网安入门07-Sql注入(二次注入)

渗透测试简介

黑盒测试:看不到后端代码,只能依靠前端页面显示来判断是否有注入点
白盒测试:可以看到后端代码,进行代码审计分析注入点
白+黑:既可以看到后端代码,也可以看到前端页面的回显
实战中黑盒占80%,客户提供源码白盒占5%,通过漏洞挖出源代码白+黑15%

二次注入

Less24
网安入门07-Sql注入(二次注入)_第1张图片
试图进行常规注入
网安入门07-Sql注入(二次注入)_第2张图片
触发过滤机制,页面回显如下(滚开,你个愚蠢的黑客)
网安入门07-Sql注入(二次注入)_第3张图片
点击忘记密码:

注册账号页面,先试一下admin用户
网安入门07-Sql注入(二次注入)_第4张图片
不让我注册!那我先注册一个admin‘#用户,密码123
网安入门07-Sql注入(二次注入)_第5张图片
然后登录admin’#
网安入门07-Sql注入(二次注入)_第6张图片
改一手密码
网安入门07-Sql注入(二次注入)_第7张图片
最后再用admin账号和刚改好的密码222,就登录成功啦!
网安入门07-Sql注入(二次注入)_第8张图片

原理

查看源代码,最重要的三个页面:登录,注册,改密码
网安入门07-Sql注入(二次注入)_第9张图片
其中login.php是登录页面,login_crearte.php是注册页面,pass_change.php是改密码页面

login.php:

<html>
<head>
</head>
<body bgcolor="#000000">
<font size="3" color="#FFFF00">
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?PHP

session_start();
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function sqllogin(){

   $username = mysql_real_escape_string($_POST["login_user"]);#' " \
   $password = mysql_real_escape_string($_POST["login_password"]);
   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
//$sql = "SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'";
   $res = mysql_query($sql) or die('You tried to be real smart, Try harder!!!! :( ');
   $row = mysql_fetch_row($res);
	//print_r($row) ;
   if ($row[1]) {
			return $row[1];
   } else {
      		return 0;
   }

}

$login = sqllogin();
if (!$login== 0) 
{
	$_SESSION["username"] = $login;
	setcookie("Auth", 1, time()+3600);  /* expire in 15 Minutes */
	header('Location: logged-in.php');
} 
else
{
?>
<tr><td colspan="2" style="text-align:center;"><br/><p style="color:#FF0000;">
<center>
<img src="../images/slap1.jpg">
</center>
</p></td></tr>
<?PHP
} 
?>

</body>
</html>

login_crearte.php:

<html>
<head>
</head>
<body bgcolor="#000000">
<?PHP
session_start();
?>
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?php

//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


if (isset($_POST['submit']))
{
# Validating the user input........

	//$username=  $_POST['username'] ;
	$username=  mysql_escape_string($_POST['username']) ;
	$pass= mysql_escape_string($_POST['password']);
	$re_pass= mysql_escape_string($_POST['re_password']);
	
	echo "";
	$sql = "select count(*) from users where username='$username'";
	$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
  	$row = mysql_fetch_row($res);
	
	//print_r($row);
	if (!$row[0]== 0) 
		{
		?>
		<script>alert("The username Already exists, Please choose a different username ")</script>;
		<?php
		header('refresh:1, url=new_user.php');
   		} 
		else 
		{
       		if ($pass==$re_pass)
			{
				# Building up the query........
   				
   				$sql = "insert into users ( username, password) values(\"$username\", \"$pass\")";
   				mysql_query($sql) or die('Error Creating your user account,  : '.mysql_error());
					echo "
"
; echo "
"; //echo "

User Created Successfully

";
echo "
"
; echo "
"
; echo "
"
; echo "
Redirecting you to login page in 5 sec................"
; echo ""; echo "
If it does not redirect, click the home button on top right
"
; header('refresh:5, url=index.txt'); } else { ?> <script>alert('Please make sure that password field and retype password match correctly')</script> <?php header('refresh:1, url=new_user.php'); } } } ?> </body> </html>

pass_change.php:

<html>
<head>
</head>
<body bgcolor="#000000">
<?PHP
session_start();
if (!isset($_COOKIE["Auth"]))
{
	if (!isset($_SESSION["username"])) 
	{
   		header('Location: index.txt');
	}
	header('Location: index.txt');
}
?>
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?php

//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


if (isset($_POST['submit']))
{
	
	
	# Validating the user input........
	$username= $_SESSION["username"];  #admin'#
	$curr_pass= mysql_real_escape_string($_POST['current_password']);
	$pass= mysql_real_escape_string($_POST['password']);
	$re_pass= mysql_real_escape_string($_POST['re_password']);
	
	if($pass==$re_pass)
	{	
		$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
		$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
		$row = mysql_affected_rows();
		echo '';
		echo '
'; if($row==1) { echo "Password successfully updated"; } else { header('Location: failed.php'); //echo 'You tried to be smart, Try harder!!!! :( '; } } else { echo '
'; echo "Make sure New Password and Retype Password fields have same value"; header('refresh:2, url=index.txt'); } } ?> <?php if(isset($_POST['submit1'])) { session_destroy(); setcookie('Auth', 1 , time()-3600); header ('Location: index.txt'); } ?> </center> </body> </html>

前面两个页面都有mysql_real_escape_string()的严格的过滤,无法进行注入

PHP mysqli_real_escape_string() 函数-菜鸟教程
网安入门07-Sql注入(二次注入)_第10张图片
突破点就在登录成功之后的这个地方
网安入门07-Sql注入(二次注入)_第11张图片
由于过滤只在进行sql查询的地方触发,过滤后还是以没被过滤的形式存入数据库的,在重置密码时就可以进行二次注入,admin’#进行闭合,注释了后面的语句,这样我们就成功改掉了admin的密码,得到所有权限了

你可能感兴趣的:(CISP-PTE备考之路,sql,数据库)