SQL Server手注之延时型时间盲注
近来处理安全问题遇到的sql注入:
延时函数 WAITFOR DELAY
WAITFOR是SQL Server中Transact-SQL提供的?个流程控制语句。它的作?就是等待特定时间,然后继续执?后 续的语句。它包含?个参数DELAY,?来指定等待的时间。
如果将该语句成功注?后,会造成数据库返回记录和 Web请求也会响应延迟特定的时间。由于该语句不涉及条件判断等情况,所以容易注?成功。根据Web请求是否有延迟,渗透测试?员就可以判断?站是否存在注?漏洞。同时,由于该语句并不返回特定内容,所以它也是盲注的重要检测?法。
语法:
WAITFOR DELAY '0:0:n'?例:
WAITFOR DELAY '0:0:4' -- 表?延迟4秒IF exists ()?句
语法:
IF exists () WAITFOR DELAY '0:0:5'
手工延时注入
1.判断是否存在注?
WAITFOR DELAY '0:0:4'
2.猜测数据库名
猜测数据库名是否存在
if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--
这条语句的意思呢是判断dibd=6的数据库是否存在!如果存在那么就延迟3秒返回!
根据dbid猜库名,先猜出长度
if ((select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1) waitfor delay '0:0:3'--
为了避免用户进行这个注入攻击系统,c#可以采用如下方法将参数过滤即可
public static string ReplaceSQLChar(string str)
{
if (str == String.Empty)
return String.Empty;
str = str.Replace("'", "");
str = str.Replace(";", "");
str = str.Replace(",", "");
str = str.Replace("?", "");
str = str.Replace("<", "");
str = str.Replace(">", "");
str = str.Replace("(", "");
str = str.Replace(")", "");
str = str.Replace("@", "");
str = str.Replace("=", "");
str = str.Replace("+", "");
str = str.Replace("*", "");
str = str.Replace("&", "");
str = str.Replace("#", "");
str = str.Replace("%", "");
str = str.Replace("$", "");
//删除与数据库相关的词
str = Regex.Replace(str, "select", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "insert", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "delete from", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "count", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "drop table", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "truncate", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "asc", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "mid", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "char", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "xp_cmdshell", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "exec master", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "net localgroup administrators", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "and", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "net user", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "or", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "net", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "-", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "delete", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "drop", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "script", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "update", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "and", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "chr", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "master", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "truncate", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "declare", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "mid", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "waitfor", "", RegexOptions.IgnoreCase);
str = Regex.Replace(str, "delay", "", RegexOptions.IgnoreCase);
return str;
}