SQL Injection Tips

Transfer from http://www.wupco.cn/?p=3764

Cuit

First Web300 Landscape Group

The first step is to find the encryption interface.

Next is the injection, filter as follows

The main difficulty here is how to disassemble the returned value in bytes to complete the burst blind by byte, the WAF intercepts our usual substr,like,left functions, here I check the official documentation and find the position function.

By position ((STR1) in (STR2)) to bypass the interception of spaces, as for = with! (<>) to bypass and then form the final payload

(1) or (! (Position ((%user_name§b§%) in (Select(Group_concat ( column_name))from (information_schema. COLUMNS))) (%3C))) (3E1))

In fact, this method is not the optimal solution, after looking at the official WP, get to a tip:

Where is used to determine the greater than number, not only for the comparison size, for the string, there is also a comparison of the function (by byte comparison)

Where is used to determine the greater than number, not only for the comparison size, for the string, there is also a comparison of the function (by byte comparison)

So this problem is simple, completely do not need the function, directly use this to do by byte blasting can

Cst

Feel the horror of Master Shifu!

Here I say one of the questions, there are two parameters, one is table, one is ID, and then there is a blind in the ID, but there is a WAF, but the error injection is quite easy.

But the scary thing comes, and the WAF intercepts the string of column, which means we can't get the field name (Column_name,columns, etc.)

After a while, I asked Master Shifu for a moment. Hint,table can be injected without any WAF.

But before trying to modify the table, changed to the flag and news in addition to the hint table error, combined with hint is can be injected, and tried a lot of fundamental guessing how to write the statement, and then find the teacher to the statement.

This desc really didn't think .... Always thought it was the same as the TCTF CI framework, select the name of the table, to detect, and then execute the final SQL statement.

And then the master threw me a rain bull blog

Http://www.yulegeyu.com/2017/04/16/%E5%BD%93%E8%A1%A8%E5%90%8D%E5%8F%AF%E6%8E%A7%E7%9A%84%E6%B3%A8%E5%85%A5%E9 %81%87%e5%88%b0%e4%ba%86describe%e6%97%b6%e7%9a%84%e5%87%a0%e7%a7%8d%e6%83%85%e5%86%b5%e3%80%82/

In the end, my payload is

Http://114.55.36.69:20680/index.php?table=flag '%20 ' i%&id=3

Use the wildcard character% to burst by byte, make the field name, and finally injected with the error to get flag.

But Master Shifu immediately dumped me. A simpler payload, as follows

Http://192.168.20.133/index.php?table=flag '%23 ' where 0=extractvalue (1, (select Group_concat (0x3a,column_name) from Information_schema.columns where table_name= ' Error_flag ')%23 ' &id=1

This sentence in the desc sentence becomes

desc where 0 =Extractvalue (1, (select group_concat (0x3afromwhere table_ Name='error_flag') # "

#直接注释掉后面的内容, and then this sentence normally returns all fields of Error_flag.

In the SELECT statement below, it becomes

Select *  from where 0 =Extractvalue (1, (select group_concat (0x3afromwhere table _name='error_flag')) # '

' # ' just as Alias, followed by a direct error injected field name

A school-school race/WCTF

I only did the first step in this problem, injected part.

The logic is as follows:

The first is the registration, where the Country field is selected by the option user at the front end

Then login login, there are three messages in UserInfo

Here I directly put the final payload out, in fact, to collect information, to step on the following several pits:

1. By constantly changing the country, found the first point: Country the first word inode to judge, if it is uppercase, do not change, if the non-capital English characters, then the ASCII code -0x20 converted into a word designators into the storage;

2. Date is based on the current time of the time zone set

3. The WAF is very powerful, not to mention what is filtered, can use only ', @, (,), and some of the visible characters are not used.

1th, for ordinary English characters no use, is nothing more than the uppercase conversion of characters, but for the symbol is not the same, here through observation can be found that the data is processed by addsalashes, if we pass ' xxx, ' through escape into/', and then after the 1th rule into < ' , closing the single quotation mark successfully.

But how to comment out the following statement? #和空格都被waf拦截.

There's a tip for the Rain Bull blog here.

http://www.yulegeyu.com/2017/04/11/%E4%B8%BA%E4%BB%80%E4%B9%88-backtick-%E8%83%BD%E5%81%9A%E6%B3%A8%E9%87%8A%E7%AC%A6/

' can be automatically closed in the Php-mysql, that is, we can find a place to use alias or use a column name, use this tip to comment out the back of the content.

The final payload constructed is

Country= ' and (1=2) and (1) [email protected] '

And

Country= ' or (1) or (1) [email protected] '

is the type of bool injection, but what is different???

This will test the eyesight, notice that in date, if the use of or (1), the use of the time zone is the default time zone, the last time and China's time to stay in sync, if it is and (1=2), the use of the time zone is not known, and the current time gap is very large.

Here I guess there is a SQL statement in the middle to determine the time zone.

So through this, a two-time injection (bool blind) is achieved, note that you can not use the space, with parentheses to bypass the OK

SQL Injection Tips