生活随笔
收集整理的這篇文章主要介紹了
SQL注入1-5_cookie基于base64的注入
小編覺得挺不錯的,現(xiàn)在分享給大家,幫大家做個參考.
SQL注入1-5_cookie基于base64的注入
1.提交參數(shù)
2,代理抓包點擊forward,看看有沒有cooike
還是沒有,繼續(xù)fowrword
出來了,可以看見他是基于base64加密的數(shù)據(jù)
重發(fā)攻擊
點擊go可以看到返回正常
我們把提交的參數(shù)加反斜杠 admin
然后放到decoder 進行base64加密
然后復制到原來的位置
可以看到報錯
由此推斷存在sql注入,我們只需要把提交的參數(shù)進行base64加密就可以
我們把提交的參數(shù)加密
復制到root目錄下
開始探測
由于他是基于base64加密所以我們需要使用腳本
找到這個腳本擦入
插入sqlmap中
開始探測
可以看到已經(jīng)開始探測了*處了
由于探測時間太長了就不演示了
觀察源代碼可以發(fā)現(xiàn)直接吧cookie帶入SQL語句并且解密
并沒有做過濾措施,所以造成cookie注入
<
!DOCTYPE html PUBLIC
"-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns=
"http://www.w3.org/1999/xhtml">
<head>
<meta http
-equiv=
"Content-Type" content=
"text/html; charset=utf-8" /><title>Less
-22 Cookie Injection
- Error Based
- Double Quotes
- string<
/title>
<
/head><body bgcolor=
"#000000">
<?php
//including the Mysql connect parameters
.include
("../sql-connections/sql-connect.php");
if(!isset
($_COOKIE['uname'])){//including the Mysql connect parameters
.include
("../sql-connections/sql-connect.php");echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome <font color='#FF0000'> Dhakkan </font><br></div>";echo "<div align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";echo "<div style='padding-top:10px; font-size:15px;'>";echo "<!--Form to post the contents -->";echo '<form action=" " name="form1" method="post">';echo ' <div style="margin-top:15px; height:30px;">Username : ';echo ' <input type="text" name="uname" value=""/> </div>';echo ' <div> Password : ';echo ' <input type="text" name="passwd" value=""/></div></br>'; echo ' <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';echo '</form>';echo '</div>';echo '</div>';echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';echo '<font size="3" color="#FFFF00">';echo '<center><br><br><br>';echo '<img src="../images/Less-22.jpg" />';echo '</center>';function check_input
($value){if(!empty
($value)){$value = substr
($value,0
,20
); // truncation
(see comments
)}if (get_magic_quotes_gpc
()) // Stripslashes
if magic quotes enabled
{$value = stripslashes
($value);}if (!ctype_digit
($value)) // Quote
if not a number
{$value =
"'" . mysql_real_escape_string
($value) . "'";}else{$value = intval
($value);}return $value;}echo "<br>";echo "<br>";if(isset
($_POST['uname']) && isset
($_POST['passwd'])){$uname = check_input
($_POST['uname']);$passwd = check_input
($_POST['passwd']);$sql=
"SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";$result1 = mysql_query
($sql);$row1 = mysql_fetch_array
($result1);if($row1){echo '<font color= "#FFFF00" font size = 3 >';setcookie
('uname', base64_encode
($row1['username']), time
()+3600
); header
('Location: index.php');echo "I LOVE YOU COOKIES";echo "</font>";echo '<font color= "#0000ff" font size = 3 >'; //echo 'Your Cookie is: ' .$cookee;echo "</font>";echo "<br>";print_r
(mysql_error
()); echo "<br><br>";echo '<img src="../images/flag.jpg" />';echo "<br>";}else{echo '<font color= "#0000ff" font size="3">';//echo "Try again looser";print_r
(mysql_error
());echo "</br>"; echo "</br>";echo '<img src="../images/slap.jpg" />'; echo "</font>"; }}echo "</font>"; echo '</font>';echo '</div>';}
else
{if(!isset
($_POST['submit'])){$cookee =
$_COOKIE['uname'];$format =
'D d M Y - H:i:s';$timestamp = time
() + 3600
;echo "<center>";echo "<br><br><br><b>";echo '<img src="../images/Less-21.jpg" />';echo "<br><br><b>";echo '<br><font color= "red" font size="4">'; echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];echo "</font><br>"; echo '<font color= "cyan" font size="4">'; echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR']; echo "</font><br>"; echo '<font color= "#FFFF00" font size = 4 >';echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";echo '<font color= "orange" font size = 5 >'; echo "YOUR COOKIE : uname = $cookee and expires: " . date
($format, $timestamp);//可以看到這里是解密
$cookee = base64_decode
($cookee);$cookee1 =
'"'. $cookee. '"';echo "<br></font>";//直接傳入沒有做任何過濾
$sql=
"SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";$result=mysql_query
($sql);if (!$result){die
('Issue with your mysql: ' . mysql_error
());}$row = mysql_fetch_array
($result);if($row){echo '<font color= "pink" font size="5">'; echo 'Your Login name:'. $row['username'];echo "<br>";echo '<font color= "grey" font size="5">'; echo 'Your Password:' .$row['password'];echo "</font></b>";echo "<br>";echo 'Your ID:' .$row['id'];}else {echo "<center>";echo '<br><br><br>';echo '<img src="../images/slap1.jpg" />';echo "<br><br><b>";//echo '<img src="../images/Less-20.jpg" />';}echo '<center>';echo '<form action="" method="post">';echo '<input type="submit" name="submit" value="Delete Your Cookie!" />';echo '</form>';echo '</center>';} else{echo '<center>';echo "<br>";echo "<br>";echo "<br>";echo "<br>";echo "<br>";echo "<br>";echo '<font color= "#FFFF00" font size = 6 >';echo " Your Cookie is deleted";setcookie
('uname', base64_encode
($row1['username']), time
()-3600
);header
('Location: index.php');echo '</font></center></br>';} echo "<br>";echo "<br>";//header
('Location: main.php');echo "<br>";echo "<br>";//echo '<img src="../images/slap.jpg" /></center>';//logging the connection parameters to a file
for analysis
. $fp=fopen
('result.txt','a');fwrite
($fp,'Cookie:'.$cookee."\n");fclose
($fp);}
?><
/body>
<
/html>
sql報錯注入補充
當訪問頁面可以報錯,但是并不會反回數(shù)據(jù)庫信息時,
手工注入就需要使用 updatexml觸發(fā)函數(shù)報錯,獲得想要的信息,(必須是MySQL新版本,是5.幾一下是不行的,)
語法如下
?id =1’ and updatexml(1,0x7e,(select database()),0x7e,1)–
0x7e作用是編碼,輸出我們看的懂的數(shù)據(jù),如果輸出數(shù)據(jù)庫名,則可以進行下一步滲透。
總結
以上是生活随笔為你收集整理的SQL注入1-5_cookie基于base64的注入的全部內(nèi)容,希望文章能夠幫你解決所遇到的問題。
如果覺得生活随笔網(wǎng)站內(nèi)容還不錯,歡迎將生活随笔推薦給好友。
