<![CDATA[查询某关键词在MSSQL数据库位置的ASP脚本]]> http://www.oldjun.com/blog/index.php/archives/44/ Looking for change zh-cn-utf8 http://blogs.law.harvard.edu/tech/rss Magike 1.2.0 Release oldjun <![CDATA[rolin]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-297 > http://www.oldjun.com/blog/index.php/archives/44/#comment-297 Mon, 11 May 2009 18:08:20 +0000 ﹏]]> 看不懂
别再求我做你徒弟了
o(>﹏

]]> <![CDATA[生存之民工]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-309 > http://www.oldjun.com/blog/index.php/archives/44/#comment-309 Tue, 12 May 2009 14:34:47 +0000 又来膜拜大牛了 今天碰到一问题 来请教下 sql server 2000数据库
db_owner权限,无法列目录(应该是数据库和网站分离),管理账号密码搞到了,后台貌似是个假的什么都不能干所以后台就不用想了。至于上传我用工具扫了下没扫到什么漏洞,服务器在内网,网站是asp加aspx的语言写的。。大致就这些
还有其他解决方法吗?谢谢

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-310 > http://www.oldjun.com/blog/index.php/archives/44/#comment-310 Tue, 12 May 2009 15:27:24 +0000 什么叫无法列目录,试过手工没?无法列目录怎么得出数据库与网站分离?后台为什么是假的?asp或aspx除了备份,上传,写配置文件,貌似没别的好办法了,一般拿shell都是围绕这几点着手的。另外可以继续搜寻有用的路径与页面!

]]> <![CDATA[生存之民工]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-311 > http://www.oldjun.com/blog/index.php/archives/44/#comment-311 Tue, 12 May 2009 16:17:13 +0000 用啊D列目录列不出来,手工没试。后台随便填写一个用户名密码就进去了。只能发布公告,编辑文章页面点开是错误的页面。所以怀疑后台是假的。还有一点我一直认为无法列目录就是因为数据库和后台分离了,难道不是这个原因,貌似在非安全上有提过,忘记了。。。

]]> <![CDATA[生存之民工]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-312 > http://www.oldjun.com/blog/index.php/archives/44/#comment-312 Tue, 12 May 2009 16:22:23 +0000 忘记说了,注入点是支持多行执行的

]]> <![CDATA[雨中风铃]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-313 > http://www.oldjun.com/blog/index.php/archives/44/#comment-313 Wed, 13 May 2009 01:15:35 +0000 只能查每个表的第一行记录

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-314 > http://www.oldjun.com/blog/index.php/archives/44/#comment-314 Wed, 13 May 2009 02:08:51 +0000 to 生存之民工:能不能列目录与web库是否分离没直接联系,一般而言DB权限下基本是可以列目录的,哪怕是分离的,也能列出数据库服务器的目录;为什么无法列目录就说分离?另外怎么能这么依靠工具,即使权限被限制了列不出来,也要看看哪一步过不去;

to 雨中风铃:寒,看清楚介绍,此语句是查询某关键词存在于此数据库的哪个表哪个列,所以用top 1 ,意思是只要存在就返回查询到了。

]]> <![CDATA[生存之民工]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-315 > http://www.oldjun.com/blog/index.php/archives/44/#comment-315 Wed, 13 May 2009 04:13:09 +0000 谢谢。我手工试试!

]]> <![CDATA[生存之民工]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-317 > http://www.oldjun.com/blog/index.php/archives/44/#comment-317 Wed, 13 May 2009 09:45:16 +0000 终于知道为什么不能列目录呢。工具误报,啊D显示是db_owner权限,我手工猜解竟然是public。。还是谢谢呢

]]> <![CDATA[雨中风铃]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-318 > http://www.oldjun.com/blog/index.php/archives/44/#comment-318 Wed, 13 May 2009 11:36:15 +0000 不好意思,CAST(["&liename&"] AS NVARCHAR(1000))='"&keyword&"'")这句没仔细看,早上看成["&liename&"]='"&keyword&"'" 了

]]> <![CDATA[bloodsword]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-326 > http://www.oldjun.com/blog/index.php/archives/44/#comment-326 Mon, 18 May 2009 07:01:24 +0000 膜拜下大黑客,啊D只要不是sa他就报dbowner
public下也有办法列目录的,而且成功率很高

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-328 > http://www.oldjun.com/blog/index.php/archives/44/#comment-328 Thu, 21 May 2009 01:49:23 +0000 BS大牛就是厉害~~~赞~~~

]]> <![CDATA[XSSER]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-329 > http://www.oldjun.com/blog/index.php/archives/44/#comment-329 Thu, 21 May 2009 17:54:34 +0000 SET QUOTED_IDENTIFIER ON
GO
SET ANSI_NULLS ON
GO

ALTER PROCEDURE searchname @sname varchar(10) As

BEGIN
CREATE TABLE #TableList(
tablename char(200),
colname char(200),
content char(200)
)
DECLARE @table varchar(200)
DECLARE @col varchar(200)

SET nocount on

DECLARE curTab scroll cursor for SELECT name FROM sysobjects WHERE xtype='u'

OPEN curTab

FETCH NEXT FROM curTab INTO @table

WHILE @@FETCH_STATUS=0
BEGIN
DECLARE curCol SCROLL CURSOR FOR SELECT name FROM syscolumns WHERE (xtype=175 or xtype=167 or xtype=231) and (id in (SELECT id FROM sysobjects WHERE name=@table))

OPEN curCol

FETCH NEXT FROM curCol INTO @col

WHILE @@FETCH_STATUS=0
BEGIN
EXECUTE('insert into #TableList select '''+@table+''','''+@col+''','+@col+' from '+@table+' where '+@col+' LIKE '''+@sname+'''')
FETCH NEXT FROM curCol INTO @col
END

CLOSE curCol

DEALLOCATE curCol

FETCH NEXT FROM curTab INTO @table

END

CLOSE curTab

DEALLOCATE curTab

SET NOCOUNT OFF

SELECT DISTINCT tablename as 表名,COLNAME AS 字段名 ,content as 内容 from #TableList

DROP TABLE #tablelist

END

GO
SET QUOTED_IDENTIFIER OFF
GO
SET ANSI_NULLS ON
GO

]]> <![CDATA[行情]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-330 > http://www.oldjun.com/blog/index.php/archives/44/#comment-330 Sat, 23 May 2009 06:19:09 +0000 人气好旺啊 我也来了

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-337 > http://www.oldjun.com/blog/index.php/archives/44/#comment-337 Sun, 24 May 2009 10:03:50 +0000 to XSSER牛:当时皇子的SQL存储过程跟你这个思路差不多~~~

]]> <![CDATA[VcOr]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-338 > http://www.oldjun.com/blog/index.php/archives/44/#comment-338 Mon, 25 May 2009 03:56:04 +0000 这种只能对mssql有效是吧
这个就是查看系统表的是否存在这个数据库。
这个权限至少要是db_owner。
不过感觉你这个思路不错。之前虽然知道,但是没想过要写出这种可以方便查询的。但是一直都是利用手动列

]]> <![CDATA[tttest]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-377 > http://www.oldjun.com/blog/index.php/archives/44/#comment-377 Wed, 15 Jul 2009 09:39:42 +0000 收藏个

]]> <![CDATA[oer]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-584 > http://www.oldjun.com/blog/index.php/archives/44/#comment-584 Wed, 04 Nov 2009 02:15:46 +0000 public 权限怎么列目录? 代码那么长怎么提交

]]> <![CDATA[oldjun]]> http://www.oldjun.com/blog/index.php/archives/44/#comment-586 > http://www.oldjun.com/blog/index.php/archives/44/#comment-586 Thu, 05 Nov 2009 07:15:54 +0000 临时表...db怎么提交,就怎么提交!

]]>