当前位置：网站首页>Regular expression password policy and regular backtracking mechanism bypass

Regular expression password policy and regular backtracking mechanism bypass

2022-07-31 00:15:00 【Miracle_ze】

一、正则表达式

1.is expressing the base expression

1.匹配字符:

格式

表达式	作用
.	匹配任意单个字符,不能匹配空行
[]	匹配指定范围内的任意单个字符
[^]	取反
[:alnum:] 或 [0-9a-zA-Z]	匹配范围0-9 a-z A-Z
[:alpha:] 或 [a-zA-Z]	匹配范围 a-z A-Z
[:upper:] 或 [A-Z]	匹配范围 A-Z
[:lower:] 或 [a-z]	匹配范围 a-z
[:blank:]	空白字符（空格和制表符）
[:space:]	水平和垂直的空白字符（比[:blank:]包含的范围广）
[:cntrl:]	不可打印的控制字符（退格、删除、警铃…）
[:digit:]	十进制数字或[0-9]
[:xdigit:]	十六进制数字
[:graph:]	可打印的非空白字符
[:print:]	可打印字符
[:punct:]	标点符号

2.配置次数

格式

1. * 匹配前面的字符任意次,包括0次,贪婪模式：尽可能长的匹配
2. .* 任意前面长度的任意字符,不包括0次
3. \? 匹配其前面的字符0 或 1次
4. + 匹配其前面的字符至少1次
5. {n} 匹配前面的字符n次
6. {m,n} 匹配前面的字符至少m 次,至多n次
7. {,n} 匹配前面的字符至多n次
8. {n,} 匹配前面的字符至少n次

3.Groups and backreferences

格式

① 分组：() 将一个或多个字符捆绑在一起,当作一个整体进行处理
		
	分组括号中的模式匹配到的内容会被正则表达式引擎记录于内部的变量中,这些变量的命名方式为: \1, \2, \3, ...
		
② 后向引用
		
		
引用前面的分组括号中的模式所匹配字符,而非模式本身
		
\1 表示从左侧起第一个左括号以及与之匹配右括号之间的模式所匹配到的字符
		
\2 表示从左侧起第2个左括号以及与之匹配右括号之间的模式所匹配到的字符,以此类推
		
\& 表示前面的分组中所有字符

2.扩展正则表达式

1）字符匹配：

• . 任意单个字符
• [] 指定范围的字符
• [^] 不在指定范围的字符

2）次数匹配：

• * ：匹配前面字符任意次
• ? : 0 或1次
• + ：1 次或多次
• {m} ：匹配m次 次
• {m,n} ：至少m ,至多n次

3）位置锚定：

• ^ : 行首
• $ : 行尾
• <, \b : 语首 • >, \b : 语尾
• 分组：()
• 后向引用：\1, \2, ...

3.Range use

1.登录靶场

在这里插入图片描述

2.order by The query column ensures that the subsequent injection query is successful

使用order by查询原因：The command can be successfully entered only after the correct column is queried

3.Applied to the range for query and joint query 注入

查询列：?id=1'order by 4--+
在这里插入图片描述

查询4Column not found,Just reduce one column

在这里插入图片描述
The union query is performed after three columns are found：?id=-1' union select 1,2,3--+

So find the name in the second column,See the second column of output in detail

?id=-1' union select 1,(select user()),3--+

在这里插入图片描述
但是如果说想要继续编写的话是不可以,因为在编辑网站中的正则表达式的时候设置的是select\b[\s\S]*\bfrom,以select开头,并且在查询的时候一定会跟一个from去引用表

原因：php文件内容包含

if(preg_match('/select\b[\s\S]*\bfrom/is',$id)) {
	die('sql injection');
}

在这里插入图片描述

字符	含义
'\d ’	数字0-9
‘\D’	非数字
‘\D\d’	匹配全部字符 =》 [\D\d]+全部匹配
‘\w’	字符[a-zA-Z0-9]
‘\W’	无字符【#,%,*…等等】=》\n \t \r #$%^& 空格
‘\s’	\n \t \r 空格符
‘\S’	\s相反,匹配非空字符
‘？’	0-1次
‘+’	1-正无穷次
‘*’	0-正无穷次
‘.’	除了换行符,其他都可以匹配

在文件内容中\bis a word boundary character, That is, it matches the gap between two words 此外\s\SThe two are complementary when used together,Played the role of matching all characters
‘*’It is the character that matches the newline character

在这里插入图片描述
测试网站：regex101

The diagram above explains the role of each symbol,And it means that if you match this paragraph in the injection, it will be intercepted for you.
It is worth noting that as long as you perform additions, deletions, changes, and search operations, it will definitely be usedfromto select a table,This prevents you from injecting

测试：
输入：?id=1 'union select 1,(select group_cocat(username,0x3a,password)from users),3--+
在这里插入图片描述
The result shows that it cannot be injected,Because he matches the condition

4.Resolve regular condition matching to bypass

思考：To solve this problem we have to guaranteefromcannot be a word,It has to be delayed and not yet able to report syntax errors

方案：MySQL支持科学计数法,MySQLThe judgment read itself can produce a list of numbers in scientific notation【1e1】

测试一：

directly join the Science and Technology Law1e1

?id=-1' union select 1,(select group_concat(username,0x3a,password),1e1from users),3--+

测试结果1：
在这里插入图片描述

In the input we can query is3列,But we actually query the result is4列.That's what it says our operand should contain1列.

测试二：

?id=-1' union select 1,group_concat(username,0x3a,password),1e1from users--+

在这里插入图片描述
结果

The second column showing the injection is User and Password.第三列是1e1即10

4.Use regular expressions to complete the examples

The goal is to enter matching characters
There are numbers in the content,Uppercase and lowercase letters and special characters,And the total number of all characters is controlled at8-16

^((?=.*[0-9])(?=.*[a-z])(?=.*[A-Z])(?=.*[@#%^&*\\\(\)])).{8,16}$

(?=.*[0-9])：单个组,0-9表示数范围..*Represents any character as any,？means a match 一次和多次.
The same is true for other groups;
Beginning and end of line^与$Make the two groups a whole,That is, the overall length of the match is limited
结果：
在这里插入图片描述

在这里插入图片描述

二、PHPa million times bypass mechanism【Regular backtracking mechanism】

在这里插入图片描述
在php程序中,It is found that there are two judgments in it,Enter when the first judgment is satisfied!is_array($greeting)的条件判断.But it doesn't work when the first one satisfies the second condition,The second line does not work for the first.For this purpose, a backtracking mechanism is used to bypass the first judgment.
解决方法
在PHP中有1000000The number of backtracking times is limited.在PHPRegular expressions used in .*is to match any character any number of times【贪婪模式：In greedy mode, all characters are matched directly,Then backtrack forward from the last character,直到匹配成功】,Through it, it can match unlimited characters and times.For this reason, we can use it to bypass this point1000000times backtracking limit.