Apr092020
Sqli-labs Less-28a 绕过union\s+select过滤 union注入
关键代码
function blacklist($id)
{
//$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
//$id= preg_replace('/[--]/',"", $id); //Strip out --.
//$id= preg_replace('/[#]/',"", $id); //Strip out #.
//$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $i...阅读全文
抢沙发
Apr092020
Sqli-labs Less-28 绕过union\s+select过滤 union注入
关键代码
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
//$id= preg_replace('/select/m',"", $id); ...阅读全文
Apr092020
Sqli-labs Less-27a 绕过union、select等过滤 union注入
关键代码
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_r...阅读全文
Apr092020
Sqli-labs Less-27 绕过union、select等过滤 union注入
关键代码
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_r...阅读全文
Apr092020
Sqli-labs Less-26a 绕过 or、and、注释符、空格、斜杠过滤 union注入
关键代码
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[...阅读全文
Apr092020
Sqli-labs Less-26 绕过 or、and、注释符、空格、斜杠过滤 基于BIGINT溢出的报错注入
关键代码
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive)
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --
$id= preg_replace('/[#]/',"", $id); //Strip out #
$id= preg_...阅读全文
Apr092020
Sqli-labs Less-25a 绕过or和and过滤 union注入
关键代码
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
$id=$_GET['id'];
$id= blacklist($id);
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";
//print_r(mysql_error());
不同于25关的是sql语句中对于id,没有R...阅读全文
Apr092020
Sqli-labs Less-25 绕过or和and过滤 extractvalue()报错注入
关键代码
function blacklist($id)
{
$id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive)
$id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive)
return $id;
}
$id=$_GET['id'];
$id= blacklist($id);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
本关主要为or and过滤,如何绕过or和and过...阅读全文
Apr092020
Sqli-labs Less-23 绕过注释符过滤 union注入
关键源码如下
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
print_r(mysql_error());
此处主要是在获取id参数时进行了#,–注释符号的过滤。
Solution:
http://127.0.0.1/sql/Less-23/index.php?id=-1′ union select 1,(se...阅读全文
Apr092020
Sqli-labs Less-22 cookie注入 base64编码 extractvalue()报错注入
本关和less20、less21是一致的,我们可以从源代码中看到这里对uname进行了”uname”的处理
$cookee = $_COOKIE['uname'];
$cookee = base64_decode($cookee);
$cookee1 = '"'. $cookee. '"';
$sql="SELECT * FROM users WHERE username=$cookee1 LIMIT 0,1";
$result=mysql_query($sql);
if (!$result)
{
die('Issue with your mysql: ' . mysql_error());
}
可以构造payl...阅读全文