sqlilabs less-32~less-33
2022-07-29 02:56:00 【It's always late at night.】
less-32
Initial assessment

I assigned a value to id and got nothing back.
Looking at the source code, there is a line that is commented out. It should not be commented out, because the later experiments need it.

Although the environment has a serious problem, seeing that line of code made me think of wide-byte injection.
Wide-byte injection
Although we cannot run the experiment, we can still walk through it on paper; first the principle.
GBK encodes a character in two bytes, whereas ASCII uses only one, so encodings like GBK are called wide-byte encodings. If two single-byte values end up next to each other, they can be misread as one wide-byte character.
This experiment
Because of the line mysql_query("SET NAMES gbk");, part of MySQL's character set configuration is switched to gbk.

I checked what encoding the rest of the PHP code uses: it is UTF-8 (in UTF-8 a Chinese character takes 3 to 4 bytes).
PHP sends the SQL statement generated by this code to MySQL. When MySQL receives the request, it converts the request content from character_set_client to character_set_connection.

It then converts from character_set_connection to the internal operating character set, converts the result from the internal character set to character_set_results, and encodes the output as character_set_results.

So where is the injection point? In character_set_client: after MySQL receives the SQL encoded by PHP, it re-interprets it using character_set_client.
An example makes this clearer. To stop users from submitting unwanted data, special characters are escaped with a backslash "\"; for instance an English single quote ' is escaped to \'.
Suppose we enter a single quote. It is filtered and escaped to backslash plus single quote, so the injection fails. Now suppose we enter a byte whose ASCII code is greater than 127 followed by the quote, for example %df'.
%df' : the ' is escaped to \', and the ASCII code of \ is %5c.
%df%5c' : because the first of the two bytes has a code greater than 127, it is treated together with the following byte as one Chinese character.

After MySQL's GBK decoding it becomes Yun' (one two-byte GBK character followed by the quote).
The escape character "\" is absorbed by "%df" to form "Yun", so the escaping is bypassed.
So the payload for this experiment should be -1%df%27union%20select%201,user(),3--+
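To make the byte sequence concrete, here is an added Python simulation (not the lab's PHP) of the two stages described above: an addslashes-style escape applied to raw bytes, followed by MySQL decoding those bytes under character_set_client. The hardened variant decodes strictly with the declared charset before escaping, which is the property a charset-aware escape function or a prepared statement gives you; the escape functions and the check are constructed for this illustration.

```python
from urllib.parse import unquote_to_bytes

def addslashes(raw: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): backslash before ' " \\ and NUL."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # 0x5C is the backslash byte
        out.append(b)
    return bytes(out)

def query_param_bytes(param: str) -> bytes:
    """Undo URL encoding the way a query-string parser would ('+' is a space)."""
    return unquote_to_bytes(param.replace("+", " "))

def escape_like_lab(param: str, charset: str) -> str:
    """Lab-style flow: escape the raw bytes first, then let MySQL decode them
    under character_set_client=<charset>. Undecodable bytes are replaced, not joined."""
    return addslashes(query_param_bytes(param)).decode(charset, errors="replace")

def escape_hardened(param: str, charset: str) -> str:
    """Decode strictly with the declared charset first, then escape characters.
    A dangling lead byte such as 0xDF before a quote raises UnicodeDecodeError."""
    text = query_param_bytes(param).decode(charset)
    return "".join("\\" + c if c in "'\"\\\x00" else c for c in text)

def hardened_rejects(param: str, charset: str) -> bool:
    """True when the hardened path refuses the input instead of producing a value."""
    try:
        escape_hardened(param, charset)
    except UnicodeDecodeError:
        return True
    return False

def quotes_all_escaped(value: str) -> bool:
    """True when every single quote in the decoded value still has its backslash."""
    return all(i > 0 and value[i - 1] == "\\"
               for i, ch in enumerate(value) if ch == "'")

# The page's payload, plus a plain quote for comparison.
WIDE = "-1%df%27union%20select%201,user(),3--+"
PLAIN = "1%27"

if __name__ == "__main__":
    for charset in ("gbk", "utf-8"):
        seen = escape_like_lab(WIDE, charset)
        print(charset, repr(seen), "quote escaped:", quotes_all_escaped(seen))
```

Under gbk the backslash and 0xDF merge into one character and the quote stands bare; under utf-8 the 0xDF byte is replaced on its own and the backslash survives, which is why the page ties the bug to SET NAMES gbk.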
less-33
My less-33 page is titled less-32; as expected it behaves the same as less-32, with no feedback.

Looking at the source code, I found addslashes.

Same as less-32: inject with wide bytes.