Shulou(Shulou.com)06/01 Report--

In a website of CTF practice, I saw a question of wide byte injection. I am a new web, and I don't have much experience. At first, I didn't think it was wide byte, or a friend mentioned it to me, which made me suddenly enlightened. Make some summaries.

Exercise questions website address: http://ctf.bugku.com.

First, understand the principle of wide byte injection

Premise:

1. As we all know, when defending against SQL injection, we mostly use to filter special characters, or use functions to convert special characters into entities, that is, to add'\'in character escape. The first rule here is that there is such a mechanism.

2. Set the wide-byte character set, here is the GBK character set, and the GBK character set takes up two bytes. The key is to set the character set. There are usually many ways to set up, such as:

(1) mysql_query, such as mysql_query ("SET NAMES 'gbk'", $conn), mysql_query ("setcharacter_set_client = gbk", $conn).

(2) mysql_set_charset, such as mysql_set_charset ("gbk", $conn).

Implementation process: when we test, type "% df'". At this time, if the php function is using addslashes (), it will precede the colon with'\'. It becomes% df\'. The corresponding code is% df%5c'. At this time, if the website character set is GBK,MYSQL and the code is also GBK, it will think that% df\ is a Chinese "character". In this way, the\ before the single quotation marks will not work, and the escape will fail, and the topic will have an error message.

Let's test it with the title of the website:

1. View the source code of the web page

When the character set gb2312 appears, you should think of wide byte injection

2. Error reporting test can be injected

An error message appears because there is an extra single quotation mark in the constructed statement. For example, the query statement is:

$name=addslashes ($_ POST ['name']) Select * from user where name='$name'

Passing in our% df' becomes:

Select * from user where name='%df\'

In this way, our single quotation marks and the closure in front of us will add an original single quotation mark and report an error.

3. Number of query fields:

Df' order by 2 23

Here% 23 means comments, which means to comment out the following statements, including what extra single quotes and limit restrictions can only query one line of the statement.

After several tests, it is determined that the number of fields is 2.

4. Judge the database:

Df' union select 1 database () 23

Get the name of the database.

5. Then, according to the prompt of the topic, the table name and field name are given, and the field content can be queried directly.

Df' union select 1 sparing string from sql5.key where id=1 23

Personal opinion

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.