SQLI 注入原理共筆

# SQLI 注入原理共筆 ###### tags: `共筆` `社團課` 請愛惜共筆 :::info 時間:2022/12/15(四) 19:00~21:00 講師:陳煜仁、侯智晟 [課程投影片](https://hackmd.io/@meowhecker/BJx-3GPLi#/)，請尊重智慧財產權 ::: :::warning 請先下載並安裝[xampp](https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/7.4.33/xampp-windows-x64-7.4.33-0-VC15-installer.exe) 請先註冊[portswigger](https://portswigger.net/) ::: :::success 要先懂得知識:XAMPP、PHP、Javascript(node.js/deno)、MYSQL ::: --- [TOC] --- ## SQL(Structured Query Language) * 結構化查詢語言 * 通過後端去SQL拿東西給前端 ![image alt](https://i.imgur.com/Ea8lxsC.png) ...下載XAMPP... ### XAMPP操作 ![](https://i.imgur.com/51xrZLd.png) 將 Apache 和 MSQL 開啟(Start) ![](https://i.imgur.com/48YwEqt.png) 點擊shell ![](https://i.imgur.com/ii1yEgH.png) ### 語法教學 >小天使提醒您:不要在裡面輸入中文用最高使用者進入sql //-u:使用者名稱 ``` mysql -u root ``` ![](https://i.imgur.com/nUUI2xs.png) 顯示所有資料庫 ``` show databases; ``` ![](https://i.imgur.com/5lxe9AT.png) --- ``` use test; ``` ![](https://i.imgur.com/EeolSsL.png) --- 查看test資料庫中的資料表，因目前未新增內容，所以應該會顯示 Empty ``` show tables; ``` ![](https://i.imgur.com/lxKSF6v.png) --- 建立名為student 的資料表，內有number、name、age 的欄位，並輸入該欄資料的類型 ``` create table student(number int,name char(50), age int); ``` ![](https://i.imgur.com/JXVAou1.png) --- 再次查看資料表，會顯示在test中有一個名為student的資料表 ``` show tables; ``` ![](https://i.imgur.com/KKJvP2M.png) --- 選擇查看名為 student 的資料表，目前無插入任何資料，所以會顯示Empty ``` select * from student; ``` ![](https://i.imgur.com/YbmUhuZ.png) 插入欄位資料，並輸入其值 ``` insert into student(number,name,age)values(1,'mio',19); ``` ![](https://i.imgur.com/V0CYABz.png) 再次查看student的資料表，會顯示我們剛剛所插入的資料 ``` select * from student; ``` ![](https://i.imgur.com/jTSlpVC.png) 重複相同操作，創建第二筆資料 ``` insert into student(number,name,age)values(2,'neil',20); ``` ![](https://i.imgur.com/jmRZS3M.png) ``` select * from student; ``` ![](https://i.imgur.com/UuCZLmi.png) 刪除來自student資料表中number欄位裡值為1的資料 ``` delete from student where number = 1; ``` where是資料庫的條件語句 ![](https://i.imgur.com/nCZgIt1.png) ``` select * from student; ``` ![](https://i.imgur.com/at1WcEL.png) 刪除來自student資料表中age欄位裡值為20的資料 ``` delete from student where age = 20; ``` ![](https://i.imgur.com/YghMBqR.png) 查看資料表，會發現裡面資料已被刪除，顯示Empty ``` select * from student; ``` ![](https://i.imgur.com/1kQgCLP.png) ### LAB 1 **建立2個student的資料表(分別為student1,student2)，裡面輸入3個學生資料欄位是 number,name,age。value 自行新增** --- :::spoiler LAB 1 詳解 ``` create table student1(number int,name char(50), age int); ``` ![](https://i.imgur.com/NnZZNQd.png) ``` create table student2(number int,name char(50), age int); ``` ![](https://i.imgur.com/mmqeUR9.png) ``` show tables; ``` ![](https://i.imgur.com/8QMY6NY.png) ``` insert into student1(number,name,age)values(1,'Tom',20); insert into student1(number,name,age)values(2,'Mary',18); insert into student1(number,name,age)values(3,'Kate',19); ``` ![](https://i.imgur.com/t1pAmyT.png) ``` select * from student1; ``` ![](https://i.imgur.com/b3qOoMW.png) ``` insert into student2(number,name,age)values(1,'Apple',12); insert into student2(number,name,age)values(2,'Chicken',8); insert into student2(number,name,age)values(3,'Guava',10); ``` ![](https://i.imgur.com/J3tuQ82.png) ``` select * from student2; ``` ![](https://i.imgur.com/0oBElUm.png) ::: 講師提供的標準解答 ![](https://i.imgur.com/5qCcPTV.png) [MySQL 語法匯整](http://note.drx.tw/2012/12/mysql-syntax.html) --- ### 語法教學 part2 #### UNION 將student1資料表和student2資料表中的number、name、age欄位合併 >注意要合併的欄位輸入數量要一樣，如果兩邊只寫number則只進行number欄位的合併 ``` select number,name,age from student1 union select number,name,age from student2; ``` ![](https://i.imgur.com/8n0Y3Un.png) 嘗試將student2資料表中age處改為""，會發現到合併後原本屬於student2資料表中的資料在age的欄位顯示空白 ``` select number,name,age from student1 union select number,name,"" from student2; ``` ![](https://i.imgur.com/a2cpO0d.png) --- #### ORDER BY 排序 ``` select number,name,age from student1 union select number,name,age from student2 order by number; ``` ![](https://i.imgur.com/qa4NJif.png) ``` select number,name,age from student1 union select number,name,age from student2 order by name; ``` ![](https://i.imgur.com/IKtXjtc.png) ``` select number,name,age from student1 union select number,name,age from student2 order by age; ``` ![](https://i.imgur.com/O2qEYks.png) ## SQL Injection ![](https://i.imgur.com/Yxnaj5i.png) >圖檔來源:yuzi --- ## Lab實際演練挑戰我們將以PortSwigger上的Lab進行實作及講解 ...請先註冊[portswigger](https://portswigger.net/)... ##### **[練習Lab 1 -嘗試繞過允許登入](https://portswigger.net/web-security/sql-injection/lab-login-bypass)** 講師的講解 ![](https://i.imgur.com/nCCz5Vr.jpg) :::spoiler 解答 ![](https://i.imgur.com/UuJK8DE.png) 或 ![](https://i.imgur.com/sn3sERM.png) ![](https://i.imgur.com/10J0QaU.png) 成功ㄌ ✧*｡ ٩(ˊᗜˋ*)و✧*｡ ::: ### 注入類型 ![](https://i.imgur.com/CA9zNoU.jpg) >圖檔來源:yuzi --- #### Error-Based(報錯) https://meowhecker.php?search=’ ##### **[LAB 2 - SQL 注入漏洞允許檢索隱藏數據](https://portswigger.net/web-security/sql-injection/lab-retrieve-hidden-data)** :::spoiler ![](https://i.imgur.com/mlhdB12.png) ![](https://i.imgur.com/EfJgT0T.png) ![](https://i.imgur.com/G3aLdmZ.png) 上面這兩張圖片表示這個網頁有問題o(*°▽°*)o ![](https://i.imgur.com/C1g06VY.png) ![](https://i.imgur.com/SVjxNM4.png) ::: --- #### Union-Based(聯合) 重要的條件:直行數要相同如果有成功，會回傳東西回來，這代表我們已經猜到**欄位數目** https://meowhecker.php?search='+union+select+null,null+from+user-- ##### **[LAB 3 - SQL注入UNION攻擊，確定查詢返回的列數](https://portswigger.net/web-security/sql-injection/union-attacks/lab-determine-number-of-columns)** :::spoiler 詳解 ![](https://i.imgur.com/wgHDQYg.png) ![](https://i.imgur.com/wBsXs12.png) ::: --- ##### **[LAB 4 - SQL 注入攻擊，列出非 Oracle 數據庫上的數據庫內容](https://portswigger.net/web-security/sql-injection/examining-the-database/lab-listing-database-contents-non-oracle)** :::spoiler 詳解 https://www.youtube.com/watch?v=Dhn9H11c1Hg ::: --- Out-of-band ![](https://i.imgur.com/l1ZEhMN.jpg) --- ## 回饋表單歡迎留下你對此次社課的想法或之後推薦社課想學的內容唷ヽ( ° ▽°)ノ >**[社課回饋表單](https://docs.google.com/forms/d/e/1FAIpQLSfrydZxnpDkYDIh6PsFQ6dhCFWDOt0HdBk9JztEdNsa24OSfw/viewform)** --- >[社課直播留檔](https://www.youtube.com/watch?v=4v550y77Dkg) --- >本次的共筆小天使: > [name=yuzi] [name=侯智晟] [name=Silly Bird 蔡宜潔]