最近在做一個網絡安全相關項目的***測試,在拿到了服務器的webshell之後,需要進一步***,服務器上有較高權限的軟件只剩SQL Server 2005了,而且在webshell中通過SQL Server 2005提權拿到系統權限,由於拿到webshell的服務器在內網,通過防火牆做了端口映射,無法直接使用SQL Server管理工具進行管理,就需要通過webshell執行SQL 語句來操作SQL Server數據庫,其中用到了一些非常規的SQL語句,列舉一些sql語句來介紹數據庫,數據表,視圖等等。當我們在使用查詢查詢操作時這些sql語句都是非常有用的。雖然在sql server對象瀏覽器中我們也可以獲得這些語句,但是如果我們寫這些語句時我們可以將它自定義。這就意味着我們可以給予自己的需求來過濾結果。
sql語句列表
(當拿到webshell之後只能看到服務器上有SQL Server數據庫但是不知道數據庫裏有哪些庫,這將會是我們無法操作數據庫)
如何列舉sql server當前連接的可用數據庫
Method 1 : SP_DATABASES
Method 2 : SELECT name FROM SYS.DATABASES
Method 3 : SELECT name FROM SYS.MASTER_FILES
Method 4 : SELECT * FROM SYS.MASTER_FILES -- Type=0 for .mdf and type=1 for .ldf
SP_DATABASES是一個可以列舉數據庫及其大小的存儲過程
sys.databases語句中可以列舉數據庫名稱,創建日期,修改日期,已經數據庫id和其他一些信息。
SYS.MASTER_FILES語句可以查詢數據的詳細情況,比如數據庫id,大小,物理存儲路徑以及列舉數據庫mdf和ldf.
(當拿到webshell之後只能看到服務器上有SQL Server數據庫但是不知道數據庫裏有哪些庫,這將會是我們無法操作數據庫)
如何列舉sql server當前連接的可用數據庫
Method 1 : SP_DATABASES
Method 2 : SELECT name FROM SYS.DATABASES
Method 3 : SELECT name FROM SYS.MASTER_FILES
Method 4 : SELECT * FROM SYS.MASTER_FILES -- Type=0 for .mdf and type=1 for .ldf
SP_DATABASES是一個可以列舉數據庫及其大小的存儲過程
sys.databases語句中可以列舉數據庫名稱,創建日期,修改日期,已經數據庫id和其他一些信息。
SYS.MASTER_FILES語句可以查詢數據的詳細情況,比如數據庫id,大小,物理存儲路徑以及列舉數據庫mdf和ldf.
如何列舉數據庫中的數據表
(知道了數據庫還需要指導數據庫裏有那些表,這樣才能知道各個庫裏有什麼數據,哪些數據能夠幫助我們拿到更高的業務平臺權限)
以下的sql語句都可以列表sql server數據庫中的用戶表.
(知道了數據庫還需要指導數據庫裏有那些表,這樣才能知道各個庫裏有什麼數據,哪些數據能夠幫助我們拿到更高的業務平臺權限)
以下的sql語句都可以列表sql server數據庫中的用戶表.
Method 1 : SELECT name FROM SYS.OBJECTS WHERE type='U'
Method 2 : SELECT NAME FROM SYSOBJECTS WHERE xtype='U'
Method 3 : SELECT name FROM SYS.TABLES
Method 4 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='U'
Method 5 : SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'
Method 6 : SP_TABLES
Method 2 : SELECT NAME FROM SYSOBJECTS WHERE xtype='U'
Method 3 : SELECT name FROM SYS.TABLES
Method 4 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='U'
Method 5 : SELECT table_name FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_TYPE='BASE TABLE'
Method 6 : SP_TABLES
如何列舉數據庫中的存儲過程
Method 1 : SELECT name FROM SYS.OBJECTS WHERE type='P'
Method 2 : SELECT name FROM SYS.PROCEDURES
Method 3 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='P'
Method 4 : SELECT NAME FROM SYSOBJECTS WHERE xtype='P'
Method 5 : SELECT Routine_name FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE='PROCEDURE'
SYS.OBJECTS數據表包含了全部的存儲過程,數據表,觸發器,視圖等的信息,這裏使用type=’p'來查詢存儲過程.
Information_schema.routines在sql server 7.0是一個數據視圖,在其後的版本中已經變成存儲過程專有的表.
Method 1 : SELECT name FROM SYS.OBJECTS WHERE type='P'
Method 2 : SELECT name FROM SYS.PROCEDURES
Method 3 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='P'
Method 4 : SELECT NAME FROM SYSOBJECTS WHERE xtype='P'
Method 5 : SELECT Routine_name FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE='PROCEDURE'
SYS.OBJECTS數據表包含了全部的存儲過程,數據表,觸發器,視圖等的信息,這裏使用type=’p'來查詢存儲過程.
Information_schema.routines在sql server 7.0是一個數據視圖,在其後的版本中已經變成存儲過程專有的表.
如何列舉數據庫中的視圖
Method 1 : SELECT name FROM SYS.OBJECTS WHERE type='V'
Method 2 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='V'
Method 3 : SELECT TABLE_NAME FROM INFORMATION_SCHEMA.VIEWS
Method 4 : SELECT name FROM SYS.VIEWS
Method 1 : SELECT name FROM SYS.OBJECTS WHERE type='V'
Method 2 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='V'
Method 3 : SELECT TABLE_NAME FROM INFORMATION_SCHEMA.VIEWS
Method 4 : SELECT name FROM SYS.VIEWS
如何列舉數據庫中的函數
Method 1 : SELECT name FROM SYS.OBJECTS WHERE type='IF' -- inline function
Method 2 : SELECT name FROM SYS.OBJECTS WHERE type='TF' -- table valued function
Method 3 : SELECT name FROM SYS.OBJECTS WHERE type='FN' -- scalar function
Method 4 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='IF' -- inline function
Method 5 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='TF' -- table valued function
Method 6 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='FN' -- scalar function
Method 7 : SELECT Routine_name FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE='FUNCTION'
Method 1 : SELECT name FROM SYS.OBJECTS WHERE type='IF' -- inline function
Method 2 : SELECT name FROM SYS.OBJECTS WHERE type='TF' -- table valued function
Method 3 : SELECT name FROM SYS.OBJECTS WHERE type='FN' -- scalar function
Method 4 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='IF' -- inline function
Method 5 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='TF' -- table valued function
Method 6 : SELECT name FROM SYS.ALL_OBJECTS WHERE type='FN' -- scalar function
Method 7 : SELECT Routine_name FROM INFORMATION_SCHEMA.ROUTINES WHERE ROUTINE_TYPE='FUNCTION'
如何列舉數據庫中的觸發器
Method 1 : SP_HELPTRIGGER Products
Method 2 : SELECT * FROM SYS.TRIGGERS WHERE parent_id = object_id('products')
下面我以一個products表爲例列舉一些對錶的操作.
Method 1 : SP_HELPTRIGGER Products
Method 2 : SELECT * FROM SYS.TRIGGERS WHERE parent_id = object_id('products')
下面我以一個products表爲例列舉一些對錶的操作.
如何獲取數據表中的列
Method 1 : SP_HELP Products
Method 2 : SP_COLUMNS Products
Method 3 : SELECT * FROM SYS.COLUMNS WHERE object_id = object_id('Products')
Method 4 : SELECT COLUMN_NAME,Ordinal_position,Data_Type,character_maximum_length FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='Products'
Method 1 : SP_HELP Products
Method 2 : SP_COLUMNS Products
Method 3 : SELECT * FROM SYS.COLUMNS WHERE object_id = object_id('Products')
Method 4 : SELECT COLUMN_NAME,Ordinal_position,Data_Type,character_maximum_length FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='Products'
如何根據數據表的列查找數據表的名稱
Method 1 : SELECT O.name FROM SYS.OBJECTS O INNER JOIN SYS.COLUMNS C ON C.Object_ID = O.Object_ID WHERE C.name LIKE '%ShipName%'
Method 2 : SELECT OBJECT_NAME(object_id) AS [Table Name] FROM SYS.COLUMNS WHERE name LIKE '%ShipName%'
Method 3 : SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME LIKE '%ShipName%'
Method 1 : SELECT O.name FROM SYS.OBJECTS O INNER JOIN SYS.COLUMNS C ON C.Object_ID = O.Object_ID WHERE C.name LIKE '%ShipName%'
Method 2 : SELECT OBJECT_NAME(object_id) AS [Table Name] FROM SYS.COLUMNS WHERE name LIKE '%ShipName%'
Method 3 : SELECT TABLE_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE COLUMN_NAME LIKE '%ShipName%'
如何獲得數據表的總列數
Method 1 : SELECT COUNT(@@ROWCOUNT) FROM Products
Method 2 : SELECT COUNT (ProductID) FROM Products
Method 3 : SELECT OBJECT_NAME(id) AS [Table Name],rowcnt FROM SYSINDEXES WHERE OBJECTPROPERTY(id,'isUserTable')=1 AND indid < 2 ORDER BY rowcnt DESC
Method 4 : SELECT rowcnt FROM sysindexes WHERE id = OBJECT_ID('Products') AND indid < 2
Method 5 : SELECT OBJECT_NAME(OBJECT_ID) TableName,row_count FROM sys.dm_db_partition_stats WHERE object_id = object_id('Products') AND index_id < 2
Method 1 : SELECT COUNT(@@ROWCOUNT) FROM Products
Method 2 : SELECT COUNT (ProductID) FROM Products
Method 3 : SELECT OBJECT_NAME(id) AS [Table Name],rowcnt FROM SYSINDEXES WHERE OBJECTPROPERTY(id,'isUserTable')=1 AND indid < 2 ORDER BY rowcnt DESC
Method 4 : SELECT rowcnt FROM sysindexes WHERE id = OBJECT_ID('Products') AND indid < 2
Method 5 : SELECT OBJECT_NAME(OBJECT_ID) TableName,row_count FROM sys.dm_db_partition_stats WHERE object_id = object_id('Products') AND index_id < 2
如何獲得數據表的約束
Method 1 : SELECT * FROM SYS.OBJECTS WHERE type='C'
Method 2 : SELECT * FROM sys.check_constraints
Method 1 : SELECT * FROM SYS.OBJECTS WHERE type='C'
Method 2 : SELECT * FROM sys.check_constraints
如何獲得數據表的索引
Method 1 : sp_helpindex Products
Method 2 : SELECT * FROM sys.indexes WHERE object_id = object_id('products')
Method 1 : sp_helpindex Products
Method 2 : SELECT * FROM sys.indexes WHERE object_id = object_id('products')
如何獲得數據視圖的模式定義
Method 1 : SELECT OBJECT_NAME(id) AS [View Name],text FROM SYSCOMMENTS WHERE id IN (SELECT object_id FROM SYS.VIEWS)
Method 2 : SELECT * FROM sys.all_sql_modules WHERE object_id IN (SELECT object_id FROM SYS.VIEWS)
Method 3 : SP_HELPTEXT ViewName
Method 1 : SELECT OBJECT_NAME(id) AS [View Name],text FROM SYSCOMMENTS WHERE id IN (SELECT object_id FROM SYS.VIEWS)
Method 2 : SELECT * FROM sys.all_sql_modules WHERE object_id IN (SELECT object_id FROM SYS.VIEWS)
Method 3 : SP_HELPTEXT ViewName
如何獲得存儲過程中的數據表
Method 1 : SELECT OBJECT_NAME(id) FROM SYSCOMMENTS S
INNER JOIN SYS.OBJECTS O ON O.Object_Id = S.id
WHERE S.text LIKE '%Products%'
AND O.type='P'
總結
爲了避免涉及到***測試相關的保密數據,這裏的相關操作已經經過了處理,以上列舉了一下sql server用實用的一些sql語句,希望對你在使用查詢窗口操作時有用,這些SQL語句能在無法使用客戶端的情況下,通過webshell執行SQL語句的形式對數據庫進行管理,由於通過webshell連接的數據庫用戶權限受限,需要通過現有較低的權限獲取系統的結構信息,進一步藉助系統現有的較高權限的軟件進行提權。
Method 1 : SELECT OBJECT_NAME(id) FROM SYSCOMMENTS S
INNER JOIN SYS.OBJECTS O ON O.Object_Id = S.id
WHERE S.text LIKE '%Products%'
AND O.type='P'
總結
爲了避免涉及到***測試相關的保密數據,這裏的相關操作已經經過了處理,以上列舉了一下sql server用實用的一些sql語句,希望對你在使用查詢窗口操作時有用,這些SQL語句能在無法使用客戶端的情況下,通過webshell執行SQL語句的形式對數據庫進行管理,由於通過webshell連接的數據庫用戶權限受限,需要通過現有較低的權限獲取系統的結構信息,進一步藉助系統現有的較高權限的軟件進行提權。