SQL injection: LIKE injection


Today during an engagement I came across an MSSQL database where the submitted parameter ended up inside a LIKE clause. The injection worked in local testing, but on the real target I couldn't tell what the back end was doing to the input and didn't get through. Sigh~~

Annoying. Writing a blog post to mark the occasion~

Injection through a controllable parameter after LIKE involves no fancy tricks; the principle is the same as for any other injection, only the payload looks a bit different.

I don't feel like setting up an MSSQL + ASPX environment, so let's keep it simple with MySQL~

Environment:

  • phpstudy2014
  • php 5.4
  • mysql 5.5.40

Script setup

like.php

<?php

$like = @$_GET['like'];

// the id is not cast to an integer (the `like` value is used exactly as received)
if( !isset($like) || empty($like) ){
    exit('get.like 参数不能为空');
}

try{
    // host, port, database name and charset, respectively
    $dsn = "mysql:host=127.0.0.1; port=3306; dbname=security; charset=utf8";

    // account
    $user = 'root';

    // password
    $psw = 'root';

    // connect to MySQL
    $pdo = new PDO($dsn, $user, $psw);

    // SQL statement to execute: start
    // the value is interpolated straight into the LIKE pattern; this is the injection point
    $sql = "select * from users where username like '%$like%'";
    echo $sql;
    echo '<br/>';
    // SQL statement to execute: end

    // run the query; if the database reports a problem, dump the specific error
    $res = $pdo->query($sql) or var_dump($pdo->errorInfo());

    $mon = $res->fetch(PDO::FETCH_ASSOC);
    print_r( $mon );

} catch (Exception $e) {
    print $e->getMessage();
    exit();
}

?>

security.sql

/*
Navicat Premium Data Transfer

Source Server : local
Source Server Type : MySQL
Source Server Version : 50540
Source Host : localhost:3306
Source Schema : security

Target Server Type : MySQL
Target Server Version : 50540
File Encoding : 65001

Date: 07/08/2019 18:47:37
*/

SET NAMES utf8mb4;
SET FOREIGN_KEY_CHECKS = 0;

-- ----------------------------
-- Table structure for emails
-- ----------------------------
DROP TABLE IF EXISTS `emails`;
CREATE TABLE `emails` (
`id` int(3) NOT NULL AUTO_INCREMENT,
`email_id` varchar(30) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 9 CHARACTER SET = gbk COLLATE = gbk_chinese_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of emails
-- ----------------------------
INSERT INTO `emails` VALUES (1, 'Dumb@dhakkan.com');
INSERT INTO `emails` VALUES (2, 'Angel@iloveu.com');
INSERT INTO `emails` VALUES (3, 'Dummy@dhakkan.local');
INSERT INTO `emails` VALUES (4, 'secure@dhakkan.local');
INSERT INTO `emails` VALUES (5, 'stupid@dhakkan.local');
INSERT INTO `emails` VALUES (6, 'superman@dhakkan.local');
INSERT INTO `emails` VALUES (7, 'batman@dhakkan.local');
INSERT INTO `emails` VALUES (8, 'admin@dhakkan.com');

-- ----------------------------
-- Table structure for referers
-- ----------------------------
DROP TABLE IF EXISTS `referers`;
CREATE TABLE `referers` (
`id` int(3) NOT NULL AUTO_INCREMENT,
`referer` varchar(256) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
`ip_address` varchar(35) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 4 CHARACTER SET = gbk COLLATE = gbk_chinese_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of referers
-- ----------------------------
INSERT INTO `referers` VALUES (1, 'http://127.0.0.1/sqli-labs-master/Less-19/', '127.0.0.1');
INSERT INTO `referers` VALUES (2, 'http://127.0.0.1/sqli-labs-master/Less-19/', '127.0.0.1');
INSERT INTO `referers` VALUES (3, 'http://127.0.0.1/sqli-labs-master/Less-19/', '127.0.0.1');

-- ----------------------------
-- Table structure for uagents
-- ----------------------------
DROP TABLE IF EXISTS `uagents`;
CREATE TABLE `uagents` (
`id` int(3) NOT NULL AUTO_INCREMENT,
`uagent` varchar(256) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
`ip_address` varchar(35) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
`username` varchar(20) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 15 CHARACTER SET = gbk COLLATE = gbk_chinese_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of uagents
-- ----------------------------
INSERT INTO `uagents` VALUES (1, '/', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (2, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (3, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (4, '/', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (5, 'and 1=1#', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (6, 'and 1=12#', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (7, 'order by 10#', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (8, 'order by 10#', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (9, '', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (10, '', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (11, '0', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (12, '0', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (13, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0', '127.0.0.1', 'admin');
INSERT INTO `uagents` VALUES (14, 'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:18.0) Gecko/20100101 Firefox/18.0', '127.0.0.1', 'admin');

-- ----------------------------
-- Table structure for users
-- ----------------------------
DROP TABLE IF EXISTS `users`;
CREATE TABLE `users` (
`id` int(3) NOT NULL AUTO_INCREMENT,
`username` varchar(20) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
`password` varchar(20) CHARACTER SET gbk COLLATE gbk_chinese_ci NOT NULL,
PRIMARY KEY (`id`) USING BTREE
) ENGINE = MyISAM AUTO_INCREMENT = 11 CHARACTER SET = gbk COLLATE = gbk_chinese_ci ROW_FORMAT = Dynamic;

-- ----------------------------
-- Records of users
-- ----------------------------
INSERT INTO `users` VALUES (1, 'Dumb', '1');
INSERT INTO `users` VALUES (2, 'Angelina', '1');
INSERT INTO `users` VALUES (3, 'Dummy', '1');
INSERT INTO `users` VALUES (4, 'secure', '1');
INSERT INTO `users` VALUES (5, 'stupid', '1');
INSERT INTO `users` VALUES (6, 'superman', '1');
INSERT INTO `users` VALUES (7, 'batman', '1');
INSERT INTO `users` VALUES (8, 'admin', 'admin');
INSERT INTO `users` VALUES (9, 'test#', '1');
INSERT INTO `users` VALUES (10, 'test\' #', '1');

SET FOREIGN_KEY_CHECKS = 1;

Just import the SQL file into your local MySQL.

Testing

I won't go over LIKE in detail; it simply finds rows whose value resembles the parameter.

Visit:

http://127.0.0.1/get.php?like=test

The approach is the same as for any other controllable parameter: first we need to close the quote.

There is no need to keep a % on both sides; we only need to close the single quote and append a comment marker after it.

Everything after that follows the usual process.

Union-based injection:

The result is empty here because my database has no data matching %test. To get rows back, change the value of the like parameter to

Boolean-based injection:

Error-based injection:

I'll only cover these three injection methods here.

The situation is the same under MSSQL.

So why didn't it work on the real target? Strange~

There are also some less common injection points, such as ORDER BY + $id and LIMIT + $id; any such controllable parameter can lead to injection and is worth studying.

Recommended reading

Injection after ORDER BY, LIMIT and FROM
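As an added example (not from the original post), here is the query from like.php in two forms: the string-spliced version, and a hardened version that binds the pattern as a parameter and escapes the LIKE metacharacters % and _ so user input can't act as a wildcard. It assumes an in-memory sqlite3 stand-in with a few constructed rows from the page's users table rather than MySQL/PDO; sqlite3 does not treat # as a comment, so a stray quote surfaces there as a syntax error rather than as a truncated query.

```python
import sqlite3

# Constructed stand-in for the page's `users` table (the post uses MySQL 5.5
# via PDO; sqlite3 is assumed here so the example runs offline).
SAMPLE_USERS = [
    (1, "Dumb", "1"),
    (8, "admin", "admin"),
    (9, "test#", "1"),
    (10, "test' #", "1"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def vulnerable_search(conn, like):
    # Same construction as like.php: the value is spliced into the string
    # literal, so a single quote in `like` ends the literal and whatever
    # follows is parsed as SQL.
    sql = f"select * from users where username like '%{like}%'"
    return [row[1] for row in conn.execute(sql)]


def escape_like(value, esc="\\"):
    # Neutralise LIKE metacharacters so the input matches literally.
    return (value.replace(esc, esc + esc)
                 .replace("%", esc + "%")
                 .replace("_", esc + "_"))


def safe_search(conn, like):
    # The whole pattern is bound as a parameter: the driver sends it apart
    # from the SQL text, so quotes in `like` can never alter the statement.
    pattern = "%" + escape_like(like) + "%"
    rows = conn.execute(
        "select * from users where username like ? escape '\\'", (pattern,)
    )
    return [row[1] for row in rows]
```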


Please credit the source when reposting. Feel free to verify the references cited in this article and to point out any errors or unclear wording, either in the comments below or by email to sher10cksec@foxmail.com

Title: SQL injection: LIKE injection

Author: sher10ck

Published: 2019-08-07, 18:39:32

Last updated: 2020-01-13, 12:51:14

Original link: http://sherlocz.github.io/2019/08/07/sql注入之like注入/

License: "Attribution-NonCommercial-ShareAlike 4.0"; keep the original link and author when reposting.