Understanding string-type and numeric-type injection through SQLi-labs Less 1 and Less 2


Classified by how the injected value is enclosed, SQL injection falls into three types: numeric, string, and search-type injection.

The most typical are the numeric and string types: a numeric value is not wrapped in single quotes, whereas a string value must be.

Source code

Less 1 source

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-1 **Error Based- String**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
    if($row)
    {
      echo "<font size='5' color= '#99FF00'>";
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
      }
    else
    {
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>"; 
    }
}
    else { echo "Please input the ID as parameter with numeric value";}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-1.jpg" /></center>
</body>
</html>

Query statement:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Less 2 source

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-2 **Error Based- Intiger**</title>
</head>

<body bgcolor="#000000">




<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
    if($row)
    {
      echo "<font size='5' color= '#99FF00'>";
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
      }
    else
    {
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>"; 
    }
}
    else
        {    
        echo "Please input the ID as parameter with numeric value";
        }
?>


</font> </div></br></br></br><center>
<img src="../images/Less-2.jpg" /></center>
</body>
</html>

Query statement:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";


String type:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Numeric type:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

The difference is in the id=xxx part: in one statement the value is wrapped in single quotes, in the other it is not.

One is id=string and the other is id=number, for example id='admin' versus id=1.
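Both Less 1 and Less 2 append every raw id parameter they receive to result.txt (the fopen/fwrite lines in the source above). Because the query context tells you what a legitimate value looks like (only digits for the unquoted id, no quote that closes the literal for the quoted id), that file can double as a cheap detection source. The following Python script is an added example, not part of the post or of sqli-labs; the log lines in SAMPLE_LOG are constructed, and the function names and regular expressions are my own.

```python
import re

# Constructed sample of the result.txt that Less-1 and Less-2 write: each
# line is "ID:" followed by the raw id parameter. Not a real captured log.
SAMPLE_LOG = """ID:1
ID:2
ID:Dumb
ID:Dumb' and '1'='1
ID:1 and 1=1
ID:O'Brien
ID:14
"""

# A legitimate numeric id is an optionally signed run of digits and nothing else.
INT_RE = re.compile(r"^-?\d+$")
# A quote that closes the literal and is followed by a boolean operator is the
# shape that turns a string parameter into extra WHERE logic.
QUOTE_OPERATOR_RE = re.compile(r"'\s*(and|or)\b", re.IGNORECASE)


def parse_log(text):
    """Return the raw id values from the ID: lines, in order."""
    return [line[3:] for line in text.splitlines() if line.startswith("ID:")]


def check_id(value, context):
    """Classify one logged value for the given query context ("numeric" for
    Less-2's unquoted id, "string" for Less-1's quoted id).
    Returns a reason string when the value does not fit, otherwise None."""
    if context == "numeric":
        # Anything beyond digits would be spliced into the SQL unquoted.
        return None if INT_RE.match(value) else "non-integer value in numeric context"
    # String context: the value is inert until a quote breaks out of the literal.
    if QUOTE_OPERATOR_RE.search(value):
        return "quote followed by boolean operator"
    if value.count("'") % 2 == 1:
        # An unbalanced quote alone makes MySQL raise a syntax error, but it may
        # also be a legitimate name such as O'Brien, so treat it as a weak signal.
        return "unbalanced single quote"
    return None


def flag_log(text, context):
    """Return (value, reason) pairs for every logged id that does not fit the context."""
    flagged = []
    for value in parse_log(text):
        reason = check_id(value, context)
        if reason:
            flagged.append((value, reason))
    return flagged


if __name__ == "__main__":
    for context in ("numeric", "string"):
        print(context, flag_log(SAMPLE_LOG, context))
```

Running it on the constructed log shows the point of this section from the other side: the value 1 and 1=1 is flagged for the numeric context but passes the string context, because inside single quotes it is just a username that does not exist, while Dumb' and '1'='1 is flagged in both.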

The difference during injection

First, enter the security database that sqli-labs connects to and list all of its tables.

mysql> show tables;
+--------------------+
| Tables_in_security |
+--------------------+
| emails             |
| referers           |
| uagents            |
| users              |
+--------------------+
4 rows in set (0.00 sec)

Taking the users table as the example, view all the data in the table.

mysql> select * from users;
+----+----------+------------+
| id | username | password   |
+----+----------+------------+
|  1 | Dumb     | Dumb       |
|  2 | Angelina | I-kill-you |
|  3 | Dummy    | [email protected]   |
|  4 | secure   | crappy     |
|  5 | stupid   | stupidity  |
|  6 | superman | genious    |
|  7 | batman   | mob!le     |
|  8 | admin    | admin      |
|  9 | admin1   | admin1     |
| 10 | admin2   | admin2     |
| 11 | admin3   | admin3     |
| 12 | dhakkan  | dumbo      |
| 14 | admin4   | admin4     |
+----+----------+------------+
13 rows in set (0.00 sec)

Three fields: id, username, password

Apart from id, whose values are all numbers, the other two fields are strings.

Look again at the two query statements.

String type:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Numeric type:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

A quick look at the query syntax:

SQL SELECT syntax

SELECT column_name FROM table_name
Using the symbol * in place of column names selects all columns.

WHERE clause

To select data from a table conditionally, add a WHERE clause to the SELECT statement.
Syntax
SELECT column_name FROM table_name WHERE column operator value

The WHERE clause applies a condition to the query; for example, where id=1 returns the row whose id is 1.

LIMIT 0,1 returns only the first row.


As noted earlier, id holds numbers and username holds strings, so the two query statements above can be used to query by id and by username respectively.

String type:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

Actual query:

mysql> select * from users where username='Dumb';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

For convenience the LIMIT clause is omitted; it does not affect the result.

Numeric type:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

Actual query:

mysql> select * from users where id=1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

You can see that the difference is that with string-type injection, the injected text ends up inside a pair of single quotes.

If the injected text is not handled, it is wrapped by those single quotes and becomes part of the username condition. Take and 1=1 as an example:

URL request: xxx.com/x.php?id=Dumb

Query statement:

$sql="SELECT * FROM users WHERE username='Dumb and 1=1' LIMIT 0,1";

Actual query:

mysql> select * from users where username ='Dumb and 1=1';
Empty set (0.00 sec)

The result is empty, because the database has no user whose username is 'Dumb and 1=1'.

So single quotes are needed to close the quotes that wrap the value on both sides, so that and 1=1 becomes a normal part of the query.

Payload: ' and '1'='1

The query statement then becomes:

$sql="SELECT * FROM users WHERE username='Dumb' and '1'='1' LIMIT 0,1";

The first single quote in the payload closes the original opening quote to form 'Dumb', and the last single quote pairs with the original closing quote to form '1'. That is why the payload compares the two strings '1' and '1' rather than the number 1.
If a number were used, the condition would become and 1=1' with one extra ', and the query would fail.

Actual query:

mysql> select * from users where username ='Dumb' and '1'='1';
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)

The query returns its result normally. Now test the false condition and 1=2:

mysql> select * from users where username ='Dumb' and '1'='2';
Empty set (0.00 sec)

For the numeric type there is none of this trouble; the payload can be appended directly.

mysql> select * from users where id =1 and 1=1;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
|  1 | Dumb     | Dumb     |
+----+----------+----------+
1 row in set (0.00 sec)
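To make the two contexts concrete and show the fix, here is an added Python example that is not part of the post or of sqli-labs. It rebuilds the Less 1 style query (value spliced inside single quotes) and the Less 2 style query (value spliced unquoted) with string concatenation, then places each beside a hardened version that binds the value as a parameter and, for the numeric case, validates it as an integer first. SQLite stands in for MySQL because it runs in memory; the rows in SAMPLE_USERS are a constructed subset of the users table above, and all function names are my own.

```python
import sqlite3

# Constructed subset of the sqli-labs users table shown in the post; SQLite
# stands in for MySQL here because it runs in memory with no server.
SAMPLE_USERS = [
    (1, "Dumb", "Dumb"),
    (2, "Angelina", "I-kill-you"),
    (8, "admin", "admin"),
]


def open_db():
    """In-memory database with the post's three columns: id, username, password."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def string_query_concat(conn, value):
    """String context built as in Less-1: the value is spliced into a
    single-quoted literal, so a quote inside the value ends the literal."""
    sql = f"SELECT * FROM users WHERE username='{value}' LIMIT 0,1"
    return sql, conn.execute(sql).fetchall()


def numeric_query_concat(conn, value):
    """Numeric context built as in Less-2: no quotes, so whatever follows the
    number is read as SQL directly."""
    sql = f"SELECT * FROM users WHERE id={value} LIMIT 0,1"
    return sql, conn.execute(sql).fetchall()


def string_query_param(conn, value):
    """Hardened string context: the value is bound as a parameter and never
    becomes part of the SQL text, so quotes in it are ordinary characters."""
    sql = "SELECT * FROM users WHERE username=? LIMIT 0,1"
    return sql, conn.execute(sql, (value,)).fetchall()


def numeric_query_param(conn, value):
    """Hardened numeric context: accept only an integer, then bind it.
    Returns None when the input is not an integer at all."""
    try:
        id_value = int(value)
    except (TypeError, ValueError):
        return None
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return sql, conn.execute(sql, (id_value,)).fetchall()


if __name__ == "__main__":
    db = open_db()
    for label, fn, value in [
        ("string/concat, plain text", string_query_concat, "Dumb and 1=1"),
        ("string/concat, quote closed", string_query_concat, "Dumb' and '1'='1"),
        ("string/param, same input", string_query_param, "Dumb' and '1'='1"),
        ("numeric/concat", numeric_query_concat, "1 and 1=1"),
        ("numeric/param, same input", numeric_query_param, "1 and 1=1"),
    ]:
        print(label, "->", fn(db, value))
```

The concatenated string query reproduces the post exactly: Dumb and 1=1 inside the quotes matches nothing, while closing the quote makes the same row come back. The parameterized version given the same input matches nothing, because the whole value is compared as one username. For the numeric context, binding alone is not enough in MySQL-style code that has already accepted free text, so the integer check comes first and rejects 1 and 1=1 before any SQL is built.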

This blog is published under the Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC BY-NC-SA 4.0). Please credit the source when reposting.
Link to this post: https://ares-x.com/2018/05/09/从Sqlilabs的Less1和Less2看字符型和数字型注入/