Video walkthrough
Illustrated walkthrough
The lab used in the tutorial below is OWASP Mutillidae II.
We request mutillidae/webservices/rest/ws-user-account.php?username=adrian
and find that the returned JSON contains the username and the user's personal signature.
Next we try to intercept the request with BurpSuite, modify it and resend it:
- Open BurpSuite and enable interception (the "Intercept is on" button turns blue when it is enabled)
- Open FoxyProxy and select the BurpSuite profile (it listens on port 8080 by default)
- Request the same page again; BurpSuite captures the request
Usually we append a single quote ' to the parameter value and look at the error it produces.
Here we can see the page reports that the SQL statement is malformed.
Further down, we find that the page also prints the SQL statement that was submitted to the database when the error occurred.
Background knowledge (for readers starting from zero)
Here is a brief look at some details of SQL statements; you can try them yourself at the link below:
https://www.w3schools.com/sql/trysql.asp?filename=trysql_select_all
Look at the default statement, which returns everything in the Customers table:
SELECT * FROM Customers;
What should we enter if we only want the customers' names (CustomerName) and addresses (Address)?
SELECT CustomerName,Address FROM Customers;
Now only the customer name and address are shown!
What if we only want a particular customer, say the information for Alfreds Futterkiste?
SELECT CustomerName,Address FROM Customers where CustomerName = 'Alfreds Futterkiste'
Now let's look at another table, Employees, which has last name, first name, birth date, hire date and notes.
How UNION works
If we want to combine information from the two tables and see the birth date and notes alongside the Alfreds Futterkiste customer, what do we do?
SELECT CustomerName,Address FROM Customers where CustomerName = 'Alfreds Futterkiste' UNION SELECT BirthDate,Notes from Employees
Something odd happens: the rows from Employees now appear under the CustomerName and Address column headings, showing BirthDate and Notes values. You can think of UNION SELECT as appending the second query's rows to the first query's result set, reusing its columns; so can you guess how we will use this against the lab to dump its usernames, passwords and other data?
We append the corresponding clause after the statement that produced the error earlier, and we can see the database executes it successfully and returns the usernames, passwords and other information we wanted!
Of course, you can also explore CONCAT on your own; it simply joins fields and literal text together.
For example, modify the statement we just injected
and each password now appears with the text "password is" in front of it. Fun, isn't it?
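To show the mechanism behind the UNION walkthrough above from the defender's side, here is an added example (not code from the lab or from this post) in which the same lookup is written twice over a constructed SQLite table: once by string concatenation, as the lab endpoint does, and once with a bound parameter. The table, its rows and the password values are made up for the demonstration.

```python
import sqlite3

# Constructed stand-in for the lab's user-account table (all values are made up).
SCHEMA = """
CREATE TABLE accounts (username TEXT, signature TEXT, password TEXT);
INSERT INTO accounts VALUES ('adrian', 'Zombie Films Rock!', 'p@ss-adrian');
INSERT INTO accounts VALUES ('john', 'I like the smell of confunk', 'p@ss-john');
"""

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn

def lookup_vulnerable(conn, username):
    # The statement is assembled by concatenation, so the input is parsed as SQL.
    sql = "SELECT username, signature FROM accounts WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, username):
    # The value is bound to a placeholder; it can only ever be compared as data.
    sql = "SELECT username, signature FROM accounts WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

def run(lookup, username):
    # Returns the sorted rows, or the class name of the database error the input caused.
    conn = open_db()
    try:
        return sorted(lookup(conn, username))
    except sqlite3.Error as exc:
        return type(exc).__name__
    finally:
        conn.close()

# Inputs mirroring the walkthrough: a normal name, a lone quote, and a UNION clause.
NORMAL = "adrian"
QUOTE = "adrian'"
UNION = "adrian' UNION SELECT username, password FROM accounts --"

if __name__ == "__main__":
    for label, value in (("normal", NORMAL), ("quote", QUOTE), ("union", UNION)):
        print(label, "vulnerable:", run(lookup_vulnerable, value))
        print(label, "safe:      ", run(lookup_safe, value))
```

With the concatenated query the lone quote produces a database error (the lab goes further and echoes the failed statement) and the UNION input returns password rows under the signature column; with the bound parameter both inputs are simply usernames that match nothing.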