
sql-labs less25 or/and filtering

Author: Yix1a | Source: published 2019-05-15 17:29, read 0 times
    • Reposted from the notes of an unnamed expert

    ----------------------------------less-25------------------------------------

    Original URL:

    http://192.168.137.138/sqli-labs-master/Less-25/

    Enter the id value as prompted.

            Equivalent characters for or and and

    1. Equivalent substitutions

        and  =====> &&
    
    
        or   =====> ||
    

    2. Back-end verification

    Verify that the && operator works:

    mysql> select * from users where id > 5 and id < 10;
    +----+----------+----------+
    | id | username | password |
    +----+----------+----------+
    |  6 | superman | genious  |
    |  7 | batman   | mob!le   |
    |  8 | admin    | 123      |
    |  9 | admin1   | admin1   |
    +----+----------+----------+
    4 rows in set (0.02 sec)

    mysql> select * from users where id > 5 && id < 10;
    +----+----------+----------+
    | id | username | password |
    +----+----------+----------+
    |  6 | superman | genious  |
    |  7 | batman   | mob!le   |
    |  8 | admin    | 123      |
    |  9 | admin1   | admin1   |
    +----+----------+----------+
    4 rows in set (0.00 sec)

    Verify that the || operator works:

    mysql> select * from users where id=5 or id=10;
    +----+----------+-----------+
    | id | username | password  |
    +----+----------+-----------+
    |  5 | stupid   | stupidity |
    | 10 | admin2   | admin2    |
    +----+----------+-----------+
    2 rows in set (0.00 sec)

    mysql> select * from users where id=5 || id=10;
    +----+----------+-----------+
    | id | username | password  |
    +----+----------+-----------+
    |  5 | stupid   | stupidity |
    | 10 | admin2   | admin2    |
    +----+----------+-----------+
    2 rows in set (0.00 sec)

    So || and && work just the same as or and and.

                Front-end injection test

    1. Analyze the back-end SQL statement

    2. Verify with or and and

    3. Bypass the or/and filter

    Open the less-25 page; at the bottom there is a hint:

    Your Input is Filtered with following result: 1' (the result after your input has been filtered)

    Single-quote error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

    Error analysis:

    near ' ' 1' ' LIMIT 0,1 ' at line 1

    Guessed back-end SQL statement:

    select username,password from table where id = 'input'

    Simple injection test statement:

    1' and 1=1 #

    Result:

    The returned page is not the normal page, and a syntax error is thrown:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1 ' LIMIT 0,1' at line 1

    Hint at the bottom of the page:

    Hint: Your Input is Filtered with following result: 1' 1=1

    What followed id was originally:

    1' and 1=1 #

    After filtering:

    1' 1=1

    This shows that and and # were filtered out.

    Now try changing the case of and, and replace # with --+

    Statement:

    1' AnD 1=1 --+

    Result:

    The returned page still shows an error:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1 -- ' LIMIT 0,1' at line 1

    Hint at the end:

    Hint: Your Input is Filtered with following result: 1' 1=1 --

    This time and was filtered, but the double dash was kept.

    This shows that the and filter is case-insensitive and the -- comment marker is not filtered.

    So now, what about trying && in place of and?

    Statement:

    1' && 1=1 --+

    Result:

    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

    The page still returns an error.

    Why is that?

    Because the & symbol means and in SQL, but it has a special meaning in a URL.


    Here I looked it up; a quick primer on what the characters #, ? and & mean in a URL:

      #       represents a position within a web page; the characters to its right identify that position. For example,

    http://www.example.com/index.html#print denotes the print position in the page index.html. After loading

    this URL, the browser automatically scrolls the print position into view.

      ?

    1) Joining parameters, for example:

    http://www.xxx.com/Show.asp?id=77&nameid=2905210001&page=1

    2) Bypassing the cache, for example:

    http://www.xxxxx.com/index.html

    http://www.xxxxx.com/index.html?test123123

    The two URLs open the same page, but the second has a question mark, which means the cached content is not used;
    it is treated as a new address and fetched again.

      &

    separator between different parameters


    So the && characters must be URL-encoded (HackBar in Firefox has this built in).

    Injection statement after encoding:

    1' %26%26 1=1 --+

    Result:

    The page returns normally.

    Hint at the end:

    Hint: Your Input is Filtered with following result: 1' && 1=1 --

    In place of 1=1 more complex injection statements can be built; I won't try them one by one here.

    The or case is the same as the and case.

    ---------------------------------Source code------------------------------------

    <?php
    //including the Mysql connect parameters.
    include("../sql-connections/sql-connect.php");

    // take the variables
    if(isset($_GET['id']))
    {
        $id=$_GET['id'];
        //logging the connection parameters to a file for analysis.
        $fp=fopen('result.txt','a');
        fwrite($fp,'ID:'.$id."\n");
        fclose($fp);

        //fiddling with comments
        $id= blacklist($id);
        //echo "<br>";
        //echo $id;
        //echo "<br>";
        $hint=$id;

        // connectivity
        $sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
        $result=mysql_query($sql);
        $row = mysql_fetch_array($result);
        if($row)
        {
            echo "<font size='5' color= '#99FF00'>";
            echo 'Your Login name:'.$row['username'];
            echo "<br>";
            echo 'Your Password:' .$row['password'];
            echo "</font>";
        }
        else
        {
            echo '<font color= "#FFFF00">';
            print_r(mysql_error());
            echo "</font>";
        }
    }
    else
    {
        echo "Please input the ID as parameter with numeric value";
    }

    // filter function: strips "and" and "or" from the input
    function blacklist($id)
    {
        $id= preg_replace('/or/i',"", $id);   // the i flag means case-insensitive; strip out OR (non case sensitive)
        $id= preg_replace('/AND/i',"", $id);  // Strip out AND (non case sensitive)
        return $id;
    }
    ?>
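As an added example (not part of the original post or of sqli-labs), a Python port of the blacklist() above, fed through the same query-string splitting that PHP's $_GET performs, showing why the keyword filter misses && and ||, why & had to be sent as %26, and how a bound parameter makes the filter unnecessary. The in-memory SQLite table, its rows and the function names are constructed for the demo; SQLite lacks MySQL's && operator, so the vulnerable form is shown only as the statement string it would send.

```python
import re
import sqlite3
from urllib.parse import parse_qs


def blacklist(value: str) -> str:
    """Port of Less-25's blacklist(): strip 'or' then 'and', case-insensitively."""
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    return re.sub(r"and", "", value, flags=re.IGNORECASE)


def php_get_id(query_string: str) -> str:
    """What PHP's $_GET['id'] would hold: split on '&', then percent-decode."""
    return parse_qs(query_string).get("id", [""])[0]


def vulnerable_sql(query_string: str) -> str:
    """The Less-25 pattern: blacklist, then splice the text into the statement."""
    filtered = blacklist(php_get_id(query_string))
    return f"SELECT * FROM users WHERE id='{filtered}' LIMIT 0,1"


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows from the MySQL session above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?,?,?)",
                     [(5, "stupid", "stupidity"), (10, "admin2", "admin2")])
    return conn


def safe_lookup(conn: sqlite3.Connection, query_string: str) -> list:
    """Hardened form: the value is bound as data, so no blacklist is needed."""
    raw = php_get_id(query_string)
    return conn.execute("SELECT * FROM users WHERE id=? LIMIT 1", (raw,)).fetchall()


if __name__ == "__main__":
    # 1. The filter knows the keywords, not their MySQL equivalents.
    print(vulnerable_sql("id=1' AnD 1=1 --+"))     # 'AnD' stripped, query breaks
    print(vulnerable_sql("id=1' && 1=1 --+"))      # raw '&' split the query string
    print(vulnerable_sql("id=1' %26%26 1=1 --+"))  # encoded '&&' survives the filter
    # 2. The same filter silently corrupts legitimate values.
    print(blacklist("password"), blacklist("Sandra"))  # passwd Sra
    # 3. With parameter binding the raw input matches nothing.
    print(safe_lookup(demo_db(), "id=1' %26%26 1=1 --+"))  # []
    print(safe_lookup(demo_db(), "id=5"))  # [(5, 'stupid', 'stupidity')]
```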


          Article link: https://www.haomeiwen.com/subject/sokmaqtx.html