LESS32
Knowledge bedding: byte wide injection
Byte wide injection principle:
GBK occupy two bytes
ASCII occupies a byte
PHP is encoded by GBK, the function performed is to add the ASCII code (symbol added is "\"), MYSQL default character set is GBK byte character set width.
We all know% df 'escaped PHP (open GPC, with the addslashes function, or icov, etc.), single quotes are backslash \, becomes a% df \', which \% hex is 5C, so now % DF \ '=% df% 5c 27% , if the program is the default character set GBK byte character set width, MySQL GBK of encoding time, considers % df% 5c is a wide character, that is mourning , that is to say:% df \ '=% df % 5c% 27 = mourning', with single quotes like injected.
Reference link: https: //blog.csdn.net/helloc0de/article/details/76180190
Chinese, Korean, Japanese, etc. there is a wide bytes, the default English is a byte.
example:
id = 1 'for 1 \' encoding 1% 5c% after 27 into sql id = \ 'and XXXX injection can not be completed at this time
id = 1% df 'processing 1% df \' encoding 1% df% 5c% after 27 transported into sql id = 1 'and XXX At this time there is a wide byte injection vulnerability
Here we begin checkpoints.
We observed the source added the addslashes function
PHP addslashes () function:
check_addslashes () will be added in front of a single quotation marks \ For example: I'm hacker incoming addslashes (), to give: I \ 'm hacker
So this has been a wide-byte injection comes into play.
1. We enter? id = 1 ', the function can be found to be escaped
2. injection byte wide
input: id = -1% df 'union select 1,2, group_concat (concat_ws (0x7e, username, password)) from security.users - +?
3 can also use% aa% 5c 'constructed
% aa% 5c'
% 5C% 27% AA
escape obtained
% aa% 5c% 5c% 5c % 27
decoded
输入:?id=-1%aa%5c' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users --+
LESS33
And like the same hurdle
输入:?id=-1%df' union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users --+
LESS34
This can be seen on using the POST injection type, and the source is still observed using addslashes () function
We try to inject byte wide, I found not, because post incoming data still encoded again.
We enter the account password by burp capture display, it gives us a transcoding pay more 25%, we need to manually delete.
Then we changed to the packet
unmae = a% df 'union select 1,2 # & passwd = ad & submit = Submit
In addition, we can convert UTF-8 to UTF-16.
For example, "utf-16 is converted to: '.
as the picture shows:
LESS35
This is very much the same but there is no parcel off
输入:?id=-1 union select 1,2,group_concat(concat_ws(0x7e,username,password)) from security.users --+
LESS36
Observation source found that the use of PHP mysql_real_escape_string () function
Reference connection: https: //www.w3school.com.cn/php/func_mysql_real_escape_string.asp
mysql_real_escape_string () function escapes special characters in a string SQL statements used in.
The following characters are affected:
- \x00
- \n
- \r
- \
- '
- "
- \x1a
If successful, the function returns a string to be escaped. If it fails, false is returned.
We can still use a wide byte injection.
Input: id = 1% df 'union select 1,2, database () - +?
LESS37
37 and 34 OFF OFF Similarly, POST type, using the mysql_real_escape_string () function
can also use a method to convert a single quote from utf-8 as a utf-16
It may also be modified data packet by burp