2020/1/27 Code audit learning: wide-byte injection and second-order injection

0x00 Wide-byte injection

Sometimes the variable we are looking at is filtered by the addslashes function,
which escapes a single quote as \'.

If we prefix the parameter with %df,
id=' becomes id=%df'
after escaping it is %df\', which URL-encoded is %df%5C%27
In GBK, %df%5C is treated as one two-byte Chinese character (運, "transport").
The backslash that was supposed to escape the single quote is swallowed into that character, so the escape fails: MySQL skips over the multibyte character and our single quote (') takes effect.

Wide-byte injection with sqlmap:

python2 sqlmap.py -u "http://117.51.147.2/Ze02pQYLf5gGNyMn/query_aIeMu0FUoVrW0NWPHbN6z4xh.php?id=1" --tamper unmagicquotes --dbs --hex

Use the unmagicquotes tamper script.
--hex is used because the single quote is filtered, so hexadecimal encoding is used to bypass the filter.

2: run it directly:

With %df in the URL, sqlmap can inject directly:
python sqlmap.py -u "http://chinalover.sinaapp.com/SQL-GBK/index.php?id=1%df'"

0x01 Fix for wide-byte injection

1: call mysql_set_charset('gbk') to specify the connection character set
2: escape with mysql_real_escape_string
mysql_real_escape_string escapes according to the character set the client connection was told to use, so once the client knows the connection is GBK a stray lead byte can no longer pair with the escaping backslash.
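The following script is an added illustration of why the fix above works; it is not code from the original post. It models addslashes-style byte escaping, a charset-aware escape modelled on what mysql_real_escape_string does once mysql_set_charset('gbk') has been called (a lead byte that does not form a valid GBK character is itself escaped), and a minimal GBK-aware string lexer in the style of MySQL's, so the same input can be checked for a live quote under both escapes. All function names and the sample byte strings are constructed for this example.

```python
# Added example: why byte-wise addslashes fails under GBK and charset-aware escaping does not.
# GBK lead bytes are 0x81-0xFE; trail bytes are 0x40-0x7E and 0x80-0xFE.

def is_gbk_lead(b: int) -> bool:
    return 0x81 <= b <= 0xFE


def is_gbk_trail(b: int) -> bool:
    return 0x40 <= b <= 0x7E or 0x80 <= b <= 0xFE


def addslashes(data: bytes) -> bytes:
    """Byte-wise escaping like PHP addslashes(): backslash before ' " \\ and NUL,
    with no knowledge of the connection character set."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_gbk_aware(data: bytes) -> bytes:
    """Charset-aware escaping (modelled on mysql_real_escape_string with a GBK connection):
    a valid two-byte character is copied whole; a lone lead byte is escaped itself so it
    can never absorb the backslash that protects a following quote."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if is_gbk_lead(b):
            if i + 1 < n and is_gbk_trail(data[i + 1]):
                out += data[i:i + 2]      # complete GBK character, copy untouched
                i += 2
                continue
            out += bytes((0x5C, b))       # invalid lead byte: escape the byte itself
            i += 1
            continue
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
        i += 1
    return bytes(out)


def quote_is_live(escaped: bytes) -> bool:
    """Minimal GBK-aware lexer for the bytes placed inside a '...' literal, in the style of
    MySQL's: returns True if an unescaped single quote would end the literal early."""
    i, n = 0, len(escaped)
    while i < n:
        b = escaped[i]
        if is_gbk_lead(b) and i + 1 < n and is_gbk_trail(escaped[i + 1]):
            i += 2                        # one multibyte character, including a 0x5C trail byte
            continue
        if b == 0x5C:
            i += 2                        # backslash escapes the next byte
            continue
        if b == 0x27:
            return True                   # live quote: the literal terminates here
        i += 1
    return False


if __name__ == "__main__":
    sample = b"\xdf' tail"                # constructed input: %df followed by a single quote
    print("addslashes      :", addslashes(sample), "live quote:", quote_is_live(addslashes(sample)))
    print("gbk-aware escape:", escape_gbk_aware(sample), "live quote:", quote_is_live(escape_gbk_aware(sample)))
```

Under addslashes the bytes become df 5c 27 and the lexer consumes df 5c as one character, leaving the quote live; under the charset-aware escape they become 5c df 5c 27 and both backslashes do their job. Legitimate GBK text such as 運 followed by a quote passes through the charset-aware escape with only the quote escaped.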

0x02 Principle of second-order injection

Second-order injection can be understood as follows: the attacker first gets malicious data stored in the database, and the injection happens later when that data is read back and used in an SQL query. The defender escapes the special characters in the user's input when it is submitted, but the database stores the original, unescaped data. When the web application later reads the stored malicious data and uses it to build and execute an SQL query, the second-order injection fires.

Second-order injection can be summarized as the following two steps:

Step one: insert the malicious data
When the data is inserted into the database, the special characters are escaped, but the database retains the original data.

Step two: reference the malicious data

Developers assume by default that data stored in the database is safe, so during a later query the malicious data is taken straight from the database and used without any further checks.

0x03 Approach to second-order injection

First insert the injection statement into the database: registration, message boards and similar features all perform INSERT operations on the database. Then trigger the stored injection statement wherever that data is used in an UPDATE.
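A minimal reproduction of the two steps above, added here as an example that is not part of the original post, using Python's built-in sqlite3 module in place of MySQL: the escaping applied at registration protects the INSERT, but the stored username later reaches an UPDATE unescaped, while the fixed version binds every value as a parameter. The table layout, function names and sample data are all constructed for this example.

```python
# Added example: second-order injection, vulnerable UPDATE beside its parameterized fix.
import sqlite3


def escape(value: str) -> str:
    """Quote-doubling escape applied on the way in; stands in for addslashes / mysql_real_escape_string."""
    return value.replace("'", "''")


def new_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('admin', 'admin-secret')")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> int:
    """Step one: the input is escaped for this INSERT, so the statement itself is safe,
    but the database stores the original string with its quote intact."""
    cur = conn.execute(
        f"INSERT INTO users (username, password) VALUES ('{escape(username)}', '{escape(password)}')"
    )
    return cur.lastrowid


def change_password_vulnerable(conn: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Step two (vulnerable): the stored username is read back and concatenated into the UPDATE
    as if it were already safe, so the quote it carries becomes part of the SQL."""
    username = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    conn.execute(f"UPDATE users SET password = '{escape(new_password)}' WHERE username = '{username}'")


def change_password_safe(conn: sqlite3.Connection, user_id: int, new_password: str) -> None:
    """Fixed: every value, including one read from the database, goes through a bound parameter."""
    username = conn.execute("SELECT username FROM users WHERE id = ?", (user_id,)).fetchone()[0]
    conn.execute("UPDATE users SET password = ? WHERE username = ?", (new_password, username))


def password_of(conn: sqlite3.Connection, username: str) -> str:
    return conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()[0]


def demo(vulnerable: bool) -> str:
    """Registers a user whose name embeds a quote and a comment marker, changes that user's own
    password through the chosen code path, and returns the admin password afterwards."""
    conn = new_db()
    uid = register(conn, "admin'-- ", "pw1")        # constructed sample: stored as admin'--
    handler = change_password_vulnerable if vulnerable else change_password_safe
    handler(conn, uid, "pw2")
    return password_of(conn, "admin")


if __name__ == "__main__":
    print("vulnerable path, admin password now:", demo(vulnerable=True))
    print("fixed path, admin password now:     ", demo(vulnerable=False))
```

In the vulnerable path the UPDATE reads WHERE username = 'admin'-- ' and the comment marker discards the closing quote, so the admin row is changed; in the fixed path the bound parameter compares the stored string as data and only the attacker's own row is updated.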


Origin: www.cnblogs.com/wangtanzhi/p/12236247.html